
Who are you and what are you doing here?


This month we are looking at three facets of access management. When we think about access control, the obvious aspects are identification, authentication and authorization. We should also be thinking about data leakage. The idea that data leakage is part of access management might seem a bit odd, but if we consider why we manage access – to control access to data – it starts to make sense. If data is leaking from the enterprise, you are not controlling access to it.

With that in mind, we are tackling identity management, network access control (NAC) and data leak (or, if you prefer, loss) prevention (DLP). We have a good crop of products, but, unfortunately, we did not see a lot of new or innovative functionality this year. That said, the juxtaposition of these three technologies is, in itself, interesting, innovation or not.

Protecting data in the enterprise requires creative thinking. Back in the day, we could set up a firewall, sprinkle on a bit of encryption and season with a dash of remote access and we'd be fine. Not so these days, of course. Today, many organizations have no hard demarcation between the protected network and the internet. The perimeter is often a collection of subnets that connect on one side to the world and on the other side to the backend database or other application. Web interfaces are often complicated applications in themselves.

“Everything we do is done to protect the data, whether we're talking about policy, people or products.”

– Peter Stephenson

When we consider a soft demarcation, we must have some creative ways to protect our data, and that is what this month's reviews are all about. Identity management is pretty obvious. We need ways to provision – and de-provision – users with IDs and first-use passwords. It would be good to associate IDs with authorized resources, and to do that we can use a robust NAC. NAC is a technique/tool that has been in and out of favor over the years. We can recall people saying that NAC won't last or that it will be absorbed by some other technology. It's been nine years since Cisco coined the term in 2003 and NAC is still going strong.

DLP has had multiple functions since it was included as part of multipurpose appliances. Generally, though, it may be thought of as a sort of reverse firewall or IPS. Firewalls and IPS are intended to keep intruders out. DLP is intended to keep data in the enterprise where it belongs. In fact, during the early days of DLP, the appliances were called “extrusion prevention systems,” as distinguished from intrusion prevention systems.

So, think about it. The connection between identity management, NAC and DLP is not quite as tenuous as it might at first appear. As we have said many times, it's all about the data. Everything we do is done to protect the data, whether we're talking about policy, people or products. So this month, we take up that function from yet another perspective.

To help us do that, we introduce our newest member of the SC Labs team, Jim Hanlon. I've known Jim for years. He is a thorough professional who developed his testing chops over several years in a variety of information security positions. It's a real pleasure to have him join the team. We are certain that you'll enjoy his reviews as much as we did. He is sharing the lab space with Mike Stephenson, our SC Lab manager. Between the two of them, we are pretty sure that you'll agree that they have wrangled these products through their paces.
