FOR: The level of policy enforcement is unsurpassed, ensuring that all employees only have the access they require.

AGAINST: The lengthy roll-out process may dissuade some companies from adopting the product. [Ed note: Access360 points out that roll-out is dependent on the organization and its goals.]

VERDICT: An extremely powerful policy enforcement system, enRole is an ideal way of keeping track of employees' roles and responsibilities and enforcing business practices.

User access has become a major headache for organizations today. Even as recently as 10 years ago, keeping track of your employees was a relatively simple exercise; it was unlikely that you would have more than a hundred or so people on your network, which was small and self-contained. Not only that, but staff turnover was far lower than it is today; the concept of 'jobs for life' permeated many companies, and roles and responsibilities changed infrequently, if at all.

Today, the situation is very different. The idea of a job for life evaporated a good few years ago, and the corporate network has been forced to expand to include distributed WANs and the Internet. Throw remote access and a high level of freelance employment into the mix, and you have a recipe for disaster. What happens when you employ someone to work in a sensitive area of your company for a few months? How do you ensure that they cannot misuse that access after they have left? Indeed, how can you ensure that they don't misuse it while they are still there?

Blanket security is no longer the answer; even in the same department, different users have different responsibilities and therefore require different levels of access. Managing access in today's business environment now requires the strict enforcement of a security policy, but in many cases this is, in practice, well beyond the abilities of even the most skilled network administrator.
How do you make sure that employees have the correct level of access to the correct network resources? How do you keep track of changing responsibilities among a changing workforce? This is the problem that Access360 is addressing with its enRole product.

enRole is a policy-based access rights provisioning system, an impressive way of saying that it enforces a company's security policy (indeed, it forces a company to have such a policy in the first place) by ensuring that all user access to every part of the network is validated. This also includes external access, which adds a level of protection to extranets, which have always been a worrying weak link in any corporate network.

Installation is far from easy, but that is to be expected when rolling out a system of this complexity. It requires a large amount of forward planning, but companies which intend to install enRole are effectively instigating a full-scale overhaul of their security policy, which is never a bad thing. One estimate is that it can take up to six weeks to get enRole up and running in a medium-sized company; but if that six weeks means that you have added an extra level of security to your business, it is time well spent.

One of the first tasks is to run a complete audit of the network, seeing who has access to what. According to Access360, this can be something of an eye-opener for many companies, as they discover passwords and access rights belonging to long-departed employees, or employees with access to systems they have no right to go near. Indeed, Access360 claims that this audit often finds that up to 30 percent of all account profiles are invalid.

Once a company has become painfully aware of its security shortcomings, it is time to begin formulating the security policy. This is a question of defining job functions or roles that accesses are associated with via policy, and then assigning users to roles.
This is the lengthiest part of the process, but one that has to be done properly or else everything that follows is a waste of time.

The actual installation of the software is far from difficult. enRole is effectively a client-server product, with the central enRole server coordinating with agents across the entire network. Access360 offers over 40 agents tailored for a variety of different platforms and network resources; these include the majority of operating systems, and most major applications such as Lotus Notes and Microsoft Exchange. This client-server model means that any access changes can be specified at the server level, and automatically rolled out across the network. The agents keep in constant communication with the server, allowing the administrator to see exactly who is doing what, or attempting to do what, across the entire network.

Once the policy has been defined and enRole installed, it is simply a matter of ensuring that the employee access records are kept up to date. enRole will only allow user profile updates if the person updating them is authorized to do so. From this point on, all user access is strictly enforced by the policies that have been put in place, and a complete audit trail is produced. This is especially important for companies that need to demonstrate the level of security they have in place, such as those with government contracts or which require certain quality assurances with business partners.

Documentation was a little disappointing. Each agent comes with a guide in PDF format, but the ones that we looked at were far from readable, with stilted and frequently impenetrable text. However, enRole is not the sort of product that you would install without considerable support from the vendor or an independent consultant.

Despite the need for considerable planning before full implementation, enRole is replete with functionality and the complete answer for any company that needs to track employee access.
And in today's world, that means you.
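
The account audit and role-to-policy mapping described in the review can be sketched as follows. This is an added example, not Access360's code or enRole's data model: it reconciles accounts collected from each platform against an HR roster and a role policy, and every user name, role and entitlement string is constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumption): role -> entitlements the policy grants.
ROLE_POLICY = {
    "payroll_clerk": {"hr_db:read", "payroll_app:use"},
    "sysadmin": {"unix:root", "exchange:admin"},
    "contractor_dev": {"source_repo:write"},
}
# Constructed roster: user -> (role, contract end date or None for permanent staff).
HR_ROSTER = {
    "asmith": ("payroll_clerk", None),
    "bjones": ("sysadmin", None),
    "cwu": ("contractor_dev", date(2001, 3, 31)),
}
# Constructed inventory: (account owner, entitlement) as found on each platform.
ACCOUNTS = [
    ("asmith", "hr_db:read"), ("asmith", "payroll_app:use"),
    ("asmith", "unix:root"), ("bjones", "unix:root"),
    ("cwu", "source_repo:write"), ("dlee", "exchange:admin"),
]

def audit(accounts, roster, policy, today):
    """Flag entitlements that the roster and role policy do not justify."""
    findings = []
    for user, entitlement in accounts:
        record = roster.get(user)
        if record is None:                       # no such employee: departed or unknown
            findings.append((user, entitlement, "orphan"))
            continue
        role, end = record
        if end is not None and end < today:      # contract is over, access remains
            findings.append((user, entitlement, "expired"))
        elif entitlement not in policy.get(role, set()):
            findings.append((user, entitlement, "excess"))
    return findings

def missing_grants(accounts, roster, policy, today):
    """Entitlements the policy grants to an active user that no account provides."""
    held = set(accounts)
    missing = []
    for user, (role, end) in roster.items():
        if end is not None and end < today:
            continue
        for entitlement in sorted(policy.get(role, set())):
            if (user, entitlement) not in held:
                missing.append((user, entitlement))
    return missing

def invalid_ratio(accounts, findings):
    """Share of observed entitlements that failed the audit."""
    return len(findings) / len(accounts) if accounts else 0.0

if __name__ == "__main__":
    today = date(2001, 6, 1)
    result = audit(ACCOUNTS, HR_ROSTER, ROLE_POLICY, today)
    print(result, missing_grants(ACCOUNTS, HR_ROSTER, ROLE_POLICY, today))
    print(f"{invalid_ratio(ACCOUNTS, result):.0%} of entitlements invalid")
```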

SC On-Line

Copyright © West Coast Publishing. All rights reserved.