Novell Compliance Management Platform 1.0 Overview


A large part of my life is spent working in the Identity and Security Management (ISM) "space" which, at Novell, means I play with eDirectory, Identity Manager, Sentinel, Access Manager, and other products. Luckily the last few years have taken me on a tour of most of the products in this Business Unit (BU), so I've at least had the opportunity to pick up some of the jargon and get a feel for how everything works together. In the last year Novell has released the Novell Compliance Management Platform (NCMP), which is designed to tie a lot of these components together in one great big mesh of happiness (so much happiness, in fact, that a demo system is named 'Utopia', which I presume leads directly to euphoria). Understanding the potential benefits of the NCMP for a company can take a bit of time, so I wanted to provide that kind of an overview here. There will be some technical parts that I care about emphasizing, but overall this is meant to cover what NCMP provides for those who really need to know.

So first the name: Compliance Management Platform. Unless you have been out of the office since Y2K it is likely you have heard about companies doing bad things internally and getting away with it (Google for 'Arthur Andersen' or 'Enron' for more details). Also, with the Information Age still in its boom years, the ability to get at data is increasing quickly, for better or for worse. So to protect the little guys in the world (you, me, etc.) a new buzzword was nominated, and Compliance came to be the new favorite child of Security and Identity folks. Government and industry regulations like Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and several others came into being, and now companies must comply or suffer consequences. What kinds of consequences? That depends on who you are. For the head of whatever organization, jail/prison time may be in your future if you end up on the wrong side of a verdict. So the stakes can be high, and if companies do not comply then financial or legal pains could be in order, neither of which makes shareholders or anybody else with an interest in the company too thrilled.

Depending on a company's primary business, one or more of these compliance regulations may need to be followed. Doing this can be a large task, but it is something that must be done properly. Knowing who does what, when, and whether they are allowed to do it means either being compliant or being out of work. Being able to prove that compliance is met, as easily and quickly as possible, is becoming more important. In some cases an audit, even one where compliance is found to be met, can cost the better part of one million dollars. If a point in the audit is missed, that number starts to grow quickly: you must find all the possible ways to resolve it, implement those solutions, go back to see if the violation led to actual security breaches, etc.

The components of the NCMP are made to provide a full solution encompassing everything security-related in the Information Technology (IT) environment. For example, web-based interactions and VPN sessions are all managed via Novell Access Manager 3.0.4. Identities for various systems are stored in eDirectory 8.8.3. Synchronization and provisioning of identities between various systems can be done quickly, reliably, and simply via Identity Manager 3.6. Administration is accomplished via iManager 2.7. All of the systems can send their audit events to Novell Sentinel (included), which can enforce rules defined by administrators based on the various types of expected (or unexpected) events. Ties between Sentinel for event data and Identity Manager for identity data are implemented so that events are tied to identities and not just accounts. Reports that monitor the types of events relevant to the NCMP are shipped, and more can be created as part of the Sentinel environment. A standardized Resource Kit for IDM is included to help implement, from the start, the best practices for agility and security that come from years of experience within Novell. IDM's Analyzer 1.0 product is included to ensure internal policies are adhered to for data quality, including data analysis, cleansing, reconciliation, and monitoring/reporting. The IDM Role Based Provisioning Module (RBPM) is available for implementing workflows to take care of the various tasks requiring management input, while providing an audit trail for those who need to know that processes are being followed properly. As you can see, the "platform" has just about everything you could imagine included to help meet the expectations of any compliance regulation.

So for the price of all these products, what do you get that doesn't come with the products' individual purchases? The biggest part for me is full identity/event integration. As mentioned, when Sentinel and IDM play nicely together via the 'Identity Vault' collector (Sentinel side, not to be confused with the otherwise-available Identity Manager collector) and the Sentinel driver (IDM side), Sentinel is able to know about all of the accounts associated with each identity. eDirectory user jsmith, MAD user johnsmith (the sAMAccountName) and the person with proximity card number 3253 are all the same person. The system is then able to see that a badge into the building at 0800 as 3253, a login to OES as 'jsmith' at 0805 and a login to a Windows server as 'johnsmith' at 0810 are all part of the same user's activities. This is important for a number of reasons that go back to business cases revolving around separation of duties and the security concept of least privilege. Let's use one of the common examples to illustrate this full solution's potential.

As a new employee to Digital Airlines, and as a security guard for the company, I have certain responsibilities that are my own and a lot of "power" because I can go all kinds of places in the company as part of my security job. After all if a bad guy gets into a secure area I need to be able to go in there and remove the individual. With this said I have no business knowing anything about the company finances, or having anything to do with the IT department. My "night job" of being a malicious computer hacker (cracker) is my unknowing employer's worst nightmare. To make life complicated for me, all of the secure servers I want access to are locked in a "secure facility" whose business policies prohibit any kind of remote access; if somebody wants to work on a machine there they had better be in the building doing it directly. Like any business policy it may or may not be followed by everybody in the organization and I'm counting on it not being followed very closely. So off I go trying to find a weakness in the system and a route into the network. My previous work as a security guard has landed some nice sticky notes with passwords for users who have access to data I want (financial, for example). So I start trying to login to servers to see what I can find.

So in the case above a security hole exists, though because of the preliminary work done (likely in most sophisticated attacks) the chances of seeing failed logins or brute-force attacks may be very small. The problem of locking out intruders is handled by eDirectory and has been for years. The problem of access control lists is handled by every application in the world already. The problem in this case is one of policy: company policy does not allow access to the desired data in this manner. Let's switch over and see what this (plus the day's earlier events) looks like to Sentinel.

0755 - BadgeID 12345 enters secure facility

0805 - Jane Smith logs into her Linux/Mac/windows workstation.

0915 - cn=jsmith.o=digitalairlines.dc=org accesses company financial information via a website fronted by Novell Access Manager (new session)

0930 - janesmith accesses financial database directly for daily work

1423 - janesmith logs out of the financial database system

1702 - BadgeID 12345 exits secure facility

2212 - cn=jsmith.o=digitalairlines.dc=org accesses company financial information via a website fronted by Novell Access Manager (new session) #this is the attacker

2215 - janesmith accesses financial database directly #this is the attacker

2309 - janesmith logs out of the financial database system #this is the attacker

So based on these events in the system, what is actually wrong? No brute-force password attacks, no failed logins, not even a single user accessing resources they aren't authorized for, and yet we know that the attacker has done this. Because company policy requires a user to actually be somewhere in order to access the secure financial data, it is a fairly simple exercise with the data in this format to identify a problem, as long as we know that badge number 12345 is also Jane Smith, who has a username of jsmith or janesmith depending on the system being accessed. This is where the Compliance Management Platform does what nobody else can do. Tying identity and events together, we know that a woman named Jane Smith who has badge number 12345 is also cn=jsmith.o=digitalairlines.dc=org in eDirectory as well as 'janesmith' in the financial database. We know all of these things because Novell Identity Manager (IDM) takes care of the provisioning of users to various systems based on their roles, and also reports those provisioned accounts to Sentinel in a way that ties them all together. When Novell Modular Authentication Service (NMAS) sees Jane swipe her card to access the facility, that is noted, and from then on access to various systems inside the facility is granted by business rules as well as by the normal technical limitations requiring valid credentials. When she swipes her card to leave, that right is revoked in policy even though the technical ability to log in to various systems may still remain. It would also be possible to actually disable logins in various applications while a person was not in the building, but that still involves this same type of check.

So in Sentinel, along with all of the identity information stored for various applications courtesy of Novell's CMP, a rule is created that adds a person to a list of people in the building whenever they enter the building, and another that removes them from the list when they leave. All that remains is a quick check during a login to a secure system to see whether the user is in the secure facility. If not, a violation is reported and remediation actions can take place, including disabling the account, locking down or turning off the computer from which the login occurred, or any other appropriate action. What is important to note, regardless of the actions taken, is that the violation is known in real time. Further damage is prevented, and current damage may be stopped, because of good policies and a way to enforce them regardless of the "account" a living, breathing person used to access one system or another.
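To make the rule concrete, here is an added example (my own illustration, not Novell's or Sentinel's code) of that correlation logic run over the day's timeline from above. The identity map and the event records are constructed to mirror the post; the map stands in for what the Identity Vault collector receives from IDM, and the presence set stands in for Sentinel's "people in the building" list.

```python
# Constructed identity map: (system, account) -> person, as IDM provisioning
# would report it to Sentinel. Every account below belongs to one person.
IDENTITY_MAP = {
    ("badge", "12345"): "Jane Smith",
    ("edir", "cn=jsmith.o=digitalairlines.dc=org"): "Jane Smith",
    ("findb", "janesmith"): "Jane Smith",
}

# Constructed event timeline mirroring the post: (time, system, account, action).
# The 0805 workstation login is omitted because no account name is given for it.
EVENTS = [
    ("0755", "badge", "12345", "enter"),
    ("0915", "edir", "cn=jsmith.o=digitalairlines.dc=org", "login"),
    ("0930", "findb", "janesmith", "login"),
    ("1423", "findb", "janesmith", "logout"),
    ("1702", "badge", "12345", "exit"),
    ("2212", "edir", "cn=jsmith.o=digitalairlines.dc=org", "login"),  # attacker
    ("2215", "findb", "janesmith", "login"),                          # attacker
    ("2309", "findb", "janesmith", "logout"),                         # attacker
]

# Systems whose business policy requires the person to be on site.
SECURE_SYSTEMS = {"edir", "findb"}


def resolve(system, account):
    """Map a system-specific account to a person; unknown accounts yield None."""
    return IDENTITY_MAP.get((system, account))


def detect_violations(events, secure=SECURE_SYSTEMS):
    """Replay events in time order and return one (time, person, system, account)
    tuple for every secure-system login by a person not currently badged in.
    Logins from accounts that cannot be resolved to a person are reported too:
    an unmapped account can never be shown to be in the building."""
    present = set()      # people currently inside the facility
    violations = []
    for time, system, account, action in events:
        person = resolve(system, account)
        if system == "badge":
            if action == "enter" and person is not None:
                present.add(person)
            elif action == "exit":
                present.discard(person)
        elif system in secure and action == "login":
            if person is None or person not in present:
                violations.append((time, person, system, account))
    return violations
```

Replaying the constructed timeline flags only the 2212 and 2215 logins: the same accounts, used the same way, were fine at 0915 and 0930 because badge 12345 had entered at 0755 and had not yet left.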

Novell's Compliance Management Platform provides the needed integration of the Identity and Security components to prove that the policies in place are in fact enforced or, at the very least, that violations are properly identified as quickly as possible. Being able to prove quickly and reliably that compliance is met for a given set of regulations saves thousands or millions of dollars in a single audit, and provides peace of mind for those who can be held financially and legally responsible for violations, so their focus can be on more relevant tasks.

