Network Computing is part of the Informa Tech Division of Informa PLC

Correlating NAC Events With Audit Trails

Network access control can address some compliance and reporting requirements, but truthfully, there is only so much that it can audit effectively.
Stuart Hodkinson, general manager of U.K. operations for Courion, wrote a story for PublicTechnology.net, "NHS & HIPAA: Drawing Parallels for Best Practices in Security & Patient Privacy," about how a celebrity's privacy was breached at North Trees Primary Care Trust when multiple employees who had no business looking at the celebrity's health records did so. An article at computerweekly.com points to a warning issued by North Trees that the same thing can certainly happen with paper records, but there the exposure is generally limited to those in physical proximity.

In an electronic world where everything is going digital, anyone with access to the repository has access to the data. Physical proximity doesn't matter.

In a previous post on the limits of NAC to control access, and on why NAC products really don't capture data like "who accessed what information," I tried to make the point that many audit and compliance claims are misguided. Sure, you can tie a user name to an IP address and a date and time. But when dealing with any multiuser system like a records repository, the chances are there is no way to really discern what users are actually doing on the system. Passive analysis -- examining the network payload for activity -- is extremely difficult to do and is generally very specific to the application logic. NAC appliances might be able to pull out data from HTTP requests and responses, but that is a far cry from making sense of what the data means.

For NAC to be applicable to application-level access control, the NAC product has to be aware of information specific to the application. Applications containing private information should have a built-in audit system that describes what users are doing with data. So how can NAC help? By correlating a username, IP address and time of day from the NAC product with the same information from the application's audit trail, there's a possibility that you can actually determine who was sitting at the keyboard, or at least raise the likelihood that the person accessing the application data is really who they say they are.

Take a hospital setting, where it's fairly common for doctors to share their credentials so that the staff can enter records and perform other administrative tasks. Plenty of health care IT admins tell a similar story. Determining that Dr. Johnson really accessed patient Jones' records is impossible. At best you can tell that someone using the doctor's credentials accessed Jones' records. The records application may work fine, but the users are defeating the auditing capability by sharing secrets. Arguably, this points to flaws in how the records system was implemented in hospitals, but that's beside the point. It happens.
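The correlation described above, and the shared-credential case it is meant to catch, as an added example that is not from the article or any NAC vendor: the NAC session records and the application audit trail are constructed sample data, and the field names and the three verdict labels are assumptions.

```python
from datetime import datetime

# Constructed NAC session records: which user the network admitted on which
# IP address, and for what time window (sample data, not from the article).
NAC_SESSIONS = [
    {"user": "djohnson", "ip": "10.1.4.20", "start": "2008-04-02T08:00:00", "end": "2008-04-02T12:00:00"},
    {"user": "nurse_lee", "ip": "10.1.4.31", "start": "2008-04-02T07:30:00", "end": "2008-04-02T15:30:00"},
]

# Constructed application audit trail: which account touched which patient
# record, from which IP, and when. The second entry is the doctor's account
# used from the nurse's machine; the third comes from an IP NAC never admitted.
APP_AUDIT = [
    {"user": "djohnson", "ip": "10.1.4.20", "ts": "2008-04-02T09:15:00", "record": "jones"},
    {"user": "djohnson", "ip": "10.1.4.31", "ts": "2008-04-02T10:05:00", "record": "jones"},
    {"user": "djohnson", "ip": "10.1.4.99", "ts": "2008-04-02T11:00:00", "record": "smith"},
]

def _parse(ts):
    return datetime.fromisoformat(ts)

def network_user_at(ip, ts, sessions=NAC_SESSIONS):
    """Return the NAC-authenticated user on `ip` at time `ts`, or None."""
    t = _parse(ts)
    for s in sessions:
        if s["ip"] == ip and _parse(s["start"]) <= t <= _parse(s["end"]):
            return s["user"]
    return None

def correlate(audit=APP_AUDIT, sessions=NAC_SESSIONS):
    """Label each application audit event by how well it agrees with NAC."""
    results = []
    for e in audit:
        nac_user = network_user_at(e["ip"], e["ts"], sessions)
        if nac_user is None:
            verdict = "no-nac-session"       # app access from an IP NAC never admitted
        elif nac_user == e["user"]:
            verdict = "corroborated"         # same identity on the network and in the app
        else:
            verdict = "credential-mismatch"  # app account differs from network identity
        results.append({**e, "nac_user": nac_user, "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in correlate():
        print(f"{r['ts']} {r['ip']:<10} app={r['user']:<10} nac={str(r['nac_user']):<10} "
              f"record={r['record']:<6} {r['verdict']}")
```

Only "corroborated" events add confidence that the account holder was at the keyboard; a "credential-mismatch" is exactly the shared-credential pattern, and "no-nac-session" means the application saw a client the network never identified.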
