Developing a Comprehensive Remote Access Security Framework: Identities and Roles
Every enterprise should consider implementing a comprehensive remote access security framework in light of increased workplace mobility and the BYOD trend. In our last post on the topic, we highlighted what makes mobile endpoints, such as smartphones, tablets and laptops, so vulnerable to malicious attacks. One of the most common security risks networks face today is unauthorized network access, not only by unknown devices but also by known users connecting via insecure networks. A defense-in-depth security framework is necessary to prevent network breaches, and clearly defining and managing both device and user identities and roles is critical for enterprises to increase network security.
Efficient endpoint management can make up for the vulnerabilities inherent in the use of personal devices for work purposes, but companies need to know where to start. Every authentication, authorization, and accounting (AAA) event depends on the access credentials provided by the endpoint, so it’s important to find solutions that ensure credentials are valid. Establishing and clearly defining identities is a pretty safe bet, as identities or composite identities, which consist of a number of identity elements, represent the basis of any access transaction.
In the network communication context, an identity element is an attribute that is organized in specific repositories to verify various aspects of a device or user identity. Common user identity elements are usernames, passwords, PINs, certificates, etc., and device identity elements can include IP or MAC addresses, the model of the device, IMEI and more. If a user and device do not have all of the proper identity credentials, access to the network will be denied. This identity verification process allows IT administrators to be alerted, for example, when an unauthorized device attempts to access the network.
Additionally, chances are that a C-level executive is going to need access to more sensitive data than the entry-level employee will. That’s where the additional complexity of roles comes into play. If an IT employee is using the company iPad to work remotely, they’re unlikely to be granted access to invoices. On the other hand, a CFO really needs to be able to access that information, and based on his role, he would be allowed to do so.
Assuming the device and user identities have been verified, further restricting network access by roles limits the areas of a network a user can access and adds an additional security hurdle that people with malicious intent must clear to enter a corporate network.
Roles are determined by a lookup and mapping operation via a user directory or identity management system. A user may have the proper identity credentials, but if they do not have a certain AD group membership, for example, network access will be denied. Such restrictions make secure remote access more comprehensive and also a bit more human-proof.
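The composite identity check and the role lookup described above can be sketched as one deny-by-default decision function. This is an added example, not code from the original post; every username, PIN, MAC address, IMEI, group name and role name in it is constructed for illustration, and the in-memory dictionaries stand in for the identity repositories and user directory.

```python
import hashlib
import hmac

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

# Constructed sample repositories; every name and value below is hypothetical.
USERS = {
    "cfo":     {"salt": b"a1", "pin": _pin_hash("4821", b"a1"), "groups": {"Finance-Exec"}},
    "it-tech": {"salt": b"b2", "pin": _pin_hash("7730", b"b2"), "groups": {"IT-Staff"}},
}
DEVICES = {  # MAC address -> remaining device identity elements
    "00:11:22:33:44:55": {"model": "iPad", "imei": "350000000000001"},
}
GROUP_ROLES = {"Finance-Exec": "finance", "IT-Staff": "it"}
ROLE_RESOURCES = {"finance": {"invoices", "mail"}, "it": {"mail", "helpdesk"}}
ALERTS = []  # stands in for the notification sent to IT administrators

def decide(req: dict) -> tuple:
    """Return (allowed, reason) for one access request; deny by default."""
    # 1. User identity elements: username plus PIN, compared in constant time.
    user = USERS.get(req.get("username"))
    if user is None or not hmac.compare_digest(
            user["pin"], _pin_hash(req.get("pin", ""), user["salt"])):
        return False, "user identity not verified"
    # 2. Device identity elements: every element must match the registered record.
    device = DEVICES.get(req.get("mac", "").lower())
    if device is None or any(req.get(k) != v for k, v in device.items()):
        ALERTS.append(f"unauthorized device {req.get('mac')} used by {req['username']}")
        return False, "device identity not verified"
    # 3. Role lookup: directory groups -> roles -> resources the role may reach.
    roles = {GROUP_ROLES[g] for g in user["groups"] if g in GROUP_ROLES}
    allowed = set().union(*(ROLE_RESOURCES.get(r, set()) for r in roles))
    if req.get("resource") not in allowed:
        return False, "role does not permit resource"
    return True, "granted"

if __name__ == "__main__":
    ipad = {"mac": "00:11:22:33:44:55", "model": "iPad", "imei": "350000000000001"}
    print(decide({"username": "cfo", "pin": "4821", "resource": "invoices", **ipad}))
    print(decide({"username": "it-tech", "pin": "7730", "resource": "invoices", **ipad}))
    print(decide({"username": "cfo", "pin": "4821", "resource": "invoices",
                  **ipad, "mac": "de:ad:be:ef:00:01"}))
```

The second call shows a fully verified user and device still being refused because the role mapping does not cover the requested resource, and the third shows a valid user on an unregistered device producing an alert.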
Managing identities and roles should certainly be a part of developing a comprehensive remote access security framework, but they are not a strong enough defense on their own. Coming up, we will discuss how mobile device and network health and policy enforcement must also be a part of a bigger, defense-in-depth security framework.