Where our team of guest writers discuss what they think about the current FST US Issues.

Security without identity is like trying to catch a thief without knowing who the thief is. Networking is no different, even more so in today’s mobile workplace. This is especially true for the finance industry, where authentication, access and accountability are major IT business issues. For finance organizations, it is becoming increasingly important to know not only “what” is happening on the network and “when,” but also “who” the responsible party is. As more regulations are being pushed onto organizations of all sizes, it is becoming increasingly important to manage networks and security with identity. Companies with limited budgets and resources are getting squeezed as mandates are demanding more accountability and better record keeping of who is accessing what and when.
Sarbanes-Oxley and HIPAA garnered a lot of attention in past years. And just recently, the United States amended the Federal Rules of Civil Procedure to pass laws to enforce stricter tracking and retention of digital information that affects companies of all sizes. As of December 1, 2006, all companies must produce electronically stored information as evidence in civil court cases to facilitate faster processing. For the purposes of compliance, reporting, forensics and network health, companies must seek cost-effective security tools that provide deeper visibility into user activity within the network – or risk the consequences of non-compliance.
But what does all of this mean for finance organizations? Integrating identity management and instant user identity resolution for security and network issues has not been easy. With heterogeneous network and security environments, identity management has become a large and overwhelming task for corporations of all sizes. Trying to control user accounts and track user activity spread out over a multi-vendor environment that was not designed to work together is impossible to do with native tools. And trying to correlate user activity, security alerts, network events and logs to produce centralized reports and audit trails for compliance reporting and record keeping has been a time-consuming manual task that has increased costs significantly for finance organizations large and small.
IDsentrie Appliance - Instant Identity Resolution, Password Management and Authentication
To help solve these pain points, A10 Networks provides affordable plug-and-play appliances that integrate networking, security and identity management features. A10’s IDsentrie network identity management appliance provides instant user identity resolution to any IP or MAC address through its IP-to-ID Service to immediately track which users are responsible for network activity. This functionality is deployed without a team of expensive consultants and through a vendor-neutral approach. IDsentrie provides generic as well as high-performance interfaces for any third-party vendors to quickly and easily resolve identity for any IP address in the network.
Especially in the finance market where customers’ online accounts and identities must be password protected, up to 40 percent of help desk time can be spent with password and account problems and forgotten passwords. The User Self Help Service within A10’s IDsentrie appliance empowers users with the ability to update passwords, reset locked accounts, recover from lost and forgotten passwords, and change account profile information through a Web-based portal - without summoning IT or help desk staff for support. The User Self Help Service within IDsentrie greatly reduces costs associated with password resets and account updates, while freeing up the help desk for other critical tasks and helping users and clients to manage their accounts much more effectively.
Other useful features in A10’s IDsentrie appliance include those that can help organizations manage users in different Enterprise directories – such as user account provisioning and authentication & guest access control. Simplifying user account management through the consolidation of user information from multiple data stores into a single, manageable virtual directory, IDsentrie provides provisioning, management and deprovisioning of user accounts from one central interface allowing for quick changes, which can be synchronized across all data stores to help improve accuracy, usability and security while lowering overhead. IDsentrie’s network authentication component provides centrally managed authentication services for remote access servers, wireless components, switches, routers and security devices such as firewalls to improve security and access controls.
Network security with identity gives administrators and security personnel a powerful tool for locating security issues, complying with different regulatory policies and, most importantly, better serving their companies by quickly and accurately protecting their valuable network resources from attacks and security exposures.
EX Series Appliance – Manage Bandwidth with Unprecedented User and Application Visibility
WAN optimization and visibility of bandwidth usage are also important for organizations where integrating identity with networking makes a lot of sense. Correlating and identifying which users are using how much WAN bandwidth allows system administrators to intelligently manage precious WAN resources.
The EX Series bandwidth management appliance by A10 Networks can manage capacity and traffic with unprecedented visibility into user activity for file transfers, email, instant messaging applications and more. Unlike traditional WAN bandwidth appliances, the EX Series integrates identity resolution services with bandwidth consumption, application usage visibility, quality of service, load balancing, and Denial of Service (DoS) protection. This is a good example of the advantage of combining identity, security, and network management in a single appliance. Organizations can now fully take control of their WAN resources to identify problem users and misbehaving applications instantly while scaling and bullet-proofing their Internet and WAN services and applications.
Network management tools combining security and identity management features can save IT engineers many hours per week by instantly tracking network and application activity to responsible users. After deploying networking tools with integrated security and identity management features, customers report that an average of 30 minutes can be saved for each network and security event that needs to be investigated. In some cases where users logged in from remote locations where DHCP, authentication, external and internal IP addresses are involved, resolving an IP address to the actual user can take hours. For organizations with tight resources, the integration of networking, security and identity management can greatly free up IT engineers to work on other critical projects and lower operational costs by dramatically reducing the time to track critical events and instantly identifying problem users. Organizations also reduce their exposure to risk and decrease the potential for damage to critical data infrastructures.
The need to better integrate identity management and identity visibility into network and security functions has gained a lot of attention, and both customers and analysts alike are now searching for more intelligent and intuitive ways to manage the network. A recent quote from Phil Schacter, vice president and research director at The Burton Group, demonstrates this need - “It’s only recently that identity forensics tools have been recognized as important to managing secure networks. Historically, identity awareness occurred in the networks only on the remote edges of the WAN but we expect over time, awareness of user information will be ubiquitous throughout the network.”
Another recent quote from Jon Oltsik, senior analyst for Enterprise Strategy Group reaffirms this trend – “Identity management is due for explosive growth as government initiatives, new device types, extranet applications and standards drive demand for better network information visibility and control. Vendors that deliver identity forensics within purpose-built network management tools provide value to customers by making identity integration cost effective, easy to deploy and easy to use.”
Security functions are an integral part of networking, and deploying networks without any security functions is unthinkable today. The same is true for the convergence of identity management and network security. In today’s highly mobile and distributed network environment, network security without instant identity is like running a large ship without a global positioning system that can immediately and accurately pinpoint locations and other ships. The risk of directing your ship into harm’s way because of the inability to quickly identify, assess and maneuver away from the risks in front of you is a catastrophe that can be avoided with the right technology today.
John Chiong, Director of Software Engineering for A10 Networks
John has more than 20 years of experience in systems and networking. He is also the author of two networking books: "Internetworking of IP and ATM" and "Interconnections SNA" (McGraw-Hill).
About A10 Networks
A10 Networks was founded in 2004 with a mission to provide innovative networking and security solutions. A10 Networks makes high-performance products that help organizations accelerate, optimize and secure their applications. A10 Networks is headquartered in Silicon Valley with offices in the United States, Japan, China and Taiwan. For more information, visit www.a10networks.com.