Nevis Networks: Best Practices in LAN Security Across the Compliance Spectrum
A White Paper Prepared for Nevis Networks
June 2006

Table of Contents
Executive Summary (page 1)
Common Themes of Regulatory Requirements (page 1)
Cost-Effective Compliance: Meeting Multiple Requirements across the Regulatory Spectrum (page 2)
  Processes (page 3)
  Controls (page 3)
  “Audit-worthiness” (page 4)
Compliance and Nevis Networks’ LAN Security Solution (page 5)
  Process (page 5)
    Process to Implement Trust Groups (page 5)
    Process to Add and Change Users Dynamically (page 6)
    Process to Control Threats (page 6)
    Process to Define and Protect Secure Assets (page 6)
  Control (page 7)
    Endpoint Admission (page 7)
    User Authentication (page 7)
    Dynamic Access Control (page 7)
    Secure Asset Definition (page 8)
    Threat Identification and Prevention (page 8)
  Audit (page 8)
    Identity-driven Policy Enforcement (page 9)
    Traffic Monitoring (page 9)
    Audit Reports (page 9)
EMA’s Perspective (page 9)
Appendix A: Nevis Networks Regulatory Support – Sarbanes-Oxley (page 11)
Appendix B: Nevis Networks Regulatory Support – SB 1386 (California Law on Notification of Security Breach) (page 14)

Executive Summary

With every passing year, the need to comply with a maze of state, federal and even international regulations becomes a more pressing concern for companies around the world. The issue may be customer or patient privacy, safeguarding the integrity of the organization’s financial results, or protecting customers or businesses from financial fraud. Not only are there more regulations each year, but the penalties (either in the form of bad publicity, a drop in stock price, outright fines or even jail time for executives) become more immediate and severe.

The requirements of various rules can overlap, creating multiple mandates for the same organization. For example, the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) apply to healthcare providers, healthcare insurers and related organizations that are also governed by industry-specific regulations at the state and other levels. If an organization is involved in both health care and financial services (say, a health care insurer), it is governed not only by HIPAA but by the privacy requirements of the Gramm-Leach-Bliley Act (GLBA). If any of these companies are publicly traded in the US, the requirements of the Sarbanes-Oxley Act (SOX) may apply as well.
Regulatory requirements can also cross borders in unexpected ways. Although the many privacy measures enacted by governments, from U.S. states to national and even international bodies such as the European Union, have much in common, they pose a significant challenge to subject entities who must comply with multiple overlapping rules. Even harder than complying with a single standard imposed by one jurisdiction is complying with a mosaic of different laws in many different jurisdictions.

Finally, the need to ensure compliance is an ongoing, weighty responsibility. Not only do some regulations require regular, scheduled audits to prove compliance, but each organization’s compliance record is only as good as the last transaction it performed, the last customer record it archived or the last patient record it encrypted before storing off-site.

In order to prioritize their compliance efforts on the most pressing issues, and to acquire solutions that address multiple regulatory needs, organizations must recognize the common requirements underlying many different rules and regulations. These common requirements include:
• Defined and enforceable business standards, policies and processes;
• Subversion-resistant controls for their enforcement; and
• Records and reports that demonstrate continuous compliance with these policies and processes.

Above all, compliance is about defining, assuring, enforcing and proving compliant behavior. This dictates that processes, controls and demonstrations of effectiveness must be as specific to individuals as possible and must extend enforcement throughout the entire time that any individual has access to regulated information resources. Solutions are beginning to emerge with powerful features to assure that each user has access to only the proper information, and can execute only appropriate actions, for the entire time he or she is on the corporate network.
In this paper, Enterprise Management Associates (EMA) examines the broad requirements of regulatory compliance and how the Nevis Networks product set represents a front-line solution for providing the necessary levels of highly granular, continuous, real-time enforcement. Executives will gain an understanding of how Nevis Networks LAN security systems provide a part of the solution that helps an enterprise achieve and continuously improve compliance with multiple, evolving regulatory requirements. The Appendix of this paper provides a detailed look at examples of how Nevis’ solution helps to support compliance with the Sarbanes-Oxley Act and the privacy breach notification law known as California Senate Bill 1386—two of the most significant mandates affecting IT today.

Common Themes of Regulatory Requirements

As powerful information systems, databases and the World Wide Web have become potent tools in our everyday lives, it is only natural that concerns would arise—often with justification—about the improper use of those systems and the data contained in them. This contradiction—the need to make information ubiquitously available, and the conflict of this need with concerns about information misuse—is one reason why regulatory compliance can be such a confusing challenge.

©2006 Enterprise Management Associates, Inc. All Rights Reserved.

Privacy regulation is a prime example. Customers paying their bills online, checking their email from a coffee shop or ordering a specialized product they could only have found on the Web are all benefiting from their ability to leverage personal information (such as passwords and credit card numbers) over the Internet. This, however, poses a significant risk that personal information may be stolen, compromised or otherwise misused.
In response, initiatives such as California Senate Bill 1386 require any company, no matter where it is located, to disclose the loss or theft of personal information of any customer who is a California resident. That means, conceivably, that the name, physical address and email address of a Californian who registered to download a product or service from the Web could come back to haunt a corporation in Europe or Asia. The Personal Information Protection Act passed in Japan in 2003 may similarly affect companies doing business in Japan (particularly those in the medical, financial credit, and telecommunication industries), as may the European Union’s Data Protection and Electronic Communications Privacy Directives.

Financial controls are a parallel example. Financial mismanagement by a few firms led to broad investor accountability mandates such as the Sarbanes-Oxley Act. While SOX requires strict controls over financial systems and processes, it is again the behavior of those using information systems that SOX seeks to control. In order to be effective, such control must govern behavior during the entire time a legitimate, authenticated user has access to the system, since sensitive corporate information is at risk of being manipulated not just by hackers, but by any person with access to the company network, from rank-and-file staff to senior executives. A similar requirement applies to network and system administrators, as well as security managers, to ensure they cannot abuse their positions of trust either to commit wrongdoing or to open the door for others to do so. The rise of terrorism is having a similar effect, in the form of the Anti-Money-Laundering (AML) provisions such as those of the USA PATRIOT Act. At least one international bank has already been fined $100 million for violating U.S. AML restrictions on currency exchange with countries under sanction, through the concealment of prohibited transactions in financial reporting. Clearly, there is a role for tools that can enforce access to such sensitive IT resources with high granularity, and with credibility that can stand up to the rigors of today’s stringent regulatory audits.

Governments are not the only entities defining what rules businesses must comply with in order to operate. Recognizing the threat to electronic transactions posed by attacks that increasingly have material objectives in view, credit and debit card companies have issued their own Payment Card Industry (PCI) data security standard, responding to initiatives such as Visa’s Cardholder Information Security Program (CISP) that mandate requirements for securing card information whenever it is obtained, used or transmitted.

Choosing a different compliance tool to meet each of these different and often overlapping requirements quickly becomes highly inefficient and cost-prohibitive. A more cost-effective route is to select tools that can satisfy a broad range of requirements.

Cost-Effective Compliance: Meeting Multiple Requirements across the Regulatory Spectrum

Figure 1: An overview of the compliance lifecycle. Requirements common across multiple regulatory initiatives are summarized. The Nevis Networks solution addresses each of the three primary compliance domains of process, control and “audit-worthiness,” with comprehensive, granular and detailed capabilities in each domain to satisfy a wide range of regulatory requirements.
  Processes: Strategic Planning; Risk Assessment; Policy Definition; Business Process Workflows; Incident Response; Control Management
  Controls: Separation of Duties; Division of Responsibilities; Segregation of Resource Access; Policy Enforcement; Data Privacy and Security
  “Audit-Worthiness”: Policy Documentation; Compliance Monitoring; Exception Alerting; Control Effectiveness Reporting; Process Workflow Tracking; Incident Response Documentation
The best way to choose such tools is to focus first not on the complex requirements of each rule or regulation, but on the most critical requirements across a range of mandates that are most relevant to an IT organization. In general, they revolve around Processes, Controls and “Audit-worthiness.”

Processes

In essence, regulatory requirements are broadly applicable statements of policy, and policies are ineffective without well-defined processes to implement and enforce them. Such processes are key to compliance with corporate governance requirements such as SOX, as well as for the creation of necessary internal corporate controls. There are two key areas of compliance-relevant process: the definition of specific compliance-related business processes that are consistent with regulatory policy, and the ongoing management of those processes.

Proper definition of business processes is crucial to ensure they are in accordance with the relevant corporate governance policies and external regulations, and to ensure that the proper access control, separation of duties and divisions of responsibilities are spelled out. Users must be accurately identified, along with their roles, attributes and the types of information to which they should be allowed access. The same is true for the resources (the data and application services) to which they are allowed access. Again, the stress should be on defining, managing and controlling a user’s behavior for the entire time they are connected to the corporate network, not just on properly authenticating them at the point of access.

The next step is to define the processes for provisioning those resources, or making them available to employees, customers or business partners when such access is appropriate. These processes must be clear and enforceable, yet flexible enough to allow the business to meet its changing strategic needs.
These processes should extend through the lifetime of the resource, allowing for the ongoing creation, modification, suspension, revocation and retirement of resources as well as the privileges accorded to their use. They should also be highly granular and as individually specific as both regulatory and corporate requirements may demand, allowing for the fine-tuning of controls, roles, and the appropriate segregation of users, resources and communication channels based on new or changing compliance or business requirements as they emerge.

Finally, in order to prevent compliance breaches to the extent possible, these processes must be enforceable through real-time controls, implemented in the information technologies that enable access to controlled resources. This highlights an area in which IT can aid specifically with compliance-relevant process management: the automation of process events in IT resources themselves.

Once they are defined, these processes must be managed, on an ongoing basis, from the time they are created until they are retired. This requires mechanisms that provide an overview of the current state of processes, as well as top-level controls on how policies and processes are defined and managed.

Controls

The enforcement of controls is central to virtually all regulation, and is particularly important in mandates such as Section 404 of SOX. Section 404 is particularly important to IT organizations because it requires the implementation of a control framework and processes for financial reporting, and the regular assessment of the effectiveness of that framework by corporate management required by SOX Section 302.
An example of a framework was given in the SOX compliance rules issued by the US Securities and Exchange Commission (SEC), which make specific reference to the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)—a SOX precursor—directly related to the preparation of financial statements and the safeguarding of assets. One of the most popular SOX control frameworks is the IT Governance Institute’s Control Objectives for Information and related Technology (COBIT). In its guidance on SOX IT control objectives, the ITGI describes how multiple guidelines such as ISO 17799 best practices in information security and IT Infrastructure Library (ITIL) IT governance standards map to SOX control requirements, as well as to COSO and COBIT.

The control requirements of these and many other mandates range from the proper separation of duties and the division of responsibilities among employees required by SOX as well as the Basel Capital Accords (“Basel II”), to controls on access to privileged information supported by an appropriate level of authentication, and the creation of clearly defined roles, rights and responsibilities for information consumers. Such access is controlled within the healthcare industry by both the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA). Controls on access to personal information that could lead to financial losses—personal as well as corporate—are also mandated by initiatives such as the Payment Card Industry (PCI) Data Security Standard, while international regulations such as the EU Data Privacy Directive and Japan’s Personal Information Protection Act (PIPA) mandate similar controls to protect personal information.
Such protections are preventive measures for mandates such as California SB 1386, which requires disclosure in the event of unauthorized access to the unencrypted personal information of Californians.

Implicit in the nature of IT controls is that they must be effective throughout the entire time a network user, endpoint or information consumer has the ability to access IT or information assets. Again, controls that focus only on controlling initial access to the network are inadequate. The real question that determines whether compliance is effective is what happens once the user is connected to the system. For example, a rogue trader on the Singapore Exchange was able to hide the extent of his abuses by reconciling his own trades. Proper controls on the separation of responsibilities for employees, and enforcement of those separate responsibilities within the company’s information systems, could have limited the abuse and perhaps saved the entire company from failure.

From an IT perspective, enforcement of the proper separation of duties and division of responsibilities can be achieved through:
• The segregation of information users into groups according to specific levels of trust appropriate to each group (so-called “trust groups”);
• Enforcing limitations on access to specific information resources to a specific trust group; and
• Monitoring enforcement and alerting on events when exceptions are detected, and ideally, when they are attempted.

Risk is not just the unmanaged or inappropriate activities of users who were assumed to be trustworthy but who are not. It also includes vulnerabilities that employees or outsiders can unwittingly introduce into the corporate network, such as worms or Trojans that take advantage of a legitimate user’s current (and authenticated) session to exploit gaps in enforcement.
Increasingly, these types of attacks also threaten the confidentiality, integrity, and security of personal or business-critical information itself, exposing it to breach of privacy, abuse, or even outright destruction.

For all these reasons, it is clear that controls must be real-time, end-to-end and comprehensive in order to prevent compliance breaches from occurring. Once an event occurs, controls that are limited to reactive response may have lost the opportunity to avoid a compliance breach. Indeed, after-the-fact controls may actually allow the precipitation of a compliance event, such as a privacy breach that would require public disclosure under SB 1386 requirements, with high potential for resultant damage.

“Audit-worthiness”

To meet the demands of both external mandates and internal auditors, both access controls and the processes to manage those controls must be auditable. Organizations must be able to prove over time that policies and processes were followed and that the controls in place were adequate to enforce compliance continuously. Controls must have shown enough resistance to subversion to prove they achieve their aims, while process enforcement must demonstrate a high enough level of effectiveness and penalties to ensure compliance with the mandates in question.

Information resources, consumers, access methodologies and other subjects of compliance must be clearly and reliably identified. The reports and “audit trail” must clearly correlate the existence of mandated processes and controls with the information resources, information consumers and access methodologies reported in actual operation. Alerting functions must quickly notify managers of any attempts to subvert controls and processes, and the audit must identify any exceptions that were made to processes or controls, the actions taken to ensure such exceptions did not violate compliance guidelines, and how consistent exceptions will be taken into account in the future.
Audit-worthiness goes beyond mere reporting and alerting to the transparent effectiveness of control. This means outside regulators and internal auditors must find proof of the ongoing, continuous, real-time effectiveness of the processes and controls sufficiently convincing to demonstrate actual compliance. Activities must be consistently documented with few or no breaks in the audit trail throughout a process, enabling an auditor to choose the audit trail of virtually any control or process at random and determine that compliance has been consistent.

Compliance and Nevis Networks’ LAN Security Solution

Up to now, most compliance solutions have focused on controlling access to sensitive resources via user authentication. To achieve more comprehensive compliance, enterprises are often forced to add in additional software, security systems and monitoring tools. Since regulators increasingly demand transparent, continuous, real-time enforcement specific to each individual information consumer, the added complexity of a piecemeal approach poses risks of its own. Enterprises require consistency in the assurance of real-time policy and process adherence, continuous controls, simple compliance process deployment and powerful audit features.

Nevis Networks’ LANenforcer™ ASIC-based LAN security systems and LANsight security manager provide a comprehensive approach to locking down LANs to help in meeting regulatory compliance mandates. Together, LANenforcer and LANsight comprise Nevis’ LANsecure LAN security architecture. An in-line network system located at the user-access edge of the LAN, LANenforcer provides multiple layers of security policy processing to deliver real-time, continuous enforcement and threat protection at the point of network connection, without compromising application performance.
Nevis’ LANsight™ security manager provides centralized security policy configuration, monitoring, event correlation, and reporting for LANenforcer™ systems. Its dynamic, role-based policy management and reporting give network administrators substantial control and visibility into security-related user activity throughout the LAN. LANsight is the IT interface for compliance process definition, policy deployment and audit output.

Nevis’ LANsecure provides a simple, network-based framework for implementing the policy enforcement processes, controls and audits that help support compliance with many of today’s regulatory demands.

Process

Businesses are increasingly looking to solutions for securing the LAN itself, because enforcement at the point of connection represents one of the most direct ways to help assure clear and policy-compliant business processes throughout the enterprise network. Nevis’ architecture creates a framework for the definition of specific compliance-related business processes that are consistent with regulatory policy, and the ongoing management of those processes. Specifically, Nevis’ LANsecure architecture enables the following processes by providing appropriate control points and audit records:
• Process to implement trust groups
• Process to add and change users dynamically
• Process to control threats
• Process to define and protect secure assets

Process to Implement Trust Groups

Regulations with an emphasis on corporate governance such as SOX have much in common with rules such as Basel II: namely, the separation of duties and division of responsibilities that assure adequate oversight and limits on the uncontrolled access of individuals that could have an adverse effect on critical information resources. These rules converge with data security mandates such as the PCI Data Security Standard or the HIPAA Privacy Rule, which require the enforcement of confidentiality in the handling of sensitive personal financial or medical information.
This directly indicates the regulatory necessity of processes that segregate individual users into specific trust groups. Enterprises already have trust groups of users defined, but many networks have not been able to fully extend their value to network-wide policy enforcement. In such cases, the network is at the mercy of user self-policing. For example, some companies may state a policy of “third party laptops are not allowed on our network”—but if they have no mechanism for actually implementing this stated policy, it is effectively unenforceable.

With the LANsecure architecture, business groups immediately become trust groups with access control policies. This enables LANsight to directly extend the implementation of trust group definition and user provisioning processes, integrating LANsight capabilities with those of today’s sophisticated identity and access management systems to retrieve group definitions and assign policies to those groups. When a user is added via normal IT processes, that user automatically receives access control policies via LANsight.

Process to Add and Change Users Dynamically

Once trust group definition processes are established, network security enforcement processes such as defining Access Control Lists (ACLs) for every switch port via a command-line interface become intolerably brittle when extended LAN-wide. Such unscalable approaches effectively remove the LAN as an enforcement tool, since very few enterprises would support such a cumbersome process for adding individual network user access privileges, ensuring proper access to appropriate resources, and restricting access to everything else. LANsecure enables the enterprise to define network-wide processes for provisioning new users and giving access to appropriate resources on the network.
Users are authenticated, along with their roles, attributes and the types of information to which they should be allowed access. Because policies are dynamically applied to users at authentication time, LANenforcer provides a simple process for authorizing third-party users such as contractors, consultants and guest visitors, ensuring their ability to access relevant systems while restricting access to everything else on the network. IT can configure LANsight to assign specific access rights to each group of non-employee users – some may be granted rights to Internet-only access; others may have access to a specific server. Should third-party users be members of multiple groups, LANsight takes the intersection of those groups’ policies and applies it to that user.

Process to Control Threats

Most regulatory mandates reference IT security best practices such as the ISO 17799 guideline in shaping the implementation of a security posture that enables the enforcement of regulatory compliance. Initiatives from SOX to the HIPAA Security Rule recognize the necessity of implementing threat controls in IT that address the issues revealed in mandated risk and compliance gap analysis. Increasingly, gaps in IT security pose a significant risk to sensitive information itself, with potential compliance impact ranging from privacy law breaches to violations of the PCI Data Security Standard. In addition to its user and trust management capabilities, the Nevis LANenforcer system offers a means for defining a comprehensive process for threat protection that addresses commonalities among these and other mandates.
Nevis allows the enterprise to introduce the following six-step threat control process with a single appliance:
• Endpoint host system integrity check for ensuring minimum levels of preventative security implemented on the network at all times
• User authentication and group policy enforcement
• Traffic inspection for matching signatures of known spyware, adware, bots, and worms
• Traffic, protocol, and behavioral anomaly inspection for zero-day malware
• Automatic quarantine for known and unknown threats
• Named user and named attack reporting to complete the threat containment cycle

Process to Define and Protect Secure Assets

In addition to requirements for segregating trust groups and mitigating threats, many regulatory initiatives—particularly those concerned with protecting sensitive information from theft or abuse—have common standards for defining and protecting information assets themselves. This is at the heart of SOX requirements for assuring sound financial reporting, while the HIPAA Security Rule mandates the segregation of sensitive patient data from other data resources in certain cases. The necessity of protecting the systems that house assets of tangible value, meanwhile, is central to the PCI Data Security Standard.

As described above, Nevis provides the ability for IT to define “secure assets” (those resources containing especially valued or sensitive data). In doing so, LANenforcer encrypts the traffic between the users and the resource with sensitive data, without the need for endpoint software or for the user to initiate the encryption. Encryption is completely seamless to the user and is applied based upon policy. In addition, LANsight keeps an audit trail of all user access to the secure resource.
Control

Once compliant processes such as the risk and gap analyses required by many mandates have been carried out and operational compliance processes defined, regulations require controls to be implemented to assure enforcement. All regulatory measures applicable to IT strive to control information and access to it. To this end, the Nevis LANsecure architecture provides highly granular controls on information and users on the network. Control techniques must be real-time, end-to-end and comprehensive. LANsecure employs a five-point approach to information resource control; these five components interact to bring security controls to each endpoint on the local area network:
• Endpoint admission control
• User authentication
• Dynamic access control
• Secure asset definition
• Threat identification and prevention

Endpoint Admission

The increasing prevalence of threats that exploit sensitive information means that every endpoint on the network may present a point of regulatory risk, requiring the enterprise to validate that systems attaching to the network, especially those not owned by the company itself, are appropriately controlled and protected. This speaks to the threat protection requirements of all IT-relevant regulatory initiatives. LANenforcer can check each machine, verifying antivirus, anti-spyware and OS patch levels before allowing the system onto the network. Many endpoint compliance efforts fail because they are intrusive to users. When client software interferes with desktop applications or forces users into an unnatural or uncomfortable regime to get their jobs done, the controls become highly subject to subversion as users seek ways to defeat them.
With the LANsecure architecture, controls are in the network, off the controlled host and therefore “clientless” and transparent to the end user, which makes them considerably harder to subvert than client-based information controls (the trade-off being that a clientless check can assess only what can be observed or queried from the host over the network). In addition, Nevis allows IT to specify that endpoint security scans repeat at regular intervals after a user has gained access to the network. If a user turns off anti-virus software, for example, the endpoint is placed into quarantine; likewise, if the anti-spyware vendor releases a critical update and the user does not install it, the endpoint is quarantined. Reviewing the security posture of each endpoint both before it is authorized onto the network and throughout its time on the network is what best reduces risk.

User Authentication

The user authentication and trust group definitions described in the preceding discussion of compliance processes must rest on measures that enforce compliant access controls. Most enterprise networks today may be thought of as “anonymous” in the sense that, once a user logs on, network traffic is typically monitored only by source and destination IP address. Under the dynamic addressing regimes that are now commonplace this is an unstable identifier, since a computer's address may change each time it connects. Authentication protocols such as 802.1X are an important advance, but many networks use the authentication result only to grant or deny general network access. User groups are common in operating system environments and in the identity management regimes most often applied to applications and systems, but network trust groups have so far only rarely been established; network policies may be inconsistently applied and network usage may go completely unmonitored.
With LANenforcer, by contrast, users are not only authenticated but subsequently controlled by policy group, with their activities tracked by user name.

Dynamic Access Control

Trust groups already exist within organizations. Business units, functional roles and information access policies are typically defined and stored in a directory such as Active Directory or an LDAP directory. The enterprise compliance challenge is that, until now, network infrastructure has made little use of that trust group information. The Nevis LANenforcer creates a transparent policy control point that uses these trust groups for granular access control. Each group member is explicitly authorized to access appropriate resources. Users can be members of multiple groups, and LANenforcer enforces the combined policy (described earlier in this paper as the intersection of the groups' rights). Because the system is deployed at the user-access edge of the network, every user can be controlled individually at every port on the LAN. Whether the network is accessed by mobile employees or by third parties, access is authenticated, trust groups are identified and policies are automatically enforced.

Secure Asset Definition

Regulations can be highly specific about the information resources to be protected. Social Security and driver's license numbers, for example, are among the most personally identifying pieces of information, linking to data ranging from personal credit history to health status. Accordingly, resources that contain such information are the focus of regulatory protections including the PCI Data Security Standard, the HIPAA Privacy and Security Rules and California SB 1386. Similar identifying information is the subject of privacy regulation worldwide.
IT assets are the repositories of such information, as they are of the sensitive financial reporting and critical liquidity information subject, for example, to regulations such as SOX and Basel II, respectively. The ability to specify secure assets and enforce the policies that govern them is thus central to IT compliance generally. To demonstrate due care of sensitive data in the network, for example, regulations such as the PCI Data Security Standard and the HIPAA Security Rule, or preventive measures intended to limit the risk of privacy breaches that would precipitate an SB 1386-mandated disclosure, may call for end-to-end encryption to protect sensitive data in transit. However, the cost of Virtual Private Network (VPN) concentrators and the complexity of IPsec VPN configuration may keep many companies from acting on these demands. With LANenforcer, administrators simply identify the network resources that contain sensitive information; Nevis calls these “secure assets.” When a user connects to a secure asset, an IPsec VPN tunnel using 128-bit AES (Advanced Encryption Standard) encryption is established automatically and transparently between the user's access point and the secure asset. This reduces the need for VPN clients and expensive dedicated devices, takes many of the problematic aspects of cryptographic key management off the administrator, and helps to meet requirements for protecting compliance-sensitive information assets. What the tunnel protects depends on where it terminates: a tunnel from the access switch to the asset leaves the segment between the user's host and its switch port outside the encrypted path, whereas one terminated on the client endpoint does not.

Threat Identification and Prevention

The commonality of threat mitigation requirements among all IT-relevant compliance initiatives demands more than access control. They seek to make corporations manage compliance risks, including those posed by malicious software and hackers. To this end the LANenforcer incorporates a robust threat identification and prevention mechanism.
Intrusion detection systems have long used signatures and traffic anomalies to identify attacks on a corporate network. However, cost and performance issues can limit the effectiveness of deploying them in the data path at the security perimeter separating the trusted enterprise LAN from untrusted public networks. The Nevis LANenforcer extends a potentially more cost- and performance-effective, distributed threat identification and prevention approach to every endpoint on the LAN at wire speed. With a LAN-focused signature set, the LANenforcer identifies spyware, adware, “bots,” Trojans, worms and other attacks by name and associates them with the user and system currently accessing a given LAN port. To prevent unknown, zero-day attacks before signatures exist, the LANenforcer system employs traffic, protocol and behavioral anomaly monitoring; once such an attack is detected, Nevis Labs supports LANenforcer deployments by quickly creating a signature for it. The threat control features of the LANenforcer give the enterprise the ability to protect against malware and control many information leakage risks at the level of each network-connected system, while also reducing other significant threats such as spoofing and session hijacking.

Audit

Organizations must be able to prove over time that controls and processes were in effect and that they worked. Audit requirements can be quite granular, as in the case of SB 1386, which requires notification of a privacy breach involving specific unencrypted personal data items such as first and last name or driver's license number. Audit records must therefore clearly identify when and where such information was accessed, or whether a breach of access control can be established. Records retention policies may mandate keeping activity records for several years.
HIPAA, for example, requires covered entities to provide a record of disclosures of health information to any requesting individual for up to six years. The audit capabilities of the LANsecure architecture give the enterprise a high level of visibility. Auditability features are organized into three major areas:
• Identity-driven policy enforcement
• Comprehensive traffic monitoring for complete visibility
• Audit reporting for simple output

Identity-driven Policy Enforcement

With the LANsecure architecture, every user on the LAN is authenticated and network usage is no longer anonymous. When a security policy is violated, the LANenforcer alerts IT in real time, by user name and policy violated. When a curious user probes for access to servers he is not authorized to reach, for example, administrators are immediately alerted with the user's name, the policy violated and the server to which access was attempted. As a result, administrators can have confidence that assets are protected as processes require and that attempts to circumvent mandated processes have been identified and prevented.

Traffic Monitoring

Unlike a traditional LAN switch, the LANenforcer secure access switch can monitor all network traffic in real time. The event history this affords offers significant advantages for regulatory compliance. The information can be used for detailed audit inquiries, such as what a particular employee did during his or her last two weeks with the company. It can also support general policy enforcement reporting, such as documenting who connected in a given quarter to a resource that only a specific executive group is allowed to access. In addition, audit monitoring is configured automatically when a system is defined as a secure asset.
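The identity-driven alerting and per-user traffic history described above rest on one join: each flow has to be bound to an authenticated user, not merely to a source address, before it is tested against that user's group policy, and any denial has to be reported by user name. The Python below is an added illustration written for this page, not Nevis code; the group policy, resource map, 802.1X-style sessions and flow records are all constructed sample data. It decides flows deny-by-default, takes the intersection of a multi-group user's rights (as the paper says LANsight does; the union is offered only for contrast), and treats a source address with no live authenticated session as unattributable rather than charging it to whoever last held the address.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed group policy for this example: each group names the resources
# its members may reach; anything not listed is denied by default.
GROUP_POLICY = {
    "employees":   {"intranet", "mail", "fileserver"},
    "contractors": {"intranet", "internet"},
    "guests":      {"internet"},
}
# Constructed resource definitions: name -> (destination network, TCP port).
# "hr-db" stands in for a secure asset that no group policy lists.
RESOURCES = {
    "intranet":   (ip_network("10.0.3.0/24"), 80),
    "mail":       (ip_network("10.0.1.0/24"), 25),
    "fileserver": (ip_network("10.0.2.0/24"), 445),
    "hr-db":      (ip_network("10.0.9.0/24"), 1433),
}
INTERNAL = ip_network("10.0.0.0/8")  # everything else counts as "internet"


@dataclass
class Session:
    """Binding of an authenticated user to a source address for a time window,
    as an access switch would learn it from 802.1X plus a directory lookup."""
    user: str
    groups: tuple
    ip: str
    start: datetime
    end: datetime


def effective_rights(groups, policy=GROUP_POLICY, combine="intersection"):
    """Rights of a user in several groups: the intersection the paper describes,
    or the union, included only to show how much more that reading would grant."""
    sets = [policy[g] for g in groups]
    if not sets:
        return set()
    return set.intersection(*sets) if combine == "intersection" else set.union(*sets)


def classify_destination(dst_ip, dst_port):
    """Map a destination to a resource name. Internal addresses that match no
    defined resource return None, so the default decision for them is deny."""
    addr = ip_address(dst_ip)
    for name, (net, port) in RESOURCES.items():
        if addr in net and dst_port == port:
            return name
    return None if addr in INTERNAL else "internet"


def session_for(src_ip, ts, sessions):
    """Return the session binding src_ip to a user at time ts, or None."""
    for s in sessions:
        if s.ip == src_ip and s.start <= ts <= s.end:
            return s
    return None


def evaluate(flows, sessions):
    """Decide each (time, src, dst, port) flow and attribute it to a user name.
    Returns dicts with user, resource, decision and reason."""
    events = []
    for ts, src, dst, port in flows:
        resource = classify_destination(dst, port)
        sess = session_for(src, ts, sessions)
        if sess is None:
            # No authenticated owner for this address at this time: report it as
            # unattributed rather than charging it to whoever last held the IP.
            events.append(dict(user=None, resource=resource, decision="deny",
                               reason="no authenticated session for source address"))
            continue
        rights = effective_rights(sess.groups)
        if resource is not None and resource in rights:
            events.append(dict(user=sess.user, resource=resource, decision="allow",
                               reason="permitted by group policy"))
        else:
            events.append(dict(user=sess.user, resource=resource, decision="deny",
                               reason="outside effective rights %s" % sorted(rights)))
    return events


def alerts(events):
    """Operator-facing alert lines for denied flows, keyed by user name."""
    return ["%s -> %s denied: %s" % (e["user"] or "<unattributed>",
                                      e["resource"] or "undefined internal host",
                                      e["reason"])
            for e in events if e["decision"] == "deny"]


def T(hour, minute):
    return datetime(2006, 6, 6, hour, minute)

# Constructed sessions and flow records.
SESSIONS = [
    Session("alice", ("employees",), "10.1.0.5", T(8, 0), T(17, 0)),
    Session("bob", ("contractors", "guests"), "10.1.0.7", T(9, 0), T(12, 0)),
]
FLOWS = [
    (T(9, 5), "10.1.0.5", "10.0.2.10", 445),      # alice -> fileserver
    (T(9, 6), "10.1.0.5", "10.0.9.4", 1433),      # alice probes hr-db
    (T(9, 7), "10.1.0.7", "10.0.3.2", 80),        # bob -> intranet
    (T(9, 8), "10.1.0.7", "93.184.216.34", 443),  # bob -> internet
    (T(13, 0), "10.1.0.7", "10.0.2.10", 445),     # bob's old address, session over
]

if __name__ == "__main__":
    for line in alerts(evaluate(FLOWS, SESSIONS)):
        print(line)
```

Running the block yields three denial lines: alice's probe of the HR database, named by user and server; bob's intranet attempt, dropped because his contractor and guest memberships intersect to Internet-only; and a flow from bob's former address after his session ended, reported as unattributed so that it is not charged to him on the strength of an IP address alone.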
For systems with critical data, the LANenforcer provides a straightforward mechanism to identify, encrypt and audit all traffic to and from the asset.

Audit Reports

LANsight reports and audit trails document that policies and processes were continuously enforced across all information resources, information consumers and access methods. User activities are documented continuously in the same way, leaving no breaks in the audit trail throughout a process. The LANsight system comes with preconfigured reports that help answer key regulatory questions, such as: What security policies and processes are defined and in place? What is the evidence of their enforcement? Where have violations been attempted, and what was done about those attempts? All audit reporting identifies the user name and the relevant policies. Because user names, assets and IP addresses are searchable, rapid and responsive compliance reporting is possible. Network usage is auditable by user name, end host, application, server, and time and duration of transactions.

EMA's Perspective

Until now, most companies have focused on regulatory penalties when estimating the cost of non-compliance. To estimate the average risk to which enterprises are exposed, EMA averaged either the maximum prescribed criminal penalty or the penalties imposed in actual cases across six compliance domains covering corporate governance, financial services regulation and information privacy. It found that the average maximum criminal penalty in these cases was over US$5 million. Taking a mere five percent of that figure as an estimate of the far more probable civil penalties (that is, for simply failing to comply, as opposed to criminal intent), the annual risk to an enterprise is still more than US$250,000, per mandate, per year, since compliance is typically reckoned annually.
Particularly for industries facing multiple requirements, this scale indicates how serious an issue compliance breach prevention has become. Now that many compliance initiatives are in effect, EMA expects that auditors will increasingly look for continuous improvement of compliance processes in their annual reviews. That means enterprises need to extend their IT compliance efforts beyond one-size-fits-all authentication that simply grants or denies users access to the network. In their annual compliance reviews, auditors and outside regulators are expected to look for increasingly granular, real-time, continuous enforcement of the behavior of each individual IT user or information consumer. The intention of this level of granularity is to gain visibility into non-compliant behavior as specifically as possible, and by definition such granularity is most effective when it pinpoints the source of the behavior itself. This highlights the value of solutions that enforce security and compliance policies at the point of network access. Nevis Networks exemplifies the type of real-time, continuous compliance enforcement solution that this increasingly demanding regulatory climate will require, not just to contain breaches and punish offenders but to achieve the actual aim of regulatory mandates: preventing non-compliance before the fact wherever possible. By focusing on the point of network access, the Nevis LANsight system not only enforces compliant behavior by sharply defining access privileges and making all other access unavailable, it also provides a point of high leverage and control for managing a number of security and compliance risks before they can reach the network, let alone sensitive information resources.
This represents a new class of network security and compliance solutions that not only increases the value of the strategic investment made in front-line enforcement tools such as identity management, but leverages the network itself as a primary tool for extending process disciplines, access controls, user and trust group management and threat protection with high granularity, down to the level of each individual user and system that interacts with high-value IT assets.

Appendix A: Nevis Networks Regulatory Support – Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 mandates the adoption of corporate governance standards for many public companies and registrants with the US Securities and Exchange Commission (SEC). Section 404 of the Act specifically requires companies to report annually on their internal controls over financial reporting. In enforcing these provisions of the Act, the SEC has established the following:
• SEC compliance rules mandate the use of a recognized internal control framework. These rules make specific reference to the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) directly related to the preparation of financial statements and the safeguarding of assets.
• In 2004, the SEC approved the adoption of the US Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2 (PCAOB Release No. 2004-003), establishing a standard governing the auditing of internal controls relevant to the Act.
These standards have direct implications for IT systems involved in compliance with Sarbanes-Oxley (“SOX”).
While many internal control frameworks have been adopted in response, the following are examples of common framework elements relevant to IT, with examples of how Nevis Networks helps to support compliance.

PROCESSES

Domain: Key areas of IT focus in implementing SOX-compliant business processes include:
• Strategic planning, development, acquisition and maintenance of IT resources
• Assessment of IT-relevant risks
• Personnel management
• Development of policies and procedures
• Management of configuration and change
• Event and incident management
Relevance to SEC Standards: COSO: Control Environment, Control Activities, Information and Communications, Monitoring, Risk Assessment. PCAOB: Program Development, Program Changes, Computer Operations, Access to Programs and Data.
Nevis Networks Support: The Nevis Networks solution helps support the implementation of SOX-compliant business processes through:
• The classification of users and IT resources according to risk and compliance sensitivity
• Capabilities for real-time enforcement of which users should have access to which resources, according to defined policy
• Tools for managing changes to access rights and privileges
• Strong process enforcement through controls on the network environment
• Finely grained reporting and alerting of all network activity
• Automated elevation of alerts in response to attempts to subvert IT controls
• Automated engagement of stronger IT controls in response to an attempted compliance breach

CONTROLS

Domain: Asset classification and control
Relevance to SEC Standards: COSO: Risk Assessment, Control Activities. PCAOB: Computer Operations, Access to Programs and Data.
Nevis Networks Support: Networks, servers, applications and users are defined within LANsight Security Manager in order to create a comprehensive access control or security policy.

Domain: Appropriate separation of duties and division of responsibilities, including user authentication, access control, and controls over the complete user account lifecycle (policy definition, account creation, modification, suspension, revocation, closure)
Relevance to SEC Standards: COSO: Risk Assessment, Control Activities, Monitoring. PCAOB: Computer Operations, Access to Programs and Data.
Nevis Networks Support: Nevis' dynamic access control feature enables simple, robust definition of system access based on groups or job responsibilities.

Domain: Network security controls, including perimeter security, intrusion detection and prevention, anti-malware and protection against software and application vulnerabilities
Relevance to SEC Standards: COSO: Risk Assessment, Control Activities, Information and Communications, Monitoring. PCAOB: Computer Operations, Access to Programs and Data.
Nevis Networks Support: LANenforcer uses signature matching together with network, protocol and behavioral anomaly detection, and can deploy this technology to every port on the LAN.

Domain: Protection of sensitive data, in storage as well as in transit, including encryption where appropriate
Relevance to SEC Standards: COSO: Risk Assessment, Control Activities. PCAOB: Computer Operations, Access to Programs and Data.
Nevis Networks Support: LANenforcer enables the straightforward deployment of data encryption in combination with host protection and access control. An administrator defines a “Secure Asset” for servers that contain high-risk personal information. Once defined, LANenforcer automatically and transparently configures IPsec tunnels from the client endpoint to the server endpoint, and all data is encrypted with 128-bit AES. This helps to reduce capital costs such as VPN concentrator hardware and the operational costs of VPN client software. The Secure Asset functionality automatically configures access control policies and audit logging for all access to the protected information.

Domain: Enforcement of IT configuration and change controls
Relevance to SEC Standards: COSO: Risk Assessment, Control Activities, Monitoring. PCAOB: Computer Operations, Access to Programs and Data.
Nevis Networks Support: Nevis tracks all changes made in the LANsight Security Manager (user identity, date and action taken), allowing IT to monitor all security policy changes closely.

AUDIT-WORTHINESS

Domain: Monitoring and ongoing evaluation of the IT environment
Relevance to SEC Standards: COSO: Risk Assessment, Control Activities, Information and Communication, Monitoring. PCAOB: Computer Operations, Access to Programs and Data.
Nevis Networks Support: LANenforcer automatically monitors network activity for attempted policy violations, prevents the violations and alarms on the attempts. Because of its policy creation and enforcement features, the LANenforcer makes it simple to monitor and enforce compliance among employees, third-party personnel and all other users on the network.

Domain: Exception or event alerting and notification
Relevance to SEC Standards: COSO: Risk Assessment, Control Activities, Information and Communication, Monitoring. PCAOB: Computer Operations, Access to Programs and Data.
Nevis Networks Support: All monitored network, security and access events are forwarded to and stored by LANsight Security Manager, where they can trigger actions including alarms and alerts.

Domain: Control adequacy
Relevance to SEC Standards: COSO: Risk Assessment, Monitoring. PCAOB: Program Development, Program Changes, Computer Operations, Access to Programs and Data.
Nevis Networks Support: IP and MAC addresses are weak identifiers of network activity, since either can be manually changed or “spoofed.” By tying the authenticated user name to every network, security and access event, LANsight lets administrators attribute a security event to a particular user rather than to an address.

Domain: Control audit and validation, internal as well as external and independent
Relevance to SEC Standards: COSO: Control Environment, Monitoring. PCAOB: Program Development, Program Changes, Computer Operations, Access to Programs and Data.
Nevis Networks Support: The comprehensive reporting capabilities of LANsight support the direct documentation of the IT controls actually in place, helping to enforce SOX compliance and to credibly demonstrate mandated controls.

Appendix B: Nevis Networks Regulatory Support – SB 1386 (California Law on Notification of Security Breach)

Senate Bill 1386 (“SB 1386,” also introduced as Assembly Bill 700) of the 2001-2002 session of the California State Legislature was adopted and took effect on July 1, 2003, amending and adding Sections 1798.29, 1798.82 and 1798.84 to the California Civil Code provisions (Section 1798 et seq.) known as the Information Practices Act of 1977. SB 1386 mandates that government agencies, persons and businesses in California notify any California resident whose unencrypted personal information has had its security, integrity or confidentiality compromised by unauthorized acquisition. Personal information subject to the notice requirement is the combination of name (first name or initial and last name) plus any of the following: a) driver's license or California Identification Card number; b) Social Security number; or c) financial account, credit or debit card number in combination with any security code, PIN or password that would enable access to the individual's financial account.
In the event of a breach, the law requires that notification be given “in the most expedient time possible and without unreasonable delay.” Nevis Networks LANsecure technology, implemented in Nevis' LANenforcer LAN security systems and LANsight solutions, offers LAN security functionality that provides a framework for implementing the processes, controls and audits that help support compliance efforts relevant to SB 1386. Features of these offerings include:
• Dynamic access control, readily enabling definitions of who has access to which resources on the network, which supports the enforcement of control at every port on the LAN
• Management reporting
• Highly detailed event management
• Key features supporting compliance enforcement, such as Secure Asset and transparent VPN encryption

The Office of Privacy Protection of the California Department of Consumer Affairs has published its Recommended Practices on Notification of Security Breach Involving Personal Information [1], which includes the following recommended practice guidelines for information protection, incident prevention and notification preparation relevant to SB 1386. These guidelines are correlated with examples of how the Nevis Networks solution helps to support their guidance.

PROCESSES

Recommended Practice: Inventory records systems, critical computing systems and storage media to identify those containing personal information. Include laptops and handheld devices used to store personal information.
Nevis Networks Support: Nevis' LANsight provides IT with an audit trail of all user network activity, recording which users attached to which resources and when.

Recommended Practice: Classify personal information in records systems according to sensitivity. Identify notice-triggering information.
Nevis Networks Support: Nevis' LANsight can alert IT should a user attempt to access a resource for which he or she does not possess access rights.

Recommended Practice: Review your security plan at least annually or whenever there is a material change in business practices that may reasonably implicate the security of personal information.
Nevis Networks Support: Nevis' LANsight integrates reports that assist in planning activities as well as in day-to-day operations management.

Recommended Practice: Before sending individual notices [in the event of a notice-triggering incident], make reasonable efforts to include only those individuals whose notice-triggering information was acquired.
Nevis Networks Support: The granularity of control offered by Nevis' solution gives highly specific visibility into exactly who had access to which information resources at what time. This limits the potential scope of an SB 1386 incident to a known range of specific individuals, resources, times and methods of access, which in turn can significantly limit the impact of a notification event.

CONTROLS

Recommended Practice: Use physical and technological security safeguards as appropriate to protect personal information. Authorize employees to have access to only the specific categories of personal information their job responsibilities require. Where possible, use technological means to restrict internal access to specific categories of personal information. Remove access privileges of former employees and contractors immediately.
Nevis Networks Support: Nevis' dynamic access control enables simple, robust definition of system access based on groups or job responsibilities.

Recommended Practice: Use intrusion detection technology and procedures to ensure rapid detection of unauthorized access to higher-risk personal information.
Nevis Networks Support: LANenforcer uses signature matching together with network, protocol and behavioral anomaly detection to identify and prevent known and unknown intrusions, and can deploy this protection to every port on the LAN.

Recommended Practice: Wherever feasible, use data encryption, in combination with host protection and access control, to protect higher-risk personal information. Data encryption should meet the National Institute of Standards and Technology's Advanced Encryption Standard.
Nevis Networks Support: LANenforcer enables the straightforward deployment of data encryption in combination with host protection and access control. An administrator defines a “Secure Asset” for servers that contain high-risk personal information. Once defined, the LANenforcer automatically and transparently configures IPsec tunnels from the client endpoint to the server endpoint, and all data is encrypted with 128-bit AES. This helps to reduce capital costs such as VPN concentrator hardware and the operational costs of VPN client software. The Secure Asset functionality automatically configures access control policies and audit logging for all access to the protected information.

Recommended Practice: Plan for and use measures to contain, control and correct any security incident that may involve higher-risk personal information.
Nevis Networks Support: Nevis' LANsecure technology offers three benefits for companies seeking to contain, control and correct security incidents: 1. Role-based access control, which allows the administrator to restrict access to high-risk personal information before incidents happen. 2. Encrypted access to secured resources. 3. Comprehensive audit and reporting of all user network activity, retrievable by a query on the user's name: what did the user access, and when? Once a threat is detected, whether by policy violation, signature match or network anomaly, rapid threat containment features are invoked. For servers containing high-risk personal information (“Secure Assets” as defined by Nevis Networks products), security events are raised in priority by the event correlation system. This priority elevation automatically increases the sensitivity of behavioral anomaly detection, which in turn drives alarms, quarantine of attacking or threatening hosts, and isolation of the systems at risk.

AUDIT-WORTHINESS

Recommended Practice: Monitor employee compliance with security and privacy policies and procedures. Include all new, temporary and contract employees in security and privacy training and monitoring. Monitor and enforce third-party compliance with your privacy and security policies and procedures. Monitor employee access to higher-risk personal information.
Nevis Networks Support: LANenforcer automatically monitors network activity for attempted policy violations, prevents the violations and alarms on the attempts. Because of its policy creation and enforcement features, the LANenforcer makes it simple to monitor and enforce compliance among employees, third-party personnel and all other users on the network.

Recommended Practice: Document response actions taken on an incident. This will be useful to your organization and to law enforcement, if involved.

Recommended Practice: In determining whether unencrypted notice-triggering information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person, consider the following factors, among others: 1. Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information. 2. Indications that the information has been downloaded or copied. 3. Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported. If you cannot identify the specific individuals whose notice-triggering information was acquired, notify all those in the groups likely to have been affected, such as all whose information is stored in the files involved.
Nevis Networks Support: The granularity of control offered by Nevis' solution gives highly specific visibility into exactly who had access to which information resources at what time. This limits the potential scope of an SB 1386 incident to a known range of specific individuals, resources, times and methods of access, which in turn can significantly limit the impact of a notification event.

[1] Office of Privacy Protection, California Department of Consumer Affairs, Recommended Practices on Notification of Security Breach Involving Personal Information, October 10, 2003, http://www.privacy.ca.gov/recommendations/secbreach.pdf

About Enterprise Management Associates, Inc.

Enterprise Management Associates, Inc. is the fastest-growing analyst firm focused on the management software and services market. EMA brings strategic insights to both vendors and IT professionals seeking to leverage areas of growth across e-business, network, systems, and application management.
Enterprise Management Associates' vision and insights draw on its ongoing research and on the perspectives of an experienced team with diverse, real-world backgrounds in the IT, service provider, ISV and publishing communities; EMA is frequently asked to share its observations at management forums worldwide.

Corporate Headquarters: Enterprise Management Associates, 2585 Central Avenue, Suite 100, Boulder, CO 80301, U.S.A. Phone: 303.543.9500 Fax: 303.543.7687 info@enterprisemanagement.com www.enterprisemanagement.com

1135.060606

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system, or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. ©2006 Enterprise Management Associates, Inc. All Rights Reserved.