[BreachExchange] The five pillars of Network Access Control (NAC) needed to enforce BYOD

Inga Goddijn inga at riskbasedsecurity.com
Sun Jul 3 17:26:23 EDT 2016


http://www.scmagazineuk.com/the-five-pillars-of-network-access-control-nac-needed-to-enforce-byod/article/504750/

In its latest Market Guide to Network Access Control (NAC), Gartner states
that monitoring and enforcing BYOD is one of the primary drivers for
organisations to invest in NAC. As BYOD has become increasingly popular and
indeed expected by employees, the need for it has, in turn, become more
accepted within the enterprise community. But BYOD today, encompassing
employees, plus guests and contractors all with various device types
connecting from numerous different locations, presents an enormous risk to
the enterprise and puts access control at the forefront of an enterprise's
IT security strategy.

So what should enterprises consider when choosing a NAC solution to help
monitor and enforce BYOD? There are five major considerations including
whether the solution is context-aware, vendor agnostic, easy-to-deploy and
use, meets regulatory compliance and whether it can all be seen in one
place.

*1.       Context-aware security:*

Context-aware security monitors a host of situational information involving
the user and the device, where they are geographically, what they are
trying to access and if this behaviour is usual, or not. This information
allows the system to make informed decisions about whether to grant access
from personal and remote devices, or not, which is the key to a successful
BYOD policy.

For example, it might not allow access to a device that is not in the same
location as another device belonging to the same user. Or, it might allow
some access to a user logging in over public Wi-Fi but restrict access to
certain files or parts of the network. Because the nature of BYOD
<http://www.scmagazineuk.com/the-byod-explosion-how-much-of-a-threat-do-personal-devices-really-pose-to-your-network/article/488961/>
means that you can't physically see what users are doing, arming the
organisation with as much information as possible, in as usable a way as
possible, will help your chances of allowing access which is needed for
productivity while also avoiding a data breach.

*2.       Vendor agnostic solution*

Solutions that are vendor-agnostic will often be easier to deploy and
manage in the short and long term as they will be compatible with the
leading technologies that the organisation is already using. Technologies
such as wired or wireless infrastructure, firewalls, or other third party
network or security solutions will often need to interact with a NAC
solution in some way. Deploying a NAC solution that's not compatible with
these kinds of existing technologies will likely significantly lengthen and
complicate the deployment process and potentially be much more expensive,
at least in terms of resource.

*3.       Easy-to-deploy and use *

Like all technology solutions, ones that are not easy-to-deploy or use will
quickly fail. This is especially true when it comes to BYOD with Gartner
predicting that 20 percent of BYOD programmes will fail this year because
of policies that are too restrictive. Factors like how intuitive the admin
interfaces are, are set-up wizards included in the solution, and how easy
is the on-boarding process when done remotely, are all real and important
questions when choosing a NAC solution.

Options that include self service on-boarding that configures devices with
settings and software for Wi-Fi, VPN etc will allow IT teams with
tech-savvy employees to have minimum touch and maximum control. Equally,
the ease of self-registration of the NAC solution for guests who are
bringing their own devices into your premises and onto your networks will
also free up IT resource while still protecting the network. And of course,
solutions that provide users with seamless remote access that doesn't
negatively impact productivity will be popular with employees who are then
unlikely to either need or want to find workarounds to security protocols
that almost always put the organisation at risk.

*4.       Regulatory compliance*

Regardless of what industry you're operating in, it's likely that there are
at least some regulations and compliance that you need to adhere to. In
order to future-proof your business's technology solutions, you should
consider a NAC solution that adheres to the toughest government standards
with FIPS 140-2 compliance and a Common Criteria assurance level of EAL3+.
And with the EU GDPR coming into force in less than two years, now is
certainly the time to make sure your i's are dotted and your t's are
crossed if you operate or have customers in countries adopting European
Union regulations.

*5.       Centralised management *

And finally, a NAC solution with one central management console that gives
the IT security team end-to-end visibility from endpoints to appliances and
converged policy management for remote, mobile, and campus access security,
is going to be a popular choice among those who can make or break the
success of BYOD solutions.

There is no doubt that BYOD is here to stay but this acceptance doesn't
mean that organisations are automatically equipped to offer the policy; the
right security solutions must be in place for BYOD to be deployed and
managed successfully. Giving the IT security team the right tools to
control access rights to the network is one of the major solutions that
will help to allow successful BYOD programmes while mitigating the risks
associated with these programmes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160703/977e3592/attachment.html>


More information about the BreachExchange mailing list