24 May 2011

If your Name’s not Down, you’re not Coming in…

Fortifying a network to ensure complete security from external threats is a burden, but an unquestionable necessity these days. What is required, however, is that access to information and resources isn’t denied to the people that need it most, and have permission to use it. Network Access Control solutions can make this balance a reality as Kevin Murray, Symantec’s Director of Product Marketing, Greg Day, Security Analyst for McAfee, and Ritchie Jeune, CEO of Evolution Security Systems, explain.

BM. Today’s workforce is increasingly mobile as laptops, PDAs and cell phones enable employees to be in constant contact with internal corporate resources. At the same time, enterprises must open up their internal networks to suppliers, customers and other guests in order to forge strong relationships. What challenges does this scenario present from a network security standpoint?
KM. In the past, this type of persistent connectivity was only optional or ‘nice to have’. This is no longer an option. Today, if you aren’t providing constant access to resources for your customers, users, and business partners, your organization is at a serious business disadvantage. By virtue of extending connectivity to remote and many times non-corporate or unmanaged devices, there are several very real risks to an organization’s data and infrastructure. Three primary risks are the loss of confidential data, service disruption, and potential failure to meet regulatory compliance requirements.

To complicate matters even more, many organizations are finding it difficult to identify the internal stakeholders and appropriate operational resources when it comes to addressing these risks. Is the network team responsible for leading the charge since they own the ever-fading network perimeter? Or are the desktop management and individual application owners responsible for taking responsibility? What most organizations are figuring out is that they already have much of the requisite knowledge to effectively address the issues and that it lies across each of the teams. Now they just have to get them to work together.

GD. Mobile working was designed to increase employee productivity but at the same time it increases the security concern of the network IT manager. How does wireless access affect network access control policy? Whilst working on the train employees may not be able to access a full company network, just e-mail and an internet connection. What happens when that laptop returns to the company network at the office desk? Does it go through a quarantine period before being re-integrated?

As companies look for new ways to save money, flexible working will become increasingly popular. It is therefore crucial that organizations understand the benefits of a robust and comprehensive network security system to minimize the risks of mobilizing the workforce. Businesses need an integrated system that offers complete and manageable protection, minimizing security risk by continuously blocking threats and enforcing endpoint policy. This can also ensure that any guests logging onto the network are screened and any vulnerabilities are identified immediately and protected against.

RJ. The key issue is the need to be able to open up these business avenues, but at the same time it is critical to ensure that you can ask others “is it ok for me to vet security when you come on to my system?” The major challenge is therefore how to ensure that as you open up, the people that you are opening up to are on the same level of security as you.

BM. How are network access control (NAC) solutions helping to ensure networks and endpoints comply with corporate security policies? Why is policy compliance so important?
KM. Corporate IT security policy is the foundation upon which network access control builds and relies. Without well-defined and approved corporate policies, not to mention adherence to those policies, there is no method for organizations to effectively standardize and manage their infrastructures.

Reducing the complexity of the IT environment, minimizing risk exposure levels, and ultimately creating and ensuring confidence in your IT infrastructure, are the primary reasons policy compliance is so important. Having the right check boxes when it comes time for a compliance audit is great, but at the end of the day compliance is a result of well-implemented and enforced policy.

The largest challenge organizations faced in the past with network access control is the lack of ability to automatically evaluate endpoints and take corrective action for systems that don’t meet minimum policy requirements. Effective network access control solutions not only provide visibility into those systems, but also the enforcement and remediation technologies required to make it deployable when and where needed. Any time an organization can increase the effectiveness with which they manage systems they’re going to see a parallel increase in adherence to corporate policy.

GD. NAC allows companies to set a baseline of security and enforcement to ensure all connected systems meet a certain standard of security. Once this is achieved it gives businesses a visible baseline to work from. Further investment can be based on identifying and fixing new evolving security challenges, as opposed to trying to pull holes in their current security that may exist through non-compliancy issues. NAC gives businesses some visibility to see that their current security requirements are being met and enforced. From this, businesses can measure how effective their current security strategy is.

Businesses continue to struggle meeting compliance regulations, and with impending changes to legalization companies support is needed that enables businesses to automatically comply. The easiest way to ensure that compliance regulations are met is by implementing a compliance auditor solution, which cuts the costs of producing security compliance reports, automates manual processes to calculate compliance risks, quickly identifies policy violations and ensures business policy objectives are consistently being adhered to across the enterprise.

RJ. Policy compliance, in essence, enforces the level of risk an organization has already agreed is acceptable. From a management point of view, you will have needed to weigh up the business efficiency need against the potential, or the significance, of any threats that might be out there. If you haven’t enforced your policy you may be seen to be negligent and this could lead to jeopardization of the policy. Therefore, it is very important that the policy in place makes sure that everyone within the organization is at the same security risk level that has been agreed by the people in authority.

NAC helps take security to the next level and ensures applications are at the right level. It also helps to guarantee that the people accessing the systems also have the right level of security.

