Demystifying and Applying the DHS Continuous Diagnostic Mitigation (CDM) Program for Physical Security. Mark Steffler and Ross Foard

Transcription

1 Demystifying and Applying the DHS Continuous Diagnostic Mitigation (CDM) Program for Physical Security Mark Steffler and Ross Foard

2 Mark Steffler VP Government Practice for Quantum Secure, part of HID Global Security Industry Association (SIA) Standards Access Control & Identity Subcommittee Identity and Access Council Steering Committee for Smart Card Alliance Instructor / Presenters Ross Foard Phase 2 Engineer and ICAM SME for DHS NPPD Recipient of ICE Assistant Secretary OCIO Award and DHS Partner Award Over 15 years of Identity and Access Management experience

3 Agenda Introduction to DHS CDM Program CDM Phase 2 Requirements CDM Phase 3 Requirements Mapping the CDM Program to Real World Best Practices How CDM is now incorporating Physical Security for a Comprehensive Program Exploring The Ideal Solution to Incorporate Physical Access Security Q & A

4 Learning Objectives Identify access risks due to legacy processes and Implement a least privilege management approach to securing the enterprise facilities and assets. Compare an organization's current physical access processes and practices against the CDM model and identify gaps and desired target state. Develop a plan, which implements the CDM principals for an organization's unique physical access infrastructure. Create Governance structure to ensure successful implementation

5 US Government Continuous Diagnostics and Mitigation Ross Foard

6 DHS CDM Program The Continuous Diagnostics and Mitigation (CDM) program is a dynamic approach to fortifying the cybersecurity of government networks, systems and facilities. Provides federal departments and agencies with capabilities and tools that identify cybersecurity and facilities risks on an ongoing basis Phased approach, currently in Phase 2 Leverages and reinforces many existing programs including NIST Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations Federal Identity Credential and Access Management Guidance (FICAM) ICAM Privileged User Instruction and Implementation Guidance Today s focus is on CDM's application to physical access management and security and how to converge that with the logical domain for greater awareness and risk management of threats/vulnerabilities.

7 CDM and Related Government Directives CDM Phase 2 CDM Phase 3 Agencies shall adhere to Governmentwide requirements in the deployment and use of identity credentials used by employees and contractors accessing Federal facilities FICAM Circular A-130 Revised OMB M ICAM Privileged User Instruction and Implementation Guidance (2014) Physical access controls systems, which include, for example, servers, databases, workstations and network appliances in either shared or isolated networks, are considered information systems.

8 Privileged User Management

9 FICAM recommends that Logical and Physical Access Control Follow the Same Paradigm Both Physical and Logical Access Controls are held to the Same Standard

10 CDM Core Concepts Dashboard Risk Scoring Threat Awareness Policy Alerting 10

11 CDM Capabilities Phased Delivery Capability: A collection (set) of security controls that work together to achieve an overall security purpose NIST Rev4

12 How Does CDM Phase 1 Work? 6. Report Progress 5. Fix Worst First 1. Install & Update Sensors All Systems Data Currency within 72 Hours 4. Triage and Analyze Results 2. Automated Search for Flaws 3. Collect Results from Departments and Agencies Primary Focus is Network Infrastructure: Routers Firewalls Computers Myriad devices (IoT) Etc.

13 CDM Phase 2 Least Privilege (Access) Management BEHAVE TRUST, BEHAVE, CRED and PRIV Linkage to the User TRUST USER is a generic term that applies to any entity (including non-person entities) that access any resource, physical or logical, in an organization. TRUST is used to validate a person s identity and the degree to which they have been vetted. Requires CRED is a digital representation of a user and binds a type of credential or authentication mechanism to an identity established in TRUST with a level of assurance and is used to grant access (physical and logical). PRIV establishes the privileges associated with the credential and in turn the individual or service PRIV USER Requires CRED BEHAVE identifies that the individual has the proper knowledge and training for the roles they are assigned and that they remain up to date.

14 Phase 3 Feeds the Manage Security Lifecycle Stage Plan for Events Respond to Events Generic Audit/Monitoring Document Requirements, Policy, etc. Quality Management Risk Management Boundary Protection Network, Physical, Virtual

15 Lexicon of Terms/Concepts used in CDM Ab. Term CDM Definition Relevant CDM Example MUR Master User Record Unique Identity record containing all relevant data/attributes on a person MDR MSR Master Device Record Master System Record Unique record for each device on the network containing relevant device data/attributes Unique Record for each (sub) system. One of a number of PACS could each be a system SoS System of Systems This is a system with collects data from other (sub) systems under its control to create a more manageable hierarchy enterprise class architecture PDP Policy Decision Point This is software that determines/assures whether access should be granted to a person based on policy. Record containing: person s name, location, training certifications, type, security check, etc. Record containing: device s name, type of device, last update, f/w or s/w version, etc. Record containing: (sub) system s name, function, last update date, s/w version, attached components, etc. A PACS uber Management System could manage numerous individual PACS under a single system Detect that someone manual assigns access to a person in violation of a given policy (like requiring training to access a facility)

16 CDM Is all about Using COTS Software Architectural boundaries- Zone A: Tools and Sensors Zone B: CMaaS Integration Zone C: Agency Dashboard Zone D: Federal Dashboard Dashboard operates as a Standardization Driver Dashboard Provider focused on Federal Level CMaaS Provider focus for Agency Level CDM Architecture Reflects Commercial Best Fit

