
Who Really Controls Your Network?
by Andy Sakalian

Posted November 12, 2003


The Aberdeen Group recently published a report entitled "2003 Predictions for Security and Privacy," which stated that organizations are looking for security solutions that demonstrate real financial and business benefits. That equates to spending big dollars on identity management campaigns in the future, but companies are struggling now to ensure that the individuals managing their corporate networks are who they say they are and are adhering to corporate security policies.

There's no doubt that people are focusing their concerns on the many aspects of security, but part of any ongoing discussion in an organization needs to start at the beginning—internally. Companies first need to look at managing who has access to what information in the context of the ever-expanding enterprise, which includes the usual consultants, vendors, and—more important—its IT staff.


So where is the starting point? For most organizations, this entails a general security overview of their existing network and the individuals who have access to it. The second component is the question, "How do I authenticate individuals and feel comfortable that the process is appropriate?"

At one extreme, administrators receive broad access rights within your systems and applications. This allows the administrator to work on day-to-day tasks, as well as special or urgent projects. However, the problem is that you have now given broad access rights to your network, where you should have granted only specific rights for the required work. More often than not, cookie-cutter security definitions do not offer the granularity required by dynamic organizations, and configuring special security groups for individual IT staffers can involve a lot of administrative overhead. An IT staffer's need for access to an application does not necessarily mean that he needs access to the system on which it is installed. Likewise, if a staffer needs administrator rights to a group of systems, that does not mean she needs rights to all of them. All too often organizations have to make a choice between productivity and security.

As an example, consider an IT contractor or perhaps a curious or malicious IT staff member. This person has the domain-level administration password to your Active Directory, Exchange, and maybe even a few general enterprise applications. The potential nightmare is that he can make a backup of your e-mail system and restore it to his home network, in the process giving himself access to all of the e-mail. Or if he is so inclined, he can change the CEO's password and start reading e-mail on the spot. Today's systems are likely to catch him doing this, but he already will have done his damage.

The other end of the spectrum is that the enforcement of so much security hampers your IT staff's ability to work. Doing their jobs can become a burden. People are constantly asking permission to get the required rights so they can perform the administrative tasks they need to do. Quite often, getting this permission takes time, and it usually involves considerable paperwork.

This is where identity management comes in. The ideal scenario involves the separation of all of the individual administrative functions of your network. Install a system that will give your IT staff a key to change the work items for which they have responsibility at any given time. Do this with a system that understands the context of who they are and the functions that they need to perform. On-the-fly provisioning lets you be as flexible as your business: After you provision individuals with specific access rights and they perform the work task, the key returns to the system. In the meantime, you've audited their work, which ensures that you maintain strict security standards.
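The check-out, scoped use, audit, and return cycle described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the `Broker` and `Grant` classes, the policy layout, and the admin, function, and system names are all hypothetical.

```python
import time
from dataclasses import dataclass

@dataclass
class Grant:                      # the "key": one admin, one function, named systems
    admin: str
    function: str
    systems: frozenset
    expires_at: float
    returned: bool = False

class Broker:
    def __init__(self, policy, clock=time.time):
        self.policy = policy      # admin -> {function: systems they may request}
        self.clock = clock
        self.audit = []           # (timestamp, admin, event, detail) records

    def _log(self, admin, event, detail):
        self.audit.append((self.clock(), admin, event, detail))

    def check_out(self, admin, function, systems, ttl_seconds):
        allowed = self.policy.get(admin, {}).get(function, set())
        systems = frozenset(systems)
        if not systems or not systems <= allowed:
            self._log(admin, "checkout-denied", (function, sorted(systems)))
            return None
        self._log(admin, "checkout", (function, sorted(systems)))
        return Grant(admin, function, systems, self.clock() + ttl_seconds)

    def perform(self, grant, function, system):
        ok = (not grant.returned and self.clock() < grant.expires_at
              and function == grant.function and system in grant.systems)
        self._log(grant.admin, "action" if ok else "action-denied", (function, system))
        return ok

    def check_in(self, grant):    # the key returns to the system
        grant.returned = True
        self._log(grant.admin, "checkin", (grant.function,))

def demo():
    now = [1000.0]                # constructed clock so the run is repeatable
    broker = Broker({"alice": {"reset-password": {"mail01", "mail02"}}},
                    clock=lambda: now[0])
    key = broker.check_out("alice", "reset-password", ["mail01"], ttl_seconds=600)
    results = [broker.perform(key, "reset-password", "mail01"),   # in scope
               broker.perform(key, "reset-password", "mail02"),   # other system
               broker.perform(key, "export-mailbox", "mail01")]   # other function
    broker.check_in(key)
    results.append(broker.perform(key, "reset-password", "mail01"))  # key returned
    return results, [event for _, _, event, _ in broker.audit]
```

Denied attempts are written to the same audit trail as permitted ones, so a reviewer sees what an administrator tried to do as well as what succeeded.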

Companies today need to look at network security not only as an IT expense but also as a company investment. Security is a management-level decision. Furthermore, enterprises need to manage and control authorized identities to ensure they are current and are being used in accordance with established policies.

An identity management solution that includes authentication, auditing, on-the-fly provisioning, and single sign-on will help organizations lower costs and increase user and IT staff productivity. Companies that recognize network security issues and make future investments are the companies that "get it."

About the Author
Andy Sakalian is the president of Version3 Inc., makers of Version3 Simple Sign-On. Version3 Simple Sign-On maintains individual application identity and increases security levels through Microsoft's Active Directory. He currently serves on various advisory councils and technology-related associations within the Microsoft community, and he is frequently a general session speaker at collaboration and identity management conferences and tradeshows. You can reach him at .
