Product Group Tests
NAC, IDM, DLP
Network access control, identity management and data leakage prevention can work together to help protect data from unauthorized access and exfiltration.
Full Group Summary
Let's start this month by getting a handle on what we mean by each of the three product types at which we are looking and how they contribute to a comprehensive, holistic data access management program. We are looking at three general product types: network access control (NAC), identity management (IDM) and data leakage prevention (DLP). These three can work together to help protect data from unauthorized access and exfiltration. Each of these has its own role to play and no data access management program is complete without all three.
We begin with identity management (IDM). In his master's thesis for the IT University of Copenhagen, Amir Hadziahmetovic describes identity as traits/attributes plus reputation. We believe that's a pretty good place to start. If we are going to manage identities - the kind that we define within an enterprise; for example, using Active Directory for our tool - we are very concerned with the traits and attributes of the identity that we are attaching to a user or process and we are concerned over time with the way that user or process behaves (its reputation in the context of our system).
Part of the problem with IDM systems is that they must associate an identity uniquely and unambiguously with a user or process. This is challenging for IDM products in a large widely distributed enterprise. These products must assign, verify, provision and deploy credentials such that the users and processes are uniquely and unambiguously identified and their behavior tracked over time. Regardless of the turn of phrase used by vendors and identity mavens, this, really, is what IDM comes down to.
As you evaluate the IDM products this month, look at how you expect to use them in your enterprise, how you plan to deploy and provision and how you will track behavior. Then select the product or products that address your needs.
Moving on to NAC, we find that, as is typical in information security, definitions vary. However, there are a couple of elements that are pretty consistent. First, there is an element of IDM. If we think of access control as having three components: who you are (identity), how you prove it (authentication) and what you can do once authenticated (authorization), NAC cares about all three to some degree. Thus, we might think of NAC as a consumer of IDM's work. Once the IDM has assigned and deployed an identity, the NAC can use it as part of its function.
But NAC goes a step further in that it usually does for the device - endpoint - what IDM does for the user or process. The difference is that people and processes are active while devices, arguably, are passive. As such, they may have vulnerabilities, be poorly configured, may be hosts for rogue processes such as malware and so on. It is the job of the NAC to, based on a set of policies, ensure that every endpoint that associates with the enterprise is safe.
NACs usually are perimeter devices. Today, most NACs are appliances although there are some software versions and certainly some virtual appliances. The physical appliance may sit in-line at the perimeter or simply be sniffing the traffic and sending alerts and commands to internetworking devices, such as routers and switches. In either case, deployment is one of the challenges for NACs as is configuration. Both of these issues become exacerbated in a large, distributed enterprise as one might certainly imagine. Make sure that the NAC you select - if it is to be deployed in-line (and some NACs give you the choice) - does not impact your enterprise's throughput to and from the internet. Also satisfy yourself that it is readily manageable from remote locations on (and off, if necessary) the enterprise.
Finally, we take up DLP. There are a lot of forms of DLP. Some products focus on the physical and application layers. They protect against a thumb drive being connected to an endpoint and then bleeding off sensitive information, for example. Or they protect against a network tap doing the same thing. Or they watch email and file transfers to and from the cloud.
Some, however, are focused on stopping exfiltration by malware. These are specialized and usually - but not always - perimeter gateway devices. There is DLP for the endpoint and DLP for the perimeter, then. Decide which (or both) fits your needs before you start selecting products.
Whatever your choice, it is useful if you can ensure that these three product types - if you opt to deploy all three in your environment - will work well together. And that is part of the purpose for this month's reviews. So let's get started.
Sal Picheria contributed to these reviews.