NIST (National Institute of Standards and Technology) Controls

NIST (National Institute of Standards and Technology) provides comprehensive guidance for improving Identity and Access Management (IAM) systems. These guidelines are part of broader cybersecurity frameworks and publications that help organizations secure their digital identities and access controls. Here's an overview of the key NIST controls and guidelines relevant to IAM:

1. NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations

This document provides a catalog of security and privacy controls for federal information systems and organizations. It covers a wide range of topics, including IAM. Relevant control families include:

  • AC (Access Control): This family of controls deals directly with access to information systems and includes:
    • AC-1: Access Control Policy and Procedures
    • AC-2: Account Management
    • AC-3: Access Enforcement
    • AC-4: Information Flow Enforcement
    • AC-5: Separation of Duties
    • AC-6: Least Privilege
    • AC-7: Unsuccessful Login Attempts
    • AC-17: Remote Access
    • AC-19: Access Control for Mobile Devices
    • AC-20: Use of External Information Systems
    • AC-21: Information Sharing
  • IA (Identification and Authentication): This family of controls focuses on ensuring that only authorized individuals can access information systems and includes:
    • IA-1: Identification and Authentication Policy and Procedures
    • IA-2: Identification and Authentication (Organizational Users)
    • IA-3: Device Identification and Authentication
    • IA-4: Identifier Management
    • IA-5: Authenticator Management
    • IA-6: Authenticator Feedback
    • IA-7: Cryptographic Module Authentication

2. NIST SP 800-63: Digital Identity Guidelines

This document provides technical requirements for federal agencies implementing digital identity services. It consists of several volumes:

  • NIST SP 800-63-3: Offers guidance on selecting appropriate identity assurance levels (IALs), authentication assurance levels (AALs), and federation assurance levels (FALs).

  • NIST SP 800-63A: Covers enrollment and identity proofing, detailing processes for verifying identities and issuing credentials.

  • NIST SP 800-63B: Provides guidelines on authentication and lifecycle management, including multi-factor authentication (MFA), password management, and session management.

  • NIST SP 800-63C: Focuses on federation and assertions, covering how identities can be securely shared across different systems.

3. NIST Cybersecurity Framework (CSF)

The NIST CSF is a voluntary framework designed to help organizations manage and reduce cybersecurity risk. It's structured around five core functions: Identify, Protect, Detect, Respond, and Recover. IAM is particularly relevant in the Identify and Protect functions:

  • Identify: Understanding the organization's identity management landscape, including assets, data, and systems, is key to implementing effective IAM controls.

  • Protect: Implementing IAM solutions like access controls, encryption, and MFA to safeguard data and systems.

4. NIST SP 800-207: Zero Trust Architecture

This publication provides guidelines on implementing a Zero Trust Architecture (ZTA), which assumes that threats could be both external and internal. IAM is central to ZTA, ensuring that access decisions are made dynamically based on identity, context, and risk.

Improvement Guidance for IAM Systems:

  • Implement Strong Authentication Mechanisms: Adopt multi-factor authentication (MFA) to increase security.

  • Apply Least Privilege Principle: Ensure users only have access to the resources necessary for their roles.

  • Regularly Review and Update Access Controls: Continuously monitor and adjust access controls to respond to changing threats and organizational needs.

  • Identity Proofing and Credential Management: Follow NIST SP 800-63A/B guidelines to ensure identities are verified, and credentials are managed securely.

  • Audit and Monitoring: Regularly audit access logs and monitor for unusual access patterns to detect and respond to potential security incidents.

These NIST controls and guidelines provide a strong foundation for building a secure and effective IAM system. They are designed to help organizations manage digital identities, control access, and protect sensitive information.

Comments

Post a Comment

Popular posts from this blog

SailPoint IIQ - Installation Steps

Image
How to Install and Deploy SailPoint IdentityIQ in Local Windows Machine 1]  Prerequisite tools checklist: Use below credential during MySQL database installation setup (At step 2): MySQL super user access needed for running schema scripts  UID          root Password root123 This is same password which you have set during installation of MySQL Download and install below softwares Oracle or Open JDK - Version 1.8  ( https://www.java.com/en/download    or    https://openjdk.org/projects/jdk8/ ) MySQL database - Version 8x  ( https://dev.mysql.com/downloads/installer/ ) Apache Tomcat Server - Version 9x  ( https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.56/bin/apache-tomcat-9.0.56.zip ) Set JAVA_HOME ,  JRE_HOME  and  MY_SQL  path in environment variable 2]  Deploy Sailpoint war/jars & launch SailPoint IQ application: Steps to follow for deploying SailPoint jars/wars and Launch Sai...
Read more

SailPoint IIQ - Database Tables

#User master table, consist of firstname, lastname, email etc. select  * from spt_identity #Entitlement select * from spt_identity_entitlement #Role select * from spt_bundle #Application table details like HR, Finance, PAM application etc. select * from  spt_application # Managed attributes details like type entitlement, group etc. select * from  spt_managed_attribute # Profiles related table select * from  spt_profile select * from  spt_profile_constraints select * from spt_bundle #Request manage access table select * from spt_identity_request_item #Access request table - with completion status, requester, approver etc. select * from  spt_identity_request #WorkItems select * from spt_work_item #Plugin listing table select * from  spt_plugin # Password policies select * from  spt_password_policy #Capabilities select * from  spt_capability select * from  spt_capability_rights select * from  spt_capability_children #Request Detai...
Read more