When implementing any insurance policy, you need to start with estimating the level of risk, the probability of that risk, and the potential damage should that risk become a reality.
One of the network risks that is often presented to demonstrate the ineffectiveness of 802.1x solutions is the ease of bypassing modern network access control (NAC) by using MAC spoofing. Usually, this involves spoofing the network printer or other vulnerable device.
Now, let’s put aside the fact that network printers today can support certificate or credential-based authentication, and that certain products have remedies against such attempts even when the authentication is based on MAC.
Let’s consider: is MAC spoofing a legitimate threat or an exaggerated, manageable flaw?
But before I try to analyze this risk, I want to point out the biggest advantage a NAC solution can give an organization to cope with modern cyber security threats: the ability to apply dynamic segmentation based on device type or identity.
Without going into too much detail, NAC is one of the only systems that can help you prevent lateral movement, indirectly allowing you to identify breaches and directly helping you to prevent the compromise of your crown jewels.
The threat landscape
Here are some of the most common adversaries when it comes to MAC spoofing:
The employee – a disgruntled current or former employee
The guest – a contractor, customer, patient, etc. who physically visits your organization for a period of time
The hacker – a malicious person trying to attack your network and steal information, causing harm to your organization
And here are the most common attack surfaces:
Wired, ethernet switches
One caveat: most wifi environments contain managed devices. So, for devices that do not have an 802.1x supplicant, and thus does not support certificate-based authentication (or credentials based), it is easy to setup an isolated segment and significantly lower the risk of attack.
As such, we’ll put our focus on examining wired environments, and how they’re vulnerable to the above adversaries.
Let’s be clear – MAC spoofing requires some technical knowledge to execute, which the non-technical lay person typically does not possess. Those doing it know what they’re doing, and they know it’s wrong.
With that said, it’s important to point out that a lot of damage is caused by the unintended – i.e. people clicking on a link in an email, deleting the wrong record or file, or even dropping a laptop into a pool.
Employees should be trustworthy. If they’re not, cyber security is likely not your problem. But, when someone is fired, laid off, or even just mistreated at work, there always exists the potential for them to hold a grudge. It’s human nature.
Disgruntled employees can pose a big risk. If an employee still works for an organization and he/she is determined to do damage, that’s a problem that’s nearly impossible to prevent. The network connection alone is not going to stop he/she from stealing data or worse. This individual likely already has access through other corporate devices and the credentials to access whatever data he/she wants.
At the end of the day, however, this individual’s risk of MAC spoofing can be categorized as “very low” with “low” probability and “low” potential for damage. The reason being is that the potential damage done is not necessarily related to network connection. The first line of defense against a disgruntled current of former employees is physical barriers – i.e. locked doors and other physical security.
A guest visiting your office might want to connect to your network. Most likely, this guest will not go to great lengths to hack your network if they are initially blocked. By supplying a guest network, such as a guest wifi, you will effectively eliminate that risk all together. Thus, like the employee, this individual’s risk of MAC spoofing can be categorized as “very low” for both probability and damage.
A hacker will need physical access to your network in order to do his/her job. Today, spearhead attacks can enable hackers to access your networks from afar. Doing so, however, typically requires some sort of motive.
This motivation is often dependent upon the type of business you operate. If you’re in military and defense, for example, you likely have a higher than average risk of being the target of such an attack. The same going for banking and financial services, healthcare and any other industry with highly sensitive and confidential data.
For most organizations, the threat of physical access hacking is typically low, while the potential for damage could be high. Should a retailer fear physical burglary just because a new device has connected to its network? I think not.
For most organizations, the risk of MAC spoofing is almost non-existent. This is usually fairly easy for an auditor to demonstrate, and would appear as part of a comprehensive security report. So in reality, the perception of the threat is that it’s a much larger problem than it actually is.
You can also prevent MAC spoofing by implementing stronger authentication methods that are fairly common today. One of the major roles of NAC is to provide secure authentication and authorization to the network. Thus, even if authentication is somehow breached, authorization serves as a second layer of defense that can limit access by putting potential individuals of risk in a specific “narrow” segment.
