This invention relates to the fields of computer systems and data security. More particularly, apparatus and methods are provided for protecting network resources from unauthorized access, while allowing a new client device access to the network resources.
The level of knowledge needed to effectively configure and operate networked computer systems can be quite high. Large organizations typically maintain a relatively large IT (Information Technology) staff to configure new equipment, maintain existing equipment, assist users with operation of their equipment, apply security policies, monitor network security, etc. However, some organizations, particularly those that are smaller, cannot afford sufficient experienced full-time IT staff for performing the same functions, and whoever may be tasked with IT responsibilities within such an organization may be unprepared for the myriad problems that may arise.
For example, securing an organization's network resources from unauthorized access is a critical task that can easily be performed in an incomplete or ineffective manner. Due to the complexity of the problem, the lack of effectiveness may not be apparent to the organization until the network has been breached. The amount of data stored electronically is prodigious and grows daily, which makes network security all the more important.
One reason it can be difficult to adequately secure network resources is the tension between the need to permit legitimate use of the resources without unreasonable difficulty, and the desire to prevent all illegitimate use. This tension increases as the number and type of resources deployed increases.
Each new type of resource may be configured in a different way to access permitted resources, apply a desired level of security, etc. Securing an organization's network resources is just one of many tasks and, without adequate IT staffing, this task may receive short shrift in the face of users' demands for real-time assistance. Thus, configuring and monitoring network security must compete with tasks such as helping users configure their equipment for use within the organization.
Some organizations choose to use automated provisioning to prepare new devices for use within their network. However, if an organization's security policies do not encompass the automated provisioning equipment and utilities, and cooperate with the configuration of a new device's security profile, security vulnerabilities may be introduced into an organization along with the new device. Or, if the provisioning is performed in a haphazard or hurried manner, security policies may not be applied correctly or completely.
In short, installation or configuration of a new network device is too often performed without proper application of appropriate security policies, especially if the organization does not have sufficient full-time and well-trained IT personnel.