The term Network Access Control (NAC) has been widely used across the security industry. While the end user community understands the importance of NAC, and the fact that it is an essential requirement for ensuring the integrity of any large organisation’s corporate network, many do not understand what is required to implement it on a successful basis. Ian Schenkel outlines the solution.

Each year, cybercrime costs UK businesses hundreds of millions of pounds in downtime, remediation costs and lost commercial opportunity. Spyware, Trojan horses, viruses and worms are among the plethora of electronic security threats faced by today’s organisations. Hackers, viruses, vindictive employees and even human error all represent clear and present dangers to networks in the corporate environment.

It is imperative that these threats are addressed in order to preserve the network in general and, in particular, data security. Just consider the disastrous effects when the Sasser worm was unleashed at the end of April last year – hundreds of thousands of computers crashed worldwide as the worm rapidly spread across the Internet.

Companies across all of the well-known vertical sectors have come to realise the importance of having a clean corporate network. This is evidenced by the consistent rise in IT security spend over recent years. Many companies have recognised that effective Network Access Control (NAC) is an essential requirement for ensuring the integrity of any large organisation’s corporate network.

While all responsible organisations will have a security policy in place, it’s a fact that most employees rarely know what it is or the implications of non-adherence to it.

Enabling continuous protection

NAC offers companies a systematic, automatic process for managing their security, eliminating exposures and enabling continuous protection. NAC reveals the integrity of the machine itself, and whether or not it complies with an organisation’s corporate security policy. Identifying the security of an endpoint is crucial as users often change machines, particularly in today’s world of mobile working.

Employees can easily access the corporate network from outside the office, connecting many wireless devices to the network and opening many more productivity channels. The proliferation of broadband has enabled home working to become an economically viable option, while the dramatic fall in the price of laptops – allied to the explosion in WiFi technology – has rendered mobile working the norm for many companies.

At this point, it must be stressed that a company’s ability to enforce corporate security policy diminishes severely once a computer is used outside of the office environment. For example, if a worker takes a company laptop for a week, who is responsible for ensuring that corporate security policy is followed when the machine is being used? The use of airport kiosks and hotel Business Centres also presents the same associated risks.

However, while companies generally understand the benefits of NAC, many do not know how to implement it effectively. There are key issues which must be addressed for the successful implementation of NAC: flexibility, open standards solutions and finding the right balance among them.

Adaptivity and flexibility

The variety of different security measures needed for individual departments within a single organisation requires that a Network Access Control solution is able to provide adaptive and flexible policy-based protection for all user groups and environments. It is absolutely vital that the larger enterprise harbours the ability to accommodate the entire internal user population without adding to administrative overheads for policy creation and management.

Successful NAC implementations will bring significant security and business benefits, but organisations need to think carefully about becoming locked-in to individual suppliers and the associated potential single point of failure. Companies with a sole vendor could find themselves forced into making expensive software upgrades and leave themselves open to attack – there is no safety net to catch a security breach at a second stage. There is also widespread concern about the cost of becoming NAC-compliant.

Both of these issues can be addressed by adopting an open standards solution and a layered approach to security (whereby organisations can benefit from enforcing NAC without the cost and implementation burden of core infrastructure upgrades).

Enforcement without exception

Effective NAC requires policy enforcement without exception. A major challenge associated with this is striking the right balance between blocking access for non-compliant machines and not restricting user productivity in any way.

Certain web sites and downloads may be blocked, and connections denied. However, policies must be put into practice in a strategic fashion such that they take into account different users’ specific needs or seniority in order to ensure that the security policy doesn’t interfere with tasks users need to perform in their everyday jobs.

The same ‘rule’ applies to unknown users who need to access a company network. Security policy must allow for them to be given limited access. Take a bank, for example. Consultants or auditors need to access a bank’s network, but must only be entitled to gain entry to certain areas.

Continuous network integrity

An effective NAC solution needs to quickly and automatically restore non-compliant machines to a trusted state, ensuring 100% policy compliance on contact before corporate network access is granted. Fast remediation of non-compliant devices is crucial to eliminate user efforts, Help Desk calls or costly technician repairs.
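As an added illustration that is not part of the article, the admission logic described above (check posture on contact, remediate automatically, then grant full access, limited access for unknown users, or quarantine) expressed as a small Python policy evaluator; the group names, rule thresholds and sample endpoints are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    FULL = "full"              # compliant device, known user
    LIMITED = "limited"        # unknown users (auditors, consultants): restricted segment
    QUARANTINE = "quarantine"  # remediation network only until compliant

@dataclass
class Posture:
    av_signature_age_days: int
    firewall_enabled: bool
    missing_critical_patches: int

@dataclass
class Endpoint:
    user: str
    group: str       # "finance", "staff", or anything the policy does not know
    posture: Posture

# Assumed per-group rules: stricter departments tolerate less drift
POLICY = {
    "finance": {"max_av_age_days": 1, "max_missing_patches": 0},
    "staff":   {"max_av_age_days": 3, "max_missing_patches": 2},
}

def violations(posture, rules):
    """List the policy rules the endpoint currently fails."""
    found = []
    if posture.av_signature_age_days > rules["max_av_age_days"]:
        found.append("av_signatures_stale")
    if not posture.firewall_enabled:
        found.append("firewall_disabled")
    if posture.missing_critical_patches > rules["max_missing_patches"]:
        found.append("critical_patches_missing")
    return found

def remediate(posture, found):
    """Fixes the agent can apply on contact; patching is left to quarantine."""
    if "av_signatures_stale" in found:
        posture.av_signature_age_days = 0
    if "firewall_disabled" in found:
        posture.firewall_enabled = True

def admit(ep):
    """Decide access on contact; returns (access, violations seen, remaining)."""
    rules = POLICY.get(ep.group)
    if rules is None:
        return Access.LIMITED, [], []   # unknown user: limited access only
    found = violations(ep.posture, rules)
    remediate(ep.posture, found)
    remaining = violations(ep.posture, rules)
    return (Access.FULL if not remaining else Access.QUARANTINE), found, remaining
```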

In conclusion, then, Network Access Control is a vital component of any corporate network. When implemented effectively, it allows businesses to achieve compliance with corporate policies, gain control over how people, applications and devices act on a network, swiftly remediate any non-compliant devices and – perhaps most important of all – ensure continuous network integrity.