Achieving ISO/IEC 27001 Compliance with Quest One Solutions for Privileged Access. Written By Quest Software, Inc.




Contents

Abstract
Introduction
  About BS ISO/IEC 27001:2005
  About ISO 27001 Compliance
  About this Document
Achieving BS ISO/IEC 27001:2005 Compliance
  Overview of Quest Solutions
  Privileged Password Management
  Privileged Session Management
APPENDIX A: ISO 27002 Requirement Summary
About Quest One Identity Solutions

Abstract

This document describes how organizations can use Quest One Privileged Password Manager (PPM), Privileged Session Manager (PSM) and Privileged Command Manager (PCM) to achieve ISO 27001 compliance.

Introduction

About BS ISO/IEC 27001:2005

BS ISO/IEC 27001:2005 (ISO 27001) is a standard to guide the development and implementation of an information security management system (ISMS). It was preceded by BS 7799, which was created in 1995 by the British Standards Institution (BSI). The two key reasons for the growing interest in certification to ISO 27001 are the proliferation of threats to information and the growing range of regulatory and statutory requirements that relate to information protection. ISO 27001 requires that management do all of the following:

- Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities and impacts
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis

About ISO 27001 Compliance

As with all regulatory requirements, there is no single product or policy/procedure that can assure ISO 27001 compliance: there is no silver bullet for ISO 27001 compliance! ISO 27001 compliance requires that your enterprise deploy many security technologies and have specific policies and procedures in place. Technical security controls such as antivirus and firewalls are not normally audited in ISO 27001 certification audits; the organization is essentially presumed to have adopted all necessary information security controls since the overall ISMS is in place and is deemed adequate by satisfying the requirements of ISO 27001. Existing legacy policies and procedures are also unable to meet many of the requirements and standards presented under ISO 27001.

Management, control and audit of both shared/privileged account passwords and critical remote third-party and administrative-level connections are mandatory in meeting ISO 27002 requirements and other growing regulatory, compliance and best-practice security needs.

About this Document

This document focuses on the unique issues associated with both privileged password management and remote vendor access in meeting ISO 27001 compliance requirements, and explains how Quest One Privileged Password Manager, Privileged Session Manager and Privileged Command Manager can help you achieve compliance. Appendix A details the particular ISO 27002 objectives and controls that are addressed by these solutions.

Achieving BS ISO/IEC 27001:2005 Compliance

Overview of Quest Solutions

The Quest One Privileged Account Appliance offers integrated products designed specifically to meet the compliance and security requirements associated with privileged identity management and privileged access control:

- Privileged Password Manager (PPM): Enables secure storage, release control, and change control of privileged passwords across a heterogeneous deployment of systems and applications. Privileged Password Manager also replaces embedded passwords that are hardcoded in scripts, procedures and programs with simple CLI/API calls.
- Privileged Session Manager (PSM): Offers control, auditing, and replay of sessions of high-risk users, including administrators and remote vendors.
- Privileged Command Manager (PCM): Provides the ability to granularly delegate user access to specific programs, tasks and commands across both Windows and Unix/Linux hosts. Privileged Command Manager is an add-on module to Privileged Session Manager.

In combination, these solutions received the SC Magazine's Readers Trust Award in 2010 for Best Regulatory and Compliance Solution.

Privileged Password Management

Given the level of access and the shared nature of accounts like root and administrator, internal and external audits are taking a close look at existing enterprise controls over privileged accounts. In most cases, the existing manual-based policy/procedure solutions (such as locking passwords inside a safe or sealing them inside an envelope) or internally developed technical solutions are failing to deliver assured accountability and adequate audit. PPM, PSM, and PCM are delivered as purpose-built secure appliances with no client- or host-based software requirements. Together, they resolve your security and compliance concerns for shared and privileged account, service account, and hard-coded password management.

Appendix A explains how PPM, PSM and PCM can help your organization obtain and maintain ISO 27001 compliance for many security requirements. At a high level, however, the core features, functions and capabilities under each product that help drive ISO 27001 compliance include:

- Privileged-user accountability
- Privileged-account access control
- Dual-release controls (requestor/approvers)
- Automated password change (time-based and last-use based)
- Strong password generation
- Secure password storage

Administrators connect to the Privileged Account Appliance (PAA) through a standard web browser via https (see Figure 1). PPM supports role-based access and connections for requestors, approvers, and various admin and auditor functions. From a requestor/approver standpoint, PPM securely stores, releases and changes privileged account passwords for a heterogeneous enterprise system environment, including Unix; Windows; databases and network devices (firewalls, Cisco); AS/400 mainframes; and many other systems, devices and applications. Provided with proper authorization (e.g., approval if under dual control), PPM will deliver the current privileged account password to the administrator. Once the release window expires, PPM will automatically change the privileged account password. Connections to back-end systems are also clientless using native system protocols.

