Nevis Networks: Best Practices in LAN Security …...compliance domains of process, control and “audit-worthiness,” with comprehensive, granular and detailed capabilities in each

Nevis Networks: Best Practices in LAN Security Across the Compliance Spectrum

A White Paper Prepared for Nevis Networks June 2006

Table of Contents

Executive Summary ............................................................................................................................................................................1

Common Themes of Regulatory Requirements ...........................................................................................................................1

Cost-Effective Compliance: Meeting Multiple Requirements across the Regulatory Spectrum ..........................................2

Processes..........................................................................................................................................................................................3

Controls ...........................................................................................................................................................................................3

“Audit-worthiness” ........................................................................................................................................................................4

Compliance and Nevis Networks’ LAN Security Solution .........................................................................................................5

Process .............................................................................................................................................................................................5

Process to Implement Trust Groups ....................................................................................................................................5

Process to Add and Change Users Dynamically ...............................................................................................................6

Process to Control Threats .....................................................................................................................................................6

Process to Define and Protect Secure Assets ....................................................................................................................6

Control .............................................................................................................................................................................................7

Endpoint Admission................................................................................................................................................................7

User Authentication ................................................................................................................................................................7

Dynamic Access Control ........................................................................................................................................................7

Secure Asset Definition ...........................................................................................................................................................8

Threat Identification and Prevention ...................................................................................................................................8

Audit .................................................................................................................................................................................................8

Identity-driven Policy Enforcement .....................................................................................................................................9

Traffic Monitoring ....................................................................................................................................................................9

Audit Reports ............................................................................................................................................................................9

EMA’s Perspective ...............................................................................................................................................................................9

Appendix A: Nevis Networks Regulatory Support – Sarbanes-Oxley ...................................................................................11

Appendix B: Nevis Networks Regulatory Support – SB 1386 (California Law on Notification of Security Breach) ..14


Page �

©2006 Enterprise Management Associates, Inc. All Rights Reserved.

Executive SummaryWith every passing year, the need to comply with a maze of state, federal and even international regulations be-comes a more pressing concern for companies around the world. The issue may be customer or patient privacy; safeguarding the integrity of the organization’s financial results, or protecting customers or businesses from fi-nancial fraud. Not only are there more regulations each year, but the penalties (either in the form of bad public-ity, a drop in stock price, outright fines or even jail times for executives) become more immediate and severe.

The requirements of various rules can overlap, creating multiple mandates for the same organization. For exam-ple, the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) apply to healthcare providers, healthcare insurers and related or-ganizations that are also governed by industry-specific regulations at the state and other levels. If an organiza-tion is involved in both health care and financial services (say, a health care insurer) it is governed not only by HIPAA but by the privacy requirements of the Gramm-Leach-Bliley Act (GLBA). If any of these companies are publicly traded in the US, the requirements of the Sarbanes-Oxley Act (SOX) may apply as well.

Regulatory requirements can also cross borders in un-expected ways. Although the many privacy measures enacted by governments from U.S. States to national and even international bodies such as the European Union have much in common, they pose a significant challenge to subject entities who must comply with multiple over-lapping rules. Even harder than complying with a single standard imposed by one jurisdiction is complying with a mosaic of different laws in many different jurisdictions.

Finally, the need to ensure compliance is an ongoing, weighty responsibility. Not only do some regulations re-quire regular, scheduled audits to prove compliance, but each organization’s compliance record is only as good as the last transaction it performed, the last customer record it archived or the last patient record it encrypted before storing off-site.

In order to prioritize their compliance efforts on the most pressing issues, and to acquire solutions that ad-dress multiple regulatory needs, organizations must recognize the common requirements underlying many different rules and regulations. These common require-ments include:

• Defined and enforceable business standards, poli-cies and processes;

• Subversion-resistant controls for their enforce-ment, and;

• Records and reports that demonstrate continuous compliance with these policies and processes.

Above all, compliance is all about defining, assuring, enforcing and proving compliant behavior. This dictates that processes, controls and demonstrations of effec-tiveness must be as specific to individuals as possible and must extend enforcement throughout the entire time that any individual has access to regulated informa-tion resources. Solutions are beginning to emerge with powerful features to assure that each user has access to only the proper information, and can execute only ap-propriate actions, for the entire time he or she is on the corporate network.

In this paper, Enterprise Management Associates (EMA) examines the broad requirements of regulatory compliance and how the Nevis Networks product set represents a front-line solution for providing the nec-essary levels of highly granular, continuous real-time enforcement. Executives will gain an understanding of how Nevis Networks LAN security systems provide a part of the solution that helps an enterprise achieve and continuously improve compliance with multiple, evolving regulatory requirements. The Appendix of this paper provides a detailed look at examples of how Nevis’ solution helps to support compliance with the Sarbanes-Oxley Act and the privacy breach notification law known as California Senate Bill 1386—two of the most significant mandates affecting IT today.

Common Themes of Regulatory RequirementsAs powerful information systems, databases and the World Wide Web have become potent tools in our every-day lives, it is only natural that concerns would arise—often with justification—about the improper use of those systems and the data contained in them. This con-tradiction—the need to make information ubiquitously available, and the conflict of this need with concerns about information misuse—is one reason why regula-tory compliance can be such a confusing challenge.


Page �


Privacy regulation is a prime example. Customers pay-ing their bills online, checking their email from a coffee shop or ordering a specialized product they could only have found on the Web, all are benefiting from their ability to leverage personal information (such as pass-words and credit card numbers) over the Internet. This, however, poses significant risk that personal informa-tion may be stolen, compromised or otherwise misused. In response, initiatives such as California Senate Bill 1386 requires any company, no matter where it is lo-cated, to disclose the loss or theft of personal informa-tion of any customer who is a California resident. That means, conceivably, that the name, physical address and email resident of a Californian who registered to down-load a product or service from the Web could come back to haunt a corporation in Europe or Asia. The Personal Information Protection Act passed in Japan in 2003 may, similarly, affect companies doing busi-ness in Japan (particularly those in the medical, finan-cial credit, and telecommunication industries); as may the European Union’s Data Protection and Electronic Communications Privacy Directives.

