Access control is one of those venerable categories that has been around since information security began as a formal discipline "in the 1970s as individuals began to break into telephone systems."[1] The approaches to access control have varied over the decades, but today the challenges are greater than ever.
As we discussed the various categories in this year's Innovator section with our selected vendors, we found that there are many approaches to security and, indeed, many of those approaches are quite distinctive. However, at the end of the day – whether it is acknowledged formally or not – everything has to do with access control in one form or another. It does not matter whether you are trying to control who can do what with a data asset or whether you are trying to figure out what has happened on your system and who is responsible. There is no escaping that the key is controlling who – or what – can access an asset.
Every year we begin the Innovator section with access control and that is no accident since the category really defines – arguably – the whole of information protection or what has come to be called “cybersecurity.” The main difference between the Innovators that we will highlight here and those in other categories is that these vendors make access control their focus. We have two top Innovators this year and their approaches are quite different. One is a system that encompasses a lot of other security products while the other is reasonably standalone as a solution to the access control challenge.
As with all of our products and vendors in the Innovator issue, we make no recommendations. Of course, we will summarize such things as cost and what we believe is innovative, but the rest is up to you. The two vendors in this access control section certainly are worth your consideration, but they by no means define the entire field. So, with that in mind, and a few words to define our various sections this year, let's proceed to the first of our Innovators.
[1] For a fascinating history of computer security see https://ecommerce.hostip.info/pages/249/Computer-Security-HISTORY-COMPUTER-SECURITY-PROBLEMS.html.
Vendor RSA, the security division of EMC
Flagship product RSA Via Access
Cost Varies, sold on a subscription basis, priced per user per month.
Innovation Developing an easy-to-use, easy-to-deploy solution for remote access control to applications that do not require the strength of SecurID, while maintaining a coherent security management system based on GRC and policy management.
Greatest strength Creative integration of all of the elements of a successful access management program under a single umbrella of the Via Portfolio.
The RSA Via system is part of the continuing evolution of RSA as a premier security vendor. The focus of Via is to converge the company's security offerings. To do that, the group has concentrated on three major areas: identity, ASOC (an advanced SOC that addresses advanced threats) and GRC (governance, risk management and compliance). We found it interesting to hear what this Innovator had to say about identity.
In their view, identity means understanding who has access to what and being able to manage that access. They see a need to go beyond strong authentication alone because of the loss of the perimeter and the emergence of mobile applications. Their goal is to allow any user to go anywhere, from anywhere, to anything. This addresses the need for easier ways to protect users of applications that do not require the assurance level of SecurID. That is what Via is all about.
Historically, remote users were typically brought into the enterprise by means such as VPNs. RSA wanted a universal way – whether the user is on-premises, off-premises, in a hybrid cloud or wherever. They believe – and we agree – that the new attack surface is identity. In fact, Verizon's "2015 Data Breach Investigations Report" says that more than 90 percent of breaches target credentials. Stolen credentials let attackers move not only laterally within a system but among systems. The identity is the centerpiece, along with its credentials. Via Access is designed to put all access in one place for all things ("to anything") and to stop the proliferation of separate silos for each type of access.
This goes back to an old problem: how to provide convenient single sign-on, especially to remote users. Via Access is part of RSA's overall access capability. Governance helps an organization understand who has access to what, and provides lifecycle management and enforcement. The goal is to offer a full suite of identity management to help customers be effective and successful. All of these access management pieces are tied together under the Via Portfolio. By pulling its products together, the company can enforce least privilege and clean out unused applications and access. By pooling governance and access management, it can restrict users to only the access they need to do their jobs.
Vendor Device Authority
Flagship product D-FACTOR
Cost $75,000 for the D-FACTOR Device Authentication Engine.
Innovation Significant improvement in machine-to-machine authentication.
Greatest strength Attitude toward innovation, particularly relative to the IoT and its communication with the cloud. The ability to build a trusted network of authorized devices for secure, mission-critical IoT applications.
We really liked the attitude of this Innovator: "Stay on the customer side as you develop new products." We could not have said it better. The company was started with substantial intellectual property, an advantage that not many start-ups have. It is a small company with about 10 full-time employees. Its business model is to contract out many of its basic services, such as legal and HR.
The company has an interesting take on the Internet of Things: "When you look at security relative to IoT you recognize that this has been around a while but called something different." They are not focused on consumer IoT issues, however. The company's main interest is in industrial, health care, SCADA and other large-scale IoT issues. Device Authority also focuses on protecting cloud access and data collection where IoT data feeds to the cloud. The objective is to be able to build a network of trusted devices.
Machine-to-machine identification and authentication has been around a long time, but static credentials are not adequate for the IoT. The big issue is providing a dynamic security capability and addressing authentication by users for devices. Relying solely on shared keys and certificates is not practical: static credentials can be captured and reused, and they are difficult to deploy and manage across very large enterprises.
Device Authority's goal, among other things, is to provide better, multi-faceted, machine-to-machine communication and to improve deployment options. The company provides the ability for customizable security specific to a customer's environment.
Core to its technology is dynamic authentication of a device. As a device attempts to connect, it receives a unique challenge; the key used to answer it is generated dynamically from the device and its environment. The system then interrogates the device, authenticates it, performs identity verification and enforces policy. A key problem this can address is a spoofed IoT device sending data to the cloud. Without such authentication, both flows are exposed: data from the device to an application, and control commands from the cloud service back to the device.
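To make the contrast between a static credential and a per-connection challenge concrete, here is an added example of the challenge-response pattern the paragraph describes. It is illustrative code written for this page, not Device Authority's D-FACTOR implementation, and its design choices are assumptions: the server holds a per-device root secret and a fingerprint hash of device/environment attributes, a fresh single-use nonce with a short lifetime is issued for each connection, the connection key is derived with HKDF-SHA256 from the root secret, the fingerprint and the nonce, and the device proves possession with an HMAC over the challenge. The class and attribute names and the sample device attributes are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative challenge-response device authentication (added example, not the
# vendor's protocol). Names such as DeviceRegistry, Device and the "dfactor-demo"
# derivation label are assumptions made for this illustration.

NONCE_TTL_SECONDS = 30


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def fingerprint(attrs: dict) -> bytes:
    """Canonical hash of device/environment attributes (sorted key=value pairs)."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()
    return hashlib.sha256(canon).digest()


def session_key(root_secret: bytes, fp: bytes, nonce: bytes) -> bytes:
    # The key for this connection depends on the device's enrolled root secret,
    # its fingerprint and the server's nonce, so it differs for every
    # connection and for every device, even one holding a cloned root secret.
    return hkdf_sha256(root_secret, salt=nonce, info=b"dfactor-demo|" + fp)


class Device:
    """Device side: answers a challenge with an HMAC under the derived key."""

    def __init__(self, device_id: str, root_secret: bytes, attrs: dict):
        self.device_id = device_id
        self._root = root_secret
        self._fp = fingerprint(attrs)

    def respond(self, nonce: bytes) -> bytes:
        key = session_key(self._root, self._fp, nonce)
        return hmac.new(key, self.device_id.encode() + nonce, hashlib.sha256).digest()


class DeviceRegistry:
    """Server side: enrolment data plus outstanding single-use challenges."""

    def __init__(self, now=time.time):
        self._devices = {}   # device_id -> (root_secret, expected fingerprint)
        self._pending = {}   # device_id -> (nonce, issued_at)
        self._now = now      # injectable clock so expiry can be tested

    def enrol(self, device_id: str, root_secret: bytes, attrs: dict) -> None:
        self._devices[device_id] = (root_secret, fingerprint(attrs))

    def issue_challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = (nonce, self._now())
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        # pop(): the challenge is consumed on the first attempt, so a captured
        # (nonce, response) pair cannot be replayed.
        pending = self._pending.pop(device_id, None)
        if pending is None or device_id not in self._devices:
            return False
        issued_nonce, issued_at = pending
        if nonce != issued_nonce or self._now() - issued_at > NONCE_TTL_SECONDS:
            return False
        root, expected_fp = self._devices[device_id]
        expected = hmac.new(session_key(root, expected_fp, nonce),
                            device_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Genuine connection, replay of a captured exchange, and a cloned-secret spoof."""
    attrs = {"model": "PLC-200", "serial": "SN-0001", "fw": "3.1.4"}  # constructed sample
    root = secrets.token_bytes(32)
    reg = DeviceRegistry()
    reg.enrol("plc-0001", root, attrs)
    dev = Device("plc-0001", root, attrs)

    n1 = reg.issue_challenge("plc-0001")
    r1 = dev.respond(n1)
    genuine = reg.verify("plc-0001", n1, r1)          # True

    replay = reg.verify("plc-0001", n1, r1)           # False: nonce already consumed

    # Attacker copied the root secret onto different hardware: fingerprint differs,
    # so the derived key and therefore the response differ.
    clone = Device("plc-0001", root, {**attrs, "serial": "SN-9999"})
    n3 = reg.issue_challenge("plc-0001")
    spoof = reg.verify("plc-0001", n3, clone.respond(n3))  # False

    return {"genuine": genuine, "replay": replay, "spoof": spoof}
```

With a static shared key, the replayed exchange in step two would be accepted indefinitely; binding the key to a server-chosen nonce and to the device's attributes is what turns a captured credential into a one-time, one-device value. The expiry window (NONCE_TTL_SECONDS) closes the remaining gap where a challenge is issued but the response is delayed.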
Device Authority believes it can have a real impact on the nation's security. In its view, many other start-ups are working on problems that do not need to be solved, whereas it wants to make a major impact on our ability to secure ourselves. We found that approach, in itself, to be quite innovative.