Cosmetics company Estee Lauder is relying in part on NAC technology to meet regulations imposed on it by the payment card industry (PCI) and the Sarbanes-Oxley law.
Specifically, the US$7 billion firm with more than 25,000 employees worldwide is using the security technology to meet PCI requirements to regularly update antivirus software and to develop and maintain secure systems and applications.
The company also faces Sarbanes-Oxley requirements that call for verification of policies, access-control assessment, audit capabilities and mitigation of shortcomings based on risk profiles, says Les Correia, senior manager of global enterprise security for the company.
In addition, Estee Lauder is in the midst of an internal initiative to increase the security posture of the Estee Lauder network as a whole. The company has more than a dozen network hubs worldwide that includes divisions acquired from other companies. These hubs had been allowed to run their networks as they saw fit, but now corporate security standards are being imposed, and NAC is playing its role, Correia says.
"We've got a whole bunch of consultants coming in and out and retail stores, people in the field," he says. "We wanted to better manage our security posture."
That concern led the company to buy StillSecure Safe Access NAC gear in 2006. Last year the company reevaluated Safe Access against Cisco and Bradford NAC gear as it launched its global security upgrade. Ultimately, it decided to stick with Still Secure without testing equipment from the other two vendors, Correia says.
"We were familiar with the vendor. We knew how nimble they were," he says, and Estee Lauder had done a bakeoff comparing different vendors' NAC gear before its initial buy.
Upgrades in the meantime gave Safe Access more centralized management tools and a way to assign different management rights to different IT groups - those who can set the NAC policies, those who do help desk work, security administrators.
The company is considering use of 802.1x authentication in parts of its network and liked that StillSecure supports the technology as an enforcement mechanism, Correia says.
Safe Access checks whether machines have critical operating system updates as well as antivirus software that is turned on and updated to meet standards.
For regulatory compliance, the company likes the reporting that the NAC gear provides because it tracks who accesses what, by what machine and whether that machine is compliant, he says.