Figure 1. Privileged Account Appliance (PAA) with Privileged Password Manager

Privileged Session Management

Quest One Privileged Session Management (PSM) can address the security and compliance concerns associated with allowing remote third-party (vendors, suppliers, consultants, etc.) and administrative access into enterprise networks and resources. Technically, many of these issues are easily addressed for employees through the deployment of an enterprise VPN, firewall, virus software and IDS, but these issues become more challenging when working with remote third-party vendors, since the enterprise does not have the same level of physical or technical controls over third-party systems, networks and environments as they do over remote employee connections.

Appendix A details how PSM can help the enterprise meet the intention of many security standards. At a high level, the areas of audit under ISO 27001 that PSM directly addresses are:

- Monitoring vendor accounts
- Logging all action by root and administrator
- Monitoring, controlling, and limiting access

PSM delivers a compliance-driven solution to the critical audit issues associated with remote third-party connections, including:

- Remote session recording, including keystrokes, mouse movements and all screen changes
- Remote session monitoring
- Session proxy: no direct connection to back-end servers, accounts or applications
- Clientless: secure, encrypted communication via https

The unique session recording and monitoring capabilities and DVR-like playback of PSM allow you to easily answer the question "What did the remote vendor do when connected?" It is like having a camera recording a parking garage: it is not something you would review every day, but when needed it is a great security and compliance benefit to be able to go to the tape. What's more, with Privileged Command Management, you can delegate privileged access to key resources down to the command level.

Figure 2. Privileged Session Manager

APPENDIX A: ISO 27002 Requirement Summary

ISO 27002 Objective/Control

- A.6.2 External parties
  Objective: To maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
- A.6.2.1 Identification of risks related to external parties
  Control: The risks to the organization's information and information processing facilities from business processes involving external parties shall be identified and appropriate controls implemented before granting access.
- A.6.2.2 Addressing security when dealing with customers
  Control: All identified security requirements should be addressed before giving customers access to the organization's information or assets.
- A.8.3 Termination or change of employment
  Objective: To ensure that employees, contractors and third-party users exit an organization or change employment in an orderly manner.
- A.8.3.3 Removal of access rights
  Control: The access rights of all employees, contractors and third-party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
- A.10.1 Operational procedures and responsibilities
  Objective: To ensure the correct and secure operation of information processing facilities.

How Quest meets the requirement

PPM is able to deliver individual accountability to shared privileged accounts such as root. Configuration options can assure that only one authorized user can have access to an account password during a release window. Last-use change controls will assure that after use, the password is changed before release to any other authorized user. This combination of release and change controls assures individual accountability is maintained. PSM can monitor and control any access of third parties to any of the organization's assets.

PPM and PSM can be integrated with AD and/or existing CMDB such that changes made at a directory level (e.g., user removed) would affect change within PPM/PSM policy/configuration. Setting of dual-authorization (or more) controls for release of managed passwords and/or resource access can also help assure terminated user access is denied. Setting PPM for last-use password-change control ensures that NO USER has privileged-account password knowledge unless they are in an active release window. This ensures that any terminated user, even if not immediately removed from AD, CMDB and/or PPM, would have no privileged password knowledge.

ISO 27002 Objective/Control

- A.10.1.3 Segregation of Duties
  Control: Duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
- A.10.1.4 Separation of development, test and operational facilities
  Control: Development, test and operational facilities shall be separated to reduce the risks of unauthorized access or changes to the operational system.
- A.10.10 Monitoring
  Objective: To detect unauthorized information processing activities.
- A.10.10.1 Audit logging
  Control: Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
- A.10.10.3 Protection of log information
  Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
- A.10.10.4 Administrator and operator logs
  Control: System administrator and system operator activities shall be logged.

How Quest meets the requirement

PPM, PSM and PCM support role-based access controls (RBAC), dual-connection authorization controls, and command-level controls.

PPM and PSM provide a trusted point from which access between development, test and production environments can exist and maintain ISO 27002 compliance. See the Quest One Developer and Administrator Access to Production (DAAP) white paper for details.

PPM and PSM audit and log all activity, including success or failure of action. With PSM session controls, PSM can augment target-system audit and logging to include a full-session recording of all activity, auto-archiving, and DVR-like playback. The recording will include success or failure indications to the degree those are visible to the connected user. PSM session-access control and recording features greatly enhance existing host-based logging and audit trails. Session recordings provide a full recording view of all activity to an entity's hosted environment. Recordings can be stored on the appliance and/or automatically archived. Retrieval and playback of recordings is quick, easy and automated through PSM. Recordings can be retrieved based on date/time, user, system and other attributes to assure quick review of relevant session recordings in the event of a compromise or other critical issue.

