Authentication, auditability and control
Is your organisation under control?

New information and communication technologies and a growing dependence on the Internet pose new challenges to enterprise management today.

Information leakage: Can you detect whether an employee has leaked confidential business information over email?

Potentially harmful Web browsing: Can you detect which employee is browsing pornographic Websites from the office? (Such actions can invite sexual harassment lawsuits against your organisation from the employee's colleagues.)

Retrieving old emails: Can you extract emails sent and received by employees a few years ago, even long after those employees have left your employ?

Uncontrolled network traffic: Do you have automatic reports and archival data of the data traffic volume on your WAN links, so that you can be alerted to a sudden surge of unexpected traffic on a particular leg?

Ex-employee accounts on systems: Do your systems support limited-period user accounts, which will automatically expire after a given date? (Unused or "dead" accounts are a major security vulnerability and have been consistently exploited by internal miscreants and external intruders.)

User account misuse: Do you get reports of accounts being used when a user is on vacation? (Such usage is a clear sign of account misuse by people other than their owners. If this usage cannot be tracked, your infrastructure will find it difficult to clear IS audits.)

Virus and worm attack alerts: Do you get reports of a surge in outgoing emails from a user's account? (Such surges usually indicate an infected computer sending out worm-generated emails by the thousands, potentially bringing down the email flow of the entire company and leaking confidential information as attachments.)

In this kind of scenario, you need a set of mechanisms to protect your information assets from misuse. The modern threats faced by organisations are as much from employee action or inaction as from external intrusion. Just denying services to employees is not an option, because they need these infrastructure services to perform. Therefore, the only answer is controlled access.

The philosophy behind auditability

The guiding philosophy behind Merce's LAC strategy is based on the following points:

Log all significant events. All events in the management of IS infrastructure need to be logged. We keep putting this question to the CIOs we encounter: how can you say your router configuration is trusted if an authorised system administrator can remove an ACL entry from the router's configuration for a few hours or a few days, and re-insert it well before the next IS audit? Will you ever know that this was done?

We believe that this is the kind of systemic weakness which has been part of the IS infrastructure community for as long as this community has existed.

Logs must be post-processed. Merce believes that logs should be treated like data. They should be stored in a format which is secure, protected from casual corruption, and easy to process for post facto analysis.

System configuration change should be auditable. This implies that configuration snapshots need to be taken after each change, and audit trails of the identities of authorised personnel making the changes need to be recorded, along with other information. A purely paper trail of authorisation is not useful: it must be accompanied by an electronic snapshot of the new configuration. Most organisations we have worked with do not even have audit trails of user account creation and deletion on their servers. Merce believes this must be rectified.
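
The check that per-change snapshots make possible, as an added example (not Merce's code): given snapshots that each record a timestamp, the administrator's identity and the resulting configuration, it reports every line that was removed in one change and re-inserted in a later one. The `Snapshot` type, the function names and the sample router configuration are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime  # when the post-change snapshot was captured
    admin: str          # authenticated identity that made the change
    config: str         # full configuration text after the change

def config_lines(text):
    """Normalise a configuration into a set of non-empty, non-comment lines.
    Simplification: line order (which matters inside an ACL) is not tracked."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")}

def transient_removals(snapshots):
    """Return lines removed in one change and re-inserted in a later one."""
    history = sorted(snapshots, key=lambda s: s.taken_at)
    if not history:
        return []
    missing, findings = {}, []  # missing: line -> snapshot where it vanished
    previous = config_lines(history[0].config)
    for snap in history[1:]:
        current = config_lines(snap.config)
        for line in previous - current:
            missing[line] = snap
        for line in current - previous:
            if line in missing:
                gone = missing.pop(line)
                absent = snap.taken_at - gone.taken_at
                findings.append({
                    "line": line,
                    "removed_by": gone.admin, "removed_at": gone.taken_at,
                    "restored_by": snap.admin, "restored_at": snap.taken_at,
                    "hours_absent": absent.total_seconds() / 3600,
                })
        previous = current
    return findings

# Constructed sample: an ACL entry disappears overnight and is put back.
DENY = "access-list 110 deny tcp any any eq 23\n"
BASE = "hostname edge-rtr\n" + DENY + "access-list 110 permit ip any any\n"
SAMPLE = [
    Snapshot(datetime(2024, 3, 1, 9, 0), "alice", BASE),
    Snapshot(datetime(2024, 3, 4, 22, 15), "bob", BASE.replace(DENY, "")),
    Snapshot(datetime(2024, 3, 5, 6, 45), "bob", BASE),
]

if __name__ == "__main__":
    for finding in transient_removals(SAMPLE):
        print(finding)
```

An audit that compares only the first and last snapshots would see no difference here; the finding exists only because every intermediate change was captured with its author.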

System usage should be auditable. All usage must be logged. This brings up the classic trade-off between too much logged information and too little for forensic analysis. Whatever the optimum level of logging for each enterprise context, there is an urgent need to log all relevant information about system usage.

Services must be offered with full controls. Most organisations are limited by the degree of controls they can impose on their communications structure. Legacy email systems often do not allow the system administrator to decide which users can send email attachments of a certain MIME type. Is it necessary to allow all your employees to send spreadsheets out of the company as attachments? Instant messaging in most legacy networks cannot be enabled or disabled per user. Merce believes that greater controls are needed.

Delivering services with controls

Today's IS infrastructure technologies have been able to deliver services with reasonable reliability and scalability, but have generally failed to provide controls and auditability. We feel the modern organisation needs next-generation IS infrastructure with at least the following capabilities:

Who watches the traffic? You need detailed reports of email and Web access traffic. These reports should be easy to read and allow quick identification of unusual patterns. There should be a software layer which analyses raw logs and presents relevant data in a usable format.

Accountability: You need to tie all Web accesses to individual user IDs so that you can correlate suspicious activity to specific humans. A lot of older-generation enterprise Web access systems tied accesses to desktops, not human users. This is clearly meaningless and provides management no evidence of human accountability.

Log that data: All data logged by the IS infrastructure management layer should be archived in a database for easy querying and customised reports at later dates. Mere presentation through an attractive graphical interface is insufficient for serious data mining for future analysis.

Message archiving: You should be able to search old system logs using an easy, intuitive UI and see what messages have been sent or received by a user. This ability should extend to free Web-based email Websites and other media too, to the extent possible.