White paper. Four Best Practices for Secure Web Access



What can be done to protect web access?

The Web has created a wealth of new opportunities, enabling organizations to reduce costs, increase efficiency and provide anytime, anywhere access to corporate resources for employees, customers and partners. As organizations shift from an internal to an external focus, the traditional view of identity and access management (IAM) is changing as well. IAM has long been at the forefront of securing access to web resources by controlling and managing access rights to sensitive information for authorized users. Yet, with a bevy of regulations around the globe aimed at data protection, the rapid expansion of external users accessing corporate resources, the increased usage of web-based collaborative tools such as Microsoft SharePoint, and an advanced threat landscape, securing web access is creating many new challenges.

Contents

I. Challenges to Achieving Secure Web Access
   Regulatory compliance
   Increase in external user access
   Increase in Web-based collaborative tools
   Threat landscape
II. Four Best Practices for Secure Web Access
   Best Practice #1: Discover and classify sensitive data.
   Best Practice #2: Centrally manage and control access privileges to critical resources.
   Best Practice #3: Assure user identities.
   Best Practice #4: Monitor and log security events.
III. RSA Solution for Secure Web Access
IV. Conclusion

I. Challenges to Achieving Secure Web Access

Security has traditionally been designed to protect the network perimeter from unauthorized access. Yet, as more external users require access to corporate resources, the network boundaries are becoming less effective and disappearing, creating a paradigm shift to an information-centric security model. IT organizations are tasked with discovering and classifying sensitive data, managing and enforcing security policy, assuring the identities of users requesting access, and capturing and logging user activities to meet compliance. There are many challenges to achieving secure web access, including:

Regulatory Compliance

The number of regulations that organizations are required to comply with can often pose a challenge. Most regulations today contain comprehensive guidelines for securing web access across a number of areas, including data discovery and protection, access control, authentication, reporting and auditing. For example, the Payment Card Industry (PCI) Data Security Standard (DSS) dictates that access controls must be properly managed and enforced to ensure only authorized users can access sensitive information within various applications, file shares and databases. PCI also requires that a user's identity be established through strong authentication prior to gaining that access. It also calls for the protection of sensitive data through such measures as encryption, to ensure that even if that information falls into the wrong hands, it can only be unlocked by designated persons who have the key.

The same can be applied to healthcare legislation. A number of security measures are needed to meet the Health Insurance Portability and Accountability Act (HIPAA) access control requirements, to maintain Joint Commission (JCAHO) accreditation and to meet EU data security requirements. Under HIPAA, for example, healthcare institutions must protect against reasonably anticipated threats to the security and integrity of health information. This might include encrypting certain classes of highly sensitive data or requiring users with privileges to that data to validate their identity with two-factor authentication.

Increase in External User Access

As traditional network boundaries and controls become less effective, organizations are striving to facilitate information sharing through the use of portals to improve supply chains, better serve their customers, and reduce operational costs. The extension of access to external users is continually increasing. Employee mobility and globalization have created the need to extend anytime, anywhere access to employees. Partners require the same on-demand access to various business data and applications in order to increase efficiency and streamline business processes. Finally, customers demand 24x7 instant Web access to self-service features in order to conduct business and manage their accounts.

Organizations face a broad range of issues in how best to manage a wide array of users, all with different access rights and authorization levels to various applications and data. For example, when access is provided to users, organizations often encounter issues such as the absence of a consistent framework for managing access control policy across multiple applications, or the difficulty of ensuring user entitlements are up-to-date due to multiple administration infrastructures. In addition, the evolution of service-oriented architecture (SOA) is changing the way organizations approach security technologies and policies, which traditionally did not extend beyond enterprise boundaries. SOA has enabled organizations to externalize and centralize access management, authorization and entitlements from the application to help strengthen the security of Web services, Web applications, legacy applications, documents and files, and physical security systems.

Increase in Web-based Collaborative Tools

Many organizations are increasingly using Web-based collaborative tools such as Microsoft SharePoint to facilitate information and knowledge sharing among various user groups in order to improve productivity and eliminate duplication of effort. In addition, these tools can save time and IT budget by centralizing information within a single application that can be accessed across the enterprise. Despite these advantages, organizations must still authenticate users, manage their access rights, and safeguard highly sensitive information from unauthorized users in order to prevent data loss. In a survey conducted by Courion Corporation of 163 business managers, more than 86% of respondents expressed concern that sensitive data could be stored on SharePoint sites, while another 22% said they had already discovered data on SharePoint sites that should not have been there. The survey also revealed that 34% of respondents had no policy for SharePoint usage and 36% did not monitor the activity.

Threat Landscape

The threat landscape has continued to grow more sophisticated and international in scope in recent years. When unauthorized access to an application or system is achieved, whether from internal or external sources, the result can be staggering. Organizations can be subject to regulatory fines, fraud-related charges, loss of customer confidence and, most devastating, an erosion of corporate reputation or brand value.

External threats can originate from two sources: actual threats such as phishing, Trojans and other forms of crimeware, or external users gaining unauthorized access. A number of high-profile data breaches in recent months have been the result of external sources. In addition, the threat of phishing and crimeware, traditionally targeted at financial institutions, has begun to move into new industries, looking to harvest credentials from online users in sectors such as healthcare, retail and education.

External threats, however, are not the only focus of security professionals. The threat from insiders is increasingly on the rise, especially with the current state of the economy. In a recent study issued by Cyber-Ark, 58% of U.S. workers admitted to downloading competitive corporate data and plan to use that information as a negotiation tool in the search for a new job. In another survey of senior information technology executives conducted by the business consulting firm Deloitte & Touche, 91 percent of those questioned said they are concerned about risks to security arising from within their organizations.

II. Four Best Practices for Secure Web Access

A total solution for secure web access considers many factors, including:

- How do I discover and classify sensitive data so that I can apply appropriate policies?
- How do I manage and centralize user access to applications or systems?
- How do I authenticate users trying to gain access to a corporate resource, web portal or online account?
- How do I control the sharing of sensitive information across the organization?
- What processes do I have in place to control, monitor, detect and remediate unauthorized intrusions, violations of policy, or other high-risk and suspicious activities occurring over the network?

With increased IT spending on security expected in the coming year and organizations across all verticals looking to build out their compliance programs, secure web access is likely to be a critical focus. The following four best practices can serve as a starting point for organizations to develop a comprehensive framework for securing web access.

Best Practice #1: Discover and Classify Sensitive Data.

Not all data is of equal importance from a security perspective. The first step to ensuring secure web access is to determine which data is most sensitive or at highest risk of being targeted, and then define appropriate policies around that data. But how can an organization determine which data is most sensitive to the business? To answer the question, organizations need to understand their business structure, examine the various departments and lines of business across the organization, and identify both the regulatory and non-regulatory security drivers for each department. For example, the finance department might need to comply with the Sarbanes-Oxley and Gramm-Leach-Bliley Acts as well as SAS 70, while the retail operations group needs to focus on SB 1386 and PCI.

Once the regulatory and corporate compliance universe is understood, organizations need to prioritize their data by grouping information into various classes. For example, there might be three classes of information, from the most restricted and sensitive (e.g., data relating to the company's unannounced financial results) to the least sensitive (e.g., data pertaining to vendor shipping rates). Once the data is grouped, the next step is to determine the data categories, elements, and owners for each class of information. Finally, after the data has been classified, policies must be defined: the rules for "appropriate handling" of the data, including which employees and applications are authorized to access this data and how, when, and from where they are allowed to access it. For example, all employees in R&D may be able to access information pertaining to the company's products, but only certain employees will be able to view the data about new, unreleased products, and only during specific hours and from within the corporate firewall.

Best Practice #2: Centrally manage and control access privileges to critical resources.

As web access is extended to a number of different external user groups, each with their own unique access privileges, organizations must anticipate a new set of threats and challenges and initiate controls to mitigate risk. Some of these challenges might include the absence of a consistent framework for managing access control policy across multiple applications, the difficulty of ensuring that user entitlements are up-to-date due to multiple administration infrastructures, or ensuring that the right users have the appropriate access to the systems and applications needed in order to perform their daily job tasks effectively.

Provisioning is an essential part of the process of defining policies for access to enterprise information and resources and implementing them by creating IT accounts with the appropriate access rights, as dictated by corporate policies. Provisioning involves creating, managing and terminating end-user accounts, along with their associated access rights and entitlements, based on those policies. The ability to automate the management of end-user accounts provides many benefits, including enforcing compliance with internal security policies, industry standards or government regulations, streamlining business processes, and reducing administration expenses.

These challenges can also be addressed through a centralized, standards-based policy management and enforcement platform. By removing security decisions from applications and creating a centralized access control administration policy platform, organizations can improve IT efficiency, business agility and productivity. This allows developers to focus on business logic and ultimately reduces project schedules and budgets. For example, this can be accomplished by moving towards an SOA infrastructure utilizing standards such as XACML to help create centralized fine-grained entitlements and policy management. And by combining provisioning with role-based access, organizations can reduce the complexity of user administration by mapping a potentially large number of users with related functions into a smaller number of well-defined IT accounts and entitlements. A solution that combines authentication and authorization can help organizations increase security and enforce end-user access control based on specific risks and business context.

[Figure: user lifecycle from unconfirmed user, through enrollment (enrolled user) and sign-on (authenticated user), to a risk-evaluated security policy decision that allows an authorized user access to resources.]
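As an added illustration of Best Practices #1 and #2 (not code from the paper or from any RSA product), the following Python policy decision point evaluates the R&D example above: released product data is readable by all of R&D, while unreleased product data also requires a specific role, business hours and a request from inside the corporate network, and every application asks this one service instead of deciding for itself. The class names, roles, resource catalogue, network range and hours are constructed assumptions, and the rules are plain Python rather than XACML.

```python
"""Centralized policy decision point (PDP) for classified data.

Added example: data is grouped into classes, each class carries handling
rules (who, how, when, from where), and one service makes the decision so
applications do not. Class names, roles, the resource catalogue, the
corporate network range and the business hours are constructed; this is
not XACML syntax and not any RSA product's API.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Best Practice #1: three classes, from most restricted to least sensitive.
RESTRICTED, CONFIDENTIAL, INTERNAL = "restricted", "confidential", "internal"

# Constructed catalogue: every resource has a class and a data owner.
RESOURCES: Dict[str, dict] = {
    "finance/unannounced-results.xlsx": {"class": RESTRICTED, "owner": "cfo"},
    "rnd/unreleased-product-spec.doc": {"class": CONFIDENTIAL, "owner": "vp-rnd", "unreleased": True},
    "rnd/product-catalog.pdf": {"class": CONFIDENTIAL, "owner": "vp-rnd", "unreleased": False},
    "vendors/shipping-rates.csv": {"class": INTERNAL, "owner": "procurement"},
}
CORPORATE_NET = ip_network("10.0.0.0/8")  # constructed "inside the corporate firewall" range
BUSINESS_HOURS = range(8, 18)             # constructed window: 08:00 to 17:59 local time


@dataclass
class Request:
    subject: str       # authenticated user id; authentication happened before this call
    roles: List[str]   # role-based entitlements provisioned for the subject
    resource: str
    action: str        # "read" or "write"
    source_ip: str
    hour: int          # local hour of the request, 0-23


@dataclass
class Decision:
    permit: bool
    reason: str


AUDIT_LOG: List[str] = []  # every decision is recorded (Best Practice #4)


def _inside_corporate_network(source_ip: str) -> bool:
    try:
        return ip_address(source_ip) in CORPORATE_NET
    except ValueError:  # malformed address: treat as outside the firewall
        return False


def _evaluate(req: Request) -> Decision:
    meta = RESOURCES.get(req.resource)
    if meta is None:
        return Decision(False, "unknown resource: deny by default")
    if req.action == "write":
        # Any class: only the data owner may change the information.
        if req.subject == meta["owner"]:
            return Decision(True, "data owner may write")
        return Decision(False, "only the data owner may write")
    if req.action != "read":
        return Decision(False, "unsupported action")
    cls = meta["class"]
    inside = _inside_corporate_network(req.source_ip)
    if cls == INTERNAL:
        return Decision(True, "internal data is readable by any authenticated user")
    if cls == RESTRICTED:
        if "finance-exec" not in req.roles:
            return Decision(False, "restricted data requires the finance-exec role")
        if not inside:
            return Decision(False, "restricted data is readable only from the corporate network")
        return Decision(True, "finance-exec on the corporate network")
    # CONFIDENTIAL: all of R&D may read product data...
    if "rnd" not in req.roles:
        return Decision(False, "confidential R&D data requires the rnd role")
    if not meta.get("unreleased"):
        return Decision(True, "released product data is readable by R&D")
    # ...but unreleased product data also needs a specific role, business hours
    # and a request from inside the corporate firewall (how, when and from where).
    if "product-lead" not in req.roles:
        return Decision(False, "unreleased product data requires the product-lead role")
    if req.hour not in BUSINESS_HOURS:
        return Decision(False, "unreleased product data is readable only during business hours")
    if not inside:
        return Decision(False, "unreleased product data is readable only from the corporate network")
    return Decision(True, "product-lead, business hours, corporate network")


def decide(req: Request) -> Decision:
    """Single entry point applications call; every outcome is audited."""
    decision = _evaluate(req)
    verdict = "PERMIT" if decision.permit else "DENY"
    AUDIT_LOG.append(f"{verdict} {req.subject} {req.action} {req.resource} "
                     f"from {req.source_ip} at {req.hour:02d}:00: {decision.reason}")
    return decision
```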

Best Practice #3: Assure user identities.

Once sensitive data is discovered and a control strategy is in place, the next step in securing web access is to assure the identities of users requesting access to systems, enrolling into web applications, or requesting credential issuance as new users. Identity assurance is critical for both new users and known users, but the type of authentication required for validating each group is often different. For new users, organizations must verify their identity as they enroll into a new application or system or request to be issued credentials, to ensure the user is a trusted identity that should be granted access. For known users, organizations must provide ongoing authentication controls for subsequent logins once the user has been initially verified.

In determining what authentication solution(s) will work best, organizations must consider the following criteria:

- Control over the end-user environment. Considerations include whether the organization is allowed to install software on the end user's system and whether it can dictate the operating system platform an end user is required to work on.
- Access methods to be used. Taking into account the user, their access rights, and their planned usage will have a direct effect on the authentication methods selected.
- The demand for anywhere, anytime access. Providing the option for users to securely access information is critical to the continuation of business. For employees or partners, anytime, anywhere access is critical to sustaining productivity; for customers, it is important for maintaining customer satisfaction.
- The need for disk, file or email encryption. Organizations should consider the other business purposes that they may want the authentication method to address. For example, a healthcare organization might need to encrypt protected health information (PHI) or other personally identifiable information (PII) of a patient as it is transmitted between departments and facilities in order to meet HIPAA regulations.
- Fraud prevention. Apply context and monitoring to the high-risk transactions and activities that a user performs after initial authentication at login, in order to prevent fraud.

Best Practice #4: Monitor and log security events.

There are millions of activities and events occurring across multiple systems and applications every day. Having insight into those activities by retaining access logs, deploying automated tools to monitor system events, and implementing controls to be alerted to network policy violations is essential to ensure adherence to most regulations. By implementing a security information and event management (SIEM) solution, organizations can more effectively meet the reporting mandates required by most regulations. More importantly, a SIEM solution provides insight into the risks that your network is exposed to by initiating security alerts in real time. This enables organizations to respond faster to external threats or discern internal ones by gaining comprehensive visibility over their networks.

III. RSA Solution for Secure Web Access

The RSA Secure Web Access solution secures the exchange of sensitive enterprise and personal data via web applications across multiple users and across heterogeneous environments and domains. This is accomplished by creating a centralized security service that discovers and classifies sensitive data, offers granular authorization policy to control user access, provides positive user authentication at enrollment and subsequent logins, and provides reporting and auditing functions to meet compliance requirements. The RSA Secure Web Access solution creates a secure framework to address these four best practices.
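The monitoring described under Best Practice #4, as an added example that is not part of the original paper and reproduces no SIEM product's format or rules: a small baseline-alerting routine over constructed key=value access log lines. It learns each user's usual source addresses and worst failed-login count per hour from a training window, then alerts on live events that deviate (a failure spike, a never-seen source, a denied request to a protected resource). The log format and every line are constructed.

```python
"""Baseline alerting over constructed web access logs (Best Practice #4).

Added example: learn what is usual per user from retained logs, then raise
alerts when live events deviate. The key=value format, the thresholds and
all log lines are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed "last week" training lines used to learn each user's baseline.
TRAINING_LOG = """\
ts=2009-05-04T09:02:11 user=alice src=10.1.2.3 event=login result=success
ts=2009-05-04T09:03:40 user=alice src=10.1.2.3 event=access result=success res=/rnd/catalog
ts=2009-05-04T09:10:05 user=bob src=10.4.5.6 event=login result=failure
ts=2009-05-04T09:10:20 user=bob src=10.4.5.6 event=login result=success
ts=2009-05-04T14:30:00 user=bob src=10.4.5.6 event=access result=success res=/finance/reports
"""

# Constructed live lines: bob's account is used from a new address after
# several failures, and a request for a restricted resource is then denied.
LIVE_LOG = """\
ts=2009-05-05T02:14:01 user=bob src=198.51.100.7 event=login result=failure
ts=2009-05-05T02:14:33 user=bob src=198.51.100.7 event=login result=failure
ts=2009-05-05T02:15:02 user=bob src=198.51.100.7 event=login result=failure
ts=2009-05-05T02:15:41 user=bob src=198.51.100.7 event=login result=failure
ts=2009-05-05T02:16:30 user=bob src=198.51.100.7 event=login result=success
ts=2009-05-05T02:17:02 user=bob src=198.51.100.7 event=access result=denied res=/finance/unannounced-results
ts=2009-05-05T09:00:00 user=alice src=10.1.2.3 event=login result=success
"""

SPIKE_FACTOR = 2  # alert when failures in one hour exceed twice the baseline maximum
REQUIRED = {"ts", "user", "src", "event", "result"}


def parse(log: str) -> List[Dict[str, str]]:
    """Turn key=value lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if REQUIRED <= fields.keys():
            events.append(fields)
    return events


def hour_bucket(ts: str) -> str:
    return ts[:13]  # "2009-05-04T09": one bucket per user per clock hour


def build_baseline(events):
    """Per user: source addresses seen and the worst failed-login count in any hour."""
    baseline = defaultdict(lambda: {"sources": set(), "max_fail_per_hour": 0})
    failures = defaultdict(int)
    for e in events:
        baseline[e["user"]]["sources"].add(e["src"])
        if e["event"] == "login" and e["result"] == "failure":
            failures[(e["user"], hour_bucket(e["ts"]))] += 1
    for (user, _), n in failures.items():
        b = baseline[user]
        b["max_fail_per_hour"] = max(b["max_fail_per_hour"], n)
    return baseline


def detect(events, baseline):
    """Compare live events with the baseline; each condition alerts once."""
    alerts = []
    failures = defaultdict(int)
    spiked, new_sources = set(), set()
    for e in events:
        user, src = e["user"], e["src"]
        known = baseline.get(user, {"sources": set(), "max_fail_per_hour": 0})
        if src not in known["sources"] and (user, src) not in new_sources:
            new_sources.add((user, src))
            alerts.append({"kind": "new-source", "user": user, "detail": src})
        if e["event"] == "login" and e["result"] == "failure":
            key = (user, hour_bucket(e["ts"]))
            failures[key] += 1
            limit = SPIKE_FACTOR * max(known["max_fail_per_hour"], 1)
            if failures[key] > limit and key not in spiked:
                spiked.add(key)
                alerts.append({"kind": "auth-failure-spike", "user": user,
                               "detail": f"{failures[key]} failures in {key[1]} (limit {limit})"})
        if e["result"] == "denied":  # the access layer refused: a policy violation to review
            alerts.append({"kind": "policy-violation", "user": user, "detail": e.get("res", "?")})
    return alerts


def run():
    return detect(parse(LIVE_LOG), build_baseline(parse(TRAINING_LOG)))
```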
Best Practice #1: Discover and classify sensitive data.

RSA Data Loss Prevention (DLP) Datacenter enables enterprise-wide classification and discovery to rapidly identify where sensitive data resides in file shares, SAN/NAS and other data repositories within the IT infrastructure, in order to identify the areas where data is at most risk. RSA DLP Datacenter helps manage sensitive data to help organizations maintain compliance with industry and government regulations and protect valuable intellectual property, business strategy, and operations information. RSA Professional Services also offers services to help organizations define their data classification policy and use RSA Data Loss Prevention Suite tools effectively.

Best Practice #2: Centrally manage and control access privileges to critical resources.

RSA Access Manager provides effective, secure access to Web applications in intranets, extranets, portals and exchange infrastructures. RSA Access Manager allows organizations to manage multiple groups of users while enforcing a centralized access policy that protects enterprise resources from unauthorized access and makes it easier for legitimate users to perform required tasks. Users benefit from single sign-on (SSO) to multiple resources while the enterprise protects access to mission-critical Web resources.

RSA Entitlements Policy Manager is a centralized authorization platform which extends web access management solutions by providing policy-based, fine-grained controls to granular resources while preserving identity context across an enterprise application infrastructure. It enables security officers to discover, manage, monitor, enforce and audit access controls across the enterprise application infrastructure, thus improving IT efficiency and bringing organizations closer to real-time regulatory compliance. RSA Entitlements Policy Manager is built on a strong architectural foundation leveraging industry standards such as XACML and SAML, creating a scalable and extensible system for enterprise applications.

AccountCourier, from RSA partner Courion Corp., is a user provisioning solution that automates the process of creating and managing user accounts and access rights across a wide range of enterprise systems, including web-based applications. RoleCourier, also from Courion Corp., is a role management solution designed to simplify and optimize security and access policy enforcement by creating user roles that align business functions with IT accounts and access rights. AccountCourier and RoleCourier are both designed to work seamlessly with RSA's authentication and authorization products to ensure business users are provided with appropriate access rights and entitlements.

Best Practice #3: Assure user identities.

RSA provides a number of authentication methods for both new and known users.

New users

RSA Identity Verification is a knowledge-based authentication platform that assures user identities in real time. When a new user attempts to enroll into a web application or system, RSA Identity Verification presents a series of top-of-mind questions utilizing relevant facts on the individual obtained by scanning dozens of public record databases. RSA Identity Verification delivers a confirmation of identity within seconds, without requiring any prior relationship with the user. RSA Identity Verification also provides improved accuracy in authenticating new users with the Identity Event Module, by measuring the level of risk associated with an identity and adjusting the difficulty of the questions presented during the authentication process accordingly. Some of the identity events that are measured include:

- Public record searches: suspicious access to a user's public record reports
- Identity velocity: a high volume of activity associated with an individual
- IP velocity: multiple authentication requests generated from the same IP

Known users

RSA Adaptive Authentication is a multi-channel authentication and fraud detection platform providing cost-effective protection for an entire user base. Adaptive Authentication provides strong and convenient protection by monitoring and authenticating user activities based on risk levels, organizational policies, and user segmentation. Powered by RSA's risk-based authentication technology, Adaptive Authentication tracks over one hundred indicators, including device identification, IP geo-location, and behavioral profiles, to identify suspicious activities. Each activity is assigned a unique risk score; the higher the score, the greater the likelihood that an activity will be deemed high-risk.

RSA SecurID one-time password technology is a leading two-factor authentication solution; it is based on something you know (a PIN or password) and something you have (an authenticator). The authenticator generates a new one-time password (OTP) code every 60 seconds, making it difficult for anyone other than the genuine user to input the correct token code at any given time. To access resources that are protected by the RSA SecurID system, users simply combine their secret personal identification number (PIN) with the code that appears on their authenticator display at that given time. The result is a unique, one-time password that is used to positively assure a user's identity.
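An added example (not RSA's code, and not the SecurID algorithm, which is proprietary) of the two-factor combination the paragraph above describes: the server checks a PIN the user knows together with a 60-second code only the authenticator can produce, tolerates one step of clock drift, and refuses to accept the same code twice. The HMAC-based time-step code (the TOTP construction) is a stand-in assumption so the example runs offline, and the seed, PIN and timestamp are constructed values.

```python
"""Two-factor passcode verification: PIN plus a 60-second token code.

Added example of "something you know" plus "something you have". The token
code is an HMAC-SHA1 time-step code (RFC 6238 TOTP shape) used as a stand-in;
it is not the RSA SecurID algorithm. Seed, PIN and timestamps are constructed.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

STEP_SECONDS = 60  # a new code every 60 seconds, as described in the text
DIGITS = 6
DRIFT_STEPS = 1    # tolerate one step of clock skew either side


def token_code(seed: bytes, unix_time: int) -> str:
    """What the authenticator ("something you have") displays at unix_time."""
    step = unix_time // STEP_SECONDS
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


@dataclass
class TokenRecord:
    seed: bytes          # shared secret held by the authentication server
    pin_salt: bytes
    pin_hash: bytes      # the PIN ("something you know") is never stored in clear
    last_step: int = -1  # highest time step already accepted (replay protection)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(pin: str, seed: bytes) -> TokenRecord:
    salt = os.urandom(16)
    return TokenRecord(seed, salt, _hash_pin(pin, salt))


def verify(record: TokenRecord, passcode: str, unix_time: int) -> bool:
    """Check PIN + token code; each time step is accepted at most once."""
    if len(passcode) <= DIGITS:
        return False
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    if not code.isdigit():
        return False
    pin_ok = hmac.compare_digest(_hash_pin(pin, record.pin_salt), record.pin_hash)
    # Evaluate every candidate step without an early exit, so timing does not
    # reveal which factor failed or which step would have matched.
    now_step = unix_time // STEP_SECONDS
    matched_step = None
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        step = now_step + delta
        expected = token_code(record.seed, step * STEP_SECONDS)
        if step > record.last_step and hmac.compare_digest(expected, code):
            matched_step = step
    if not (pin_ok and matched_step is not None):
        return False
    record.last_step = matched_step  # the accepted code cannot be replayed
    return True


if __name__ == "__main__":
    demo_seed = b"constructed-seed-do-not-reuse"
    rec = enroll("2468", demo_seed)
    now = 1241424000  # constructed instant
    print(verify(rec, "2468" + token_code(demo_seed, now), now))  # True
    print(verify(rec, "2468" + token_code(demo_seed, now), now))  # False: replayed
```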

RSA SecurID authentication is available in a number of form factors, including hardware tokens, software tokens for mobile devices and Windows desktops, a software toolbar, a hybrid token with digital certificates, a display card, and on-demand delivery via SMS or e-mail.

Best Practice #4: Monitor and log security events.

The RSA enVision platform is a security information and event management solution that delivers high visibility into all security threats across the entire information infrastructure, from switches and routers to security devices, host assets, applications, servers and storage. With the use of the RSA enVision platform's baseline alerting system, organizations can see exactly what usual and unusual patterns are forming, enabling them to identify security threats anywhere in the network, even in remote locations.

IV. Conclusion

Securing web access is critical to protect against the threat of sensitive corporate data ending up in the wrong hands. As organizations extend access to more users and enable information sharing across more applications and systems, a secure web access strategy is essential. By following these best practices, organizations can improve their ability to secure sensitive data and, in turn, protect revenue, prevent the erosion of customer confidence and brand value, and meet the demands of regulatory compliance.

About RSA

RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle, no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.rsa.com and www.emc.com.

RSA, SecurID, RSA Security and the RSA logo are registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products or services mentioned are trademarks of their respective owners. 2008-2009 RSA Security Inc. All rights reserved. 4BPWA WP 0509