Financial controls are a parallel example. Financial mismanagement by a few firms led to broad investor accountability mandates such as the Sarbanes-Oxley Act. While SOX requires strict controls over financial systems and processes, it is again the behav-ior of those using information systems that SOX seeks to control. In order to be ef-fective, such control must govern behavior during the entire time a legitimate, authen-ticated user has access to the system, since sensitive corporate information is at risk of being manipulated not just by hackers, but any person with access to the company network, from rank-and-file staff to senior executives. A similar requirement applies to network and system administrators, as well as security managers, to ensure they can-not abuse their positions of trust either to commit wrongdoing or to open the door for others to do so. The rise of terrorism is having a similar effect, in the form of the Anti-Money-Laundering (AML) provisions such as those of the USA PATRIOT Act. At least one international bank has already

been fined $100 million for violating U.S. AML restric-tions on currency exchange with countries under sanc-tion, through the concealment of prohibited transactions in financial reporting. Clearly, there is a role for tools that can enforce access to such sensitive IT resources with high granularity, and with credibility that can stand up to the rigors of today’s stringent regulatory audits.

Governments are not the only entities defining what rules businesses must comply with in order to operate. Recognizing the threat to electronic transactions posed by attacks that increasingly have material objectives in view, credit and debit card companies have issued their own Payment Card Industry (PCI) data security stan-dard, responding to initiatives such as Visa’s Cardholder Information Security Program (CISP) that mandate re-quirements for securing card information whenever it is obtained, used or transmitted.

Choosing a different compliance tool to meet each of these different and often overlapping requirements quickly becomes highly inefficient and cost-prohibitive. A more cost-effective route is to select tools that can satisfy a broad range of requirements.

Cost-Effective Compliance: Meeting Multiple Requirements across the Regulatory Spectrum

Processes• Strategic Planning• Risk Assessment• Policy Definition

• Business Process Workflows• Incident Response

• Control Management

Controls• Separation of Duties

• Division of Responsibilities• Segregation of Resource Access

• Policy Enforcement• Data Privacy and Security

“Audit-Worthiness”• Policy Documentation • Compliance Monitoring

• Exception Alerting• Control Effectiveness Reporting

• Process Workflow Tracking• Incident Response Documentation

Figure 1: An overview of the compliance lifecycle. Requirements common across multiple regulatory initiatives are summarized. The Nevis Networks solution addresses each of the three primary

compliance domains of process, control and “audit-worthiness,” with comprehensive, granular and detailed capabilities in each domain to satisfy a wide range of regulatory requirements.


Page �


The best way to choose such tools is to focus first not on the complex requirements of each rule or regulation, but on the most critical requirements across a range of mandates that are most relevant to an IT organization. In general, they revolve around Processes, Controls and “Audit-worthiness.”

ProcessesIn essence, regulatory requirements are broadly appli-cable statements of policy, and policies are ineffective without well-defined processes to implement and en-force them. Such processes are key to compliance with corporate governance requirements such as SOX, as well as for the creation of necessary internal corporate controls. There are two key areas of compliance-relevant process: the definition of specific compliance-related business processes that are consistent with regulatory policy; and ongoing management of those processes.

Proper definition of business processes is crucial to ensure they are in accordance with the relevant corpo-rate governance policies and external regulations, and to ensure that the proper access control and separation of duties and divisions of responsibilities are spelled out. Users must be accurately identified, along with their roles, attributes and the types of information to which they should be allowed access. The same is true for the resources (the data and application services) to which they are allowed access. Again, the stress should be on defining, managing and controlling a user’s behavior for the entire time they are connected to the corporate network, not just on properly authenticating them at the point of access.

The next step is to define the processes for provisioning those resources, or making them available to employees, customers or business partners when such access is ap-propriate. These processes must be clear and enforce-able, yet flexible enough to allow the business to meet its changing strategic needs. These processes should extend through the lifetime of the resource, allowing for the on-going creation, modification, suspension, revocation and retirement of resources as well as the privileges accorded to their use. They should also be highly granular and as individually specific as both regulatory and corporate requirements may demand, allowing for the fine-tuning of controls, roles, and the appropriate segregation of users, resources and communication channels based on

new or changing compliance or business requirements as they emerge. Finally, in order to prevent compliance breaches to the extent possible, these processes must be enforceable through real-time controls, implemented in the information technologies that enable access to controlled resources. This highlights an area in which IT can aid specifically with compliance-relevant process management: in the automation of process events in IT resources themselves.

Once they are defined, these processes must be managed, on an ongoing basis, from the time they are created until they are retired. This requires mechanisms that provide an overview of the current state of processes, as well as top-level controls on how policies and processes are defined and managed.

ControlsThe enforcement of controls is central to virtually all regulation, and is particularly important in mandates such as Section 404 of SOX. Section 404 is particularly important to IT organizations because it requires the implementation of a control framework and processes for financial reporting, and the regular assessment of the effectiveness of that framework by corporate manage-ment required by SOX Section 302. An example of a framework was given in the SOX compliance rules is-sued by the US Securities and Exchange Commission (SEC), which makes specific reference to the recom-mendations of the Committee of the Sponsoring Organizations of the Treadway Commission (COSO)—a SOX precursor—directly related to the preparation of financial statements and the safeguarding of assets. One of the most popular SOX control frameworks is the IT Governance Institute’s Control Objectives for Information and related Technology (COBIT). In its guidance on SOX IT control objectives, the ITGI de-scribes how multiple guidelines such as ISO 17799 best practices in information security and IT Infrastructure Library (ITIL) IT governance standards map to SOX control requirements, as well as to COSO and COBIT.

