Nevis Networks: Best Practices in LAN Security Across the

Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
A White Paper Prepared for Nevis Networks
June 2006
Table of Contents
Executive Summary.............................................................................................................................................................................1
Common Themes of Regulatory Requirements............................................................................................................................1
Cost-Effective Compliance: Meeting Multiple Requirements across the Regulatory Spectrum...........................................2
Processes..........................................................................................................................................................................................3
Controls............................................................................................................................................................................................3
“Audit-worthiness”.........................................................................................................................................................................4
Compliance and Nevis Networks’ LAN Security Solution..........................................................................................................5
Process..............................................................................................................................................................................................5
Process to Implement Trust Groups.....................................................................................................................................5
Process to Add and Change Users Dynamically ...............................................................................................................6
Process to Control Threats......................................................................................................................................................6
Process to Define and Protect Secure Assets .....................................................................................................................6
Control..............................................................................................................................................................................................7
Endpoint Admission................................................................................................................................................................7
User Authentication ................................................................................................................................................................7
Dynamic Access Control.........................................................................................................................................................7
Secure Asset Definition............................................................................................................................................................8
Threat Identification and Prevention....................................................................................................................................8
Audit..................................................................................................................................................................................................8
Identity-driven Policy Enforcement......................................................................................................................................9
Traffic Monitoring.....................................................................................................................................................................9
Audit Reports.............................................................................................................................................................................9
EMA’s Perspective................................................................................................................................................................................9
Appendix A: Nevis Networks Regulatory Support – Sarbanes-Oxley....................................................................................11
Appendix B: Nevis Networks Regulatory Support – SB 1386 (California Law on Notification of Security Breach)...14
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
Executive Summary
With every passing year, the need to comply with a maze
of state, federal and even international regulations becomes a more pressing concern for companies around
the world. The issue may be customer or patient privacy;
safeguarding the integrity of the organization’s financial
results, or protecting customers or businesses from financial fraud. Not only are there more regulations each
year, but the penalties (either in the form of bad publicity, a drop in stock price, outright fines or even jail times
for executives) become more immediate and severe.
The requirements of various rules can overlap, creating
multiple mandates for the same organization. For example, the privacy requirements of the Health Insurance
Portability and Accountability Act (HIPAA) apply to
healthcare providers, healthcare insurers and related organizations that are also governed by industry-specific
regulations at the state and other levels. If an organization is involved in both health care and financial services
(say, a health care insurer) it is governed not only by
HIPAA but by the privacy requirements of the GrammLeach-Bliley Act (GLBA). If any of these companies
are publicly traded in the US, the requirements of the
Sarbanes-Oxley Act (SOX) may apply as well.
Regulatory requirements can also cross borders in unexpected ways. Although the many privacy measures
enacted by governments from U.S. States to national and
even international bodies such as the European Union
have much in common, they pose a significant challenge
to subject entities who must comply with multiple overlapping rules. Even harder than complying with a single
standard imposed by one jurisdiction is complying with a
mosaic of different laws in many different jurisdictions.
Finally, the need to ensure compliance is an ongoing,
weighty responsibility. Not only do some regulations require regular, scheduled audits to prove compliance, but
each organization’s compliance record is only as good
as the last transaction it performed, the last customer
record it archived or the last patient record it encrypted
before storing off-site.
In order to prioritize their compliance efforts on the
most pressing issues, and to acquire solutions that address multiple regulatory needs, organizations must
recognize the common requirements underlying many
different rules and regulations. These common requirements include:
• D
efined and enforceable business standards, policies and processes;
• S ubversion-resistant controls for their enforcement, and;
• R
ecords and reports that demonstrate continuous
compliance with these policies and processes.
Above all, compliance is all about defining, assuring,
enforcing and proving compliant behavior. This dictates
that processes, controls and demonstrations of effectiveness must be as specific to individuals as possible
and must extend enforcement throughout the entire
time that any individual has access to regulated information resources. Solutions are beginning to emerge with
powerful features to assure that each user has access to
only the proper information, and can execute only appropriate actions, for the entire time he or she is on the
corporate network.
In this paper, Enterprise Management Associates
(EMA) examines the broad requirements of regulatory
compliance and how the Nevis Networks product set
represents a front-line solution for providing the necessary levels of highly granular, continuous real-time
enforcement. Executives will gain an understanding of
how Nevis Networks LAN security systems provide
a part of the solution that helps an enterprise achieve
and continuously improve compliance with multiple,
evolving regulatory requirements. The Appendix of
this paper provides a detailed look at examples of how
Nevis’ solution helps to support compliance with the
Sarbanes-Oxley Act and the privacy breach notification
law known as California Senate Bill 1386—two of the
most significant mandates affecting IT today.
Common Themes of Regulatory
Requirements
As powerful information systems, databases and the
World Wide Web have become potent tools in our everyday lives, it is only natural that concerns would arise—
often with justification—about the improper use of
those systems and the data contained in them. This contradiction—the need to make information ubiquitously
available, and the conflict of this need with concerns
about information misuse—is one reason why regulatory compliance can be such a confusing challenge.
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
Privacy regulation is a prime example. Customers paying their bills online, checking their email from a coffee
shop or ordering a specialized product they could only
have found on the Web, all are benefiting from their
ability to leverage personal information (such as passwords and credit card numbers) over the Internet. This,
however, poses significant risk that personal information may be stolen, compromised or otherwise misused.
In response, initiatives such as California Senate Bill
1386 requires any company, no matter where it is located, to disclose the loss or theft of personal information of any customer who is a California resident. That
means, conceivably, that the name, physical address and
email resident of a Californian who registered to download a product or service from the Web could come
back to haunt a corporation in Europe or Asia. The
Personal Information Protection Act passed in Japan
in 2003 may, similarly, affect companies doing business in Japan (particularly those in the medical, financial credit, and telecommunication industries); as may
the European Union’s Data Protection and Electronic
Communications Privacy Directives.
been fined $100 million for violating U.S. AML restrictions on currency exchange with countries under sanction, through the concealment of prohibited transactions
in financial reporting. Clearly, there is a role for tools
that can enforce access to such sensitive IT resources
with high granularity, and with credibility that can stand
up to the rigors of today’s stringent regulatory audits.
