The traditional “triple A’s” of access security, Authentication, Authorization, and Accounting, have been joined by a newcomer – Auditing. Like its predecessors, auditing is most effective when enforced, rather than being voluntary.
The importance of enforcing access based on auditing has grown as malware has become smarter. Worms and trojans are indifferent to traditional user authentication. Like parasites, they attach themselves to systems that users then unwittingly connect to the company network. Against this type of threat, the best course of action is to screen systems before they are given access to the corporate network.
Small and large organizations alike can benefit from policy enforcement. An administrator with a dozen users can update systems manually, but enforcing the updates is easier. The same task with hundreds of remote notebooks almost mandates an enforcement solution. In a large enterprise, even a 1% non-compliance rate can leave hundreds or thousands of systems running outdated antivirus software and vulnerable operating systems and applications.
Administrators must take care to select the appropriate enforcement solution. Although “enforcement” implies that circumvention is impossible or impractical, the reality is that products have varying levels of bite. Also, the definition of enforcement often changes depending on the context in which it is used.
Some soft enforcement solutions work only when the software is installed and running on the end system. For example, a software client might update antivirus patches. However, software can be removed, systems can become corrupt, and users may disobey corporate security guidelines. Any of these may prevent future updates from occurring, which means that non-compliant systems will stay that way.
Strict enforcement prevents a system from accessing resources until it has passed an audit. This ensures that systems missing client software or which are otherwise misconfigured will not have access to the network. By denying access until trustworthiness has been established, strict enforcement prevents compromised systems from attacking the network.
Strict enforcement solutions also require some sort of agent on the end system, but a server on the back end performs the enforcement. The agent audits while the server enforces access, unlike soft enforcement where the client software does both. The benefit of using a server is that it only grants access to systems that pass the audit. Strict enforcement denies access to systems that are corrupt, invalid, or do not have the client, unlike soft enforcement, which lets such systems in.
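To make the strict-versus-soft distinction concrete, here is an added Python sketch (not code from the article or from any product it describes) of the decision a back-end enforcement server would make. The report fields, policy thresholds and sample reports are all constructed assumptions; the point is that strict enforcement fails closed when no usable audit report arrives, while soft enforcement never blocks.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Policy thresholds: constructed values for this example, not from the article.
MAX_SIGNATURE_AGE_DAYS = 7     # antivirus signatures older than this fail the audit
REQUIRED_PATCH_LEVEL = 12      # hypothetical baseline patch level for the OS image

@dataclass
class AuditReport:
    """What the endpoint agent reports to the back-end enforcement server."""
    av_running: bool
    av_signature_date: date
    patch_level: int
    firewall_enabled: bool

def failed_checks(report: AuditReport, today: date) -> List[str]:
    """Policy checks applied server-side; returns every violation found."""
    failures = []
    if not report.av_running:
        failures.append("antivirus not running")
    if (today - report.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures out of date")
    if report.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("operating system patches missing")
    if not report.firewall_enabled:
        failures.append("host firewall disabled")
    return failures

def strict_decision(report: Optional[AuditReport], today: date) -> Tuple[bool, List[str]]:
    """Strict enforcement: access is granted only when a usable report passes every
    check. No report at all (agent missing, removed or corrupt) fails closed."""
    if report is None:
        return False, ["no audit report: agent missing or invalid"]
    failures = failed_checks(report, today)
    return not failures, failures

def soft_decision(report: Optional[AuditReport], today: date) -> Tuple[bool, List[str]]:
    """Soft enforcement: the client is trusted to remediate itself, so the network
    never blocks; a system without a working agent connects with nothing recorded."""
    if report is None:
        return True, []
    return True, failed_checks(report, today)

# Constructed sample reports: one compliant notebook, one with stale AV and patches.
TODAY = date(2024, 3, 10)
COMPLIANT = AuditReport(True, date(2024, 3, 8), 12, True)
STALE = AuditReport(True, date(2024, 2, 1), 11, True)
```

Run `strict_decision(STALE, TODAY)` and `soft_decision(None, TODAY)` side by side: the first denies access and lists the violations, the second admits a system the server knows nothing about.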
There are different approaches to providing policy enforcement. Some vendors have embedded policy enforcement into existing products. This model is particularly attractive to organizations with enforcement requirements limited to those products. For example, some VPNs check for the configuration of the remote system before allowing access. Also, some endpoint firewalls enforce configurations through a back end server with varying degrees of strictness.
Other vendors have created dedicated policy enforcement solutions. A standalone approach can enforce best-of-breed security solutions and offer centralized management. This model can also support additional systems, devices, and users, such as consultants and business partners accessing the network, who may require non-intrusive or web-based solutions. Although administrators have the right to ensure that such systems meet minimum security standards, they may not be able to install software on them.
Policy enforcement on end systems is an idea whose time has come. The number of devices, and the variety of connections used to attach them to the company network, is growing quickly, and multi-vector threats will continue to multiply. Administrators must concern themselves with what is attached to the company network, as well as who.