Over the course of the year we have visited several aspects of access control. This month we will look into three more. Identity management and network access control (NAC) are fairly obvious, while data leakage prevention (DLP) is, perhaps, not.
NAC is a no-brainer. The purpose of network access control is exactly what it sounds like. Identity management is a sort of “back office” control that sets the stage for active access control based on the identity management policies and work flows that IM products established. But what about DLP? Arguably, DLP prevents access to sensitive information by preventing it from leaving the network and falling into unauthorized hands. When I think of DLP, I think of access control in terms of unauthorized access prevention. The whole idea is to prevent unauthorized transfer of data, particularly out of the network.
All of that being said, access control has so many aspects – each of which is equally important – that we can think of each of them as a component of an access management ecosystem. The three we look at this month actually play three very different roles. Think of access management as a suite of services that all contribute to the overall objective of preventing unauthorized access to information. This suite of services contributes to an overall defense-in-depth strategy for information.
Often, we are tempted to think of defense-in-depth as a network function. We tend to assign layers to the process, thinking of defense-in-depth as emanating from a combination of layer 2 and 3 (7-layer model) network communication and layer 7, applications such as malware control. While all of that is true and constitutes worthy objectives, we also should focus on controlling access to the data itself. Lest we forget, security – whether at the network or at the application – should be focused on the data. If we did not need to protect the data we would not need the security.
We looked at our products this month from the dual perspectives of each product type's individual contribution to protecting the data and how the product types work together to achieve the appropriate in-depth protection of the data. Many organizations have some or all of the components of the access management ecosystem, so slotting in those that they do not yet have requires a rather serious assessment of requirements, gaps in protection and specific types of data being protected.
DLP is always a good idea, but it becomes critical when we are dealing with regulated data – such as health care or credit card information – personally identifiable information (PII), or trade secrets. Unfortunately, DLP often is the last major security expense budgeted by many organizations. My own opinion is that this is, at least in part, because organizations sometimes don't thoroughly understand the importance of protecting the data explicitly.
A layered approach to managing access to data, including preventing its unauthorized leakage, is the best way, overall, to ensure that the data is safe, and access to it is controlled. This month's products, coupled with others that we have looked at in the past, provide the kind of comprehensive protection that is required in today's hostile electronic environment. So, without further chit-chat, let's proceed to the meat of this month, the products themselves.