INFO & INSIGHTS

END USERS: THE ACHILLES HEEL OF CYBERSECURITY
5 Key Considerations When Implementing User-Based Access Controls

End users, the very community of individuals chartered to preserve the integrity of your
business, embody a profound vulnerability point within your network’s security infrastructure.
By the year 2020, IDC expects mobile workers in the United States alone will account for nearly
three-quarters of the total workforce.[1] As a result, IP addresses are no longer an effective
proxy for end users as they are constantly moving to different physical locations and using
multiple devices, operating systems, and application versions to access the data they need.
It’s now critical to an organization’s risk posture to identify who the network’s users are –
beyond IP address – and the inherent risks they bring based on the device being used.

To control the threat exposure unknowingly caused by the end-user community and protect
your organization from breaches, leverage user-based access controls. With user-based access
controls, you can allow access to sanctioned applications based on user identity information,
rather than IP address, providing visibility into who is using which applications on the
network and who is possibly introducing threats into your organization by transferring files.

When applied correctly, user-based access controls can reduce incident-response times
and strengthen your organization’s security posture. Outlined below are five key points
to consider when applying user-based access controls to your next-generation firewall
(NGFW) security infrastructure.
1. Understand the organization’s user environment and architecture
To do this, ask yourself the following questions:
• In which locations does my organization operate? An organization might
operate in several different locations, such as a main campus, branch offices or
remote locations.
[1] U.S. Mobile Worker Forecast, 2015–2020, International Data Corporation (IDC), May 2015:
http://www.idc.com/getdoc.jsp?containerId=256194
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at
http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
• What authentication method is used in each location? Do users log in directly
to directory servers, or are they authenticated and authorized on wireless LAN
(WLAN) controllers, VPN systems or network access control (NAC) devices?
• What are the operating systems in each location? There could be heterogeneous
environments with Windows®, Mac® and Linux® capabilities or homogeneous
environments with only one OS.
• How do endpoints log on to the network? Are endpoints identified and
authenticated prior to logging on to the network?
2. Figure out supported user-to-IP mapping strategies, and determine the ones you will use
Figure out what user-to-IP mapping strategies are supported by your next-generation
firewall. A number of mechanisms are typically supported to identify
users – third-party proxy servers, WLAN controllers, terminal services agents,
directory service logs, and more.
Based on discoveries in the first step, select the user-to-IP mapping strategies that
apply to your environment.
3. Implement the selected user-to-IP mapping strategy for user visibility
Implement the selected strategy to gain visibility into users’ behavior. Collaboration
with other team members, such as IT architects, security operators and network
admins, is critical here.
This visibility will enable the identification of activities and usage patterns tied to
users, instead of IP addresses, including insights such as top users and browsing
history, top apps accessed by users in the marketing group in the last 24 hours, or
software-as-a-service (SaaS) application usage broken down by user – all providing
valuable data points around which to formulate appropriate user-based access
controls.
Share the visibility reports and data with other team members with whom you
collaborated.
4. Ensure business policies exist to justify user-based access controls
Before rolling out user-based access controls, ensure supporting business policies
exist that define access parameters. Typically, such policies are established by
Human Resources (HR) and Legal. If such policies do not exist, collaborate with HR
and Legal to establish policies, leveraging the user-based reports as your guide.
In addition, when defining user-based access controls, it’s best to do so in terms of
groups, rather than individual users. Instead of marketers Jane, John and Joe, think
of the three individual users as the marketing group. This will go a long way toward
simplifying policies and keeping administrative overhead to a minimum.
5. Implement user-based access policy
Once corresponding business policy is aligned and user groups are defined,
user-based access controls can be implemented. Create a list of security rules that
whitelist acceptable applications and websites and deny access to ALL else, and then
implement the policy – one group at a time.
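The evaluation order that steps 2 through 5 describe, as an added example that is not part of the original paper and is not PAN-OS configuration: a session is attributed to a user through a time-limited user-to-IP mapping, matched against group-based allow rules, and denied otherwise. The logon events, group and application names, the 45-minute mapping timeout and the function names are all assumptions made for illustration.

```python
MAPPING_TTL = 45 * 60  # seconds before a user-to-IP mapping is stale (assumed)

# Constructed sample data: directory logon events as (epoch_seconds, user, ip).
LOGON_EVENTS = [
    (1000, "jane", "10.1.1.20"),
    (1200, "joe", "10.1.1.21"),
    (4000, "raj", "10.1.1.20"),  # address reused: raj now holds jane's old IP
]
# Hypothetical directory group membership.
GROUPS = {"jane": {"marketing"}, "joe": {"marketing"}, "raj": {"engineering"}}

# Group-based allow rules (constructed application names); no match means deny.
RULES = [
    ("marketing", {"salesforce", "web-browsing"}),
    ("engineering", {"github", "ssh"}),
]


def resolve_user(events, ip, now):
    """Return the user last seen logging on from ip, or None if unknown/stale."""
    seen = [(ts, user) for ts, user, event_ip in events
            if event_ip == ip and ts <= now]
    if not seen:
        return None
    ts, user = max(seen)
    return user if now - ts <= MAPPING_TTL else None


def decide(events, ip, app, now):
    """Return (action, user, group) for one session; the default is deny."""
    user = resolve_user(events, ip, now)
    if user is None:
        return ("deny", None, None)  # an unmapped IP inherits no access
    for group, apps in RULES:
        if group in GROUPS.get(user, set()) and app in apps:
            return ("allow", user, group)
    return ("deny", user, None)


if __name__ == "__main__":
    sessions = [
        ("10.1.1.20", "salesforce", 1100),    # jane, marketing: allowed
        ("10.1.1.20", "salesforce", 4100),    # same IP, now raj: denied
        ("10.1.1.21", "web-browsing", 3901),  # joe's mapping expired: denied
        ("10.9.9.9", "web-browsing", 1100),   # never mapped: denied
    ]
    for ip, app, now in sessions:
        print(ip, app, now, decide(LOGON_EVENTS, ip, app, now))
```

The second session is the case the paper's introduction warns about: the same IP address carries a different user an hour later, so a rule keyed on the address alone would have granted the wrong access.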
The user groups impacted by the new access controls will likely have questions.
Communication is key here. Let the impacted user groups know what you plan to
do and when you plan to do it. Organizations can also consider forming a special
incident-response team to field the higher-than-average volume of inquiries related
to the implementation to ease the minds of users and drive a smooth execution.
With these considerations in mind, implement user-based access controls on your
NGFW security infrastructure to defend against successful cyberattacks and make the
most of your security investment. For a deeper dive into the technology and benefits,
check out the PAN-OS Administrator’s Guide or visit the Palo Alto Networks®
Live Community.