Today, technical solutions to protect the network beyond passwords fall back to two classic concepts in information security that are "least privilege" and Authentication Authorization & Accounting (AAA). All technical mechanisms must take the approach of allowing the least amount of access that users need to do their job, make reasonably sure the users are who they say they are, make sure they are assigned access to limited resources, and their activities are accounted for and anomalies are identified.
Least privilege must be applied based on more than the user's identification. Different levels of access should be applied based on the type of device being used to access the network, when the network is accessed, and where the network is being accessed from. User access profiles should be developed for the most common access scenarios that users utilize to access the network. For example most organizations will have the following categories (most to least secure):
" User on the internal network on a managed device
" User on the external network on a managed device
" User on the external network on a non-managed device
" User on the internal network on a non-managed device
Each of these categories should be assigned a set of resources that they are allowed to access, which could include restrictions to certain server or services. Unmanaged devices should be directed to services that provide abstract access that limit the volume of activity a user can access.
For example, a Citrix Xen App or Microsoft Terminal Services access could be allowed to limit the amount of information an attacker could retrieve from the network. Access controls should be designed to contain a compromised account to the least amount of access and the least amount of data loss possible. This concept can be extended to internal network segmentation to protect sensitive internal networks such as process control, financial and manufacturing systems.
Technologies such as Network Admission Control, SSL VPN with posture assessment, Mobile Device Management (MDM), and virtual desktop/application presentation applications have matured to a point where they provide network designers effective tools to control network access.
The network should be designed in a way that leverages the technologies to provide users the least privilege while at the same time enabling them to leverage technology. Most network vendors are heavily focused at integrating these technologies into their products.
Implementing least privilege is designed under the assumption an account will be inevitably compromised. Even though a compromised account should be expected, steps should be taken to reduce the probability of a compromise occurring and detecting abuse as rapidly as possible.
Classic password policies and user awareness training provide a basic level of protection that most organizations will need to implement. Password policies should be implemented in a way that is accepted by the user base. Requiring overcomplicated or frequently changing passwords in most cases will result in users repeating passwords or writing them down.
Sign up for CIO Asia eNewsletters.