How should user access be balanced with enterprise IT resources?
Management of user account lists, definition of permissions, monitoring applications…
Defining who has the right to do what can quickly become a headache for a developer. How can the security of the system be maintained without slowing the company’s productivity?
Here are several ideas to help you orient yourself, and we recommend our favorite solution at the end of the article.
Securing the use of company resources is a delicate subject. It is no small task to combine system security and user autonomy.
A system that has too many constraints, while having the advantage of being perfectly secure, will often prove to be a long-term obstacle for a company’s reactivity. On the other hand, while giving users more autonomy makes a company more reactive, it can entail security risks.
Let’s take a closer look at the daily task of user account and permission management. Here are several options that leave some room to maneuver:
User account management
This task takes a great deal of time and requires the mobilization of technical resources.
What if it were possible to transfer this task to non-technical administrators?
A good security policy must be adapted to the situation on the ground. It is most productive to know the daily users so that they can be given appropriate permissions.
Can we delegate this kind of task? This brings up both technical and strategic questions.
These choices require significant analysis to truly fit the business of each company.
Some key questions:
What tasks should be delegated to administrators?
The creation/deletion of accounts is a task easily delegated. It is simple to accomplish technically, and the impact on security is easily controlled.
The choice here is less obvious.
From a strategic point of view: do we wish to transfer this type of responsibility to non-technical administrators?
From a technical point of view: how can a “functional” permission attributed by an administrator be effectively applied to a user?
What kind of tools should be put in place?
We must find or create tools to execute these tasks.
Note: we cannot recommend highly enough that you take into account the perception of end users: tools that are not user-friendly encourage users to find ways to work around the system, which puts the security of your system at risk.
How to guarantee the reliability of the system?
To maintain a high level of security, you must be able to control what is done at the heart of the system (to know which administrator gave which permission, etc.). Therefore, auditing tools must be planned for from the start.
How many administrators are needed?
If there are many administrators, you must make appropriate arrangements for their roles and permissions in the administration tools. For example: a master administrator and many sub-administrators with more limited responsibility.
How to manage sites in different locations?
Depending on the structure of the company, it may be necessary to put in place administration tools that work without a direct link to the database to guarantee administrator autonomy.
This is one of the basic strategic decisions.
Access Control demands a specific line of questioning.
It is particularly difficult to develop a solution that, at the same time, is:
Moreover, the hidden costs put a strain on the development budget in the long term:
The complexity of the subject justifies a preliminary study of existing
A precise estimate of the costs (short and long term) and the needs specific to the company will allow you to make the best decision.
Novalys has developed an access control solution that responds to a large number of the concerns discussed (Visual Guard). In particular:
Note: From a technical point of view, all .NET applications are supported: Winform, Webform, ASP.NET, WCF, WPF, etc., as well as all PowerBuilder applications. The goal is to create a single, centralized security system for all applications. A multi-lingual version is in development to support other, non-.NET applications: Java, C++, PHP…
Note: In practical terms, this means that you can reuse Windows accounts to authenticate the users of your applications. This allows you to avoid creating an authentication system, and Windows Single Sign-On is automatically implemented.
Note: Technically, the tool is based on the .NET framework. The permissions are applied dynamically without passing through the deployment phase. Once a permission is assigned by an administrator, it is immediately active.
These functions allow you to combine a secure system and user flexibility.
From a functional perspective, the administrators have their own tool for account management.
According to the specific needs of the company, administrators can be allowed to only add users, or can be given more advanced privileges, like the ability to attribute permissions.
The different levels of roles allow a hierarchy to be established among the administrators. The log function guarantees that all security actions can be tracked.
From a technical perspective, there are many advantages to Visual Guard:
It is compatible with multiple authentication systems.
Windows authentication automatically implements Single Sign-On. The functions tied to permissions and auditing are standard features. Offline and remote modes are both included.
Finally, externalizing both security updates and the work of keeping up with Microsoft’s technical evolutions equates to significant savings of both time and money. The development teams can concentrate their efforts on strategic tasks instead of daily maintenance.