IMPLEMENTING ROLE-BASED ACCESS CONTROLS FOR SYSTEMS AND USERS
Protecting critical resources from unauthorized systems and users represents one of the most important cyber security concerns for enterprises today. The “unauthorized” threat is not limited solely to a user who lacks the appropriate privileges. It can also refer to a machine from which the user is accessing a resource that is: unapproved for the type of access requested, unknown to the organization, or fails to meet required security standards as defined in the organization's security policies.
This challenge has been made greater by factors such as an increasingly mobile workforce, dependence on contractors and guest workers, and unapproved usage of personal machines. Similarly, the portability of users' access credentials exacerbates the situation. As a result, organizations need to have the ability to ensure that any machine from which a user attempts access is subject to and compliant with appropriate security policies. Enterprise IT organizations commonly look to identity and access management (IAM) solutions to provide a framework to restrict a user's right to access systems and applications, but these solutions often fail to account for the current security posture of the machine from which the access is being initiated.
Effectively remedying this situation requires a unified policy-based approach that manages access based on the roles of individual machines and users, and provides the ability to both authorize and verify the security posture of requesting machines before access is granted.
The Elemental Security Platform (ESP) provides the industry's only comprehensive solution for the continuous protection of critical network resources. It combines automated device discovery, targeting of policies (to both users and machines), continuous compliance monitoring, and adaptive host-level access controls - all within a single policy-based application. This integrated approach to managing communications - both within the network as well as across the perimeter - ensures that machines granted access to an organization's key computing assets not only are fully authorized, but also are in compliance with their assigned security policies.
Knowing Who and What Are On the Network
The Elemental solution provides an unparalleled level of visibility into the network environment. The ESP agent, which runs on server and desktop operating systems, continuously monitors the configuration, inventory, policy compliance, user logon, and network activity of its host machine. Additionally, each agent constantly surveys the network for the presence of unmanaged machines. Upon detection, it passively classifies unmanaged machines based on their observed host properties and networking activity.
This in-depth visibility creates a clear understanding of roles in the network environment - the who, what, where, and when. These roles can be based on the identity and access rights of users (ESP can natively use directory services such as Active Directory), the security posture and profile of computers (such as what applications are running or installed, or their patch levels), the physical or virtual location of hosts (subnets, time zones, and more), as well as alignment with business schedules. In addition, the continued compliance with assigned policies is a key criterion that can be used to define the roles of machines on the network (such as whether they're running up-to-date anti-virus software or are compliant with your full suite of SOX policies).
Protecting Critical Resources
The in-depth view and role-based context provided by ESP enables policies to be accurately targeted to individual users and machines based on defined roles and business objectives. Access control policies implemented at the host level ensure that only users with appropriate privileges are granted access and that machines from which they are requesting access are both authorized and compliant with their assigned policies.
The ESP solution monitors all network traffic going in and out of managed machines and controls access based on an organization's security policies. Policies are centrally managed at the Elemental server and locally implemented on each managed machine. When violations are detected, responses can range from simply reporting these violations-raising awareness of unauthorized activity to automatically enforcing policies that deny unauthorized network activity.
Adapting To Change
The detailed visibility of users and machines provided by the Elemental system provides an automated policy management infrastructure that enables enterprises to easily manage policies for all communications on their networks. Policies are applied to groups of hosts or users and automatically updated as changes in the state of machines or the activity of users is detected. IT staff can simply specify policies controlling access for groups of hosts or users that have the right to communicate, and whether either has the right to access protected resources.
This continuous and detailed view into the network landscape enables the Elemental solution to quickly identify and control access to any machine observed on the network. For managed machines running the ESP agent, this may mean automatically restricting the ability to connect to key servers if they fall out of compliance with their respective policies. For unmanaged machines, it can enable IT staff to implement granular access controls, such as allowing guests to have access to a limited set of applications or data while still ensuring they can't access key resources.
A Comprehensive and Layered Defense
Traditional security methods seek to control network access at gateway devices and infrastructure, application, and data servers, but fail to protect network resources once the first lines of defense have been breached. The Elemental system bridges this security gap by unifying the processes of managing access control for systems and users, and by ensuring that authorized communications take place only between machines that can demonstrate up-to-the-moment compliance with their assigned security policies.
- NIST 800-171 Compliance
- PCI-DSS Compliance
- HIPAA/HITECH Compliance
- Sarbanes-Oxley Compliance
- Protect Sensitive Data
- Managing Security Policies
- Unauthorized Host Containment
"More than half of the thousands of elements in a typical network are changing every year, people are revolving in and out of the organization at a rapid rate, and rogue machines, outsourcing and consultants constantly inject unknown risks."