In-Depth
SAM Delivers Multiplatform Security
Security is an increasingly important component of effective systems management. Mission-critical applications are proliferating and becoming more complex. At the same time, businesses are extending application access to greater numbers of end users – from consultants and temporary contract personnel working onsite, to external business partners and distant customers using private extranets and the Internet. At no previous time has there been a greater perception of the need for efficient security management.
To achieve control over access to sensitive applications and data located on host systems throughout the business enterprise, many companies are turning to vendors for automated security administration tools. Like Serge Beaulieu, IT Security Head for Aetna Information Management Services (Middletown, Conn.), they are finding that no silver bullets exist to solve the problem of enterprise security management. The problem of information security – and its solution – are too complex to be shrink-wrapped.
Policy and Infrastructure Are Key at Aetna
Beaulieu is no stranger to large-scale security administration requirements. His group manages 60,000 security credentials for 33,000 employees. In addition, they handle the administration of access to 600-plus NT network servers, more than 130 UNIX and VMS midrange systems, 800-plus Novell servers and 11 mainframes with 26 logical partitions operating under a mixture of security systems and hosting a wide array of database management systems (DB2, Oracle and Sybase).
In 1995, Beaulieu was tasked with finding a solution to address problems in existing security administration procedures. At that time, says Beaulieu, security administration at Aetna was "complex, inefficient and had audit and security compliance gaps" and procedures were "prone to errors and omissions, cumbersome and fragmented." He determined, early on, that what was needed was more than an off-the-shelf access management tool. To deliver information security to meet the company’s evolving requirements, Aetna needed a policy-based management capability.
Beaulieu believed in the concept of "Role-Based Access Control" and through his discussions with Schumann Security Software (Laurel, Md.), quickly seized on the model – and on Schumann’s security infrastructure product, Security Administration Manager (SAM) – to begin building a solution for Aetna.
"We began a project with the overall goal of improving the efficiency of security administration and monitoring. Our solution involved the redesign of workflows, the automation of administration where it made sense to do so and the establishment of a single point of contact for security administration and access control. Our aim was not to deploy a particular product to solve our problems, but to combine a role-based access control methodology together with appropriate security tools."
Beaulieu says that SAM provided a tool to build a repository "of who has access to what." He reports that SAM provided his group with the means for automating the administration of IDs and password resets in Top Secret, UNIX and NT, as well as integration points for interfacing SAM with other production applications.
"We acquired the product in First Quarter of 1997, tested it from April until May, then built an interface between SAM and our Human Resources systems to create a centralized repository of what employees have access to, based on our master personnel records."
The HR system link provided a powerful tool for managing additions and deletions of employee access rights in Aetna mission-critical systems. The link eliminated paper forms previously used to set up access and mitigated the likelihood of error in redundant data entry processes.
Seeing the potential of SAM as a means for improving the efficiency of access administration, Beaulieu turned his attention to the security requirements represented by thousands of temporary workers not handled by corporate human resources. SAM’s role was expanded to include the control and management of access rights afforded by all non-permanent staff.
"We work with seven to ten thousand temporary employees, including temps, contract employees and consultants, at any given time. Using SAM, we added all of these non-employee personnel to create a repository of all our employees and non-employees and their corresponding access rights."
Says Beaulieu, SAM was brought online for administering access to mainframe applications first. By October 1997, access to NT server-hosted applications was transitioned to SAM.
At approximately the same time, Beaulieu recounts, SAM was combined with a help desk Voice Response Unit (VRU) to provide an automated resource for end users who had forgotten passwords, "The VRU system brought some relief and some cost reductions to help desk operations. If an individual forgets his or her password, they select a password reset option when they call the help desk line. They enter their ID, then they can reset their password by responding to a SAM-directed challenge. Basically, the challenge uses a personal information algorithm to build a reset password. Only the individual employee would know the information used to build this reset password."
Beaulieu stresses that the SAM-VRU system doesn’t change a user’s password, "It only resets the password to a temporary password that is good for one use. Once the user logs on with the reset password, they are immediately challenged by the system they have accessed to enter a permanent password."
"Using the VRU-based password reset approach cut back on the volume of help desk calls related to password resets by 30 percent," Beaulieu says. He adds that the new system has reduced the time required to handle password-related calls from four minutes for an operator-assisted reset to about one-and-a-half minutes. In March, he reports, additional SAM help desk functionality was rolled out that "provides the same functionality as the VRU system, but presents it on a screen so the operator can guide the end user through the reset process."
Beaulieu reports that his implementation of SAM to date has focused on security administration infrastructure components, such as an access repository and several key administration elements, that are prerequisites for security administration efficiency. However, the work has not stopped with a product implementation.
