File: Ещё одна посылка от Водяхо / [Judith_Hurwitz,_Robin_Bloor,_Marcia_Kaufman,_Fern(BookFi.org).pdf

Chapter 16: IT Security and Service Management 197

Taking a Structured Approach to IT Security

Most people in IT security know that the best they can do for any computer network is significantly reduce the risk of a successful attack. Therefore, IT security is an exercise in risk management.

In general, follow these steps to reduce the risk of suffering security breaches:

1. Authenticate all people accessing the network.

2. Frame all access permissions so that any given user has access only to the applications and data that she’s been granted specific permission to access.

3. Authenticate all software running on any computer — and all changes to such software.

   You need to automate and authenticate software patches and configuration changes, as well as manage security patches in a proactive way.

4. Formalize the process of requesting permission to access data or applications.

5. Monitor all network activity, and log all unusual activity.

   In most cases, you should deploy intruder-detection technology.

6. Log all user activity and program activity, and analyze it for unexpected behavior.

7. Encrypt, up to the point of use, all valuable data that needs extra protection.

8. Regularly check the network for vulnerabilities in all software exposed to the Internet or external users in any way.

If you read these steps and don’t think that they’ll be too hard to carry out, you don’t know how complex it is to implement all these rules across a large network. Very few networks come close to this level of protection.

The reality of IT security is that point solutions usually are put in place to cover specific vulnerabilities. Thus, companies use firewalls to protect the internal network from the Internet, antivirus software to protect individual computers against known viruses, and VPNs to protect external connections coming into the network. Such security products reduce the risk of specific threats but don’t constitute an integrated approach to IT security. Right now, that approach doesn’t exist outside the realm of government organizations such as the National Security Agency, and it may not exist inside such organizations, either.

198 Part IV: Nitty-Gritty Service Management

But some important products can make a significant contribution to building an integrated IT security platform. They come in three categories:

- Identity management

- Detection and forensics

- Data encryption

We discuss these products separately in the following sections.

Implementing Identity Management

We discuss identity management systems in conjunction with the configuration management database in Chapter 18, focusing on the way systems capture data for use by other service management applications. The role of an identity management system is much wider, of course.

Identity management’s primary goal is managing personal identity information so that access to computer resources, applications, data, and services is controlled properly. Identity management is the one area of IT security that offers genuine benefits beyond reducing the risk of security breaches.

Benefits of identity management

The benefits of identity management come in three flavors:

- Improved security: Such security improvements clearly have some financial value by virtue of the security breaches they prevent, but attaching a meaningful figure to that value is difficult.

- Directly reduced costs: Direct cost reductions come from the following benefits:

  - Improved user productivity: Productivity improvement results from simplification of the sign-on interface (see “Single sign-on,” later in this chapter) and the ability to get access rights changed quickly. Productivity is likely to improve further where you provide user self-service.


  - Improved customer and partner service: This benefit is the same as the simplified procedures described in the preceding paragraph, but delivered to partners and customers.

  - Reduced help desk costs: Reductions in help desk costs usually contribute significantly to overall cost reduction, mostly because IT doesn’t have to field so many calls about forgotten passwords.

  - Reduced IT costs: Identity management enables automatic provisioning — providing or revoking users’ access rights to systems and applications. Provisioning happens whether you automate it or not. When provisioning is manual, normally it’s carried out by members of the IT operational staff or departmental staff. Considerable time and cost savings are possible when you automate the process (see “Provisioning,” later in this chapter).

- Compliance: If your company must meet IT security compliance, identity management will inevitably help in that area.

Aspects of identity management

In this section, we cover the various aspects of an identity management program.

Data collation and management

Identity data generally is scattered around systems. Establish a common database or directory as a first step in gaining control of this information. This step involves inputting data and gathering data from various user directories.

Integration

An identity management system must integrate effectively with other applications to exchange identity information. In particular, it must have a direct interface to the human resources system — the place where new joiners and leavers are first recorded. It also must have a direct interface with supply-chain systems (if partners and suppliers are to use corporate systems) and customer databases (if customers require access to some systems), although customer identity management normally is handled by a separate component of an identity management system.

Stronger authentication

When you require authentication stronger than passwords, the identity management system must work with products that provide that authentication, such as biometric systems (fingerprints, handprints, iris verification, and the like) and identity token systems.

Provisioning

When you link all systems that use identity information, you can automate provisioning. If this process is automated, a single status change (of an employee or anyone else with access rights) can be defined in the identity management system and sent across all affected systems from that point.

Implementing a new application or changes in department business processes may affect the access requirements of individual users or user roles. Provisioning cuts across departments, possibly involving human resources, IT, and other departments.

When the process is automated, errors in providing users a broader level of access than necessary occur far less frequently or not at all. Providing broad levels of access happens frequently in manual provisioning, because it’s easier to specify broad access than to specify a much more detailed granular level of access. Additionally, an automated process never fails to revoke former employees’ access to the network.

When provisioning is complex, perhaps requiring approvals by several people in different departments, it requires a workflow arrangement. Ideally, you base the provisioning process on user self-service backed by a well-thought-out approval process.
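To make the automated provisioning described above concrete, here is an added example in Python (not code from the book): the HR feed is the source of truth, access is derived from roles rather than granted to individuals, and the engine reconciles that against what the connected systems actually grant, so it catches a leaver who is still provisioned, a manual over-grant, and an orphan account with no HR record. The role, system and permission names and the feed format are assumptions.

```python
# Added example, not from the book: automated provisioning driven by the HR
# joiner/leaver feed and role definitions, reconciled against the access each
# system actually grants. Roles, systems and permissions are constructed.
from dataclasses import dataclass, field

ROLE_ENTITLEMENTS = {  # role -> set of (system, permission) it may hold
    "accounts_clerk": {("erp", "ledger_read"), ("erp", "invoice_post")},
    "sales_assistant": {("crm", "read"), ("crm", "write")},
    "programmer": {("git", "push"), ("ci", "run")},
}

@dataclass
class Person:
    user: str
    status: str                          # "active" or "left", as HR reports it
    roles: set = field(default_factory=set)

def desired_access(person):
    """Access derived purely from roles; a leaver is entitled to nothing."""
    if person.status != "active":
        return set()
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in person.roles))

def reconcile(people, current):
    """Compare HR-derived access with what each system currently grants.
    current: user -> set of (system, permission). Returns (grants, revokes)
    per user; an account with no HR record is treated as a leaver."""
    by_user = {p.user: p for p in people}
    grants, revokes = {}, {}
    for user in set(by_user) | set(current):
        want = desired_access(by_user[user]) if user in by_user else set()
        have = current.get(user, set())
        if want - have:
            grants[user] = sorted(want - have)
        if have - want:
            revokes[user] = sorted(have - want)
    return grants, revokes

# Constructed sample: one HR feed and one snapshot pulled from the systems.
HR_FEED = [
    Person("alice", "active", {"accounts_clerk"}),
    Person("bob", "left", {"programmer"}),           # left, still provisioned
    Person("carol", "active", {"sales_assistant"}),  # new joiner, nothing yet
]
CURRENT_ACCESS = {
    "alice": {("erp", "ledger_read"), ("erp", "invoice_post"), ("crm", "write")},
    "bob": {("git", "push"), ("ci", "run")},
    "dave": {("crm", "read")},                       # no HR record: orphan
}
```

Running reconcile(HR_FEED, CURRENT_ACCESS) grants carol her two CRM entitlements and revokes alice's CRM write (a manual over-grant her role never allowed), all of bob's access, and dave's orphan account.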

Single sign-on

Single sign-on means providing all users an interface that validates identity as soon as a user signs on anywhere; this interface requires the user to enter a single password. Thereafter, all systems should know the user and her permissions.

Some single-sign-on products don’t provide the full gamut of identity management capabilities, but all identity management products deliver single-sign-on capability.

Rather than being assigned to individuals, permissions are often assigned to roles (accounts clerk, sales assistant, programmer, and so on). Therefore, single sign-on also means capturing information about the administration hierarchy. Single sign-on naturally goes with portal technology, with the user having a Web-based initial interface that provides access to all applications that he’s entitled to access. Thus, single sign-on may need to interface with a portal product.
