
Access Control Excellence

CISO Briefing: How Security Can Enable Top IT Priorities for 2011

InformationWeek recently featured an article titled "Top 10 CIO Priorities and Issues for 2011," based on discussions with IT executives and their teams, tech vendors, LOB executives and academics. The priorities ranged from optimizing opportunities with optimized systems to creating a robust mobile strategy. While this article isn't necessarily the Top 10 list for CISOs, reading through the priorities makes it clear that a lack of efficient and effective security capabilities will hinder the organization's ability to achieve these top priorities. In this paper we explore how one key security technology, Enterprise Access Management, can play a pivotal role in enabling the CIO and the CISO to work together to achieve four of the top 10 goals. Here's how and where enterprise access management comes into play:

Enabling the Global Enterprise


Most organizations have operations spread across the globe. That means that your IT infrastructure and staff are also global. To facilitate the global IT infrastructure, you need to ensure that the infrastructure is secure. Part of the secure enablement of global operations is ensuring that the access rules, covering both user authentication and authorization, are automatically enforced and centrally managed, especially for privileged administrators accessing servers and end users accessing business applications. IDM and SSO won't solve the access control problem. Password vaulting isn't enough. And tools such as sudo are proving to be insecure and highly inefficient, especially when you consider global operations. In addition, to fully support the global enterprise, you need greater flexibility in securing administrative and end-user access from wherever users may be working.

One solution to the challenge of the global operation is to implement an enterprise access management and privileged account control solution that enables your organization to automatically adapt authorization and authentication policies depending on where the user logs in from, what they want to access, and the time of day.

Questions to explore in assessing your access control effectiveness for supporting the global enterprise include:
Do we have a centralized, automated approach to defining, managing and enforcing access control policies across our diverse servers?
Can we effectively control and monitor access to outsourced or remote servers?
Can we automatically adapt access control rules based on the location of the user?
Can we implement both flexible authentication and authorization policies depending on the user, location, method used to access the device and time of day being accessed?
Are we still relying on password vaulting or sudo to control privileged passwords?
Does our identity management process include robust access control administration and enforcement?
Do we have a common method for controlling authentication and authorization across our diverse applications?

With robust enterprise access controls across diverse servers, applications, and desktops, you will enable your organization to securely grow the business globally.

Enabling the Massively Adaptable Data Center


Most organizations are in the midst of juggling private clouds with hybrid clouds while determining whether to consolidate around one vendor or weave together heterogeneous systems. Others are working towards datacenter transformation and consolidation. And then you have the management and blending of big applications from SAP, Oracle, IBM and others. In some cases, the difficulty of ensuring secure access to the resources is hindering the massively adaptable data center.

Questions to explore related to how access management supports the adaptable data center include:
Can we control access policies across cloud, virtual and physical devices?
Do we have a solid understanding and method for controlling privileged access to resources in the cloud?
Do we have the same, centralized methods for enforcing access across our SAP, Oracle, IBM and other custom applications?
Are we utilizing robust server-side authorization and authentication for controlling access to applications, or are we still relying on client-side single sign-on?

Enterprise access management, with common access policy definitions across diverse virtual and physical servers, including resources in the cloud, and across diverse business applications, will give your organization the flexibility, security and efficiency needed to incorporate cloud technologies, manage user access rules through consolidation, and centrally administer and enforce access across diverse hardware and software vendor environments.

Enabling the Digitized Enterprise


While your company is relying on the timely availability of business information, that information is often very sensitive. A great example of how accessibility to information can go awry with serious consequences is the recent Bank of America breach of customer data by an internal employee, which cost the bank $11 million. Regardless of how digitized your enterprise is or wants to be, ensuring the right mix of availability and security of data is crucial.

Questions to explore:
Are you using the latest techniques to control and proactively enforce access to your servers and data, including contextual use of multi-factor authentication and fine-grained authorization?
Can you proactively enforce who can access the data, or can you only report on who accessed which device after the fact?
Do you know and control exactly who can access which servers without sharing functional passwords?
Can you control what privileged commands a user can perform on a given server?
Can you control a user's access route to a given server?
Are user accounts automatically deleted from servers when a person leaves or is promoted?
Are you controlling local Windows accounts?
Do you have server-side authentication for end-user access to applications?

The latest enterprise access management solutions will enable your organization to centrally define and enforce highly granular and robust authentication and authorization rules across servers and applications, enabling timely access to the right information by the right people, without the security risk.

Resolving the 80/20 Budget Trap


Spending 80% of the IT budget on internal IT operations and maintenance of systems is no longer acceptable. The IT organization is expected to shift the budget to projects that deliver innovation and growth. One simple way you can help the IT organization tip the budget in favor of innovation is to implement solutions that deliver great efficiency in administration and IT audits.

Questions related to optimizing security administration and audits that you should explore:
Are your security administrators able to provision and de-provision user accounts across hundreds of diverse servers and multiple business applications in one step?
Are your access controls seamlessly integrated with your identity management processes to automate provisioning and de-provisioning as much as possible?
How much time are your administrators spending resetting passwords?
Are you still using inefficient password vaulting mechanisms?
How much effort is being expended to produce audit reports related to access controls and security policies?
Are user access activities and keystroke logs automatically consolidated from across diverse servers to automate audit reporting?
Is this data automatically mapped to SOX, PCI, HIPAA, and NERC compliance requirements?

An enterprise approach to access management will enable you to significantly streamline administration and automate compliance reporting, enabling your organization to shift more of the budget to innovation.

Conclusion
The CISO can play a key role in helping the organization achieve its key IT initiatives and resolve its challenges. By leveraging the latest enterprise access management and security capabilities, you can provide leadership in adapting and evolving the infrastructure, securely supporting the global enterprise, and streamlining operations to support a shift towards innovation.

Sponsored by Fox Technologies, Inc. (FoxT)


FoxT protects corporate information and privileged accounts with an enterprise access management solution that centrally enforces access across diverse servers and business applications. The ability to centrally administer, authenticate, authorize, and audit across diverse platforms and applications enables organizations to simplify audits, streamline administration, and mitigate insider fraud. www.foxt.com

Copyright 2011 FoxT. All rights reserved. The document is provided for informational purposes only and the contents herein are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. The document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior permission. FoxT logo is a trademark of FoxT, Inc. Other product and company names herein may be registered trademarks and trademarks of their respective owners.

www.foxt.com 883 North Shoreline Blvd. Building D, Suite 210 Mountain View, CA 94043 USA 650.687.6300
