COI Report – Part VII Page 302 of 425

highlight NIST’s recommendations in SP 800-63-3 Revision 3 (table 6-1) and SP 800-63B [79] (table 4-1) requiring multi-factor authentication as a minimum, for systems and online services that process personally identifiable, sensitive or classified information (i.e. Assurance Level 2 or 3).

880. Any implementation of PAM by IHiS must be accompanied with strict controls ensuring that the PAM-based access is the exclusive means by which administrators access servers. If not, administrators are likely to use less secure means to access restricted systems, to avoid the perceived tedium of using PAM. This would nullify the effectiveness of 2FA. For instance, PAM had in fact been implemented by IHiS for servers in H-Cloud, and thereafter for servers in the SGH Local Data Centre (“LDC”). However, even after PAM had been implemented, administrators were not limited to accessing servers in the SGH LDC and H-Cloud only by using PAM. Administrators preferred to use an alternative method to access the servers, which did not require 2FA, because they found usage of PAM tedious – IHiS administrators found that the PAM sessions timed out quite quickly, resulting in their having to re-enter credentials and 2FA to reconnect to the servers while carrying out their administrative tasks.

881. The Committee stresses that the implementation of a technical solution is not enough. The use of security-related technical solutions must be enforced, and less secure authentication methods must be closed off. As noted by Vivek, if all other means of access are not closed off when 2FA is introduced, the whole purpose of PAM would be defeated, as it could easily be circumvented by administrators, for a variety of reasons.

882. The Committee recognises that there are certain circumstances in which exceptions may be granted to certain administrators. However, as stressed by Vivek, where these exceptions are granted, they must be carefully monitored.

[78] NIST.SP.800-63-3.
[79] NIST.SP.800-63B.
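The control described in paragraphs 880 to 882 (PAM as the exclusive path to servers, with any approved exceptions monitored) can be checked against server authentication logs. The following is an added example, not part of the COI report or of IHiS's tooling; the PAM host address, the break-glass account name and the sshd log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Assumptions (hypothetical values, not from the report): every sanctioned
# administrative SSH session is proxied through one PAM jump host, and one
# break-glass account is an approved exception that must still be reviewed.
PAM_HOSTS = {"10.0.0.5"}
APPROVED_EXCEPTIONS = {"brkglass"}

# sshd "Accepted ..." lines mark successful logins; failures are ignored here.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def classify(line):
    """Return (user, src, verdict) for a successful login, or None.

    verdict is 'pam' (session came via the PAM host), 'exception'
    (approved account that did not use PAM, logged for monitoring) or
    'bypass' (an administrator reached the server without PAM, so the
    control is not being enforced).
    """
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    user, src = m.group("user"), m.group("src")
    if src in PAM_HOSTS:
        verdict = "pam"
    elif user in APPROVED_EXCEPTIONS:
        verdict = "exception"
    else:
        verdict = "bypass"
    return user, src, verdict

def audit(lines):
    """Classify every successful login and tally the verdicts."""
    findings = [f for f in map(classify, lines) if f]
    return findings, Counter(v for _, _, v in findings)

# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    "Jan 10 02:14:01 srv01 sshd[1201]: Accepted publickey for admin1 from 10.0.0.5 port 51234 ssh2",
    "Jan 10 02:15:40 srv01 sshd[1207]: Accepted password for admin2 from 192.168.4.20 port 49822 ssh2",
    "Jan 10 02:16:03 srv01 sshd[1210]: Failed password for admin3 from 192.168.4.21 port 49830 ssh2",
    "Jan 10 02:17:55 srv01 sshd[1215]: Accepted publickey for brkglass from 192.168.4.22 port 49901 ssh2",
]

if __name__ == "__main__":
    findings, tally = audit(SAMPLE_LOG)
    for user, src, verdict in findings:
        print(f"{verdict:9} {user} from {src}")
    print(dict(tally))
```

Any 'bypass' verdict is direct evidence of the situation paragraph 880 describes, and the 'exception' count is the set paragraph 882 says must be watched.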