Governments are not the only entities defining what
rules businesses must comply with in order to operate.
Recognizing the threat to electronic transactions posed
by attacks that increasingly have material objectives in
view, credit and debit card companies have issued their
own Payment Card Industry (PCI) data security standard, responding to initiatives such as Visa’s Cardholder
Information Security Program (CISP) that mandate requirements for securing card information whenever it is
obtained, used or transmitted.
Choosing a different compliance tool to meet each of
these different and often overlapping requirements
quickly becomes highly inefficient and cost-prohibitive.
A more cost-effective route is to select tools that can
satisfy a broad range of requirements.
Financial controls are a parallel example. Financial
mismanagement by a few firms led to broad investor
Cost-Effective Compliance: Meeting
accountability mandates such as the Sarbanes-Oxley
Multiple Requirements across the
Act. While SOX requires strict controls over financial
Regulatory Spectrum
systems and processes, it is again the behavior of those using information systems that
Processes
• Strategic Planning
SOX seeks to control. In order to be ef• Risk Assessment
fective, such control must govern behavior
• Policy Definition
• Business Process Workflows
during the entire time a legitimate, authen• Incident Response
• Control Management
ticated user has access to the system, since
sensitive corporate information is at risk
of being manipulated not just by hackers,
but any person with access to the company
network, from rank-and-file staff to senior
executives. A similar requirement applies to
network and system administrators, as well
as security managers, to ensure they can“Audit-Worthiness”
Controls
not abuse their positions of trust either to
• Policy Documentation
• Separation of Duties
• Compliance Monitoring
• Division of Responsibilities
commit wrongdoing or to open the door
• Exception Alerting
• Segregation of Resource Access
• Control Effectiveness Reporting
• Policy Enforcement
for others to do so. The rise of terrorism is
• Process Workflow Tracking
• Data Privacy and Security
• Incident Response Documentation
having a similar effect, in the form of the
Anti-Money-Laundering (AML) provisions
Figure 1: An overview of the compliance lifecycle. Requirements common across multiple regulatory
such as those of the USA PATRIOT Act.
initiatives are summarized. The Nevis Networks solution addresses each of the three primary
At least one international bank has already
compliance domains of process, control and “audit-worthiness,” with comprehensive, granular and
detailed capabilities in each domain to satisfy a wide range of regulatory requirements.
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
The best way to choose such tools is to focus first not
on the complex requirements of each rule or regulation,
but on the most critical requirements across a range of
mandates that are most relevant to an IT organization.
In general, they revolve around Processes, Controls and
“Audit-worthiness.”
Processes
In essence, regulatory requirements are broadly applicable statements of policy, and policies are ineffective
without well-defined processes to implement and enforce them. Such processes are key to compliance with
corporate governance requirements such as SOX, as
well as for the creation of necessary internal corporate
controls. There are two key areas of compliance-relevant
process: the definition of specific compliance-related
business processes that are consistent with regulatory
policy; and ongoing management of those processes.
Proper definition of business processes is crucial to
ensure they are in accordance with the relevant corporate governance policies and external regulations, and
to ensure that the proper access control and separation
of duties and divisions of responsibilities are spelled
out. Users must be accurately identified, along with their
roles, attributes and the types of information to which
they should be allowed access. The same is true for the
resources (the data and application services) to which
they are allowed access. Again, the stress should be on
defining, managing and controlling a user’s behavior
for the entire time they are connected to the corporate
network, not just on properly authenticating them at the
point of access.
The next step is to define the processes for provisioning
those resources, or making them available to employees,
customers or business partners when such access is appropriate. These processes must be clear and enforceable, yet flexible enough to allow the business to meet its
changing strategic needs. These processes should extend
through the lifetime of the resource, allowing for the ongoing creation, modification, suspension, revocation and
retirement of resources as well as the privileges accorded
to their use. They should also be highly granular and as
individually specific as both regulatory and corporate
requirements may demand, allowing for the fine-tuning
of controls, roles, and the appropriate segregation of
users, resources and communication channels based on
new or changing compliance or business requirements
as they emerge. Finally, in order to prevent compliance
breaches to the extent possible, these processes must be
enforceable through real-time controls, implemented
in the information technologies that enable access to
controlled resources. This highlights an area in which
IT can aid specifically with compliance-relevant process
management: in the automation of process events in IT
resources themselves.
Once they are defined, these processes must be managed,
on an ongoing basis, from the time they are created until
they are retired. This requires mechanisms that provide
an overview of the current state of processes, as well
as top-level controls on how policies and processes are
defined and managed.
Controls
The enforcement of controls is central to virtually all
regulation, and is particularly important in mandates
such as Section 404 of SOX. Section 404 is particularly
important to IT organizations because it requires the
implementation of a control framework and processes for
financial reporting, and the regular assessment of the
effectiveness of that framework by corporate management required by SOX Section 302. An example of a
framework was given in the SOX compliance rules issued by the US Securities and Exchange Commission
(SEC), which makes specific reference to the recommendations of the Committee of the Sponsoring
Organizations of the Treadway Commission (COSO)—
a SOX precursor—directly related to the preparation
of financial statements and the safeguarding of assets.
One of the most popular SOX control frameworks is
the IT Governance Institute’s Control Objectives for
Information and related Technology (COBIT). In its
guidance on SOX IT control objectives, the ITGI describes how multiple guidelines such as ISO 17799 best
practices in information security and IT Infrastructure
Library (ITIL) IT governance standards map to SOX
control requirements, as well as to COSO and COBIT.
