ISO27001 compliance and Privileged Access Monitoring

Transcription

1 ISO27001 compliance and Privileged Access Monitoring February 24, 2014 Abstract How to control and audit remote access to your servers to comply with ISO27001:2013 using the BalaBit Shell Control Box Copyright BalaBit IT Security Ltd.

2 Table of Contents 1. Preface Using SCB for compliance What SCB is How SCB works Real-time content monitoring with SCB eyes authorization Supported protocols Public references Using SCB for ISO27001 compliance Other important features Summary About BalaBit

3 Preface 1. Preface This paper discusses the advantages of using BalaBit Shell Control Box (SCB) to control remote access to your UNIX/Linux and Windows servers, networking devices, as well as your virtualized applications. SCB can transparently control, audit and replay protocols commonly used to remotely access and manage servers, including the Secure Shell (SSH), Remote Desktop (RDP), HTTP, Citrix ICA, VMware View, Telnet, and Virtual Network Computing (VNC) protocols. This document is recommended for technical experts and decision-makers working on auditing server-administration and remote-access processes for policy compliance (for example, PCI DSS or ISO 27001), or simply to gather information for forensics situations in case of security incidents. However, anyone with basic networking knowledge can fully understand its contents. The procedures and concepts described here are applicable to ISO27001:2013 and version 3 F5 of BalaBit Shell Control Box Using SCB for compliance Compliance is becoming increasingly important in several fields laws, regulations and industrial standards mandate increasing security awareness and the protection of customer data. As a result, companies have to increase their auditability and the control over their business processes, for example, by ensuring that only those employees have access sensitive data who really need to, and also carefully auditing all accesses to these data. The BalaBit Shell Control Box (SCB) is a device to control and audit data access: access to the servers where you store your sensitive data. Being independent from the controlled servers, it also complements the system and application logs generated on the server by creating complete, indexed and replayable audit trails of the users' sessions. Using an independent device for auditing is advantageous for the following reasons: SCB organizes the audited data into sessions called audit trails, making it easy to review the actions of individual users; SCB provides reliable, trustworthy auditing data, even of system administrator accounts who are able to manipulate the logs generated on the server, and SCB allows you to create an independent auditor layer. The auditor can therefore control, audit and review the activities of the system administrators, while being independent from them. Owing to its authentication, authorization, and auditing capabilities like 4-eyes authorization and real-time monitoring and auditing, SCB can play an essential part in the access control of remote access, for example, in the control of remote server administration What SCB is BalaBit Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems. For example, it records as the system administrators configure your database servers through SSH, or your employees make transactions using thin-client applications in VMware View. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible. SCB is especially suited to supervise privileged-user access as mandated by many compliance requirements, like PCI DSS or ISO It is an external, fully transparent device, completely independent from the clients and the servers. The server- and client applications do not have to be modified in order to use SCB; it integrates smoothly into the existing infrastructure. 3

4 How SCB works The BalaBit Shell Control Box (SCB) is a device that controls, monitors, and audits remote administrative access to servers and networking devices. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server- and client applications do not have to be modified in order to use SCB it integrates smoothly into the existing infrastructure. Figure 1. Controlling remote access with the BalaBit Shell Control Box 1.3. How SCB works SCB logs all administrative traffic (including configuration changes, executed commands, and so on) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances of the event are readily available in the audit trails, therefore the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie recreating all actions of the administrator. In other words: with SCB you can oversee and control the work of the system administrators, creating a new management level that has real power over the system administrators. Fast forwarding during replay and searching for events (for example, mouse clicks, pressing the Enter key) and texts seen by the administrator is also supported. Reports and automatic searches can be configured as well. To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, therefore sensitive information like passwords are displayed only when necessary. The protocols that SCB can control are not only used in remote administrative access, but also in thin-client environments like Citrix ICA, VNC, or RDP used to access Windows Terminal Services. For such applications SCB provides an application-independent way to record the activities of the clients Real-time content monitoring with SCB SCB can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command or text) appears in the command line or on the screen, or if a window with a particular title appears in a graphical protocol. Since content-monitoring is performed real time, SCB can prevent 4

