Category-breaking innovation

Page 2 of 2
  • Within a browser-based session, the user requests a level of access to a particular application for which he doesn't have the necessary roles and permissions.
  • Access Enforcer presents the user with an access-request form, which can be customized to the proper format and can include all the data fields necessary, pulled from multiple internal and external data sources (such as SAP's human resources application), to complete the desired process.
  • The user enters all necessary and appropriate data elements into the access-request form.
  • The user completes and submits the access-request form, thereby automatically triggering a workflow process within Access Enforcer.
  • The access request is routed through a pre-specified, customized workflow (defined by the appropriate corporate business managers) to any number of reviewers and approvers.
  • At each stage in the workflow, the relevant reviewer/approvers receive e-mail notifications of the request, including a link directing them to the completed form.
  • The reviewer/approvers can retrieve additional information from multiple sources to provide the data necessary for a complete analysis, including "segregation of duties" (i.e., conflict of interest) assessments automatically evaluated by Virsa's Compliance Calibrator software tool. This is one of the critical internal control steps required by the Sarbanes-Oxley regulation.
  • Upon approval, the access request can be routed to the security team for entry into the target application, or executed automatically within that application or platform.

Access Enforcer keeps a fully documented audit trail of executed user requests and approvals for security, legal and regulatory compliance monitoring.

Access Enforcer integrates fully into an enterprise's existing application and identity infrastructure. It is a stand-alone Web-based application within J2EE and .Net environments. Access Enforcer dynamically retrieves user identity, permission and role information from multiple sources, including Lightweight Directory Access Protocol directories, Windows Active Directory and SAP platforms. In response to a user access request, it automatically looks up current user roles and permissions across all connected systems and assesses the risks of provisioning the requested access across diverse systems.

The category-breaker: ThinkPad T42
The vendor: IBM
The columnist: Johna Till Johnson, president of Nemertes Research, Eye on the Carriers

What makes this service so special? Biometrics has been the "next big thing" in security circles for the past five years. IT executives are intrigued by the possibilities, but reluctantly end up concluding that the technologies aren't quite simple enough to roll out to thousands of end users. That changed with IBM's December introduction of the ThinkPad T42, which includes the IBM Embedded Security Subsystem 2.0, which features a built-in fingerprint scanner. By bringing biometrics to the desktop, IBM addressed several critical requirements that IT executives tell us are top-of-mind in 2005: endpoint security, identity management and compliance.


Who's using it? No enterprise accounts are publicly available at this point, but we have spoken with clients who are evaluating the ThinkPad T42.

How much will it cost the average enterprise? Pricing for the T42 with Embedded Security Subsystem 2.0 begins at $1,400.

What else should we know? Anyone who's concerned about endpoint security, identity management or compliance should seriously consider this system.

  • Endpoint security. Increasingly, sensitive data resides on users' desktops and laptops - not just on managed and protected servers. Ensuring effective endpoint security is a key component of an up-to-date security strategy.
  • Identity management. Security policies rely on effective identity management - knowing who a user is, and mapping that user's access rights to his or her profile. The biggest challenge in identity management is authentication - ensuring that a user is who he or she claims to be. This is particularly important when multiple users share the same machine - one user might have rights to view a set of files, for example, that other users might not have rights to view.
  • Compliance. Regulations such as Gramm-Leach-Bliley, Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) increasingly require senior company executives to ensure that sensitive or protected data can only be accessed by appropriate personnel. Password protection is often insufficient, as most passwords can be cracked.

The T42 with Embedded Security Subsystem 2.0 works effectively in a variety of scenarios. For users who share client systems (for example, hospital, IT administrative and military staffs), it integrates into server-based authentication to reproduce sensitive user credentials and key information. Thus, users can roam from one security-enabled system to another followed by their authentication credentials and keys, and gain access only to those files they're entitled to see (from any machine). The system also enhances the security of wireless networking (particularly critical in HIPAA environments) by concealing authentication credentials for industry-standard 802.1x protocols and Cisco Lightweight Extensible Authentication Protocol (LEAP).

For IT executives, though, all that pales beside the T42's most compelling feature: It's easy to use. Users simply swipe their fingers across the integrated fingerprint scanner; if there's a match, the system provides single sign-on to appropriate data and applications. For companies that currently spend millions on password management, the simplicity alone is a standout. It translates into a hard-dollar rationale for implementing the new machines: IT executives can now seriously consider implementing company-wide biometrics while reducing their operational security costs.

The category-breaker: Eli
The vendor: Electronic Lifestyle Integration
The columnist: Winn Schwartau, president of Interpact, On Security

What makes this service so special? It is a rare year indeed when I get slap-happy over a product, but Eli certainly made me so. Eli brings hope to the professional security officers struggling to maintain a reasonable level of security for a corporation with hundreds of distant offices, telecommuters and travelers moving hither and yon across the globe. Once this small lightweight is connected to a cable modem or DSL line, or router, Eli "calls home" and is assigned a "master server" somewhere in the company's expansive global infrastructure. Your Eli, which has secure Ethernet and wireless ports and a built-in network address translation firewall, then is updated with the latest and greatest in anti-virus signatures, spyware blocks, content filtering decisions, popup detectors and more. Here, Eli shines more than any other product I have seen in years, putting it into a category of its own!


Who's using it? ELI is in negotiations with a number of systems integrators and service providers, and a handful of high-profile enterprise organizations.

How much will it cost the average enterprise? About $200, with service that starts at $10 per month for complete automatic managed security for a small network.

What else should we know? ELI advertises Eli as the first managed broadband security appliance for the home, but I immediately realized it is so much more than that. Epidemics of viruses, malware and spam make Ma and Pa part of the global security problem. The road warrior of today and remote offices are clones of the security woes brought on by millions of broadband home users.

Architecturally, Eli is a small, surprisingly lightweight box that connects to a cable or DSL line or can be easily hooked to a router. Eli provides four protected Ethernet ports and a fully featured 802.11 b/g capability with the usual MAC/WPA security. The built-in network address translation firewall assures that you are indeed in stealth mode to the world - and that's a great thing, as you want to be as invisible as possible to keep those pesky bad guys far, far away. A USB port is perfectissimo for a centralized wireless printer.

But that is only the start. Are you migrating to VoIP to save money, maintain a single phone number and schlep around the world? Eli handles all of that, too. Securely.

Once hooked up (true plug 'n' play), Eli "calls home" and is assigned a "master server" somewhere in Eli's expansive global infrastructure. Your Eli is then updated with the latest and greatest in anti-virus signatures, spyware blocks, content-filtering decisions, pop-up detectors and more.

But wait, there's more!

How about VPNs for Dummies? Any Eli can automatically talk to any other Eli with strong Diffie-Hellman key exchange and Advanced Encryption Standard. To me, this is one of the most stupendous features for connecting securely and with supreme laissez-faire ease to an organization's distant offices.

In summary:

  • I like ridiculously simple.
  • I like to tell those without a clue, "Don't touch."
  • I like all-in-one solutions that are hardware-based.
  • I like solutions that address real-world corporate needs, small office/home office necessities and anything that will keep Ma and Pa from hurting themselves by tweaking inside of Windows.

To me, Eli is this and more. Eli is going to be huge.


Copyright © 2005 IDG Communications, Inc.