The control requirements of these and many other
mandates range from the proper separation of duties
and the division of responsibilities among employees
required by SOX as well as the Basel Capital Accords
(“Basel II”), to controls on access to privileged information supported by an appropriate level of authentica©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
tion, and the creation of clearly defined roles, rights and
responsibilities for information consumers. Such access
is controlled within the healthcare industry by both
the privacy and security rules of the Health Insurance
Portability and Accountability Act (HIPAA). Controls
on access to personal information that could lead to
financial losses—personal as well as corporate—are
also mandated by initiatives such as the Payment Card
Industry (PCI) Data Security Standard, while international regulations such as the EU Data Privacy Directive
and Japan’s Personal Information Protection Act (PIPA)
mandate similar controls to protect personal information. Such protections are preventive measures for
mandates such as California SB 1386, which requires
disclosure in the event of unauthorized access to the
unencrypted personal information of Californians.
Implicit in the nature of IT controls is that they must
be effective throughout the entire time a network user,
endpoint or information consumer has the ability to access IT or information assets. Again, controls that focus
only on controlling initial access to the network are
inadequate. The real question that determines whether
compliance is effective is what happens once the user
is connected to the system. For example, a rogue trader
on the Singapore Exchange was able to hide the extent
of his abuses by reconciling his own trades. Proper controls on the separation of responsibilities for employees, and enforcement of those separate responsibilities
within the company’s information systems, could have
limited the abuse and perhaps saved the entire company
from failure.
From an IT perspective, enforcement of the proper
separation of duties and division of responsibilities can
be achieved through:
• T
he segregation of information users into groups
according to specific levels of trust appropriate to
each group (so-called “trust groups”);
• E
nforcing limitations on access to specific information resources to a specific trust group, and;
• M
onitoring enforcement and alerting on events
when exceptions are detected, and ideally, when
they are attempted.
Risk is not just the unmanaged or inappropriate activities
of users who were assumed to be trustworthy but who
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page are not. It also includes vulnerabilities that employees or
outsiders can unwittingly introduce into the corporate
network, such as worms or Trojans that take advantage
of a legitimate user’s current (and authenticated) session
to exploit gaps in enforcement. Increasingly, these types
of attacks also threaten the confidentiality, integrity, and
security of personal or business-critical information
itself, exposing it to breach of privacy, abuse, or even
outright destruction.
For all these reasons, it is clear that controls must be
real-time, end-to-end and comprehensive in order to
prevent compliance breaches from occurring. Once an
event occurs, controls that are limited to reactive response may have lost the opportunity to avoid a compliance breach. Indeed, after-the-fact controls may actually
allow the precipitation of a compliance event, such as a
privacy breach that would require public disclosure as in
the case of SB 1386 requirements, with high potential
for resultant damage.
“Audit-worthiness”
To meet the demands of both external mandates and internal auditors, both access controls and the processes to
manage those controls must be auditable. Organizations
must be able to prove over time that policies and processes were followed and that controls in place were
adequate to enforce their compliance continuously.
Controls must have shown enough resistance to subversion to prove they achieve their aims, while process enforcement must demonstrate a high enough level of effectiveness and penalties to ensure compliance with the
mandates in question. Information resources, consumers, access methodologies and other subjects of compliance must be clearly and reliably identified. The reports
and “audit trail” must clearly correlate the existence of
mandated processes and controls with the information
resources, information consumers and access methodologies reported in actual operation. Alerting functions
must quickly notify managers of any attempts to subvert
controls and processes, and the audit must identify any
exceptions that were made to processes or controls, the
actions taken to ensure such exceptions did not violate
compliance guidelines, and how consistent exceptions
will be taken into account in the future.
Audit-worthiness goes beyond mere reporting and alerting to the transparent effectiveness of control. This means
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
outside regulators and internal auditors must find proof
of the ongoing, continuous, real-time effectiveness of
the process and controls sufficiently convincing in
order to demonstrate actual compliance. Activities must
be consistently documented with few or no breaks in
the audit trail throughout a process, enabling an auditor to choose the audit trail of virtually any control or
process at random and determine that compliance has
been consistent.
Compliance and Nevis Networks’ LAN
Security Solution
Up to now, most compliance solutions have focused
on controlling access to sensitive resources via user authentication. To achieve more comprehensive compliance, enterprises are often forced to add-in additional
software, security systems and monitoring tools. Since
regulators increasingly demand transparent, continuous,
real-time enforcement specific to each individual information consumer, the added complexity of a piecemeal
approach poses risks of its own. Enterprises require
consistency in the assurance of real-time policy & process adherence, continuous controls, simple compliance
process deployment and powerful audit features.
Nevis Networks’ LANenforcer™ ASIC-based LAN
security systems and LANsight security manager provide a comprehensive approach to locking down LANs
to help in meeting regulatory compliance mandates.
Together, LANenforcer and LANsight comprise Nevis’
LANsecure LAN security architecture. An in-line network system located at the user-access edge of the LAN,
LANenforcer provides multiple layers of security policy
processing to deliver real-time, continuous enforcement
and threat protection at the point of network connection, without compromise to application performance.
Nevis’ LANsight™ security manager provides centralized security policy configuration, monitoring, event
correlation, and reporting for LANenforcer™ systems.
Its dynamic, role-based policy management and reporting gives network administrators substantial control and
visibility into security-related user activity throughout
the LAN. LANsight is the IT interface for compliance
process definition, policy deployment and audit output.
Nevis’ LANsecure provides a simple, network-based
framework for implementing the policy enforcement
processes, controls and audits that help support compliance with many of today’s regulatory demands.
Process
Businesses are increasingly looking to solutions for
securing the LAN itself, because enforcement at the
point of connection represents one of the most direct
ways to help assure clear and policy-compliant business
processes throughout the enterprise network. Nevis’ architecture creates a framework for definition of specific
compliance-related business processes that are consistent with regulatory policy, and ongoing management
of those processes.
Specifically, Nevis’ LANsecure architecture enables the
following processes by providing appropriate control
points and audit records:
• Process to implement trust groups
• Process to add and change users dynamically
• Process to control threats
• Process to define and protect secure assets
Process to Implement Trust Groups
Regulations with emphasis on corporate governance
such as SOX have much in common with rules such as
Basel II: namely, the separation of duties and division of
responsibilities that assure adequate oversight and limits on the uncontrolled access of individuals that could
have an adverse effect on critical information resources.