PPM and PSM audit logs are secured on the appliance and cannot be modified by any user. Viewing of audit logs is role-based. If exported, audit-log security would be based on the external device (Syslog server, etc.). With PSM session controls, PSM can augment target-system audit and logging to include a full-session recording of all activity, auto-archiving, and DVR-like playback. Recordings will include any user authorized or unauthorized access to target system audit logs. PSM supports reviewer roles to ensure access recordings and logs are reviewed as determined by policy; if not reviewed, notifications or escalation can be sent via email.

PPM and PSM audit and log all activity. Access to audit trails is limited based on user or administrator roles. With PSM session controls, all access to target systems can be recorded, including any access to audit trails.

ISO 27002 Objective/Control

- A.10.10.5 Fault logging
  Control: Faults shall be logged, analyzed and the appropriate action taken.
- A.11.2 User access management
  Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
- A.11.2.1
  Control: There shall be a formal user registration and deregistration procedure in place for granting and revoking access to all information systems and services.
- A.11.2.2 Privilege management
  Control: The allocation and use of privileges shall be restricted and controlled.
- A.11.2.3 User password management
  Control: The allocation of passwords shall be controlled through a formal management process.
- A.11.2.4 Review of user access rights
  Control: Management shall review users' access rights at regular intervals using a formal process.

How Quest meets the requirement

PPM and PSM audit and log all activity. Access to audit trails is limited based on user and/or administrator roles. With PSM session controls, all access to target systems can be recorded including creation and deletion of system-level objects.

PPM provides life-cycle management of privileged credentials, including secure storage, release controls and change controls. PPM supports integration with AD and existing CMDB(s) such that changes made at a directory level can affect PPM. For example, a user removed from AD Windows admin group would be removed from PPM and associated access policies. PPM and PSM support granular policy-based access to control resources as well as dual-access (or more) authorization controls. PCM supports access control to the command level.

PPM provides life-cycle management of privileged credentials, including secure storage, release controls and change controls. PPM and PSM support dual (or more) password-retrieval control and dual-resource (or more) connection authorization-control workflows.

PPM provides life-cycle management of privileged credentials, including secure storage, release controls and change controls. PPM supports integration with AD and existing CMDB(s) such that changes made at a directory level can affect PPM. For example, a user removed from AD Windows admin group would be removed from PPM and associated access policies. PPM and PSM support granular, policy-based access to control resources as well as dual-access (or more) authorization controls. PCM supports access control to the command level.

PSM and PCM session-management and command-level controls can ensure access by authorized users only and further limit sessions to a specific command. This helps augment host-level controls. Access not explicitly allowed by policy is denied.

PPM provides life-cycle management of privileged passwords, including secure storage, release controls and change controls. PPM and PSM support dual (or more) password-retrieval control and dual-resource (or more) connection authorization-control workflows.

PPM and PSM have user entitlement reports that provide a mechanism to review and audit individual users' permissions for systems, accounts, commands and files on an enterprise scale. Based upon selected filter criteria, the report will show each user's permissions to each system, whether based upon collection, group, or individual assignment. Furthermore, PPM and PSM support settings to disable users after a defined number of days of inactivity.

ISO 27002 Objective/Control

- A.11.3 User responsibilities
  Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
- A.11.3.1 Password use
  Control: Users shall be required to follow good security practices in the selection and use of passwords.
- A.11.4 Network Access Control
- A.11.4.2 User authentication for external connections
  Control: Appropriate authentication methods shall be used to control access by remote users.
- A.11.4.5 Segregation in network
  Control: Groups of information services, users, and information systems shall be segregated on networks.
- A.11.4.6 Network connection control
  Control: For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications (see 11.1).
- A.11.5 Operating system access control
  Objective: To prevent unauthorized access to operating systems.

How Quest meets the requirement

Passwords managed by PPM are automatically created based on defined password creation policy. Passwords can be configured for change after each use, effectively providing privileged one-time-use passwords. PPM provides full configuration control of password rule policies, including numeric/alphabetic and min/max-length requirements. Passwords managed by PPM will be generated according to the associated rule to the system and/or account.

PPM and PSM can be integrated with two-factor authentication to provide increased security for remote users. PSM can also be used to only provide session-based access to remote users and full-session recording of all activity, auto-archiving, and DVR-like playback.

PPM and PSM support role-based access to privileged accounts and resources. Shared-hosting providers deploying PPM and PSM can assure access restrictions are maintained and controlled between entities and their specific systems, applications and data. Session monitoring and recording functions provide a method whereby each entity can review activities in real time or as a post-forensic review. Dual-authorization controls can support a workflow whereby service-provider access is requested and approved by the specific entity. Several features and functions provided by PPM and PSM help extend an entity's control and audit over resources deployed with a shared hosting provider.