The segmentation of specific types of MAC-based devices is a best practice in NAC. Even if spoofing occurs, such a device won’t be able to access a particularly sensitive VLAN, such as those in Finance or HR, if proper segmentation has been established through your network security policies.
Cyber security data breaches are becoming increasingly common and severe. Today, banks, insurance companies, investment firms, and other financial institutions are considered to be prime targets. Due to the sensitivity and importance of their data, these institutions suffer approximately 300X more cyber breaches than any other industry.
In 2018, the financial sector reported 819 cyber incidents, an explosive increase from the 69 incidents reported for 2017 – including the infamous Equifax data breach. The total numbers for 2019 won’t be available until next year, yet we know that the financial sector has already experienced a number of significant attacks already this year. Such breaches included the attacks on Capital One, First American Financial Corp., Desjardins Group and Westpac/PayID.
Despite these pervasive cyber security threats, financial institutions are still failing to prevent, defend, prepare and respond effectively to attacks – particularly when it comes to network security. In many cases, the problem stems from executive leadership not prioritizing the cybersecurity budget or emphasizing its importance. Few organizations make prevention a priority, few apply the top recommended CIS controls or prepare employees on how to respond effectively in the event of a security incident. Unfortunately, poor network access control and other cyber security oversights lead to hundreds of millions of dollars in losses, the exploitation of personal data and more.
Some financial institutions, however, have already decided to take proactive measures this year to obtain risk monitoring, visibility and access controls. One such group is Royal London, the UK’s largest mutual life, pensions and investment company. Faced with limited network and device visibility, they had a variety of security and compliance issues to contend with. However, since implementing Portnox CORE, the company and all of its locations have instituted a higher level of cyber hygiene.
CORE is a simple to operate network access control solution that provides full visibility into every endpoint and component on the network, along with risk monitoring and enforcement capabilities. It is simple to deploy and manage and has received numerous cyber security awards.
From the moment Portnox’s on-premises NAC solution was implemented, Royal London’s security team has been able to successfully handle all challenges associated with visibility, control and compliance enforcement. This includes the ability to see all endpoints on the network, and ensure that they are properly secured according to company policies, privacy standards and regulatory compliance.
Furthermore, as risk-monitoring and other network security enforcement actions that would otherwise have to be done manually are now automated, Royal London’s IT team can devote their time to more important tasks, thereby increasing efficiency and productivity.
Fill out this form to immediately receive the full case study:
Portnox CLEAR is a cloud-based network security solution that provides role and risk-based network access control for corporate and BYOD endpoints across all access layers, including wired, wireless and VPN. CLEAR allows an IT administrator to discover and monitor unsecure, compromised and vulnerable devices, while being able to authorize and manage access to corporate networks based on device risk posture assessments.
In order to provide these capabilities, our cloud-based NAC solution collects and stores data in the cloud. With the understanding that organizational data includes sensitive and important assets for each company, CLEAR uses the most advanced and secure protocols to protect this data in accordance with best practices in data access control in cloud computing. To better understand these cloud security techniques, we will review the security of data at rest, data in transit, administration, management and additional cloud security measures.
Data at Rest
Portnox CLEAR uses Microsoft Azure as its IaaS (Infrastructure as-a-Service), PaaS (Platform as-a-Service) and in some instances, it uses Azure-specific SaaS elements. Azure infrastructure was selected because of its high security standards and global availability. In fact, Azure has the widest spread of data centers across the globe today.
CLEAR stores all data on different Azure storage services such as Azure Storage Service Encryption (SSE) where data is encrypted and decrypted using 256-bit AES encryption. For CLEAR administrators’ passwords and Radius-shared secret keys, CLEAR uses Azure Key Vault where keys are stored in hardware security modules (HSMs).
Data in Transit
With Portnox CLEAR we protect all data traveling to and from CLEAR cloud services, and the methods are constantly being upgraded to stay ahead.
Ethernet Switches & Wireless Controllers
Ethernet switches and wireless controllers send AAA Radius authentication requests to CLEAR’s cloud Radius in order to validate and allow access of devices to networks protected by CLEAR services. All traffic is encrypted with a shared key between the NAS and CLEAR Radius.
