“Zero trust” is not paranoia; it’s the smart approach to security

The landscape of IT security is changing, and every organization has to question who it trusts to perform privileged activities and to access sensitive data and resources. Glenn Hazard, CEO of Xceedium, Inc., says the safest posture is to have “zero trust access control.” Zero trust, however, doesn’t mean a total lock-out. The Xceedium GateKeeper appliance contains, controls and monitors privileged users without getting in the way of the work they need to perform.

I recently had a one-on-one discussion with Glenn Hazard, CEO of Xceedium, Inc. We talked about the changing nature of IT security and how, despite the fact that companies have spent heavily on perimeter defense, the investments in various technologies haven’t provided the hoped-for and needed high level of security.

Hazard points out that many companies now allow vendors, partners, outsource providers, and contractors inside their critical infrastructure, and this is changing the concept of who we trust. “In many cases, people we have never met are now responsible for providing systems administration for our enterprise infrastructure,” says Hazard. This is especially prevalent with government agencies that increasingly have engaged low-bid contractors to perform many critical IT functions such as network administration, configuration management and user provisioning. And, as more companies place computing resources in the cloud, it’s harder to know who is caring for those applications and devices.

“The contractors who are assigned the tasks of configuring and operating an organization’s IT infrastructure are a privileged community that can pose a risk to security,” says Hazard. The risk stems from unintentional actions, such as misconfiguring a device, as well as from intentional malfeasance, such as accessing confidential data. Hazard says it’s important to adopt a “zero trust” stance and ensure identity-based access to these systems. What’s more, the privileged user should only have access to the systems and resources he needs to perform his job.

The increasing complexity of compliance is also changing the security landscape. “New regulations and security mandates require continuous monitoring and enforcement of controls for users who access critical infrastructure or sensitive or regulated data,” says Hazard. “PCI, HIPAA, SOX, FISMA – name your regulation. They all require tight control over who is accessing what, along with the ability to produce audit trails and reports to prove the actions of privileged users.”

A third scenario that is adding to the complexity of IT security is the movement to new computing models. “Server virtualization and cloud computing stretch the boundaries of existing perimeter security technology,” says Hazard. Organizations are especially fearful of inadvertently allowing access to one virtualized application or system through another – a situation Hazard calls “leap frogging.”

Enterprise security officers are certainly feeling the pain of these issues. Among the challenges:

• How to enforce fine-grained access control on vendors, contractors and administrators (i.e., privileged users) without restricting their ability to do their jobs?

• How to contain these users so that they only have access and visibility to authorized resources?

• How to provide accountability and proof of compliance for mandated regulations?

Traditional access control solutions focus on giving users access to systems rather than proving their identity. Such a narrow focus can lead to cases of mistaken identity. Unfortunately, identity is one of several critical concerns legacy access control systems do not adequately address. Other key areas include entitlement (credential management), user monitoring, and auditing.

Xceedium addresses all those areas with a “zero trust access control” system bundled into a neat little appliance called a GateKeeper. This solution provides enforcement of least privilege access control policy on users; containment of users to authorized systems; and continuous monitoring and audit-quality logging for compliance and risk management.

Privileged users such as administrators log onto the network via the GateKeeper appliance, which uses very granular company policies to control precisely what each individual user can do and which resources he can see or access. The user is prevented from accessing resources he is not specifically granted access to through a patented procedure Xceedium calls “Anti-LeapFrogging.”

GateKeeper tracks and logs everything a privileged user does; all keystrokes and screens are recorded and reported upon for an easy audit trail and proof of compliance with PCI, HIPAA and other regulations. (Not all privileged users are IT workers; they might be doctors, nurses or other healthcare workers who should not have access to certain sensitive medical records or equipment, or retail clerks or merchants that are prohibited from handling credit card information.) In addition, real-time activity monitoring can prevent a worker from doing something he doesn’t have privileges for by terminating the activity or session and triggering an alert. The activities log can feed into SIEM systems for a more holistic look at security events on the network.
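The controls described above (least-privilege entitlement, containment of a session to authorized systems, blocking of a hop from one reachable host to an unauthorized one, session termination on a disallowed action, and an audit record that can be exported to a SIEM) can be sketched as a small policy-enforcing gateway. The code below is an added illustration written for this article; it is not Xceedium's code and does not reflect GateKeeper's policy format or internals. The `POLICY` table, the user and host names, and the `Gateway`/`Session` classes are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed example policy (hypothetical format, not the product's): each
# privileged user is entitled only to the listed target hosts, and a short
# set of commands is blocked for that user on every host.
POLICY = {
    "contractor_alice": {
        "targets": {"web-01", "web-02"},
        "blocked": {"useradd", "usermod", "passwd"},
    },
    "dba_bob": {
        "targets": {"db-01"},
        "blocked": set(),
    },
}


@dataclass
class Session:
    user: str
    host: Optional[str] = None            # host the session is attached to
    active: bool = True
    audit: list = field(default_factory=list)  # per-session audit records


class Gateway:
    """Mediates every privileged connection, hop and command against POLICY."""

    def __init__(self, policy):
        self.policy = policy
        self.siem = []  # records exported to a SIEM (collected in memory here)

    def _entitled(self, session):
        return self.policy.get(session.user, {}).get("targets", set())

    def _log(self, session, event, detail, allowed):
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": session.user,
            "host": session.host,
            "event": event,
            "detail": detail,
            "allowed": allowed,
        }
        session.audit.append(record)
        self.siem.append(record)
        return allowed

    def _terminate(self, session, reason):
        # Real-time enforcement: the session is cut and the event is logged.
        session.active = False
        self._log(session, "terminate", reason, False)

    def connect(self, session, target):
        """Initial connection: allowed only to a host in the user's entitlement."""
        if not session.active:
            return False
        if target not in self._entitled(session):
            self._log(session, "connect", target, False)
            self._terminate(session, f"unauthorized target {target}")
            return False
        session.host = target
        return self._log(session, "connect", target, True)

    def hop(self, session, target):
        """Containment: a hop from an authorized host is judged exactly like a
        fresh connection, so reaching host B through host A still requires
        entitlement to B (the 'leap frogging' case in the article)."""
        if not session.active or session.host is None:
            return False
        if target not in self._entitled(session):
            self._log(session, "hop", f"{session.host}->{target}", False)
            self._terminate(session, f"leapfrog attempt to {target}")
            return False
        detail = f"{session.host}->{target}"
        session.host = target
        return self._log(session, "hop", detail, True)

    def run(self, session, command):
        """Every command is recorded; a blocked command ends the session."""
        if not session.active or session.host is None:
            return False
        blocked = self.policy.get(session.user, {}).get("blocked", set())
        verb = command.split()[0] if command.strip() else ""
        if verb in blocked:
            self._log(session, "command", command, False)
            self._terminate(session, f"blocked command {verb}")
            return False
        return self._log(session, "command", command, True)


if __name__ == "__main__":
    gw = Gateway(POLICY)
    s = Session("contractor_alice")
    gw.connect(s, "web-01")
    gw.run(s, "systemctl restart nginx")
    gw.hop(s, "db-01")  # denied and terminated: not in alice's entitlement
    for rec in gw.siem:
        print(rec)
```

Every decision, allowed or denied, produces one record in both the session's audit trail and the SIEM feed, which is what lets the log double as proof of compliance; the denied hop and the blocked command each produce two records (the refusal and the termination), so an analyst can tell a policy refusal apart from a session cut.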

Hazard says that many prospects come to Xceedium looking for a solution to help with compliance issues – which GateKeeper addresses – but these organizations soon learn that this appliance helps to reduce operational risk as well. It’s an opportunity to advance two agendas: meeting compliance mandates, but more importantly, boosting an organization’s security posture by containing privileged users who have the ability (legitimate or otherwise) to do damage to the organization.

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.

About Essential Solutions Corp: Essential Solutions (http://www.essential-iws.com) researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
