Critical Infrastructure Security

2013 Industry Innovators: Access control

Access control is, arguably, the key aspect of information protection. We think of access control in several ways. For example, we consider access control as the way into a system. We may also apply it to applications. Overall, access control has some facets that make it effective. The first, of course is I and A – identification and authentication. This tells the object who the subject is and offers proof of identity. Next is authorization. Once the subject is positively identified, the next question to answer is what the subject is allowed to do. 

If we add to these fundamental security issues the operational issues of deployment, provisioning and management, we have the core requirements for today's access control products. There are a lot of products that, one way or another, fulfill those requirements. What we were looking for this year were those niche players who have something really special that shows the kind of creativity needed to address current and future access management requirements. To our great surprise, snuggled in with those smaller players with a high ‘cool' quotient, was one of our old favorites, a large company with a wide-ranging reputation in the security space.

This year, we began to see those larger companies. Last year, we were surprised by the presence of one giant, but this year we have more than one large entity. It was good to see these guys – ForeScout – in the game this year. But they were not alone. A once-small company, now gobbled by a giant, was in our access management mix as well. Last year, we had one of those too and they passed into the Hall of Fame. We are predicting big things for this year's access control company taken into a larger player. All indications are that the acquisition is a very good thing for both parties. We like that too. 

Overall, we see some major changes in access management and those changes are exemplified by this year's crop of Innovators. New approaches to the fundamentals that make it harder for the bad guys without forgetting what access management is all about – that's what this year's access control Innovators are all about.

BehavioSec

We are not in the habit of quoting last year's discussion of a particular Innovator. Each year is new and fresh, but this Innovator really broke the mold and we thought that it would be interesting to compare our views last year with this year. In 2012, we said: BehavioSec has taken a core concept that has not been executed well and did not really have a reason for existence and, through creative thinking and good market understanding, built upon the concept.

AT A GLANCE 

Vendor: BehavioSec  

Flagship Product: BehavioWeb-Mobile 

Cost: $ 0.16/user/year (a sliding scale depending on platform, this price is for one million users for web)

Innovation: Invented the concepts of “behavioral biometrics” and “continuous authentication.”

Greatest Strength: Market vision and, of course, knockout technology 

That core concept, of course, was keystroke monitoring. This Innovator took a fresh look at how keystroke monitoring was being done, fed the undernourished concept a good dose of algorithms and the result was a biometric access control nearly devoid of false positives and negatives, easy to deploy and easy on end-users. This year, they continued their focus on mobile devices and expanded on their concept of separating business and personal data on tablets, smartphones and the like.

One new piece of innovation was extending the notion of passcode authentication on mobile devices – which can be dodgy – to gesture authentication common on them. Along with the technical issues, they took a strong look at the market, saw the potential in government departments moving away from BlackBerry, and extended their focus on the increasingly popular iOS and Android devices.

The key to BehavioSec's success is what they call continuous authentication. Rather than simply checking a bit of typing at login and then considering the authentication finished, BehavioSec constantly monitors keystroke dynamics, fine-tuning as it goes and alerting when the pre-learned parameters no longer apply to the user. The idea is that it is not too hard to spoof a simple login, but it is far harder to spoof long-term typing characteristics. If one applies this concept to such high risk applications as online banking, the combination of economies of scale – there are lots of internet users – and improved access management are obvious.

We continue to be impressed by this Innovator and we wonder where they will go next. We would be very surprised if their coming year did not land them in the 2014 Hall of Fame.

EyeLock

Last year when we looked at these guys, they knocked our socks off. The scenario was the security entrance to the gates at a busy international airport and their product could pick out and verify identities at a distance and in motion. We could only imagine the positive impact on both security and efficiency in this use case.

AT A GLANCE 

Vendor: EyeLock  

Flagship Product: EyeSwipe Nano COST: $2,495. 

Innovation: In-motion and at-a-distance iris authentication technology. 

Greatest Strength: These folks continue to innovate, now adding a miniature version of their product priced to fit well into consumer applications. They know their market and what it takes to dominate.

EyeLock is a miniaturized iris-based scanner that sports remarkable speed and accuracy. Now, with the EyeSwipe Nano, such commercial applications as banks, pharmacies, office buildings, etc., can take advantage of biometric-grade access control at a reasonable price. The Nano can replace traditional card swipe access management, maintain better security and speed up the access process.

For example, access to several high-security rooms at Norwich University all are protected by swipe card access. Many times, students and professors on the access list approach one of these doors loaded down with books, tools, computers, etc., and must put everything down just to get their cards and open the doors. How much better it would be simply to walk up to the door and have it open. More important, when a student loses their swipe card, there is a chance of compromise. With the Nano, no such risk would exist.

