How much access control technology is enough?

I recently attended a meeting with a group of leading CIOs of U.S. Federal Government agencies, all of whom are working to meet a presidential mandate (HSPD 12) to integrate high-tech Personal Identity Verification (PIV) cards into their access control systems. Some level of activity is of course required for compliance; a “just do it” attitude has to apply in some way. The more surprising conversation for me was a mentality that would be familiar to anyone who has ever remodeled a house: “while we’re in there, let’s also fix that…”. These CIOs were very interested to know how much effort to improve access control beyond mere compliance is worthwhile from a cost/benefit perspective.

IREC’s research efforts on access management and assessing the relative value of control investments shed some light on the question of how much technology is enough.

Three principles guide our thinking on the topic:

1) Technology investments can play only one part of an overall access management strategy, and not the most important part. An access control strategy must include processes for maintenance and governance, authorization, authentication, and validation. Technologies such as PIV cards and their back-end support systems play a role in only some of these areas.

2) Access controls should be a major consideration in the design of any new system or application. Building access controls into new systems during the design phase is far more cost-effective and provides a greater return than retrofitting systems after they have been built.

3) Access controls that apply at a “coarser” layer provide the same benefit as fine-grained controls at a lower overall cost. IREC’s 2009 Controls Maturity Analysis indicates that access control regimes applied at the network or operating system layer provide a similar amount of information protection to those applied at the application layer, while offering significantly more scalability and flexibility.

Just as every remodeling project needs to stick to its budget, our thinking is that many of the proposed add-ons to the PIV card project are unlikely to be worthwhile from an ROI perspective. Access control is one of the few places where security technologies can actually make users’ lives easier, and it is tempting to spend here for the sheer goodwill. However, in these times of tight budgets, it is more important than ever to ensure that all projects have a strong business case and are the best possible use of limited resources.

Several years of negative audit findings and technology improvements have nearly one-third of IREC members revisiting or reconsidering their access control strategy for 2010. So even if you are not a federal CIO/CISO, take a look at this short presentation that lays out the state of access controls using the NIST 800-53 framework, and let us know how we can be most helpful to you as you address this topic in your own organization.

We also encourage you to contact us for information on how we can help prioritize your list of security projects.
