5 Key Considerations When Implementing User-Based Access Controls

Jan 18, 2017

End users, the very people chartered to preserve the integrity of your business, are also one of the largest exposure points in your network's security infrastructure. By 2020, IDC expects mobile workers in the United States alone to account for nearly three quarters of the total workforce*. As a result, an IP address is no longer a reliable proxy for a user: people move between physical locations, pick up different addresses from DHCP and VPN pools, and use multiple devices, operating systems and application versions to reach the data they need. It is now critical to an organization's risk posture to identify who the network's users are, independent of IP address, and to account for the risk each user brings based on the device being used.

To control the threat exposure unknowingly caused by the end user community and protect your organization from breaches, leverage User-ID, user-based access controls, on your Palo Alto Networks next-generation firewall (NGFW). With User-ID, you can allow access to sanctioned applications based on user identity information, rather than IP address, providing visibility into who is using what applications on the network, and who is transferring files and possibly introducing threats into your organization.

When applied correctly, user-based access controls can reduce incident response times and strengthen your organization’s security posture. Outlined below are five key points to consider when applying User-ID technology to your NGFW security infrastructure.

1. Understand the organization’s user environment and architecture

To do this, ask yourself the following questions:

  • Which locations does my organization operate in? An organization might operate in several different locations, such as a main campus, branch offices or remote locations.
  • What authentication method is used in each location? Do users log in directly to directory servers, or are they authenticated and authorized on wireless LAN (WLAN) controllers, VPN systems or network access control (NAC) devices?
  • What are the operating systems (OS) in each location? There could be heterogeneous environments with Windows®, Mac and Linux capabilities, or homogenous environments with only one OS.
  • How do endpoints log on to the network? Are endpoints identified and authenticated prior to logging on to the network?

2. Figure out supported user-to-IP mapping strategies, and determine the ones you will use

Determine which user-to-IP mapping mechanisms your next-generation firewall supports. A number of sources are typically available for identifying users: directory service logs (for example, Windows security event logs from domain controllers), third-party proxy servers, WLAN controllers, VPN gateways, network access control systems, and terminal services agents for hosts such as Citrix or Remote Desktop servers, where many users share a single IP address and a per-session mapping is required.

Based on discoveries in the first step, select the user-to-IP mapping strategies that apply to your environment.

3. Implement the selected user-to-IP mapping strategy for user visibility

Implement the selected strategy to gain visibility into users' behavior. Collaboration with other team members, such as IT architects, security operators and network admins, is critical here, because the mapping sources (domain controllers, VPN and WLAN systems, syslog senders) are usually owned by other teams. Before relying on the mappings, verify them on the firewall itself (on PAN-OS, `show user ip-user-mapping all` lists the current table) and confirm that entries expire when a user leaves the address; a stale mapping attributes the next user's traffic to the wrong person.

This visibility enables the identification of activities and usage patterns tied to users instead of IP addresses, including insights such as top users and browsing history; top apps accessed by users in the marketing group in the last 24 hours; or Software-as-a-Service (SaaS) application usage broken down by user. All of these provide valuable data points around which to formulate appropriate user-based access controls.

Share the visibility reports and data with other team members with whom you collaborated.

4. Ensure business policies exist to justify user-based access controls

Before rolling out User-ID-based controls, ensure supporting business policies exist that define access parameters. Typically, such policies are established by human resources (HR) and legal. If such policies do not exist, collaborate with HR and legal to establish policies, leveraging the user-based reports as your guide.

In addition, when defining user-based access controls, it is best to do so in terms of groups rather than individual users. Instead of writing rules for the marketers Jane, John and Joe, write one rule for the marketing group and let directory group membership determine who it applies to. This simplifies policies, keeps administrative overhead to a minimum, and means that joiners and leavers are handled by the directory rather than by firewall changes.

5. Implement user-based access policy

Once the corresponding business policy is aligned and user groups are defined, user-based access controls can be implemented. Create an ordered list of security rules that allow the sanctioned applications and websites for each group, followed by an explicit deny rule for everything else, and enable logging on the deny rule so that blocked traffic is visible. Then roll the policy out one group at a time; running a group's rules as allow-and-log for a short observation period before enforcing the deny catches applications the business policy missed.
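As an added illustration of the mechanics behind steps 2, 3 and 5 (this is example code written for this page, not Palo Alto Networks or PAN-OS code), the following Python builds a user-to-IP mapping table from constructed log events in three assumed, hypothetical formats (directory logon, VPN session, WLAN association), expires stale entries, and evaluates a group-based allow list with a default deny. The group names, applications, timeout value and log line formats are all assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical log formats for three mapping sources (constructed for this
# example; they are not real vendor formats).
PATTERNS = {
    "ad":   re.compile(r"logon user=(?P<user>\S+) src=(?P<ip>\S+)"),
    "vpn":  re.compile(r"session-(?P<state>up|down) user=(?P<user>\S+) assigned-ip=(?P<ip>\S+)"),
    "wlan": re.compile(r"assoc user=(?P<user>\S+) ip=(?P<ip>\S+)"),
}

# Constructed sample events: (unix timestamp, source, line).
EVENTS: List[Tuple[int, str, str]] = [
    (1000, "ad",   "logon user=jane.doe src=10.1.20.15"),
    (1005, "vpn",  "session-up user=john.roe assigned-ip=10.9.0.4"),
    (1010, "ad",   "logon user=joe.bloggs src=10.1.20.16"),
    (1020, "wlan", "assoc user=ann.smith ip=10.1.30.7"),
    (1200, "ad",   "logon user=joe.bloggs src=10.1.20.15"),   # Jane's old address reused by DHCP
    (1300, "vpn",  "session-down user=john.roe assigned-ip=10.9.0.4"),
]

# Assumed directory groups and an allow list of (group, application) pairs.
# Anything not matched by a rule is denied, mirroring an explicit deny-all rule.
GROUPS = {"marketing": {"jane.doe", "john.roe", "joe.bloggs"}, "finance": {"ann.smith"}}
RULES = [("marketing", "salesforce"), ("marketing", "web-browsing"),
         ("finance", "netsuite"), ("finance", "web-browsing")]


class UserIPMap:
    """ip -> (user, last_seen). Assumes one user per IP; a terminal server
    where many users share an address needs a per-session mapping instead."""

    def __init__(self, timeout: int = 3600):   # timeout is an assumed value
        self.timeout = timeout
        self.table: Dict[str, Tuple[str, int]] = {}

    def learn(self, ts: int, source: str, line: str) -> None:
        m = PATTERNS[source].search(line)
        if not m:
            return
        d = m.groupdict()
        if d.get("state") == "down":
            # Release the mapping explicitly so the next holder of the
            # address is not attributed to the user who just disconnected.
            self.table.pop(d["ip"], None)
            return
        self.table[d["ip"]] = (d["user"], ts)   # newest logon wins

    def lookup(self, ip: str, now: int) -> Optional[str]:
        entry = self.table.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.timeout:
            del self.table[ip]   # stale: treat as unknown rather than guess
            return None
        return user


def build_map(events: List[Tuple[int, str, str]], timeout: int = 3600) -> UserIPMap:
    m = UserIPMap(timeout)
    for ts, source, line in events:
        m.learn(ts, source, line)
    return m


def groups_of(user: str) -> set:
    return {g for g, members in GROUPS.items() if user in members}


def decide(user: Optional[str], app: str) -> str:
    """Group-based allow list; unknown users and unmatched apps are denied."""
    if user is None:
        return "deny"
    return "allow" if any(g in groups_of(user) and a == app for g, a in RULES) else "deny"


def check_flow(m: UserIPMap, ip: str, app: str, now: int) -> Tuple[Optional[str], str]:
    """Resolve the source IP to a user, then evaluate the user-based policy."""
    user = m.lookup(ip, now)
    return user, decide(user, app)


if __name__ == "__main__":
    table = build_map(EVENTS)
    for ip, app in [("10.1.20.15", "salesforce"), ("10.1.20.15", "bittorrent"),
                    ("10.9.0.4", "salesforce"), ("10.1.30.7", "netsuite")]:
        print(ip, app, check_flow(table, ip, app, now=1300))
```

Two details matter in practice: the session-down event and the idle timeout are what keep a reused DHCP or VPN address from being charged to the previous user, and an unresolved address falls through to the deny rule rather than being guessed, which is the behavior you want when a mapping source is down.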

The user groups affected by the new access controls will have questions, so communication is key. Let each affected group know what you plan to do and when you plan to do it, and give them a way to request an exception. Organizations can also consider forming a dedicated support team for the rollout period to field the higher-than-average volume of inquiries, reassure users and keep the rollout on schedule.

With these considerations in mind, implement User-ID on your Palo Alto Networks NGFW security infrastructure to defend against successful cyberattacks and make the most of your security investment.

To learn more about the benefits of leveraging User-ID, user-based access controls, on your Palo Alto Networks NGFW:


* U.S. Mobile Worker Forecast, 2015–2020, International Data Corporation (IDC), May 2015  


