For years, IT Security has been managed according to principles set long ago. Those principles stated that the good people were on the inside, the bad people were on the outside and we put a firewall in between them to keep them apart and keep us secure. As time progressed, we added a username and password to supplement the security. And then evolution stopped (not really, but in some ways many organizations still rely on this as the backbone of their security architecture).
That worked well for quite some time. But, those were the days when people had desktop machines and came to the office every day. Laptops started to put a strain on the IT Security groups, but they had a magical word they could use to stop potential security risks in their tracks. It was the word NO. If people asked for access and IT Security could not do it reliably and securely, they would just say no.
However, today is different. The IT Security administrator, CSO or CISO can no longer say no to their users. That's a very big shift and it has happened quite rapidly. End-user expectations have simply expanded beyond what IT Security has traditionally allowed. Today, people are used to having nearly ubiquitous access to their information for things they do every day, like Facebook, Twitter and even online banking. It's all available to them all the time from just about any device they like!
This change, among a few others we'll talk about, has created a new paradigm for IT Security. In the past, perhaps they would make a few exceptions for executives who needed special access. Today, it's not just the executives; it's everyone who needs "special" access from their mobiles, tablets and more. The business also wants them to have this access because it makes employees more productive. It has even gotten to the point that security is a secondary concern to access. This is the point where it becomes real trouble.
Recently, we’ve seen an increasing number of security breaches that involve large companies and large exposure of information such as credit card details, confidential patient information and even information gathered about people’s own personal devices. The list goes on and it’s not going to get better until security has caught up with the latest wave of technology.
Two other significant events that have created a challenge to the IT Security groups are mobile devices and the cloud.
Mobile devices including smartphones and tablets have created a huge challenge for organizations. How do you effectively manage BYOD (bring your own device), also known as the consumerization of IT? How do you ensure security when people only need an IP address on the network and a valid username and password to access anything they like? That model is a legacy of the old firewall days, when being on the inside of the network was treated as proof of trust. It sounds scary, but this is the reality in MANY organizations today.
As an example of this, a healthcare organization, which prefers to remain nameless, recently audited its network infrastructure to see how many unknown devices were accessing corporate information on its network. It is a large organization with many thousands of users. Their expectation was to find 30 or 40 unknown devices accessing information without their knowledge. What they found was 6,000 unknown devices on their own network that they had no idea about! The scary thing to me is that this is not an isolated circumstance.
The cloud is the other area that has eroded access control for IT security groups. Users connect directly to cloud resources. You don't control usernames, passwords or who can or cannot get access to the information, you generally cannot add multi-factor authentication to the sessions, and you are not in control of the information itself. Cloud providers are starting to understand these problems and have been attempting to resolve them in multiple ways. But each cloud provider does it differently, and it may not fit your own corporate policies. That makes moving to the cloud very challenging for many organizations despite the perceived benefits, such as cost savings.
The last point I’ll make deals with the most important of all security elements in your organization… your end users. It seems we’ve gone out of our way to make it difficult for them to help with corporate security. It is nearly impossible for end users to actually participate in simple ways to ensure security in most organizations.
If you don’t believe me, go look around at some of your employees desks. Look closely at monitors, under keyboards or in the top right-hand drawer of most desks. There, you’ll find a list of usernames and passwords that allow people to actually remember what they need to have to just get into systems and do their jobs!
In the name of security, we’ve put the end users, your most important link in the chain, in an impossible situation. We’ve created so many different passwords for them to remember, each one a complex password that must use capitals, numbers, letters and sometimes punctuation, can’t be a word in the dictionary and expires so frequently that no one really has much hope of keeping all of these in their heads. Think about it… how many passwords do you have to remember every day to do your job? Then add in the ones for home, social media, and a myriad of other places you visit on a regular and irregular basis. Do you have 20, 50, 100? Sit and think about it… you’ll be surprised at how many passwords you need to know. How do we expect users to do this? Yet it’s a significant basis for most of our organization’s security. Scary when you consider it.
So, what to do?
The old days are gone. Kiss them goodbye and start thinking differently about how you control access. This is not as radical a departure in thought as it may sound. Understand there may be some pain involved too. Start evangelizing. Find ways that make an improvement for people in their work life. Make sure that the organization understands what the real risks are and that they may be at more risk than people may have thought. There are all sorts of statistics available to help. They’re everywhere.
But it is extremely important that you're not just scare-mongering. That doesn't work. This needs to be solid, fact-based information that is delivered in terms of risk to the business. Executives think in terms of risk. Financial risk, reputation risk and productivity risk are all part of that equation. Try to present the information in a way that someone from a business background can understand. Also realize that sometimes the risk is acceptable to the business. As an example: suppose there is a one in 10 chance your company will be breached, that breach would cost $100,000 to deal with, and the security solution that protects against it costs $50,000. Is it worth it? On a simple expected-loss valuation the breach is worth $10,000 (0.1 × $100,000), so the $50,000 control does not pay for itself. But if you add in fines for losing control of patient information or financial information, and then intangibles like reputation damage, the expected loss grows and you may have a stronger foundation from which to make your case.
It is important to think about new ways to help manage your security effectively.
That’s where Access Control comes in. If you change your thoughts from the traditional firewall approach to one of protecting your key assets (your applications and data resources) instead of your network, you’ve made a good start. Don’t get me wrong, technologies that focus on the networks are still important, but they’re table stakes for just about every device out there.
What I’m talking about is creating a defense to protect the resources themselves or more accurately access to those resources. And here’s the important part… regardless of where they reside! This means protecting assets in your own datacenter or in the cloud!
So, how do we accomplish that?
- First, create a control point or gateway that protects access to all of your resources. All traffic must traverse it before reaching any information. But it's not just a firewall. It must have intelligence beyond what has existed in the past.
It’s important to understand that access is no longer a predictable entity. It’s not like the good ole days where people were on the secured, corporately managed desktops and trying to access from inside the office. Now, they’re accessing information from everywhere and every sort of device. That’s a big change.
- It's the context of access that's important.
So, what do I mean by context? Let’s say you’re in charge of security for a large public company. They have financial reports that have to be prepared each quarter. These are highly confidential and cannot be seen in public until officially announced. Now, let’s imagine a finance employee who works to help prepare these numbers. When they’re working inside the company’s building, on their managed corporate laptop, there’s not much risk there. They’ve entered their credentials; they are on a secured machine and in a secure location.
Now, let’s take that same user, with the same laptop (managed corporate device) and put them on a train or in an internet café. Is there a risk that the employee could accidentally leak information, however unintentional it may be, out to the public before it’s made available? Sure is. So, access must be different. Controls have to be in place that can identify the differences in the context of access and allow organizations to make policy decisions based on that.
- You need to understand the device, information about the device, location and user to create effective policies
Where is access coming from? What type of device is it? What is its disposition (e.g. antivirus level, operating system, etc.)? Who is using that device? Is it a smartphone, tablet, PC, Mac, etc.? You need to understand as much as possible about that device and user in order to make an informed decision about access.
Each access could be completely unique. It’s the combination of location, device, users and more that defines the connection. Once you understand all this, you can move on to effective policy enforcement.
- Create very granular policies for access control that take into account the varied ways the information will be accessed.
Should people in finance be allowed to access financial data from outside the company’s walls? From mobile devices? From unmanaged PCs (like home PCs or Internet cafes)? You get the idea.
By combining access context with a robust ruleset for how access needs to be governed, you can handle a wide variety of specific access requests.
- Make it easier for the end users.
This means that end users need to have one spot where they enter their credentials just once into a centralized access control point. From there the system should be smart enough to determine what they are able to access based on their device information, location and credentials in combination.
- Create a central portal for access to all resources.
The gateway should then present a portal that visually shows them what they can access. They simply click on the application and go there. No extra sign-on required. They just get to do their job. And by the way, it shouldn't matter to the end user whether the resource is in the cloud or locally based. Why would they care? They just want to do their job.
- Implement Single Sign On for applications from the Portal.
You need to have single sign-on for the applications. That makes life better for everyone. It also provides you with a higher level of control over who gets access to what and when. If someone leaves the organization, you remove them from your authentication repository and they stop having access to all of your resources, even ones in the cloud! That only holds for resources that are reached through the gateway; a cloud application that still accepts its own local passwords is a side door that deprovisioning never closes.
- Lock and Secure the Front Door with Multi-factor authentication
Now that you've created a central control point, you can't rely on just username and password for security. You've made it simpler on the whole for your end users to access the information. Now you can add a form of multi-factor authentication on top of the gateway. The specific style of multi-factor matters less than having it at all. Tokens, SMS text, picture-based or other forms all improve your security immensely over a password alone, though not equally: a code sent by SMS can be phished or intercepted more easily than a hardware token, so match the factor to the sensitivity of what sits behind the gateway. Even better, for high-security environments you might consider a third factor if it's not too cumbersome for users.
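The steps above, taken together, describe a policy engine that sits at the gateway: authenticate once, learn the context (user, device, disposition, location), decide per resource, and surface the result in a portal. The following is an added illustration of that engine, not PortSys code or any product's logic. The user directory, resource catalogue, context fields and the specific rules (confidential data refused from public locations and unmanaged devices, step-up authentication off-site) are all constructed for the example; a real deployment would draw them from its identity store, device-management data and policy configuration.

```python
"""Context-aware access decisions at a central gateway.

Added illustration for this article, not PortSys code. The directory,
resource catalogue, context fields and policy thresholds are constructed
for the example.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # pass the request through to the resource (single sign-on)
    STEP_UP = "step-up"    # allow only after an additional authentication factor
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    user: str
    resource: str
    device_type: str        # "pc", "mac", "smartphone", "tablet"
    managed_device: bool    # enrolled and corporately managed
    av_current: bool        # device disposition: endpoint protection up to date
    location: str           # "office", "home", or "public" (train, internet cafe)
    mfa_completed: bool = False


# Constructed identity repository: the one place a leaver is removed from.
DIRECTORY = {
    "alice": {"finance"},
    "bob": {"engineering"},
}

# Constructed resource catalogue. "where" is informational only: the policy
# does not care whether a resource lives in the datacenter or the cloud.
RESOURCES = {
    "quarterly-results": {"group": "finance", "sensitivity": "confidential", "where": "datacenter"},
    "expense-app": {"group": "finance", "sensitivity": "internal", "where": "cloud"},
    "wiki": {"group": None, "sensitivity": "internal", "where": "cloud"},
    "source-repo": {"group": "engineering", "sensitivity": "confidential", "where": "cloud"},
}


def evaluate(ctx: AccessContext, directory=DIRECTORY) -> Decision:
    """Ordered evaluation: identity, then entitlement, then context of access."""
    groups = directory.get(ctx.user)
    if groups is None:                        # unknown or deprovisioned user
        return Decision.DENY
    res = RESOURCES.get(ctx.resource)
    if res is None:                           # nothing unknown passes the gateway
        return Decision.DENY
    if res["group"] is not None and res["group"] not in groups:
        return Decision.DENY                  # valid user, no entitlement
    confidential = res["sensitivity"] == "confidential"
    healthy = ctx.managed_device and ctx.av_current
    # Confidential data is never served to a public location or to an unmanaged
    # or out-of-date device: the finance employee on a train from the text.
    if confidential and (ctx.location == "public" or not healthy):
        return Decision.DENY
    # Anything else from a public place or a less trusted device needs a second factor.
    if ctx.location == "public" or not healthy:
        return Decision.ALLOW if ctx.mfa_completed else Decision.STEP_UP
    # Managed, healthy device in the office: the lowest-risk context.
    if ctx.location == "office":
        return Decision.ALLOW
    # Managed, healthy device off-site (e.g. home): one step-up per session.
    return Decision.ALLOW if ctx.mfa_completed else Decision.STEP_UP


def portal(base: AccessContext, directory=DIRECTORY) -> dict:
    """What the central portal lists after a single credential entry: every
    reachable resource in this context and whether a step-up is still needed.
    Denied resources are simply not shown."""
    listing = {}
    for name in RESOURCES:
        decision = evaluate(replace(base, resource=name), directory)
        if decision is not Decision.DENY:
            listing[name] = decision.value
    return listing


if __name__ == "__main__":
    finance_in_office = AccessContext("alice", "quarterly-results", "pc", True, True, "office")
    print("office:", evaluate(finance_in_office).value)
    print("train: ", evaluate(replace(finance_in_office, location="public")).value)
    print("portal:", portal(finance_in_office))
```

The rule order is the point: identity and entitlement are checked before any context, so a removed user is refused everywhere in one step, and the context rules then only tighten what an entitled user may do. Passing `directory` explicitly lets the deprovisioning case be exercised without mutating shared state.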
This may be one of the hardest challenges for most organizations today. You also have to be able to manage all of this and it’s best to do so through a centralized system. That’s part of the challenge because today, most vendors only solve specific problems. Some deal with mobility (MDM), some deal with some aspects of access (like VPN and SSL/VPN technologies), some deal with single sign on while others deal with controlling access to some applications. Finding a unified solution can be a challenge, but there are some new, innovative companies that are offering these technologies and taking on the problem of access control in new ways. One example of this would be PortSys, Inc.
The point is, we’ve changed and security needs to change to match the nature of what’s gone on in the world over the past several years. If you don’t keep up with the rapid pace of change, you’re going to pay the price eventually. It’s more cost effective to plan for it now, keep pace and keep secure. Access Control when implemented properly can help you do this.
Michael Oldham is CEO and Founder of PortSys, Inc. (formerly known as Portcullis Systems, Inc), whose products are used by more than one million users and customers in more than 20 countries around the world. Michael has more than 25 years of Information Technology and Security Industry experience encompassing the Government, Defense, Healthcare, Energy, Commercial, Finance and Banking sectors.
Today, Michael and PortSys are focused on solving the security challenges associated with providing secure access to information and applications from multiple locations and many device types, regardless of where those resources reside (local, private or public cloud), including hybrid datacenters, i.e. those where corporate resources are provided both locally and within the cloud.
Prior to founding PortSys, Michael was Global Program Director for Network Engines, Inc., where he helped to build a global security products division of the company.
Edited by Stefania Viscusi