Buzzword Babylon III: Even More Baffling IT Security Terms Explained
April 10, 2014 by Daniel Humphries
Anyone who’s ever browsed IT security products on a major manufacturer’s website knows that trying to figure out what all those different platforms and applications do can be a frustrating experience. There are so many acronyms and such an overlap of functions that it can be difficult to cut through the marketing and tech jargon.
This issue isn’t limited to the inexperienced, or small business owners without dedicated IT departments—as the recent Target breach shows, huge, established firms with colossal technology budgets can also crash and burn when it comes to security. If this is the case, how can the rest of us avoid making costly, even catastrophic errors?
Well, as the ancient Chinese philosopher Confucius said some 2,500 years before computers were invented, “The beginning of wisdom is to call things by their proper name.” In that spirit, we asked a group of top IT experts to help us translate some of these nebulous terms into plain English.
- Network Access Control (NAC)
- Identity Access Management (IAM)
- Threat Intelligence
1. Network Access Control (NAC)
Prakash Nagpal, senior VP of product marketing and marketing at Narus: Think of NAC as a health check for your device. With today’s Bring Your Own Device (BYOD) policies, companies must provide employees with a way to connect their devices to the corporate network.
Before authorizing access, however, organizations must verify that the laptop/tablet/mobile device (called an “endpoint”) is an authorized legitimate user, and not a potential threat. NAC is a solution that implements checkpoints that endpoint devices must pass through prior to receiving access to the network.
Scott Montgomery, public sector CTO at McAfee: Many people liken NAC to a bouncer at a nightclub, but this isn’t entirely accurate. It’s not just whether you’re “on the list” to get in—there are specific criteria, and if you don’t meet them, you’re detained until you do. It’s more like the Department of Homeland Security’s Customs and Border Protection (CBP), which checks very specific things when you return from traveling internationally, including:
- Your name, date of birth, street address, passport country and number and the airline and number of your arrival flight;
- Where you visited and who you’re traveling with;
- If your trip was for business or pleasure;
- If you’re returning with items such as fruits, plants, food and/or animals, and if you were in proximity to livestock;
- If you’re carrying $10,000 USD (or the foreign equivalent) or more;
- If you’re carrying commercial merchandise; and
- The total value of all goods with you.
NAC uses a similarly granular level of criteria to determine if a machine can gain access to your network. This includes whether you:
- Have the right OS service pack;
- Have the most up-to-date software patches for commonly exploited software packages, such as Adobe Reader or Internet Explorer;
- Have up-to-date anti-virus signatures (a string of characters/numbers anti-virus programs use to detect viruses);
- Are running older/deprecated software versions; and
- A large variety of other administrator-defined criteria.
Based upon a check performed when the machine is trying to gain network access, the NAC “CBP agent” can decide not to allow it through until necessary changes are made.
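As an added example (not code from the article or from any of the vendors quoted), here is the posture check described above reduced to working Python: an administrator-defined policy covering service pack, patch levels, anti-virus signature age and deprecated software, evaluated against a constructed endpoint, returning either "allow" or "quarantine" with the remediations required.

```python
"""Added example (not from the article): a minimal NAC posture check.

Models the "CBP agent" described above: an endpoint presents its state,
administrator-defined criteria are evaluated, and the device is either
allowed on or quarantined with the remediations it must complete first.
Policy values and endpoint data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed policy: what the administrator requires of a Windows endpoint.
POLICY = {
    "min_service_pack": 3,
    "required_patch_levels": {"adobe_reader": "11.0.06", "internet_explorer": "11.0.9"},
    "max_av_signature_age_days": 3,
    "deprecated_packages": {"java": "7"},   # major versions no longer permitted
}

@dataclass
class Endpoint:
    hostname: str
    service_pack: int
    installed: dict          # package name -> installed version string
    av_signature_date: str   # ISO date of the last anti-virus signature update

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def posture_check(ep: Endpoint, policy: dict, today: str) -> tuple:
    """Return ("allow", []) or ("quarantine", [required remediations])."""
    failures = []
    if ep.service_pack < policy["min_service_pack"]:
        failures.append(f"install service pack {policy['min_service_pack']}")
    for pkg, required in policy["required_patch_levels"].items():
        have = ep.installed.get(pkg)
        if have is None or version_tuple(have) < version_tuple(required):
            failures.append(f"patch {pkg} to {required} or later")
    age = (date.fromisoformat(today) - date.fromisoformat(ep.av_signature_date)).days
    if age > policy["max_av_signature_age_days"]:
        failures.append(f"update anti-virus signatures ({age} days old)")
    for pkg, major in policy["deprecated_packages"].items():
        have = ep.installed.get(pkg)
        if have is not None and have.split(".")[0] == major:
            failures.append(f"remove deprecated {pkg} {major}")
    return ("allow", []) if not failures else ("quarantine", failures)

if __name__ == "__main__":
    laptop = Endpoint("LAPTOP-01", 3, {"adobe_reader": "11.0.03", "java": "7.0.51"}, "2014-04-01")
    print(posture_check(laptop, POLICY, "2014-04-10"))
```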
Kurt Roemer, chief security strategist at Citrix: NAC is for keeping people off of networks, but it’s heavily misunderstood. It’s valuable for controlling access to network-based resources when the network is tightly managed—like making sure only approved devices can access your company’s Wi-Fi or internal networks. But organizations should know that NAC has limitations and is powerless to do anything at the application level, where users do their work.
Many organizations believe the network is the center of the security universe, and that it’s the only true way of controlling security. But security professionals know that data is at the center of the universe, and there are an almost infinite number of methods and networks for accessing this data—most of which do not use NAC.
In other words, know that people will find a way to bypass network-based controls by using their own networks and devices, setting up rules to forward information to personal email, syncing data from the office to a personal file-sharing service, etc. Users are even more likely to use NAC to bypass mechanisms when they’re accessing resources remotely.
2. Identity Access Management (IAM)
Prakash Nagpal: IAM provides a structured way to limit who (e.g. employees, contractors, vendors, customers, partners) can access what (e.g. network elements, servers, information, applications). This should not be confused with Identity Access Governance, which is the part of an IAM system that defines an organization’s rules on who can access what.
Michael Fimin, CEO of Netwrix: IAM can be explained as, “The right access at the right time.” In other words, it’s essential to control who has access to what in an organization based on their roles, and to be able to provide (or revoke) that access as soon as they need it. For example, granting access when an employee joins a company or gets transferred to another department, and terminating it as soon as that person leaves the company.
Curt Aubley, McAfee CTO of the Americas: IAM is an information security, risk management and business discipline with a broad range of measurable and demonstrable benefits.
At its foundation, IAM is all about:
- Who needs and is authorized to access what (e.g. applications/systems/information);
- Controlling that access;
- Ensuring a person is who they say they are;
- Ensuring access is easy and secure; and
- Ensuring that, if something changes, the associated access and controls change as well.
While it sounds simple, there are a few challenges. First, IAM is a cross-functional business imperative, rather than strictly an IT infrastructure-led engagement. This means the human resource process of adding a new employee to an IAM system, expanding their access privileges or removing them from the system must be tightly integrated with the specific IT requirements of IAM technologies to include internal employees, external consultants and suppliers.
Complicating things a bit more, IAM must be integrated across all devices, as well as any place that could be attacked—including the realms of mobility and the cloud.
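As an added example (not code from the article or from Netwrix or McAfee), the "right access at the right time" lifecycle above in working Python: joiner, mover and leaver events recompute a person's entitlements from their role, so a transfer revokes the old department's access rather than accumulating it, and a departure revokes everything. Role names and entitlements are constructed.

```python
"""Added example (not from the article): role-based access driven by joiner,
mover and leaver events ("the right access at the right time"). Roles and
people are constructed for illustration, not taken from any real system."""
from dataclasses import dataclass, field

# Constructed role catalogue: the entitlements each business role grants.
ROLES = {
    "finance-analyst": {"erp:read", "erp:report", "fileshare:finance"},
    "hr-generalist": {"hris:read", "hris:write", "fileshare:hr"},
}
BASE = {"email", "vpn:basic"}   # every active account gets these

@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True
    entitlements: set = field(default_factory=set)

class IAM:
    def __init__(self):
        self.identities = {}
        self.log = []   # audit trail of every grant and revoke

    def _apply(self, ident: Identity) -> None:
        """Recompute entitlements from role and status; log the delta."""
        wanted = set()
        if ident.active:
            wanted |= BASE
            for r in ident.roles:
                wanted |= ROLES[r]
        for e in sorted(wanted - ident.entitlements):
            self.log.append(f"GRANT {ident.user_id} {e}")
        for e in sorted(ident.entitlements - wanted):
            self.log.append(f"REVOKE {ident.user_id} {e}")
        ident.entitlements = wanted

    def joiner(self, user_id: str, role: str) -> Identity:
        ident = self.identities[user_id] = Identity(user_id, {role})
        self._apply(ident)
        return ident

    def mover(self, user_id: str, new_role: str) -> Identity:
        ident = self.identities[user_id]
        ident.roles = {new_role}   # replace the old role; don't accumulate its access
        self._apply(ident)
        return ident

    def leaver(self, user_id: str) -> Identity:
        ident = self.identities[user_id]
        ident.active = False   # account disabled: every entitlement is revoked
        self._apply(ident)
        return ident
```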
3. Threat Intelligence
Prakash Nagpal: Say a masked man walks into a bank. While he appears to be an obvious threat, the police can’t arrest him until they know who he is, what his intentions are and how he got past security. Threat intelligence is a product capability that answers these questions about potential threats on a network.
The information provided by threat intelligence provides context about what the threat is, the potential impact, what failed to block it, where it came from and how to resolve it.
Kurt Roemer: Threat intelligence is a service that identifies relevant known “bad actors” that can reasonably be anticipated to affect confidentiality, integrity and/or availability. Information is correlated from multiple probes across the globe that recognize and report the threats associated with these attacks, and deliver the bad news via an information feed or through a portal.
Scott Montgomery: Think about threat intelligence like a credit bureau and your credit rating. There are a number of different credit bureaus, just like there are different information security and privacy vendors with useful information. Imagine that you’re trying to decide whether or not to give someone a loan. You’d want to know a variety of different things that credit bureaus track, such as:
- Does the person owe more than they earn?
- Do they pay their bills on time?
- How many other recent large loans have they taken out?
- Have they defaulted on loans in the last seven years?
- Have they gone bankrupt in the last seven years?
Threat intelligence gives you the ability to learn what to expect from a variety of Internet entities, such as IP addresses, domain names and URLs. When you allow something to connect to your network, you have the right to know everything there is to know before allowing that connection. McAfee and other threat intelligence brokers can answer various types of “credit bureau” questions based on what’s been observed about particular Internet entities.
Michael Fimin: Threat intelligence is a combination of products and services that allow users to analyze different sources of data and determine events that could lead to a security breach (or analyze an event that has already happened). In order to achieve the goals of Threat Intelligence, you may have to buy software products and pay for services (e.g. hire a consultant or managed service provider) to do the job.
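As an added example (not code from the article or from any feed vendor), here is the "credit bureau" lookup in working Python: records from two constructed feeds are correlated for one Internet entity, and the verdict depends on how many independent sources report it, how confident they are, and how recently. The addresses use documentation ranges and the feed names are made up.

```python
"""Added example (not from the article): correlating records from several
threat intelligence feeds into a "credit bureau" style verdict for one
Internet entity (IP, domain or URL). Feed names and records are constructed
for illustration using documentation address ranges; none are real indicators."""
from datetime import date

# Constructed feed records: (entity, category, confidence 0-100, last_seen ISO date)
FEEDS = {
    "feed-a": [
        ("203.0.113.7", "c2", 90, "2014-04-08"),
        ("example.test", "phishing", 60, "2014-03-30"),
    ],
    "feed-b": [
        ("203.0.113.7", "scanning", 70, "2014-04-09"),
        ("198.51.100.20", "spam", 40, "2013-09-01"),
    ],
}

def reputation(entity: str, feeds: dict, today: str, stale_days: int = 90) -> dict:
    """Answer the bureau questions: who reports it, for what, how confidently, how recently."""
    t = date.fromisoformat(today)
    hits = []
    for source, records in feeds.items():
        for ent, category, confidence, last_seen in records:
            if ent != entity:
                continue
            age = (t - date.fromisoformat(last_seen)).days
            hits.append({"source": source, "category": category,
                         "confidence": confidence, "age_days": age})
    recent = [h for h in hits if h["age_days"] <= stale_days]
    if not recent:
        verdict = "stale" if hits else "unknown"   # old reports alone don't justify a block
    elif len({h["source"] for h in recent}) >= 2 or max(h["confidence"] for h in recent) >= 85:
        verdict = "block"      # independently corroborated, or one high-confidence source
    else:
        verdict = "review"     # a single, moderate report: worth a look, not an automatic block
    return {"entity": entity, "verdict": verdict,
            "sources": sorted({h["source"] for h in recent}),
            "categories": sorted({h["category"] for h in recent}), "hits": hits}

if __name__ == "__main__":
    for e in ("203.0.113.7", "example.test", "198.51.100.20", "192.0.2.1"):
        print(reputation(e, FEEDS, "2014-04-10"))
```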
Who are these solutions for?
Although every business needs to think about security, the solutions defined here may not apply to every business. For instance, IAM solutions are usually better suited to large organizations.
As security expert Tim Singleton points out in our guide to business security software: “If someone walks into a small business and starts typing on a computer, everyone knows if they’re an intruder or not. If that happens at an enterprise, everyone assumes they have a right to be there. So small businesses and large businesses do face different security challenges from that point of view.”
However, Nagpal stresses that all businesses need to think about the issues these tools are designed to resolve, and says that IAM can be “simple or sophisticated, and will depend on the sophistication or importance of the information being protected.”
NAC can also be simplified, says Nagpal, and not every business will need to invest in a separate system. For instance, small organizations “may have only one computer and will require access control for its single router. In a case like that, NAC may already be built into the router.”
As for threat intelligence, Nagpal says: “There are two types of organizations in the world: those that have been compromised and know it, and those that have been compromised and don’t know it. Those that have been compromised require threat intelligence in order to react faster and prevent it from happening again. Those that don’t know they’ve been compromised need it so they can learn what threats they face and what compromises have been happening.”
Perhaps it can all be summed up with a few parting words from Confucius: “He that would perfect his work must first sharpen his tools.”
Meet Our Experts
Prakash Nagpal is senior VP of marketing and product marketing at Narus. Prior to joining Narus, Nagpal was responsible for strategy, product and channel marketing at Actelis Networks, an innovator for ubiquitous broadband delivery. Nagpal has an MBA from Cornell University and a master’s in computer science from the University of Louisiana at Lafayette.
Scott Montgomery is the VP and CTO of public sector for McAfee. He runs worldwide government certification efforts and works with industry and government thought leaders and public sector customers worldwide to ensure that technology, standards and implementations meet information security and privacy challenges. His dialogue with the market helps him drive government and cybersecurity requirements into McAfee’s products and services portfolio and guide McAfee’s policy strategy for the public sector, critical infrastructure and threat intelligence.
Kurt Roemer, chief security strategist for Citrix, leads the security, compliance, risk and privacy strategies for Citrix products, and is a member of the Citrix CTO Office. An information services veteran with more than 20 years’ experience, his credentials include the Certified Information Systems Security Professional (CISSP) designation, and he served as commissioner for the U.S. public-sector CLOUD2 initiative.
Michael Fimin is CEO of Netwrix, a leading provider of change and configuration auditing solutions for optimizing organizational security, governance and compliance. An enterprise IT visionary, he is an accomplished expert in IT change and configuration best practices. Prior to joining Netwrix, Fimin held several key positions at Quest Software (later acquired by Dell), driving the company’s top-selling security and compliance product.
Curt Aubley is the VP and CTO of the Americas for McAfee. He’s responsible for thought leadership, technical vision and strategy to help deliver innovative, intelligence-driven cyber solutions for the North and South American markets. He leads cross-McAfee initiatives on securing cloud computing and developing emerging technologies that deliver end-to-end, adaptive security and intelligence to protect critical infrastructure both within and across sectors.
Confucius (551-479 BC) was an ancient Chinese thinker and educator who developed the social and political philosophy that bears his name and which is still highly influential in China. His life and thoughts are recorded in the Analects, which was compiled by his disciples shortly after his death.