Network security must balance accessibility and security, and this requires effective protection at the edge of the network, as well as effective role-based rules for access to processes and information in the core of the network, says digital security firm Gemalto Africa business development marketing manager Jeremy Osborne.

Effective edge protection involves securing access provided by mobile and end-point devices, especially in light of multiple devices used in corporate environments. This can be achieved through secure identification of the devices and strict control of what processes or information can be accessed when using these devices.

“As the name implies, the subscriber identity module (SIM) card in a cellphone is a security element because it can be used to identify the device and, thus, the user for the purpose of accessing secure portions of the company’s network.”

Additional layers of security can then be added to improve security, such as biometrics, passwords and digital access tokens, which provide temporary permission for the device to access parts of the network, says Osborne.

Gemalto is also involved in the security features and systems implemented for the new smart identify document cards in South Africa.

However, once a device and a user are granted access to the core elements of the network, the capabilities of the user must be constrained by role-based permissions to ensure that the user accesses only relevant portions of the information or processes, says Gemalto Africa identity and data protection manager Neil Cosser.

The permissions based on the role that a user is fulfilling can also be constrained to consider the device or location of the user and, depending on the sensitivity of the process, can also require active permission granted by a security administrator or that a user can access only portions of a business process once other users have completed their portions of the workflow.

“Crucial for core security is that users can access only the information and processes that are relevant to their role at that time. “Thus, best practice would be to restrict access to information, except when invoked for a specific process by a specific user or set of users.”

For example, a financial manager should not be able to access sensitive records from his or her personal device, except at specific times for work purposes or when he or she is at the company’s headquarters. Blanket access is a risk and is unnecessary for most applications, which must be managed through role-based rules, says Cosser.

Meanwhile, biometric identification is increasingly being included to add additional verification and authorisation security, and is also increasingly being used when digital signatures are placed on documents.

“We are moving to a situation where mobile devices and identification are merging and, while we will need multiple forms of identification, this trend allows user access, security and convenience to be balanced according to the sensitivity of the process in question,” says Osborne.

Securing the devices that are allowed access to the network core is an effective way of managing heterogeneous work environments, but must be linked to a clearly defined security strategy and management oversight, concludes Cosser.