Interview: CISO explains enterprise's access control policies

Access control and authentication aren't as simple as setting up user IDs and passwords.

This article can also be found in the Premium Editorial Download: Information Security magazine: Tips from the 2007 Security 7 Awards.
Authentication and access control used to be fairly simple propositions: set up user IDs, passwords and role-based permissions and you were done. In today's enterprise environments, you have to get deeper in the weeds. Mike Roberti, the chief information systems security officer at Harris Corp., knows that as well as anyone, having the unenviable task of ensuring his 10,000 users have secure access to the resources they require.

Authentication and access control are challenges for distributed companies, especially with partners and customers needing access to the network. How have you handled that?
One of the things we had been trying to accomplish was the synchronization of IDs and passwords across the corporation. There were people trying to remember 10-plus passwords. The second thing was to give our users the ability to reset a password without having to call the help desk. Our vendor, Avatier, said, 'Give me your analyst for an hour and we'll have it in production in an hour.' That was a challenge, I thought. But within an hour it was running. We had a pretty robust access control system we built internally and it was based on users requesting access, rather than access being granted based on roles.

Strong authentication, such as tokens or smart cards, has been touted as the panacea. Have you considered going down that road?
Yes, we have looked into that. One of our divisions uses tokens. You want a solution that works internally as well as externally. Smart cards are a good solution, but they won't do if the user is at his mother's house or somewhere else. We'll probably stay with a token solution and roll it out to everyone. Some of the systems won't handle two-factor, so we'll have to keep passwords in some places too. To me, the ideal solution would be a proximity smart card where the user would walk into his office and [the card would] automatically log him in. If we could use that in conjunction with physical security, that would be great.

Have you tied your physical security with your information security at this point?
Not at this time. We've seen a couple of things out there and that seems to be where the industry's going. I think there's a lot of cost involved there, but at some point it's something that we'll need to investigate. We have network security and physical security relatively separate. But all information security starts with physical security.

If you have physical access, you can probably get the data. So I think that integration needs to occur more, but with the right driver and the right investment. You have to balance it with the business need and the cost.


Download the full interview with Mike Roberti at searchsecurity.com.

This was first published in October 2007
