By Stephen J. Bigelow, Senior Technology Writer
Business owners and managers are constantly identifying areas of risk and taking steps to mitigate that risk. In an IT environment, risk takes the form of access. An organization may possess a wealth of resources, but those resources are not available to every employee, customer or partner. Businesses implement access control to ensure that each user (inside or outside of the organization) only has access to the resources necessary to perform their respective tasks, while preventing access to resources that are not relevant to the user.
Solution providers need to recognize the importance of access control in everyday security, understand its management implications, and help clients match access control to compliance obligations. The first installment of this Hot Spot Tutorial explores the goals of access control and other considerations as it relates to user identities and authentication.
Access control goals and considerations
There are many different types of access control: network access control (NAC), identity management (IDM), Web access control, remote access control, and device or endpoint access control. This tutorial deals with the importance of access control related to user identity -- in other words, ensuring that users have access to the right data (or other corporate resources).
Access control involves three processes: authentication, authorization and audit.
The second process, authorization, allows users access to the appropriate applications, servers, data stores and physical items (such as building doors and equipment). "One [process] figures out who it is, and the other one figures out what they can do," said Andrew Plato, president of Anitian Enterprise Security, a security solution provider headquartered in Beaverton, Ore. Authorization is often handled by manually correlating authenticated users to specific applications or other resources -- a time-consuming and error-prone activity. Recent developments like single sign-on (SSO) and other IDM technologies promise to bring automation and better control to the process.
Access control is increasingly tied to access auditing and reporting. Auditing, the third process in access control, creates a user activity trail. Administrators can analyze the audit trail and identify access anomalies that might reveal inappropriate access assignments on the part of administrators or unauthorized access attempts on the part of users.
The practice of "least privilege," which limits user access to the minimum number of corporate resources needed for immediate job functions, has become crucial in access control, helping to minimize business risk. Even application design is affected by least privilege principles.
"Web browsers are a great example. They're becoming the window into so many sensitive applications -- everything from banking to internal [customer relationship management]," said Pete Sclafani, senior director of information systems and strategy at UnitedLayer, a managed Internet service provider in San Francisco. "Having an application that doesn't use least privilege … can become a liability even though it helps worker productivity [to be] able to access documents from anywhere."
Access, and associated privileges, can be determined through a number of different techniques. The method used in each client's organization will depend upon their environment, circumstances and business needs. Mandatory access control (MAC) matches "sensitivity labels" to users and resources, allowing users to access objects or resources up to or including their level of sensitivity. This type of access control is rigid and rarely used except by governments and military organizations.
Discretionary access control (DAC) allows the owner of a resource or object to determine which users can access a resource. DAC is also rarely used because there is little central control over resource access.
The most common and familiar access control technique is role-based access control (RBAC), where privileges are assigned to organized groups of users. For example, Level 1 engineers and human resource generalists may receive very different access privileges. A user placed into either of those groups will receive the access privileges granted to that group.
Elements of an access control system
Access control is not a product that is purchased and deployed to address a client need, but rather an infrastructure and processes that are integrated into the client's environment and expanded across the environment in phases over time.
An access control system starts with a server running access control software to provide the user database, control framework and management tools (such as policy management, enforcement and auditing). Notable examples include IBM's Remote Access Control Facility (RACF) running on a z/OS or OS/390 server and CA's Access Control software, which can run on Unix, Linux and Windows platforms and even virtualized servers. The access control framework interfaces with directory services like Lightweight Directory Access Protocol (LDAP) and security services like Radius.
Access control systems also require user credentials. User names and passwords are the simplest credentials stored in the system's user database. For example, VidoopSecure provides multifactor authentication for high-traffic consumer websites. But credentials can be far more sophisticated. These can include a wide range of two-factor identification technologies such as magnetic or proximity-based smart cards and corresponding user PINs. Even biometric technologies are appearing, including fingerprint scanners, retinal scanners and facial recognition scanners.
While biometric devices are not a new concept, experts are split on their adoption. "Biometrics is gaining more visibility within organizations as it becomes less intrusive and more integrated with technology," said Allen Zuk, president and CEO of Sierra Management Consulting LLC, an independent technology consulting firm. Zuk noted that biometric devices are getting more accurate and providing fewer "false" results.
But other experts question the degree of uptake. "I haven't seen adoption of biometrics as prevalent as you'd expect," said Robi Papp, strategic accounts manager with Accuvant Inc., a security consulting organization headquartered in Denver. "The technology is there, but you can't apply it very well. I see two-factor authentication used more."
Papp also noted that access control methods can be challenged by the disabilities of users. For example, tokens or retinal scanning may not work well for blind users, while fingerprint scanning may not be suited to amputees. Solution providers will need to consider authentication methods that are appropriate for the client's user base.
Trends in access control deployments
Solution providers should consider some notable trends occurring in access control implementations. Policy controls are evolving, and previous approaches that focused on individual users are now addressing groups of users more comprehensively -- and this is more in tune with business practices.
"This represents a very significant advantage over previous approaches that were aimed at the individual level," Zuk said. For example, a human resources professional may remove a user from the company's global directory after their exit interview, effectively removing the user from any and all groups, thereby maintaining security.
Also expect to see an increased emphasis on least privilege, combined with greater efforts to protect credentials from theft. "If a hacker or a malicious person steals credentials and has legitimate credentials to the environment, they cannot be stopped," Plato said, noting that providers need to make the credentialing process more sophisticated and complex through multifactor authentication, using factors like tokens or one-time passwords. It's not just large companies that need the protection of multifactor authentication, and products like AuthAnvil from Scorpion Software Corp. are appearing for the small and medium-sized business (SMB).
Look for more controls and tools to manage rights, helping to bring more automation to rights management, along with more auditing and reporting capabilities featured in products such as security information management (SIM) and security event management (SEM). Tools like Varonis DatVantage 3.7 from Varonis Systems provide access control monitoring and automation.
This was first published in December 2008