"We are going to a role-based access control methodology using SAM. We are documenting access requirements by job and defining job models [as part of pilots initiated in our field offices and elsewhere]. Fifty-two models have been generated thus far. These models will be used to identify roles that can be used to assign security more efficiently."
In time, Beaulieu envisions that a single electronic form will be completed by employees or electronically-triggered, based upon a new hire in the HR system, to identify their jobs.
"The electronic form or trigger will be used to add a user to a centralized security administration facility and to ensure that all of the proper accesses are provided."
Beaulieu says that his enhanced role-based access procedures may also lead to efficiencies in other aspects of information systems management at Aetna, "It is possible that these forms and triggers will also be used by our Distributed Computing Administration personnel to ensure that the appropriate software is automatically distributed to the end user’s desktop."
In the meantime, Beaulieu reports that significant gains in security administration efficiency have already been realized, "The business case for developing streamlined security administration is compelling. We used to have a five day turnaround on user access requests and a significant backlog. With the work that we have done thus far, we have eliminated the backlog and we have documented a 55 percent reduction in turnaround time on user security set up. We are accomplishing more in the same timeframe. Since we deployed SAM, we have increased the number of security requests we are able to handle by 113 percent. 45,000 employees are now centrally managed through SAM. At the same time, we have made significant strides in our audit and security compliance capabilities."
Colonial Penn Realizes Cost Efficiency Goals
Beaulieu’s positive experience with SAM and role-based access control is echoed by Ken Cooper at Colonial Penn Insurance (Philadelphia, Pa.). Cooper, a Data Security Administrator, recalls his requirements in 1996 for a security administration solution.
"We had a population of about 2,000 users, and growing, who required access in various combinations to IBM OS/390 mainframe applications, DB2 databases, and Novell and NT hosts. There were IDs required to access the network, plus we used RACF on the mainframe and DB2 with access controls. The typical end user was a customer service representative who needed different accesses at different times to different systems."
Cooper says that most security administration systems available at that time consisted of authentication credential management utilities. These products could be used to centralize user IDs and passwords in a cross-reference list in order to provide single sign-on access for users, but they did not address the longer-term problem of account administration.
"It was difficult enough to keep track of user IDs, but we needed more [than credential management systems could offer]. We needed to find a way to locate a person’s access on every system in the company and to delete it if a person changed jobs or left the company."
Cooper describes the job of overseeing the security of companywide information resources with a staff of only two persons as nothing short of Herculean, "We needed to find a security management solution that would support the streamlining and automation of security administration processes. We looked at various products. Everyone had pamphlets, but no one showed us a product that would provide a cost-effective solution."
That was, until a demonstration of SAM, conducted by Schumann Security Software in late September. "SAM offered the capabilities and cost-benefits we were seeking," says Cooper.
According to Cooper, SAM allows his staff to manage authentication credentials and to access the actual access control facilities of various application hosts, "SAM gives us a centralized point of control. We can set up worlds: [customized TSO-accessible panels that contain typical security definitions associated with specific types of users]. We use a TSO session to access SAM’s ISPF panel interface. Then, this console is used to establish and maintain every user’s access rights on every system and network in the company."
Cooper adds that the product has enabled him to offload some password administration tasks to the company help desk, "The help desk can resume and reset passwords upon request of a user who may have forgotten his. We are in the process of implementing SAM’s new help desk functionality that will speed up this function."
T. Rowe Price Leverages SAM Layers
According to Randy Hulse, Enterprise Security Team Member with T. Rowe Price (Baltimore), the quest for "an overall security management, analysis and automation solution" for the financial services and investment firm led him to the determination that only SAM could meet his company’s enterprise security needs.
"We considered products from two other vendors besides SAM. By July 1997, we had determined that SAM offered the right set of capabilities for our environment. It included interfaces for the operating systems we wanted to work immediately, plus the ability to be customized to support projects we wanted to work later."
Hulse says that one strength of SAM is that it provides "a single interface to manage all our major operating systems." This continues to be important given the diversity of systems deployed by the company, the more than 9,000 IDs that need to be administered and the corporate IT culture at T. Rowe Price, which Hulse says favors centralized management and control.
"We had SAM managing Netware 3 and 4 network servers, which were converted to Microsoft Windows NT. Today, NT comprises several domains and 100-plus servers. We also have Sun Solaris and IBM AIX operating systems on 100-plus servers, several Distributed Computing Environment cells and two MVS/ESA mainframes. Obviously, we needed an operating system-independent product for security administration. We also needed something that could provide batch security updates within each system. SAM fit the bill."
"We did an initial load and testing of SAM in October 1997, then built a production database and began deployment in November. SAM was in operational use by February 1998 and in production on all systems by mid-May," Hulse recounts.
