Now more than ever, IT managers are tasked with doing more with less to accommodate their growing networks. Companies need more connectivity, more collaboration with business partners and secure guest access. But they must deliver that connectivity with less budget, fewer resources and incredibly short implementation deadlines. This invariably leaves the IT department struggling to cut corners without impacting business continuity -- and deciding how best to meet internal users’ needs. Unfortunately, in this scenario, data and network security almost always suffer first. Why does this happen? Here are three reasons why network security tends to be compromised, and the role identity-aware networks play in mitigating these issues.
Defining Access Control Ownership
Take access control, for example. If you ask who implements access control in an organization, the probable answers will range from the application owner to the directory administrator, the networking group, the server admin and the security team. The true answer is -- all of them. Who “owns” access control and coordinates this disparate mess of rules, rights and policies is another matter entirely. For an organization to create a seamless access policy, ownership of access control needs to be mandated by the CSO or the CISO. Even then it is a monumental task to normalize these different access methodologies and drive inter-departmental communication.
Preventing Access Control from Controlling You
From the network perspective, access control in a “topology aware” network is typically provided by access control lists (ACLs) in routers and firewalls. An ACL is one or more conditional statements, each specifying an action (permit or deny) to take when a packet matches the statement. Traditional ACL-based systems become cumbersome in a large enterprise network, so ACLs are generally written very broadly in order to limit constant changes. This poses an enormous risk: a coarse-grained ACL can allow an attacker to masquerade (spoof) as an unused IP address from the permitted pool and, in doing so, inherit the access rights granted to that address.
However, there’s a simple test to gauge the effectiveness of your organization’s access control. First, log on to the network in the usual way. Open “Network Neighborhood” and browse the domain for systems like “Finance,” “Payroll” or “HR” to which you don’t have legitimate access. If you can see them, so can everyone else, and therefore they can be exploited.
Overcoming Weak Network Control Standards
In addition, many organizations have spent considerable funds on perimeter security to keep unwanted intruders out, but the internal network communities have tended to be -- by default -- implicitly trusted. Therefore, the requirement to implement internal, network-level access controls is often seen as an unnecessary expense. For this very reason, minimal application-level access control has become the de facto standard for securing a system’s data and applications. If there is no network-level access control requirement within the internal network, unauthorized users can easily circumvent application-level access controls and permissions using a number of targeted system- or application-level attacks. With few exceptions, the purpose of a computer attack is not to take control of a network, but rather to hijack an application and its data. Perhaps this is the primary reason why networks remain vulnerable to compromise and sensitive data leakage.
If these current approaches to access control and management don’t work, then organizations will need a new approach. To help mitigate the confusion around access control, a layer of abstraction is required. An abstraction layer is a way of hiding the implementation details of a particular set of functionality -- in this case, the network. By making the underlying network “transparent” to the network administrator, identity can be used as a constant identifier for policy and access enforcement. Because of this, network equipment vendors have started to shift their focus away from a traditional “topology aware” network approach to identity-driven, Role-Based Access Control (RBAC) or Identity-Aware Networks as the layer of abstraction.
Here are a few reasons why IT managers should consider using an identity-aware approach to policy and access enforcement to secure critical data.
Name Tags for the Network
By utilizing the identity already embedded in the infrastructure -- such as Microsoft’s Active Directory -- some network devices (OSI Layers 2 and 3) can be made “identity aware,” giving organizations the ability to bridge the gap between application-level and network-level access controls. By controlling access at the lower layers within the network -- without the need for complicated firewall and router rule updates -- identity provides more consistent, finer-grained policy control over resource access and enforcement. By integrating policy management into an LDAP-compliant directory service, companies can use their existing directory infrastructure to administer network access more effectively and efficiently. The network access policies defined describe whether a user -- by group membership or individual permissions -- can access a network resource. The resource could be any network server, port or service, using TCP/IP to identify the servers and applications on the network. It’s as simple as that.
It’s Audit Time, Again
One of the key features and benefits of identity-aware networks is the ability to audit by user identity -- which includes the user’s full name and organizational department as stored in the directory. The collected audit data can be a valuable resource to further define and enforce access policies for users accessing resources. But it also provides detailed reports of network behavior -- based on user identity, not IP address -- which can be used as evidence of internal and external audit compliance. A business-level individual such as a CFO or audit and compliance manager can immediately recognize the business value of these reports and use them to good effect -- such as forming inter-departmental security policies. In turn, the whole organization benefits from reduced disruption to the IT department during the discovery and data collection phase of an IT audit. Identity also provides a more reliable means of non-repudiable evidence of when a user accessed the network, where they went and what they did. This unified approach to authorization allows the network administrator to consistently enforce policy whether the user is working at their desk, in a conference room, on a local wireless network segment or remotely.
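To make the contrast between the coarse-grained ACL described earlier and an identity-keyed policy concrete, here is an added example (not code from the article or from any vendor product) that evaluates the same request both ways and returns an audit record keyed on the directory identity, as the audit paragraph describes. The directory, subnet, server name and rules are constructed sample values.

```python
import ipaddress

# Constructed stand-in for an AD/LDAP lookup: user -> department and group memberships.
DIRECTORY = {
    "alice": {"department": "Finance", "groups": {"finance-users"}},
    "bob": {"department": "Engineering", "groups": {"dev-users"}},
}

# Topology-aware rule (constructed): any host in the Finance subnet may reach
# the payroll server on TCP/445. The whole /24 is permitted to avoid constant edits.
TOPOLOGY_ACL = [
    {"src": ipaddress.ip_network("10.1.0.0/24"), "dst": "payroll-srv", "port": 445, "action": "permit"},
]

# Identity-aware rule (constructed): only members of finance-users may reach
# payroll-srv on TCP/445, regardless of which address they connect from.
IDENTITY_POLICY = [
    {"group": "finance-users", "dst": "payroll-srv", "port": 445, "action": "permit"},
]


def topology_decision(src_ip, dst, port):
    """Classic ACL evaluation: first matching statement wins, implicit deny otherwise."""
    ip = ipaddress.ip_address(src_ip)
    for rule in TOPOLOGY_ACL:
        if ip in rule["src"] and rule["dst"] == dst and rule["port"] == port:
            return rule["action"]
    return "deny"


def identity_decision(user, dst, port):
    """Identity-aware evaluation: the decision is keyed on the directory identity,
    and the returned audit record carries the user's name and department."""
    entry = DIRECTORY.get(user)
    groups = entry["groups"] if entry else set()
    action = "deny"
    for rule in IDENTITY_POLICY:
        if rule["group"] in groups and rule["dst"] == dst and rule["port"] == port:
            action = rule["action"]
            break
    return {
        "user": user if entry else "<unauthenticated>",
        "department": entry["department"] if entry else "n/a",
        "resource": f"{dst}:{port}",
        "action": action,
    }


if __name__ == "__main__":
    # Alice at her desk: permitted by both models.
    print(topology_decision("10.1.0.5", "payroll-srv", 445), identity_decision("alice", "payroll-srv", 445))
    # An unassigned address in the permitted pool: the ACL permits it, the identity policy does not.
    print(topology_decision("10.1.0.200", "payroll-srv", 445), identity_decision(None, "payroll-srv", 445))
```

The second pair of results is the gap the article describes: the ACL sees only the address, while the identity policy has no directory entry to grant rights to and produces a denial that names the resource rather than just a source IP.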
Taking Back Control of Access Control
Identity-aware networks are also helpful when defining access permissions. The holy grail of access permissions at all operating levels of the network is something called Global Policy. However, Global Policy has been very difficult for many organizations to achieve, for many of the reasons stated previously. Broken down into simple logistics, the answer to Global Policy creation in a “dynamic” topology-aware network environment is to recognize a “constant” as the primary access identifier. The “constant” must be unique, provide a means of validation, and remain connection- and location-agnostic. In today’s networks the “constant” is identity -- and it can be further strengthened by multi-factor authentication mechanisms to help prevent compromise. A true identity-aware network should know “who” you are by your “network name tag” and your individual permissions as assigned by policy at the point of decision -- and not just a user’s “role.” With these global policies in place, ownership of access control becomes clearer from the CISO’s point of view, and the consistency of policy from an implementation perspective is normalized.
As networks continue growing to unparalleled depth and complexity, so will the challenges IT departments face in meeting security, operational, audit and compliance mandates. For these reasons, the use of identity-aware networks is emerging to support the ever-increasing network workload, help mitigate IT complexity, and reduce companies’ overall security risk.
About the Author
Andrew Maguire is a Senior Director of Product Marketing for Applied Identity in

