Access control (2003)

As more and more sensitive data is being accessed from networks, managing who can access what is becoming increasingly crucial. By Craig Hinton

Knowing that the most valuable item in the corporate inventory is the data on the network should be second nature to everyone by now. Forget the hardware, the furniture and even the network kit itself, the value of corporate data to the company overshadows all of that. Buried within the file servers are lists of clients, corporate spending plans and strategic information - everything that gives a company its business edge. Safely tucked away from prying eyes it provides a company its strategic advantage but, in the wrong hands and in a worst-case scenario, that information in a rival's possession could spell bankruptcy. So, keeping that information secure should be the bottom line for every network administrator.

Beware of the enemy within

Unfortunately, it still isn't second nature to many network administrators. They may have ring-fenced the organization with firewalls, encrypted their VPNs and built the most state-of-the-art security system to ensure that no one from outside can get close to the network unless authorized, but they often forget that over 80 percent of security incidents originate within the organization.

Many, if not all, employers are horrified by this statistic, which would appear to suggest that their employees are spending all of their working day trying to think of ways in which to cripple the company. But that really isn't true. Only a tiny fraction of internal breaches are actually malicious - the majority are completely innocuous. It is true that some employees wish to cause their company financial harm - getting into databases to steal information which can then be sold to rivals or planting false information - but this is only a tiny percentage of the total security breaches.

Curiosity accounts for a larger proportion, as employees try to peek into the payroll database to see how much their peers are earning, or into the human resources database to see if they can find anything gossip-worthy. This may be irritating, but it is hardly malicious - it is just human nature. The truth is that most security breaches happen because employees are trying to make their working day easier.

It is clear that some kind of access control has to be installed at the user level, and it has to be enforced, otherwise it might as well not be there. However, this requires a careful balance between security and ease of use. If the access control application takes users ten minutes and fifteen windows before they get to their destination on the network, they are hardly going to make sure that their machine is securely locked up before going for a five minute coffee break, are they?

For those five minutes, the machine could be hijacked by anyone, and the only audit trail would lead directly back to the hapless user. Similarly, the user may attempt to discover some form of workaround which could possibly leave a gaping but unnoticed hole in the overall security policy. This - employees trying to do their jobs - is responsible for the majority of internal security breaches, but it is so often overlooked.

IBM's RACF mainframe product offered a good example of a workaround. Imagine you have set it to enforce a password change every 28 days and to disallow repeated passwords for a year. RACF did not measure that year in time, though: it checked only for repeats within the last 12 passwords. It was simplicity itself to write a RACF macro - one that required no special security status - to run every 28 days, cycle through 12 password changes and let you keep the same password month in, month out. So, rather than being protected, the user's machine is wide open to anyone who can guess the password. Usability is always a factor in any review, but in this case it takes center stage.
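The RACF weakness above comes down to how the "no repeats" rule is measured. This added example (not RACF code, and not from the original article) contrasts a count-based history check with a time-based one and simulates the 12-change cycle against both; the password values, the 28-day date and the SHA-256 stand-in for a real salted password hash are all constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

HISTORY_SIZE = 12                     # count-based rule: no repeat of the last 12 passwords
HISTORY_WINDOW = timedelta(days=365)  # time-based rule: no repeat of any password used in the last year


def _digest(password):
    # Illustrative only; a real system stores a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def count_based_ok(history, new_password, now):
    """Weak check: looks only at the last HISTORY_SIZE entries, however recent they are."""
    recent = [digest for digest, _ in history[-HISTORY_SIZE:]]
    return _digest(new_password) not in recent


def time_based_ok(history, new_password, now):
    """Hardened check: rejects any password used within HISTORY_WINDOW,
    no matter how many changes were squeezed in between."""
    digest = _digest(new_password)
    return not any(d == digest and now - when < HISTORY_WINDOW for d, when in history)


def cycle_attempt(check, start):
    """Simulate the 28-day macro: run through 12 throwaway passwords, then try
    to return to the original. Returns True if the policy let the user keep it."""
    history = [(_digest("original-secret"), start)]   # constructed initial password
    now = start + timedelta(days=28)                   # the scheduled change date
    for i in range(HISTORY_SIZE):
        throwaway = f"throwaway-{i}"
        if not check(history, throwaway, now):
            return False
        history.append((_digest(throwaway), now))
    return check(history, "original-secret", now)


if __name__ == "__main__":
    start = datetime(2003, 1, 1)
    print("count-based history defeated:", cycle_attempt(count_based_ok, start))  # True
    print("time-based history defeated: ", cycle_attempt(time_based_ok, start))   # False
```

A minimum password age (one change per day, say) would also break the same-day cycle, but only the time-based history enforces the policy the administrator actually intended.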

Despite all of the advances in software design and implementation, developers appear to have a shocking blind spot where access is concerned. It is as if PIN numbers and passwords are the only options for users. Yet PIN numbers and passwords are frighteningly easy to forget, and even more frighteningly easy to guess. More often than not, the developers' solution to this is to simply add more layers of protection, meaning multiple PIN numbers and passwords, and a corresponding multiplication of the risk of users finding workarounds. Given that there are other options which provide as much, if not more, security with greater usability - biometric authentication and smartcards to name but two - it is disappointing to see how few software houses are exploring the other avenues.

It all comes down to ease of use

But this ease of use has to extend to the installation and maintenance of the access control software as well. No network administrator is going to want to install the same product on every PC in the organization, one machine at a time, and maintain each one separately. There has to be some form of central roll-out and central update facility. Without these, you may have to factor in sloppy administration: defaults not being altered, password policies not being tailored to the company's needs, and a whole host of other blunders that leave your systems wide open.

Also important is whether the product can be tailored on a user-by-user basis. The access required by an office temp is going to be completely different from that required by the HR director. Can the application cope with this, or is it 'one size fits all'?

The products under examination in this Group Test all provide access control, but will they integrate into your network? Will they fit into a user's daily routine, or will users see them as an obstacle to overcome? And can they be tailored to the specific requirements of your organization and your users? These are the factors that should be considered when implementing any form of access control.

Remember though, the majority of your employees haven't got an axe to grind, they simply want to make their working day that little bit easier. And that should really be your first concern as well.