In addition to that, TLS encapsulates the encrypted Radius packet and provides an extra layer of encryption.
There is an option to use RADSEC (Radius over TLS) protocol. RADSEC uses TLS in combination with the TCP protocol. This provides stronger security and reliability than UDP which is commonly used for Radius communication.
Additionally, CLEAR admins could restrict access to the CLEAR Radius service by choosing to allow access only from specific IP addresses. All other IP addresses would be denied access.
All traffic between the VPN and CLEAR’s Radius server is encrypted using a symmetric key – a long and random key, generated by cloud-based NAC solution that is manually copied to the VPN device. Furthermore, the authentication details for users usually include only hashes, but those capabilities vary between VPN GWs. CLEAR secures the VPN client’s connection by verifying that connected devices are complying with the organization’s risk-assessment policies and by using two factor authentication capabilities.
Portnox CLEAR Cloud Broker
The cloud broker is an application component that runs on-premises and is used as a bridge between CLEAR cloud services and the corporate on-premises Active Directory. The broker is deployed when there is a requirement for 802.1X credentials authentication with on-premises Active Directories and/or for AgentP enrollment by using on-prem AD.
AD users and groups include sensitive and important information for any organization and thus the following security measures are taken:
The Broker application is installed on a domain-joined machine, while the LDAP queries user ID is a read-only user, and the LDAP communication can be LDAP or LDAPS (LDAP over SSL).
The service user that connects to the LDAP is saved locally on the domain machine.
The communication with CLEAR cloud services is always over TLS. All traffic is encrypted.
CLEAR services are updated with group names and user IDs only, whereas passwords never travel to the cloud and the verification is done by using the MSCHAPv2 challenge response authentication protocol.
Portnox CLEAR’s AgentP
AgentP is a lightweight application that can be installed on most platforms, including Windows, MAC OS X, iOS, Android and Linux. Using AgentP offers many security advantages such as risk assessment capabilities, SSID configuration, 2FA for VPN / OKTA and CLEAR certificates deployment. Data collected by AgentP is sent via the Transport Layer Security (TLS) protocol. The data is never stored locally on the endpoint, but processed only via the device RAM and is sent periodically to CLEAR services.
Administration and Management
The available administrators’ repositories are: CLEAR (based on email domains), Azure AD, Google G Suite and OKTA.
For administrators on our cloud-based network security platform, password complexities and expiration policies are built-in and cannot be turned off. Two factor authentication is also available for CLEAR admins and authorization codes are sent via text message. Captcha verification processes are also included as part of the sign-up process.
For Azure AD, G Suite and OKTA, the authentication is determined by the authentication repository, including multi-factor authentication.
Role-based access control is supported and administrators can be added with full admin permissions, read only or guest management only permissions.
Additional Security Measures
Portnox’s DevOps team uses automated code and scripts to identify security issues in the code. In addition, Portnox uses third party technologies that specialize in conducting complex penetration tests for cloud products.
Our cloud-based network security solution is a SOC 2 Type 2 compliant technology. Regular audits are conducted to ensure that the requirements of SOC 2 Type 2 security principles are complied with:
Security – The system resources are protected against unauthorized access.
Availability – The system is available as committed.
Processing Integrity– System processing is complete, accurate, timely and authorized.
Confidentiality– Information that is designated as confidential is protected.
Privacy – The privacy of the information that the service collects, retains, uses, discloses and disposes.
For more detailed information on CLEAR’s cloud-based network security measures, please contact your customer success representative, or visit the CLEAR support site.
Network Access Control (NAC) sits within the larger field of cybersecurity, and more specifically network security. It is a technology that enables organizations to enact its own unique policy for how and when endpoints (desktops, laptops, smartphones, etc.) can connect to their corporate networks. NAC solutions are typically designed to allow IT security teams to gain visibility of each device trying to access its network, and specifically the type of device and access layer being used (i.e. wifi, wired ports, or VPN).
Today, NAC provides a number of powerful features on top of what it was originally designed for nearly 15 years ago. These include security posture assessments for endpoints, which pinpoints any associated endpoint risks, allowing network security administrators to control network access based on their organization’s risk tolerance threshold.