EyeLock products are industry compatible and are comfortable with most third-party access control products. Replacing an existing card swipe system, for example, should pose no particular challenges. If you have an oddball system, though, there is an software development kit available that can help you through the rough spots.

The combination of speed, accuracy and ease of use all go to make this a truly innovative solution to a whole slew of tough challenges. Adding the affordability of the product just increases its appeal. And along those lines, necessary software for such things as provisioning and iris matching come with the product and are not licensed per user. Price, support, forward thinking and a whale of a solution to tough challenges all go to make these guys one of our favorite Innovators.


ForeScout


We love this company here in the SC Labs. Its products always are welcomed in our Group Test reviews because they work well, do what they're advertised to do, and support is good. But it is also a fine innovator. This is the company's second year in the Innovators section, and we asked the company what was new over the past year. Boy, did we get an earful, and that seems to have been typical of the pattern we saw of most of our returning Innovators.

AT A GLANCE 

Vendor: ForeScout Technologies  

Flagship Product: ForeScout CounterACT 

Cost: Starts at $9,572.

Innovation: Bi-directional integration: Customers and partners can do integrations easily.

Greatest Strength: Pervasive network security, forward thinking.

The big new thing from ForeScout this year is API and its new program/ecosystem. The company has written 66 integrations now and expects many other third-party vendors to join. It developed the notion of“bi-directional integration” that allows it to integrate other third-party products into its ecosystem quickly and easily. In fact, customers and partners can do the integrations themselves with Fore Scout's API. It launched the new capability in late October and a week later had 25 new partners signed up. 

This is a big deal. For example, when FireEye sees an APT-infected host, it tells CounterACT and CounterACT remediates or removes the host from the network. The idea of customers applying their own integrations is important because they can apply their own use cases. Usually, it is typical that if an organization has a use case outside the mainstream, special arrangements need to be made with the vendor – at an added cost. The usual outcome is that the customer settles for the closest thing that the tool provides already or that it can deploy as part of a policy. The end result may or may not be a good fit. With bi-directional integration, the customer applies the API to the use case and creates an integration that fits the use case exactly.

Add to this a clear focus on bring-your-own-device (BYOD)  and the idea of pervasive security throughout the enterprise and you have forward-looking thinking. ForeScout has traditionally been a NAC powerhouse. The experience and creativity that took it there has taken the company to the next level with the innovations of the past year.


RSA Aveksa

RSA Aveksa is a new entry in our Innovators segment and the company is quite interesting. First, its offering is another example of the trend we are seeing of platforms rather than tools. The Aveksa platform is a well thought-out approach to identity and access management (IAM). There are lots of innovations here. 

AT A GLANCE 

Vendor: RSA Aveksa 

Flagship Product: RSA Aveksa Identity & Access Management Suite 

Cost: The solution is priced per user, by module. Prices start in the $20 to $30 per user range. 

Innovation: IAM as a platform with the operational focus on the line of business instead of technologists. 

Greatest Strength: Their view of themselves as a competitor in a crowded market and how it approaches that market from the point of view that IAM should be business-driven, speaking the language of business.

First, Aveksa believes that IAM should be a line of business rather than an IT or security department issue. The line of business knows who does what, who needs to access what, and how least privilege applies. They don't, perhaps, think about these things in exactly those terms – familiar to security pros of course – and RSA Aveksa doesn't believe that it should need to. So their IAM platform is aimed squarely where it belongs: at the line of business using it.

All of this is fine, of course, and the technology is first rate and very forward thinking. But, what really impressed us was the way it competes in its particular market. This is an example of a clever organization acquired by a much bigger, equally clever organization that was itself acquired by an Innovator of still bigger size. Innovation at all levels is strongly in the DNA here.

When we asked a representative from the company why it believes it is an innovator, it felt as if we had opened Pandora's box. We heard such things as “innovation is doing something totally different from your competitor.”

What's their secret sauce? It clearly is their data modeling engine – user/ID, resources, policy – all brought together in a unique way that requires little intervention by IT or security. These resources are presented to the business user in business language. They uniquely define all of this in three clear areas. First, single sign-on, provisioning and governance. Second, where to apply the resource: SharePoint, home-grown applications, etc. And, finally, how to consume the resource: SaaS or on-premise. All in all, this new addition to our Innovators section is a fine example of planning, technology marketing and execution, all built around the drive to innovate.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.