Defence mechanisms

By Martin Courtney

20 Apr 2010


Security is an ongoing challenge for any IT department, but there are many different hardware and software platforms available to help. Most companies have long had the basic elements in place – firewalls, anti-virus/anti-spam software and intrusion detection and prevention systems, for example.

But some organisations have been compelled to implement a range of other security tools designed to stop hackers and malware getting into their systems, to stop sensitive information getting out, and to manage the considerable workload that security puts on IT staff.

Tight control of access to business networks, applications, data and services is essential to prevent viruses, worms and other forms of malware from potentially wreaking havoc with IT systems, causing expensive downtime and damage to an organisation’s reputation.

But at the same time, managers have to make sure that authorised users get fast, simple access to the resources they need without being hampered by overly complex security mechanisms.

Single sign-on
“The biggest challenge really comes down to striking a balance between flexibility and responsiveness, maintaining an audit trail, knowing who is who, and managing that trust,” says Bill Rafferty, development manager at City University London, which recently started using IBM’s Tivoli systems management software platform to simplify staff and student access to web-based applications and other educational services.

Implemented with the aid of systems integrator Pirean, the single sign-on technology imports user authentication details from a central Microsoft Active Directory database and provides up to 25,000 people with secure access to existing collaborative services and portals. It also provides a framework for in-house software development that City University IT staff can use to customise the software for other forms of secure application access in the future.

“Having to manage access and security for each application separately was proving to be extremely time consuming and negating some of the savings we had made,” says Rafferty. “Pirean delivered a solution that allows us to rein in those costs and deploy new applications quickly without generating more management overheads for the IT department.”

City University also uses a technology called Shibboleth, an open source single sign-on technology standard that provides access to shared library and online resources for certain groups within its community.

Identity and access management
But the sheer number of people accessing some networks still makes it difficult for IT staff to make sure only authorised users are given permission to connect. In some cases, simple username and password-based authentication can be supplemented by other measures, including hardware-based solutions such as tokens, biometric readers and barcode readers.

Milton Keynes College, for example, has to date insisted that students accessing its online resources, including the internet and virtual learning environments, do so from the college’s own computers, in much the same way as staff do in office environments.

“We have gone from a basic export from our student management system to a deal with NetMania that provides self-service password resets that are tied to barcodes on student ID cards,” says Ashley Allen, Milton Keynes College systems database administrator. “The only way to access a PC is by having that ID card, which gets around things such as password sharing.”

The college is now moving towards a system that allows students to attach their own PCs to the network – something that brings its own set of security headaches.

“We are moving towards letting students use their own kit, by setting up a guest network that does not allow access to shared areas or home drives,” says Allen. “We’re looking at a couple of products for this, such as Barracuda Networks’ portal appliance, which allows us to lock down their PCs and provide them with pretty much everything they get.”

Encryption
Many organisations, particularly those in the public sector, have to make sure they comply with the terms of the Data Protection Act (DPA), and have used encryption on employee laptops to protect data from being compromised in the event of that device being lost or stolen.

NHS Lothian is just one of many health trusts to have applied encryption and device control technology to patient records accessed by up to 25,000 employees, for example. Last year, it installed Lumension Security’s Sanctuary Device Control and Becrypt’s Disk Connect software on 11,000 employee devices. These tools help ensure not only that the data on all those devices is encrypted, but also that only authorised users can write data from the network onto removable media such as USB drives, CDs and DVDs. Detailed audit trails of both device usage and data transfer mean IT staff can quickly trace the source of any data leakage.

But research published last month by the Ponemon Institute, a privacy and information management research firm, suggests that encryption alone is not enough. Its report, The Human Factor of Laptop Encryption, found that as many as 53 per cent of British business managers have simply turned off encryption mechanisms to facilitate access to their systems, indicating that encryption has to work in conjunction with other security tools to be effective.
