Losses from insider threats can be spectacular: in just three days in January, 2008, Société Générale lost about €4.9 billion ($7.2 billion at then-current exchange rates). The bank blames a trader—familiar with access controls from years spent in its compliance department —for fraud, forgery, and attacks on an automated system. But less dramatic losses have become almost routine: the Privacy Rights Clearinghouse documents a long and growing list of financial and other personal information breaches, many due to dishonest, vengeful, or merely careless insiders.
Controls and complexity
Access controls have evolved to meet the challenges of insider threats to organizations and networks. They start with physical checkpoints: receptionists in corporate lobbies and card readers at data center doors. But today's porous networks and extended enterprises allow former outsiders — guests, contractors, temporary workers and non-employee visitors — past those checkpoints, and grant them varying degrees of access to networks, applications and data. On the network, security may actually become inverted, where openness is needed to make former guests productive, and make organizations successful. And off-shoring and near-shoring practices open networks to organizations that don't share physical facilities.
Organizations try to adapt their physical, electronic and process controls to manage access to these multiple networks, applications and databases, all based on policies that align permissions to business roles.
This complexity raises problems of its own. Consistent application of policies is a never-ending challenge for security personnel: user roles change constantly, and while granting access is often an emergency, withdrawing it rarely is. This systematic bias can lead to "access inflation": greater and more widespread access, punctuated by intermittent panics and audits. It's an invitation to disaster, a red flag for regulators, and no way to run a business. But what can be done?
Establish disciplined, granular policies
Access controls for this new threat environment require a disciplined approach based on clear policies. Starting with established authentication policies, policymakers should add granularity to cover:
- high-security and high-risk data, applications, and network zones such as personnel, human resources, finance, and research and development, and others to protect sensitive data and their precious IP
- personnel roles and responsibilities down to individual identities, taking care to maintain separation of responsibilities where regulations, standards, and common sense require it
- site-wide visibility to cover every organizational responsibility and network leg, for monitoring, deterrence, and forensics support to pinpoint any policy exceptions
Granular policies should be aligned for ease of use and manageability across the entire organization, and to assure consistency across network zones, data types, roles, and responsibilities. It's particularly important to apply just one set of policies for both local and remote (SSL VPN) access — it saves time, money and user patience, and assures at least baseline policy coverage. Once granular policies are in place, aligned for consistency and interoperability, and checked for gaps, they are ready to be propagated across networks, applications, and data.
Choose an open, flexible solution
The first step is to make effective use of network security products already in place. Individual network defenses like firewalls, SSL VPN gateways and intrusion prevention and intrusion detection systems (IPS/IDS), as well as other security software and appliances, need to interoperate with the selected network access control solution. The goal is to make sure that access control and network defenses are aligned on policy, and reference the same information.
Interoperability works both ways: the access control solutions take input from security devices to assess the instantaneous threat environment and identify events, and they enforce their response through these same devices, for example by restricting access to threatened network segments, applications, data sources, or by restricting or blocking actions of suspect individuals or devices. The best of them offer policies and templates that work across multiple network access methods and with different network security products to speed implementation and simplify management.
Critical use cases
With granular access control in place communicating with firewalls, IPS and IDS, SSL VPN gateways, rate-limiting switches and other compatible devices, organizations can begin to address complex use cases such as these:
- zone-based access to applications — restrictions on specific application use in sensitive areas; for example blocking IM attachments when users are in the personnel zone or accessing the finance servers, regardless of user
- time-based access; for example by restricting social networking applications to after hours and lunchtime use
- “high alert” policies that restrict access to a location, application, data type, or by an individual's identity or organizational role when security devices signal a local or general attack
- rate-limiting of low-priority downloads to maintain Quality of Service (QoS) for customer-facing functions, like web portal and VoIP applications
- granular intrusion response that quarantines, logs off or locks out users or devices (not just IP addresses) in response to anomalous behavior on the intranet
- correlation of information across network security products to identify “slow and stealthy” attacks that evade simple security point product solutions
Ensure efficient, productive management
Properly implemented, automation and collaboration with security solutions improve almost every aspect of access control. They accelerate management responsiveness, and root out even sophisticated insider threats that evade traditional solutions. They reinforce consistency with a comprehensive view of policy implementation across the entire organization from a single console. They help avoid "access inflation" and workarounds by making consistent security portable from one security solution or network leg to another. And they help scale policy and control across the entire organization, incorporating the information and behavior of all its security products.
Finally, automated access control increases the productivity and control of administrative staff. By decreasing the time spent by administrative staff on access controls enables them to focus their talents on addressing core and strategic networking issues. From a strategic perspective, trusted networks that support reliable communications of critical information among employees and partners throughout the enterprise are a key link in raising productivity while saving costs.
Business and network evolution has increased the number and severity of network, application, and data risks from errors and attacks made by authorized insiders, including outsourcers. Traditional access controls and point products can leave gaps in coverage, and raise risks of "access inflation" and precarious workarounds when network and access management grows too complex. A solution-oriented, granular, policy-based approach, assigning identities and roles for access control and interoperating with existing network and security infrastructure, carefully and cost-effectively implemented and efficiently managed, provides the most effective, consistent defense against a growing array of insider risks and outsourcing threats.
Rich Campagna is senior product line manager of access solutions at Juniper Networks