The control requirements of these and many other mandates range from the proper separation of duties and the division of responsibilities among employees required by SOX as well as the Basel Capital Accords (“Basel II”), to controls on access to privileged informa-tion supported by an appropriate level of authentica-


Page �


tion, and the creation of clearly defined roles, rights and responsibilities for information consumers. Such access is controlled within the healthcare industry by both the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA). Controls on access to personal information that could lead to financial losses—personal as well as corporate—are also mandated by initiatives such as the Payment Card Industry (PCI) Data Security Standard, while interna-tional regulations such as the EU Data Privacy Directive and Japan’s Personal Information Protection Act (PIPA) mandate similar controls to protect personal informa-tion. Such protections are preventive measures for mandates such as California SB 1386, which requires disclosure in the event of unauthorized access to the unencrypted personal information of Californians.

Implicit in the nature of IT controls is that they must be effective throughout the entire time a network user, endpoint or information consumer has the ability to ac-cess IT or information assets. Again, controls that focus only on controlling initial access to the network are inadequate. The real question that determines whether compliance is effective is what happens once the user is connected to the system. For example, a rogue trader on the Singapore Exchange was able to hide the extent of his abuses by reconciling his own trades. Proper con-trols on the separation of responsibilities for employ-ees, and enforcement of those separate responsibilities within the company’s information systems, could have limited the abuse and perhaps saved the entire company from failure.

From an IT perspective, enforcement of the proper separation of duties and division of responsibilities can be achieved through:

• The segregation of information users into groups according to specific levels of trust appropriate to each group (so-called “trust groups”);

• Enforcing limitations on access to specific infor-mation resources to a specific trust group, and;

• Monitoring enforcement and alerting on events when exceptions are detected, and ideally, when they are attempted.

Risk is not just the unmanaged or inappropriate activities of users who were assumed to be trustworthy but who

are not. It also includes vulnerabilities that employees or outsiders can unwittingly introduce into the corporate network, such as worms or Trojans that take advantage of a legitimate user’s current (and authenticated) session to exploit gaps in enforcement. Increasingly, these types of attacks also threaten the confidentiality, integrity, and security of personal or business-critical information itself, exposing it to breach of privacy, abuse, or even outright destruction.

For all these reasons, it is clear that controls must be real-time, end-to-end and comprehensive in order to prevent compliance breaches from occurring. Once an event occurs, controls that are limited to reactive re-sponse may have lost the opportunity to avoid a compli-ance breach. Indeed, after-the-fact controls may actually allow the precipitation of a compliance event, such as a privacy breach that would require public disclosure as in the case of SB 1386 requirements, with high potential for resultant damage.

“Audit-worthiness”To meet the demands of both external mandates and in-ternal auditors, both access controls and the processes to manage those controls must be auditable. Organizations must be able to prove over time that policies and pro-cesses were followed and that controls in place were adequate to enforce their compliance continuously.

Controls must have shown enough resistance to subver-sion to prove they achieve their aims, while process en-forcement must demonstrate a high enough level of ef-fectiveness and penalties to ensure compliance with the mandates in question. Information resources, consum-ers, access methodologies and other subjects of compli-ance must be clearly and reliably identified. The reports and “audit trail” must clearly correlate the existence of mandated processes and controls with the information resources, information consumers and access method-ologies reported in actual operation. Alerting functions must quickly notify managers of any attempts to subvert controls and processes, and the audit must identify any exceptions that were made to processes or controls, the actions taken to ensure such exceptions did not violate compliance guidelines, and how consistent exceptions will be taken into account in the future.

Audit-worthiness goes beyond mere reporting and alert-ing to the transparent effectiveness of control. This means


Page �


outside regulators and internal auditors must find proof of the ongoing, continuous, real-time effectiveness of the process and controls sufficiently convincing in order to demonstrate actual compliance. Activities must be consistently documented with few or no breaks in the audit trail throughout a process, enabling an audi-tor to choose the audit trail of virtually any control or process at random and determine that compliance has been consistent.

Compliance and Nevis Networks’ LAN Security SolutionUp to now, most compliance solutions have focused on controlling access to sensitive resources via user au-thentication. To achieve more comprehensive compli-ance, enterprises are often forced to add-in additional software, security systems and monitoring tools. Since regulators increasingly demand transparent, continuous, real-time enforcement specific to each individual infor-mation consumer, the added complexity of a piecemeal approach poses risks of its own. Enterprises require consistency in the assurance of real-time policy & pro-cess adherence, continuous controls, simple compliance process deployment and powerful audit features.

Nevis Networks’ LANenforcer™ ASIC-based LAN security systems and LANsight security manager pro-vide a comprehensive approach to locking down LANs to help in meeting regulatory compliance mandates. Together, LANenforcer and LANsight comprise Nevis’ LANsecure LAN security architecture. An in-line net-work system located at the user-access edge of the LAN, LANenforcer provides multiple layers of security policy processing to deliver real-time, continuous enforcement and threat protection at the point of network connec-tion, without compromise to application performance.

Nevis’ LANsight™ security manager provides central-ized security policy configuration, monitoring, event correlation, and reporting for LANenforcer™ systems. Its dynamic, role-based policy management and report-ing gives network administrators substantial control and visibility into security-related user activity throughout the LAN. LANsight is the IT interface for compliance process definition, policy deployment and audit output.

Nevis’ LANsecure provides a simple, network-based framework for implementing the policy enforcement

processes, controls and audits that help support compli-ance with many of today’s regulatory demands.

ProcessBusinesses are increasingly looking to solutions for securing the LAN itself, because enforcement at the point of connection represents one of the most direct ways to help assure clear and policy-compliant business processes throughout the enterprise network. Nevis’ ar-chitecture creates a framework for definition of specific compliance-related business processes that are consis-tent with regulatory policy, and ongoing management of those processes.

