Interview: CISO explains enterprise's access control policies - Information Security Magazine

Interview: CISO explains enterprise's access control policies

Authentication and access control used to be fairly simple propositions: set up user IDs, passwords and role-based permissions and you were done. In today's enterprise environments, you have to get deeper in the weeds. Mike Roberti, the chief information systems security officer at Harris Corp., knows that as well as anyone, having the unenviable task of ensuring his 10,000 users have secure access to the resources they require.

Mike Roberti

Authentication and access control are challenges for distributed companies, especially with partners and customers needing access to the network. How have you handled that?
One of the things we had been trying to accomplish was the synchronization of IDs and passwords across the corporation. There were people trying to remember 10-plus passwords. The second thing was to give our users the ability to reset a password without having to call the help desk. Our vendor, Avatier, said, 'Give me your analyst for an hour and we'll have it in production in an hour.' That was a challenge, I thought. But within an hour it was running. We had a pretty robust access control system we built internally and it was based on users requesting access, rather than access being granted based on roles.

Strong authentication, such as tokens or smart cards, has been touted as the panacea. Have you considered going down that road?
Yes, we have looked

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

into that. One of our divisions uses tokens. You want a solution that works internally as well as externally. Smart cards are a good solution, but they won't do if the user is at his mother's house or somewhere else. We'll probably stay with a token solution and roll it out to everyone. Some of the systems won't handle two-factor, so we'll have to keep passwords in some places too. To me, the ideal solution would be a proximity smart card where the user would walk into his office and [the card would] automatically log him in. If we could use that in conjunction with physical security, that would be great.

Have you tied your physical security with your information security at this point?
Not at this time. We've seen a couple of things out there and that seems to be where the industry's going. I think there's a lot of cost involved there, but at some point it's something that we'll need to investigate. We have network security and physical security relatively separate. But all information security starts with physical security.

If you have physical access, you can probably get the data. So I think that integration needs to occur more, but with the right driver and the right investment. You have to balance it with the business need and the cost.


Download the full interview with Mike Roberti at searchsecurity.com.

This was first published in October 2007