In the first part of this series, we reviewed the first three steps in setting up an identity and access management system at a small or medium-sized business (SMB). The three steps are evaluation, planning, and implementation and provisioning.
Once the evaluation and planning phase is done, it's time to pick products and begin implementation.
For this tip, I've set up a fictitious SMB to illustrate the implementation phase.
The SMB has 800 employees spread among six offices. Four of the offices are in the U.S., one office is in London and another in Hong Kong. All the offices are wholly owned and operated by the company. There are no agents, subsidiaries or local joint ventures. This is an important point: If the offices are part of a single company, most likely they're on the same network. This simplifies your options.
Some offices handle only special functions. The office in Hong Kong oversees manufacturing in China. The London office handles sales that have just started to grow in Europe. The U.S. offices do everything.
The backbone of the SMB's network sits on Windows Server 2003. This includes all the file servers, database servers, the email system and other network applications. The users have either desktops or laptops, not both. The desktops and laptops run Windows XP Professional. The laptops are used by the sales staff members, who are always on the road, a few executives and a handful of telecommuters.
The entire staff uses three or four different applications, including email, depending on each employee's work. Each application requires its own unique user ID and password.
Finally, the overworked network staff members overseeing this far-flung operation double as your information security department. They already provision user IDs and passwords and have the skills and experience to implement and deploy access control systems.
What to look for:
Identity and access management products should have the following features:
- Can be handled by existing staff, with no additional staff needed.
- Scalable for future employee growth.
- Flexible, allowing new authentication systems to be added.
Recommended plan for office-bound employees:
For office-bound employees doing routine office work, stick with Active Directory (AD), since the network is already running Windows Server 2003. It's already built-in, and it has been part of Windows servers from Windows 2000 onwards. AD is flexible for segmenting access among the different, and sometimes competing, user groups within your company. It is scalable up to millions of users, so it can meet future growth. It works well with other authentication systems you may consider adding in the future, such as smart cards or biometrics.
That leaves two pressure points: your remote users and the multiple user IDs and passwords your users need for access each time they log in.
For the remote users, consider using a Secure Sockets Layer virtual private network (SSL VPN). An SSL VPN allows a remote user to access your network from a simple Web browser. That means anywhere. Your road warriors can get in to do their work right from their laptops, whether in a hotel, at a customer site or waiting in an airport lounge. Other office-bound employees, who might travel occasionally, can also use the SSL VPN from any Web browser where they're stationed.
Unlike IPsec VPN installations, an SSL VPN requires no tokens or complex hardware, and the cost is substantially lower. Seattle-based Aventail Corp. has a popular SSL VPN product on the market. It consists of a single appliance installed in your network that acts as a secure SSL VPN Web server.
There's only one drawback. SSL VPNs are basically Web applications. That means they have the same strengths and weaknesses as any other Web application. They need to be properly secured and should time out if the user walks away from their laptop or terminal. This prevents a malicious user from casually entering your network through a still-open browser window to your SSL VPN.
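The time-out requirement above has to be enforced on the server, not in the browser. The following is an added example, not code from the original tip or from any vendor's product; the class name, the user name and both limits (10 minutes idle, 8 hours total) are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass

IDLE_LIMIT = 10 * 60       # assumed: seconds allowed between requests
ABSOLUTE_LIMIT = 8 * 3600  # assumed: seconds allowed since login, active or not


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table with a sliding idle limit and a hard lifetime cap."""

    def __init__(self, idle_limit=IDLE_LIMIT, absolute_limit=ABSOLUTE_LIMIT):
        self.idle_limit = idle_limit
        self.absolute_limit = absolute_limit
        self._sessions = {}

    def login(self, user, now):
        # Unguessable token; only the server knows when it was last used.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now):
        """Return the user for a live session, else None. Expired sessions are destroyed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        idle = now - session.last_seen
        age = now - session.created
        if idle > self.idle_limit or age > self.absolute_limit:
            # Delete rather than flag, so a later request cannot revive the session.
            del self._sessions[token]
            return None
        session.last_seen = now  # each request slides the idle window forward
        return session.user


def demo():
    # Constructed timeline in seconds; a real server would pass time.monotonic().
    store = SessionStore()
    token = store.login("sales01", now=0)
    return [store.validate(token, now=t) for t in (300, 800, 1500, 1501)]
```

In the constructed timeline, the user walks away after the request at 800 seconds; the request at 1500 seconds is refused, and so is every request after it, because the session no longer exists.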
To solve the multiple login problem, Imprivata offers a lightweight single sign-on (SSO) solution. Like Aventail's product, OneSign from Lexington, Mass.-based Imprivata Inc. is a dedicated appliance installed on your network. Unlike other SSO solutions, it doesn't use complex scripts on already crowded servers. It's aimed at midmarket companies because of its easy installation and low maintenance. It can be remotely managed and is scalable for new users and new authentication devices.
With these solutions, our SMB can implement a sound identity and access management strategy for the different needs of all of its offices. And the information security staff, masquerading as the network department, can handle everything efficiently.
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. His specialty is Web and application security, and he's a Microsoft MVP in security. He is also the author of The Little Black Book of Computer Security, which has tips on setting up an access management system. The book is available from Amazon.com.