Specifically, Nevis’ LANsecure architecture enables the following processes by providing appropriate control points and audit records:

• Process to implement trust groups

• Process to add and change users dynamically

• Process to control threats

• Process to define and protect secure assets

Process to Implement Trust GroupsRegulations with emphasis on corporate governance such as SOX have much in common with rules such as Basel II: namely, the separation of duties and division of responsibilities that assure adequate oversight and lim-its on the uncontrolled access of individuals that could have an adverse effect on critical information resources. These rules converge with data security mandates such as the PCI Data Security Standard or the HIPAA Privacy Rule, which require the enforcement of confidentiality in the handling of sensitive personal financial or medical information. This directly indicates the regulatory ne-cessity of processes that segregate individual users into specific trust groups.

Enterprises have trust groups of users already defined, but many networks have not been able to fully extend their value to network-wide policy enforcement. In such cases, the network is at the mercy of user self-policing. For example, some companies may state a policy of “third party laptops are not allowed on our network”—but if they have no mechanism for actually implementing this stated policy, it is effectively, unenforceable. With the LANsecure architecture, business groups immediately become trust groups with access control policies. This


Page �


enables LANsight to directly extend the implementa-tion of trust group definition and user provisioning processes, integrating LANsight capabilities with those of today’s sophisticated identity and access management systems to retrieve group definitions and assign policies to those groups. When a user is added via normal IT processes, that user automatically receives access control policies via LANsight.

Process to Add and Change Users Dynamically Once trust group definition processes are established, network security enforcement processes such as defin-ing Access Control Lists (ACLs) for every switch port via a command-line interface become intolerably brittle when extended LAN-wide. Such unscalable approaches effectively remove the LAN as an enforcement tool, since very few enterprises would support such a cum-bersome process for adding individual network user access privileges, ensuring proper access to appropriate resources, and restricting access from everything else. LANsecure enables the enterprise to define network-wide processes for provisioning new users and giving access to appropriate resources on the network. Users are authenticated, along with their roles, attributes and the types of information to which they should be al-lowed access.

Because policies are dynamically applied to users at authentication time, LANenforcer provides a simple process for authorizing third-party users such as con-tractors, consultants and guest visitors, ensuring their ability to access relevant systems while restricting access to everything else on the network. IT can configure LANsight to assign specific access rights to each group of non-employee users – some may be granted rights to Internet only access; others may have access to a specific server. Should third-party users be members of multiple groups, LANsight takes the intersection of those two groups and applies those to that user.

Process to Control ThreatsMost regulatory mandates reference IT security best practices such as the ISO 17799 guideline in shaping the implementation of a security posture that enables the enforcement of regulatory compliance. Initiatives from SOX to the HIPAA Security Rule recognize the neces-sity for implementing threat controls in IT that address the issues revealed in mandated risk and compliance gap

analysis. Increasingly, gaps in IT security pose a signifi-cant risk to sensitive information itself, with potential compliance impact ranging from privacy law breaches to violations of the PCI Data Security Standard.

In addition to its user and trust management capabilities, the Nevis LANenforcer system offers a means for defin-ing a comprehensive process for threat protection that ad-dresses commonalities among these and other mandates. Nevis allows the enterprise to introduce the following six-step threat control process with a single appliance:

• Endpoint host system integrity check for ensuring minimum levels of preventative security imple-mented on the network at all times

• User authentication and group policy enforcement

• Traffic inspection for matching signatures of known spyware, adware, bots, and worms

• Traffic, protocol, and behavioral anomaly inspec-tion for zero-day malware

• Automatic quarantine for known and unknown threats

• Named user and named attack reporting to com-plete the threat containment cycle

Process to Define and Protect Secure Assets In addition to requirements for segregating trust groups and mitigating threats, many regulatory initiatives—par-ticularly those concerned with protecting sensitive information from theft or abuse—have common stan-dards for defining and protecting information assets themselves. This is at the heart of SOX requirements for assuring sound financial reporting, while the HIPAA Security Rule mandates the segregation of sensitive patient data from other data resources in certain cases. The necessity of protecting assets that house tangible assets, meanwhile, is central to the PCI Data Security Standard. As described above, Nevis provides the ability for IT to define “secure assets” (those resources con-taining especially valued or sensitive data). In doing so, LANenforcer encrypts the traffic between the users and the resource with sensitive data, without the need for endpoint software or for the user to initiate the encryp-tion. Encryption occurs completely seamless to the user based upon policy. In addition, LANsight keeps an audit trail of all users access of the secure resource.


Page �


ControlOnce compliant processes such as the risk and gap analyses required by many mandates are carried out and operational compliance processes defined, regulations require controls to be implemented to assure the en-forcement of compliance. All regulatory measures appli-cable to IT strive to control information and access to it. To this end, the Nevis LANsecure architecture provides highly granular controls on information and users on the network. It is clear that control techniques must be real-time, end-to-end, and comprehensive. LANsecure employs a five-point approach to address information resource control. These five components interact to bring robust security controls to each endpoint on the local area network:

• Endpoint admission control

• User authentication

• Dynamic access control

• Secure asset definition

• Threat identification and prevention

Endpoint AdmissionThe increased prevalence of threats that exploit sensi-tive information means that every endpoint on the net-work may present a point of regulatory risk, requiring the enterprise to validate that systems attaching to the network—especially those not owned by the company itself—are appropriately controlled and protected. This speaks to the requirements for threat protection mandat-ed by all IT-relevant regulatory initiatives. LANenforcer has the capability to check each machine, certifying anti-virus, anti-spyware and OS patch levels before allowing the system on the network.