These rules converge with data security mandates such
as the PCI Data Security Standard or the HIPAA Privacy
Rule, which require the enforcement of confidentiality
in the handling of sensitive personal financial or medical
information. This directly indicates the regulatory necessity of processes that segregate individual users into
specific trust groups.
Enterprises have trust groups of users already defined,
but many networks have not been able to fully extend
their value to network-wide policy enforcement. In such
cases, the network is at the mercy of user self-policing.
For example, some companies may state a policy of “third
party laptops are not allowed on our network”—but if
they have no mechanism for actually implementing this
stated policy, it is effectively, unenforceable. With the
LANsecure architecture, business groups immediately
become trust groups with access control policies. This
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
enables LANsight to directly extend the implementation of trust group definition and user provisioning
processes, integrating LANsight capabilities with those
of today’s sophisticated identity and access management
systems to retrieve group definitions and assign policies
to those groups. When a user is added via normal IT
processes, that user automatically receives access control
policies via LANsight.
Process to Add and Change Users Dynamically
Once trust group definition processes are established,
network security enforcement processes such as defining Access Control Lists (ACLs) for every switch port
via a command-line interface become intolerably brittle
when extended LAN-wide. Such unscalable approaches
effectively remove the LAN as an enforcement tool,
since very few enterprises would support such a cumbersome process for adding individual network user
access privileges, ensuring proper access to appropriate
resources, and restricting access from everything else.
LANsecure enables the enterprise to define networkwide processes for provisioning new users and giving
access to appropriate resources on the network. Users
are authenticated, along with their roles, attributes and
the types of information to which they should be allowed access.
Because policies are dynamically applied to users at
authentication time, LANenforcer provides a simple
process for authorizing third-party users such as contractors, consultants and guest visitors, ensuring their
ability to access relevant systems while restricting access
to everything else on the network. IT can configure
LANsight to assign specific access rights to each group
of non-employee users – some may be granted rights to
Internet only access; others may have access to a specific
server. Should third-party users be members of multiple
groups, LANsight takes the intersection of those two
groups and applies those to that user.
Process to Control Threats
Most regulatory mandates reference IT security best
practices such as the ISO 17799 guideline in shaping the
implementation of a security posture that enables the
enforcement of regulatory compliance. Initiatives from
SOX to the HIPAA Security Rule recognize the necessity for implementing threat controls in IT that address
the issues revealed in mandated risk and compliance gap
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page analysis. Increasingly, gaps in IT security pose a significant risk to sensitive information itself, with potential
compliance impact ranging from privacy law breaches to
violations of the PCI Data Security Standard.
In addition to its user and trust management capabilities,
the Nevis LANenforcer system offers a means for defining a comprehensive process for threat protection that addresses commonalities among these and other mandates.
Nevis allows the enterprise to introduce the following
six-step threat control process with a single appliance:
• E
ndpoint host system integrity check for ensuring
minimum levels of preventative security implemented on the network at all times
• User authentication and group policy enforcement
• T
raffic inspection for matching signatures of
known spyware, adware, bots, and worms
• T
raffic, protocol, and behavioral anomaly inspection for zero-day malware
• A
utomatic quarantine for known and unknown
threats
• N
amed user and named attack reporting to complete the threat containment cycle
Process to Define and Protect Secure Assets
In addition to requirements for segregating trust groups
and mitigating threats, many regulatory initiatives—particularly those concerned with protecting sensitive
information from theft or abuse—have common standards for defining and protecting information assets
themselves. This is at the heart of SOX requirements
for assuring sound financial reporting, while the HIPAA
Security Rule mandates the segregation of sensitive
patient data from other data resources in certain cases.
The necessity of protecting assets that house tangible
assets, meanwhile, is central to the PCI Data Security
Standard. As described above, Nevis provides the ability
for IT to define “secure assets” (those resources containing especially valued or sensitive data). In doing so,
LANenforcer encrypts the traffic between the users and
the resource with sensitive data, without the need for
endpoint software or for the user to initiate the encryption. Encryption occurs completely seamless to the user
based upon policy. In addition, LANsight keeps an audit
trail of all users access of the secure resource.
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
Control
Once compliant processes such as the risk and gap
analyses required by many mandates are carried out and
operational compliance processes defined, regulations
require controls to be implemented to assure the enforcement of compliance. All regulatory measures applicable to IT strive to control information and access to it.
To this end, the Nevis LANsecure architecture provides
highly granular controls on information and users on
the network. It is clear that control techniques must be
real-time, end-to-end, and comprehensive. LANsecure
employs a five-point approach to address information
resource control. These five components interact to
bring robust security controls to each endpoint on the
local area network:
• Endpoint admission control
• User authentication
• Dynamic access control
• Secure asset definition
• Threat identification and prevention
Endpoint Admission
The increased prevalence of threats that exploit sensitive information means that every endpoint on the network may present a point of regulatory risk, requiring
the enterprise to validate that systems attaching to the
network—especially those not owned by the company
itself—are appropriately controlled and protected. This
speaks to the requirements for threat protection mandated by all IT-relevant regulatory initiatives. LANenforcer
has the capability to check each machine, certifying antivirus, anti-spyware and OS patch levels before allowing
the system on the network.
Many endpoint compliance efforts fail because they are
intrusive to users. When, for example, client software
interferes with desktop applications or forces the user
into an unnatural or uncomfortable regime to get her or
his job done, controls are highly subject to subversion
as users seek ways to defeat them. With the LANsecure
architecture, controls are in the network, off the controlled host and therefore “clientless” and transparent to the end user, making them significantly more
resistant to subversion than client-based approaches
to information controls. In addition, Nevis takes the
additional step of allowing IT to specify that endpoint
security software scans take place at regular intervals
after a user gains access to the network. If a user, for
example, turns off their anti-virus software, they would
be placed into quarantine; similarly, if a critical patch
for anti-spyware is made available by the anti-spyware
vendor and the user does not download it, they would
also be quarantined. Reviewing the security posture of
each endpoint is required both prior to authorizing it
access to the network as well as during its access of the
network to best reduce risk.
