Survey: CEOs Crave Better Perimeter and Access Controls

Not knowing who’s accessing what is a recipe for auditing disasters

What’s the most important IT investment for the next two years? No surprise that in a survey, 97 IT executives in a range of industries cited security as their chief concern, trumping any other worries by a three-to-one margin.

For companies highlighting security as their top concern, improved perimeter controls and access controls were the highest priorities. Respondents also cited complying with industry and government regulations as a pressing concern, and said it was the most-important factor in their IT spending for the upcoming year.

Those results come from a survey conducted by Simon Management Group (SMG) for security appliance vendor Gold Wire Technology between October 2003 and February 2004. Participants included CIOs, vice presidents, directors and senior managers of IT and information security in medium-size and large organizations. Over half of the respondents hailed from companies with more than $1 billion in annual revenues.

According to Boston-based Yankee Group, operator access-control problems are pervasive, with 58 percent of large retailers admitting they’d fail an audit against Visa’s stringent Cardholder Information Security Program (CISP) because of poor access control. In addition, 68 percent of large retailers use what Yankee characterizes as inadequate infrastructure access controls.

“Operator access control techniques have been sorely neglected,” says Thomas Browne, Gold Wire Technology’s CEO. While poor access control techniques means companies “won't pass an audit under Sarbanes-Oxley, ISO 17799 or [CISP],” he says, the new study also shows “IT executives are becoming aware of their vulnerabilities and are actively seeking to address them.”

Thank regulations for focusing their concerns. “Regulatory and standards compliance is placing pressure on IT executives and managers to better manage, secure, and control technology infrastructure,” says IDC analyst Stephen Elliot. “Controlling configuration changes through access controls, configuration verification, and change process enforcement is finally receiving the attention it deserves from IS organizations.”

Organizations are overhauling those controls, helping boost the overall identity management market, predicts Yankee, from $2.3 billion in revenues in 2003 to over $3 billion by 2007.

One solution to improving infrastructure access controls is to implement single sign-on to a variety of network-access devices, including firewalls and routers. A number of companies offer software or appliances to do that. Some smaller, relative newcomers include Alterpoint, Gold Wire Technologies, Rendition Networks, Tripwire, and Voyence.

Staples recently deployed Gold Wire’s management appliance, Formulator, to help control access to network devices across its nearly 1,600 retail locations. The appliance enables the company to centralize access control to network devices, track device-configuration changes, and verify devices are compliant with Staple’s internal policies. The product also maintains an audit trail of all device changes.

Besides helping organizations comply with regulators, single sign-on and centralized infrastructure management makes it much easier to apply changes across the site, no matter how geographically dispersed. Case in point: Staples says it has reduced the time needed to make changes to all network devices “from days to hours.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.