Many endpoint compliance efforts fail because they are intrusive to users. When, for example, client software interferes with desktop applications or forces the user into an unnatural or uncomfortable regime to get her or his job done, controls are highly subject to subversion as users seek ways to defeat them. With the LANsecure architecture, controls are in the network, off the con-trolled host and therefore “clientless” and transpar-ent to the end user, making them significantly more resistant to subversion than client-based approaches to information controls. In addition, Nevis takes the additional step of allowing IT to specify that endpoint

security software scans take place at regular intervals after a user gains access to the network. If a user, for example, turns off their anti-virus software, they would be placed into quarantine; similarly, if a critical patch for anti-spyware is made available by the anti-spyware vendor and the user does not download it, they would also be quarantined. Reviewing the security posture of each endpoint is required both prior to authorizing it access to the network as well as during its access of the network to best reduce risk.

User Authentication The enforcement of user authentication and trust group definition defined in the preceding discussion of com-pliance processes must rely on measures that enforce compliant access controls. Most enterprise networks today may be thought of as “anonymous” in the sense that, once a user logs on, network traffic is typically monitored only in terms of source and destination IP address. This is subject to variability in highly common dynamic addressing regimes, since addresses may change each time a computer connects. The advent of authen-tication protocols such as 802.1X are important, but many networks only use the authentication information to allow general network access. While user groups may be common to operating system environments or within identity management regimes most commonly applied to applications and systems, only rarely have network trust groups been established to date, while network policies may be inconsistently applied and network usage may be completely unmonitored. With LANenforcer, by contrast, users are not only authenticated, but they are subsequently controlled by policy group, and their activities tracked by user name.

Dynamic Access ControlTrust groups already exist within organizations. Business units, functional roles, and information access policies are typically defined and stored in a directory such as ActiveDirectory or LDAP. The enterprise compliance challenge is that network infrastructure has, up to now, made little use of that trust group information. The Nevis LANenforcer creates a transparent policy control point that uses these trust groups for granular access control. Each group member is explicitly authorized to access appropriate resources. Users can be members of multiple groups and LANenforcer will enforce the com-bination of those policies.


Page �


Because the system is deployed at the user-access edge of the network, every user can be controlled individually at every port on the LAN. Regardless whether the net-work is accessed by mobile employees or third parties, access is authenticated, trust groups are identified, and policies are automatically enforced.

Secure Asset DefinitionRegulations can be highly specific regarding the infor-mation resources to be protected. Social Security and driver’s license numbers, for example, are among the most personally identifiable information, linking to data ranging from personal credit history to health status. Accordingly, resources that contain such information are the focus of regulatory protections including the PCI Data Security Standard, HIPAA Privacy and Security Rules, California SB 1386. Similarly identifying informa-tion is the subject of privacy regulation worldwide. IT assets are the repositories of such information, as they are for sensitive financial reporting and critical liquidity information subject, for example, to regulations such as SOX and Basel II, respectively. The ability to specify secure assets and enforce the policies that govern them is thus central to IT compliance generally.

For example, to demonstrate due care of sensitive data in the network, regulations such as the PCI Data Security Standard, the HIPAA Security Rule, or preventive mea-sures intended to limit the risk of privacy breaches that would precipitate an SB 1386-mandated disclosure, may call for end-to-end encryption to protect sensitive data in transit. However the cost of Virtual Private Network (VPN) concentrators and the complexity of IPSec VPN configuration may prohibit many companies from tak-ing action to meet these demands. With LANenforcer, administrators simply identify network resources that contain sensitive information. These resources are de-fined by Nevis as “secure assets.” When the user con-nects to a secure asset, 128-bit Advanced Encryption System (AES)-encrypted IPSec VPN tunnels are auto-matically established transparently between the user ac-cess point and the secure asset. This reduces the need for VPN clients, expensive dedicated devices, and many problematic issues of cryptographic key management, while helping to meet requirements for protecting com-pliance-sensitive information assets.

Threat Identification and PreventionThe commonality of threat mitigation requirements among all IT-relevant compliance initiatives demand more than access control. They seek to force corpora-tions to manage compliance risks which may include those posed by malicious software and hackers as well. To this end the LANenforcer incorporates a robust threat identification and prevention mechanism.

Intrusion detection systems have long used signatures and traffic anomalies to identify attacks on a corporate network. However, cost and performance issues may impact the effectiveness of their deployment in the data path at the security perimeter separating the trusted enterprise LAN from untrusted public networks. The Nevis LANenforcer extends a potentially more cost- and performance-effective, distributed threat identifica-tion and prevention approach to every endpoint on the LAN at wire speed. With a LAN-focused signature set, the LANenforcer identifies spyware, adware, “bots,” Trojans, worms, and other attacks by name and associ-ates them with the current user and system accessing a given LAN port. To prevent unknown, zero-day at-tacks before signatures exist, the LANenforcer system employs advanced traffic, protocol and behavioral anomaly monitoring. Once detected, Nevis Labs sup-ports LANenforcer deployments by quickly creating signatures for zero-day attacks.

Threat control features of the LANenforcer give the enterprise an ability to protect against malware, and control many information leakage risks at the level of each network-connected system, while simultaneously reducing other significant threats such as spoofing and session hijacking.

AuditOrganizations must be able to prove over time that the controls and processes were in effect, and that they worked. Common audit requirements may be quite granular, as in the case of SB 1386, which requires notification in the event of a privacy breach to specific unencrypted personal data items such as first and last name or driver’s license number. Audit records must therefore clearly identify when and where such informa-tion is accessed, or if a breach of access control can be established. Records retention policies may mandate the maintenance of activity records for several years.


Page �


HIPAA, for example, requires covered entities to pro-vide a record of all disclosures of health information to any requesting individual for up to six years.