With the rise of cloud computing, remote workforces, bring-your-own-device (BYOD) policies, and the internet of things (IoT), network access control has become a much more critical part of the larger cybersecurity technology stack at most companies. The technology itself has also evolved quite drastically in response to these emerging trends and their impact on networking and ensuring network security.
The use cases for NAC today are constantly expanding. Network security professionals leverage NAC solutions for network visibility, the discovery of endpoints, security profiling, compliance enforcement, remediation…the list goes on. In general, NAC is designed to do two core tasks: 1) authenticate the endpoint trying to connect to the network, and 2) authorize access based on authentication and posture assessment.
Throughout this piece, we will examine how NAC is being used out in the real world, things to consider when defining your NAC policies, the best way to invest in NAC, and more. Feel free to skip to any section using the links below:
Network access control delivers a host of benefits to the organizations that deploy it. Generally speaking, the value unlocked by NAC can be broken into three distinct areas of focus: 1) operational need, 2) security best practices, and 3) regulatory compliance.
One of the most interesting aspects of NAC is the fact that unlike many other areas of network security, it brings more than just the value of security to the table. In particular, NAC delivers three core operational values:
Device Onboarding – Properly connecting and removing new non-managed devices to/from the network.
Guest / Contractor Access – Securely granting limited access for third-parties connecting to the network, either for short or long periods of time.
Asset Profiling – Identifying which devices exist in your organization and where they are connecting from.
Security Best Practice
The importance of network security goes without saying. Network access control, however, checks the boxes for a variety of IT security best practices, including:
WiFi Security – Nearly 20% of SMBs experience a data breach by a former employee who still has WiFi access…make sure you can control all WiFi connections.
Visibility – See all devices on your network – no matter device type, location, or access layer used to connect.
Containment – The ability to quarantine, block, or provide limited (guest) access to endpoints that do not meet your internal risk policies.
Asset Profiling – see above.
Highly regulated industries like banking, financial services, and healthcare require strict compliance policies when it comes to their networks. NAC helps to deliver this and more through:
Posture Assessment – Continually assess the risk posture of connecting devices across the network, no matter location or access layer.
Port / Wired Security – Ensuring no un-trusted device can physically connect to the network via wired ports in the office.
Segmentation – Properly directing employees into their respective departmental VLANs, or pushing visitors to the guest network.
WiFi Security – see above.
Individual Use Cases for Network Access Control
Within each of the three primary areas of value of NAC are a variety of different use cases for NAC. These include…
NAC is frequently used for device onboarding, which is the process of providing new devices with access to the corporate network for the first time. It sounds simple, but it’s anything but. Business units and even departments (think Finance & Accounting, for example) often have their own VLANs since they’re dealing with very sensitive, confidential data.
The task of setting up such VLANs and onboarding new devices is just one of dozens of tasks overseen by frequently overburdened IT teams. So, if not done correctly at first, it can open the door to potential network vulnerabilities, such as a person gaining access to a part of the network he/she should not have the privileges for.
At a small scale, managing access manually if often sufficient. For larger organizations, however, this just isn’t sustainable. As a result, many large organizations that don’t have a secure onboarding process will often compromise on network security hygiene.
At some point in the workday, most companies will have non-employees visiting their offices for meetings and business dealings. These guests are typically on-site for brief periods of time but may need wifi access during the course of their stay.
Typically, each organization defines the level of authentication and monitoring they want for their visitors. Common policies include:
Disclaimer Only – Notifying the rules for which they might need to abide while using the company network.
Pre-Generated Username & Password – Simple authentication for better control of whom is connecting the network
Sponsorship – Authentication based on an individual working for the organization. Usually, the sponsor will receive an email to approve the connected guest.
Many organizations offer a guest network, where day-to-day visitors are directed. This approach effectively eliminates the most common threat – someone that is just looking to be connected to the internet. The most common way to implement network access for guests is through the use of a captive portal.