User Authentication
The enforcement of user authentication and trust group
definition defined in the preceding discussion of compliance processes must rely on measures that enforce
compliant access controls. Most enterprise networks
today may be thought of as “anonymous” in the sense
that, once a user logs on, network traffic is typically
monitored only in terms of source and destination IP
address. This is subject to variability in highly common
dynamic addressing regimes, since addresses may change
each time a computer connects. The advent of authentication protocols such as 802.1X are important, but
many networks only use the authentication information
to allow general network access. While user groups may
be common to operating system environments or within
identity management regimes most commonly applied
to applications and systems, only rarely have network
trust groups been established to date, while network
policies may be inconsistently applied and network usage
may be completely unmonitored. With LANenforcer,
by contrast, users are not only authenticated, but they
are subsequently controlled by policy group, and their
activities tracked by user name.
Dynamic Access Control
Trust groups already exist within organizations. Business
units, functional roles, and information access policies
are typically defined and stored in a directory such as
ActiveDirectory or LDAP. The enterprise compliance
challenge is that network infrastructure has, up to now,
made little use of that trust group information. The
Nevis LANenforcer creates a transparent policy control
point that uses these trust groups for granular access
control. Each group member is explicitly authorized to
access appropriate resources. Users can be members of
multiple groups and LANenforcer will enforce the combination of those policies.
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
Because the system is deployed at the user-access edge
of the network, every user can be controlled individually
at every port on the LAN. Regardless whether the network is accessed by mobile employees or third parties,
access is authenticated, trust groups are identified, and
policies are automatically enforced.
Secure Asset Definition
Regulations can be highly specific regarding the information resources to be protected. Social Security and
driver’s license numbers, for example, are among the
most personally identifiable information, linking to data
ranging from personal credit history to health status.
Accordingly, resources that contain such information
are the focus of regulatory protections including the PCI
Data Security Standard, HIPAA Privacy and Security
Rules, California SB 1386. Similarly identifying information is the subject of privacy regulation worldwide. IT
assets are the repositories of such information, as they
are for sensitive financial reporting and critical liquidity
information subject, for example, to regulations such
as SOX and Basel II, respectively. The ability to specify
secure assets and enforce the policies that govern them
is thus central to IT compliance generally.
For example, to demonstrate due care of sensitive data
in the network, regulations such as the PCI Data Security
Standard, the HIPAA Security Rule, or preventive measures intended to limit the risk of privacy breaches that
would precipitate an SB 1386-mandated disclosure, may
call for end-to-end encryption to protect sensitive data
in transit. However the cost of Virtual Private Network
(VPN) concentrators and the complexity of IPSec VPN
configuration may prohibit many companies from taking action to meet these demands. With LANenforcer,
administrators simply identify network resources that
contain sensitive information. These resources are defined by Nevis as “secure assets.” When the user connects to a secure asset, 128-bit Advanced Encryption
System (AES)-encrypted IPSec VPN tunnels are automatically established transparently between the user access point and the secure asset. This reduces the need
for VPN clients, expensive dedicated devices, and many
problematic issues of cryptographic key management,
while helping to meet requirements for protecting compliance-sensitive information assets.
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page Threat Identification and Prevention
The commonality of threat mitigation requirements
among all IT-relevant compliance initiatives demand
more than access control. They seek to force corporations to manage compliance risks which may include
those posed by malicious software and hackers as well.
To this end the LANenforcer incorporates a robust
threat identification and prevention mechanism.
Intrusion detection systems have long used signatures
and traffic anomalies to identify attacks on a corporate
network. However, cost and performance issues may
impact the effectiveness of their deployment in the data
path at the security perimeter separating the trusted
enterprise LAN from untrusted public networks. The
Nevis LANenforcer extends a potentially more costand performance-effective, distributed threat identification and prevention approach to every endpoint on the
LAN at wire speed. With a LAN-focused signature set,
the LANenforcer identifies spyware, adware, “bots,”
Trojans, worms, and other attacks by name and associates them with the current user and system accessing
a given LAN port. To prevent unknown, zero-day attacks before signatures exist, the LANenforcer system
employs advanced traffic, protocol and behavioral
anomaly monitoring. Once detected, Nevis Labs supports LANenforcer deployments by quickly creating
signatures for zero-day attacks.
Threat control features of the LANenforcer give the
enterprise an ability to protect against malware, and
control many information leakage risks at the level of
each network-connected system, while simultaneously
reducing other significant threats such as spoofing and
session hijacking.
Audit
Organizations must be able to prove over time that the
controls and processes were in effect, and that they
worked. Common audit requirements may be quite
granular, as in the case of SB 1386, which requires
notification in the event of a privacy breach to specific
unencrypted personal data items such as first and last
name or driver’s license number. Audit records must
therefore clearly identify when and where such information is accessed, or if a breach of access control can
be established. Records retention policies may mandate
the maintenance of activity records for several years.
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
HIPAA, for example, requires covered entities to provide a record of all disclosures of health information to
any requesting individual for up to six years.
The audit capabilities of the LANsecure architecture provide high levels of visibility to the enterprise. Auditability
features are organized into three major areas:
• Identity-driven policy enforcement
• C
omprehensive traffic monitoring for complete
visibility
• Audit reporting for simple output
Identity-driven Policy Enforcement
With the LANsecure architecture, every user on the
LAN is authenticated and network usage is no longer
anonymous. When a security policy is violated, the
LANenforcer alerts IT in real time, by user name and
policy violation. For example, when a curious network
user probes for access to servers to which he is not authorized, administrators are immediately alerted of the
user’s name, the policy violated, and the server to which
access was attempted. As a result, administrators have
confidence that the assets are protected as processes
require, and that attempts to circumvent mandated processes have been identified and prevented.
