There's an old saw that says “there are management solutions to technical problems, but no technical solutions to management problems.” To that I'd like to add, “unless you have the right tools.” This month's reviews are focused on some of those tools.
Our first group, endpoint security, enforces a set of policies that have to do with requiring good behavior at the users' workstations.
Our second group, biometrics, is comprised of a tool set for enforcing strong authentication. Given that the management problem is solved – there is an enforceable strong authentication policy – these tools enforce the policy and help solve the management problem.
So, even with the aphorism, we still need tools – a hammer, if you prefer – to enforce the management solution (usually a policy).
In both cases technical support for the management solution comes down to the individual. If we enforce our policies at the user level, we deal with the weakest link in the security chain.
The idea of enforcing security policies using IA tools is fundamental. That is not to say, of course, that we substitute tools for policies. It's a case of the three Ps: people, policies and products. The best products address the other two Ps by providing the glue that enforces the policies on the people.
Tools come in two flavors: preventative and detective. In today's business environment driven by regulatory requirements we need both. The products we looked at this month provide both in the form of action that is determined by policies (preventative) and good reporting (detective). The idea here is that if for some reason you cannot prevent something, you need to, at least, detect the resulting anomaly. They do this by generating logs. If a tool does not generate a log, it is of little use.
Today, the notion of traceability is extremely important. When an anomalous event occurs, we need to be able to trace it to its source. The two groups this month help us do that. The biometrics ensure that the person using the resource – computer, file, application – is who they claim to be. So, if a user compromises a desktop by downloading a virus-laden file, we can say with certainty who is responsible.
That, by the way, is an important distinction. I didn't say that we know who did it. I said that we know who is responsible. Back to policies: the person authorized to logon to the resource is responsible and, with biometrics, we know who that is. If the responsible person allows someone else to use the resource under their login, they assume responsibility for the surrogate's actions.
Endpoint security products help us ensure that, even if the authorized user does something that violates the policies being enforced, the tools kick in and prevent the action. If somehow the user manages to compromise the tool, there likely is a log somewhere that tells us that. That is an appropriate mix of preventative and detective controls.
As I have pointed out over the past year, these products are just part of the overall security administrator's tool kit. They have their own special applications and belong in those applications. For example, while prices have come down on biometrics many organizations still prefer to restrict their use to high security applications.
Depending on the organization, that may be a good choice. In these two product groups, more than many, one size doesn't fit all. – Peter Stephenson, technology editor