X
Tech
Home Tech Security

Automate access control

The need to protect data and, at the same time, to give employees access to it have always been in conflict. Now automated identity management tools are looking to ease that tug of war.
Written by Howard Baldwin, Contributor
Mainframes are the technological equivalent of the television show "Father Knows Best"--both represent an idyllic time when life was simpler. Back then, CIOs and VPs of MIS/DP knew all their users and governed access accordingly.

Today, technology more closely resembles the popular show "Survivor"--as tech leaders never really know who's a threat or where the next betrayal could come from. Distributed systems and the Web have helped create a security paradox: providing workers enough access to do their jobs, while maintaining enough control over the network to keep it secure.

As a result, security tool vendors are assiduously working on what's been dubbed "identity management" in order to make administration easier. Nearly every security software vendor touts a tool for central control of user access, authorization, and authentication.

But the fundamental challenges remain: How do you determine who gets access to what, and which systems a user needs to do his job? The goal, obviously, is granting only those permissions needed and no more.

However, CIOs might not want to hear the answers provided by security experts. As with so many facets of IT, it's not a technology question as much as it is a business question. Simply put, it's a task of extreme granularity, and there's no way out of it.

"Everybody's a one-off," said Mark McClain, president of Waveset, a developer of identity-management software. "It's a computer science theory meeting messy reality."

Take it on a case-by-case basis

Admittedly, devising security permissions on an individual basis is a tedious but necessary chore.

"Security and ease of use don't go together and they never will," said Adrian Santangelo, a partner in Full Brain Technologies, an Iowa City, IA, consulting firm, specializing in security. Santangelo fears that in most companies, the default security configuration is access to everything. He recommends that tech leaders head in the opposite direction. "Don't give anyone access to anything and work up from there. It's tedious, but it's the only way to do it," he said.

SRI security expert Peter Neumann agrees. Most database systems, he explained, have fine-grain access control, but they're not set up properly. "If you have access to anything, you have access to everything," he said.

Unfortunately, in setting individual permissions, CIOs might run into high-level executives who think they should have access to everything. Santangelo tells these executives, "You pay me to do this the proper way, and that's what I'm going to do. You might cause problems, not because you want to, but accidentally." All it takes is someone with an all-access pass to unintentionally leave his or her computer on, and suddenly sensitive data is accessible, he noted.However, while administering access manually is tedious, it has also become nearly impossible with the explosion of distributed systems, both internal and external. The situation is exacerbated when security staffers are versed in NT security but not as well versed in Oracle security.

The issue will only get worse with the implementation of online privacy regulations such as the Health Insurance Portability and Accountability Act and the financial services industry's Graham-Leach-Bliley requirements.

And that's exactly what's spurring the slew of automated security tools.

"Doing it manually doesn't scale," said Waveset's McClain. "You need an automated way to deal with a person joining or leaving, or when you acquire a company with 5,000 more users."

That's where an 80-20 rule comes into play, he added. With the 80-20 approach, enterprises use automated software to handle 80 percent of the administrative issues, and let the IT staff handle the rest.

For example, one Waveset client, a computer manufacturer, has linked its PeopleSoft system to its Waveset identity management system, so that when the HR department adds or deletes someone, that user is automatically added or deleted from the Waveset system.

Another advantage to automated identity-management software is that by increasing the so-called self-service capabilities--letting users reset their passwords or letting their supervisors assign security access to files based on need--the permissions decision becomes business-based rather than IT-based. While he acknowledged that IT should always be a partner in the permissions process, McClain insisted that "the decision on permissions should be made by who owns the data, not IT."

If CIOs need more motivation for taking a granular permissions approach, consider the ounce-of-prevention argument. If a minimum number of people have access to certain databases and files, and there is a security breach, you've already limited the scope of your investigation.

"If you've set up permissions granularly," said Full Brain's Santangelo, "you can find a problem more quickly. A stricter policy will help you figure out what went wrong."

The security paradox: Granting access while maintaining control
First published on August 13, 2002
By Howard Baldwin

How does your company plan to improve identity management? TalkBack below or e-mail us with your thoughts.

Editorial standards
Show Comments

Related

lenovo-ideapad-pro-5i-main

One of the longest-lasting laptops I've tested is not a MacBook or Asus

Close-up of a speaker for the SteelSeries Arena 9. It is on a wall shelf next to a few RPG rule books and merch from the 2018 Netflix revival of She-Ra

The most immersive speaker system I've ever tested is now $110 off at Best Buy

prioritize-hands-on-images

Why Apple's elusive iPad Pro Amazon discount is a fantastic deal for Memorial Day