|
Most networks today have a large investment in protections against external threats. The walls around the network have been built and in most cases they are close to impenetrable. Hadrian however subscribes to the principle of “Defense in Depth”. Fortifications were designed with the knowledge that there was inevitably going to be a breach at some point along the wall with a high percentage chance that it would occur at the main gate. The defenders also knew that many cities and fortifications had been taken by subversive actions from within. Whether the motives were for greed or revenge the results of conspirators opening a gate or getting information about internal weakness to the enemy was catastrophic defeat for the defenders. Today’s corporations and the IT networks that serve as their backbone is today subject to the same threats. Gartner reports that 68% of companies are losing or having data stolen 6 times per year. The second principle of Hadrian’s network security architecture is the implementation of Identity Management.
Identity management is an ancient practice that dictated that all members of the empire had identification of their personal identity, citizenship status, and economic status (merchant, government official, etc). These papers allowed or disallowed the individual to travel within the empire and also provided access limits within the individual cities and townships within the empire. Identity management within a network is applied in the same way. Instead of leaving an employee free to roam within the company’s infrastructure a policy is created for the individual and only those assets or services that are need in the performance of his or her job are open to the employee. All other assets and services are blocked at the network level leaving them virtually invisible to the individual that does not have the proper permissions within their personal policy.
Another large area of risks lies within the area of surge or contractor staffing. Here by the very nature of the staffing model loyalty and professionalism are based solely on the integrity of the individual. As the positions and duties are temporary in nature the individual rarely integrates into the organization and therefore does not have the loyalty or long term vision that full time employees will maintain. This issue alone brings on the need for a holistic approach to protecting the organization’s network. For day-to-day operations the need for granular authorization management and auditing for internal networks has become a necessity.
The highlights of the Hadrian Security solution are outlined below:
- Can be used in a conference room to allow visitors who need access to the Internet for doing demonstrations, or reaching their main office, while blocking their access to any of your organizations resources.
- Can complement the privacy enabled by the WEP or WPA security features of your wireless network (or VPN you may use on the wireless) when deployed at the interface between a wireless network segment and the internal network backbone.
- Can segment a particular department's resources and users, such as finance or a clinical testing medical lab, for data or information that must be strictly controlled.
- Assures that authorization privileges will be strictly and consistently enforced between the segments whether they are hardwired in the building, leased lines between remote sites or connected through the Internet or wirelessly.
- For mobile employees, contractors or partners, ID-Enforce consistently enforces policy whether the user is working at their desk, from a conference room, on a local wireless network segment, or remotely. To further reduce risk of unauthorized access, each user is only provided with visibility to the networked resources for which he or she is granted access.
- Even if IPSec or SSL VPN is in place on the network edge, ID-Enforce does not require distributing a "thick client" as with an IPSec VPN, or building web authorization pages that provide granular access controls as with clientless SSL VPNs. Normally, these pages or access portals can generate a lot of work and must be updated whenever the network or the applications on the back-end change. In contrast, ID-Enforce consistently provides granular identity-based access control and the configuration does not change as network-related changes occur.
- Through deep integration with LDAP directory services, ID-Enforce provides unique management benefits. As a user's identity is added or changed in the directory and given appropriate group or individual network privileges, ID-Enforce verifies those access policies each time this user authenticates to ensure that the correct access rights are applied and the authorization process is seamless to the user.
|