Traffic Monitoring
Unlike traditional network LAN switches, the
LANenforcer secure access switch has the ability to
monitor all network traffic in real time. The event history this affords offers significant advantages for regulatory compliance purposes. For example, the information
can be used for detailed audit inquiries, such as what
a particular employee may have done during their last
two weeks with a company. It may also support general
policy enforcement reporting, such as documentation
of those who connected in a given quarter to a resource
to which only a specific executive group has access.
In addition, audit monitoring is configured automatically
when a system is defined as a secure asset. For systems
with critical data, the LANenforcer enables a straightforward mechanism to identify, encrypt, and audit all the
traffic to and from the asset.
Audit Reports
LANsight reports and audit trails simply document
that policies and processes were continuously enforced
across all information resources, information consumers
and access methodologies. User activities are similarly
documented continuously. This creates an environment
with no breaks in the audit trail throughout a process.
The LANsight system comes with preconfigured reports
that help answer key regulatory questions, such as: What
are the defined security policies and processes in place?
What is the evidence of their enforcement? Where have
violations been attempted, and what was done about
those attempts? All audit reporting identifies the user
name and relevant policies.
Since user names, assets, and IP addresses are searchable,
rapid and highly responsive compliance reporting is possible. Network usage is auditable by user name, end host,
application, server, time and duration of transactions.
EMA’s Perspective
Up to now, most companies have focused on regulatory penalties when estimating the cost of non-compliance. To estimate the average risk to which enterprises
are exposed, EMA calculated the averages of either the
maximum prescribed criminal penalty, or the penalties
imposed in actual cases, across six compliance domains
affecting corporate governance, financial services regulation and information privacy. It found the average
maximum criminal penalty in these cases was over US$5
million dollars. Taking a mere five percent of that figure
as an estimate for what the far more probable civil penalties would be (that is, for simply failing to comply as opposed to criminal intent) the annual risk to an enterprise
is still more than US$250,000—per mandate, per year,
since compliance is typically reckoned annually in many
cases. Particularly for industries faced with multiple requirements, this scale indicates just how serious an issue
compliance breach prevention has become.
Now that many compliance initiatives have been put
into effect, EMA expects that, in their annual reviews,
auditors will increasingly be looking for continuous improvement of compliance processes. That means enterprises need to extend their IT compliance efforts beyond one-size-fits-all authentication that simply grants
or denies users access to the network. In their annual
compliance reviews, auditors and outside regulators are
expected to look for increasingly granular, real-time,
continuous regulatory enforcement of the behavior of
each individual IT user or information consumer. The
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
intention of this level of granularity is to gain visibility
into non-compliant behavior as specifically as possible.
By definition, this granularity is most effective when it
pinpoints the behavior source itself. This highlights the
value of solutions that enforce security and compliance
policies at the point of network access.
Nevis Networks exemplifies the type of real-time,
continuous compliance enforcement solution that this
increasingly demanding regulatory climate will require,
not just to contain breaches and punish offenders, but to
achieve the actual aim of regulatory mandates: the prevention of non-compliance, before the fact, wherever possible.
By focusing on the point of network access, the Nevis
LANsight system not only enforces compliant behavior
by sharply defining access privileges and making all other
access unavailable, it provides a point of high leverage
and control for the management of a number of security and compliance risks, before they can reach the
network—let alone sensitive information resources.
This represents a new class of network security and
compliance solutions that not only increase the value of
the strategic investment made in front-line enforcement
tools such as identity management, but leverage the
network itself as a primary tool for extending process
disciplines, access controls, user and trust group management, and threat protection with high granularity
down to the level of each individual user and system
that interacts with high-value IT assets.
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page 10
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
Appendix A: Nevis Networks Regulatory Support – Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 mandates the adoption of corporate governance standards for many public companies and registrants with the US Securities and Exchange Commission (SEC). Section 404 of the Act specifically
requires companies to report annually on their internal controls over financial reporting. In its enforcement of these
provisions of the Act, the SEC has recognized the following:
• S EC compliance rules mandate the use of a recognized internal control framework. These rules make specific
reference to the recommendations of the Committee of the Sponsoring Organizations of the Treadway
Commission (COSO) directly related to the preparation of financial statements and the safeguarding of
assets.
• I n 2004, the SEC approved the adoption of the US Public Company Accounting Oversight Board (PCAOB)
Audit Standard No. 2 (PCAOB Release No. 2004-003), establishing a standard governing the auditing of
internal controls relevant to the Act.
These standards have direct implication for IT systems involved in compliance with Sarbanes-Oxley (“SOX”).
While many internal control frameworks have been adopted in response, the following are examples of common
framework elements relevant to IT, with examples of how Nevis Networks helps to support compliance:
PROCESSES
Domain
Relevance to SEC Standards
Nevis Networks Support
Key areas of IT focus in
implementing SOX-compliant
business processes include:
COSO:
The Nevis Networks solution
helps support the implementation
of SOX-compliant business
processes through:
• Control Environment
• Control Activities
• S
trategic planning, development,
• Information and Communications • The classification of users and IT
acquisition and maintenance of
IT resources
resources according to risk and
• Monitoring
compliance sensitivity
• Assessment of IT-relevant risks· • Risk Assessment
Personnel management
• Capabilities for implementing the
PCAOB:
real-time enforcement of which
• Development of policies and
users should have access to
• Program Development
procedures
which resources, according to
• Program Changes
• Management of configuration
defined policy
and change
• Computer Operations
• Tools for managing changes to
• Event and incident management • Access to Programs and Data
access rights and privileges
• S
trong process enforcement
through controls on the network
environment
• F
inely grained reporting and
alerting of all network activity
• A
utomated elevation of alerts in
response to attempts to subvert
IT controls
• A
utomated engagement of
stronger IT controls in response
to an attempted compliance
breach
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page 11
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
CONTROLS
Domain
Relevance to SEC Standards
Nevis Networks Support
Asset classification and control
COSO: Risk Assessment, Control
Activities
Networks, servers, applications
and users are defined within
LANsight Security Manager in
order to create comprehensive
access control or security policy.
