Interview: CISO explains enterprise's access control policies
Access control and authentication aren't as simple as setting up user IDs and passwords.
Mike Roberti
Authentication and access control are challenges for distributed companies, especially with partners and customers needing access to the network. How have you handled that?
One of the things we had been trying to accomplish was the synchronization of IDs and passwords across the corporation. There were people trying to remember 10-plus passwords. The second thing was to give our users the ability to reset a password without having to call the help desk. Our vendor, Avatier, said, 'Give me your analyst for an hour and we'll have it in production in an hour.' That was a challenge, I thought. But within an hour it was running. We had a pretty robust access control system we built internally and it was based on users requesting access, rather than access being granted based on roles.
Strong authentication, such as tokens or smart cards, has been touted as the panacea. Have you considered going down that road?
Yes, we have looked into that. One of our divisions uses tokens. You want a solution that works internally as well as externally. Smart cards are a good solution, but they won't do if the user is at his mother's house or somewhere else. We'll probably stay with a token solution and roll it out to everyone. Some of the systems won't handle two-factor, so we'll have to keep passwords in some places too. To me, the ideal solution would be a proximity smart card where the user would walk into his office and [the card would] automatically log him in. If we could use that in conjunction with physical security, that would be great.
Have you tied your physical security with your information security at this point?
Not at this time. We've seen a couple of things out there and that seems to be where the industry's going. I think there's a lot of cost involved there, but at some point it's something that we'll need to investigate. We have network security and physical security relatively separate. But all information security starts with physical security.
If you have physical access, you can probably get the data. So I think that integration needs to occur more, but with the right driver and the right investment. You have to balance it with the business need and the cost.
Download the full interview with Mike Roberti at searchsecurity.com.