17 CDM Road to On-going Assessment and Authorization ISCM as supported by CDM Governance Activities Governance is Distinct from Management Risk Management and Cybersecurity Framework (CSF) Ongoing Assessment and Authorization Tiers 1-4 of the CSF Control Automation Reporting Structure: OU/FISMA Containers Sync Function between Agency/Federal + Modules for Incident Response, Etc. Protecting all assets including data CDM Sensors/Tools and Dashboards

18 Phase 2 Comparing AS-IS State versus Desired State AS IS Ramification Desired Benefit Manual Processes Hard to Audit Common Master User Record Subject (User) Not known across organization Correlation of events across different systems is hard Subject information correlated with Unique ID Ability to automate and normalize information Ability to know the same user wherever access occurs TRUST not defined Difficult to Trust with confidence Trust Level based on defined process The Trust assigned a user is current and accurate BEHAVE not known Uneven security knowledge Required Training completed Ensures Subject understands rules CRED not integrated Various local forms of Identification Utilize a single (PIV) credential Ensure user is as presented PRIV not defined Not sure what authorized to grant Only Authorized Access to high impact systems Reduce attack surface of critical systems

19 Applying CDP Program Principals to Best Practices in Enterprise For Physical Security and Access Mark Steffler

20 CDM Phase 2 and Phase 3 Maps to Best Practices CDM Phase 2 Who is on the Network? FICAM and FISMA Controls OMB Circular A-130 and M Policy and Process Automation Use Cases Common measures across network and facilities Automated on-boarding and off-boarding Strong Authentication utilizing Smart Card Defect Detection and Reporting Streamlined Change in Access Authorizations Privileged Access Management Visitor and Contractor Access Management Risk Management Observe Behavior and Risk Analysis CDM Phase 3 What is happening on the Network? Audit and Defect Identification Policy Refinement

21 CDM Phase 2 - Privileged Physical Access Controls ACP = Access Control Point (door) Entitlements Policy Automation Automatically assigned access to start Heightened Access Process Automation Access Granted by approval Privileged Access Policy & Process Automation Access Earned by credentials (BEHAVE/TRUST) and (multiple) Approvals

22 Mapping the ICAM Enterprise to CDM Phase 2 CRED MUR/PDP BEHAV TRUST PRIV

23 BOUND-P Expands the Functionality beyond Today s Disparate PACS Typically there are many unique PACS instances across an enterprise. How do you scale this across multiple PACS? Need a centralized PACS Privilege Management System that overlays the disparate PACS Physical identity and access management (PIAM) deployments are increasing due to technology and product development, compliance mandates, a greater desire to manage alternative user populations such as on-premises visitors and contractors, and a sharp emphasis on timely and secure access 1

24 BOUND-P - Physical Access Controls for CDM CDM BOUND defines the boundary for what is included and monitored within an enclave of devices/systems BOUND-P: Monitor and Manage Physical Access Controls Authentication (e.g. - credential, identity) Authorization (e.g. - permission to access a given door/facility) PDP (distributes access policy to PEP and validates faithful execution) PEP (PACS endpoint functions grant/deny access at a door) Individual PACS IP Addressable components (head-end and panels) need MDR Enclaves of PACS need MSR to more fully characterize each PACS sub-system BOUND-P Operation Implementation - System of System approach Overarching Centralized PACS Privilege Management Connects to each PACS instance and gathers data to populate MUR, MDR and MSR Reports Phase 1 Device (MDR) Defects Reports Phase 2 Identity (MUR) Defects (CRED, BEHAVE, TRUST, PRIV) 24 Reports BOUND-P (MSR) Defects (policy violations)

25 CDM/ICAM - Bound-P Notional Architecture MUR Provision: Credential (PIV) Access Privileges Policy for PEP (PACS) Retrieve data for defect reporting - Each PACS subsystem metrics - PACS Device Status - Privileged Access activity - User behavior MDR MSR PDP Layer PEP Layer

26 What is your Situation? # Employees 0 1,000 1,000 4,999 5,000 + # PACS/# Doors 2/50 5/200 5+/200+ Security Compliance Low Medium High Audit Risk/Impact Low Medium High Insider Threat Program N/A Minimal Vital (NISPOM 2) Consequences Low Medium High Need for Automation (System of Systems) ROI for Adopting PIAM Manual methods probably OK Consider PIAM System Strong need for PIAM System Low 50% annually >100% annually Good Governance means intentional cooperation between IT security department and physical security department. Create PMO with members from each dept. Collaborate Develop shared vision

27 Wrap-up: Q & A and How to Learn More Ross and Mark are available immediately following this session Come Visit Mark and Ross at the HID Exhibitor Booth # We will be available from 2PM 5PM today to answer questions and provide more information Make an appointment for tomorrow at Booth #11063 with Mark Contact Mark or Ross anytime

28 Appendix

29 Helpful References DHS CDM Program Overview: DHS Continuous Diagnostics and Mitigation (CDM) Training Program website: FICAM Roadmap: dmap_and_implementation_guidance_v2%200_ _0.pdf ICAM Privileged User Instruction and Implementation Guidance: nitaitive_putt%20doc_ pdf NIST Attribute Based Access Control: NIST SP Rev 4 :

30 Glossary of Terms (not previously defined) Term BOUND-P Defect CMaas (F)ICAM OMB M FISMA Definition Monitor and Manage Physical Access Controls Condition under which the current state is not in conformance with policy. Continuous Monitoring as a Service. Essentially the software system, which monitors the network or facilities access (Federal) Identity, Credential and Access Management Office of Management and Budget Memorandum mandating conformance to FICAM for all federl departments and agencies (issued: February 2011) Federal Information Security Management Act 30

31 Example - PACS Defects Report Example of PACS Infrastructure Status versus Approved or Target State

32 FICAM Provisioning Use Cases