PCAOB: Computer Operations,
Access to Programs and Data
Appropriate separations of duties
and divisions of responsibilities,
including user authentication,
access control, and controls
on the complete user account
lifecycle (policy definition, account
creation, modification, suspension,
revocation, closure)
COSO: Risk Assessment, Control
Activities, Monitoring
Network security controls,
including perimeter security,
intrusion detection and prevention,
anti-malware and protections
against software and application
vulnerabilities
COSO: Risk Assessment, Control
Activities, Information and
Communications, Monitoring
Protection of sensitive data, in
storage as well as in transit,
including encryption where
appropriate
COSO: Risk Assessment,
Control Activities
Enforcement of IT configuration
and change controls
COSO: Risk Assessment, Control
Activities, Monitoring
PCAOB: Computer Operations,
Access to Programs and Data
PCAOB: Computer Operations,
Access to Programs and Data
PCAOB: Computer Operations,
Access to Programs and Data
PCAOB: Computer Operations,
Access to Programs and Data
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page 12
Nevis’ dynamic access control
feature enables simple, robust
definition of system access, based
on groups, or job responsibilities.
LANenforcer utilizes signature
matching, network, protocol and
behavioral anomaly detection
enabling the deployment of this
technology to every port on the
LAN.
LANenforcer enables the
straightforward deployment of
data encryption in combination
with host protection and access
control, with many robust features.
An administrator defines a “Secure
Asset” for servers that contain
high-risk personal information.
Once defined, LANenforcer
automatically and transparently
configures IPSec tunnels from
client endpoint to server endpoint.
All data is automatically encrypted
with 128-bit AES encryption. This
helps to reduce capital such as
those necessary to implement
VPN concentrator hardware or
the operational costs of VPN
client software. The Secure
Asset functionality automatically
configures access control policies
and audit logging for all access to
protected information.
Nevis tracks all changes made to
the LANsight security manager—
user identity, date, and action
taken— allowing IT to carefully
monitor all security policy changes.
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
AUDIT-WORTHINESS
Domain
Relevance to SEC Standards
Nevis Networks Support
Monitoring and ongoing evaluation
of the IT environment
COSO: Risk Assessment, Control
Activities, Information and
Communication, Monitoring
LANenforcer automatically
monitors network activity for
attempted policy violations,
prevents violations and alarms
on attempts.Because of its robust
policy creation and enforcement
features, the LANenforcer makes
it simple to monitor and enforce
compliance among employees,
third-party personnel, and all other
users on the network.
PCAOB: Computer Operations,
Access to Programs and Data
Exception or event alerting and
notification
COSO: Risk Assessment, Control
Activities, Information and
Communication, Monitoring
PCAOB: Computer Operations,
Access to Programs and Data
Control adequacy
COSO: Risk Assessment,
Monitoring
PCAOB: Program Development,
Program Changes, Computer
Operations, Access to Programs
and Data
Control audit and validation:
internal as well as external and
independent
COSO: Control Environment,
Monitoring
PCAOB: Program Development,
Program Changes, Computer
Operations, Access to Programs
and Data
All monitored network, security,
and access events are forwarded
and stored by LANsight Security
Manger. These can trigger
numerous actions including alarms
or alerts.
IP and MAC addresses have
weaknesses when used to identify
network activity, as they can be
manually modified or “spoofed.”
By tying user name to all network,
security, and access events,
administrators can be certain that
any security issues are directly
attributable to a particular user.
The comprehensive reporting
capabilities of LANsight supports
the direct documentation of actual
IT controls in place, helping
to enforce SOX compliance
and credible demonstration of
mandated controls.
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page 13
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
Appendix B: Nevis Networks Regulatory Support – SB 1386 (California Law on
Notification of Security Breach)
Senate Bill 1386 (“SB 1386,” also introduced as Assembly Bill 700) of the 2001-2002 session of the California State
Legislature was adopted and entered into effect July 1, 2003, amending and adding Sections 1798.29, 1798.82 and
1798.84 to Chapter 1798 of the California Civil Code, also known as the Information Practices Act of 1977. SB
1386 mandates that government agencies, people, and businesses in California must notify any California resident
in the event that the security, integrity or confidentiality of their unencrypted personal information is compromised
by unauthorized acquisition.
Personal information subject to the notice requirement includes the combination of name (first name or initial and
last name) plus any of the following: a) driver’s license or California Identification Card number; b) Social Security
number, or; c) financial account, credit, or debit card number in combination with any security code, PIN or password that would enable access to the individual’s financial account. In the event of a breach, the law requires that
notification be given “in the most expedient time possible and without unreasonable delay.”
Nevis Networks LANsecure technology—implemented in Nevis’ LANenforcer LAN security systems and LANsight
solutions—offers LAN security functionality that provides a framework for implementing the processes, controls
and audits that help support compliance efforts relevant to SB 1386. Features of these offerings include:
• D
ynamic access control, readily enabling definitions of who has access to which resources on the network,
which supports the enforcement of control at every port on the LAN
• Management reporting
• Highly-detailed event management
• Key features supporting compliance enforcement, such as Secure Asset and transparent VPN encryption
The Office of Privacy Protection of the California Department of Consumer Affairs has published its Recommended
Practices on Notification of Security Breach Involving Personal Information1, which includes the following recommended
practice guidelines for information protection, incident prevention, and notification preparation relevant to SB
1386. These guidelines are correlated with examples of how the Nevis Networks solution helps to support their
guidance:
PROCESSES
Recommended Practice
Nevis Networks Support
Inventory records systems, critical computing
systems and storage media to identity those
containing personal information.
Nevis’ LANsight provides IT with an audit trail of all
user network activity, creating an audit trail of which
users attached to which resources and when.
• Include laptops and handheld devices used to store
personal information.
Classify personal information in records systems
according to sensitivity.
• Identify notice-triggering information.
Review your security plan at least annually or
whenever there is a material change in business
practices that may reasonably implicate the security
of personal information.
Nevis’ LANsight can alert IT should a user attempt
access to a resource for which they do not possess
access rights.
