Mainframes are the technological equivalent of the television show “Father Knows Best”—both represent an idyllic time when life was simpler. Back then, CIOs and VPs of MIS/DP knew all their users and governed access accordingly.
Today, technology more closely resembles the popular show “Survivor”—as tech leaders never really know who’s a threat or where the next betrayal could come from. Distributed systems and the Web have helped create a security paradox: providing workers enough access to do their jobs, while maintaining enough control over the network to keep it secure.
As a result, security tool vendors are assiduously working on what’s been dubbed “identity management” in order to make administration easier. Nearly every security software vendor touts a tool for central control of user access, authorization, and authentication.
But the fundamental challenges remain: How do you determine who gets access to what, and which systems a user needs to do his job? The goal, obviously, is granting only those permissions needed and no more.
However, CIOs might not want to hear the answers provided by security experts. As with so many facets of IT, it’s not a technology question as much as it is a business question
Simply put, it’s a task of extreme granularity, and there’s no way out of it.
“Everybody’s a one-off,” said Mark McClain, president of Waveset, a developer of identity-management software. “It’s a computer science theory meeting messy reality.”
Taking it on a case-by-case basis
Admittedly, devising security permissions on an individual basis is a tedious but necessary chore.
“Security and ease of use don’t go together and they never will,” said Adrian Santangelo, a partner in Full Brain Technologies, an Iowa City, IA, consulting firm, specializing in security. Santangelo fears that in most companies, the default security configuration is access to everything. He recommends that tech leaders head in the opposite direction. “Don’t give anyone access to anything and work up from there. It’s tedious, but it’s the only way to do it,” he said.
SRI security expert Peter Neumann agrees. Most database systems, he explained, have fine-grain access control, but they’re not set up properly. “If you have access to anything, you have access to everything,” he said.
Unfortunately, in setting individual permissions, CIOs might run into high-level executives who think they should have access to everything. Santangelo tells these executives, “You pay me to do this the proper way, and that’s what I’m going to do. You might cause problems, not because you want to, but accidentally.” All it takes is someone with an all-access pass to unintentionally leave his or her computer on, and suddenly sensitive data is accessible, he noted.
Where tools come into play
However, while administering access manually is tedious, it has also become nearly impossible with the explosion of distributed systems, both internal and external. The situation is exacerbated when security staffers are versed in NT security but not as well versed in Oracle security.
The issue will only get worse with the implementation of online privacy regulations such as the Health Insurance Portability and Accountability Act and the financial services industry’s Graham-Leach-Bliley requirements.
And that’s exactly what’s spurring the slew of automated security tools.
“Doing it manually doesn’t scale,” said Waveset’s McClain. “You need an automated way to deal with a person joining or leaving, or when you acquire a company with 5,000 more users.”
That’s where an 80-20 rule comes into play, he added. With the 80-20 approach, enterprises use automated software to handle 80 percent of the administrative issues, and let the IT staff handle the rest.
For example, one Waveset client, a computer manufacturer, has linked its PeopleSoft system to its Waveset identity management system, so that when the HR department adds or deletes someone, that user is automatically added or deleted from the Waveset system.
Another advantage to automated identity-management software is that by increasing the so-called self-service capabilities—letting users reset their passwords or letting their supervisors assign security access to files based on need—the permissions decision becomes business-based rather than IT-based. While he acknowledged that IT should always be a partner in the permissions process, McClain insisted that “the decision on permissions should be made by who owns the data, not IT.”
If CIOs need more motivation for taking a granular permissions approach, consider the ounce-of-prevention argument. If a minimum number of people have access to certain databases and files, and there is a security breach, you’ve already limited the scope of your investigation.
“If you’ve set up permissions granularly,” said Full Brain’s Santangelo, “you can find a problem more quickly. A stricter policy will help you figure out what went wrong.”