NIST SPECIAL PUBLICATION 1800-9B
Access Rights Management for the Financial Services Sector
Volume B: Approach, Architecture, and Security Characteristics
James Banoczi
National Cybersecurity Center of Excellence, Information Technology Laboratory
Sallie Edwards, Nedu Irrechukwu, Josh Klosterman, Harry Perper, Susan Prince, Susan Symington, Devin Wynne
The MITRE Corporation, McLean, VA
August 2017
DRAFT
This publication is available free of charge from:
DISCLAIMER
Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.
National Institute of Standards and Technology Special Publication 1800-9B
Natl. Inst. Stand. Technol. Spec. Publ. 1800-9B, 104 pages, August 2017
CODEN: NSPUE2
FEEDBACK
You can improve this guide by contributing feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us.
Comments on this publication may be submitted to: financial_nccoe@
Public comment period: August 31, 2017 through October 31, 2017
All comments are subject to release under the Freedom of Information Act (FOIA).
National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899
Email: nccoe@
NATIONAL CYBERSECURITY CENTER OF EXCELLENCE
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners--from Fortune 50 market leaders to smaller companies specializing in IT security--the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cyber Security Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md.
To learn more about the NCCoE, visit . To learn more about NIST, visit .
NIST CYBERSECURITY PRACTICE GUIDES
NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.
The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.
ABSTRACT
Managing access to resources (data) is complicated because internal systems multiply and acquisitions add to the complexity of an organization's IT infrastructure. Identity and access management (IdAM) is the set of technology, policies, and processes that are used to manage access to resources. Access rights management (ARM) is the subset of those technologies, policies, and processes that manage the rights of individuals and systems to access resources (data). In other words, an ARM system enables a company to give the right person the right access to the right resources at the right time. The goal of this project is to demonstrate an ARM solution that is a standards-based technical approach to coordinating and automating updates to and improving the security of the repositories (directories) that maintain the user access information across an organization. The coordination improves cybersecurity by ensuring that user access information is updated accurately (according to access policies), including disabling accounts or revoking access privileges as user resource access needs change. Cybersecurity is also improved through better monitoring for unauthorized changes (e.g., privilege escalation). The system executes user access changes across the enterprise according to corporate access policies quickly, simultaneously, and consistently. The ARM reference design and example implementation are described in this NIST Cybersecurity "Access Rights Management" practice guide. This project resulted from discussions among NCCoE staff and members of the financial services sector.
This NIST Cybersecurity Practice Guide also describes our collaborative efforts with technology providers and financial services stakeholders to address the security challenges of ARM. It provides a modular, open, end-to-end example implementation that can be tailored to financial services companies of varying sizes and sophistication. The use case scenario that provides the underlying impetus for the functionality presented in the guide is based on normal day-to-day business operations. Though the reference solution was demonstrated with a certain suite of products, the guide does not endorse these specific products. Instead, it presents the NIST Cybersecurity Framework (CSF) core functions and subcategories, as well as financial industry guidelines, that a company's security personnel can use to identify similar standards-based products that can be integrated quickly and cost-effectively with a company's existing tools and infrastructure. Planning for deployment of the design gives an organization the opportunity to review and audit the access control information in their directories and get a more global, correlated, disambiguated view of the user access roles and attributes that are currently in effect.
KEYWORDS
Access; authentication; authorization; cybersecurity; directory; provisioning.
ACKNOWLEDGMENTS
We are grateful to the following individuals for their generous contributions of expertise and time.
| Name | Institution |
|---|---|
| Jagdeep Srinivas | AlertEnterprise |
| Hemma Prafullchandra | HyTrust |
| Roger Wigenstam | NextLabs |
| Don Graham | Radiant Logic |
| Adam Cohen | Splunk |
| Clyde Poole | TDi Technologies |
| Dustin Hayes | Vanguard Integrity Professionals |
The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:
| Product Vendor | Component Name | Function |
|---|---|---|
| AlertEnterprise | Enterprise Guardian | Access policy management, administration and account provisioning system |
| HyTrust | Cloud Control | Privileged user access controller, monitor, and logging system for vSphere |
| NextLabs | NextLabs | Attribute-based access control interface for SharePoint |
| Radiant Logic | RadiantOne | Virtual directory system |
| Splunk | Enterprise | Log aggregation and analytics system |
| TDi Technologies | ConsoleWorks | Application and operating system privileged user access controller, monitor, and logging system |
| Vanguard Integrity Professionals | Vanguard | Mainframe RACF to LDAP interface system |