For many IT managers, security strategies and policies have been directed toward managing external risks and threats to their organisations such as spam, malware and network intrusion. But, several trends in work and IT are effectively changing this situation.
For one, the growth in mobility — employees working from home, on the road or onsite with the customer — has effectively broadened the network and taken it outside the relative safety of an organisation’s physical presence.
For another, argues analyst firm Gartner, technologies such as cloud computing and service-oriented architecture are challenging the established definition of the enterprise perimeter. The nature of the current business environment also means that networks need to be open to business partners, contractors, guests and other outsiders, all while protecting the organisation’s IT infrastructure, applications and data.
Combined with a growing realisation that internal staff can also pose risks to the organisation — through accessing and/or stealing sensitive company data — IT managers are now turning to technologies, chiefly network access control (NAC), which can authorise people and machines before they access the network.
The definition of NAC varies depending on who you speak to. At its core, however, NAC comes down to setting and enforcing policies that detail which devices and which users are allowed to access a) your network and b) your company resources and applications, says Gartner’s Research Director, Lawrence Orans.
Forrester’s NAC expert, Usman Sindhu, says the technology has evolved beyond simple concepts of admission control to a wide range of functions and tasks, including: performing posture checks on managed devices; managing guest, business partner and remote user access control; rogue device detection; discovery and device fingerprinting; and quarantining and remediating users.
Gartner’s Orans says there are four main usage cases for NAC, chief of which is the use of NAC to establish and enforce which machines are and aren’t allowed onto a network.
“When someone goes into your offices and connects to your network — if you have implemented NAC correctly — you will know that the machine is not one of yours and NAC will either shut that device down completely with no network access, or move it to a guest network segment where all it has is Internet access,” he says.
The next most common NAC usage is a process called ‘baselining the endpoint’. Here, NAC looks at the configuration of an endpoint to ensure it has up-to-date patches and anti-virus definitions and an active personal firewall. If the endpoint isn’t configured properly, the NAC will quarantine it to limit access — effectively ‘baselining’ what devices must look like before they are allowed to access the network.
NAC can also be used in an identity-based networking approach where access to the network is dictated by the person, rather than by the machine being used. This approach is predicated on the fact that a company CEO should and will have greater access to company information and resources than a guest user or outsourcing partner. If somebody not authorised to access certain data or applications tries to do so, the NAC effectively shuts the machine down by dropping its network packets or by other methods.
Lastly, NAC can be used for ‘monitoring in containment’. This post-connection policy approach checks to ensure that a machine remains configured properly and that it is not a source of malicious traffic. It is often a complementary approach to the baselining model, Orans says.
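The four usage cases above can be expressed as one admission policy: unknown machines go to a guest segment, managed machines are baselined and quarantined on any failed check, admitted machines are segmented by the person’s role, and a post-connection re-check can pull a machine back into quarantine. This is an added illustration in Python and not code from any NAC product mentioned in the article; the device inventory, role-to-segment mapping, patch and anti-virus age thresholds, and sample endpoints are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Constructed sample data (assumptions, not real inventory): corporate-managed
# device identifiers and the network segment each user role is entitled to.
MANAGED_DEVICES = {"asset-0001", "asset-0002"}
ROLE_SEGMENT = {"employee": "corp", "executive": "corp-sensitive", "contractor": "partner"}
MAX_PATCH_AGE_DAYS = 30   # assumed baseline thresholds
MAX_AV_DEF_AGE_DAYS = 7


@dataclass
class Endpoint:
    device_id: str
    user_role: str        # "guest" when no corporate identity was presented
    last_patched: date
    av_defs_updated: date
    firewall_on: bool


def admission_decision(ep: Endpoint, today: date) -> Tuple[str, List[str]]:
    """Pre-connection policy: returns (segment, reasons)."""
    # Usage case 1: a machine that is not one of ours gets Internet-only guest access.
    if ep.device_id not in MANAGED_DEVICES:
        return "guest", ["device not in inventory"]
    # Usage case 2: baseline the endpoint; any failed check quarantines it.
    failures = []
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches out of date")
    if (today - ep.av_defs_updated).days > MAX_AV_DEF_AGE_DAYS:
        failures.append("anti-virus definitions out of date")
    if not ep.firewall_on:
        failures.append("personal firewall disabled")
    if failures:
        return "quarantine", failures
    # Usage case 3: identity-based networking; the segment follows the person.
    return ROLE_SEGMENT.get(ep.user_role, "guest"), ["posture ok"]


def post_connection_check(ep: Endpoint, today: date, malicious_traffic: bool) -> str:
    """Usage case 4: re-evaluate an already-admitted machine (monitoring in containment)."""
    if malicious_traffic:
        return "quarantine"
    segment, _ = admission_decision(ep, today)   # posture may have drifted since admission
    return segment
```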
Forrester’s Usman Sindhu says the first thing IT managers need to know about NAC is that it is not a turn-key technology. Organisations often suffer from failed deployments because they don’t take into account the complexity of the NAC solution, he says. Sindhu therefore advises IT managers to focus on three to four leading scenarios that require NAC implementation and start with a phased approach that spans at least six to 12 months.
“In this time, test the solution, do a limited implementation, make users aware of any disruptions, and then do a full enforcement,” he says. “NAC 101 — plan your NAC deployment, make reference architecture and test it out in phases.”
Gartner’s Orans says that although there are independent players offering stand-alone NAC solutions, NAC functionality is increasingly being embedded by infrastructure vendors in products such as LAN and Ethernet switches, and security companies are embedding it in their firewalls, intrusion detection systems and endpoint agents.
Symantec’s Lancaster says there is a perception that NAC offerings can introduce complexity and too many disruptions to the IT infrastructure or that these solutions lack the flexibility to meet the organisation’s needs, such as appropriately accommodating guest and temporary workers.
However, he says, most NAC solutions today offer effective network access control that is flexible and can introduce new or temporary endpoints without posing a threat to the network or adding complexity to the existing IT environment.
Each organisation’s network environment has evolved over time and is therefore unique; no single enforcement method can effectively control access to all points on the network. It’s very important, therefore, for organisations to choose a NAC solution that is flexible, reduces complexity and offers the highest level of protection for the organisation, Lancaster says.
IBM’s Lawson says that IT managers should start with a clear idea of how NAC will contribute to the wider goal of securing organisational data. IT managers should then ensure they have a strategy to address well-researched and well-defined risks in their environments.
NAC should not be a purchase decision just because you have firewalls and anti-virus and are wondering what you should install next, Lawson says. Rather, it is a mechanism to address only a piece of your compliance and security requirements.
“You need to pick the fights you can win with a technology like NAC, as it might not functionally address the risk you are trying to mitigate against,” he says.
A good example of when to deploy would be where assets are reasonably static on the network, say, in an architectural engineering firm that needs to protect a lot of intellectual property, Lawson says.
“It’s critical for such an organisation to only have authorised employee access to the company’s sensitive assets,” he says. “However, if you are an online business, or one that is adopting software as a service (salesforce.com, cloud email, CRM, HR and so on), NAC is not likely going to be one of the key technologies to focus on in dealing with the risk.”
Lawson advises IT managers to ask themselves: with a significant shift to virtualisation and the Web, will NAC be a technology that is going to serve longer term strategic needs?
“This is important in light of the significant shift to virtualisation and its push into almost all organisations and businesses in some form or another,” he says. “Can you get value from a network-centric NAC solution if you have virtualised desktops that are all running on a small number of big servers with a network centric NAC model?”
These types of low-level deployment scenarios are critical to get right if you hope to make NAC effective in your environment not only today, but into the future, he says. Avoiding vendor lock-in with regard to the network and the operating system is more advantageous for business agility and strategy.