5 4-eyes authorization harmful commands from being executed on your servers. SCB can also detect numbers that might be credit card numbers. In case of RDP connections, SCB can detect window title content. The following actions can be performed: Log the event in the system logs. Immediately terminate the connection. Send an or SNMP alerts about the event. Store the event in the connection database of SCB. SCB currently supports content monitoring in SSH session-shell connections, Telnet connections, RDP Drawing channels, and in VNC connections eyes authorization SCB can also ensure that a user is overseen and authorized by an auditor or authorizer: when 4-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. Any connection can use 4-eyes authorization, so it provides a protocol-independent, outband authorization and monitoring method. The authorizer has the possibility to terminate the connection any time, and also to monitor real-time the events of the authorized connections: SCB can stream the traffic to the Audit Player application, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie Supported protocols SCB 3 F5 supports the following protocols: The Secure Shell (SSH) protocol used to access Unix-based servers and network devices. The Remote Desktop Protocol (RDP) used to access Microsoft Windows platforms. Accessing Remote Desktop Services (RemoteApp programs) is also supported. Citrix XenApp and XenDesktop. The X11 protocol forwarded in SSH, used to remotely access the graphical interface of Unix-like systems. The Telnet protocol used to access networking devices (switches, routers) and the TN3270 protocol used with legacy Unix devices and mainframes. The Virtual Network Computing (VNC) graphical desktop sharing system commonly used for remote graphical access in multi-platform environments. VMware View when VMware View Clients using the Remote Desktop (RDP) display protocol to access remote servers. The HTTP protocol (including HTTPS) commonly used to access the web interface of appliances, networking devices, and other applications Public references Among others, the following companies decided to use SCB in their production environment: 5

6 Public references Alfa Bank ( Arcui ( Emerging Markets Payments Jordan ( Dubai Islamic Bank PJS ( National Bank of Kuwait ( Svenska Handelsbanken AB ( The Central Bank of Hungary ( Ankara University ( ČEZ Group ( Fiducia IT AG ( Leibniz Supercomputing Centre (LRZ) ( MTS Ukraine Mobile Communications ( ) Orange Romania ( Telenor Group ( 6

7 Using SCB for ISO27001 compliance 2. Using SCB for ISO27001 compliance The following table provides a detailed description about the requirements of the ISO/IEC 27001:2013 Standard relevant to auditing. Other compliance regulations like the Sarbanes-Oxley Act (SOX), Basel II, or the Health Insurance Portability and Accountability Act (HIPAA) include similar requirements. A.6.1 Internal organization Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization. A Segregation of duties. How SCB helps you: SCB provides a way to control and audit access to remote servers, services, and applications, independently from the users and the server ad- Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional layer above system administrators. It also helps to segregministrators. This allows you to create a separate auditor modification or misuse of the organization's ate the fields of IT maintenance and IT security, and assets. provides a way to fully audit and control the work of system administrators. This greatly increases the chance of finding human errors, and decreases the possibilities of internal misuse. A.9.1 Business requirements of access control Objective: To limit access to information and information processing facilities. A Access to networks and network services. Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use. How SCB helps you: Although SCB is not a generalpurpose firewall, it can granularly control access to servers, applications, and protocol features, based on the identity of the user, or group-memberships. In addition to access control, SCB can fully audit the events of the connections into searchable, replayable, movie-like audit trails. A.9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access to systems and services. A Management of privileged access rights. Control: The allocation and use of privileged access rights shall be restricted and controlled. How SCB helps you: SCB gives you the possibility to control remote access from a central location. It can enforce strong authentication and authorization methods, and provide customized access control to the audited systems. 7

8 A.9.4 System and application access control A Removal or adjustment of access rights. Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. How SCB helps you: SCB provides a single point that authenticates and controls access to the protected servers and services. For example removing a user from your central LDAP (for example, Active Directory) database instantly and automatically revokes all access of that user. SCB also supports scenarios when the user does not know the actual credentials used to access the server. This makes removing access rights easy even when shared accounts are used. A.9.4 System and application access control Objective: To prevent unauthorized access to systems and applications. A Information access restriction. How SCB helps you: SCB can complement this control in several different ways: it can serve as a central Control: Access to information and application authentication host that controls remote access to your system functions shall be restricted in accordance with the access control policy. VNC, Citrix ICA, VMWare View, or HTTP/HTTPS servers and services that use the SSH, RDP, Telnet, protocols, allowing you to control, audit, and authenticate remote privileged access (for example, database and server administrators), and also thin-client users (for example, Citrix XenApp, XenDesktop, or Microsoft Terminal Services). SCB also allows you to control which remote applications or protocol features are available for a specific user, for example: limit (and also audit) file transfers like SCP and SFTP, permit SSH but disable port forwarding, permit RDP access but disable file redirection, prevent the user from starting specific applications (this feature of SCB detects the command or application to be started in real time, and can terminate the connection, or raise an alert if the user tries to access a prohibited application, for example, the sudo in a Linux/UNIX terminal, or the Group Policy Management window on a Microsoft Windows server). To limit access to certain information, SCB can integrate with DLP systems to process the information that the user accessed in the connection. 8