BM. The true definition of NAC seems to have been lost as the label has been applied to such a broad range of security solutions. What key functions do true NAC solutions have in common?
KM. True NAC solutions need to have three primary capabilities: endpoint evaluation, network enforcement and centralized management. Moreover, these three functions have to be integrated enough to be free of reliance on external components. Today, when you look at the NAC market there are many vendors attempting to capitalize on its explosive growth whose solutions only address either limited or very unique use cases. The last thing customers want or need is to implement multiple NAC point solutions, which require them to take on additional administrative burdens.

The NAC solution organizations are asking for is one that is able to provide access control regardless of how or where users connect to their systems and data, and it is one that doesn’t require monumental infrastructure upgrades or alterations to the networking environment. NAC is meant to help simplify the operational aspects of the infrastructure, not further exacerbate the current complexity.

GD. NAC solutions signify the reality that today’s business networks are open. Businesses require the ability to share data for example allowing roaming users, customers and partners to access the network. NAC is a methodology of validating the security of systems as they connect to an environment to ensure a consistent level of security is maintained. Where the requirements are not met, a good NAC system should try to remediate the issue or potentially route users via a more restricted/security screened access.

RJ. We see NAC as an authentication of applications and hardware platforms. There are many existing ways that you can authenticate users, but NAC actually looks at authenticating the environment that the user must be at before allowing access to the system. Everybody is trying to shoehorn their products into this new acronym. It’s very difficult to break down the boundaries and to assess when a product does and when it does not fit the name. For us, it is authenticating and ensuring that the applications and the workspace that the person is in meet a certain criteria before access is allowed to a network.

BM. There are concerns that current NAC technologies are not persistent or secure enough. To what extent would you agree with this, and what challenges still need to be overcome?
KM. Regardless of what some pundits might lead you to believe, NAC isn’t a panacea. You’re not going to successfully implement NAC without some careful planning and forethought, and you’re certainly not going to eliminate risk completely. However, with the right solution and planning, you can absolutely achieve a significant reduction in the current risk assumed for areas in your environment. More importantly, the right solution and plan positions you to extend those reductions out to new and growing segments of your environment.

When considering the achievable goals organizations set for their NAC deployments, some solutions available today have the persistence and level of security required to justify their deployment. Whether the goal is to secure the network or secure the endpoint, NAC is only a component of what should be a much larger endpoint security initiative.

Endpoint security, both on and off the managed network, is comprised of established endpoint protection technologies such as antivirus, anti-spyware, IPS and personal firewall with endpoint compliance delivered through NAC.

GD. NAC technology not only needs to assess systems as they enter the environment, but also manage post admission control, which is going back to re-assess systems already in the network. NAC is typically not a security system but a way of monitoring who is entering the network. This needs to be supplemented by an assessment tool to analyze the security risk. If a user on the network exhibits behavior to indicate they are a security risk or purely a periodic assessment (which is aimed more to review systems that may remain in the NAC environment for a long period) then this will protect the network.

The challenges today are often business-related as much as technology. Businesses need to be able to clearly determine who is responsible for enforcing access. In many instances it will involve multiple teams (such as risk, network and system management). Equally, once responsibilities have been defined, levels of enforcement can create consternation. It is often easy to see which systems are completely secure or insecure, but the grey zone in the middle is the challenge. Finally with third party systems it is unlikely you will actually have the right or permission to remediate where security does not meet the requirements. As such human and political factors can play a greater role than the technology.

RJ. I would agree that NAC in itself is not a silver bullet. NAC is an acronym that many suppliers are trying to pin their services and products to. For years and years, we have been in a blended threat environment and, from our perspective, NAC is just part of a blended solution. NAC plays an important role. It is a new environment and a new step in security that must sit on a solid security environment. It’s part of a blended security solution that companies need.

BM. Although the sector remains immature, what would you say are some of the most reliable solutions to have emerged so far? How do these help in improving control over network access and usage?
KM. NAC might live in the network, but what most people don’t consider is, “Whose network?” There are more laptop systems sold and deployed in the enterprise today than ever before. Many organizations are delivering over 50 percent of their new systems as laptops and a NAC strategy needs to take that into account. Those laptops are going to spend a vast amount of their time off the corporate network, so having NAC evaluation, enforcement, and remediation to the endpoint is absolutely mandatory.

Symantec Network Access Control provides each of these while also having the depth of evaluation and control options to integrate tightly into the existing corporate network in a hardware agnostic way. As the market continues to mature, more people begin to realize that NAC alone isn’t the answer. Organizations want NAC integrated with their other security initiatives. As the industry leader in security, Symantec is uniquely positioned in making that happen.

GD. Businesses looking to select a reliable NAC system need to choose solutions that are more than single vendor specific. The most effective technology can understand a number of environments and work at different levels so it can be easily configured and maintained allowing IT to tune the system as required. Opting for a flexible system enables IT to tune the technology dependent on the business requirement and enables integration without having to upgrade or replace the current environment.

RJ. As it is such an immature market we have a lot of core players out there trying to make inroads. We also have the larger players trying to tack on and act on some of their existing software. As with anything, a year down the line we will have a much more solid base. We will see more acquisitions with the big guys taking over some of the smaller enterprises and incorporating those. NAC has not really found an identity yet. At the moment NAC means a lot to different people. Once we get past this phase we will start to see a lot of real benefits from it.