Additionally, many businesses hire contractors or consultancies to tackle specific projects. These individuals and groups will need network access for extended periods of time and will need to be granted access to company resources and sensitive, proprietary data. NAC is used to dictate and enforce the level of access these types of individuals receive based on internal policies.
In recent years, remote work has soared due to a greater demand for mobility and flexibility. This has given rise to the adoption of bring your own device (BYOD) policies within many organizations. Now, while this approach makes operational (and even financial) sense, it does come with a caveat. By allowing employees, contractors, and guests alike to use their own devices to connect to the network, you’re immediately faced with issues like data leakage, malware infections, the mixing of corporate and personal data, and more.
With BYOD, a network access control solution can effectively secure such a fragmented network through multiple methods of authentication, and by making sure device risk posture is valid and continuously remediating any security issues in real-time. First, network security administrators can use a dedicated SSID for employee device authentication – no matter if it’s managed or personal. They can then create a separate SSID for guests and contractors to authenticate those individuals to the guest wifi.
The other option available for authentication is through the use of directory credentials. Integrating tools like Okta or Active Directory with your NAC can allow you to authenticate manage corporate devices through certificates, and personal credentials for BYOD.
Captive portal is a web page for authenticating users and verifying their device type and posture state. While this method is sufficient for visitors, it is an insufficient solution for employees or permanent visitors on your network. The most common use cases for captive portal are:
Self-service portal for BYOD / IoT on-boarding
It’s important to note that this is an interactive method to access the network, so when non-interactive devices, such as IoT are “pushed” to a captive portal, they can not react and thus can not gain access to the network. In order to use IoT onboarding with a captive portal, the end-user should either register the IoT in the self-service portal or download some form of credentials to be inserted to the IoT device (such as a digital certificate).
For fully remote employees or contractors, companies have traditionally relied on VPNs to establish secure encrypted connections for remote access to the corporate network. A VPN does not stop an endpoint from accessing the network, however – it’s only a way of providing remote network connectivity. By itself, a VPN is missing the ability to authenticate a user – it can not prevent “unhealthy” devices from connecting to the network.
In the instance of remote access, NAC can be layered over the top of a VPN, VDI or other remote access methods, such as a Meraki Z3 Teleworker Gateway, to provide effective authentication and access control, as well as endpoint risk profiling – just like any other access layer (i.e. wifi or wired port).
Device Risk Posture Assessment
Your corporate network is only as strong as its weakest security link. This means continuous risk posture assessment is paramount. By continually monitoring the network, your network and security teams can stay ahead of cyberattacks with the ability to identify new risks in real-time, react to these risks, and take action. In a world with ever-expanding boundaries and an exponential increase in types of endpoints, continuous risk posture assessment must function no matter location, device type, or the type of data is being transferred.
Having a rapid remediation plan in place will not only help prevent further damage or the lateral spread of attacks but also allow for business continuity. Effective endpoint remediation consists of:
Automated Patch Updates Across the Network – Enforce necessary patch, anti-virus, operating system, and application updates across managed and unmanaged endpoints.
Immediate Incident Response – Contain ransomware events by remotely disconnecting endpoints from the network without the need for manual intervention.
Armed Incident Response Teams – Arm IT professionals and network admins with the ability to remotely take actions on employees’ devices.
The proliferation of IoT devices over the last decade has prompted a growing number of network security concerns. With all of these devices – printers, CCTV cameras, ATMs, MRI machines, etc. – now connected to their respective networks, it’s exponentially expanding corporate threat surfaces.
To combat the many risks posed by these new endpoints, companies are turning to NAC to gain visibility, knowledge, and control over IoT devices – much the same as traditional PCs and VoIP phones based in the office. There is a huge variety of IoT devices, and in general, there’s a serious lack of centralized management with regards to their security posture. Many of these IoT devices still rely on IT security technology from the 1980s, with no password brute force controls and no available patches.
It’s not a question of if vulnerabilities exist on IoT devices, this is a given. Today, it’s a matter of ensuring these devices can be properly controlled to they can’t compromise the network. Currently, the only line of defense is segmenting them out of the network. Making sure only authorized users and devices can access them – this is exactly what NAC solutions are doing in an automatic method.
