Our Services
Wednesday, 03 March 2010 00:00
Information security is one of the most misunderstood disciplines in the modern technology world. The IT managers responsibility to establish and maintain a secure network environment can be readily vexed by conflicting demands. Users demand simplified access controls and are inclined to breach the principles of good security by writing down network credendials such as user IDs and passwords. It is not uncommon to witness the practice of writing critically secure information on prominently displayed post-it notes. At the same time, and for good reason, there is a growing intollerance of security breaches.
An effectively secure network environment does not happen by accident - nor should a breach of security be treated as an accident. The advent of key-stroke-logging trojan malware means that basic weaknesses in the overall nentwork environment can facilitate infestation and security breaches. These should never be accepted as a necessary evil for the sake of systems usability, or user peace of mind. Network security requires discipline. That sounds simple but in most organizations the effective level of discipline is often much lower than secure practive standards would dictate. Let's consider the three key elements of network and data systems security: Authentication, Authorization, and Access Control.
Authentication
Ask yourself this question: "If someone were to access your on-line bank account with your username and password, is that sufficient warrant for legitmate withdrawal of your money?" - Obviously not. Likewise, the mere fact that someone may know how to access an information system with a valid set of user credentials is not enough to establish the transaction as a bona fide event. The obvious question that needs to be answered is: "What assurance do we have that the valid set of credentials are in fact being used in a legitimate manner?" An equally daunting follow-up question that every business must consider is: "Can this user be trusted if indeed the credentials presented are correct, and it has been reasonably established that the user is as claimed?"
One way of dealing with every authentication event would be to report the transaction to the organization's security officers, and in particular to report it to the user whose credentials were used. This is an after-the-event notice, but is better than not at all. Fraud investigation would then be tasked with any follow-up that may be called for.
Authorization
Many business network perimeter security systems rely on no more than presentation of correct credentials to permit access to the internal, supposedly secure, environment. But how many systems adequately track and control network, systems and applications access for permitted access times? Corporate networks that permit access from the Internet should carefully track the origin of network connection attempts. A legitimate set of credentials for a connection that originates from a far-flung place such as Camelot while the user is actually in New York should raise immediate alarm. All data and systems resource access attempts ought to be treated as a potential threat. Appropriate risk abatement policies should be meticulously followed at all times.
Authorization can be implemented as a two step process. Firstly, the user can be provided with immediate feedback upon being authorized to access an information resource. Secondly, the user and his/her manager may be notified of the authorization event. The second step provides a means of additional auditing and validation, and while it may not prevent unauthorized intrustion, at least it provides an avenue by which the organization can become aware of a potential felony.
Access Control
After a user has been authenticated and the connection or session has been authorized, is there any further need to control or monitor what the user does? Obviously there are many situations where additional access controls are essential. For example, the janitor would not likely have good reason to access a payroll application. For that matter, a shipping clerk would not likely have good cause to access a company's HR database. These situations demand appropriate privileges that also could be carefully monitored. In the event of an access attempt that is beyond the users' privilege level how could the attempt be rerouted to protect vital business information while not unduely alarming the person making the inappropriate access attempt?
Many organizations spend more effort considering how aversive action may impede legitimate systems use, rather than focusing on the negative impact of leakage of vital information into the wrong hands. It goes without saying that there is a justifable need for sound policies and procedures so that information that is important to the organization, its employees, and its customers can be safe-guarded and protected.