Managing the Keys to Your Intranet
Paul Chin
(paulchinonline.com)
11/1/2004
While writing this article I was reminded of a scene from the military thriller "Crimson Tide" featuring Denzel Washington and Gene Hackman. At the height of the two characters' conflict and struggle to regain control of a U.S. nuclear submarine, Denzel pulls one of his shipmates aside and says, "These are the keys to the entire submarine."
It may be scary to think that there are those who hold in their hands the ability to access and do anything they want. But, of course, they don't because they're responsible people — or so we hope. We need to realize that for all the technological security mechanisms we put into place to protect our intranets and their content, there are still human beings on the other side who must manage all of it.
Any security put into place will only be as good as those holding the keys to grant access to secured content and to reconfigure system setups. They are also the ones who will be held accountable if something goes wrong.
But managing access to intranet content and resources should never fall into a single person's hands. Information — especially confidential information — may be less tangible than the hardware we use to hold it, but it shouldn't be treated with any less care. So how do you keep your intranet resources safe, and who do you give your keys to?
Protecting Your Resources
Since the beginning of the technological age, the most common way to secure private information from prying eyes has been the password. Passwords are used to authenticate network users, lock personal PCs, and secure documents. But a password is only as effective as the person holding it, and only if it's actually kept private. Nothing prevents password holders from writing it down on a piece of paper and leaving it lying on their desk, sharing it with colleagues, or blurting it out within earshot of other people.
Casual computer users rarely think of the ramifications of allowing their passwords to fall into the wrong hands. And this occurs much more often as a result of carelessness rather than active pursuit by malicious third parties bent on acquiring their password (see my article "The Spy Who Flubbed Me: Intranet Security Begins With Education" for more on this).
While a simple password may be adequate for protecting a Word document containing the exploits of your early college days, confidential corporate information must be secured by something more effective. It can be a combination of something you know and something you have. The table below lists some examples of common access methods to either physical or electronic resources:
| Access via something you know | Access via something you have |
| --- | --- |
| User-name and password login for network or Web site access | A key to a door lock |
| Numeric combination for a mechanical or digital door lock | A badge for a magnetic reader |
| PIN number for an ATM | A smart card for remote network login |
| | Fingerprints, retina, iris, voice, facial pattern for biometric scanning |
Site and Content Access Levels
True large-scale corporate intranets — those that cater to the entire organization and not to special niche groups within the company — will often house various content types. Some will cater to all employees, while others will need to be secured to specific projects or groups.
Information type can be broadly divided into:
- General public information: Information that can be obtained through any public medium and can be posted on an organization's Internet, as well as intranet, site.
- Company information: Information that's accessible by all employees within an organization, but not to the public.
- Restricted information: Information that can only be accessed by those directly involved in the activities of their department, workgroup, or project.
Because of these varying levels of content sensitivity, the security model you put into place to protect your information must be multi-tiered. Unlike an all-or-nothing approach — whereby a single point-of-entry is secured and gaining access to this "front gate" allows an authenticated user to access all subsequent content — multi-tiered security prevents someone with only general site permissions from accessing more sensitive information.
Smaller intranets with a limited user-base can get away with using an all-or-nothing approach, but when you're dealing with multiple departments and workgroups — all of which are involved in different product lines and projects — access to content must be granted on a strict need-to-know basis.
It's the responsibility of your intranet systems administrators — those holding the keys to the entire system — to assign permissions according to users and their functions. They need to work with the various content owners to identify which users in their department or workgroup will be able to access or change the different types of content that are housed in the system.
Access to an intranet can be divided into these security classifications:
- General site access: Access to your overall intranet, or what I like to call the "front gate." Logging onto an intranet involves providing the system with your user credentials in order to identify yourself to the system.
- Secured content access: Once the system identifies you as a valid user, access control lists (ACLs) will determine what resources you'll have access to and what you can do on the site (i.e., read-only or update).
- Site management access: Access to add and edit intranet content is usually restricted to the content owners of their respective sections.
- Administrator access: Access to the entire system — content, hardware, software, system configurations. This type of access is reserved for your development and/or systems administrator teams.
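The tiers above can be sketched as a single authorization check, shown next to the all-or-nothing "front gate" model for contrast. This is an added example, not code from the original article; the section names, user names, and the default read rules per information type are constructed assumptions.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    READ = 1      # secured content access, read-only
    UPDATE = 2    # site management access (content owners)

# Constructed sample data: each section's information type and its ACL.
SECTIONS = {
    "press-releases": "public",      # general public information
    "hr-handbook": "company",        # company information
    "project-x": "restricted",       # restricted information
}
ACL = {
    "hr-handbook": {"carol": Level.UPDATE},
    "project-x": {"alice": Level.UPDATE, "bob": Level.READ},
}
VALID_USERS = {"alice", "bob", "carol", "dave"}   # accounts that pass the front gate
ADMINS = {"root-admin"}                           # administrator access (already authenticated)

def effective_level(user, section):
    """Return the Level `user` holds on `section` under the tiered model."""
    tier = SECTIONS.get(section)
    if tier is None:
        return Level.NONE                      # unknown section: deny by default
    if user in ADMINS:
        return Level.UPDATE
    explicit = ACL.get(section, {}).get(user, Level.NONE)
    if tier == "public":
        return max(explicit, Level.READ)       # assumption: public content needs no login
    if user not in VALID_USERS:
        return Level.NONE                      # failed the front gate
    if tier == "company":
        return max(explicit, Level.READ)       # any authenticated employee may read
    return explicit                            # restricted: an ACL entry is required

def is_allowed(user, section, wanted):
    return effective_level(user, section) >= wanted

def all_or_nothing(user, section, wanted):
    """The single front-gate model, for contrast: a valid login implies everything."""
    return user in VALID_USERS or user in ADMINS
```

With this data, `dave` can read the HR handbook but not `project-x`, whereas the all-or-nothing check would let him into both.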
Implementing an Access Requisition Approval Process
Requests for site and content access should never be done casually; there must be a formal requisition process with authorization by someone in authority. This leaves an audit trail and will go a long way towards preventing those "How did so-and-so get access to this content?" questions.
Content owners know their content best, so it stands to reason that they're the ones to decide who should be able to access their confidential information — not IT. While IT personnel are the ones physically granting access to secured content at the server level, they should never be the ones to authorize this access. They don't need the added responsibility of hunting down each requester's manager or supervisor in order to confirm whether they should be granted access. Someone who's more familiar with the content and the people making the request will be in a far better position to decide this.
Smaller sites may have a single point of authorization, but larger multi-disciplinary intranets will require each section to have its own point of authorization — each content owner being responsible for providing access request authorization to their respective content. This process can be either paper-based or electronic, via an on-line access requisition form. This will lift the responsibility off the shoulders of your IT staff and place it in the hands of those who are most familiar with the content.
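An electronic version of this requisition process can enforce the split between authorizing and granting and record the audit trail as it goes. The following is an added example, not code from the original article; the owner and administrator names, the section names, and the request states are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: each section's point of authorization, and who may apply grants.
CONTENT_OWNERS = {"project-x": "alice", "hr-handbook": "carol"}
IT_ADMINS = {"ivan"}

@dataclass
class AccessRequest:
    requester: str
    section: str
    level: str                      # "read" or "update"
    status: str = "pending"
    audit: list = field(default_factory=list)

    def _log(self, actor, action):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append((stamp, actor, action))

def submit(requester, section, level):
    if section not in CONTENT_OWNERS:
        raise ValueError("no point of authorization for " + section)
    req = AccessRequest(requester, section, level)
    req._log(requester, "submitted")
    return req

def decide(req, approver, approve):
    # Only the content owner of the requested section may authorize.
    if approver != CONTENT_OWNERS[req.section]:
        raise PermissionError(approver + " is not the owner of " + req.section)
    if req.status != "pending":
        raise ValueError("request already " + req.status)
    req.status = "approved" if approve else "denied"
    req._log(approver, req.status)

def grant(req, admin, acl):
    # IT applies the change at the server level but cannot authorize it.
    if admin not in IT_ADMINS:
        raise PermissionError(admin + " cannot modify the ACL")
    if req.status != "approved":
        raise PermissionError("no owner authorization on record")
    acl.setdefault(req.section, {})[req.requester] = req.level
    req.status = "granted"
    req._log(admin, "granted")
```

Each request's `audit` list answers the "How did so-and-so get access to this content?" question: it names the requester, the owner who authorized, and the administrator who applied the change.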
Limiting Access to Server Room Resources
Not only does your intranet content need to be secured from unauthorized access but so does the hardware holding it. Most production servers are kept in a secure and controlled environment under proverbial lock-and-key — a numeric code, a magnetic badge reader, biometric scanning, or any combination of these — and monitored with cameras.
Like all secure facilities, server room environments should not be subjected to high amounts of walk-in traffic. Access must be limited to people who really need to be in there such as systems administrators, backup administrators, and disaster recovery personnel.
How Many Administrators is Enough?
Placing your intranet and confidential information in someone else's hands is a bit of a balancing act. While you don't want to leave any one single IT person responsible for being the "gatekeeper," you also want to limit the number of people with full administrative privileges.
Having only one person with the knowledge and skills to maintain the technological nuts-and-bolts of your intranet — the part your content owners rarely see — doesn't provide a large user community with enough of a fail-safe in the event the person is tied up somewhere else, transfers departments, or leaves the company. On the flip-side, having too many people with full administrative access to your intranet and its resources may be opening too many doors — especially for highly secure systems. The more points-of-entry, the more can go wrong.
However, there's a middle ground between too few and too many: An administrative team can be made up to support your intranet with consistent transfer of knowledge between team members (the size of this team will depend on the size of your site and the number of people involved). But only a core number of "active" team members will have the required administrative privileges. The remaining members will act as backups, understudies ready to fill in at a moment's notice. This way only a handful of people will have full access at any given time.
Final Thoughts
Security involves a lot more than just the technology. Technology is indifferent; it's the people behind it that give it life. Even great technology can be stunted by poor user implementation. And all the security bells-and-whistles won't prevent an IT neophyte from leaving a great big hole in your system. In the end, the integrity of a security model will be judged by the proficiency of those who put it into place — so make sure that you're handing your keys to the proper people.