Meet NIST 800-171 3.3 Audit and Accountability with Office 365 GCC High

    NEWS: It was announced at Microsoft Ignite 2018 that audit log retention policies can be set for 1 year. 

    As a disclaimer, this blog is intended to address only Microsoft-based systems and environments. It is not a complete approach but an overview of the capabilities and functionality available to assist in your overall approach.

    The NIST 800-171 Control Family 3.3, entitled "Audit and Accountability", is established to track system activity of all types, maintain records of those activities, and track who is handling those records. For ease of access, I've copied the excerpted section to reference.

    Basic Security Requirements

    3.3.1  Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
    3.3.2  Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

    Derived Security Requirements

    3.3.3  Review and update logged events.
    3.3.4  Alert in the event of an audit logging process failure.
    3.3.5  Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
    3.3.6  Provide audit record reduction and report generation to support on-demand analysis and reporting.
    3.3.7  Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
    3.3.8  Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
    3.3.9  Limit management of audit logging functionality to a subset of privileged users.

    The Yin and Yang of 3.3 Audit and Accountability

    3.3.1 and 3.3.2 set the tone for the rest of the requirements. It is critical for government suppliers and contractors to be aware of the "activity" and "actions" of their users or unintended users. These requirements also have a proactive ("monitor") and reactive ("analysis, investigation, and reporting") element. This common theme of tandem proactive and reactive requirements can be seen throughout 3.3.3-3.3.9.
    Case in point: 3.3.3 requires that organizations proactively review and update logged events, and the subsequent requirement (3.3.4) mandates that alerts be in place for logging process failures. 3.3.5 (reactive) and 3.3.6 (proactive) share this yin and yang as well.
    Information systems are defined in NIST 800-171 as "A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information." If a government contractor elects to maintain on-premises systems, they must purchase and manage individual solutions for each system: mail, content repositories, archives, collaboration and communication platforms, etc. Not all of these individual solutions can perform both the proactive and reactive functions required.

    A Cloud Solution for Security and Compliance Goals... and Your Wallet

    We will assume an average business has five information systems if it is not using a cloud SaaS or PaaS solution set. That business may also require multiple tools/modules for each information system. If each tool/module conservatively costs an average of $5,000 per year, then we are assuming $50,000 annually, without factoring in the maintenance and management of each tool. There is also the concern that each tool will not support the other 13 control families in NIST 800-171 that apply.
    For example, the same product you purchase to audit your on-premises servers may not address your requirements for Identification and Authentication in 3.5.
    With Microsoft 365, and specifically Office 365 GCC High, you gain a centralized Security and Compliance Center across all of your Microsoft information systems. The capabilities needed to meet NIST 800-171 3.3 are native functionality within Office 365 GCC High. You still need a tool, or a set of tools, to monitor personal machines, network devices, firewalls, etc.

    Meet 3.3 Audit and Accountability with Office 365

    Some key metrics to consider:
    • Microsoft is processing 260 billion "information sources" on a monthly basis in Auditing Services across their client base.
    • The Auditing Service in Office 365 can monitor and provide "on-demand analysis" (3.3.6) for over 900 user operations within your ecosystem of information systems.
    • 15+ services, or information systems, are supported by the native Office 365 Auditing Service.

    Office 365 GCC High Auditing Service

    Office 365 GCC Meets Every Requirement in 3.3 Audit and Accountability for Your Microsoft Cloud Enterprise

    Every information system should be unified under a comprehensive identity management product. Microsoft's Azure AD ensures all actions and events can be traced to a source or collection of sources regardless of where the unauthorized or unlawful activity takes place. It's important to have time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Through the Audit log search functionality in Office 365 GCC High, backed by long-term audit storage in Office 365, we can search by all of these parameters and more. This meets the "uniquely traced" requirement in 3.3.2 and then some. Being able to drill down and provide "audit record reduction" is critical to meeting 3.3.6.
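As an added example (not from the original post and not Microsoft's own sample code), the PowerShell below pulls unified audit log records for a GCC High tenant over a date range, expands the fields the paragraph lists (time stamp, user identifier, operation, client IP, object, result), and reduces them to a per-user, per-operation summary of the kind 3.3.6 calls for. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a role permitted to read the audit log, and the record type, operations and deletion threshold are placeholder choices for illustration.

```powershell
# Added example: query and reduce the Office 365 unified audit log (GCC High).
# Assumes the ExchangeOnlineManagement module; O365USGovGCCHigh selects the GCC High endpoints.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

$start = (Get-Date).AddDays(-7)   # placeholder review window: last seven days
$end   = Get-Date

# Page through results: ReturnLargeSet with a fixed SessionId keeps returning the
# next chunk until the set is exhausted (an empty batch ends the loop).
$sessionId = "nist-336-review-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileAccessed,FileDeleted,SharingSet `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $batch
} while ($batch.Count -gt 0)

# AuditData holds the detailed event as JSON; expand the fields needed to trace
# each action to a user, a time and an object (3.3.2).
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeStamp = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Object    = $d.ObjectId
        Result    = $d.ResultStatus   # not populated for every SharePoint event
    }
}

# Audit record reduction (3.3.6): collapse thousands of events into counts per
# user and operation, then flag heavy deletion activity for review.
$summary = $events | Group-Object User, Operation | ForEach-Object {
    [pscustomobject]@{ User = $_.Values[0]; Operation = $_.Values[1]; Count = $_.Count }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize

$deleteThreshold = 100   # assumed threshold; tune to the organization's baseline
$summary | Where-Object { $_.Operation -eq 'FileDeleted' -and $_.Count -ge $deleteThreshold } |
    ForEach-Object { Write-Warning "Review: $($_.User) deleted $($_.Count) files in the window" }
```

The same loop works for other record types and operations; narrowing the filter before paging is what keeps the pull small enough to review on demand.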
    Auditing Services to meet 3.3.6 in NIST 800-171
    Alerting services within Office 365 GCC High are critical in meeting 3.3.8. Within the Security and Compliance Center, administrators can set alerts for modification or manipulation of any existing policies or rules. This includes the creation of new rules and policies and the modification or deletion of existing ones.
    Alerts can also be set for suspicious activities within specific workloads such as the attempted sharing, access, or deletion of specific documents in SharePoint. Another example is the attempted or successful alteration of settings within the Admin Center or changing permissions for other user accounts. 
    Alerting Services to meet 3.3.8 in NIST 800-171
    Alerting Services in Office 365 GCC High
    3.3.9 is addressed with administrative roles within the Security and Compliance Center, and Privileged Access Management within Office 365 was just made available to create approval workflows for high-risk tasks like handling audit logs. As mentioned at the top of this blog, it was also recently announced at Microsoft Ignite that audit log retention policies can be set for 1 year! Reminder alerts on expiring logs can be set as well so that your team can take appropriate action.
    Audit records can be reviewed and analyzed to meet 3.3.5, with accurate time stamps (3.3.7) on the various actors involved. This includes risky users, machines, documents, folders, and the actions resulting from them. Below are some sample views into the various dashboards available for logged events in the Audit Record Dashboard. These dashboards alone give a window into event types and log history so that a company can review and update or evolve its logging policies (3.3.3).
    Audit Log Analysis to meet 3.3.5 in NIST 800-171
    Audit Log Analysis in Office 365 GCC High
    Audit Logs 3.3.3 in NIST 800-171

    Wrapping It All Up

    For additional details and background on the referenced data points and releases, check out this session from Microsoft Ignite 2018. This blog is one of many to come addressing each control family in NIST 800-171 with an overview of capabilities in Office 365 GCC High. We also hope to pair each of these with a video for those who dislike reading or want only the general overview. Shoot us questions if you need specifics or further explanations.
