This article originally appeared on SearchSecurity.com.
Todd Towles has been around the block enough times to know that
regardless of a company's size, IT administrators must always
authenticate users and keep tight control of their network
behavior. Otherwise, malicious people will have little trouble
stealing sensitive information, which can all too easily be used to
destroy the company's reputation or commit identity fraud against
customers.
Towles is an IT security consultant who today works for a large
financial enterprise, but most recently worked for a retail chain
closer to the midmarket with about $2 billion in annual revenue and
12,000 or so employees. In both environments, he said, IT managers
must always reevaluate the resources that users are able to
access.
But global enterprises have more money to spend on controls like
two-factor authentication, smart cards and tokens. That technology isn't always affordable
for midmarket companies, which typically have $50 million to $1
billion in annual revenue and anywhere from 100 to 5,000 employees.
[In the retail sector, midmarket companies could have as many as
12,000 employees and up to $2 billion in annual revenue.]
For that reason, midsized IT departments are making the most of
network access controls (NAC) offered by their technology
infrastructure providers, including Microsoft and Cisco Systems
Inc. Those companies recently unveiled plans for
more interoperability between their network access control
technologies. Meanwhile, security vendors are trying to entice the
midmarket with cheaper authentication tools that are more scalable
for growing companies.
ID AND ACCESS MANAGEMENT IN THE MIDMARKET
About this series: Mid-sized companies have some unique challenges
when it comes to ensuring users are who they say they are and that
network access is limited to what their jobs require. This two-part
multimedia series examines the difficulties IT security pros have
experienced and the solutions they have found.
Series menu:
Day 1: Midmarket IT pros get the NAC for security. Despite
tighter budgets, security experts say midmarket IT pros can build
an identity and access management program that's as effective as
what the big guys have.
Day 2: Security Wire Weekly podcast. Forrester Research analyst
Jonathan Penn examines the policies and technologies midsized
companies need for solid ID and access management.
But no matter how good the technological controls are, industry
experts agree that midmarket IT professionals won't be successful
at ID and access management unless they educate their users on
smart computing habits and convince their bosses of the importance
of security.
NAC, compatibility a big deal
Amer Deeba, VP of business development for Redwood Shores,
Calif.-based Qualys Inc., said access controls at mid-sized
companies often lack the maturity of what larger enterprises have
in place. For example, they may have strong controls for internal
employees, but not for outside contractors, many of whom frequently
plug into the network.
"That's why NAC is becoming such a big deal," Deeba said. "It
allows them to have a security framework where they can make
changes that are more automated and customized. With NAC, you can
tie together all of your security technology and decide what you
want to do with individual users."
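The admission decision Deeba describes, where identity and the results of other security checks are combined to decide what each connecting user may reach, can be sketched as a small policy engine. The following is an added illustration written for this article; it is not code from Qualys, Microsoft, Cisco or any product named here. The endpoint fields, the role vocabulary and the network placement labels are assumptions chosen for the example, and the four sample endpoints are constructed.

```python
"""Toy NAC admission policy: decide where a connecting endpoint is placed.

Added illustration, not code from the article or from any vendor it names.
Field names, role names and VLAN labels are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    user: str
    role: str              # assumed vocabulary: "employee", "contractor", "unknown"
    authenticated: bool    # identity check passed (e.g. 802.1X or a captive portal)
    managed_device: bool   # machine is enrolled in corporate device management
    patched: bool          # result of a posture / vulnerability check
    av_running: bool       # endpoint protection reported as active


# Assumed placement labels; a real deployment would map these to VLANs or ACLs.
DENY = "deny"
QUARANTINE = "vlan-quarantine"   # remediation resources only
CONTRACTOR = "vlan-contractor"   # limited access for outside staff
CORPORATE = "vlan-corporate"


def admit(ep: Endpoint) -> tuple[str, str]:
    """Return (placement, reason) for one endpoint.

    Identity is checked first, then device posture, then the per-user
    decision the article describes (employee vs. outside contractor).
    """
    if not ep.authenticated:
        return DENY, "identity not verified"
    if not (ep.patched and ep.av_running):
        # A known user on an unhealthy machine is sent to remediation rather
        # than given corporate access.
        return QUARANTINE, "failed posture check"
    if ep.role == "employee" and ep.managed_device:
        return CORPORATE, "authenticated employee on managed device"
    if ep.role in ("employee", "contractor"):
        # Contractors, and employees on personal (unmanaged) machines, get the
        # restricted segment instead of being blocked outright.
        return CONTRACTOR, f"{ep.role} on unmanaged or non-corporate device"
    return DENY, "unrecognised role"


def audit_line(ep: Endpoint, placement: str, reason: str) -> str:
    """One log line per decision so the result can be reviewed later."""
    return f"nac user={ep.user} role={ep.role} placement={placement} reason=\"{reason}\""


def evaluate_all(endpoints: list[Endpoint]) -> dict[str, str]:
    """Map each user to its placement; handy for summarising a batch of admissions."""
    return {ep.user: admit(ep)[0] for ep in endpoints}


# Constructed sample endpoints for demonstration only.
SAMPLE = [
    Endpoint("alice", "employee", True, True, True, True),
    Endpoint("bob", "contractor", True, False, True, True),
    Endpoint("carol", "employee", True, True, False, True),
    Endpoint("guest-laptop", "unknown", False, False, False, False),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        placement, reason = admit(ep)
        print(audit_line(ep, placement, reason))
```

The ordering of the checks is the design point: an unverified identity is rejected before any posture data is consulted, and a failed posture check overrides role, so a contractor's unpatched laptop and an employee's unpatched laptop both land in remediation rather than on the corporate segment.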
Security vendors have been working to develop inexpensive tools
that can be used to bolster those controls. But if interoperability
isn't part of the equation, IT professionals won't be interested,
Deeba said, adding, "Qualys is trying to make security products
that are as automated and interoperable as possible."
Other vendors like Issaquah, Wash.-based BioPassword Inc. try
catering to the midmarket with offerings that don't require new
hardware.
"Midsized customers are telling us they want smart cards, tokens
and two-factor authentication, but they want the benefits without
the cost," said Greg Wood, BioPassword's VP and CTO. "The big
concern is manageability and usability as it relates to cost. We're
cost-effective because we are software only."
While midmarket companies have an ever-increasing number of
choices when looking for affordable identity and access management
technology, Towles said there's no magic bullet. IT administrators
can deploy two or three different products and each will provide
bits of information about the company's security status. But, he
said, "The challenge is in how you integrate all the information in
a way that allows you to see the big security picture."
He said products that work well in and of themselves and enable
IT administrators to see that big picture are the most valuable.
Overcoming cultural challenges
No matter how good their identity and access management technology
is, midmarket IT managers won't be successful unless they have the
support of top executives and everyone obeys the written security
policies, said Jonathan Penn, an analyst with Cambridge,
Mass.-based Forrester Research.
"In midmarket companies, security isn't always viewed as
something that's important or strategic," Penn said. There isn't as
much security spending, he said, because executives can't see the
return on investment.
Penn said it's up to IT professionals to help their bosses
understand what's at stake.
"What works is when IT professionals talk about this in terms of
risk," Penn said. "Executives understand the concept of risk, and
the IT professional should frame the need for new investment not in
terms of cost, but in terms of how it will help the company manage
its risk."
It's getting easier to sell investments to upper management, he
added, since security vendors are catering more to the midmarket,
but regulatory pressure has been the most powerful catalyst in
getting executives to take security seriously.
"The PCI Data Security Standard has really motivated a lot of
mid-sized companies," Penn said. "They have to be audited, and so
suddenly security is a big issue, whereas it wasn't before."
A program that grows with the company
Another challenge for midsized companies is that access management
controls that work successfully today may not be sufficient to
handle a company's growth, Penn said. Therefore, IT professionals
need to develop a scalable program that can be easily adjusted to
accommodate more employees and services.
"They need to do some research and talk to vendor references to
get a fix on the technology that's the most scalable to their
needs," he said.
Scalability is certainly a factor for Keith Gosselin, IT officer
for Biddeford Savings Bank in Biddeford, Maine. With 72 employees
and $12 million in revenue last year, the bank doesn't fit the
criteria of a midmarket company. But the company hopes to grow in
the next three to five years, Gosselin said, by opening new branch
offices and attracting new customers.
Gosselin, though, is confident his identity and access management
controls will remain effective if the company does indeed expand.
He said he has the support of his upper management, and that
regulatory compliance has also motivated them to take security more
seriously.
As proof of that, the company is moving beyond simple passwords
and rolling out a program based on two-factor authentication. The
Federal Financial Institutions Examination Council (FFIEC) is
requiring banks with online services to implement some form of
two-factor authentication for customers by January 2007.
Beyond that, Gosselin shares the view of many security
professionals that companies large and small can no longer afford
to carry on with basic passwords.
"I personally believe two-factor authentication has become a
necessary layer of security," Gosselin said. "Passwords are simply
not enough anymore."