Access management is critical to protecting a business’s assets, but implementation has languished because of cost and complexity. In particular, application- and server-based techniques take too much time, apply to only one application at a time, and fail to provide enough protection because they leave the rest of the network wide open. The new frontier in access management is to implement access control directly in the network infrastructure. This approach, based on intelligent infrastructure, provides a simpler, faster, and dynamic means of controlling access to corporate resources, with tighter security to boot.
Why has access management emerged as such a critical task? Traditionally, we allowed anyone inside the building to go anywhere on the LAN – they were assumed to be a trusted insider. But now, with today’s increased reliance on contractors and business partners, as well as guest demands for network access while onsite, the outsiders are now the insiders. The simultaneous migration to digital storage of nearly all critical business assets, and insider awareness of the value of that information, has dramatically increased corporate risk.
Businesses today must enable the connectivity and access people require to do their jobs effectively and businesses require to collaborate with outside entities, but they must also ensure their valuable online assets are not compromised.
Application-based controls have been available for a long time and indeed will continue to flourish. Details about which personnel can complete which steps in an order entry and fulfillment process, for example, will continue to reside within a company’s enterprise resource planning (ERP) application. But not all applications have such controls, and implementing basic control over who can access a certain application is not scalable when attempted application by application.
Similarly, server-based controls have their place too, with IT able to designate folder and file access directly on servers. Again, however, the scalability issue is severe, with IT needing to designate for each folder and file, on every server, which groups of people should be allowed access.
Network-based controls have the advantage of applying controls within the infrastructure so that IT does not have to go to each application or each folder on a server to designate access rights. These tools, however, have also had significant scalability issues to date. IT has historically had only the most primitive of tools at their disposal – the use of virtual LANs (VLANs) and access control lists (ACLs).
VLANs and ACLs are challenging to configure, relying on IP addresses and TCP port numbers and an arcane syntax. Plus, IT has very few testing or troubleshooting tools available to determine if an ACL has been properly configured or to know when or against whom an ACL has been used to block access. In these days of increased business scrutiny, with auditing and compliance concerns impacting the majority of businesses, IT needs a fresh way to embed controls in the network.
More intelligent infrastructure, with knowledge of the user and application and the ability to enforce access policies based on that information, is the key to IT’s ability to keep pace with changing business practices while protecting assets on the LAN. Intelligent LAN appliances and next-generation switches can deliver this user and application control. Having such intelligence embedded in the infrastructure gives IT the simple tools they need to support connectivity without risking valuable data. The intelligent appliances allow IT to embed control in networks without making any other infrastructure changes, while intelligent switches are the smart choice for any network expansion or upgrade.
Intelligent infrastructure leverages many existing assets. It ties into the directory structure, with its user groups in place, and uses that data to automatically authenticate users as they come onto the LAN and place them into a role. IT can also designate “security zones,” classifying files, servers, and applications into their appropriate business use and outlining which groups can access those zones.
With these two basic steps, IT has just answered the most challenging aspects of access management – who should go where on the LAN. And by tying into directories, IT is able to automatically keep up with individual user changes, provisioning and deprovisioning users readily. Plus, by elevating policy to roles, IT simplifies the control matrix needed – those who process bill payments need to be in the PCI (Payment Card Industry) role and have rights to the servers and applications hosting credit card data. This approach is much simpler than trying to create ACLs to block the IP addresses that shouldn’t reach those servers.
IT can also use this user and application intelligence to get more granular about their controls. It may be appropriate, for example, for a bank teller to access customer accounts out on the floor, but that same access – by the same person, to the same application – would not be appropriate from the back office location. Application- or server-based controls cannot provide this level of context to ensure appropriate access management.
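The role-and-zone model described above (directory groups placing users into roles, zones naming which roles may reach a set of resources, and location as an extra condition) can be sketched as a small policy engine. The following is an added example written for this article; it is not ConSentry code and does not reflect any product's API. The directory groups, role names, zones and locations are constructed sample data, and the engine records every decision, allowed or denied, with the reason, which is the audit detail the article notes that plain ACLs do not give you.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed sample directory: user -> directory groups (hypothetical data).
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Finance-AP", "All-Staff"},
    "bob": {"Branch-Tellers", "All-Staff"},
    "carol": {"Contractors"},
}

# A directory group places a user into a role; roles, not users, appear in policy.
GROUP_TO_ROLE: Dict[str, str] = {
    "Finance-AP": "pci",
    "Branch-Tellers": "teller",
    "Contractors": "guest",
    "All-Staff": "employee",
}


@dataclass(frozen=True)
class Zone:
    """A security zone: a named set of resources plus the roles allowed in."""
    name: str
    allowed_roles: FrozenSet[str]
    # None means any location; otherwise access is allowed only from these.
    allowed_locations: Optional[FrozenSet[str]] = None


# Constructed zones. "customer-accounts" is the article's teller example:
# permitted on the branch floor, not from the back office.
ZONES: Dict[str, Zone] = {
    "cardholder-data": Zone("cardholder-data", frozenset({"pci"})),
    "customer-accounts": Zone("customer-accounts", frozenset({"teller"}),
                              frozenset({"branch-floor"})),
    "intranet": Zone("intranet", frozenset({"employee", "teller", "pci"})),
    "internet": Zone("internet", frozenset({"employee", "teller", "pci", "guest"})),
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    user: str
    zone: str
    location: str
    reason: str


# Every decision is appended here so an auditor can see who was blocked, where, and why.
AUDIT_LOG: List[Decision] = []


def roles_for(user: str) -> Set[str]:
    """Derive roles from the directory; a deprovisioned user simply has none."""
    groups = DIRECTORY_GROUPS.get(user, set())
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def authorize(user: str, zone_name: str, location: str) -> Decision:
    """Role/zone/location check with default deny and an audit record."""
    zone = ZONES.get(zone_name)
    roles = roles_for(user)
    if zone is None:
        decision = Decision(False, user, zone_name, location, "unknown zone: default deny")
    elif not (roles & zone.allowed_roles):
        decision = Decision(False, user, zone_name, location,
                            f"roles {sorted(roles)} do not include any of {sorted(zone.allowed_roles)}")
    elif zone.allowed_locations is not None and location not in zone.allowed_locations:
        decision = Decision(False, user, zone_name, location,
                            f"zone permits only locations {sorted(zone.allowed_locations)}")
    else:
        granted = sorted(roles & zone.allowed_roles)[0]
        decision = Decision(True, user, zone_name, location, f"role {granted} permits zone")
    AUDIT_LOG.append(decision)
    return decision


def deprovision(user: str) -> None:
    """Removing the directory entry revokes every zone at once; no ACLs to edit."""
    DIRECTORY_GROUPS.pop(user, None)


def denied_attempts() -> List[Decision]:
    """The view an ACL does not give you: which users were blocked, where, and why."""
    return [d for d in AUDIT_LOG if not d.allow]


if __name__ == "__main__":
    for user, zone, loc in [("alice", "cardholder-data", "back-office"),
                            ("bob", "customer-accounts", "branch-floor"),
                            ("bob", "customer-accounts", "back-office"),
                            ("carol", "intranet", "lobby")]:
        d = authorize(user, zone, loc)
        print(("ALLOW" if d.allow else "DENY "), user, zone, loc, "-", d.reason)
    deprovision("alice")
    print(authorize("alice", "cardholder-data", "back-office").reason)
```

The policy itself is only the `GROUP_TO_ROLE` and `ZONES` tables, which is the "control matrix" the article describes; adding a user or revoking one is a directory change, and the zone definitions never mention an IP address or port.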
This intelligence also provides layers of protection for IT beyond policy enforcement. An understanding of application behavior means that an application with aberrant behavior is now identifiable, and can be stopped. So if an application or device is being used inappropriately, to propagate an attack or attempt data access it shouldn’t have, the intelligent infrastructure can detect and stop this traffic.
Plus, by embedding this intelligent control in the infrastructure right at the user edge of the LAN, IT gains much tighter control throughout the LAN. Using ACLs embedded on a core switch only leaves the rest of the LAN wide open, to both intentional attacks and the accidental spread of malware.
Centralized policy creation, distributed to enforcement devices throughout the LAN, vastly simplifies the task of access management in today’s LANs. Appliances and switches that offer intelligent control over users and applications provide the critical foundation needed to support the business today. This intelligent infrastructure allows IT to support the full scope of users “inside” and “outside” the business, quickly roll out new applications and locations, and yet simultaneously protect the vital assets at the heart of today’s companies.
Jeff Prince is chief technology officer for ConSentry Networks. Jeff has more than 18 years of experience developing networking and ASIC technologies. Jeff holds eight patents related to networking technologies, and he has a BS in Computer Engineering from