9 A.10.1 Cryptographic controls A Secure log-on procedure. Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. How SCB helps you: SCB has numerous features that support the secure log-on procedure, including the following: Enforce the use of strong encryption methods, for example, by disallowing the use of weak cipher algorithms in the connections. Enforce the use of strong authentication methods, for example, disable the use of passphrases, and require the users to authenticate with X.509 certificates. Authenticate the users to a central LDAP database (for example, Microsoft Active Directory). SCB can serve as an authentication gateway, where the users must authenticate before accessing the target server or service. The gateway authentication can happen inband, within the audited connection, or also outband, using an external, secondary connection to SCB. You can set up SCB to require the users to authenticate on SCB using their own credentials (for example, their own certificate or password), and SCB can use different credentials to access the target server. This is useful if the target server (for example, a legacy mainframe, or a network device) does not support strong authentication methods, has only a built-in account, or you do not want the users to know the actual credentials to the target server. SCB can use a credential store or a password vault to authenticate on the target server. A.10.1 Cryptographic controls Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information. 9

10 A.12.1 Cryptographic controls A Policy on the use of cryptographic controls. Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented. How SCB helps you: SCB can enforce the use of strong encryption methods, for example, by disallowing the use of weak cipher algorithms in the audited connections. The recorded audit trails can be digitally signed and encrypted using strong encryption methods. It is even possible to require multiple certificates to be present to decrypt the audit trails. A.12.1 Cryptographic controls Objective: To ensure correct and secure operations of information processing facilities. A Change management. How SCB helps you: SCB can complement changemanagement policies and controls if the information Control: Changes to the organization, business processing facilities are remotely managed using a remote processes, information processing facilities and access protocol supported by SCB, for example, SSH or systems that affect information security shall RDP. Such changes can be audited by SCB, and be part be controlled. of the documentation of the change. For example, the audit trails can be used in forensic situations or general review to verify that a particular configuration change was actually performed. A.12.4 Logging and monitoring Objective: To record events and generate evidence. A Event logging. How SCB helps you: SCB can record and audit the actions of system administrators and other privileged Control: Event logs recording user activities, users accessing systems and services remotely, for example, using the Secure Shell (SSH), Remote Desktop exceptions, faults and information security events shall be produced, kept and regularly (RDP), HTTP, Citrix ICA, VMware View, Telnet, and reviewed. Virtual Network Computing (VNC) protocols. The recorded events can be replayed like a movie, and are stored in encrypted, digitally signed, and timestamped format, preventing manipulation or misuse. SCB is an excellent tool to find and review faults and actions in forensics situations. A Protection of log information. How SCB helps you: SCB is an individual appliance that can operate transparently, so the users of the audited Control: Logging facilities and log information connection have no access to the appliance. On SCB, shall be protected against tampering and unauthorized access. signed, and timestamped format preventing manipulation the audit trails can be stored in encrypted, digitally or misuse. 10

11 A.13.1 Network security management A Administrator and operator logs. How SCB helps you: SCB was developed exactly for this purpose: to control, monitor, and audit remote Control: System administrator and system operator activities shall be logged and the logs and encrypted audit trails and reports about remote access activities. SCB provides reliable, digitally signed, protected and regularly reviewed. system administration activities to ensure that every event is properly logged. The events can be reviewed exactly the same way as they happened. A Clock synchronisation. How SCB helps you: SCB can automatically synchronize its system clock to a remote time server. That Control: The clocks of all relevant information way the audit trails contain accurate time information processing systems within an organization or even if the server logs are mistimed because the clock security domain shall be synchronised to a of the server is not accurate or has not been synchronized. single reference time source. A.13.1 Network security management Objective: To ensure the protection of information in networks and its supporting information processing facilities. A Network controls. How SCB helps you: SCB can control, monitor, and audit the encrypted channels used in remote service access and remote application access, and can also enforce Control: Networks shall be managed and controlled to protect information in systems and strong authentication and authorization methods, including gateway authentication, two-factor authentication, applications. and 4-eyes authorization. SCB can also monitor the terminal connections used to access networking devices, such as routers and switches. This real-time monitoring and alerting feature allows you, for example, to collect configuration changes of Cisco routers, or even prevent the network administrators from executing unwanted commands. A.15.2 Supplier service delivery management Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements. 11

