Access control-related technology has become a top growth area for many security solution providers, in large part due to an expanding number of privacy laws and the increasing popularity of new mobile devices like the iPad.
And that trend is only growing, according to the results of a SearchSecurityChannel.com survey of several dozen information security systems integrators, solution providers, consultants and other security channel professionals conducted in the first quarter of 2010. Half of the respondents claimed that
Regulations driving access control
Jim Kelton, managing principal at the Santa Ana, Calif.-based Altius Information Technologies Inc., has seen a trend over the past couple of years: large organizations are pushing down on their smaller, third-party service providers to meet privacy laws, and that often increases the need for access control technology.
For example, the Massachusetts data protection law, MA 201 CMR 17, which went into effect in March 2010, requires "secure access control measures" that restrict access to records and files containing personal information to those who need it for their job duties. The law also requires the assignment of unique identifications and passwords, not vendor-supplied default passwords, to each person with access to a computer within any organization that possesses sensitive data of Massachusetts residents.
MA 201 CMR 17 is just one of a few compliance regulations or standards that require an organization to shore up its access controls. HIPAA requires procedures that identify employees who can access electronic protected health information (EPHI). PCI DSS calls for unique IDs and restricted access to credit cardholder data.
Legislation like MA 201 CMR 17 and HIPAA requires an organization's external partners, service providers and business associates, who may be located in a different state, to provide assurance of compliance -- a major factor, says Kelton, in increased access control technology deployment.
"Over time, the regulations have gotten stronger, telling large firms and everyone else: you also have to make sure your third-party service providers are meeting the requirements," said Kelton, who works primarily as an auditor for companies ranging from small clients with only nine employees to large firms of up to 25,000 people.
Larry Boettger, director at InfoSec Security & Compliance Group, based in Madison, Wis., agrees that the concern about access control is largely due to privacy laws.
"A lot of focus now is on regulations and regulatory compliance. And through the years, access controls were the weakest links," said Boettger, citing how he still audits companies and finds customers keeping passwords under computers.
"Access control is in every regulation," he said.
Dan Thormodsgaard, director of solutions architecture at the Kansas City, Mo.-based solution provider FishNet Security, has implemented NAC across many client organizations, including a medical manufacturing company. For Thormodsgaard, the move for NAC has had little to do with compliance regulations and everything to do with a new favorite gadget: the iPad.
"We are absolutely having daily, weekly conversations around mobile devices: iPhones, iPads, Droids, all these devices that have limited management capabilities. They really don't have an effective tool that allows you to centrally manage [them]," said Thormodsgaard.
If a vulnerability is found on an iPhone, for example, there is currently no built-in ability to push an update to affected devices.
To address the problem of letting non-managed devices on the network, Thormodsgaard has deployed Great Bay Software Inc.'s Beacon product, which supports 802.1X implementations and creates an inventory of endpoint-attached devices, and Juniper Networks' Unified Access Control product for profiling and containment of non-compliant machines.
Working for a PCI level-1 auditor, Thormodsgaard deals with financial institutions, retail organizations and the heavily regulated healthcare industry. For him, however, access control technology deployments like NAC projects occur because of a company's business decision, not because of privacy laws. Thormodsgaard, for example, has seen iPads allowed into the organization as business enablement tools, many times without the organization looking to IT and security teams for ways to reduce risk.
"NAC is for mitigation, not based on compliance issues," said Thormodsgaard. "How can you have a managed network and allow non-managed devices on your network?"
Thormodsgaard said he's seen a "shocking" number of companies, from healthcare facilities to retail stores to global food branding companies, whose executives have pushed iPads and mobile devices into the organization and down to IT, often because their peers are using the devices in their own environments.
"They're not looking at the risk it's introducing in the environment. That's usually an afterthought," he said, adding that access control needs to be implemented around the newly allowed technology.
Access control: Technology choices
Larry Boettger has seen NAC implementations increase, but a deployment of this type raises more complicated implementation challenges, including how to get the technology integrated with authentication directories like Active Directory and whether to implement it in-band or out-of-band. Instead, Boettger has seen an increase in two-factor authentication, deployed to limit the damage from social engineering practices that could lead users to accidentally or intentionally give up passwords.
"When we do risk assessments…our clients are looking at two-factor for remote access for users coming in from home, from laptops," he said, adding that many of his healthcare and banking community clients have put internal controls like biometrics and certificate-containing access cards on their budgets.
"The No. 1 reason two-factor is becoming popular is that passwords just don't work, and users aren't protecting them. If users aren't accepting their organizational security policies for protecting them, that's a problem politically."
Gordon Shevlin, executive vice president at FishNet Security, however, says that two-factor authentication is losing its luster, due to the technology's laborious management challenges, like when employees lose tokens. Instead he has seen some companies deploy a less intense version of data leak prevention (DLP).
"DLP is really growing strong, and we're seeing quite a few companies, instead of buying the whole enchilada, are going in on 'DLP Lite,'" he said, alluding to a process where companies develop and expand rule sets, but don't go through the standard and laborious task of classifying assets across an entire organization.
"If you work for Boeing, and you see Airbus, I want a notification," said Shevlin, referring to DLP Lite's role in monitoring logs and IP addresses to detect a potential data leak to a competitor.
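The rule-set approach Shevlin describes amounts to matching log records against a watchlist and raising a notification, without first classifying every asset. The following is an added example written for this article, not code from FishNet Security or any DLP product: it scans constructed outbound web-proxy log lines (the log format, user names, IP addresses and the competitor domain `rival-aero.example` are all assumptions) against a small watchlist, treats uploads to a watched domain as higher severity than reads, and tallies hits per user so an analyst can see who to follow up with.

```python
import re
from collections import defaultdict

# Constructed sample of outbound web-proxy log lines (not real traffic).
# Assumed format: "<timestamp> <user> <src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2010-04-12T09:14:02 jdoe 10.20.1.15 GET http://intranet.example.local/wiki 200
2010-04-12T09:15:40 jdoe 10.20.1.15 POST https://careers.rival-aero.example/apply 200
2010-04-12T09:16:05 asmith 10.20.1.22 GET https://mail.rival-aero.example/inbox 200
2010-04-12T09:17:11 asmith 10.20.1.22 GET https://www.example.com/news 200
2010-04-12T09:18:30 asmith 10.20.1.22 POST https://upload.rival-aero.example/files 201
2010-04-12T09:19:00 bwong 10.20.1.31 GET https://rival-aero.example.com/ 200
"""

# The "rule set" a DLP Lite deployment grows over time: competitor domains
# to watch (constructed placeholder) and the HTTP methods that suggest data
# leaving the organization rather than merely being read.
WATCHED_DOMAINS = {"rival-aero.example"}
UPLOAD_METHODS = {"POST", "PUT"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:]+)", re.I)


def host_of(url):
    """Extract the lowercase host from a URL; empty string if unparsable."""
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else ""


def matches_watchlist(host, watched=WATCHED_DOMAINS):
    """True if host equals a watched domain or is a subdomain of one.

    Matching on label boundaries matters: 'rival-aero.example.com' is a
    different registrable domain and must not match 'rival-aero.example'.
    """
    return any(host == d or host.endswith("." + d) for d in watched)


def scan(log_text, watched=WATCHED_DOMAINS):
    """Return (alerts, per_user_counts).

    Each alert is (timestamp, user, method, host, severity). Malformed
    lines are skipped so one bad record cannot stop the whole scan.
    """
    alerts = []
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        if not matches_watchlist(host, watched):
            continue
        method = m.group("method")
        severity = "high" if method in UPLOAD_METHODS else "low"
        alerts.append((m.group("ts"), m.group("user"), method, host, severity))
        counts[m.group("user")] += 1
    return alerts, dict(counts)


if __name__ == "__main__":
    found, per_user = scan(SAMPLE_LOG)
    for ts, user, method, host, severity in found:
        print(f"[{severity.upper()}] {ts} {user} {method} {host}")
    print("hits per user:", per_user)
```

Running the block on the constructed sample yields three notifications: two high-severity uploads (one from jdoe, one from asmith) and one low-severity read by asmith, while bwong's visit to the look-alike `rival-aero.example.com` is correctly left alone. In a real deployment the watchlist and the severity rules are what grow over time, which is the expansion of rule sets the article describes.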
The implementation of technologies that relate to access control -- NAC and two-factor authentication -- often varies based on the size and maturity of organizations. Shevlin agrees, however, with many of the respondents of the SearchSecurityChannel.com survey.
"Access control is just heating up right now," Shevlin said. "If I looked last year at the amount of access control projects, it wasn't that big. It's grown based on money starting to flow back in companies."