"SAM makes it practical for six people to manage all of the security administration for 4,000 personnel. We have the ability to manage accounts and groups in the major operating systems. We can also manage resources to varying degrees depending on the operating system. We particularly like the batch update mode, which enables us to make large updates at night."
These are baseline functions to Hulse, however, "Now we are moving up to higher levels [of abstraction]. We are building models for application-based access control – identifying typical access requirements based on application use. These groups will coalesce into roles.
Eventually, an employee will be identified by a role and will automatically receive all application accesses based on that role," Hulse says.
Developing a role-based security model will take time, Hulse notes, saying, "It is a bigger project than anticipated. There are many nuances to consider and the user community has to be a willing participant."
In the meantime, he is happy with the efficiencies that are being realized with SAM in day-to-day operations, "Synchronizing user IDs across multiple UNIX boxes, independently of the UNIX operating system version and hardware platforms is a challenge. With SAM, we can do in a few minutes what used to require days. SAM really gets beneficial when you consider how it expedites account setup."
SAM Advances Security Administration to the Next Level
Like his counterparts at Aetna and Colonial Penn, Hulse says that the infrastructure provided by SAM enables true security administration. In the past, "security administration systems" have been offered by vendors who promised that they would simplify security management by providing a "single point of authentication" – or single sign-on access – for all applications in the organization. While such systems have contributed to the simplification of user access to applications disbursed across heterogeneous platforms, they have created more problems than they have fixed with regard to improving the overall efficiency of cross-platform security administration.
With most authentication management products, a new authentication management host must be implemented to cross-reference user-entered IDs and passwords with a listing of credentials (other ID/password pairs) associated with the user and with each application host. If the correct ID and password are entered by the end user, and if this ID/password pair is recognized by the management system which successfully transmits the correct set of cross-referenced credentials to the correct application host, access is granted to the user for the application he is seeking. This process is transparent to the user, and provides the illusion of one-time ID/password entry for access to all appropriate information system resources.
While helpful, such a security administration approach is limited in several ways. First, the authentication administration system must be compatible with all of the heterogeneous operating systems that are in use at the business. Stated simply, the system must be able to communicate with the login facilities of any installed mainframe, midrange and small server operating system in order to pass "authenticated" user credentials for access.
Secondly, for this security administration approach to be successful, substantial effort must be undertaken to set up user permissions and access controls within each host system. Setting up secure "accounts" for the same end user on several systems requires that work be performed by a systems administrator (and a database administrator, depending on the application involved) for each and every host (or database) involved. This is tedious and labor-intensive activity that must be undertaken successfully so that each end user is afforded proper access rights once authenticated.
In fact, setting up and maintaining user access rights is among the most labor-intensive activities in security management. This burden is not mitigated in the least through the deployment of authentication management systems. Such systems, in fact, exacerbate the labor costs of security management by adding yet another server – the authentication management system host itself – to the list of servers that must be kept current with user credential information.
Given the "security management systems" described above, it is no wonder that the mention of centralized security administration often causes an IT professional’s eyes to glaze over. Security administration products have traditionally increased, rather than decreased, the workload on security administrators. They offered little capabilities designed to streamline security administration. Few enabled the resetting of passwords on application host systems. Fewer still provided security administrators with the ability to manipulate application host access controls, which are used to set up and remove user permissions.
According to Philip Rosch, Managing Director for Giga Information Group IT Practices (Norwell, Mass.), authentication management systems reflect a growing trend within corporate IT toward recentralization of security management and policy-making processes. He is quick to point out, however, that early efforts at recentralizing security management have suffered from a lack of discipline and capability.
"Implementing an effective system for role-based access control entails more than implementing a tool. Tools are important, but they must be preceded by a plan. Companies need the discipline to work their plan, to stay with it. Moreover, the tools that are eventually implemented must be non-invasive. You must be able to bring them on board without disrupting current security and in a way that considers existing security systems – even home-grown ones."
Rosch points out that he rarely evaluates specific security products, but instead focuses on determining how products are being used and what results they yield, "In the case of Schumann Security Software’s Security Administration Manager, I have met with several companies that have had very good experiences with it."
According to the experiences of SAM users described above, and of those companies studied by Rosch, the architecture of the SAM solution – its central security directory, in particular – provides deep support for access control at the system level. SAM provides more than simple administration of user IDs and group permissions; it also enables integration with automated management and control technologies, such as Voice Response Units and automatic password reset processes.
About the Author: Jon William Toigo is an independent writer and consultant specializing in business automation solutions. He can be reached at (727) 736-5367, or via e-mail at jtoigo@intnet.net.