How to Protect Your Critical Resources with Identity-based Access Control
An AEP Networks Technical Solution Paper
Trusted. Certified. Secure.

Identity-Based Access Control: An Overview

Background

IT security architects face a sizable challenge when designing a modern network. On one hand, a robust information access environment that is flexible, resilient and available at any time for a wide variety of constituents has become a mandatory competitive imperative. On the other hand, broader access to information resources from varied user communities increases exposure to security threats. The financial, market reputation and lost business impacts resulting from inappropriate access or loss of control over critical information have become board and C-level management concerns.

At one time, a perimeter security model implemented with firewalls divided the network and data center resources into two distinct areas: the “safe” internal LAN, and “unsafe” external networks, such as the Internet. Mission-critical data and resources were kept within the network, along with most desktop computer-bound users, with a hopefully small number of access points and firewall ports opened to the outside. In this model, a user outside the perimeter defenses was the exception, not the rule. Access requirements for those few external users were met by creating a secure data tunnel that brought them inside the network, creating a virtual private network (VPN).

Today, IT security architects are correctly questioning the notion that the perimeter is the only protection point needed to secure high-value resources. An increasingly mobile workforce, greater information sharing between business partners, and globalization trends like outsourcing and off-shoring necessitate an “anytime, anywhere access” philosophy. In this environment, a perimeter firewall security model becomes insufficient - even obsolete.
Threats from unauthorized user access, malicious code attacks, and compliance auditing initiatives make it necessary to isolate the most critical data systems and implement additional controls from end to end.

Simply put, traditional perimeter security and “engineered” approaches no longer apply in a world where:

» Compliance and regulatory considerations force organizations in many industries – healthcare, financial, retail and government, among others – to prove that they have incorporated effective technology to protect confidential data.
» Business integrity and reputation concerns surrounding the loss of intellectual property, trade secrets or customer-supplied information are legitimate; they magnify in the face of potential negative media attention across blogs and other instant media.
» Globalization, outsourcing, and off-shoring practices have blurred the boundary between “insiders” and “outsiders”. Organizations can no longer safely assume that “trusted” employees who are exclusively tethered to the LAN are the only users accessing their networks.
» Mobile computing devices leave the building every day. They connect to the Internet and other networks where the trustworthiness and posture of the device can be lost.
» The greatest security threats are posed by legitimate network users whose devices may be used inadvertently or intentionally to access visible corporate resources on open networks.
» Many threats from the outside have been known to pass directly into the datacenter through opened ports at the perimeter, such as those used for web and encrypted web traffic.

With these new realities in play, conventional enterprise security methods are no longer sufficient. As a result, IT professionals are faced with managing remote access, network access control (NAC), branch office network security and partner extranets in new and innovative ways.
Some have turned to contorting existing solutions or engineering complex infrastructures. Network engineers and network equipment vendors struggle to design add-on controls using switches, routers and other methods to create so-called “smart” networks. But imposing intelligence in this manner onto the network is difficult to engineer and implement, costly and unwieldy to maintain, and can limit data bandwidth. Implementing NAC inside the network fabric is another option, but is similarly difficult to implement and requires multiple control points that can add to costs and limit NAC’s practicality.

This state of affairs requires a new paradigm governing data access and protection to increase security and simplify the management burden - an identity-based access control (IBAC) strategy.

What Is Identity-Based Access Control?

The IBAC approach involves identifying the user and making policy enforcement decisions based on identity in order to fully protect – as well as audit – access to an organization’s most highly valued resources. Identity-based access control follows these principles:

1. It defines identity and trust policies for who gets access to the corporate network.
2. It stores the identity and access policies of every user in a directory, like LDAP or Active Directory.
3. It authenticates a user’s identity before allowing them to access the network. More advanced IBAC solutions incorporate identity information at the packet level of the data stream.
4. It incorporates Network Access Control (NAC) functionality by comparing the user’s machine status to the network’s security policies and takes necessary remediation steps.
5. More sophisticated IBAC solutions provide connectivity depending on the user’s identity and system profile, and make private data unreachable for those who lack the appropriate identity. If the user only has permission to access email, they won’t be able to retrieve – or even know about – sensitive data on the wider network.
This paper addresses the concerns facing network security architects and introduces AEP IDpoint as an advanced IBAC solution that meets datacenter security needs and satisfies modern business security challenges.

Introducing AEP IDpoint: Identity-driven Policy Enforcement

AEP Networks is offering a comprehensive policy enforcement architecture that enables the next generation of enterprise security. The centerpiece of this architecture is the identity enforcement appliance – AEP IDpoint™.

IDpoint is a wire-speed, identity-driven, policy enforcement appliance for use in-line with sensitive networked application resources in the datacenter. As an advanced IBAC product, IDpoint offers organizations an end-to-end security vehicle for real-time provisioning of access privileges based on the identity, entitlements, and endpoint integrity of the user. Effectively, IDpoint combines the best elements of traditional security models into a single network device, while infusing the otherwise missing – and critical – element of identity into the network data stream for use as a criterion for making access decisions.

[Figure: Protected datacenter resources; AEP IDpoint; any IP network; any user/any location (internal LAN/WAN, remote user, branches, etc.); user directories (Active Directory, LDAP).]

AEP PacketTag™: Modifying IP to Meet Modern Business Challenges

In its original design, the Internet Protocol (IP) was written with the goal of connecting everything on the network together easily. Missing from the original definition was any concept of identity. In truth, this represents a shortcoming in the use of IP for distributed information sharing needs, especially when user-level accountability is a mandate. IDpoint takes IP one step further by adding identity information directly into the IP payload when needed, and leverages this information to make policy decisions.
IDpoint enforces these identity-based access policies through an innovative technology called AEP PacketTag. PacketTag is employed through the IDpoint token, which resides on all client machines that require access to protected resources in the datacenter. The IDpoint token can be manually installed, delivered automatically through software distribution systems, or provided as a temporary, downloadable agent for guests or remote users who must access high-value resources for a brief time. Features such as periodic session re-keying, periodic re-authentication and idle timers are built into the token for added security.

The token is responsible for collecting the user authentication information and passing it over a secure, encrypted session to the IDpoint appliance. It is then checked against the appropriate authentication store (RADIUS, Local, RSA, Vasco, Aladdin, PKI certificate, or LDAP, for example). Alternatively, the token can “transparently” capture the user’s Windows NTLM Domain authentication at initial login.

[Figure: PacketTag; AEP IDpoint; protected resources; any user/any location (internal LAN/SAN, remote user, branches, etc.); user directories.]

Importantly, the token resides silently in the background until an IDpoint-protected resource is requested. When this occurs the token employs PacketTag technology to inject a digital fingerprint – representing the user’s identity – into only those IP frames destined for protected resources guarded by IDpoint, enabling non-refutable logging and reporting functions. Only packets that meet IDpoint’s policy rules are allowed to pass through to the protected data. Other traffic is blocked at the IDpoint interface and dropped from the network.
Towards Compliance: Reporting for Audits and Regulatory Requirements

Many organizations are compelled through regulatory necessities to prove that they have appropriate mechanisms in place to protect the confidentiality of private data as well as monitor and track all access attempts to high-value resources. IDpoint provides such proof through comprehensive logging and reporting of all traffic requiring PacketTag data that traverses the network: both successful users and denied attempts. This information is available as customizable reports and rolled up to an executive dashboard to simplify and speed the auditing process, aiding compliance with various institutional regulations.

For example, consider financial institutions compelled under the Payment Card Industry Data Security Standard (PCI) to protect against security vulnerabilities and threats while controlling access to customer credit card data. In order to limit the scope of costly audits, financial institutions must prove that they have segmented and isolated resources storing such information. Given the highly sensitive nature of credit card data, the risk of inappropriate access would be financially devastating and ruinous to an organization’s reputation.

Denying inappropriate access from unauthorized users is part of the task, but financial organizations must also prove that private data was accessed only by appropriate users. IDpoint solves this challenge by completely isolating the data store and eliminating the possibility of unauthorized user interaction with the information. By tracking the data access by user, IDpoint leaves an extensive audit trail, thus simplifying compliance auditing for a variety of industries.

IDpoint: The Benefits of Transparency

Key Benefits of IDpoint

• Seamless installation: IDpoint pulls in directory infrastructure already in place and instantly segments the secure zone.
• Stealth mode: Functions as a “transparent”, undetectable firewall, invulnerable to typical firewall attacks.
• Completely hides and isolates protected resources, making them inaccessible and unattackable. This greatly reduces the network surface area required for compliance audits by segmenting a separable “high security zone” within the enterprise.
• Real-time proactive enforcement and control with comprehensive audit logs.
• Zero configuration, network transparency: Designed without IP addresses on the enforcement paths; allows IDpoint to be placed anywhere on the network, independent of existing routers, subnets, or IP address topology.
• True wire speed enables effective LAN access without slowing the network.
• Identity-driven resource access control: User and group identity harvested from standard directories (NTLM, Active Directory, LDAP, RADIUS, 2-factor, smartcards, or AEP proprietary Client-Machine Identity technology (CMID)).
• AEP PacketTag™ technology: Digital fingerprint embedded in all IP packets destined for protected resources.
• Targeted NAC endpoint integrity checks: Ensures the health of the endpoint and incorporates results into policy decisions before allowing access to critical systems.
• Centralized Policy Management: Web-based administration for defining policy sets and rules. Simplified control in place of complex network-engineered solutions.
• Tight integration with AEP Netilla SSL VPN extends identity-based access control to the network edge.
• Redundancy and business continuity solutions available.
• Built-in logging and reporting aids compliance with regulatory guidelines.

One drawback to deploying a range of network appliances, routers, switches and firewalls to protect key resources is that they employ addressable interfaces that advertise their existence across the network, representing obvious targets for attacks, while adding additional network integration and management. In contrast, IDpoint functions as a transparent, or bridging, “identity firewall”.
IDpoint, for example, does not employ IP addressing on either of its network interfaces. This means:

» IDpoint’s existence on the network is imperceptible to users, which renders the appliance invulnerable to the exploits typically launched against network-based security devices, such as denial of service attacks.
» With no IP addresses and a wire-speed, bump-in-the-wire architecture, IDpoint can be installed quickly and easily into virtually any network topology with zero reconfiguration of switching, routing, or network equipment. This allows IDpoint to get to work protecting critical resources with the lowest possible implementation time.
» Protected resources are only accessible by packets and users that meet IDpoint policy; all users who lack the appropriate identity are unable to even ping – or know about – either the protected data or the IDpoint appliance itself. Unauthorized packets lacking the necessary PacketTag identifier are “dropped on the floor” before they reach protected resources.

Seamless Access Management

Many emerging security architectures seek to “impose intelligence” onto the network with “smart” technology. Unfortunately, this almost always adds complexity and management headaches, and causes disruption to existing schemes and solutions.

Alternatively, as an inline device, IDpoint integrates into the network without any modifications to existing designs, simplifying interactions and dependencies among network layer systems, and providing a single portal for policy management and audit tracking. As part of this philosophy, IDpoint injects PacketTag identity information into the network stream only when a protected resource is requested, minimizing additional network overhead.

Policy Networking: Flexible Intelligence, Invaluable Control Using Existing Directories

Ultimately, the network administrator and business owner’s challenge is to provide access to critical resources while still retaining fine-grained control.
An administrator therefore needs a variety of options for creating access policies to protected resources. Critically, these options must be simple to configure and maintain, but flexible enough to meet a multitude of situations. IDpoint employs this model by supporting a wide range of inputs, not typically available at other points in the network, to make real-time access control decisions to critical systems.

IDpoint starts by leveraging entitlements based on role definitions harvested from leading directory implementations, such as Microsoft Active Directory. This enables the enterprise to maintain fluid change management processes when people are hired, fired, change jobs or when the job descriptions or applications themselves transform. Additional inputs effectively combine user identity, target destination, source network, traditional network-layer firewall functions, device health and machine identity into a single control point where the protection is needed.

Consider an organization that wants remote users on un-managed devices to pass a series of NAC-like endpoint security tests and authenticate with strong, 2-Factor authentication. These users can be assigned to follow a policy that requires both functions – as well as the appropriate identity – in order to proceed with access to protected resources.

In another scenario, members of the Finance team need to access customer credit information, while other members of the organization must not. Indeed, only the highest-ranking members of finance should be able to access such information, and only from corporate-managed machines inside headquarters, running the latest anti-virus revision. In this scenario, IDpoint policy can be defined to control access as needed, and log and report all access attempts, both successful and those that fail.

In the simplest case, IDpoint can be configured to white-list or black-list individual users or groups who access protected resources under IDpoint’s control.
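
The two scenarios above, worked as a default-deny policy check that records every attempt, allowed or denied. This is an added example, not AEP's code or IDpoint's policy format; the rule fields, group names, networks and resource names are hypothetical and constructed for illustration.

```python
# Added illustration, not IDpoint's policy format: every name, group, network
# and resource below is hypothetical and constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # memberships resolved from the directory (AD/LDAP)
    source_ip: str
    managed_device: bool     # corporate-managed machine?
    endpoint_healthy: bool   # endpoint checks passed (e.g. antivirus revision current)
    two_factor: bool         # authenticated with a second factor?
    resource: str

@dataclass(frozen=True)
class Rule:
    name: str
    resource: str
    required_groups: frozenset       # user must hold every listed group
    allowed_networks: tuple = ()     # empty tuple means any source network
    require_managed: bool = False
    require_healthy: bool = False
    require_two_factor: bool = False

    def unmet(self, req):
        """Return the names of the conditions the request fails (empty = satisfied)."""
        failed = []
        if not self.required_groups <= req.groups:
            failed.append("group")
        src = ip_address(req.source_ip)
        if self.allowed_networks and not any(
                src in ip_network(net) for net in self.allowed_networks):
            failed.append("source_network")
        if self.require_managed and not req.managed_device:
            failed.append("managed_device")
        if self.require_healthy and not req.endpoint_healthy:
            failed.append("endpoint_health")
        if self.require_two_factor and not req.two_factor:
            failed.append("two_factor")
        return failed

def decide(rules, req, audit_log):
    """Default deny: allow only if some rule for the resource is fully satisfied.
    Every attempt, allowed or denied, is appended to audit_log."""
    reasons = []
    for rule in rules:
        if rule.resource != req.resource:
            continue
        failed = rule.unmet(req)
        if not failed:
            audit_log.append({"user": req.user, "resource": req.resource,
                              "decision": "allow", "rule": rule.name})
            return True
        reasons.append(f"{rule.name}: {', '.join(failed)}")
    audit_log.append({"user": req.user, "resource": req.resource, "decision": "deny",
                      "reasons": reasons or ["no rule covers this resource"]})
    return False

POLICY = [
    # Senior finance staff, on managed and healthy machines inside headquarters.
    Rule("finance-senior-hq", "credit-db", frozenset({"finance", "finance-senior"}),
         allowed_networks=("10.10.0.0/16",), require_managed=True, require_healthy=True),
    # Remote users on unmanaged devices: endpoint checks plus two-factor authentication.
    Rule("remote-unmanaged", "partner-app", frozenset({"remote-users"}),
         require_healthy=True, require_two_factor=True),
]

if __name__ == "__main__":
    log = []
    senior = frozenset({"finance", "finance-senior"})
    hq = Request("alice", senior, "10.10.4.20", True, True, False, "credit-db")
    away = Request("alice", senior, "203.0.113.7", True, True, True, "credit-db")
    for r in (hq, away):
        print(r.user, r.source_ip, "->", "allow" if decide(POLICY, r, log) else "deny")
    for entry in log:
        print(entry)
```

The denied entries name the conditions that were not met, which is the detail an auditor needs to see that a valid identity alone was not enough.
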
Flexibility and granularity can be easily defined by IDpoint policy. Importantly, IDpoint policy decisions for user and group associations are based on standard enterprise directory subsystems. This way, user account maintenance is accomplished through existing workflow systems, and with existing mechanisms. After access policies are configured in IDpoint, user access is managed within the directory, without increasing the burden on application owners or system administrators.

Protecting the Remote User: Extending Identity to the Edge

Providing access to remotely located branches, partners and employees over the public network can expose protected resources to all of the risks residing on the Internet. As a result, VPNs – and in particular, SSL VPNs – have emerged as the vehicle of choice for extending private resources over the public network, eliminating the need to expose the entire network to remote users.

In fact, many organizations have already implemented an earlier form of IBAC through an SSL VPN remote access deployment. In this model, only specifically designated resources are “published” on a remote user’s web browser. The rest of the network is hidden from view. AEP Networks has been offering edge-based policy networking remote access with their Netilla line of SSL VPNs for many years.

Yet VPN technology by itself is insufficient for protecting high value assets that contain personal data or intellectual property. This is because VPNs pass through the perimeter firewall on encrypted sessions that cannot be monitored by intrusion detection systems or inspected by firewalls. As a result, remote users bypass an organization’s perimeter security protocols and are incapable of incorporating identity into the decision-making process.
[Figure: Remote users (branch offices, partners, employees); Internet or WAN; AEP Netilla SSL VPN; enterprise LAN; AEP IDpoint; protected resources (Applications A, B, C; Files X, Y, Z).]

IDpoint mitigates this danger through tight integration with the AEP Netilla SSL VPN. While other VPNs lose the user’s identity in the DMZ, IDpoint extends identity enforcement to the WAN by injecting PacketTag information into the user’s data stream at the remote endpoint. In this way, all members of an organization’s user community can be included in identity-driven access decisions.

Comparing Alternatives

Employing identity to determine access to high-value datacenter resources can represent an integral element of a security strategy, in part because it facilitates compliance auditing for industries that face such challenges. Given this imperative, a range of tactics has emerged to address secure access management needs. Choosing the approach best suited to meet an organization’s need can be a challenge.

The following table makes a case for identity-based access control by comparing various security models to the IBAC approach.

Approach: Engineering the Network (Firewalls, VLANs, static routing)
Key Points:
» Predominant methodology in use today
» Lacks identity-driven decision making capability
» Lacks centralized admin/change control; requires multiple consoles to change a single policy
» Complex and expensive to manage/troubleshoot/update
» Monitoring/auditing/reporting limitations requiring manual consolidation of multiple reports from multiple sources
» Self-defeating security - creates porous perimeter when accommodating access needs

Approach: VPN (IPSec/SSL)
Key Points:
» Best for WAN/Remote access termination at the network edge
» IPSec VPNs lack embedded identity-driven decision making capability
» Encrypted traffic defeats Intrusion Protection Systems (IPS), host-asset or threat-management equipment
» Low-bandwidth hardware adds latency and overhead for poor LAN performance
» Lacks effective auditing/reporting for compliance

Approach: Network Access Control (NAC)
Key Points:
» NAC is not enough: Once “green-lighted”, a user is free to ping/discover the network at will
» NAC protects the network, but not data center resources within that network
» Efficient endpoint compliance check (A/V, firewall, device health, patch level)
» Can require costly 802.1x switch upgrades
» Highly complex to install/manage/support

Approach: Identity-based Access Control (AEP IDpoint)
Key Points:
» Brings security and protection as close as possible to protected application/resource assets
» Injects identity into data stream for wire-speed decision making
» Enhances existing perimeter security
» Protected resources are invisible to users who lack PacketTag-based token authority or fail to meet policy rules
» Stealth-mode operation eliminates typical firewall attack strategies and effectively “drops in” to existing network infrastructure
» Next-generation targeted NAC: Links user/machine identity, health scans, AD group policy and authentication for wire-speed access decisions
» Greatly simplified network design and management. Combines authentication, policy, reports and audits into a single console
» Delivers end-to-end security from endpoint to data center resources rather than just network security
» Zero overhead for moves, changes and rearrangements of users

Conclusion

Safeguarding critical network resources and meeting compliance requirements calls for a breakthrough in network technology. What’s needed is an approach that satisfies dynamic business realities and meets expanding security threats.
Critical systems must be isolated and protected before access is granted, while access histories must be gathered as evidence to prove that strong measures have been deployed to protect the sanctity of high-value data assets.

AEP IDpoint offers a compelling alternative to traditional network security approaches, protecting information from malicious or inappropriate use at all times – whether from outside or inside – without overtaxing the IT department in cost, complexity and management.

© 2008 AEP Networks, Inc. All rights reserved. AEP Networks, the AEP Networks logo, IDpoint, PacketTag, and NACpoint are trademarks of AEP Networks, Inc., with registration pending in the United States. Netilla, SmartGate, SmartPass and SmartAdmin are registered trademarks of AEP Networks, Inc. All other trademarks or registered trademarks contained herein are the property of their respective owners.