Interview: CISO explains enterprise's access control policies

This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."

Authentication and access control used to be fairly simple propositions: set up user IDs, passwords and role-based permissions and you were done. In today's enterprise environments, you have to get deeper in the weeds. Mike Roberti, the chief information systems security officer at Harris Corp., knows that as well as anyone, having the unenviable task of ensuring his 10,000 users have secure access to the resources they require.

Authentication and access control are challenges for distributed companies, especially with partners and customers needing access to the network. How have you handled that?
One of the things we had been trying to accomplish was the synchronization of IDs and passwords across the corporation. There were people trying to remember 10-plus passwords. The second thing was to give our users the ability to reset a password without having to call the help desk. Our vendor, Avatier, said, 'Give me your analyst for an hour and we'll have it in production in an hour.' That was a challenge, I thought. But within an hour it was running. We had a pretty robust access control system we built internally and it was based on users requesting access, rather than access being granted based on roles.

Strong authentication, such as tokens or smart cards, has been touted as the panacea. Have you considered going down that road?
Yes, we have looked into that. One of our divisions uses tokens. You want a solution that works internally as well as externally. Smart cards are a good solution, but they won't do if the user is at his mother's house or somewhere else. We'll probably stay with a token solution and roll it out to everyone. Some of the systems won't handle two-factor, so we'll have to keep passwords in some places too. To me, the ideal solution would be a proximity smart card where the user would walk into his office and [the card would] automatically log him in. If we could use that in conjunction with physical security, that would be great.

Have you tied your physical security with your information security at this point?
Not at this time. We've seen a couple of things out there and that seems to be where the industry's going. I think there's a lot of cost involved there, but at some point it's something that we'll need to investigate. We have network security and physical security relatively separate. But all information security starts with physical security.

If you have physical access, you can probably get the data. So I think that integration needs to occur more, but with the right driver and the right investment. You have to balance it with the business need and the cost.
Download the full interview with Mike Roberti at searchsecurity.com.

This was first published in October 2007