This month we looked at a mix of data leakage prevention (DLP), identity management (IM) and network access control (NAC) products. While this may seem an odd mix, each product type makes significant contributions to the ingredients needed to manage access control on today's enterprises. To put that statement into perspective let's take a little deeper dive into each group, starting with what is clearly part of the back-end services: identity management.
There are several things that we may expect an identity management system to do for us. First is the issue of provisioning and de-provisioning. Competent IM products support these functions and, especially in large enterprises that are geographically dispersed, self-provisioning is a plus.
Identity management systems are built around the concepts of usernames and access control. More important, perhaps, is the notion that identities fit into groups based on any of several criteria that define the identity management policies. While, strictly speaking, IM addresses identities, today we have broadened that description to include both identity and authentication. But the key word in identity management is "management." Being able to tie IM to such things as role management, work flows and monitoring policy compliance has become a big part of defining what IM is.
The products we looked at this month in the identity management category all covered the bases and were, on the whole, complete tools. There were a few that were solutions to point problems, such as provisioning, but, although we saw a lot of convergence in functionality, the end result focused on three key areas: self-provisioning, compliance and role definition, and management as prerequisites for managing IDs, passwords/authentication and authorization.
Meanwhile, network access control is aimed more at the device than the user. The key is whether or not we will allow a user to attempt to log into a system when the user's computer/device is out of a predetermined range of compliance. NAC systems allow administrators to define what an acceptable device for attachment to the network looks like. Most also provide mechanisms for self-correction by users of rejected devices.
NAC systems we examined this month were pretty impressive overall. They provide a range of capabilities, most under the control of the NAC administrator. Functionality for these tools - as with all of this month's products - is of paramount importance. Since we are seeing the convergence of functionality from a growing number of product types into more complete, inclusive tools, we carefully watch what is included as features in the latest generations of these solutions, as well as what the implementation is.
Finally, data leakage prevention is the heart - or should be - of current security architecture. Modern malware is far more concerned with stealing data than, as in the past, bedeviling the system administrators. Since stealing data - credit card numbers, personally identifiable information, proprietary assets - is the hallmark of the modern cyber criminal, DLP becomes an important line of defense.
Competent DLP systems must identify the fact that data is being exfiltrated - or attempts are being made to grab assets - even if the data is encrypted. That's a very large order and not all the tools we reviewed are able to do it with equal competence.
Another issue that is important in a good DLP system is granularity. The administrator should have the option to create discrete policies, groups, etc., that are of the size or focus that meets the particular organization's needs.
Compliance, manageability, granularity and strong policy content all are keynote issues for all three product types. When all of these factors are strong and the functionality expected of the product type is equally good, one has a top-notch offering. All that's left is marrying the product to one's specific requirement and a match is made.