Nevis’ LANsight integrates reports that assist in the
planning activities accelerating the planning as well
as day-to-day operations management processes.
(continued on next page)
Office of Privacy Protection, California Department of Consumer Affairs, Recommended Practices on Notification of Security Breach Involving Personal
Information, October 10, 2003, http://www.privacy.ca.gov/recommendations/secbreach.pdf
1
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page 14
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
PROCESSES
Recommended Practice
Nevis Networks Support
Before sending individual notices [in the event of a
notice-triggering incident], make reasonable efforts to
include only those individuals whose notice-triggering
information was acquired.
The granularity of control offered by Nevis’ solution
gives highly specific visibility into exactly who had
access to what information resources at what time.
This limits the potential scope of an SB 1386 incident
to a known range of specific individuals, resources,
times and methods of access, which, in turn, can
significantly limit the impact of a notification event.
CONTROLS
Recommended Practice
Nevis Networks Support
Use physical and technological security safeguards
as appropriate to protect personal information…
Nevis’ dynamic access control enables simple, robust
definition of system access, based on groups, or job
responsibilities.
• A
uthorize employees to have access to only the
specific categories of personal information their job
responsibilities require.
• W
here possible, use technological means to
restrict internal access to specific categories of
personal information.
• R
emove access privileges of former employees
and contractors immediately.
Use intrusion detection technology and procedures
to ensure rapid detection of unauthorized access to
higher-risk personal information.
LANenforcer utilizes signature matching, network,
protocol and behavioral anomaly detection for
identification and prevention of known and unknown
intrusions, enabling the deployment of this security to
every port on the LAN.
Wherever feasible, use data encryption, in
combination with host protection and access control,
to protect higher-risk personal information.
LANenforcer enables the straightforward deployment
of data encryption in combination with host protection
and access control, with many robust features
• D
ata encryption should meet the National
Institute of Standards and Technology’s Advanced
Encryption Standard.
An administrator defines a “Secure Asset” for servers
that contain high-risk personal information.
Once defined, the LANenforcer automatically and
transparently configures IPSec tunnels from client
endpoint to server endpoint. All data is automatically
encrypted with 128-bit AES encryption. This helps
to reduce capital costs such as those necessary
to implement VPN concentrator hardware or the
operational costs of VPN client software.
The Secure Asset functionality automatically
configures access control policies and audit logging
for all access to protected information.
(continued on next page)
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page 15
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
CONTROLS
Recommended Practice
Nevis Networks Support
Plan for and use measures to contain, control and
correct any security incident that may involve higherrisk personal information.
Nevis’ LANsecure technology offers three benefits
for companies to contain, control and correct security
incidents:
1. Role-based access control – allows the
administrator to restrict access to high-risk
personal information before incidents happen.
2. Encrypted access to secured resources
3. Comprehensive user audit and reporting of all
user-network activity based on a query of the
user’s name. What did they access and when?
Once threats are detected, via policy violation,
signature match or network anomaly, rapid threat
containment features are invoked. For servers
containing high-risk personal information (“Secure
Assets” as defined by Nevis Networks products),
security events are raised in priority by the
event correlation system. This priority elevation
automatically increases the sensitivity of behavioral
anomaly detection, which in turn drives alarms,
quarantine of attacking or threatening hosts, and
isolation of systems at risk.
AUDIT-WORTHINESS
Recommended Practice
Nevis Networks Support
• M
onitor employee compliance with security and
privacy policies and procedures.
LANenforcer automatically monitors network activity
for attempted policy violations, prevents violations
• Include all new, temporary, and contract employees and alarms on attempts. Because of its robust policy
creation and enforcement features, the LANenforcer
in security and privacy training and monitoring.
makes it simple to monitor and enforce compliance
• Monitor and enforce third-party compliance with
among employees, third-party personnel, and all
your privacy and security policies and procedures. other users on the network.
• Monitor employee access to higher-risk personal
information.
Document response actions taken on an incident.
This will be useful to your organization and to law
enforcement, if involved.
(continued on next page)
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page 16
Nevis Networks: Best Practices in LAN Security
Across the Compliance Spectrum
AUDIT-WORTHINESS
Recommended Practice
Nevis Networks Support
In determining whether unencrypted notice-triggering
information has been acquired, or is reasonably
believed to have been acquired, by an unauthorized
person, consider the following factors, among others:
The granularity of control offered by Nevis’ solution
gives highly specific visibility into exactly who had
access to what information resources at what time.
This limits the potential scope of an SB 1386 incident
to a known range of specific individuals, resources,
times and methods of access, which, in turn, can
significantly limit the impact of a notification event.
1. Indications that the information is in the physical
possession and control of an unauthorized
person, such as a lost or stolen computer or other
device containing unencrypted notice-triggering
information.
2. Indications that the information has been
downloaded or copied.
3. Indications that the information was used by an
unauthorized person, such as fraudulent accounts
opened or instances of identity theft reported.
If you cannot identify the specific individuals whose
notice-triggering information was acquired, notify
all those in the groups likely to have been affected,
such as all whose information is stored in the files
involved.
©2006 Enterprise Management Associates, Inc. All Rights Reserved.
Page 17
About Enterprise Management Associates, Inc.
Enterprise Management Associates, Inc. is the fastest-growing analyst firm focused on the management
software and services market. EMA brings strategic insights to both vendors and IT professionals
seeking to leverage areas of growth across e-business, network, systems, and application management.
Enterprise Management Associates’ vision and insights draw from its ongoing research and the
perspectives of an experienced team with diverse, real-world backgrounds in the IT, service provider,
ISV, and publishing communities, and is frequently requested to share their observations at management
forums worldwide.
Corporate Headquarters:
Enterprise Management Associates
2585 Central Avenue, Suite 100
Boulder, CO 80301, U.S.A.
Phone: 303.543.9500
Fax: 303.543.7687
info@enterprisemanagement.com
www.enterprisemanagement.com
1135.060606
This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system, or retransmitted without prior written
permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are
subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective
companies. ©2006 Enterprise Management Associates, Inc. All Rights Reserved.