Public Sector: NIST 800-63 & SOX Compliance

For academic institutions, nonprofits and government organizations that need to protect against account takeover and data theft, Duo Security supports several authentication methods and integrates with VPNs, servers and web applications.

Deployment is fast because there is no hardware to install and no hardware tokens to inventory and distribute. Users register themselves and enroll their own devices; for large deployments, Duo also supports batch enrollment and synchronization with an existing user directory such as Microsoft Active Directory.

NIST 800-63 & SOX Compliance At a Glance

The National Institute of Standards and Technology (NIST) publishes security recommendations for federal agencies, and for nongovernmental organizations that choose to adopt them, in Special Publication 800-63, the Electronic Authentication Guideline (PDF).

The version discussed here, SP 800-63-1, was published in December 2011 and updated the original 2006 guideline to cover newer authentication technologies and threats. It has since been superseded: SP 800-63-2 followed in 2013 and SP 800-63-3 in 2017, the latter replacing the single Level of Assurance with separate identity, authenticator and federation assurance levels.

NIST defines four levels of authentication assurance, Level 1 through Level 4. The guideline tabulates common attacks on the authentication process (such as online guessing, eavesdropping, replay and phishing) and shows which levels are required to resist each:

In NIST's table, Levels 3 and 4 resist the widest range of these attacks and so provide the strongest protection.

Separately, publicly traded companies are governed by the Sarbanes-Oxley Act of 2002, or SOX. Unlike the NIST guideline, SOX is a law rather than a recommendation; it is intended to protect investors by standardizing how publicly traded companies manage auditors, financial reporting, executive responsibility and internal controls.

SOX was enacted after the Enron scandal to prevent a repeat. Because the integrity of financial data depends on the systems that store and process it, SOX compliance requires information security teams to strengthen the IT controls protecting that data.

The Control Objectives for Information and Related Technology (COBIT) framework is what IT professionals have commonly used to decide which security controls are sufficient for SOX compliance, since the Act itself does not name any.

Two-Factor Authentication, NIST 800-63 & SOX Compliance

Level 3 requires two-factor authentication (NIST's term is multi-factor). Two factors are a necessary part of Level 3 rather than the whole of it: the level also imposes identity-proofing and authentication-protocol requirements. As NIST states:

Level 3 provides multi-factor remote network authentication. At least two authentication factors are required. At this level, identity proofing procedures require verification of identifying materials and information.

Authentication requires that the Claimant prove, through a secure authentication protocol, that he or she controls the token. The Claimant unlocks the token with a password or biometric, or uses a secure multi-token authentication protocol to establish two-factor authentication (through proof of possession of a physical or software token in combination with some memorized secret knowledge).

Modern two-factor authentication solutions use a smartphone as a one-time password software token: possession of the phone is the second factor alongside the user's memorized password. Duo Security's mobile app generates passcodes in accordance with the NIST guideline, and Duo also offers hardware tokens for users who cannot or prefer not to use a phone.

SOX itself does not name specific technologies or methods; it requires strong internal controls over financial information, and the COBIT control objectives are commonly used to translate that requirement into concrete controls.

COBIT control objective DS5.2, Identification, Authentication and Access, states:

The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication, and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections, and other system (network) entry ports from accessing computer resources.

Industry practice treats two-factor authentication as an access-control mechanism that meets this objective: it restricts access to financial data to users who hold both a memorized secret and a token, so a stolen or guessed password alone is not enough.

Two-Factor Authentication for Public Sector Vendors

Two-factor authentication also provides a strong security control for vendors and third parties that support the public sector, including schools, nonprofits and government organizations.

Attackers often target smaller organizations as a gateway into the larger public sector organizations they serve, because smaller organizations tend to have weaker security and fewer resources to spend on IT security.

Duo's two-factor authentication solution gives small and medium-sized businesses an affordable way to raise their security posture, with per-user pricing and no hardware overhead. Find out more in our Editions.

NIST 800-63 & SOX Compliance Resources

NIST Electronic Authentication Guideline: SP 800-63-1 (PDF) - The federal publication that defines the four levels of authentication assurance and the identity-proofing, token and protocol requirements for each; written for federal agencies and widely adopted across the public sector.
COBIT 4.1: Framework for IT Governance and Control - COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.