Privileged user management trips up NSA – TechTarget

A recently declassified report revealed the U.S. National Security Agency failed to fully secure its systems since the Edward Snowden leaks in 2013.

The report detailed the findings of the Department of Defense inspector general's 2016 assessment of the NSA's security efforts around privileged user management. The heavily redacted report was declassified after Charlie Savage, a Washington correspondent for The New York Times, filed a Freedom of Information Act lawsuit. The assessment looked at how the NSA handles privileged access management, and, according to the report, the NSA was found wanting.

After Edward Snowden leaked over a million files in 2013, the NSA began an initiative, dubbed Secure the Net (STN), with seven privileged user management goals. The inspector general's assessment found that the NSA met only four out of the seven goals: developing and documenting a plan for a new system administration model; assessing the number of system administrators across the enterprise; implementing two-factor access controls over data centers and machine rooms; and implementing two-factor authentication controls for system administration.

According to the report, dated Aug. 29, 2016, not all of the four privileged user management initiatives were fully met. "[The] NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms in accordance with the initiative requirements and policies, and did not extend two-stage authentication controls to all high-risk users," the report read.

Additionally, the assessment found that three of the seven STN initiatives for strong privileged user management were not accomplished. The NSA was supposed to "fully implement technology to oversee privileged user activities; effectively reduce the number of privileged access users; and effectively reduce the number of authorized data transfer agents."

There were 40 STN initiatives in total, though the assessment focused on the seven related to privileged access management. The conclusion reached in the assessment was, while the NSA was successful in part, it "did not fully address all the specifics of the recommendations."

Learn everything you need to know about privileged access management in the enterprise

Find out how to manage and monitor privileged user accounts

Test your privileged user management knowledge with this quiz

Original post:
Privileged user management trips up NSA - TechTarget