Jamie Bodley-Scott, global product manager at Cryptzone, uses the old ‘knock knock’ joke to get to the crux of how we should think about secure access.
Over the past few years, changes to the way we work have brought old-school approaches to network security to their knees. It’s no longer safe to assume an employee will always access resources from the same fixed IP address, or even that the workforce will be happy to use corporate-issued laptops with heavy-handed security software installed. The average user now expects to be able to connect to the network regardless of device or location – and will assume only limited accountability for any threats they bring along.
This has left many system administrators scratching their heads over how the existing security model can be adapted to the modern network environment. The truth is, it’s very difficult to do this successfully. If access is granted on the basis of IP address – already a shaky proposition, since there’s no guarantee that the same user reliably returns to the same machine – a prohibitively large number of firewall rules are needed to cover every possible endpoint. Similarly, some IT departments have tried extending the device management regimes used for laptops to employee-owned smartphones, and have run into problems such as an unmanageably large number of possible software configurations and potentially risky third-party apps.
So, in today’s rapidly evolving network environment, how can the secure access conundrum be tackled effectively? Perhaps it’s time to rethink the way our security controls confront each individual user. Are they asking the right questions in the first place? I’d like to propose we rethink the model with reference to a perennially popular witticism: the ‘knock knock’ joke. These call-and-response puns work in the first place because there’s an accepted, logical response to someone knocking on your door – you don’t ask where the visitor’s come from, but rather: “who’s there?”
Here’s how your network security controls ought to be responding when an unknown party raps on the figurative door and asks to come inside.
Who are you?
In all cases, the first thing you should determine is who’s looking to access the network resources on the other side of the door. In hindsight, this might seem profoundly simple – after all, the purpose of secure access is to make sure the right people, and only the right people, see the data in question. However, that hasn’t stopped time-honoured security solutions prioritising where the person set out from – their IP address – over who they actually are.
Now that a single employee might connect to the network from a multitude of different devices – their corporate-issue laptop, their smartphone or their tablet, for instance – it’s become untenable to infer their identity from where they’ve come from. Instead, a user-based architecture is much more appropriate. Permissions should be built around authenticating the user themselves – username and password, ideally backed by a second factor – with user accounts linked to groups that share common ground rules.
Where are you from and how have you got here?
This doesn’t by any means make the question of where the request comes from less important. The ability to configure access rights that adapt automatically to the context in which the user seeks access is also key. For example, if a visitor arrives from a familiar location, you can afford to open the door that bit wider. Conversely, the employee who arrives in the dead of night from somewhere they could not plausibly have reached since their last visit might be greeted with a little more apprehension – despite their credentials appearing to be in order.
What have you brought with you?
Finally, before letting a user through the door you need to determine whether or not they’re carrying anything suspect that you wouldn’t want in the house, or even if there’s an uninvited guest hot on their heels who’ll slip inside the moment the first party is given a chance to cross the threshold.
In terms of network access, this means checking whether the device is a carefully vetted corporate one or a much riskier, employee-owned one. You’ll also want to determine whether its antivirus software is up to date, or else the user might be bringing malware to the party.
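The three questions, asked in that order, as one added decision routine (example code, not Cryptzone’s or AppGate’s own). The user directory, the resource-to-group policy, the corporate network range, the office hours, the 900 km/h travel threshold, the seven-day antivirus age limit and the geo-IP coordinates are all assumptions constructed for the example. Identity is settled first; context and device posture then widen or narrow the door, with impossible travel and stale defences treated as hard stops rather than mere warnings.

```python
"""Added example (not Cryptzone/AppGate code): the three 'knock knock' questions as
one access decision. Directory, networks, thresholds and requests are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import hashlib, hmac, ipaddress, math

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"demo-salt"  # constructed; use a random per-user salt in practice
DIRECTORY = {"alice": {"salt": _SALT, "hash": _pw_hash("correct horse", _SALT),
                       "groups": {"staff", "finance"}}}   # constructed directory
RESOURCE_GROUPS = {"payroll": {"finance"}, "wiki": {"staff"}}  # assumed policy
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]         # assumed
OFFICE_HOURS = range(6, 22)  # UTC hours treated as expected (assumed)
MAX_PLAUSIBLE_KMH = 900.0    # faster than this between logins = impossible travel
MAX_AV_AGE_DAYS = 7          # signatures older than this count as stale (assumed)
HARD_STOPS = {"impossible travel since last login", "antivirus signatures stale"}

@dataclass
class Request:
    user: str
    password: str
    resource: str
    src_ip: str
    when: datetime                           # tz-aware UTC
    location: Tuple[float, float]            # (lat, lon) from geo-IP, assumed
    last_seen: Optional[Tuple[datetime, Tuple[float, float]]]  # previous login
    managed_device: bool
    av_age_days: int

def haversine_km(a, b) -> float:
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def who_are_you(req: Request) -> Optional[str]:
    """Question 1: authenticate the person, then check group membership."""
    entry = DIRECTORY.get(req.user)
    if entry is None or not hmac.compare_digest(
            entry["hash"], _pw_hash(req.password, entry["salt"])):
        return "authentication failed"
    if not entry["groups"] & RESOURCE_GROUPS.get(req.resource, set()):
        return f"no group grants access to {req.resource}"
    return None

def where_from(req: Request) -> List[str]:
    """Question 2: familiar network, expected hours, plausible travel speed."""
    flags = []
    if not any(ipaddress.ip_address(req.src_ip) in n for n in CORPORATE_NETS):
        flags.append("unfamiliar network")
    if req.when.hour not in OFFICE_HOURS:
        flags.append("outside office hours")
    if req.last_seen is not None:
        prev_time, prev_loc = req.last_seen
        hours = max((req.when - prev_time).total_seconds() / 3600.0, 1e-6)
        if haversine_km(prev_loc, req.location) / hours > MAX_PLAUSIBLE_KMH:
            flags.append("impossible travel since last login")
    return flags

def what_brought(req: Request) -> List[str]:
    """Question 3: is this a vetted device, and are its defences current?"""
    flags = []
    if not req.managed_device:
        flags.append("unmanaged device")
    if req.av_age_days > MAX_AV_AGE_DAYS:
        flags.append("antivirus signatures stale")
    return flags

def decide(req: Request) -> Tuple[str, List[str]]:
    """Returns ("full" | "restricted" | "deny", reasons). Identity is settled first."""
    err = who_are_you(req)
    if err:
        return "deny", [err]
    flags = where_from(req) + what_brought(req)
    if HARD_STOPS & set(flags):
        return "deny", flags
    return ("restricted" if flags else "full"), flags

def sample_requests() -> dict:
    """Constructed requests covering the cases discussed in the text."""
    t = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    london, new_york = (51.5, -0.12), (40.7, -74.0)
    base = dict(user="alice", password="correct horse", resource="payroll",
                src_ip="10.1.2.3", when=t, location=london,
                last_seen=(t - timedelta(hours=2), london),
                managed_device=True, av_age_days=1)
    return {"normal": Request(**base),
            "unfamiliar": Request(**{**base, "src_ip": "203.0.113.5"}),
            "night_byod": Request(**{**base, "when": t.replace(hour=3),
                                     "managed_device": False}),
            "impossible": Request(**{**base, "last_seen": (t - timedelta(hours=1), new_york)}),
            "bad_password": Request(**{**base, "password": "wrong"})}

if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:13s} -> {decide(req)}")
```

Run stand-alone, the block prints one decision per constructed request. The design choice worth noting is the ordering: a wrong password is refused before any context is weighed, so an attacker learns nothing about which networks or hours the gateway considers familiar, and the "restricted" level is left for the gateway to map onto whatever narrower set of resources it actually exposes.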
The next time there’s a knock at your virtual door, how will you respond?
About Jamie Bodley-Scott
Jamie Bodley-Scott is a qualified Electronics Engineer, who has worked in a wide range of industries, including financial services, aerospace, automotive and mobile computing prior to moving into IT security. He has been an active member of the Jericho Forum for many years and co-author of the paper which won the Jericho Challenge in 2005 – “Moving away from the firewall centric view of security”. Jamie works with key accounts, channel partners and system integrators to help develop their access/security strategies. Given this insight, he is also responsible for defining and delivering the AppGate secure access solution family road map. He has many years of experience applying network segmentation for defence projects, manufacturing systems and PCI compliance. Jamie has been with Cryptzone for almost ten years. Visit http://cryptzone.com