This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system separates user functionality (including user interface services) from information system management functionality.
NIST 800-53 (r4) Supplemental Guidance:
Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3.
NIST 800-53 (r5) Discussion:
System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8, including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14), and SA-8(18).
38North Guidance:
Meets Minimum Requirement:
Deploy system management functionality and user functions in separate virtual networks (i.e., "Management Network" and "Customer Network"). The Management Network should provide a set of shared services for the rest of the environment.
Deploy management functionality inside private subnets protected by Network Access Control Lists (NACLs) and/or firewalls. Restrict ingress/egress data flows by port, protocol, and source/destination IP address.
Best Practice:
Deploy management functionality and user functions in separate virtual networks (i.e., "Management Network" and "Customer Network"). The Management Network should provide a set of shared services for the rest of the environment. Each customer should reside in their own virtual network.
Deploy management functionality inside private subnets protected by Network Access Control Lists (NACLs) and/or firewalls. Restrict ingress/egress data flows by port, protocol, and source/destination IP address. Group assets in separate subnets based on business functions.
Enforce a separate network access path and fine-grained access controls for the Management Network. CSP administrators should access the Management Network via a bastion host hardened to DISA STIG standards. All administrative activity and network connections within the environment should originate from the bastion host, require multi-factor authentication, and be subject to stronger auditing controls (e.g., keystroke logging, full-text recording of privileged commands, etc.).
Create and assign specialized roles in accordance with the principle of least privilege for Management Network administrators.
Traffic flows between the Management and Customer Networks should be unidirectional (i.e., initiated from the Management Network toward the Customer Network) with few exceptions (e.g., agent communication with management servers).
Implement Role-Based Access Controls (RBAC) within application User Interfaces (UI).
Use cloud-native, in-boundary peering connections to connect virtual networks without traversing the internet.
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Live demonstration showing that management and user functionality are logically separated. Assessors want to observe individuals with and without permissions attempt to access services/resources inside the Management Network. Access should be granted to individuals assigned the appropriate role(s) and permissions, and denied to those who are not. Assessors will conduct a penetration test to validate access controls and logical isolation between virtual networks (e.g., attempting to hop from the Management Network to a Customer Network, or from the Customer1 Network to the Customer2 Network, as a credentialed system user).
Documentation or screenshots showing firewall and/or NACL configuration settings.
List of individuals with access to management functionality.
CSP Implementation Tips:
Amazon Web Services (AWS):
Build isolated network segments using Amazon VPCs, Security Groups, and NACLs.
Ensure communications between the Management Network and the user functionality (Customer) network are encrypted.
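As an added example (not part of the 38North guidance or of any AWS tool), the following Python audit walks a Management Network NACL, in the shape of the `Entries` list returned by `aws ec2 describe-network-acls`, and flags ingress rules that let a Customer Network reach the Management Network on anything other than the permitted agent ports, i.e., the reverse of the unidirectional flow described under Best Practice. The NACL entries, customer CIDRs, and agent port are constructed sample values.

```python
import ipaddress

# Constructed sample in the shape of the `Entries` list returned by
# `aws ec2 describe-network-acls` for a NACL attached to Management Network subnets.
MGMT_NACL_ENTRIES = [
    # Agent check-in from Customer1 Network to the management server port (allowed exception)
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.10.0.0/16", "PortRange": {"From": 8443, "To": 8443}},
    # SSH from Customer2 Network into the Management Network (violates unidirectional flow)
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.20.0.0/16", "PortRange": {"From": 22, "To": 22}},
    # Allow-all ingress from anywhere; first-match evaluation makes the later deny moot
    {"RuleNumber": 120, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    # Egress toward customers is the expected direction and is not audited here
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]

CUSTOMER_CIDRS = ["10.10.0.0/16", "10.20.0.0/16"]   # constructed Customer1/Customer2 ranges
AGENT_PORTS = {8443}                                  # constructed: the only permitted reverse flow


def rule_ports(entry):
    """Port range covered by a NACL entry; protocol -1 (all) means every port."""
    if entry["Protocol"] == "-1":
        return 0, 65535
    pr = entry.get("PortRange", {})
    return pr.get("From", 0), pr.get("To", 65535)


def audit_mgmt_ingress(entries, customer_cidrs, agent_ports):
    """Return (rule_number, cidr, from_port, to_port) for each ingress allow rule that lets
    a Customer Network (or 0.0.0.0/0, which covers it) reach the Management Network on
    ports other than the permitted agent ports. Walked in NACL evaluation order."""
    customer_nets = [ipaddress.ip_network(c) for c in customer_cidrs]
    findings = []
    for e in sorted(entries, key=lambda x: x["RuleNumber"]):
        if e["Egress"] or e["RuleAction"] != "allow":
            continue
        src = ipaddress.ip_network(e["CidrBlock"])
        if not any(src.overlaps(n) for n in customer_nets):
            continue
        lo, hi = rule_ports(e)
        if set(range(lo, hi + 1)) <= agent_ports:   # only the permitted exception ports
            continue
        findings.append((e["RuleNumber"], e["CidrBlock"], lo, hi))
    return findings
```

NACLs are stateless, so the egress side of the same NACL must still allow the ephemeral return ports for the agent flows this check permits; the check covers only the ingress direction that the unidirectional-flow practice restricts.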
Microsoft Azure: TBD
Google Cloud Platform: TBD