Catalyst Conference 2008


April 25, 2008

I Want to Know Who You Are!

Blogger: Eric Maiwald

We are in the final stages of analyzing the results of our research into network security architecture and one of the things that jumped out of the research was a huge desire and need to know who and what is connecting to the enterprise networks. The need to identify users and machines is a major driver for network admission and access control. For the most part, the decision was binary – I know you or I don’t; I recognize the machine as one of ours or I don’t. This decision applied equally across wired, wireless, and remote access networks.

User and machine identity is used to determine access to resources but more importantly, it also determines how you are allowed to access the resources. For example, if the user is recognized but the machine is not, the user might be redirected to a terminal server environment (if access is granted at all).

But there is more to it than simply knowing who is connecting to the network. There is a desire to hold users accountable for their actions. One of the interviewees put it very clearly, “I don’t just want to know which IP address or machine performed this bad thing, I want to know which user did this.” Based on the research results, we can take things a step further and say that holding the users accountable for their actions once on the network is becoming as important as preventative controls. It seems that this change comes from cultural issues that show security (and more generally IT as a whole) cannot be an impediment to business.

Along the same lines we found most organizations are thinking of NAC as using user and machine identity to control access. While there was some discussion about health checking the end point, this appears to be more of a future wish list item. We found problems with health checking at the time of admission to the network, but the real issue was what to do if you found a non-compliant end point. If security and IT cannot be an impediment to business, then a non-compliant end point may not be sufficient reason to deny the user access to the network (assuming that the end point belongs to the enterprise of course). This is especially true if the remediation of the non-compliant issue is not quick, easy, or invisible to the user.

We have more analysis to perform on our data. The results of the research will be presented in June at Catalyst North America in San Diego. Look for more blog entries and content based on this research in the future.

March 24, 2008

Trust, NAC, and the Art of Ceasing Operations

Blogger: Eric Maiwald

In the security world, we talk a lot about trust – the assured reliance on character, ability, or strength of someone or something (according to Webster). We place confidence in products, mechanisms, processes, companies, and people to act in a particular way. The trust that we have in something or someone directly affects how we view the risks associated with various activities.

Our trust may be based on any number of things – who the person is, their reputation, testing done on a product or mechanism, etc. In the network world, knowing who is coming on to the network seems to be an important consideration. The Security and Risk Management Strategies Service (SRMS) at Burton is working on a project to learn how the network fits into an overall enterprise security architecture. This project seeks to learn whether enterprises are currently using or planning to deploy an overlay style of architecture, and whether defenses are being shifted to the endpoints, application systems, information systems, and data centers. It will also challenge the messaging that vendors use to justify their NAC products and their strategy for building security intelligence into networks by tracking recent customer experience with NAC projects and gain an understanding of how network security architecture is evolving in enterprise customer networks. So far in our research, the idea of placing a control to limit the access of unknown people or clients to the network is appearing regularly. It appears that enterprises have a desire (and sometimes a need) to at least find out who is connecting to the network. Maybe that is the basis for identifying how far the enterprise will trust the individual or the client system and maybe that trust forms the basis for a perceived risk.

If there is a need to know who is coming on to my network, does that imply that NAC (network admission or access control) is important? (In a previous blog entry, I talked about the confusion in the NAC market and what NAC actually is.) Well, at least identity seems to be important. Enterprises are using the identity of individuals and client systems to make decisions on entry to the network and access to resources once on the network. Other preliminary indications in our research show that the configuration and status of the client system are less important than whether the client system belongs to the enterprise or not and whether the individual is an employee or not. So maybe it is that some type of control over the network is important.

The failure of Lockdown Networks this past week is seen by some as an indication that NAC has failed. I think that goes too far. Our research indicates that some type of control over who enters or connects to the network is important to enterprises. However, trust has another part to play in the success of vendors who offer this type of control. Customers have to have confidence that the vendor can provide the product as advertised and that the vendor will do well enough to provide the necessary support for the product over the long haul. It seems that Lockdown did not inspire the necessary confidence in the market. Perhaps Lockdown offered a product that didn’t fit into what the enterprise customers were looking for or perhaps Lockdown’s financial future was sufficiently secure for enterprise customers to take a chance on a small vendor.

We will be finalizing our research and presenting the findings from our network architecture research at Catalyst North America in San Diego. Come join us there in June!

February 14, 2008

Security and Risk Management at Catalyst

Blogger: Trent Henry

Time flies when you're having fun.

(Or perhaps it's just flying because of my age...)

Either way, Burton Group's Catalyst Conference isn't too far away, and it's time to line up speakers.

Our guiding theme for 2008 is “security vital signs,” which includes assessing the vital signs and trends in the security market and measuring vital signs for security success within enterprise security programs. These themes are organized to push forward the areas of:

  • Metrics: what should enterprises be counting and measuring, and communicating upstream?
  • Host admission and network controls: what are the business drivers, trends, and architecture for layered network protection and endpoint assessment?
  • Data protection and encryption: amid the trend toward information-centric security, how can enterprises properly manage encryption, keys, and related controls?
  • “GRC”: what is the market messaging (and confusion) around governance, risk management, compliance, and how should the enterprise get value from the processes, even when tools are lacking?
  • Going global: what are the appropriate management models and solutions in increasingly geographically diverse and multi-jurisdiction large organizations?

We'd love to have people put together some abstracts for these or related topics. Check out the submission form linked from www.catalyst.burtongroup.com/na08/SpeakersAbout.html.

Hope to see you in San Diego!