Originally published - August 16, 2006

Networks are commonly protected by specialized software such as firewalls, antivirus, and network access control products to prevent unauthorized access and activity. Yet other IT infrastructure components, including applications, databases, web servers, directories, and operating systems, rely mostly on the security mechanisms that come as part of the product’s built-in feature set. Security policies revolve around leveraging passwords and privileges to protect data. But is this really enough, considering that many users, such as database administrators (DBAs) and system administrators, have elevated privileges, meaning that there’s no guarantee that a company’s change policies are actually being followed?

Just because your IT organization has deployed security products or IT components with best-in-class security features, it doesn’t mean they are being used properly. They may not be used in the way they were intended, or as often as required, to fully protect your valuable IT assets. As a result, your organization may be at great risk, lulled into a false sense of security that everything has been taken care of. And then you wake up one morning to an emergency phone call, alerting you that your records have been illegally accessed.

In today’s compliance-driven world, where failure to protect sensitive financial and customer information means damaged careers, along with lawsuits, fines, and reduced public confidence in your enterprise, IT security needs to be more granular than ever before. Increasingly, it will be important to detect all user actions in the IT infrastructure and to validate changes against approved change requests within Remedy, Peregrine, or other change management systems. Otherwise, users will be able to circumvent your security policies, procedures, and best practices, regardless of how robust your IT infrastructure components’ security features are. For this reason, IT staff should consider an IT policy enforcement solution to complement the built-in feature sets of IT components.

How IT Policy Enforcement Solutions Help You Regain Control

An IT policy enforcement solution detects, validates, and reports unauthorized change and out-of-compliance actions on the IT infrastructure. It also lets you know if your security policies, procedures, and best practices are actually being followed. Using an IT policy enforcement solution will help IT security staff comply with key controls in the organization, such as access control, change validation, emergency change monitoring, IT security process compliance, and segregation of duties.

Access Control

Passwords and privileges excel at defining who can get access to your systems and data. But privileged users, such as system administrators and root users, require full access rights to get their job done. This is why you need to understand the activity of users in addition to just restricting access. You need to know if someone in IT is looking at your sensitive customer information or financial data. And you also need to identify all changes to accounts and permissions. Is a user colluding with another employee to violate segregation of duties controls, or with an external thief attempting to gain remote access? Or is a user making changes to production systems outside of allowed maintenance times? Having the ability to answer these types of questions is why your organization needs an IT policy enforcement solution.

An IT policy enforcement system monitors access to all restricted data. To reduce fraud or malicious activity, the system can also check that the level of access granted to a user is appropriate to the business purpose, and that the level of access does not compromise segregation of duties. It will also make sure that administrators follow information security concepts, such as least-possible-privilege and need-to-know.

Change Validation

Discovering change management control deficiencies and resolving them are important because unauthorized, unplanned, and untested changes are the leading cause of costly downtime. While your IT organization has probably developed standardized methods and procedures to use for efficient and prompt handling of changes to minimize the impact of any related incidents upon service, it doesn’t know if these procedures are actually being followed.

IT policy enforcement solutions automatically identify unauthorized changes in the IT infrastructure by comparing detected activities to approved change requests in a change management system. The IT policy enforcement solution will help you answer various questions:

  • Does an approved change request exist for the change?
  • Did the change occur on the appropriate device or devices?
  • Was the change made during the approved time window?
  • Did the appropriate individual make the change?

If the answer to any of these questions is “no,” the change is not compliant with the IT organization’s change control policies, and the IT policy enforcement solution will immediately send an alert to the appropriate staff.
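The four checks above can be expressed as a small validator. The following is an added illustration, not code from the article or from any vendor product; the record fields, the rule of attributing a change to its closest-matching request, and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ChangeRequest:
    """Approved request as exported from the change management system."""
    request_id: str
    devices: frozenset
    assignee: str
    window_start: datetime
    window_end: datetime

@dataclass(frozen=True)
class DetectedChange:
    """Change observed on the infrastructure (for example, from audit logs)."""
    device: str
    user: str
    timestamp: datetime

def failed_checks(change, req):
    """List which of the device / time window / individual checks fail."""
    failed = []
    if change.device not in req.devices:
        failed.append("device")
    if not (req.window_start <= change.timestamp <= req.window_end):
        failed.append("time window")
    if change.user != req.assignee:
        failed.append("individual")
    return failed

def validate(change, approved):
    """Return (compliant, request_id, failures) for one detected change."""
    candidates = [(failed_checks(change, r), r.request_id) for r in approved]
    # A request that matches on nothing is not evidence of approval at all.
    candidates = [c for c in candidates if len(c[0]) < 3]
    if not candidates:
        return (False, None, ["no approved change request"])
    # Attribute the change to the request it violates least (assumed heuristic).
    failures, request_id = min(candidates, key=lambda c: len(c[0]))
    return (not failures, request_id, failures)

# Constructed sample data; all timestamps are assumed to be UTC.
APPROVED = [
    ChangeRequest("CHG-0001", frozenset({"db-prod-01"}), "adavis",
                  datetime(2006, 8, 12, 22, 0), datetime(2006, 8, 13, 2, 0)),
]
DETECTED = [
    DetectedChange("db-prod-01", "adavis", datetime(2006, 8, 12, 23, 15)),
    DetectedChange("db-prod-01", "adavis", datetime(2006, 8, 13, 9, 30)),
    DetectedChange("db-prod-02", "adavis", datetime(2006, 8, 12, 23, 30)),
    DetectedChange("db-prod-01", "bkim", datetime(2006, 8, 12, 23, 40)),
    DetectedChange("web-01", "root", datetime(2006, 8, 14, 3, 0)),
]

if __name__ == "__main__":
    for change in DETECTED:
        ok, request_id, failures = validate(change, APPROVED)
        status = "OK" if ok else "ALERT: " + ", ".join(failures)
        print(change.device, change.user, change.timestamp, request_id, status)
```

Any result other than a compliant match is what the article describes as triggering an alert to the appropriate staff.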

Emergency Change

For most enterprises, emergency changes forgo the normal change approval process. When an incident occurs, it must be resolved as soon as possible if it’s disrupting business operations. During repair, firekey users (emergency access users) have free rein over the IT component they have logged into. But are they only taking actions to resolve the incident, or are they taking advantage of emergency access for other purposes as well? You need to know, because IT compliance requirements now mandate greater documentation of the actual changes associated with an emergency change. IT policy enforcement solutions track and report firekey account logins and logouts, and monitor firekey change activity.

IT Security Process Compliance

Antivirus and backup and recovery tools are key components of most corporate security policies. These solutions have been deployed, but are they actually running and being used according to your corporate security policies? IT policy enforcement solutions tell you whether or not your operational processes adhere to corporate procedures so that the security technologies you have deployed do the job they were intended to do.

Your IT components may come equipped with an outstanding set of IT security features, but they won’t do you any good if they are not being used according to security policies. Another valuable benefit of an IT policy enforcement product is its ability to detect which IT components are not adhering to the configuration policies managed by a configuration management database. In this way, you know where your organization has the greatest security risk exposure, and can take actions to prioritize security process improvements.

Segregation of Duties

Segregation of duties isn’t only for business users. For example, giving a developer the ability to migrate changes to a production environment is generally a really bad idea. The more resources the IT staff member has access to (such as production programs, the programming documentation, system utilities, and the operating system itself), the greater the risk to the organization. In actual practice, segregating duties across these resources is very difficult.

Where feasible, IT policy enforcement solutions support segregation of duties. In other instances, IT policy enforcement solutions provide audit trails that serve the purpose of an acceptable compensating control. Auditors have access to detailed forensics of activity including the who, what, when, and where of all user actions.

Catch IT Policy Violations and Confirm Compliance

Hopefully, after reading this article, you now see that relying solely on built-in security features of IT components poses significant risks for your company. Passwords and privileges will only get you so far. You also need to understand the behavior of users of IT components, as well as of users who are responsible for making sure that the security procedures for the IT component are followed.

Still not convinced? For argument’s sake, let’s suppose that your existing IT security measures are doing the job they are intended to do. You’re still going to have to demonstrate security compliance with industry and government regulations, and best practices to your internal and external auditors. With millions of events on hundreds of servers in dozens of locations across your enterprise, the task of validating and enforcing your security controls is too large, too error-prone, and too costly to tackle without automation. An all-too-common approach to addressing compliance work is to dedicate additional people to the problem—lots and lots of people. While this brute-force method may get you through regulatory audits, it distracts you from your core IT responsibilities, while doing little to advance your business.

An IT policy enforcement solution not only brings an extra degree of security control to your IT infrastructure, it also helps you confirm security policy compliance. An automated way to detect, validate, and report unauthorized changes and out-of-compliance actions on the IT infrastructure may help you avoid severe compliance headaches down the track.

IT Control | IT Policy Enforcement
Access control
  • Monitors privileged user activity
  • Identifies changes to accounts and permissions
  • Enforces allowed maintenance times
Change validation
  • Validates actual changes in the IT environment against planned change requests, identifying those changes that happen without approvals
Emergency change
  • Tracks firekey account logins
  • Monitors firekey change activity
IT security process compliance
  • Ensures backup and recovery procedures are followed
  • Makes certain antivirus processes adhere to corporate policies
  • Identifies deviations from desired configuration baselines
Segregation of duties
  • Controls developer access to production systems

About the Author

Teresa Wingfield has held senior-level marketing positions at Active Reasoning, TIBCO Software, Niku Corporation (acquired by Computer Associates), and Netfish Technologies (acquired by IONA Technologies). Wingfield has also been an industry analyst at Current Analysis and Giga Information Group (acquired by Forrester Research). She holds graduate degrees in business from MIT’s Sloan School of Management, and in software engineering from Harvard.


 






©2013 Technology Evaluation Centers Inc. All rights reserved.