Industries like banking, financial services, and healthcare are typically subject to a plethora of compliance regulations, such as SOX, HIPAA, PCI-DSS, GLBA, and now GDPR. Embedded in many of these regulations are certain network security parameters that necessitate access control so that sensitive personal and confidential information is not compromised.
Once a company has defined its internal network security compliance policies, it needs to implement a network access control solution to put in them into effect in order to continually assess its compliance standing.
NAC is used to enforce regulatory policies and maintain compliance across the organization. In practice, this typically means:
Understanding how mobile, BYOD, and IoT devices will affect and transform not only the organization but the industry and implementing the right processes and tools control them.
Tracking any network related device or program in real-time via a centrally secured platform providing full and actionable visibility.
Controlling access to the network and to cloud applications, even based on the geographical locations of users.
Ensuring that the business is in compliance with governmental regulations like SOX, PCI DSS, HIPPA, FINRA, FISMA, GLBA among others. Strict compliance will provide legitimacy with clients and partners.
Common Network Access Control Policies
Access Control Policies
Network security teams define and activate access control policies to control device access to the corporate network, which is ultimately based on the device authorization state. Once a device is authorized for network access, a network access policy determines which specific virtual LAN (VLAN) that device or user is directed to. On top of that, the policy also defines, for each type of authorization violation, whether to deny entry or whether to quarantine the device by assigning it to a specific VLAN or apply an ACL.
Risk Assessment Policies
In addition to defining an access control policy, network administrators will typically define a risk assessment policy, which assigns a risk score to each device. This score will indicate the level of risk posed by the device. Depending on the NAC solution in use, these risk scoring systems may differ. A risk assessment policy defines, for each device attribute (such as OS, security posture, geo-location, and more), the risk rating to apply if the device violates the current policy in use. At the end of the day, the risk score is used to determine whether allow, block, or quarantine from accessing the network. This is the backbone of NAC.
In some instances, the network security team may define a series of remediation policies. Essentially, a remediation policy consists of unattended corrective and preventive actions (CAPA), automatically applied to devices upon every transmission or on a recurring basis. A remediation policy can be used to reduce devices’ risk scores and increase compliance levels for network access.
Common Network Access Control Concepts
Post-Connect vs. Pre-Connect
Within the world of network access control, “post-connect” refers to a device being allowed to connect to the network and immediately being checked for authentication. If a device does not meet the organizational criteria for authentication, it will be blocked from having access to the network (or access will be limited).
In contrast, “pre-connect” means that authentication decisions are being made before a device is allowed on the network. Only once the device is authenticated will it be granted access to the network based on the policy. 802.1X is a traditional pre-connect method.
In general, a pre-connect approach is more secure since the device is granted access to the network only after identified as an organizationally trusted device. Post-connect is more operational for end-users, as they are granted access to the network before a decision is made.
Agent-Based vs. Agentless
Today, most NAC solutions can perform authentication and authorization without the need of an agent. Agents are typically employed for the following reasons:
Risk Posture Assessment – This mainly the case for companies with BYOD policies.
Remediation – In order to know if a firewall or anti-virus is out-of-date, you must have an agent.
On-Boarding of Unmanaged Devices – Again this mainly applies to BYOD.
In some cases, the agent does not need to live within the network access control solution. Rather, third-party agents such as mobile app management software (MAM/MDM) and services can be leveraged to execute the above functions.
Cloud NAC vs. On-Prem NAC
As we go into further detail below, if you can move NAC to the cloud, you should. There is a myriad of benefits to doing so. At a high-level, these include operational time savings thanks to easier deployment and less on-going maintenance, better accessibility (especially for distributed enterprises), more flexibility as your business needs change, etc. In general, enterprises are increasingly adopting purpose-built cloud technologies for different operational needs, and NAC is no exception.
Not every organization has the ability to deploy a cloud NAC solution, however. One of the main hindrances of doing so is a lack of openness or internal expertise for cloud services. There still remain dwindling concerns, misconceptions and unrealistic expectations over the potential benefits and overall security of public cloud services, which has resulted in some industries such as government agencies, healthcare, and education – to name a few – to be slow in adopting new enterprise cloud technologies.
