Published with permission of the author in Blog
Four legs provide a sturdier seat
For many security professionals, the fourth leg of choice is Authenticity or its security synonym, Accuracy. Authenticity is a process by which the integrity of data and its origin are verified. Authenticity assures the recipient of data that the data he received are an exact copy of the data that were transmitted, and that the data were indeed produced by the sender. You can implement this security A in many ways, and incrementally. Consider whether integrity protection measures would be appropriate for the data that is likely to reside at, be stored at, or be communicated to and from branch offices. For example, it might be useful to put anti-tampering measures on servers to protect against unauthorized or unintentional modification of critical system and configuration files. If your business routinely exchanges sensitive information using internal mail and document delivery systems, consider whether employees should hash and sign such documents.
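The two authenticity measures mentioned above, a tamper-detection baseline for critical configuration files and a hash-and-sign step for internal documents, as a worked example. This is added illustration code, not code from the original post or from any product it mentions; it uses a shared-key HMAC in place of a digital signature so that it runs with the Python standard library alone, and the file names, file contents, memo text and key are constructed sample values.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed sample secret. A real deployment would pull this from a key store
# (or use an asymmetric signature so the recipient needs no secret at all).
SHARED_KEY = b"example-shared-key-not-for-production"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good digest of each critical file (the anti-tampering baseline)."""
    return {str(p): sha256_file(p) for p in paths}


def check_baseline(baseline):
    """Re-hash every baselined file; report those that are missing or changed."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_file(path) != expected:
            findings.append((path, "modified"))
    return findings


def sign_document(document, key):
    """Hash-and-sign: an HMAC-SHA256 tag binds the content to the holder of the key."""
    return hmac.new(key, document, hashlib.sha256).hexdigest()


def verify_document(document, tag, key):
    """Recompute the tag; a constant-time compare avoids leaking how much matched."""
    return hmac.compare_digest(sign_document(document, key), tag)


def demo():
    """Constructed scenario: baseline two config files, alter one, then sign and verify a memo."""
    tmp = Path(tempfile.mkdtemp())
    sshd_conf = tmp / "sshd_config"
    hosts = tmp / "hosts"
    sshd_conf.write_text("PermitRootLogin no\n")
    hosts.write_text("127.0.0.1 localhost\n")

    baseline = build_baseline([sshd_conf, hosts])
    clean = check_baseline(baseline)          # nothing changed yet: []

    sshd_conf.write_text("PermitRootLogin yes\n")  # simulated unauthorized edit
    findings = [(Path(p).name, status) for p, status in check_baseline(baseline)]

    memo = b"Board memo: annual results, not for release"
    tag = sign_document(memo, SHARED_KEY)
    genuine = verify_document(memo, tag, SHARED_KEY)
    altered = verify_document(b"Board memo: annual results, cleared for release", tag, SHARED_KEY)
    return clean, findings, genuine, altered


if __name__ == "__main__":
    print(demo())
```

The baseline check catches both silent modification and deletion of a file; the HMAC check fails as soon as a single byte of the memo changes, which is the "exact copy, from the claimed sender" property the paragraph describes.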
Four legs make for a sturdy stool. But recently, security professionals have been exploring ways to make the stool even sturdier, if somewhat unusual in appearance.
Historically, authentication has been considered the enabler of all security services. Let’s look at some examples where having verified that a person is who he claims to be isn’t enough.
- Mary proves her identity to an air transportation security inspector using her government-issued passport. Knowing that Mary is indeed Mary doesn’t assure us that she’s not concealing a weapon.
- John proves his identity to a US Customs and Immigration officer using his new Canadian high-security driver’s license. Knowing that John is who he claims to be doesn’t tell us whether he’s carrying a communicable disease.
- Beth is on her way to a confidential board meeting where her company’s earnings will be reviewed prior to public disclosure of its annual report. She proves her identity to the security guard at her employer’s office using her company-issued ID. Knowing that Beth is who she claims to be doesn’t tell us whether an industrial spy’s planted a listening device on her clothing.
Suppose Mary, John and Beth are not people but computers trying to connect to networks. Mary’s concealing a rootkit. John’s infected with a virus. Beth’s hosting a keylogger. Just as in our real-world examples, authentication alone doesn’t help us assert the trustworthiness of the endpoint device from which a user will authenticate and subsequently access data.
Adding a Fifth Leg
Admission control adds a desperately needed leg to the security stool. It’s conceptually simple. When a device attempts to connect to a network, we examine that device to verify that it is free of malicious code before we accept a single keystroke from a user at that device. We can verify that all security measures – firewall, antivirus, antispyware, host IDS – have all the current patches, malware and intrusion signatures, are properly configured and are operating as anticipated. If an endpoint fails to meet these criteria, we can block admission, or quarantine the endpoint to a location on our network where the user can access the resources required to bring the endpoint into compliance.
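The admit / quarantine / block decision described above, as an added worked example. This is illustration code written for this page, not the logic of any admission-control product; the posture fields, the policy thresholds and the three endpoint reports are constructed, and how a real agent collects the posture is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Posture:
    """Constructed endpoint posture report, as an admission agent might collect it."""
    hostname: str
    firewall_enabled: bool
    antivirus_running: bool
    antivirus_signature_date: date
    antispyware_running: bool
    host_ids_running: bool
    missing_critical_patches: int
    malware_detected: bool


@dataclass
class Policy:
    """Constructed thresholds; real values would come from the organization's baseline."""
    max_signature_age_days: int = 3
    max_missing_critical_patches: int = 0


def evaluate(posture, policy, today):
    """Return (decision, reasons). Decision is 'admit', 'quarantine' or 'block'."""
    reasons = []
    # Malicious code present: no remediation network, refuse the connection outright.
    if posture.malware_detected:
        return "block", ["malicious code detected"]

    if not posture.firewall_enabled:
        reasons.append("firewall disabled")
    if not posture.antivirus_running:
        reasons.append("antivirus not running")
    sig_age = (today - posture.antivirus_signature_date).days
    if sig_age > policy.max_signature_age_days:
        reasons.append(f"antivirus signatures {sig_age} days old")
    if not posture.antispyware_running:
        reasons.append("antispyware not running")
    if not posture.host_ids_running:
        reasons.append("host IDS not running")
    if posture.missing_critical_patches > policy.max_missing_critical_patches:
        reasons.append(f"{posture.missing_critical_patches} critical patches missing")

    if not reasons:
        return "admit", []
    # Out of compliance but remediable: park it where updates are reachable.
    return "quarantine", reasons


def triage(reports, policy, today):
    """Evaluate every report; map hostname to its decision."""
    return {r.hostname: evaluate(r, policy, today) for r in reports}


# Constructed sample reports for a fixed evaluation date.
TODAY = date(2024, 1, 15)
SAMPLE_REPORTS = [
    Posture("branch-pc-01", True, True, date(2024, 1, 14), True, True, 0, False),
    Posture("branch-pc-02", True, True, date(2024, 1, 2), True, False, 2, False),
    Posture("branch-pc-03", False, True, date(2024, 1, 14), True, True, 0, True),
]


if __name__ == "__main__":
    for host, (decision, reasons) in triage(SAMPLE_REPORTS, Policy(), TODAY).items():
        print(host, decision, "; ".join(reasons))
```

The ordering matters: a detected infection short-circuits to block, because sending a compromised host to a quarantine network still gives it a foothold; everything else is a compliance gap that the quarantine segment exists to fix.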
Many organizations have successfully implemented these five As throughout their main offices and campuses. Organizations that have completed this phase of deployment are now actively planning, and in some cases deploying, additional security As at branch offices. The blueprint for branch office deployment will vary across organizations. If your organization is growing, you may want to consider a CCNA training course for key networking staff.
Organizations that run their networks in a hub and spoke arrangement are best positioned to add As to improve branch office security. These organizations can leverage admission control and authentication services already deployed at main offices so that all devices are screened for admission, all users are authenticated, data access controls are imposed uniformly, all network and security events are audited and all copies of data are readily authenticated.
Organizations that allow branches to operate more autonomously, or that must contend with business variables – mergers and acquisitions, for example – may have to choose a different path. Fortunately, admission control is available in many point products and can be used to complement branch-in-a-box solutions, adding this fifth and valuable leg to the stool. And while your organization is implementing admission control, it can revisit some of the other security As as well.