RES Software and Security: Realizing Asset Centric and User Centric Approaches to Security
Executive Summary
In the rush to meet regulatory or customer mandates, organizations have spent millions of dollars implementing security and compliance measures either issue-by-issue or regulation-by-regulation. This has resulted in an asset-centric security approach, where we focus on the IT infrastructure and make sure that this is secure.

However, in the current versatile user community, a user is no longer bound to a single device. So, although assets still need to be kept secure, the need arises for a user-centric security approach where security rules are aligned with the use of those assets.

This white paper presents an overview of both the asset-centric and the user-centric approaches to security. These approaches will be mapped towards the standard for Information Security: ISO 17799.
Security
Why Does Security Matter?
Information is an important asset in our current market. As a result, businesses want to manage information as an asset, but at the same time, they are evolving towards collaboration with other companies in order to fulfill customer needs more quickly. This approach has increased the pressure on IT departments. On the one hand, they need to make information available for more users. On the other hand, they need to keep this information secure and share it only with the appropriate individuals and organizations.

So security matters, and any approach will have to focus on two things:
- Availability: making sure that information is available for use.
- Confidentiality: making sure that only authorized people can access it.

Availability
Currently, an important job for many administrators is to ensure that authorized users have access to information and the associated assets when required.

Focus on Assets
Currently, the most common approach is to focus on assets. This approach originates from a risk management approach:

In a Microsoft Windows environment, this means that the following tasks need to be performed on a regular basis:
- Scanning machines for vulnerabilities, i.e. querying installed operating system patches and installed software, querying NTFS and share right assignments, querying service properties, and running MBSA queries.
- Taking counter measures for certain risks, i.e. installing patches, changing service parameters, changing NTFS and share rights assignments.

These standard, frequently repeated tasks can be easily automated with a solution for IT run book automation for Windows, such as RES Automation Manager.
RES Software and Security: v.1.0-9.30.10 Page 1 of 3
Realizing Asset Centric and User
Centric Approaches to Security
Users are No Longer Bound to a Single Device
The question arises whether this asset-centric approach that defines threats as external forces is enough. Does this approach ensure availability of the service? In the current user environment, users no longer have their own desktop (asset) on which they use their services. In today’s IT world, a user can have a laptop or desktop for use at the office during the day, and a desktop made available via server-based computing for use from home or from any other place outside the office. This results in new challenges for IT departments because the main focus is on ensuring availability of a user’s services.

Users want their services (applications plus their settings) to be available, whatever the method of delivery, and they want changes made in one environment to be reflected in all the others automatically. This results in the next approach to availability: the user-centric approach, which is achieved through user workspace management. In this approach, all user settings are disconnected from the underlying application delivery solution, and are applied when a user starts an application. This gives the user a unified workspace independent of an application delivery solution.

New Challenges: Confidentiality
Focusing on the availability of services to users, both in and outside the office, enhances user productivity and business performance.

However, this approach does pose new challenges to the IT department, and these challenges need to be addressed. A user now has access to the company network from outside the office too, but some services and their corresponding resources should not be available from outside the office.

Once you have established the availability of a service to a user, you need to make sure that this service is only available for those who are authorized. This is confidentiality, the focus of the next part of this whitepaper.

Confidentiality
Ensuring that information is accessible only to those who are authorized to access it is a challenging task in the current environment. If a user is not bound to one single workstation, it is no longer possible to allow or disallow access based on the workstation (asset). The asset-centric approach, though important, is not sufficient. A user-centric approach is needed as well, so that a user can get access to the services, but only after the following checks:

- Who is the user? This question is answered using authentication based on username and password.
- Where is the user? This is important, because where a user starts a service can determine whether that service (such as the application plus its settings and resources) should be available.
- What time is it? Some services may have scheduled maintenance windows during which they are not available.
- Does the user have the necessary credentials? In some cases, you may want to base access to a service on additional levels of authentication, because the application contains too much sensitive information.

Besides the internal user, businesses are collaborating more with other companies. These collaborative initiatives will need to share information, and so they need to be supported by IT. The asset-oriented approach tries to make sure that external threats don’t come in. This is not possible in a collaborative enterprise because people from other companies do need to get inside your network. But you only want to grant them access to the services they need. This requires a different approach, one that starts from the inside and works out, instead of the other way round. This is what you deliver with a user-centric security approach.

You grant a user access to a service, namely the application with its settings. Based on this access, you can then grant the user access to related:
- Files and folders
- Local storage
- Removable storage
- Network resources
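
The four checks described on this page (who, where, what time, credentials), followed by the grant of related resources only once the service itself is granted, can be expressed as a default-deny policy function. The following is an added illustration, not RES Software code; the office network range, user names, service definition and resource labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample policy: networks, users and services are illustrative.
OFFICE_NETS = [ip_network("10.0.0.0/8")]
ENTITLED = {"hr-app": {"alice"}, "mail": {"alice", "bob"}}

@dataclass(frozen=True)
class Service:
    name: str
    office_only: bool = False        # "Where is the user?"
    maintenance: tuple = ()          # ((start, end), ...): "What time is it?"
    needs_strong_auth: bool = False  # "Necessary credentials?"
    resources: tuple = ()            # granted only together with the service

@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool              # "Who is the user?"
    source_ip: str
    strong_auth: bool = False        # additional level of authentication passed

def in_window(now: time, start: time, end: time) -> bool:
    """True if now is inside [start, end); handles windows crossing midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def decide(session: Session, service: Service, when: datetime):
    """Default-deny evaluation; returns (allowed, reason, resources)."""
    if not session.authenticated:
        return False, "who: not authenticated", ()
    if session.user not in ENTITLED.get(service.name, set()):
        return False, "who: not entitled to service", ()
    inside = any(ip_address(session.source_ip) in net for net in OFFICE_NETS)
    if service.office_only and not inside:
        return False, "where: service is office-only", ()
    if any(in_window(when.time(), s, e) for s, e in service.maintenance):
        return False, "when: maintenance window", ()
    if service.needs_strong_auth and not session.strong_auth:
        return False, "credentials: stronger authentication required", ()
    # Related resources are released only after every check has passed.
    return True, "ok", service.resources

HR = Service("hr-app", office_only=True,
             maintenance=((time(23, 0), time(1, 0)),),
             needs_strong_auth=True,
             resources=("share:hr-files", "printer:hr-1"))
```

Every denial returns an empty resource tuple, so files, storage and network resources never outlive a failed check on the service they belong to.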
Conclusion
The ISO 17799 standard is related to information security. This standard defines information as an asset that may exist in many forms, and that has value to an organization. The goal of information security is to protect this asset suitably, so that business continuity is ensured, business damage is minimized, and return on investments is maximized. According to ISO 17799, information security is characterized as the preservation of:
- Integrity: safeguarding the accuracy and completeness of information and of protection methods.
- Availability: ensuring that authorized users have access to information and associated assets when required.
- Confidentiality: ensuring that information is accessible only to those authorized to have access.

As discussed in the previous paragraphs, there are two approaches in Information Security: asset-centric and user-centric. The asset-centric approach ensures that the infrastructure is available, and helps protect it against external threats. But in the current versatile user environment, this approach by itself is not enough to make services available to users. Because the user is working from multiple desktops both in and out of the corporate network, a user-centric approach is needed as well. Combining these approaches will result in better availability, but, even more importantly, will greatly improve the confidentiality as described by ISO 17799. The user-centric security approach is delivered through user workspace management. This gives the desired availability of the services to end users, without compromising the necessary security policy.

Together, the RES Software products RES Automation Manager and RES Workspace Manager deliver both the asset-centric and the user-centric security approach.
RES Software
RES Software, the proven leader in dynamic desktop solutions, is driving a transformation in the way
organizations manage, maintain and reduce the cost of their desktop infrastructure. The RES Software award-
winning, patented products enable IT professionals to manage and deliver secure, personalized and compliant
desktops independent of the underlying computing infrastructure – thin clients, virtual desktops, physical
desktops, or server-based computing environments. The company empowers customers, from small to medium-
sized businesses to global enterprises, to reduce desktop complexity and meet the essential needs of a dynamic
workforce that requires on-demand access to their personalized workspaces. For more information, follow
updates on Twitter @RESSoftware and visit www.ressoftware.com.