Security
FEATURE
Control the Keys to the Kingdom

September 2, 2002
By Mike Fratto


You leave work and find your car parked where you left it. What you don't know is that your friends, as a joke, carried your car to another spot. But then, remembering your reaction last time they pulled a prank, they moved it back. When you approach your car, nothing seems amiss--after all, your keys were in your possession all day. Your expectations are met, and you drive home happily. This is a fundamental exercise in what we know and, more important, what we take for granted.

Now pick a user account at random from your Microsoft Windows NT Domain or Active Directory, see when the user last logged in (if you're not logging Logon/Logoff events, stop reading this right now and start logging), and without getting up from your desk, try to determine if that ID was used by the person to whom it is assigned. How confident are you that it was Joe Bob (user ID: jbob) accessing that account?

If Joe Bob is a low-level user with no access to critical business resources, such as internal data, business plans and financial and HR information, you might not need much assurance that user jbob is really Joe Bob. But if Mr. Bob can modify data, access HR records or manipulate financials, that's a whole different ball of wax: Knowing that users are who they say they are is what authentication is all about.


FYI
Next time a user complains that he just can't remember complex passwords, pass along this hint published by the Bergen County, N.J., Technology Center: Take a phrase you like and will remember. Now use the first letter of each word. Add any appropriate capitalization, punctuation and other character manipulations. For example: "Three blind mice, see how they run" would end up as "3bm,shtr."

The AAA Triptych

We've said it before and we'll say it again: You will never have a totally secure network. The best you can hope for is that your security strategies will minimize exposure to attack, and if you are hit, the damage can be contained. Plenty of point products are available to help eliminate avenues of attack. Firewalls, VPNs, SSL, host- and network-based IDSs (intrusion-detection systems), and virus scanners all bar entry points. Encryption protects data in storage and in transit. But none of these technologies helps you let only authorized users in, only where they should be. Authentication is where this starts, and access control and accounting close the loop (for in-depth information on these three pillars of network security, see "New Security Threats--Stronger Defenses").

Access control and accounting are possible only if authentication takes place, but without all three processes, you can't implement a policy that stipulates who can access what, when, where and how, nor can you track who did what, when, where and how. Authentication--matching a user ID to an individual--is fundamental to security. Without knowing for sure that a user really is who he says he is, all your efforts toward access control and accounting are worthless.

Three basic user characteristics establish authentication:

• Something the user knows, such as a password or a PIN;

• Something the user has, such as a token or a smartcard;

• Something the user is, established biometrically.

Access control goes hand-in-hand with authentication, and in fact, the two sometimes dance in one another's wake. Without authentication, access control gives you only the "where and what"--where users are going, where they are coming from, what services they are trying to reach--but not the "who." User-based access control adds that piece of the puzzle and further restricts access to resources, files on a network share or options in management applications, for example, based on who a user is or with what group he or she is affiliated.

And accounting creates a historical listing of who authenticated when and, in some cases, for how long. Accounting also notes failed login attempts. The terms "auditing" and "accounting," though often confused, have different meanings. Accounting is simply listing login information; auditing adds details about what a user did while connected and creates a trail that can be reconstructed. You can do accounting with auditing data but not vice versa.
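The distinction above (accounting lists who logged on when, from where and for how long, plus failed attempts, but cannot by itself say whether the person at the keyboard was really jbob) is easier to see in code. The following is an added example, not code from the article: it parses a constructed logon/logoff record set in an invented layout (real Windows security logs use event IDs and a different format), builds the accounting view per user, and lists the questions a reviewer would then have to take back to authentication.

```python
"""Accounting report over constructed logon records (added example, not from
the article). The record layout (timestamp event user workstation) is invented;
real Windows security logs use event IDs, so adapt parse() before real use."""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2002-08-30T08:01:10 LOGON jbob WS-FIN-07
2002-08-30T08:02:44 LOGON_FAILED jbob WS-FIN-07
2002-08-30T08:03:01 LOGON_FAILED jbob WS-FIN-07
2002-08-30T12:15:00 LOGOFF jbob WS-FIN-07
2002-08-30T22:41:09 LOGON jbob WS-HR-02
2002-08-30T22:59:30 LOGOFF jbob WS-HR-02
2002-08-31T09:00:00 LOGON asmith WS-ENG-11
"""

def parse(log):  # yields (timestamp, event, user, workstation) per non-empty line
    for line in log.splitlines():
        if line.strip():
            ts, event, user, ws = line.split()
            yield datetime.fromisoformat(ts), event, user, ws

def accounting_report(log):
    """Accounting in the article's sense: who logged on, when, from where, for
    how long, plus failed attempts. It cannot tell you who was at the keyboard."""
    report = defaultdict(lambda: {"logons": [], "failed": 0, "sessions": []})
    open_logon = {}  # (user, workstation) -> logon time awaiting its logoff
    for ts, event, user, ws in parse(log):
        rec = report[user]
        if event == "LOGON":
            rec["logons"].append((ts, ws))
            open_logon[(user, ws)] = ts
        elif event == "LOGON_FAILED":
            rec["failed"] += 1
        elif event == "LOGOFF" and (user, ws) in open_logon:
            start = open_logon.pop((user, ws))
            rec["sessions"].append((start, ts, int((ts - start).total_seconds() // 60)))
    return dict(report)

def review_flags(report, work_hours=(7, 19)):
    """Per user: logons outside work_hours and logons from several workstations."""
    flags = {}
    for user, rec in report.items():
        reasons = [f"off-hours logon {ts.isoformat()}" for ts, _ in rec["logons"]
                   if not work_hours[0] <= ts.hour < work_hours[1]]
        if len({ws for _, ws in rec["logons"]}) > 1:
            reasons.append("logons from more than one workstation")
        if reasons:
            flags[user] = reasons
    return flags
```

Each flag is only a question for the account owner; answering it requires the authentication factors the article lists, which the accounting data does not carry.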