RES Software and Security

Transcription

1 res Software // Whitepaper RES Software and Security Realizing asset-centric and user-centric approaches to security Whitepaper IT, the way you need it

2 2 Table of Content Executive Summary...3 Security, why does it matter?...4 Availability...4 Focus on assets...4 The user is no longer bound to any single device...5 New challenges: confidentiality...5 Confidentiality...6 Conclusion...7 IT, the way you need it

3 3 Executive Summary In the rush to meet regulatory or customer mandates, organizations have spent millions of dollars implementing security and compliance measures either issue by issue or regulation by regulation. This has resulted in an asset-centric security approach, where we focus on the IT infrastructure and make sure that this is secure. However, in the current versatile user community, a user is no longer bound to any single device. So, although assets still need to be kept secure, the need arises for a user-centric security approach, where security rules are aligned with the use of those assets. This white paper presents an overview of both the asset-centric and the user-centric approaches to security. These approaches will be mapped towards the standard for Information Security: ISO

4 4 Security, why does it matter? Information is an important asset in the current market. As a result, businesses want to manage this asset, but at the same time they are evolving towards collaboration with other companies in order to fulfill customer needs more quickly. This approach has increased the pressure on IT departments: on the one hand, they need to make information available for more users; and on the other hand, they need to keep this information secure and share it only with the appropriate organizations. So security matters, and any approach will have to focus on two things: Availability: making sure that information is available for use. Confidentiality: making sure that only authorized people can access it. Availability Currently, an important job for many administrators is to ensure that authorized users have access to information and the associated assets when required. This usually results in two approaches towards the issue: Focus on assets Currently, the most common approach is to focus on assets. This approach originates from a risk management approach: In a Microsoft Windows environment, this means that the following tasks that need to be performed on a regular basis: Scanning machines for vulnerabilities, i.e. querying installed operating system patches and installed software, querying NTFS and share right assignments, querying service properties, and running MBSA queries. Taking counter measures for certain risks, i.e. installing patches, changing service parameters, changing NTFS and share rights assignments. These standard, frequently repeated tasks can be easily automated with a solution for IT Run Book Automation for Windows, such as RES Wisdom. Risk Analysis Assets Threats Vulnerabilities Risk Management Risks Countermeasures IT, the way you need it

5 5 The user is no longer bound to any single device The question arises whether this asset-centric approach, in which threats are perceived as external forces, is enough. Does this approach ensure availability of the service? In the current user environment, users no longer have their own desktop (asset) on which they use their services. In today s IT world, a user can have a laptop or desktop for use at the office during the day, and a desktop made available via Server Based Computing for use from home or from any other place outside the office. This results in new challenges for IT departments, because the main focus is on ensuring availability of a user s services. Users want their services (applications plus their settings) to be available whatever the method of delivery, and they want changes made in one environment to be reflected in all the others automatically. This results in the next approach to availability: the user-centric approach, which is reflected in User Workspace Management. In this approach, all user settings are disconnected from the underlying application delivery solution, and are applied when a user starts an application. This gives the user a unified workspace independent of application delivery solution. New challenges: confidentiality Focusing on the availability of services to users, both in the office and outside the office, enhances user productivity and business performance. However, this approach does pose new challenges to the IT department, and these challenges need to be addressed. A user now has access to the company network from outside the office too, but some services and their corresponding resources should not be available from outside the office. Once we have established the availability of a service to a user, we need to make sure that this service is only available for those who are authorized. This is confidentiality, the focus of the next part of this whitepaper.

6 6 Confidentiality To ensure that information is accessible only to those who are authorized to access it, is a challenging task in the current environment. If a user is not bound to one single workstation, it is no longer possible to allow or disallow access based on the workstation (asset). The asset-centric approach, though important, is not sufficient. A user-centric approach is needed as well, so that a user can get access to the services, but only after the following checks: Who is the user? This question is answered using authentication based on username and password. Where is the user? This is important, because where a user starts a service can determine whether that service (such as the application plus its settings and resources) should be available. What time is it? Some services may have scheduled maintenance windows during which they are not available. Does the user have the necessary token? In some cases, you may want to base access to a service on additional levels of authentication, because the application contains too much sensitive information. Besides the internal user, business is starting to collaborate with other companies. These collaborative initiatives will need to share information, and so they need to be supported by IT. The asset-oriented approach tries to make sure that external threats don t come in. This is not possible in a collaborative enterprise: people from other companies do need to get inside your network, but you only want to grant them access to those services they need. This requires a different approach, one that starts from the inside and works out, instead of the other way round. This is what you deliver with a user-centric security approach. You grant a user access to a service, namely the application with its settings. Based on this access, you can then grant the user access to related: Files and folders Local storage Removable storage Network resources Network Resources Removable Storage Local Storage Files and Folders Applications (services) IT, the way you need it

7 7 Conclusion The ISO standard is related to information security. This standard defines information as an asset that may exist in many forms, and that has value to an organization. The goal of information security is to protect this asset suitably, so that business continuity is ensured, business damage is minimized, and return on investments is maximized. According to ISO 17799, information security is characterized as the preservation of: Integrity: safeguarding the accuracy and completeness of information and of protection methods. Availability: ensuring that authorized users have access to information and associated assets when required. Confidentiality: ensuring that information is accessible only to those authorized to have access. As discussed in the previous paragraphs, there are two approaches in Information Security: asset-centric and user-centric. The asset-centric approach ensures that the infrastructure is available, and helps protect it against external threats. But in the current versatile user environment, this approach by itself is not enough to make services available to users. Because the user is working from multiple desktops both in and out of the corporate network, a user-centric approach is needed as well. Combining these approaches will result in a better availability, but, even more importantly, will greatly improve the confidentiality as described by ISO The user-centric security approach is delivered through the use of User Workspace Management. This gives the desired availability of the services to end users, without compromising the necessary security policy. Together, the RES Software products RES Wisdom and RES PowerFuse deliver both the asset-centric and the user-centric security approach.

8 RES Software is an independent software developer and vendor, founded in We unify different technologies with one goal: getting the right services to the right people at the right time. Our versatile and innovative products enable IT professionals to manage their Microsoft Windows environments, delivering IT the way people need it to do their daily work. We achieve this by involving our customers in the development and enhancement of our products. Currently more than 2,500 organizations worldwide have purchased products from the RES Software portfolio. RES Software products are exclusively delivered through a network of certified partners. More information: Copyright RES Software. V