Authentication is Just One Piece of the Network Security Posture Puzzle

Establishing an Effective Network Security Posture Requires the Unification of Access Control, Risk Mitigation & Endpoint Remediation Capabilities

There’s a movement underway in cybersecurity today to adopt tools for enterprise network authentication – whether it be for WiFi authentication or wired port authentication. This trend makes sense. After all, authentication is just a fancy way of saying identity verification. Proving one’s identity has been a way of granting one’s access to something since time immemorial. From the secret passwords used to enter Chicago’s famed speakeasies to the retinal scanners used to clear you through airport security today – proving identity ensures trustworthiness and minimizes risk. 

Today, there are three primary methods that organizations rely on for network and application authentication: 

• Password-Based Authentication – Passwords are the most common methods of authentication. Passwords can be in the form of a string of letters, numbers, or special characters. To protect yourself you need to create strong passwords that include a combination of all possible options. Of course, humans are lazy and tend to stick to what they know…meaning the same password gets used almost universally 
• Multi-Factor Authentication – MFA authentication methods and technologies increase the confidence of users by adding multiple layers of security. MFA may be a good defense against most account hacks, but it has its own pitfalls. 
• Certificate-Based Authentication – Certificate-based authentication technologies identify users or devices by using digital certificates. A digital certificate is an electronic document based on the idea of a driver’s license or a passport. This is perhaps the strongest means of authentication. 

Now, Mission Impossible fans might say hey, wait a minute, biometric authentication is missing off this list. They’re not wrong, but frankly we’re not really focused on physically breaching CIA headquarters at Langley to get our hands on the coveted NOC list here. Rather, let’s focus on the day-to-day use of authentication techniques adopted by employees during business hours. 

I’m On the Network: Great, Now What?

The efficacy of the network authentication methods above can be debated to no end. That’s not why we’re here. Once a person’s device is authenticated to a corporate network, there are several security considerations that pure-play authentication tools can’t address. 

For example: 

• Is the connected user an employee, guest, or contractor? 
• What’s the user’s role within the organization (i.e. seniority or department)? 
• What can the user access on the network? 
• What’s stopping the user from accessing resources that shouldn’t be available to them? 
• How do you monitor the risk posture of the connected device? 
• How do you know if that user’s device becomes infected with malware? 
• Can you prevent that infected device from moving across the network? 
• Is there a way to return a non-compliant device back to a healthy state? 

Inside that medley of questions are a grab bag of other more detailed and technically intricate considerations that network security administrators may worry about. The point is this: once a user authenticates their device to the network, how can you prevent that device from posing a risk to the organization, even if unintentional? If you’re solely relying on authentication methods for a better network security posture, the answer is: you can’t. 

Closing the Gap on Network Security Posture Blind Spots

The list of considerations above boils down to needing three primary capabilities on top of network authentication when it comes to your network security posture. Without these, you’re essentially flying blind, unable to determine the true security posture of your network.  

These capabilities include: 

• Access Control – If authentication is the first step, employing access control is the second. Here, you’re aiming to dictate who can access what across your network. For example, you may not want Marketing to access Accounting’s VLAN. Why? Because Accounting’s VLAN holds sensitive financial information that has no bearing or relevancy to the day-to-day operations of Marketing.  In practice, this can be executed via dynamic assignment.
• Endpoint Risk Posture Assessment – The ability to continually monitor the risk threshold of each endpoint connected to your network means knowing how vulnerable you are to compromise. Network administrators will typically define a risk assessment policy, which assigns a risk score to each device. This score will indicate the level of risk posed by the device, taking into consideration the status of the device’s firewall, antivirus, applications in use and more. 
• Proactive Device Remediation – In some instances, the network security team may define a series of remediation policies. Essentially, a remediation policy consists of unattended corrective and preventive actions (CAPA), automatically applied to devices upon every transmission or on a recurring basis. A remediation policy can be used to reduce devices’ risk scores and increase compliance levels for network access. 

Unifying these Security Essentials With NAC

There is only one type of cybersecurity technology that brings together network authentication, access control, risk monitoring and remediation. That’s network access control (NAC). NAC, such as Portnox Cloud, unifies these network and endpoint security essentials in a single platform, and helps you fill in these critical gaps that an authentication-only approach fails to cover: 

• Device profiling for contextual understanding 
• Role-based and location-based access control 
• Segmentation through dynamic VLAN assignment upon authorization 
• Risk mitigation through device posture monitoring 
• Device quarantining based on risk score policies 
• Automated device remediation of non-compliant devices 
• …the list goes on… 

Ultimately, an effective network security posture must be established through a NAC system that brings together these essential capabilities. Otherwise, you’re holding on to a hope and a prayer. Rely on standalone authentication tools at your own peril – we’ll just have to say we told you so.