There is no standardized, sure-fire way to enforce user security policies. That leaves lots of room for creativity and even more room for error, according to security management expert Todd Lawson.
Policy-based management, or the enforcement of user security policies, is an extension of managing user identity and enterprise access rights. Because there are many approaches to policy management, goals can be hard to define, said Lawson, president and CTO of Orem, Utah-based NetVision, Inc., a security management software company.
To help IT managers define goals and avoid common security enforcement mistakes, he offered these "dos and don'ts" tips.
Do focus on user activities. "Policies must focus on user activities, particularly activities of authenticated users inside the firewall," said Lawson. Whether the users are employees, customers, or partners, most policy violations are still perpetrated by insiders, not by outside hackers. "Internal security holes are usually created by people, not technology," he said.
Don't forget to detect events in real-time. Don't query log files and session data just once a week or even once a day, said Lawson. Proactive, real-time detection identifies policy breaches in time to stop them before the damage is done, he said.
Do establish an ironclad policy breach response process. "Identifying a policy breach in real-time is only partially effective," Lawson said.
Do set up a three-phase policy enforcement process: correct, alert and audit.
- First, establish a way to quickly correct or restore what was changed by the policy violation.
"The system should effectively disallow an inappropriate action by fixing it or restoring it to its
proper state upon detecting the attempt to change it," Lawson said.
- Then, set up a policy enforcement system that notifies both the user and management when a
violation occurs. It must educate the user as to what policy was violated and how to comply in the
- Finally, be sure to log and audit the event to verify what happened, who did it, when it was done and what resulted. "This creates awareness and future deterrent," he said. "It also documents a secure audit trail which can be used as forensic evidence in court if needed to prove that the event took place and when."
Do customize event filtering. "Internal security risks fall into three general categories: mistakes, intentional mischief and user ignorance," said Lawson. Keep in mind that not all events are of the same magnitude. Security policy breaches can range in seriousness from "innocent" to "suspicious" to "malicious," said Lawson. Set up a good policy management process for filtering and categorizing events as they are detected.
This was first published in August 2002