PPM supports day-of-week and time-of-day access-request controls. PSM supports real-time session monitoring and recording of vendor sessions.

ISO 27002 Objective/Control

- A.11.5.1 Secure log-on procedure
  Control: Access to operating systems shall be controlled by a secure log-on procedure.
- A.11.5.2 User identification and authentication
  Control: All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.
- A.11.5.3 Password management system
  Control: Systems for managing passwords shall be interactive and shall ensure quality passwords.
- A.11.5.4 Use of system utilities
  Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
- A.11.5.6 Limitation of connection time
  Control: Restrictions on connection times shall be used to provide additional security for high-risk applications.
- A.11.6 Application and information access control
  Objective: To prevent unauthorized access to information held in application systems.
- A.11.6.1 Information access restriction
  Control: Access to information and application system functions by users and support personnel shall be restricted in accordance with the defined access control policy.

How Quest meets the requirement

PSM provides secured non-console administrative access to systems and applications. Authorized connections are proxied and secured via secure native protocols (SSH, https, etc.). PPM and PSM support configuration settings to lock out a user after a configured number of access attempts. Thus, the user would be unable to get access to the passwords or systems managed through PPM and PSM.

PPM is able to deliver individual accountability to shared privileged accounts. Configuration options can ensure that only one authorized user can have access to an account password during a release window. Last-use change controls will assure that after use, the password is changed before release to any other authorized user. This combination of release and change controls assures individual accountability is maintained. PPM and PSM support dual (or more) password-retrieval control and dual-resource (or more) connection authorization-control workflows.

Passwords managed by PPM are automatically created based on defined password-creation policy. Passwords can be configured for change after each use, effectively providing privileged one-time-use passwords. PPM provides full configuration control of password rule policies, including numeric/alphabetic and min/max-length requirements. Passwords managed by PPM will be generated according to the associated rule to the system and/or account.

PPM and PSM can limit the connection time to provide additional security for high-risk applications.

PSM supports options to proxy (no direct access), control, monitor and record access to databases. PCM supports access control to the command level to limit users and support personnel access to only the commands they need.

ISO 27002 Objective/Control

- A.15.3 Information systems audit considerations
  Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.
- A.15.3.2 Protection of information systems audit tools
  Control: Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.

How Quest meets the requirement

PPM and PSM audit logs are secured on the appliance and cannot be modified by any user. Viewing of audit logs is role-based. If exported, audit-log security would be based on the external device (Syslog server, etc.). With PSM session controls, PSM can augment target-system audit and logging to include a full-session recording of all activity, auto-archiving, and DVR-like playback. Recordings will include any user authorized or unauthorized access to target system audit logs. PSM supports reviewer roles to ensure access recordings and/or logs are reviewed as determined by policy; if not reviewed, notifications or escalation can be sent via email.

About Quest One Identity Solutions

Quest One Identity Solutions reduce the complexity, cost and risk of managing identities and controlling access to increase your compliance, security and efficiency. Our modular yet integrated approach features a broad portfolio of award-winning solutions that simplify access governance, user activity monitoring, privileged account management and user account management. Unlike traditional framework solutions, Quest One provides granular enforcement across heterogeneous systems with 360-degree business visibility, with an incredibly fast time to value! Whether you are starting from scratch, already have an identity and access management solution or need to address specific IAM objectives on a single system or platform, Quest One enables you to do it more simply and affordably than you can imagine. Learn more about the solutions that earned SC Magazine's highest five-star RECOMMENDED rating by visiting www.quest.com/identity-management.

© 2011 Quest Software, Inc. ALL RIGHTS RESERVED.

This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the written permission of Quest Software, Inc. ("Quest"). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, itoken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vtoolkit, Quest vworkspace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vautomator, vcontrol, vconverter, vfoglight, voptimizer, vranger, Vintela, Virtual DBA, VizionCore, Vizioncore vautomation Suite, Vizioncore vbackup, Vizioncore vessentials, Vizioncore vmigrator, Vizioncore vreplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Updated October, 2011

About Quest Software, Inc.

Quest Software (Nasdaq: QSFT) simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest solutions for application management, database management, Windows management, virtualization management and IT management, go to www.quest.com.

Contacting Quest Software

PHONE: 800.306.9329 (United States and Canada). If you are located outside North America, you can find your local office information on our Web site.
EMAIL: sales@quest.com
MAIL: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656 USA

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com. SupportLink gives users of Quest Software products the ability to:

- Search Quest's online Knowledgebase
- Download the latest releases, documentation and patches for Quest products
- Log support cases
- Manage existing support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information and policies and procedures.

SBW-QOS4PA-ISO27001Comply-US-KS