The audit capabilities of the LANsecure architecture pro-vide high levels of visibility to the enterprise. Auditability features are organized into three major areas:

• Identity-driven policy enforcement

• Comprehensive traffic monitoring for complete visibility

• Audit reporting for simple output

Identity-driven Policy EnforcementWith the LANsecure architecture, every user on the LAN is authenticated and network usage is no longer anonymous. When a security policy is violated, the LANenforcer alerts IT in real time, by user name and policy violation. For example, when a curious network user probes for access to servers to which he is not au-thorized, administrators are immediately alerted of the user’s name, the policy violated, and the server to which access was attempted. As a result, administrators have confidence that the assets are protected as processes require, and that attempts to circumvent mandated pro-cesses have been identified and prevented.

Traffic MonitoringUnlike traditional network LAN switches, the LANenforcer secure access switch has the ability to monitor all network traffic in real time. The event his-tory this affords offers significant advantages for regula-tory compliance purposes. For example, the information can be used for detailed audit inquiries, such as what a particular employee may have done during their last two weeks with a company. It may also support general policy enforcement reporting, such as documentation of those who connected in a given quarter to a resource to which only a specific executive group has access.

In addition, audit monitoring is configured automatically when a system is defined as a secure asset. For systems with critical data, the LANenforcer enables a straight-forward mechanism to identify, encrypt, and audit all the traffic to and from the asset.

Audit ReportsLANsight reports and audit trails simply document that policies and processes were continuously enforced

across all information resources, information consumers and access methodologies. User activities are similarly documented continuously. This creates an environment with no breaks in the audit trail throughout a process.

The LANsight system comes with preconfigured reports that help answer key regulatory questions, such as: What are the defined security policies and processes in place? What is the evidence of their enforcement? Where have violations been attempted, and what was done about those attempts? All audit reporting identifies the user name and relevant policies.

Since user names, assets, and IP addresses are searchable, rapid and highly responsive compliance reporting is pos-sible. Network usage is auditable by user name, end host, application, server, time and duration of transactions.

EMA’s PerspectiveUp to now, most companies have focused on regula-tory penalties when estimating the cost of non-compli-ance. To estimate the average risk to which enterprises are exposed, EMA calculated the averages of either the maximum prescribed criminal penalty, or the penalties imposed in actual cases, across six compliance domains affecting corporate governance, financial services regu-lation and information privacy. It found the average maximum criminal penalty in these cases was over US$5 million dollars. Taking a mere five percent of that figure as an estimate for what the far more probable civil pen-alties would be (that is, for simply failing to comply as op-posed to criminal intent) the annual risk to an enterprise is still more than US$250,000—per mandate, per year, since compliance is typically reckoned annually in many cases. Particularly for industries faced with multiple re-quirements, this scale indicates just how serious an issue compliance breach prevention has become.

Now that many compliance initiatives have been put into effect, EMA expects that, in their annual reviews, auditors will increasingly be looking for continuous im-provement of compliance processes. That means enter-prises need to extend their IT compliance efforts be-yond one-size-fits-all authentication that simply grants or denies users access to the network. In their annual compliance reviews, auditors and outside regulators are expected to look for increasingly granular, real-time, continuous regulatory enforcement of the behavior of each individual IT user or information consumer. The


Page �0


intention of this level of granularity is to gain visibility into non-compliant behavior as specifically as possible. By definition, this granularity is most effective when it pinpoints the behavior source itself. This highlights the value of solutions that enforce security and compliance policies at the point of network access.

Nevis Networks exemplifies the type of real-time, continuous compliance enforcement solution that this increasingly demanding regulatory climate will require, not just to contain breaches and punish offenders, but to achieve the actual aim of regulatory mandates: the preven-tion of non-compliance, before the fact, wherever possible. By focusing on the point of network access, the Nevis LANsight system not only enforces compliant behavior by sharply defining access privileges and making all other access unavailable, it provides a point of high leverage and control for the management of a number of se-curity and compliance risks, before they can reach the network—let alone sensitive information resources.

This represents a new class of network security and compliance solutions that not only increase the value of the strategic investment made in front-line enforcement tools such as identity management, but leverage the network itself as a primary tool for extending process disciplines, access controls, user and trust group man-agement, and threat protection with high granularity down to the level of each individual user and system that interacts with high-value IT assets.


Page ��


Appendix A: Nevis Networks Regulatory Support – Sarbanes-OxleyThe Sarbanes-Oxley Act of 2002 mandates the adoption of corporate governance standards for many public com-panies and registrants with the US Securities and Exchange Commission (SEC). Section 404 of the Act specifically requires companies to report annually on their internal controls over financial reporting. In its enforcement of these provisions of the Act, the SEC has recognized the following:

• SEC compliance rules mandate the use of a recognized internal control framework. These rules make specific reference to the recommendations of the Committee of the Sponsoring Organizations of the Treadway Commission (COSO) directly related to the preparation of financial statements and the safeguarding of assets.

• In 2004, the SEC approved the adoption of the US Public Company Accounting Oversight Board (PCAOB) Audit Standard No. 2 (PCAOB Release No. 2004-003), establishing a standard governing the auditing of internal controls relevant to the Act.

These standards have direct implication for IT systems involved in compliance with Sarbanes-Oxley (“SOX”). While many internal control frameworks have been adopted in response, the following are examples of common framework elements relevant to IT, with examples of how Nevis Networks helps to support compliance:

PROCESSESDomain Relevance to SEC Standards Nevis Networks SupportKey areas of IT focus in implementing SOX-compliant business processes include:• Strategic planning, development,

acquisition and maintenance of IT resources

• Assessment of IT-relevant risks· Personnel management

• Development of policies and procedures

• Management of configuration and change

• Event and incident management

COSO:• Control Environment• Control Activities• Information and Communications• Monitoring• Risk Assessment

PCAOB:• Program Development• Program Changes• Computer Operations• Access to Programs and Data

The Nevis Networks solution helps support the implementation of SOX-compliant business processes through:• The classification of users and IT

resources according to risk and compliance sensitivity

• Capabilities for implementing the real-time enforcement of which users should have access to which resources, according to defined policy

• Tools for managing changes to access rights and privileges

• Strong process enforcement through controls on the network environment

• Finely grained reporting and alerting of all network activity

• Automated elevation of alerts in response to attempts to subvert IT controls

• Automated engagement of stronger IT controls in response to an attempted compliance breach


Page ��


CONTROLSDomain Relevance to SEC Standards Nevis Networks SupportAsset classification and control COSO: Risk Assessment, Control

Activities

PCAOB: Computer Operations, Access to Programs and Data

Networks, servers, applications and users are defined within LANsight Security Manager in order to create comprehensive access control or security policy.

