Policing The Network: Who Accesses What?
If you are a network manager who has not implemented identity management (IDM) and network access controls (NAC), then you will be a network manager who is looking for a new job, according to digital security experts Gemalto.
“If you do not implement identity management and network access controls, you are really setting yourself up for a problem because even though a username and password has been considered good enough security, that is changing. We are getting to a place where the demand, especially for sensitive areas of a corporate network, is for stronger authentication credentials,” explains Ray Wizbowski, vice president of strategic marketing, Security Business Unit, at Gemalto.
IDM and NAC cover the management of individual identifiers, their authentication, authorisation and privileges within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks. Controlling who accesses what in a corporate network is an essential tool in the battle to maintain network security.
IDM can be extended to physical access, to buildings and access control systems in general. A good example of this is the Emirates ID card, which potentially could be used for identity management or to identify the individual.
“In the future you might have public services which will use the certificate store that we have on the Emirates ID to identify the individual against those services. There is nothing that stops the Emirates ID project from also having commercial access for enterprises to identify employees, visitors etc,” says Nicolai Solling, director of technology services at help AG Middle East.
When enterprises look at IDM and NAC for the typical uses that exist within the organisation and the access those uses need, they should keep in mind how privileged users are controlled within the organisation.
“As part of an overall access governance programme, people should look to put the right controls in place that actually improve the ability for people to do their jobs, but also take away the risk from the business. So being able to control the sharing and use of privileged passwords, being able to record sessions if an external consultant is accessing systems, and being in a position where you haven’t got a large number of administrators who are using and sharing system or administrator passwords,” says Phil Allen, director, Identity and Access Management, EMEA at access control and identity management experts Dell Quest One Identity Solutions.
In the average American enterprise environment, any user will have up to 25 different identities to remember, and at any point in time one of those usernames and passwords will be expiring or about to expire, so the user has to keep track of all of these, says Wizbowski.
“From a management perspective that is a huge overhead. Every time that you lose a password as a user, some of the research shows that it costs the company $25 in loss of productivity, because the person can’t log in, it is the fact that you have to call support etc,” he explains.
Importance of identity, access management
Data is the crown jewel of any organisation: the intellectual property and the data of the business, whether that is financial data or mergers and acquisitions data, and all of it is now connected to the internet.
In today’s environment there needs to be a new way of looking at enterprise security. In the past, NAC and IDM were focused on keeping the bad guys out and letting the good guys in. Enterprises handled this by putting up a strong perimeter security strategy. NAC and IDM were put in place to essentially offer keys to the right people to let them in through this hardened perimeter while keeping those without the keys out of the network.
“This was a decent strategy when the enterprise controlled their data centre, the applications sat within that data centre, and the organisation could easily control who to let in and who to keep out,” says Marc Lee, director EMEA, at identity and access management leaders Courion.
Enterprises now have travelling executives who have unlimited access to the data on the corporate network and are carrying it with them on their laptops, so that data becomes the most precious asset within a company. Controlling who gets access to what is critical and having strong authentication is essential.
“Identity and access management is beyond a nice to have thing. I would call it business critical, mission critical, whatever term you want to use,” states Gemalto’s Wizbowski.
Implementing a way to ensure a high level of assurance that the employee that is accessing that data is the correct person has become essential.
“If it is not in place it is a case of not if you will get compromised, it is when you will get compromised, because if you are blocking access by using a username and password that is easily bypassed by cyber thieves,” states Wizbowski.
Today, the extended enterprise is all about ensuring that employees, contractors, partners and even customers can access critical data and applications from anywhere, anytime. The applications and data are often cloud based and accessed by mobile devices. This hardened perimeter of keeping everyone out no longer applies; the new perimeter is policy based and the key ingredient to that policy is identity and access.
“Because of the huge entrance of the new devices to the network, mainly from tablet computers, smartphones etc, additional security is needed now, including network access control,” says Ammar Enaya, general manager for the Middle East at network access solution provider, Aruba Networks.
Identity intelligence is required to immediately identify when user access or activity is suspicious, identify the risk associated with it, alert and notify the proper people, and give them the ability to remediate. It provides the ability to define policy, enforce policy, verify policy compliance, and immediately identify risky access and user behaviour so that action can be taken to remedy it.
How does it work?
Most software systems use NAC or IDM software in one form or another. User identity is authenticated and verified to ensure that the user has the correct provisions to access information. Vendors that provide access management systems provide an application residing on a server that accepts authentication requests and uses standards-based policies to verify the request.
“The identity used in the request contains attributes and credentials that are used in the verification step. Additional software uses the identity information that is also indexed with application or system entitlements to determine whether the requestor is authorised to access the application or system. There are specific entitlements for each application. These entitlements are identified and stored in an entitlement catalog during the construction of the identity management system,” explains Earl Perkins, research vice president in Systems, Security and Risk, at market research firm Gartner.
Access management solutions bring together authentication and authorisation services to verify identities and enforce the entitlements associated with them. Audit software serves as a foundation for analysis and alerting, recording activity and recognising patterns of user behaviour. If there is an anomaly or abnormality, Identity and Access Management systems can alert IT staff, enabling the identification of potential risk areas before any real threats occur.
“The authorisation decision of ‘should you get access to this resource’ or ‘can you perform this operation’ is then made using identity and provisioning information. The software is used to detect whether more information or stronger authentication is required to provide access, or whether access should be granted to the user,” explains Lee.
Access control software controls who goes to what part of a complex or building.
“We allow the IT managers to define roles, because in an organisation a particular user might need access to certain programmes, so we allow them to define what a person’s role is, what they are allowed to do and we allow them to implement that role based approach,” says Prasanna Kumar Singh, senior technical expert, ADManager Plus at ManageEngine.
Allen, from Dell Quest One Identity Solutions, says he typically sees organisations still using the built-in authentication processes that exist within applications such as the Microsoft and Unix systems on their infrastructure.
“However, if people are accessing the network externally, we are seeing a rise in enterprises using strong authentication processes, such as software based tokens, hardware based tokens, people using one time tokens on mobile devices,” he says.
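The flow the vendors describe in this section (authenticate the identity, look up its entitlements in a catalogue, decide whether access is granted or whether stronger authentication is needed, and audit each decision so risky behaviour can be flagged) is easier to see in code. The following is an added example written for this article, not code from Gartner, Courion, ManageEngine, Dell Quest or any other vendor quoted here. The entitlement catalogue, usernames, passwords and policy thresholds are constructed sample data; the "one time token" is stood in for by an HMAC-based one-time password (HOTP, RFC 4226), and the anomaly rule (alert after three denials) is an illustrative policy, not one the article specifies.

```python
# Added example: a minimal access-management core (authenticate, look up
# entitlements, authorise, step up to a one-time code for sensitive or
# external access, audit and alert). Illustrative code, not any vendor's product.
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import secrets
import struct

# Entitlement catalogue: application -> role -> permitted operations (constructed).
ENTITLEMENTS = {
    "payroll":   {"hr_admin": {"read", "write"}, "employee": {"read_own"}},
    "fileshare": {"employee": {"read", "write"}, "contractor": {"read"}},
}
SENSITIVE_APPS = {"payroll"}   # policy: always require a one-time code here
DENIAL_ALERT_THRESHOLD = 3     # policy: flag a user after this many denials


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), as a hardware/software token would produce."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class Identity:
    username: str
    roles: set
    salt: bytes
    pw_hash: bytes
    otp_secret: Optional[bytes] = None   # None means no token has been issued
    otp_counter: int = 0


def enrol(username: str, password: str, roles: set, with_token: bool) -> Identity:
    salt = secrets.token_bytes(16)
    return Identity(username, roles, salt, hash_password(password, salt),
                    secrets.token_bytes(20) if with_token else None)


class AccessManager:
    def __init__(self, identities):
        self.directory = {i.username: i for i in identities}
        self.audit = []   # every decision is recorded for analysis and alerting

    def _record(self, user, app, op, decision, reason):
        self.audit.append({"user": user, "app": app, "op": op,
                           "decision": decision, "reason": reason})
        return decision

    def request(self, user, password, app, op, external=False, otp=None):
        """Return GRANTED, DENIED or STEP_UP_REQUIRED for one access request."""
        ident = self.directory.get(user)
        if ident is None:
            return self._record(user, app, op, "DENIED", "unknown identity")
        if not hmac.compare_digest(hash_password(password, ident.salt), ident.pw_hash):
            return self._record(user, app, op, "DENIED", "bad password")
        # Authorisation: does any of the user's roles carry this entitlement?
        allowed = ENTITLEMENTS.get(app, {})
        if not any(op in allowed.get(role, ()) for role in ident.roles):
            return self._record(user, app, op, "DENIED", "no entitlement")
        # Policy: external or sensitive access needs stronger authentication.
        if external or app in SENSITIVE_APPS:
            if ident.otp_secret is None:
                return self._record(user, app, op, "DENIED", "no token issued")
            if otp is None:
                return self._record(user, app, op, "STEP_UP_REQUIRED", "otp needed")
            if not hmac.compare_digest(otp, hotp(ident.otp_secret, ident.otp_counter)):
                return self._record(user, app, op, "DENIED", "bad otp")
            ident.otp_counter += 1   # each code is single-use
        return self._record(user, app, op, "GRANTED", "policy satisfied")

    def risky_users(self):
        """Identity intelligence: users whose denials reach the alert threshold."""
        denials = Counter(e["user"] for e in self.audit if e["decision"] == "DENIED")
        return sorted(u for u, n in denials.items() if n >= DENIAL_ALERT_THRESHOLD)


def demo():
    """Walk a constructed set of requests through the manager; returns (decisions, alerts)."""
    alice = enrol("alice", "correct horse", {"hr_admin"}, with_token=True)
    bob = enrol("bob", "battery staple", {"contractor"}, with_token=False)
    am = AccessManager([alice, bob])
    results = [
        am.request("bob", "battery staple", "fileshare", "read"),      # GRANTED
        am.request("bob", "battery staple", "fileshare", "write"),     # DENIED: no entitlement
        am.request("alice", "correct horse", "payroll", "write"),      # STEP_UP_REQUIRED
        am.request("alice", "correct horse", "payroll", "write",
                   otp=hotp(alice.otp_secret, alice.otp_counter)),     # GRANTED with token
    ]
    for _ in range(3):                                                 # repeated bad passwords
        results.append(am.request("bob", "wrong", "fileshare", "read"))
    return results, am.risky_users()


if __name__ == "__main__":
    decisions, alerts = demo()
    print(decisions)
    print("alert on:", alerts)
```

The point of the structure is that the three questions the vendors separate (who are you, what are you entitled to, and is this particular request risky enough to demand a stronger credential) are answered by three separate checks, and every outcome lands in the audit list so that the "identity intelligence" step has something to work from.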
The burden on IT
An effective IDM and NAC system brings an enterprise better assurance of access, more transparency for access and identity administration, and accountability of that access for all users, according to Gartner.
In such an environment, audit for compliance purposes is easier and more thorough, and automation of many manual processes associated with identities is established and helps to streamline the process of identity management and use.
“To build an effective system, there is a burden placed upon key support providers like network managers to construct an effective identity data model, to ensure that systems are configured and supported properly, and to ensure the ongoing maintenance of that environment. The overall level of effort by the manager varies widely based upon the degree and scale of implementation,” says Perkins.
According to HID Global, there is a lot of work involved when it comes to the implementation of access controls and network authentication software.
“You are looking at thousands and thousands of people, different ID numbers and one person at a time, and each one has to be given different access to various points in a building or buildings in a complex, and that does place a lot of burden on the IT managers as well as on the infrastructure, because in some instances you are managing hundreds of thousands of people. A big petroleum company has 200-300,000 employees as well as contract workers that come in every day, and every one of these people has to be managed and given access and permission, and every time a new vendor comes into a building, all their details have to be put into the system,” says Pisupati.
Wizbowski says that in most cases there is no downtime for the organisation when it moves to access and identity management; it is just a simple switchover. However, the biggest challenge is getting hardware devices, such as OTP tokens, into people’s hands.
“The easiest way to provide enterprise employees with access controls is for them to download an application and then switch to using it, so it really is a back end change,” he explains.
This change can be done in as little as a couple of weeks for small organisations, or as a phased approach in which different groups are moved onto the new access controls over a couple of months. Another advantage of the latest IAM technology is that it allows IT managers to better align business risk to access risk by providing a clear view of the most problematic security areas. This enables organisations to allocate their security budgets more effectively to the most critical areas that pose significant risk to their business.
In terms of actual dollar costs, Perkins from Gartner says that, at a guess, if we assume an “average” enterprise of 10,000 users with at least 10 major applications and requirements for different classes of access, such an organisation might require $250,000 to $500,000 in software costs and another $200,000 to $400,000 in implementation costs. This means such a use case might cost between $450,000 and $900,000. Such projects often take anywhere from six months to a year to implement, depending upon complexity. These costs also include training and education.