Portnox CLEAR is a cloud-based network security solution that provides role and risk-based network access control for corporate and BYOD endpoints across all access layers, including wired, wireless and VPN. CLEAR allows an IT administrator to discover and monitor unsecure, compromised and vulnerable devices, while being able to authorize and manage access to corporate networks based on device risk posture assessments.
In order to provide these capabilities, our cloud-based NAC solution collects and stores data in the cloud. With the understanding that organizational data includes sensitive and important assets for each company, CLEAR uses the most advanced and secure protocols to protect this data in accordance with best practices in data access control in cloud computing. To better understand these cloud security techniques, we will review the security of data at rest, data in transit, administration, management and additional cloud security measures.
Data at Rest
Portnox CLEAR uses Microsoft Azure as its IaaS (Infrastructure as-a-Service), PaaS (Platform as-a-Service) and in some instances, it uses Azure-specific SaaS elements. Azure infrastructure was selected because of its high security standards and global availability. In fact, Azure has the widest spread of data centers across the globe today.
CLEAR stores all data in Azure storage services protected by Azure Storage Service Encryption (SSE), where data is encrypted and decrypted using 256-bit AES encryption. For CLEAR administrators’ passwords and Radius shared secrets, CLEAR uses Azure Key Vault, where keys are stored in hardware security modules (HSMs).
Data in Transit
With Portnox CLEAR we protect all data traveling to and from CLEAR cloud services, and the methods are constantly being upgraded to stay ahead.
Ethernet Switches & Wireless Controllers
Ethernet switches and wireless controllers send AAA Radius authentication requests to CLEAR’s cloud Radius in order to validate and allow access of devices to networks protected by CLEAR services. All traffic is encrypted with a shared key between the NAS and CLEAR Radius.
In addition to that, TLS encapsulates the encrypted Radius packet and provides an extra layer of encryption.
There is an option to use the RADSEC (Radius over TLS) protocol. RADSEC uses TLS in combination with the TCP protocol, which provides stronger security and reliability than the UDP transport commonly used for Radius communication.
Additionally, CLEAR admins can restrict access to the CLEAR Radius service by allowing access only from specific IP addresses. All other IP addresses are denied access.
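To make concrete what the shared key between the NAS and the Radius server actually protects, here is an added example, written for this page rather than taken from Portnox’s code, of the two places RFC 2865 uses the shared secret: hiding the User-Password attribute in an Access-Request, and computing the Response Authenticator that lets the NAS verify that an Access-Accept was produced by a server holding the same secret, for that specific request and not a replayed one. The secret, user name and password values are constructed. One caveat a practitioner should keep in mind: the shared secret does not encrypt the rest of the packet, and attributes such as User-Name travel in the clear, which is why the TLS/RADSEC layer described above matters.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return bytes([attr_type, 2 + len(value)]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password the way a NAS does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(x ^ y for x, y in zip(block, pad))
        prev = block
    return plain.rstrip(b"\x00")


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Serialize a RADIUS packet: header, 16-byte authenticator, attribute list."""
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + authenticator + attributes


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, request: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Build an Access-Accept/Reject whose authenticator is bound to the request."""
    identifier = request[1]
    request_auth = request[4:HEADER_LEN]
    auth = response_authenticator(code, identifier, request_auth, attributes, secret)
    return build_packet(code, identifier, auth, attributes)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: reject a reply not computed with our secret against our
    own Request Authenticator (a forged reply, or one replayed from another request)."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth,
                                      response[HEADER_LEN:], secret)
    return hmac.compare_digest(response[4:HEADER_LEN], expected)


def demo(secret: bytes = b"constructed-shared-secret"):
    """One Access-Request/Access-Accept round trip with constructed values.
    Returns (verifies with the right secret, verifies with a wrong secret)."""
    request_auth = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, b"alice")
             + attribute(ATTR_USER_PASSWORD, hide_password(b"hunter2", secret, request_auth)))
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)
    response = build_response(ACCESS_ACCEPT, request, b"", secret)
    return (verify_response(response, request_auth, secret),
            verify_response(response, request_auth, b"wrong-secret"))


if __name__ == "__main__":
    print(demo())
```

Because the Response Authenticator covers the Request Authenticator, the same Access-Accept cannot be replayed against a later request, and because it covers the attributes, the VLAN or ACL attributes in the reply cannot be altered in transit without the NAS noticing; neither check helps, however, if the shared secret is short or reused, which is why the page recommends a long, randomly generated one.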
All traffic between the VPN and CLEAR’s Radius server is encrypted using a symmetric key – a long, random key generated by the cloud-based NAC solution and manually copied to the VPN device. Furthermore, the authentication details for users usually include only hashes, although these capabilities vary between VPN gateways. CLEAR secures the VPN client’s connection by verifying that connected devices comply with the organization’s risk-assessment policies and by using two-factor authentication capabilities.
Portnox CLEAR Cloud Broker
The cloud broker is an application component that runs on-premises and is used as a bridge between CLEAR cloud services and the corporate on-premises Active Directory. The broker is deployed when there is a requirement for 802.1X credentials authentication with on-premises Active Directories and/or for AgentP enrollment by using on-prem AD.
AD users and groups include sensitive and important information for any organization and thus the following security measures are taken:
- The Broker application is installed on a domain-joined machine, the account used for LDAP queries is a read-only user, and the LDAP communication can be plain LDAP or LDAPS (LDAP over SSL).
- The credentials of the service user that connects to LDAP are stored locally on the domain-joined machine.
- The communication with CLEAR cloud services is always over TLS. All traffic is encrypted.
- CLEAR services are updated with group names and user IDs only, whereas passwords never travel to the cloud; verification is done using the MSCHAPv2 challenge-response authentication protocol.
Portnox CLEAR’s AgentP
AgentP is a lightweight application that can be installed on most platforms, including Windows, Mac OS X, iOS, Android and Linux. Using AgentP offers many security advantages such as risk assessment capabilities, SSID configuration, 2FA for VPN / OKTA and CLEAR certificate deployment. Data collected by AgentP is sent via the Transport Layer Security (TLS) protocol. The data is never stored locally on the endpoint; it is processed only in the device’s RAM and sent periodically to CLEAR services.
Administration and Management
The available administrators’ repositories are: CLEAR (based on email domains), Azure AD, Google G Suite and OKTA.
For administrators on our cloud-based network security platform, password complexity and expiration policies are built in and cannot be turned off. Two-factor authentication is also available for CLEAR admins, with authorization codes sent via text message. Captcha verification is also included as part of the sign-up process.
For Azure AD, G Suite and OKTA, the authentication is determined by the authentication repository, including multi-factor authentication.
Role-based access control is supported, and administrators can be added with full admin permissions, read-only permissions or guest management only permissions.
Additional Security Measures
Portnox’s DevOps team uses automated code and scripts to identify security issues in the code. In addition, Portnox uses third party technologies that specialize in conducting complex penetration tests for cloud products.
Our cloud-based network security solution is a SOC 2 Type 2 compliant technology. Regular audits are conducted to ensure that the requirements of SOC 2 Type 2 security principles are complied with:
- Security – The system resources are protected against unauthorized access.
- Availability – The system is available as committed.
- Processing Integrity – System processing is complete, accurate, timely and authorized.
- Confidentiality – Information that is designated as confidential is protected.
- Privacy – The privacy of the information that the service collects, retains, uses, discloses and disposes of is protected.
For more detailed information on CLEAR’s cloud-based network security measures, please contact your customer success representative, or visit the CLEAR support site.
An Examination of NAC, its Use Cases & its Future
Network Access Control (NAC) sits within the larger field of cybersecurity, and more specifically network security. It is a technology that enables organizations to enact their own policy for how and when endpoints (desktops, laptops, smartphones, etc.) can connect to their corporate networks. NAC solutions are typically designed to give IT security teams visibility of each device trying to access the network, and specifically the type of device and the access layer being used (i.e. WiFi, wired ports, or VPN).
Today, NAC provides a number of powerful features on top of what it was originally designed for nearly 15 years ago. These include security posture assessments for endpoints, which pinpoint any associated endpoint risks, allowing network security administrators to control network access based on their organization’s risk tolerance threshold.
With the rise of cloud computing, remote workforces, bring-your-own-device (BYOD) policies, and the internet of things (IoT), network access control has become a much more critical part of the larger cybersecurity technology stack at most companies. The technology itself has also evolved quite drastically in response to these emerging trends and their impact on networking and ensuring network security.
The use cases for NAC today are constantly expanding. Network security professionals leverage NAC solutions for network visibility, the discovery of endpoints, security profiling, compliance enforcement, remediation…the list goes on. In general, NAC is designed to do two core tasks: 1) authenticate the endpoint trying to connect to the network, and 2) authorize access based on authentication and posture assessment.
Throughout this piece, we will examine how NAC is being used out in the real world, things to consider when defining your NAC policies, the best way to invest in NAC, and more. Feel free to skip to any section using the links below:
- The Value of NAC
- NAC Use Cases
- Defining Your NAC Policies
- Common NAC Concepts
- Must-Have NAC Capabilities
- The Future of NAC
The Value of Network Access Control
Network access control delivers a host of benefits to the organizations that deploy it. Generally speaking, the value unlocked by NAC can be broken into three distinct areas of focus: 1) operational need, 2) security best practices, and 3) regulatory compliance.
One of the most interesting aspects of NAC is the fact that unlike many other areas of network security, it brings more than just the value of security to the table. In particular, NAC delivers three core operational values:
- Device Onboarding – Properly connecting new non-managed devices to the network and removing them from it.
- Guest / Contractor Access – Securely granting limited access to third parties connecting to the network, for either short or long periods of time.
- Asset Profiling – Identifying which devices exist in your organization and where they are connecting from.
Security Best Practice
The importance of network security goes without saying. Network access control, however, checks the boxes for a variety of IT security best practices, including:
- WiFi Security – Nearly 20% of SMBs experience a data breach by a former employee who still has WiFi access. Make sure you can control all WiFi connections.
- Visibility – See all devices on your network – no matter device type, location, or access layer used to connect.
- Containment – The ability to quarantine, block, or provide limited (guest) access to endpoints that do not meet your internal risk policies.
- Asset Profiling – see above.
Highly regulated industries like banking, financial services, and healthcare require strict compliance policies when it comes to their networks. NAC helps to deliver this and more through:
- Posture Assessment – Continually assess the risk posture of connecting devices across the network, no matter location or access layer.
- Port / Wired Security – Ensuring no untrusted device can physically connect to the network via wired ports in the office.
- Segmentation – Properly directing employees into their respective departmental VLANs, or pushing visitors to the guest network.
- WiFi Security – see above.
Individual Use Cases for Network Access Control
Within each of the three primary areas of value of NAC are a variety of different use cases for NAC. These include…
NAC is frequently used for device onboarding, which is the process of providing new devices with access to the corporate network for the first time. It sounds simple, but it’s anything but. Business units and even departments (think Finance & Accounting, for example) often have their own VLANs since they’re dealing with very sensitive, confidential data.
The task of setting up such VLANs and onboarding new devices is just one of dozens of tasks overseen by frequently overburdened IT teams. So, if not done correctly at first, it can open the door to potential network vulnerabilities, such as a person gaining access to a part of the network he/she should not have the privileges for.
At a small scale, managing access manually is often sufficient. For larger organizations, however, this just isn’t sustainable. As a result, many large organizations that don’t have a secure onboarding process will often compromise on network security hygiene.
At some point in the workday, most companies will have non-employees visiting their offices for meetings and business dealings. These guests are typically on-site for brief periods of time but may need wifi access during the course of their stay.
Typically, each organization defines the level of authentication and monitoring they want for their visitors. Common policies include:
- Disclaimer Only – Notifying visitors of the rules they must abide by while using the company network.
- Pre-Generated Username & Password – Simple authentication for better control of who is connecting to the network.
- Sponsorship – Authentication based on an individual working for the organization. Usually, the sponsor will receive an email to approve the connected guest.
Many organizations offer a guest network, where day-to-day visitors are directed. This approach effectively eliminates the most common threat – someone that is just looking to be connected to the internet. The most common way to implement network access for guests is through the use of a captive portal.
Additionally, many businesses hire contractors or consultancies to tackle specific projects. These individuals and groups will need network access for extended periods of time and will need to be granted access to company resources and sensitive, proprietary data. NAC is used to dictate and enforce the level of access these types of individuals receive based on internal policies.
In recent years, remote work has soared due to a greater demand for mobility and flexibility. This has given rise to the adoption of bring your own device (BYOD) policies within many organizations. Now, while this approach makes operational (and even financial) sense, it does come with a caveat. By allowing employees, contractors, and guests alike to use their own devices to connect to the network, you’re immediately faced with issues like data leakage, malware infections, the mixing of corporate and personal data, and more.
With BYOD, a network access control solution can effectively secure such a fragmented network through multiple methods of authentication, and by making sure device risk posture is valid and continuously remediating any security issues in real-time. First, network security administrators can use a dedicated SSID for employee device authentication – no matter if it’s managed or personal. They can then create a separate SSID for guests and contractors to authenticate those individuals to the guest wifi.
The other option available for authentication is the use of directory credentials. Integrating tools like Okta or Active Directory with your NAC allows you to authenticate managed corporate devices through certificates, and BYOD devices through personal credentials.
A captive portal is a web page for authenticating users and verifying their device type and posture state. While this method is sufficient for visitors, it is an insufficient solution for employees or permanent visitors on your network. The most common use cases for a captive portal are:
- Guest access
- Self-service portal for BYOD / IoT on-boarding
It’s important to note that this is an interactive method of accessing the network, so when non-interactive devices, such as IoT devices, are “pushed” to a captive portal, they cannot react and thus cannot gain access to the network. In order to use IoT onboarding with a captive portal, the end user must either register the IoT device in the self-service portal or download some form of credentials to be installed on the IoT device (such as a digital certificate).
For fully remote employees or contractors, companies have traditionally relied on VPNs to establish secure encrypted connections for remote access to the corporate network. A VPN does not stop an endpoint from accessing the network, however – it’s only a way of providing remote network connectivity. By itself, a VPN is missing the ability to authenticate a user – it cannot prevent “unhealthy” devices from connecting to the network.
In the instance of remote access, NAC can be layered over the top of a VPN, VDI or other remote access methods, such as a Meraki Z3 Teleworker Gateway, to provide effective authentication and access control, as well as endpoint risk profiling – just like any other access layer (i.e. wifi or wired port).
Device Risk Posture Assessment
Your corporate network is only as strong as its weakest security link. This means continuous risk posture assessment is paramount. By continually monitoring the network, your network and security teams can stay ahead of cyberattacks with the ability to identify new risks in real-time, react to these risks, and take action. In a world with ever-expanding boundaries and an exponential increase in types of endpoints, continuous risk posture assessment must function no matter the location, device type, or type of data being transferred.
Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of attacks but also allow for business continuity. Effective endpoint remediation consists of:
- Automated Patch Updates Across the Network – Enforce necessary patch, anti-virus, operating system, and application updates across managed and unmanaged endpoints.
- Immediate Incident Response – Contain ransomware events by remotely disconnecting endpoints from the network without the need for manual intervention.
- Armed Incident Response Teams – Arm IT professionals and network admins with the ability to remotely take actions on employees’ devices.
The proliferation of IoT devices over the last decade has prompted a growing number of network security concerns. With all of these devices – printers, CCTV cameras, ATMs, MRI machines, etc. – now connected to their respective networks, corporate threat surfaces are expanding exponentially.
To combat the many risks posed by these new endpoints, companies are turning to NAC to gain visibility, knowledge, and control over IoT devices – much the same as for traditional PCs and VoIP phones based in the office. There is a huge variety of IoT devices, and in general there is a serious lack of centralized management with regard to their security posture. Many of these IoT devices still rely on IT security technology from the 1980s, with no password brute-force controls and no available patches.
It’s not a question of whether vulnerabilities exist on IoT devices; this is a given. Today, it’s a matter of ensuring these devices can be properly controlled so they can’t compromise the network. Currently, the only line of defense is segmenting them out of the network and making sure only authorized users and devices can access them – this is exactly what NAC solutions do, automatically.
Industries like banking, financial services, and healthcare are typically subject to a plethora of compliance regulations, such as SOX, HIPAA, PCI-DSS, GLBA, and now GDPR. Embedded in many of these regulations are certain network security parameters that necessitate access control so that sensitive personal and confidential information is not compromised.
Once a company has defined its internal network security compliance policies, it needs to implement a network access control solution to put them into effect and to continually assess its compliance standing.
NAC is used to enforce regulatory policies and maintain compliance across the organization. In practice, this typically means:
- Understanding how mobile, BYOD, and IoT devices will affect and transform not only the organization but the industry, and implementing the right processes and tools to control them.
- Tracking any network related device or program in real-time via a centrally secured platform providing full and actionable visibility.
- Controlling access to the network and to cloud applications, even based on the geographical locations of users.
- Ensuring that the business is in compliance with governmental regulations like SOX, PCI DSS, HIPAA, FINRA, FISMA and GLBA, among others. Strict compliance will provide legitimacy with clients and partners.
Common Network Access Control Policies
Access Control Policies
Network security teams define and activate access control policies to control device access to the corporate network, which is ultimately based on the device authorization state. Once a device is authorized for network access, a network access policy determines which specific virtual LAN (VLAN) that device or user is directed to. On top of that, the policy also defines, for each type of authorization violation, whether to deny entry or whether to quarantine the device by assigning it to a specific VLAN or apply an ACL.
Risk Assessment Policies
In addition to defining an access control policy, network administrators will typically define a risk assessment policy, which assigns a risk score to each device. This score will indicate the level of risk posed by the device. Depending on the NAC solution in use, these risk scoring systems may differ. A risk assessment policy defines, for each device attribute (such as OS, security posture, geo-location, and more), the risk rating to apply if the device violates the current policy in use. At the end of the day, the risk score is used to determine whether the device is allowed, blocked, or quarantined from accessing the network. This is the backbone of NAC.
In some instances, the network security team may define a series of remediation policies. Essentially, a remediation policy consists of unattended corrective and preventive actions (CAPA), automatically applied to devices upon every transmission or on a recurring basis. A remediation policy can be used to reduce devices’ risk scores and increase compliance levels for network access.
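The three policy types just described (access control, risk assessment and remediation) compose into one decision per connecting device. The following is an added example written for this page; it is not Portnox CLEAR’s policy engine or any vendor’s implementation. The attribute names, risk weights, thresholds, VLAN numbers, allowed countries and remediation actions are all constructed, chosen only to show how a per-attribute risk rating turns into an allow / quarantine / deny outcome with a VLAN and a list of corrective actions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Risk assessment policy: points added for each attribute that violates policy.
# Attribute names and weights are constructed for this example.
RISK_WEIGHTS: Dict[str, int] = {
    "os_patched": 30,
    "antivirus_current": 25,
    "disk_encrypted": 20,
    "firewall_enabled": 15,
}
SUPPORTED_OS = {"Windows", "macOS", "Linux", "iOS", "Android"}
ALLOWED_COUNTRIES = {"US", "GB", "DE"}     # geo-location rule (constructed)
UNSUPPORTED_OS_RISK = 50
GEO_RISK = 40

# Access control policy: score thresholds and VLAN assignments (constructed).
QUARANTINE_THRESHOLD = 25   # score >= this -> quarantine VLAN
DENY_THRESHOLD = 60         # score >= this -> deny outright
GROUP_VLANS = {"finance": 20, "engineering": 30, "helpdesk": 40}
QUARANTINE_VLAN = 999

# Remediation policy: corrective action per violation (constructed labels).
REMEDIATION = {
    "os_patched": "push pending OS patches",
    "antivirus_current": "update antivirus signatures",
    "disk_encrypted": "enable full-disk encryption",
    "firewall_enabled": "turn on host firewall",
}


@dataclass
class Device:
    mac: str
    group: Optional[str]        # group from the identity store; None if authentication failed
    os: str
    country: str
    os_patched: bool = True
    antivirus_current: bool = True
    disk_encrypted: bool = True
    firewall_enabled: bool = True


@dataclass
class Decision:
    action: str                 # "allow", "quarantine" or "deny"
    vlan: Optional[int]
    score: int
    violations: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


def risk_score(device: Device) -> Tuple[int, List[str]]:
    """Apply the risk assessment policy: return (score, violated attributes)."""
    score, violations = 0, []
    for attr, weight in RISK_WEIGHTS.items():
        if not getattr(device, attr):
            score += weight
            violations.append(attr)
    if device.os not in SUPPORTED_OS:
        score += UNSUPPORTED_OS_RISK
        violations.append("unsupported_os")
    if device.country not in ALLOWED_COUNTRIES:
        score += GEO_RISK
        violations.append("geo_location")
    return score, violations


def evaluate(device: Device) -> Decision:
    """Apply the access control policy on top of the risk score."""
    # Authentication comes first: a device with no known group gets no VLAN at all.
    if device.group not in GROUP_VLANS:
        return Decision("deny", None, 0, ["unauthenticated"])
    score, violations = risk_score(device)
    remediation = [REMEDIATION[v] for v in violations if v in REMEDIATION]
    if score >= DENY_THRESHOLD:
        return Decision("deny", None, score, violations, remediation)
    if score >= QUARANTINE_THRESHOLD:
        # The quarantine VLAN keeps the device reachable for remediation only.
        return Decision("quarantine", QUARANTINE_VLAN, score, violations, remediation)
    return Decision("allow", GROUP_VLANS[device.group], score, violations, remediation)


if __name__ == "__main__":
    sample = Device("00:11:22:33:44:55", "finance", "Windows", "US", antivirus_current=False)
    print(evaluate(sample))
```

The ordering matters: authentication failure is decided before any posture attribute is read, so an unknown device never reaches the scoring step, and the remediation list is derived from the same violations that produced the score, so an administrator can see exactly which corrective action would move the device below the quarantine threshold.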
Common Network Access Control Concepts
Post-Connect vs. Pre-Connect
Within the world of network access control, “post-connect” refers to a device being allowed to connect to the network and immediately being checked for authentication. If a device does not meet the organizational criteria for authentication, it will be blocked from having access to the network (or access will be limited).
In contrast, “pre-connect” means that authentication decisions are being made before a device is allowed on the network. Only once the device is authenticated will it be granted access to the network based on the policy. 802.1X is a traditional pre-connect method.
In general, a pre-connect approach is more secure, since the device is granted access to the network only after it is identified as an organizationally trusted device. Post-connect is more convenient for end users, as they are granted access to the network before a decision is made.
Agent-Based vs. Agentless
Today, most NAC solutions can perform authentication and authorization without the need of an agent. Agents are typically employed for the following reasons:
- Risk Posture Assessment – This is mainly the case for companies with BYOD policies.
- Remediation – In order to know if a firewall or anti-virus is out-of-date, you must have an agent.
- On-Boarding of Unmanaged Devices – Again this mainly applies to BYOD.
In some cases, the agent does not need to live within the network access control solution. Rather, third-party agents such as mobile app management software (MAM/MDM) and services can be leveraged to execute the above functions.
Cloud NAC vs. On-Prem NAC
As we go into further detail below, if you can move NAC to the cloud, you should. There is a myriad of benefits to doing so. At a high-level, these include operational time savings thanks to easier deployment and less on-going maintenance, better accessibility (especially for distributed enterprises), more flexibility as your business needs change, etc. In general, enterprises are increasingly adopting purpose-built cloud technologies for different operational needs, and NAC is no exception.
Not every organization has the ability to deploy a cloud NAC solution, however. One of the main hindrances is a lack of openness to, or internal expertise in, cloud services. There still remain dwindling concerns, misconceptions and unrealistic expectations about the potential benefits and overall security of public cloud services, which has caused some industries – government agencies, healthcare, and education, to name a few – to be slow in adopting new enterprise cloud technologies.
Passive Profiling vs. Active Profiling
A core function of NAC is the profiling of network traffic and connected devices. In general, there are two approaches to profiling: 1) passive profiling and 2) active profiling.
Passive profiling means that a company’s NAC solution has been allowed to see all traffic across the network, and uses this intelligence to observe and analyze traffic to develop a passive profile of each device. On the other hand, active profiling means that a company’s NAC solution has been configured to initiate requests to the endpoints so that each device can have a profile created for it.
Must-Have Network Access Control Solution Capabilities
Full Access Layer Coverage
As today’s networks explode in size and scope, particularly with remote workforces on the rise, it’s imperative that your NAC solution can manage access control across all existing access layers. This includes the obvious – wired ports and WiFi. It also must be able to manage the various remote access methods used within your organization. These may include VPN, virtual desktop infrastructure (VDI), Meraki Z-Series Teleworker Gateways, and beyond.
Nearly every primary management and productivity tool used by businesses has shifted to the cloud. Network access control is no exception. The inherent productivity, operational, economic, and accessibility benefits have driven this trend over the last fifteen years.
When it comes to NAC, however, there is a big difference between cloud-based and cloud-delivered. Some NAC providers offer an accessible cloud-based platform from which to manage network access, but this typically still requires on-site hardware to be installed. With a cloud-delivered approach, you stand up everything in the cloud, from a RADIUS server for centralized authentication and authorization up to a certificate authority. This saves a significant amount of time and means that even large distributed organizations can implement NAC across their many locations in a fraction of the time required by traditional on-premise network access control solutions.
Today, 802.1X is the standard protocol for network access control. When searching for a NAC solution, the ability of the system to deliver 802.1X authentication is of the utmost importance. With access control based on 802.1X, network administrators can confidently block rogue devices, quarantine noncompliant endpoints, limit access to specified resources – whatever your internal policy calls for. 802.1X remains one of the best ways to authenticate devices because of its continuous and direct communication, in contrast to post-scanners, or other less secure authentication solutions that expose the network to vulnerabilities.
Zero-Trust for Endpoints
While “zero-trust” has become another overused buzzword in the world of network security, it is, in fact, an effective approach to sealing your network off from rogue devices. With zero-trust, an organization inherently does not trust any endpoint inside or outside its perimeters. A zero-trust network access control solution can eliminate the need for extensive endpoint scanning since the status of a device is already known. This doesn’t eliminate all of the attack surfaces, but it does help in protecting both endpoints and your network.
Endpoint Risk Assessment
The ability to continuously assess the risk of devices connected to or trying to connect to your network is paramount. Understanding the risk posture of devices – on-site or remote – and proactively taking action based on endpoint risk – such as allowing, quarantining, or denying access across access layers – is the best way to ensure network threats are kept at bay.
The world is changing – threat surface is expanding, and companies are increasingly turning to purpose-built enterprise cloud applications to streamline business processes. Today, it’s not enough to just protect what’s on-premise – you need to know the risk posture assessment of every device that connects to corporate resources, no matter location.
Continuous Device Remediation
Awareness is only a piece of the puzzle, however. When considering a NAC solution, it’s important to understand if it can easily remediate devices that sit outside of internal risk policies and restore those devices to the proper posture to eventually grant network access. Put simply, ensuring devices are healthy reduces security risk. That means network administrators can sleep a bit more soundly at night.
As we covered earlier, real-time device remediation has a major operational benefit as well – it saves time! By eliminating the need for network or security administrators to fix devices manually, you’re freeing them up for more important tasks.
Corrective & Preventative Action (CAPA)
Risky technology behavior like inserting an untrusted USB drive, or failing to update a firewall or anti-virus, is prevalent. We’re almost all guilty of it. The ability to prevent this risky behavior is thus important, not just for the sake of lowering the exposure time but also to save the organization valuable time by fixing the issue automatically and preventing a potential breach.
Multi-Factor Authentication (MFA)
Leveraging MFA for NAC that looks at a user’s credentials and an enrolled device is critical to ensuring access control across today’s expanding networks. MFA should be integrated within your NAC, especially on remote access. This approach ensures that security is offered on two levels: protection of the user identity, and authorization of the device – making sure only managed and secure devices are allowed to gain access. With MFA, if a user’s credentials are compromised, they’re effectively useless, and if the device being used is not enrolled with the NAC, the user cannot access the VPN, VDI, or cloud applications.
The Future of Network Access Control
NAC and the Rise of SD-WAN
The adoption of Software-as-a-Service (SaaS) and cloud services has decentralized data traffic flows, making Multiprotocol Label Switching (MPLS) inefficient for wide area network (WAN) transport. This has given rise to SD-WAN for the implementation of software-defined branch (SD-branch), now allowing IT environments to be extended to branches outside of the headquarters that need high-quality network connectivity.
Traditionally, in order for NAC to effectively operate, it has needed a direct connection to headquarters and appliances deployed on-site at individual branches. This is a costly, time-consuming endeavor, and has historically limited the use of SD-WAN and SD-branch. NAC has adapted by moving to the cloud, eliminating the need for on-site appliances and on-going maintenance. Now, all one needs is an internet connection to implement.
The Impact of Secure Access Service Edge (SASE) on NAC
In 2019, Gartner introduced SASE as a new enterprise networking technology category. In essence, SASE converges the functions of network and security solutions into a single, unified cloud service. This marks an architectural transformation within the realm of enterprise networking and security, and it means that IT teams can now deliver a holistic and flexible service to their businesses.
The logical next step in the evolution of network security is for organizations to be able to leverage a NAC solution that’s delivered as a cloud service. This eliminates the need for costly on-site appliances and on-going maintenance. Now, all that’s needed to control network access at branches and the headquarters alike, is an internet connection.
Currently, many Network Access Control (NAC) solutions support 802.1X authentication on wireless and wired networks by using Microsoft Domain attributes, such as the credentials of domain users or computer domain membership. In addition, there are plenty of domain-group synchronization scenarios for applying access policies and posture assessments.
Let’s think of an example, such as an organization where the members of a development team are allowed to connect to the corporate wireless network and are then assigned a VLAN or an access list upon successful authentication. Another example could be a finance team whose members are authorized access to the network once their endpoints are running the latest versions of antivirus and their drives are adequately encrypted, while at the same time, helpdesk team members are only required to have the most recent antivirus updates.
Most NAC solutions can handle these basic scenarios with an on-premises RADIUS server and an on-premises Active Directory, but what are you going to do if your organization decides to move the Active Directory to the cloud, for example, to Azure?
Azure AD and 802.1X
As part of the global trend of increasing cloud data consumption, Gartner predicts that by 2023 80% of enterprises will also adopt two or more cloud-based security services. In this category we have seen a shift in enterprises from on-premises Active Directories to cloud-delivered Active Directories. This significant change has added the need to consider certain adjustments to corporate information security.
One of these adjustments pertains to 802.1X authentication by domain attributes. Have you ever thought about 802.1X and Azure AD together? Or how network access control solutions will be able to adapt from the former on-premises legacy security vision to pure cloud-to-cloud integrations?
Converting your access and authentication controls to suit Azure AD requires the ability to have visibility into all devices before they connect to the network no matter where they are connecting from – VPN, wired, wireless or cloud. If security best practices are important at your organization, this visibility should include checking each endpoint, profiling it in terms of its security posture and providing it with a certain score. Once your system has this information it is possible to mitigate risks by applying controls that either prohibit suspicious endpoints from connecting to the enterprise network or more sensitive sections of it, or forcing them to update their security to be able to gain access.
Pure Cloud to Cloud Integrations
This is where cloud-delivered NAC solutions can benefit our new Azure AD players. One of the pioneering features in cloud-delivered NAC is pure cloud-to-cloud integration with Active Directory in Azure. By deploying it, you will be able to authenticate and authorize users and endpoints by Azure AD attributes without installing anything on-premises. Enabling Azure Active Directory Domain Services is not mandatory for authentication, so everything can be cloud-based and agentless.
If your organization is in the middle of a migration process, and you have both on-premises and Azure AD users, the ideal solution is a hybrid NAC deployment, where your Azure users are managed by a cloud-delivered NAC with Azure integration, and your non-Azure users are managed by an on-premises NAC Directory Broker.
Furthermore, it is recommended to have a NAC solution with a readily available integration with Microsoft Intune cloud service where you will be able to use Intune agents for setting your company’s risk assessment policies and thus enhance a pure cloud-to-cloud interaction in your organizational services.
For those interested in reviewing the future of simplified cloud-delivered network security, I would recommend reading more about how it works here.
Some argue that NAC (Network Access Control) is no longer relevant in today’s world of the mobile workforce and distributed (or decentralized) organizations that have moved to using cloud applications for the most part. Adding the fact that many organizations are allowing personal devices to be used in the corporate environment (BYOD) and the fact that IoT devices are used everywhere, some might consider this to be further evidence to the conclusion that NAC is no longer relevant or needed.
In 2004 the first NAC products came on the scene and signaled the start of a new segment in Information Security. At the time, most organizations still had a physical perimeter, desktops were still the main PC used at the workplace and laptops were starting to make a wide appearance. BYOD (bring your own device), IoT (Internet of Things) and multi-branch, geo-distributed organizations that rely heavily on cloud services were not prevalent yet. Accordingly, the standards for NAC were very different from what they are today and mainly focused on the wired environment. NAC solutions were then primarily based on 802.1X pre-connect enforcement with supplicants that were not part of the operating system. Organizations trying to implement NAC solutions only had the option of deploying 802.1X, which ended up as a long, complex deployment and implementation, leaving them with a bad taste for NAC.
Over the past 20 years, NAC technologies have evolved exponentially. Vendors introduced control and discovery techniques that have yielded better and faster deployments and ROI. Just as the enterprise network and endpoints have evolved, NAC solutions have evolved from merely allowing or blocking endpoints onto the network into a broader security solution that provides network visibility, endpoint profiling, security posture assessments, risk management and compliance.
Additionally, some solutions have scaled to suit the modern workforce, heterogeneous networks, hybrid cloud and on-prem environments, diverse endpoint environments (such as IoT and BYOD) and globally distributed organizations. This increase in number of devices connecting to the network and change of working environments has been our reality for the past 10 years and has evoked a new NAC. Hence, the resurrection of NAC continues to be upon us.
Future of NAC
At this point in 2019, over 60% of enterprise data is stored in cloud applications (public cloud, private cloud and a hybrid of both). By 2020, just a year from now, it is predicted that 83% of enterprise workloads will be taking place in the cloud (1). According to IDG, 77% of enterprises have at least one application or a portion of their enterprise computing infrastructure in the cloud. Additionally, more technology-dependent industries including manufacturing, high-tech, and telecom are being led by executive management to become 100% cloud-based. Therefore, it is crucial to make sure that only company-owned and secured devices gain access to corporate intellectual property and information in the innermost circles of the enterprise. According to Gartner research (2), by 2023 80% of enterprises will adopt two or more cloud-based security services. This is no coincidence. The complexities in the cyber security landscape alongside the increasing shortage of skilled security professionals (3) are leading towards a greater adoption of cloud-based security services and specifically to the adoption of NAC as-a-Service.
Another factor in future solutions is related to increasing IoT adoption by enterprises and factories. Visibility and monitoring of IoT devices, which typically cannot run an endpoint agent, must be done by an agentless solution. We believe that agentless solutions that are centrally controlled will be preferred by many organizations in 2019 and the years to come.
Lighter, adaptable and agile solutions will be necessary in the new era. Enterprises will transition into using easier NAC solutions such as centralized NAC, agentless NAC, NAC delivered from the cloud and Software-as-a-Service. These NAC solutions will save time and money on deployment, training and implementation, while at the same time providing the visibility and accuracy needed to handle today’s complex and hybrid networks. Next-gen solutions are able to cope fully with today’s decentralized organizations and the old NAC configurations will no longer suffice as they are perimeter focused.
NAC was effective for the problem it was created to solve in the mid-2000s, but subsequent technological advancements in cloud applications and the mass-adoption of mobile computing devices by the mobile workforce, and IoT have introduced new complexities and challenges. The new computing model requires new cyber security solutions, and the new, NAC technologies are uniquely positioned to be among them. Cloud-native solutions will address concerns of lengthy deployments and geo-distribution. Agentless and centralized solutions will shorten and simplify implementations and everyday usage that were once the dread of CISOs and IT security teams in the enterprise.
You can see the ease of use and the benefits of cloud-delivered NAC by starting your own free trial of CLEAR (cloud-delivered solution) today.
1. LogicMonitor’s Cloud Vision 2020: The Future of the Cloud Study.
2. The State of Network Security in the Cloud Era, Lawrence Orans, 2018 Gartner Security & Risk Management Summit.
3. Shortage of skilled security professionals: 2.9 million, according to (ISC)2.
In recent months, Portnox and Palo Alto Networks joined forces to better deal with the current cyber security threat-landscape. Network security teams in the enterprise must cope with several challenges that impact their traditional network infrastructure. Here are some of those challenges.
A significant challenge to network and data security is the lateral movement of cyber security hazards such as malware (or even ransomware) from one compromised endpoint to others.
In recent years, cyber offenders have carried out large-scale attacks targeting organizations by exploiting known vulnerabilities and security gaps on endpoints. WannaCry, NotPetya and Bad Rabbit are malware attacks that used lateral movement to spread in large-scale campaigns during 2017. Starting from a single entry point, typically the most vulnerable endpoint the attackers can find, proliferation via lateral movement can affect an entire organization. In this way, unpatched or unprotected systems can be taken down in no time, leaving an entire organization paralyzed while the offenders achieve their goals.
IoT, BYOD & Unmanaged Endpoints
According to cyber security experts, the majority of harmful attacks exploit well-known vulnerabilities and security gaps on endpoints. Most organizations are unaware of a significant percentage of the endpoints on their network as these are Bring Your Own Device (BYOD), Internet of Things (IoT), guest and other unmanaged endpoints. Additionally, many IoT devices are found to be placed in network segments that are being used by other company devices and IoT endpoints are particularly vulnerable to being breached. These endpoints aren’t transient and typically go undetected by periodic scans. As such, security teams remain unaware of the attack surface on these devices.
The growing decentralization and de-perimeterisation of worldwide organizations is a crucial factor as well. Once a threat has been identified inside or outside the enterprise perimeter, security teams must be able to handle and contain the threats at HQ and at branch offices anywhere in the world; as well as to be able to secure the devices being used by traveling or telecommuting team members.
Today’s threats are evolving rapidly. The current velocity and evasiveness of targeted and sophisticated attacks has never been seen before. These attacks rely on stealth, perseverance and the ability to overcome many cyber security defenses. Oftentimes these attacks use multiple vectors of attack and focus on acquiring crucial personal data, company intellectual property or other insider information. Unfortunately, compromised devices and data breaches can often remain undetected for weeks or months. Detecting advanced threats and infected endpoints will require new and adaptive security controls.
Once a threat is detected, how can one see what kind of device has been compromised? Is it a laptop? A phone? An IoT device? Who is the user behind it? Where is it located on the network?
Today’s security analysts are spending too much time trying to pinpoint the compromised endpoint and figuring out who else in the organization has been affected, especially when lateral movement is such a big risk. Oftentimes data breaches remain undetected for extended periods of time (with more than 80% of breaches undetected, Gartner 2017*). Even when detected, if a threat moved laterally before being shut down, there is a lack of information regarding which other endpoints have been compromised; on or off premise.
Response & Control.
Actions must be taken. Stopping lateral movement and other endpoints from being infected is crucial. Compromised devices must be quarantined or blocked from accessing the network, regardless of how they are connected to the network (wired, wireless, VPN, cloud).
Future Risk Mitigation.
Blocking the current threat and preventing it from infecting other endpoints is a great start, but not enough to maintain optimal network hygiene. Continuously analyzing the security posture of all organizational devices is crucial. This includes the ongoing review of existing threats and Indicators of Compromise (IOC) to determine which endpoints are granted access to the network each time.
With so many challenges to factor-in and the all-time record of the number of vendors offering solutions in the cyber security space, all seemingly overlapping, it is no surprise that security teams have a difficult time sorting through many vendor claims till they finally select the services or products that will best match their security and budget requirements.
The CLEAR App Solution.
In mid-October 2018, the Portnox CLEAR App went live on the Palo Alto Networks Application Framework. This joint solution, between Portnox CLEAR’s cloud-delivered network access control and the Palo Alto Networks firewall, allows security teams to set enforcement policies based on threats detected by the firewall. The App prevents the lateral spread of malware throughout the organization and effectively isolates the compromised endpoints in real time. The Palo Alto Networks Application Framework is itself cloud-delivered, and therefore this cloud-to-cloud solution will allow organizations to provide remote branches the same security as at HQ, allowing for much better handling of threats inside and outside the perimeter.
Security teams can rapidly enable the App without worrying about adding any infrastructure or appliances. Additionally, organizations can create customized policy via CLEAR with the flexibility to assign the right impact on the endpoint’s continuous risk assessment and security posture. This is done by correlating advanced threat categories from the Palo Alto Networks firewall with the organization’s access and risk assessment policies for devices. In essence this will allow the organization to leverage the Palo Alto Network advanced threat detection to better secure the access of all endpoints, including BYOD and IoT devices.
Accelerating the Response to Threats.
The joint solution will accelerate the response to threats by identifying all compromised devices that share the same threat using CLEAR’s unique visibility and data discovery capabilities.
Palo Alto Networks next-gen firewalls identify evasive and sophisticated threats and automatically thwart them through multiple means. The technologies use analysis of all allowed traffic, using multiple advanced threat-detection and prevention technologies.
Continuous Risk Mitigation.
Based on the advanced threat detection data received from the Palo Alto Networks firewall (i.e. detecting malware that is new or has no signature), CLEAR enables the discovery of other endpoints with the same threat. Moreover, CLEAR will provide the user ID, office location, switch location, etc., regarding the compromised endpoints. Once the advanced threat detection alerts are received in the Palo Alto Networks Application Framework, CLEAR quarantines or blocks these compromised endpoints. Automated response actions are customized and tailored by the organization’s requirements. IOCs and vulnerabilities indicated by the Palo Alto Networks firewall are correlated with the risk-score of each endpoint and the appropriate response is issued by CLEAR.
CLEAR continuously monitors and evaluates each endpoint on the network, establishing a risk-score for it over and over again, whether the device is connected on or off premise. This knowledge is used to define access policies and continuous risk-monitoring takes place. Security admins can determine, customize and tailor the access policy based on the organization’s security requirements. If the risk-score is high, CLEAR will not allow access or will allow limited access by quarantining the endpoints to a certain VLAN. If the risk-score is low – CLEAR continues to monitor the endpoint.
The day-to-day operation of the application will enable customers to monitor a network or endpoint threat-indications from the Palo Alto Networks Application Framework, to update the risk score of devices, and to identify all devices that share the same threat.
The fact that CLEAR is delivered from the cloud as a SaaS solution has many positive ramifications from every aspect: security, operations, cost efficiency and more. For example, CLEAR is always running the latest version, with seamless upgrades, delivering the most up-to-date technology advancements to the subscriber. This can save a lot of time and needless worry for the administrators and assures the usage of the best security. Additionally, using a cloud-delivered solution allows for scalability and is geo-distributed across the world, making it a must-have for decentralized and growing enterprises. All of these contribute greatly to a substantial reduction in the Total Cost of Ownership (TCO).
Additionally, with cloud-delivered security solutions, managing risks and threats no longer depends on an IT security team administrator being physically present within the perimeter of the enterprise location. Changes can be made from wherever the security admin is located at the time, from a central account, allowing for faster hands-on solutions as required. In our ever-evolving workspaces, this is a crucial mode of operation.
With the Portnox CLEAR application on the Palo Alto Networks Application Framework, companies can continuously monitor endpoints on the network and scan for a wide variety of IOCs, for the rapid pinpointing of compromised endpoints, stopping lateral movement and completely avoiding costly data breaches.
With the prevalence of digital transformation in the enterprise, there is a clear necessity to balance IoT security issues and BYOD security measures that will prevent suspicious or malicious devices from gaining access to the enterprise’s assets and data centers, while at the same time making sure that productivity and easy onboarding of devices are maintained. Employees, guests and contractors are bringing all kinds of Wi-Fi-enabled devices to the enterprise environment and they expect easy and quick network connectivity.
Onboarding is the process in which new devices gain access to the enterprise for the first time. Unfortunately, IT departments can sometimes experience additional workloads while endeavoring to get all the devices on the network so as not to hinder business productivity. At the same time, if they are not handling the process with top security standards in mind, they could potentially place users, devices, enterprise data and the network itself at risk. The question arises: how should IT security teams allow BYOD, IoT, contractors, guests, etc. to securely and quickly connect to the network without placing any of its components at risk of a breach or ransomware attack? The answer: automation.
By automating the entire onboarding process enterprises can achieve the following benefits:
- Reducing the costs that are typically associated with manual work (including configuration and support activities).
- Enhancing productivity – getting team members, contractors and guests connected to work faster.
- Increasing end-user satisfaction – instead of hassling end-users with onboarding procedures, the whole process can and should be seamless.
- Decreasing the risks – unmanaged, unpatched, high-risk devices should be blocked or connected from the beginning to a separate segment of the network from where the key corporate assets are stored (the “crown jewels” of the company).
Employees, students, contractors, partners and guests should onboard their devices once and then automatically re-authenticate after that, within an environment that continuously monitors all devices on the networks and automatically provides a risk score for every device. This ongoing scoring allows security teams to understand the security posture of the devices and the network as a whole, at any given moment. At the same time, there is no need to have end users repeatedly re-enter credentials on subsequent network connections unless a device is deemed to have a high risk score. This way the enterprise can easily onboard BYOD devices belonging to employees that are traveling, working remotely or working at a satellite office location. Additionally, this allows onboarding of IoT and smart devices for business, such as flat screens and printers, as well as gaming consoles, smart refrigerators and more. These items, of course, must be on a separate segment from where company assets are kept.
Reducing Risks on the Network
A while ago Ofer Amitai, Portnox CEO, wrote about tips for securing endpoint devices on college campuses, institutions that always want a relatively simple onboarding process. He discussed how changes in onboarding and guest access policies could reduce risks and improve network visibility and control. The principles for securing the enterprise require these steps and more. Having a clear set of onboarding policies will allow IT teams to have automated actions applied (see examples in the next section).
After handling the company’s initial network security audit and collecting the security posture of all devices, it is important to make sure that the enterprise authorization policies include conducting automated and continuous security assessments of the network. This way, every device employs baseline security measures before being allowed to connect. Additionally, the IT security team should use granular policies to govern the level of access while maintaining full visibility and control over network connected devices with the ability to revoke access at any time.
Automated Device Onboarding and Network Authentication
Having an automated onboarding set of policies can allow for automated actions such as:
- Immediately allowing Internet access
- Blocking/ disconnecting
- Segmenting a device to a separate network section
- Remediation actions
For example, IoT devices are considered to be easy to hack. Therefore, once connected to the enterprise network, these devices should be separated from where core assets are located. Having different segments on the enterprise network is a good solution for that. Additionally, if a visitor is being connected, the visitor should gain access to the Internet and not to company files, even when plugging the computer into the wired network.
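The policy logic sketched in the examples on this page (the developer, finance and helpdesk rules in the Azure AD section, the high-risk-score quarantine behaviour in the Palo Alto Networks section, and the IoT and guest segmentation just described) as one worked illustration. This is an added example, not Portnox CLEAR’s own code; the group names, VLAN numbers, score weights, quarantine threshold and the "latest" antivirus version are all assumptions, and the returned RADIUS attributes follow the RFC 3580 convention for dynamic VLAN assignment.

```python
"""Posture-based 802.1X authorization policy (constructed example, not CLEAR's engine)."""
from dataclasses import dataclass, field
from typing import Optional

LATEST_AV_VERSION = (4, 2)      # assumed "current" antivirus release for this example
QUARANTINE_THRESHOLD = 70       # assumed: a risk score at or above this is quarantined

# Assumed VLAN layout: one segment per role, plus internet-only and quarantine segments.
VLAN = {"dev": 110, "finance": 120, "helpdesk": 130,
        "iot": 200, "guest": 300, "quarantine": 999}


@dataclass
class Endpoint:
    mac: str
    device_type: str                                   # "laptop", "phone", "iot", ...
    owner_groups: list = field(default_factory=list)   # directory groups of the user
    av_version: Optional[tuple] = None                 # None = no antivirus reported
    disk_encrypted: bool = False
    is_managed: bool = False                           # corporate-owned vs BYOD/guest


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    risk_score: int
    reason: str

    def radius_attributes(self) -> dict:
        """Attributes a RADIUS Access-Accept would carry for dynamic VLAN assignment."""
        if not self.accept or self.vlan is None:
            return {}                       # Access-Reject carries no tunnel attributes
        return {
            "Tunnel-Type": "VLAN",              # value 13
            "Tunnel-Medium-Type": "IEEE-802",   # value 6
            "Tunnel-Private-Group-ID": str(self.vlan),
        }


def risk_score(ep: Endpoint) -> int:
    """Additive posture score, higher is worse. Weights are assumptions for the example."""
    score = 0
    if ep.av_version is None:
        score += 50                         # no antivirus at all
    elif ep.av_version < LATEST_AV_VERSION:
        score += 25                         # antivirus present but out of date
    if not ep.disk_encrypted:
        score += 25
    if not ep.is_managed:
        score += 20                         # unmanaged/BYOD endpoints carry more uncertainty
    return score


def authorize(ep: Endpoint) -> Decision:
    """Map an endpoint's posture and the user's groups to a network segment."""
    score = risk_score(ep)
    av_current = ep.av_version is not None and ep.av_version >= LATEST_AV_VERSION

    # Devices that must never reach corporate segments are decided first, so a
    # guest or IoT device is segmented away whatever its score.
    if ep.device_type == "iot":
        return Decision(True, VLAN["iot"], score, "IoT device segmented from corporate assets")
    if "guest" in ep.owner_groups or (not ep.owner_groups and not ep.is_managed):
        return Decision(True, VLAN["guest"], score, "guest/unknown user: internet only")

    # High risk quarantines regardless of role, so remediation happens in isolation.
    if score >= QUARANTINE_THRESHOLD:
        return Decision(True, VLAN["quarantine"], score, "risk score above threshold")

    if "finance" in ep.owner_groups:
        if av_current and ep.disk_encrypted:
            return Decision(True, VLAN["finance"], score, "finance posture satisfied")
        return Decision(True, VLAN["quarantine"], score,
                        "finance requires current AV and an encrypted drive")
    if "helpdesk" in ep.owner_groups:
        if av_current:
            return Decision(True, VLAN["helpdesk"], score, "helpdesk posture satisfied")
        return Decision(True, VLAN["quarantine"], score, "helpdesk requires current AV")
    if "developers" in ep.owner_groups:
        return Decision(True, VLAN["dev"], score, "developer group: team VLAN")

    # No policy matched: fail closed rather than granting a default segment.
    return Decision(False, None, score, "no matching access policy")


if __name__ == "__main__":
    # Constructed sample endpoints exercising each branch of the policy.
    samples = [
        Endpoint("00:11:22:33:44:01", "laptop", ["developers"], (4, 2), True, True),
        Endpoint("00:11:22:33:44:02", "laptop", ["finance"], (4, 1), True, True),
        Endpoint("00:11:22:33:44:03", "laptop", ["helpdesk"], (4, 1), False, False),
        Endpoint("00:11:22:33:44:04", "iot", [], None, False, False),
        Endpoint("00:11:22:33:44:05", "phone", ["guest"], None, False, False),
    ]
    for ep in samples:
        d = authorize(ep)
        print(ep.mac, d.accept, d.vlan, d.risk_score, d.reason, d.radius_attributes())
```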
Two important advanced guest network onboarding features are recommended to be included:
- Easy guest access – allowing for simple and fast connections together with the ability to continuously monitor all devices and ensure security.
- Agentless access – once the IT administrators have set up the onboarding policy – contractors and guests on protected networks should be able to self-onboard without installing an endpoint agent.
Acquiring Advanced Onboarding Capabilities
One of the technologies that can help with safe onboarding is network access control (NAC). In the past, companies used only desktops and laptops, connected and authenticated over a wired network; however, nowadays wireless networks and mobile technologies have introduced personal devices (via BYOD policies) and Internet of Things (IoT) to the workplace. In addition, increasingly stringent compliance standards, such as PCI-DSS, SOX, and ISO standards, require companies to openly communicate their security controls to external auditing authorities. All of these can be achieved via NAC solutions. Network access security should be a priority for all companies moving forward.
Every enterprise today must support a rapidly proliferating world of devices and platforms. From an operational viewpoint, this shouldn’t obstruct workflows and productivity. Ideally, the enterprise IT team will automate and secure network onboarding and authentication so that the IT helpdesk doesn’t have to intervene when guests, contractors and IoT devices need to connect. Additionally, an effective plan for secure network onboarding will on one hand improve the end-user experience for BYOD, IoT, users and guests and on the other hand improve IT security as part of a layered protection strategy.
Looking to set IT security policies and automate your device onboarding?
Portnox CLEAR offers easy onboarding while never compromising on network security across the enterprise.
Implementation Issues Solved with 802.1X NAC Delivered from the Cloud
In parts 1 and 2 of this blog series we spoke about the idea that decentralized organizations, where mobility plays an important role in network security functionality and visibility, should seriously consider implementing NAC solutions delivered from the cloud, as-a-Service, because endpoint risk assessment, as well as network visibility and control, can be obtained for all locations and provide flexibility in terms of growing the coverage as the company grows.
With that in mind, today I will explain the five points that we believe are essential in choosing your next network security solution.
When deploying 802.1X NAC as-a-Service, complaints about lengthy deployments, implementation hassles and limited capabilities do not have to be prevalent any longer. In fact, IT security teams can now succeed where others have failed and be the superheroes of network security projects. NAC doesn’t have to be complicated. With NAC as-a-Service, there is no need for physical deployment or network hardware (unless it already exists, such as RADIUS or Active Directory servers), which significantly cuts the costs and deployment-time that were previously associated with the 802.1X authentication protocol.
Additionally, NAC as-a-Service allows for secure and remote access for the geo-distributed workforce, without the need for localized branch appliance deployments. It also enables business continuity, because if appliances go offline at one of the locations, the rest of the locations and endpoints can continue accessing the network without interruptions and regardless of which type of device is being used (corporate, BYOD, IoT, etc.).
As you can see, the NAC as-a-Service cloud delivery model is a different approach altogether for dot1X authentication in the enterprise, as it solves key security issues with the ease, agility and efficiency of a SaaS solution.
Here are the top 5 items you should look for in selecting your next 802.1X NAC solution.
I. SaaS delivery – With the shift to cloud-based solutions in businesses world-wide, many businesses no longer maintain their own data centers and have come to expect and rely on many solutions to be Software as-a-Service oriented. 802.1X NAC solutions provided from the cloud fit the bill and allow for easier and more cost-effective deployments and implementations.
II. Turn-key solutions with pay-as-you-go options – your next network security solution should have a low TCO – Total Cost of Ownership (both in terms of price and man hours), without forcing you to have so many pieces of equipment, installations and cumbersome access controls. These are the traits of NAC solutions which are not a good fit for decentralized organizations. A simple, pay-as-you-go model will allow you to gradually implement your NAC solution, while maintaining the highest standards for network security. While TCO is a major driver for IT infrastructure management, there is no reason to compromise on a network security project; rather, choose a solution that will provide a full and mature solution from day one.
III. A scalable and adaptive multi-branch solution – with enterprise mobility and multi branch businesses that in some cases span across countries and continents (without always having an IT professional available), your NAC solution should be able to follow your company wherever it goes. Your solution should also be able to adapt to growth in the number of endpoints, locations and ports, no matter where they are and which layer of the network is being utilized (wired, wireless, VPN).
IV. A Holistic approach to cyber security – your 802.1X NAC solution should not be limited just to port security. It is advisable to have a system in place that can provide a full network security vulnerability assessment. Once your solution can provide full visibility of all network access layers as well as all types of devices that are currently connected on the network, your IT managers can maintain tighter controls and set up automated actions.
V. Automated policies and actions – automation is a must-have option, as there are so many challenges to deal with in keeping today’s organizational network secured. Having one simple and consolidated platform that handles all access layers and all potential port security dilemmas, will allow for easier automation, configuration and segmentation (as required) of the endpoints for a connection that is based on group permissions. dot1X port control allows for full end-to-end provisioning, automated deployment, management and troubleshooting tasks.
Taking these top 5 points into consideration before selecting an 802.1X solution will assure that decentralized organizations wind up with an easier deployment process in terms of time and budget, as well as a holistic solution that does not ignore any part of the network.
Portnox CLEAR is the recommended solution for simple 802.1X deployment without compromising on security across the enterprise. By using RADIUS and repository servers from the cloud, dot1X port control is delivered as-a-Service, and admins can embrace the benefits of dot1X authentication by deploying a zero-touch solution that eliminates geo-redundancies. Within weeks, it is easy to see and control every device connected to the network and, thanks to automated monitoring, risk assessments and automated actions, it isn’t necessary to be glued to the admin console ever again.
To find out how 802.1X authentication delivered from the cloud works, read more in the White Paper, “802.1X Authentication Is Simpler Than You Think”.
The Business of Risk Assessment
Classical port security is not always understood. Originally it involved the equipment and particularly computers within the physical perimeter. At that point, NAC came into play if someone penetrated the network from a physical port, on-premise. This all changed in the last 15 years, when enterprise mobility and digital transformation took over. These required different levels of authentication to fit the different devices, including managed devices (company owned), unmanaged devices (where Bring Your Own Device – BYOD policies are at play) and IoT devices. The homogenous ways of the old made way for the heterogeneous reality of the new, turning device and port security into the business of risk assessment.
Risk assessment and full network visibility are the virtual doormen at the party who will allow the organization’s invitees to enter. Instead of naïvely allowing anyone to access the network, there should be a continuous and automated system performing risk-profiling and allowing full visibility of everything on the network. Where traditional, on premise NAC is limited to a few actions and parameters that do not reflect the complexities outlined above and in part 1 of this blog, a robust NAC solution should be able to scan all access layers and all endpoints for all users. Once this is achieved, continuous endpoint risk assessment becomes a reality, providing a wider solution that is required for today’s complex networks and decentralized organizations.
802.1X Network Security Projects
In today’s 24/7 news cycle we constantly learn of new data breaches, costly malware attacks and the need for solid network security. 802.1X, the IEEE standard for port-based network access control on which NAC solutions are built, was first considered a success when deployed on wired networks within a traditional on-premises solution. Later, as more companies became decentralized and shifted to wireless networks and VPNs, traditional on-premises 802.1X solutions no longer fit the bill.
Unfortunately, many companies were burnt by these on-prem 802.1X NAC projects. True, the standard itself is extremely trustworthy; the trouble is that most solutions bring a never-ending patching and configuration job, and that assumes the labor-intensive and expensive deployment, which in many cases involves moving a lot of equipment around, was ever completed. In a decentralized organization, such as a multi-national company with many sites, each location needs its own way to protect all endpoints and company assets. This can become costly and leave the organization with an inconsistent security posture.
To solve these and many of the challenges discussed in part 1, lighter, adaptable and agile solutions have become necessary in the new reality. Organizations must transition to easier NAC solutions, such as NAC delivered from the cloud as Software-as-a-Service. Among other attributes, a SaaS delivery model saves time and money on deployment, training and implementation, while providing the agility, visibility and accuracy needed to handle today’s complex, multi-component networks. Next-gen solutions offered as-a-Service can cope fully with today’s decentralized organizations, where on-prem 802.1X solutions no longer suffice. Thankfully, there is such a solution. While it provides robust coverage, it is easy to implement in a few simple steps, the first of which is a software download.
NAC Solutions Delivered as-a-Service from the Cloud
Using a next-gen 802.1X cloud solution allows organizations of any size, with any number of locations, to gain full visibility of all endpoints on the network, regardless of the access layer or the type of device (company-issued, BYOD, IoT, etc.). 802.1X is one of the most secure ways to authenticate devices connecting to the network because it is an IEEE standard built on well-defined protocols: the endpoint authenticates to a RADIUS server through EAP, and the switch or access point only relays that exchange and enforces the server’s decision. While other authentication methods may simplify implementation and management, as of now very few can match the security and strength of 802.1X authentication across wired, wireless and VPN access.
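The part of that design that a cloud-delivered RADIUS depends on is the leg between the NAS (switch, controller or VPN gateway) and the RADIUS server, which is protected only by the shared secret. The following is an added example, not Portnox code, that implements the two integrity checks RADIUS defines for that leg with the Python standard library: the Message-Authenticator on an Access-Request (RFC 2869, HMAC-MD5 keyed with the secret, and required whenever EAP-Message attributes are carried, per RFC 3579) and the Response Authenticator on an Access-Accept or Access-Reject (RFC 2865, MD5 over the response bound to the request’s authenticator and the secret). The secret, user name and NAS identifier are constructed values. It also shows the check a NAS must perform: a Reject that an on-path attacker rewrites into an Accept fails verification.

```python
"""RADIUS integrity checks between a NAS and a RADIUS server (added example).

Standard library only. Implements:
  * Message-Authenticator (RFC 2869 s5.14): HMAC-MD5 over the Access-Request
    with the attribute value zeroed, keyed by the shared secret.
  * Response Authenticator (RFC 2865 s3):
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
All secrets and attribute values here are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 1, 32, 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (length covers T and L)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: bytes,
                         nas_id: bytes, request_auth: bytes) -> bytes:
    """NAS side: build an Access-Request carrying a Message-Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 random bytes")
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_NAS_IDENTIFIER, nas_id)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, last
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed placeholder is the final 16 bytes


def _find_attr(packet: bytes, wanted: int):
    """Return the offset of attribute `wanted`, or None; rejects malformed TLVs."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            return None
        attr_type, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            return None
        if attr_type == wanted:
            return off
        off += length
    return None


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: check the Message-Authenticator of an Access-Request."""
    if len(packet) < HEADER_LEN:
        return False
    off = _find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off is None or packet[off + 1] != 18:
        return False
    received = packet[off + 2:off + 18]
    zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_response(secret: bytes, code: int, request: bytes, attrs: bytes = b"") -> bytes:
    """Server side: build a response whose authenticator binds it to `request`."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS side: accept only a response bound to our request by the secret."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed for the demo only
    req = build_access_request(secret, 7, b"alice", b"switch-01", os.urandom(16))
    print("request MAC ok:", verify_message_authenticator(secret, req))
    accept = build_response(secret, ACCESS_ACCEPT, req)
    print("accept ok:", verify_response(secret, req, accept))
    # An on-path attacker who rewrites a Reject into an Accept fails the check.
    reject = build_response(secret, ACCESS_REJECT, req)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]
    print("forged accept rejected:", not verify_response(secret, req, forged))
```

Both checks rest on MD5 and a static shared secret, and RADIUS itself does not encrypt the packet (only the User-Password attribute is obfuscated). When the RADIUS server sits in the cloud rather than on the LAN, the transport should therefore be protected as well, with RADIUS over TLS (RadSec) or an encrypted tunnel, and the user’s actual credential should live inside the EAP conversation, ideally a mutually authenticated method such as EAP-TLS, so that it is never exposed on this leg at all.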
For those concerned with the notion of security delivered from the cloud, it is worth noting that according to Gartner’s research, “by 2023, 80% of enterprises will adopt two or more cloud-based security services”. As more companies become decentralized, we believe more of them will adopt security services delivered from the cloud.
***Tune in next week for part 3: The 5 “must-haves” in your 802.1X NAC solution. ***
The Perimeter is Dead
We know that our businesses are becoming more digital and connected every minute of every hour of every day. This is a global trend and the foundation for faster delivery, efficiency and productivity in all organizations. Organizations are no longer confined to their physical office premises as they once were. In many cases team members have the flexibility to work remotely, telecommute or work from branches in different countries, sometimes from shared co-working offices alongside other remote employees and business owners. As a result, IT security officers have their work cut out for them, whether they run a large multi-national organization or a small-to-medium business. We all know and feel the threats looming over our networks and the constant care needed to assure the security and integrity of our organization’s assets, whether physical or intellectual. In this first post of a series of three, we review a few challenges with network security; parts 2 and 3 of this blog consider some solutions.
We Adore Our Mobility
There is a lot of satisfaction in the increased productivity, flexibility and mobility that digital transformation offers. Is there anyone out there who would trade their smartphone for a flip phone, or their laptop for a desktop? The answer is clear: obviously not. We all adore our mobility and digital advances. So much so that IDC predicts close to 200 billion Internet-connected devices within the next two years.
If you are reading this article, there is an excellent chance that you use 5-6 connected devices, including your smartphone, a wearable of some sort, a laptop or two and a tablet or two. Perhaps you have a few IP cameras monitoring your home and office while you are away. And that’s just you. Now think of all the people bringing their own devices to the enterprise these days.
Next, consider the IoT (Internet of Things) devices appearing everywhere: according to IDC, there will be 80 billion connected IoT devices by 2025, which heightens a security concern stemming from the fact that IoT devices are almost invisible on many enterprise networks. Additionally, employees access every kind of application under the sun (or fluorescent light) on their own devices, and via the Internet on their company-managed computers. These applications and websites serve both personal and work-related purposes, placing the organization’s assets at risk.
In today’s decentralized enterprises there are multiple access layers at play, including wired, wireless and VPN connections. This is one of the core security issues with complex networks in decentralized organizations that have locations in different states and countries. Multinational organizations carry increased risk because of gaps in their IT security and the sheer number of access ports and end users. It is no wonder, then, that many IT departments have settled for half-promises of asset security and network control. They must operate under constant cyber threats that seem to spread faster and further every day. Unfortunately, one of these half-promises leads to incomplete Network Access Control (NAC) implementations and to lengthy, unsuccessful projects.
Security Vendor Fragmentation
Vendor fragmentation is an enormous headache that must be handled. It seems there is a solution for every inch of the network, as long as you are willing to work with five different vendors. Implementation is labor intensive and expensive. Moreover, IT leadership struggles when selecting vendor software because the solutions are diverse and no single vendor can meet all requirements and use cases, especially in decentralized organizations.
Safely On-boarding All Devices
On-boarding devices onto the network in a distributed organization is not hassle-free, and it often slows productivity. Additionally, compliance must be enforced across the organizational network, no matter which location around the world or which device is being used. At the same time, if one of your team members loses their computer, there should be a clear path to prevent that device from on-boarding onto the network again.
Many CIOs and CISOs have the constant burden of dealing with and maintaining the organization’s cybersecurity posture while potentially being targeted for cyber-attacks. With cyber-attacks being on the rise and in the news every week, it is no longer a question of if, but rather a question of when one’s organization will be under attack. And so the question arises – are we as prepared as we could and should be?
The network complexities outlined here may be preventing many organizations from establishing optimal solutions and procedures, especially those that provide full visibility and risk management, and many do not grasp how serious the threats are until it is too late. Is it really going to take a complete data breach before we do anything about it? Can’t we learn from other organizations’ mistakes and misfortunes? (Note the 2017 WannaCry attacks, for example.) Still, once IT departments have been burnt by unsuccessful NAC projects, they may be slow and cautious about implementing a new and, ideally, better technology.
Looking for an easier NAC project?