Appropriate separations of duties and divisions of responsibilities, including user authentication, access control, and controls on the complete user account lifecycle (policy definition, account creation, modification, suspension, revocation, closure)

COSO: Risk Assessment, Control Activities, Monitoring


Nevis’ dynamic access control feature enables simple, robust definition of system access, based on groups, or job responsibilities.

Network security controls, including perimeter security, intrusion detection and prevention, anti-malware and protections against software and application vulnerabilities

COSO: Risk Assessment, Control Activities, Information and Communications, Monitoring


LANenforcer utilizes signature matching, network, protocol and behavioral anomaly detection enabling the deployment of this technology to every port on the LAN.

Protection of sensitive data, in storage as well as in transit, including encryption where appropriate

COSO: Risk Assessment, Control Activities


LANenforcer enables the straightforward deployment of data encryption in combination with host protection and access control, with many robust features. An administrator defines a “Secure Asset” for servers that contain high-risk personal information. Once defined, LANenforcer automatically and transparently configures IPSec tunnels from client endpoint to server endpoint. All data is automatically encrypted with 128-bit AES encryption. This helps to reduce capital such as those necessary to implement VPN concentrator hardware or the operational costs of VPN client software. The Secure Asset functionality automatically configures access control policies and audit logging for all access to protected information.

Enforcement of IT configuration and change controls

COSO: Risk Assessment, Control Activities, Monitoring


Nevis tracks all changes made to the LANsight security manager— user identity, date, and action taken— allowing IT to carefully monitor all security policy changes.


Page ��


AUDIT-WORTHINESSDomain Relevance to SEC Standards Nevis Networks SupportMonitoring and ongoing evaluation of the IT environment

COSO: Risk Assessment, Control Activities, Information and Communication, Monitoring


LANenforcer automatically monitors network activity for attempted policy violations, prevents violations and alarms on attempts.Because of its robust policy creation and enforcement features, the LANenforcer makes it simple to monitor and enforce compliance among employees, third-party personnel, and all other users on the network.

Exception or event alerting and notification

COSO: Risk Assessment, Control Activities, Information and Communication, Monitoring


All monitored network, security, and access events are forwarded and stored by LANsight Security Manger. These can trigger numerous actions including alarms or alerts.

Control adequacy COSO: Risk Assessment, Monitoring

PCAOB: Program Development, Program Changes, Computer Operations, Access to Programs and Data

IP and MAC addresses have weaknesses when used to identify network activity, as they can be manually modified or “spoofed.” By tying user name to all network, security, and access events, administrators can be certain that any security issues are directly attributable to a particular user.

Control audit and validation: internal as well as external and independent

COSO: Control Environment, Monitoring

PCAOB: Program Development, Program Changes, Computer Operations, Access to Programs and Data

The comprehensive reporting capabilities of LANsight supports the direct documentation of actual IT controls in place, helping to enforce SOX compliance and credible demonstration of mandated controls.


Page ��


Appendix B: Nevis Networks Regulatory Support – SB �� (California Law on Notification of Security Breach)Senate Bill 1386 (“SB 1386,” also introduced as Assembly Bill 700) of the 2001-2002 session of the California State Legislature was adopted and entered into effect July 1, 2003, amending and adding Sections 1798.29, 1798.82 and 1798.84 to Chapter 1798 of the California Civil Code, also known as the Information Practices Act of 1977. SB 1386 mandates that government agencies, people, and businesses in California must notify any California resident in the event that the security, integrity or confidentiality of their unencrypted personal information is compromised by unauthorized acquisition.

Personal information subject to the notice requirement includes the combination of name (first name or initial and last name) plus any of the following: a) driver’s license or California Identification Card number; b) Social Security number, or; c) financial account, credit, or debit card number in combination with any security code, PIN or pass-word that would enable access to the individual’s financial account. In the event of a breach, the law requires that notification be given “in the most expedient time possible and without unreasonable delay.”

Nevis Networks LANsecure technology—implemented in Nevis’ LANenforcer LAN security systems and LANsight solutions—offers LAN security functionality that provides a framework for implementing the processes, controls and audits that help support compliance efforts relevant to SB 1386. Features of these offerings include:

• Dynamic access control, readily enabling definitions of who has access to which resources on the network, which supports the enforcement of control at every port on the LAN

• Management reporting

• Highly-detailed event management

• Key features supporting compliance enforcement, such as Secure Asset and transparent VPN encryption

The Office of Privacy Protection of the California Department of Consumer Affairs has published its Recommended Practices on Notification of Security Breach Involving Personal Information1, which includes the following recommended practice guidelines for information protection, incident prevention, and notification preparation relevant to SB 1386. These guidelines are correlated with examples of how the Nevis Networks solution helps to support their guidance:

PROCESSESRecommended Practice Nevis Networks SupportInventory records systems, critical computing systems and storage media to identity those containing personal information.• Include laptops and handheld devices used to store

personal information.

Nevis’ LANsight provides IT with an audit trail of all user network activity, creating an audit trail of which users attached to which resources and when.

Classify personal information in records systems according to sensitivity.• Identify notice-triggering information.

