It is access management time again. This month, we look at two groups that fit in that broad category: network access control (NAC) and identity management. Both of these pose some very interesting solutions to some very difficult problems. These problems usually feel like access management problems – and, of course, they are. But, as with many types of products today, there often is a forensic twist as well.
I like the forensic twists, not just because that is my sweet spot, but because it signals clearly that the old adage of “it's not IF you'll be compromised, it's WHEN” certainly is true. Years ago, I promoted the idea that the intrusion detection system was the best network forensic tool available because it is the only thing watching the network 24/7. That is not necessarily true anymore. Most of the products we looked at this month also watch the network 24/7. And they are watching very closely.
A good example of that is the NAC group. I currently am working on a cyber stalking investigation where the ability of the NAC to identify subtleties, such as hive keys in the registries of every person logging on, will facilitate catching our bad guy. That capability could just as easily be used to keep the bad guy out of the system, even if he is known to the system, has been allowed to be on it and has, for whatever reason, been banned.
NAC is one of those applications that many organizations have viewed as a luxury. Smaller organizations have avoided NACs because they are expensive, complicated to implement and a challenge to maintain. That is no longer true, and organizations of most sizes can and probably should look into it. Perceptions to the contrary are out of date.
Our other group, identity management, is the logical adjunct to NAC. No matter how it may appear, these two groups do not compete. They complement each other. NAC manages the access at the asset level. Identity management manages the users. A well-managed, secure enterprise needs both.
This month, the two Mikes wielded the test beds. Mike Lipinski worked the NAC side while Mike Stephenson handled identity management. I always enjoy these two groups because their obvious juxtaposition suggests a sort of security synergy. This month was no exception to the past in that regard. As you read the openers for each group, as well as the individual reviews, you will note that taken as a whole they suggest a baseline security architecture that makes a lot of sense.
The basis of a security architecture is policy, and both of these groups are ruled by policy. They also are important tools for enforcing and reporting on the enforcement of regulatory requirements. Proving regulatory compliance can be a tedious chore if you try to do it without the right tools. Having the right tools in this case means tools that are sufficiently close to a possible event that they record and report it as it is happening – not after the fact. IDS tools are great for after-the-fact and, we hope, pretty good in near real time. But while recaps of incidents are very important, preventing them – and being confident in that prevention – is even more important. And that is where this month's batch of access management tools really shines.