12 A.16.1 Management of information security incidents and improvements A Monitoring and review of supplier services. Control: Organizations shall regularly monitor, review and audit supplier service delivery. How SCB helps you: SCB is ideal to oversee IT services managed by third parties, for example, remote support or remote service management. SCB can provide detailed, replayable audit trails and reports to review the actions of the third party. It also offers strong access control methods to limit the access of the third party to the absolutely necessary, for example: grant access only in a specific maintenance window, require out-of-band authentication on the SCB gateway, limit the available channels in the remote connection, prevent the user from starting specific applications (this feature of SCB detects the command or application to be started in real time, and can terminate the connection, or raise an alert if the user tries to access a prohibited application, for example, the sudo in a Linux/UNIX terminal, or the Group Policy Management window on a Microsoft Windows server), enforce the 4-eyes principle to oversee the third party, and permit remote connections from the third party only if someone has authorized the connection and is actively monitoring the events. A.16.1 Management of information security incidents and improvements Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. A Collection of evidence. How SCB helps you: SCB collects information independently from the clients and the servers, therefore it Control: The organization shall define and apply procedures for the identification, collection, encrypted, digitally signed, and timestamped format to cannot be manipulated. The audit trails can be stored in acquisition and preservation of information, prevent manipulation or misuse. SCB provides reliable which can serve as evidence. audit trails and reports about remote system access activities to ensure that every event is properly logged and the events can be reviewed exactly the same way as they occurred. This is especially useful since many applications do not log enough information to exactly reconstruct the actions of the users. SCB can complement these logs. 12

13 A.17.2 Redundancies A.17.2 Redundancies Objective: To ensure availability of information processing facilities. A Availability of information processing facilities. Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. How SCB helps you: The SCB appliance supports high-availability configurations, where two SCB units operate together in fail-over mode, and every incoming data is instantly available on both units. Also, the appliances can be equipped with redundant power units. 13

14 Other important features 3. Other important features This section highlights some of the features of BalaBit Shell Control Box that were not discussed in detail so far, but are useful to know about. Protocol inspection SCB acts as an application level proxy gateway: the transferred connections and traffic are inspected on the application level (Layer 7 in the OSI model), rejecting all traffic violating the protocol an effective shield against attacks. This high-level understanding of the traffic gives control over the various features of the protocols, like the authentication and encryption methods used in SSH connections, or the channels permitted in RDP traffic. Detailed access control SCB allows you to define connections: access to a server is possible only from the listed client IP addresses. This can be narrowed by limiting various parameters of the connection, for example, the time when the server can be accessed, the usernames and the authentication method used in SSH, or the type of channels permitted in SSH or RDP connections (for example, SCB can permit SSH port-forwarding only to selected users, or disable access to shared drives in RDP). Controlling the authentication means that SCB can enforce the use of strong authentication methods (public key), and also verify the public key of the users. High availability support All audited traffic must pass SCB, which can become a single point of failure. If SCB fails, the administrators cannot access the protected servers for maintenance. Since this is not acceptable for critical servers and services, SCB is also available with HA support. In this case, two SCB units (a master and a slave) having identical configuration operate simultaneously. The master shares all data with the slave node, and if the master unit stops functioning, the other one becomes immediately active, so the servers are continuously accessible. Seamless integration The system is fully transparent, no modification on the client or the server is necessary, resulting in simple and cost effective integration into your existing infrastructure. Automatic data and configuration backups The recorded audit trails and the configuration of SCB can be periodically transferred to a remote server. The latest backup including the data backup can be easily restored via SCB's web interface. Managing SCB SCB is configured from a clean, intuitive web interface. The roles of each SCB administrator can be clearly defined using a set of privileges: manage SCB as a host, manage the connections to the servers, or view the audit trails. The web interface is accessible via a network interface dedicated to the management traffic. This management interface is also used for backups, logging to remote servers, and other administrative traffic. 14

15 Summary 4. Summary This paper has shown how to use the BalaBit Shell Control Box (SCB) appliance to control privileged access to remote systems and record the activities into searchable and replayable movie-like audit trails, and how to use the audit trails in forensic situations. SCB is an ideal choice to enhance your IT infrastructure if your organization must comply to external regulations like ISO 27001: About BalaBit BalaBit IT Security Ltd. is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies to help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions to a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments. BalaBit is also known as the logging "company", based on the company's flagship product, the open source log server application syslog-ng, which is used by more than companies worldwide and became the globally acknowledged de-facto industry standard. BalaBit, the fastest-growing IT Security company in the Central European region according to Deloitte Technology Fast 50 (2012) list, has local offices in France, Germany, Russia, and in the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe. To learn more about commercial and open source SCB products, request an evaluation version, or find a reseller, visit the following links: Shell Control Box homepage Product manuals, guides, and other documentation Contact us and request an evaluation version Find a reseller All questions, comments or inquiries should be directed to <info@balabit.com> or by post to the following address: BalaBit IT Security 1117 Budapest, Alíz Str. 2 Phone: Fax: Web: Copyright 2014 BalaBit IT Security Ltd. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaBit. The latest version is always available at the BalaBit Documentation Page. 15