Nevis’ LANsight can alert IT should a user attempt access to a resource for which they do not possess access rights.

Review your security plan at least annually or whenever there is a material change in business practices that may reasonably implicate the security of personal information.

Nevis’ LANsight integrates reports that assist in the planning activities accelerating the planning as well as day-to-day operations management processes.

1 Office of Privacy Protection, California Department of Consumer Affairs, Recommended Practices on Notification of Security Breach Involving Personal Information, October 10, 2003, http://www.privacy.ca.gov/recommendations/secbreach.pdf

(continued on next page)

http://www.privacy.ca.gov/recommendations/secbreach.pdf


Page ��


PROCESSESRecommended Practice Nevis Networks SupportBefore sending individual notices [in the event of a notice-triggering incident], make reasonable efforts to include only those individuals whose notice-triggering information was acquired.

The granularity of control offered by Nevis’ solution gives highly specific visibility into exactly who had access to what information resources at what time. This limits the potential scope of an SB 1386 incident to a known range of specific individuals, resources, times and methods of access, which, in turn, can significantly limit the impact of a notification event.

CONTROLSRecommended Practice Nevis Networks SupportUse physical and technological security safeguards as appropriate to protect personal information…• Authorize employees to have access to only the

specific categories of personal information their job responsibilities require.

• Where possible, use technological means to restrict internal access to specific categories of personal information.

• Remove access privileges of former employees and contractors immediately.

Nevis’ dynamic access control enables simple, robust definition of system access, based on groups, or job responsibilities.

Use intrusion detection technology and procedures to ensure rapid detection of unauthorized access to higher-risk personal information.

LANenforcer utilizes signature matching, network, protocol and behavioral anomaly detection for identification and prevention of known and unknown intrusions, enabling the deployment of this security to every port on the LAN.

Wherever feasible, use data encryption, in combination with host protection and access control, to protect higher-risk personal information.• Data encryption should meet the National

Institute of Standards and Technology’s Advanced Encryption Standard.

LANenforcer enables the straightforward deployment of data encryption in combination with host protection and access control, with many robust featuresAn administrator defines a “Secure Asset” for servers that contain high-risk personal information.Once defined, the LANenforcer automatically and transparently configures IPSec tunnels from client endpoint to server endpoint. All data is automatically encrypted with 128-bit AES encryption. This helps to reduce capital costs such as those necessary to implement VPN concentrator hardware or the operational costs of VPN client software. The Secure Asset functionality automatically configures access control policies and audit logging for all access to protected information.



Page ��


CONTROLSRecommended Practice Nevis Networks SupportPlan for and use measures to contain, control and correct any security incident that may involve higher-risk personal information.

Nevis’ LANsecure technology offers three benefits for companies to contain, control and correct security incidents:1. Role-based access control – allows the

administrator to restrict access to high-risk personal information before incidents happen.

2. Encrypted access to secured resources3. Comprehensive user audit and reporting of all

user-network activity based on a query of the user’s name. What did they access and when?

Once threats are detected, via policy violation, signature match or network anomaly, rapid threat containment features are invoked. For servers containing high-risk personal information (“Secure Assets” as defined by Nevis Networks products), security events are raised in priority by the event correlation system. This priority elevation automatically increases the sensitivity of behavioral anomaly detection, which in turn drives alarms, quarantine of attacking or threatening hosts, and isolation of systems at risk.

AUDIT-WORTHINESSRecommended Practice Nevis Networks Support• Monitor employee compliance with security and

privacy policies and procedures.• Include all new, temporary, and contract employees

in security and privacy training and monitoring.• Monitor and enforce third-party compliance with

your privacy and security policies and procedures.• Monitor employee access to higher-risk personal

information.

LANenforcer automatically monitors network activity for attempted policy violations, prevents violations and alarms on attempts. Because of its robust policy creation and enforcement features, the LANenforcer makes it simple to monitor and enforce compliance among employees, third-party personnel, and all other users on the network.

Document response actions taken on an incident. This will be useful to your organization and to law enforcement, if involved.



Page ��


AUDIT-WORTHINESSRecommended Practice Nevis Networks SupportIn determining whether unencrypted notice-triggering information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person, consider the following factors, among others:1. Indications that the information is in the physical

possession and control of an unauthorized person, such as a lost or stolen computer or other device containing unencrypted notice-triggering information.

2. Indications that the information has been downloaded or copied.

3. Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

If you cannot identify the specific individuals whose notice-triggering information was acquired, notify all those in the groups likely to have been affected, such as all whose information is stored in the files involved.

The granularity of control offered by Nevis’ solution gives highly specific visibility into exactly who had access to what information resources at what time. This limits the potential scope of an SB 1386 incident to a known range of specific individuals, resources, times and methods of access, which, in turn, can significantly limit the impact of a notification event.

About Enterprise Management Associates, Inc.

Enterprise Management Associates, Inc. is the fastest-growing analyst firm focused on the management software and services market. EMA brings strategic insights to both vendors and IT professionals seeking to leverage areas of growth across e-business, network, systems, and application management. Enterprise Management Associates’ vision and insights draw from its ongoing research and the perspectives of an experienced team with diverse, real-world backgrounds in the IT, service provider, ISV, and publishing communities, and is frequently requested to share their observations at management forums worldwide.

Corporate Headquarters: Enterprise Management Associates 2585 Central Avenue, Suite 100 Boulder, CO 80301, U.S.A.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system, or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. ©2006 Enterprise Management Associates, Inc. All Rights Reserved.

Phone: 303.543.9500Fax: 303.543.7687

[email protected]

1135.060606

mailto:[email protected]

http://www.enterprisemanagement.com

Documents

Nevis Networks: Best Practices in LAN Security …...compliance domains of process, control and “audit-worthiness,” with comprehensive, granular and detailed capabilities in each