RSA 2009: TippingPoint laments access policy complexity

Traditional access policies generate too many rules and tables, according to TippingPoint

TippingPoint chief technical officer Brian Smith on Wednesday presented a new system for managing access rights, which the company hopes will greatly simplify the process of securing enterprise networks.

The new framework addresses what Smith sees as a growing problem with assigning and managing access rights, while still providing security and data protection.

Smith explained that many enterprises currently have access settings for each device, location and user. As more and more devices become connected to corporate networks from more locations, those tables become larger and harder to manage.

"It just takes up too much memory and eventually it explodes on you," he said.

Rather than set the multiple tables for each user, Smith suggested a new system that combines certain access rules and directions with a set of 'tags' for certain conditions.

When a user attempts to access a network, the IP address is scanned and tags are assigned based on the address. Later, tags are assigned for a device's type, platform and behaviour. Those tags are then run through specified tables and rules, which then recommend an action.

By using such a method, Smith suggests that the process of managing access and security could become far less complex.

"It turns out you can do that computation really, really fast," Smith said. "And it also gives you a framework for automation."

The system also paves the way for what Smith sees as a security market similar to the current smartphone application markets, such as those for the iPhone or Android handset, in which third parties write smaller applications for each platform.

Smith sees third-party security developers stepping in to patch the smaller flaws and vulnerabilities in individual applications that the larger operating system and security vendors leave open due to high development and deployment costs.

"If the business case is not there for the vendors, the problem is not going to be solved," Smith explained.

"But if you can take that stuff and package it, you change the model."