Passive Profiling vs. Active Profiling
A core function of NAC is the profiling of network traffic and connected devices. In general, there are two approaches to profiling: 1) passive profiling and 2) active profiling.
Passive profiling means that a company’s NAC solution has been allowed to see all traffic across the network, and uses this intelligence to observe and analyze traffic to develop a passive profile of each device. On the other hand, active profiling means that a company’s NAC solution has been configured to initiate requests to the endpoints so that each device can have a profile created for it.
Must-Have Network Access Control Solution Capabilities
Full Access Layer Coverage
As today’s networks explode in size and scope, particularly with remote workforces on the rise, it’s imperative that your NAC solution can manage access control across all existing access layers. This includes the obvious – wired ports and WiFi. It also must be able to manage the various remote access methods used within your organization. These may include VPN, virtual desktop infrastructure (VDI), Meraki Z-Series Teleworker Gateways, and beyond.
Nearly primary management and productivity tool used by businesses have shifted to the cloud. Network access control is no exception. The inherent productivity, operational, economic, and accessibility benefits have driven this trend in the last fifteen years.
When it comes to NAC, however, there is a big difference between cloud-based and cloud-delivered. Some NAC providers offer an accessible cloud-based platform from which to manage network access, but this typically still requires on-site hardware to be installed. With a cloud-delivered approach, you stand up everything from a RADIUS server in the cloud to allow for centralized authentication and authorization up to certificate authority. This saves a significant amount of time and means that even large distributed organizations can implement NAC across their many locations in a fraction of the time as traditional on-premise network access control solutions.
Today, 802.1X is the standard protocol for network access control. When searching for a NAC solution, the ability of the system to deliver 802.1X authentication is of the utmost importance. With access control based on 802.1X, network administrators can confidently block rogue devices, quarantine noncompliant endpoints, limit access to specified resources – whatever your internal policy calls for. 802.1X remains one of the best ways to authenticate devices because of its continuous and direct communication, in contrast to post-scanners, or other less secure authentication solutions that expose the network to vulnerabilities.
Zero-Trust for Endpoints
While “zero-trust” has become another overused buzzword in the world of network security, it is, in fact, an effective approach to sealing your network off from rogue devices. With zero-trust, an organization inherently does not trust any endpoint inside or outside its perimeters. A zero-trust network access control solution can eliminate the need for extensive endpoint scanning since the status of a device is already known. This doesn’t eliminate all of the attack surfaces, but it does help in protecting both endpoints and your network.
Endpoint Risk Assessment
The ability to continuously assess the risk of devices connected to or trying to connect to your network is paramount. Understanding the risk posture of devices – on-site or remote – and proactively taking action based on endpoint risk – such as allowing, quarantining, or denying access across access layers – is the best way to ensure network threats are kept at bay.
The world is changing – threat surface is expanding, and companies are increasingly turning to purpose-built enterprise cloud applications to streamline business processes. Today, it’s not enough to just protect what’s on-premise – you need to know the risk posture assessment of every device that connects to corporate resources, no matter location.
Continuous Device Remediation
Awareness is only a piece of the puzzle, however. When considering a NAC solution, it’s important to understand if it can easily remediate devices that sit outside of internal risk policies and restore those devices to the proper posture to eventually grant network access. Put simply, ensuring devices are healthy reduces security risk. That means network administrators can sleep a bit more soundly at night.
As we covered earlier, real-time device remediation has a major operational benefit as well – it saves time! By eliminating the need for network or security administrators to fix devices manually, you’re freeing them up for more important tasks.
Corrective & Preventative Action (CAPA)
Risky technology behavior like inserting an untrusted USB drive, or failing to update a firewall or anti-virus is prevalent. We’re almost all guilty of it. The ability to prevent this risky behavior is thus important. Not just for the sake of lowering the exposure time, also saving important time for the organization by fixing the issue automatically and preventing a potential breach.
Multi-Factor Authentication (MFA)
Leveraging MFA for NAC that looks at a user’s credentials and an enrolled device is critical to ensuring access control across today’s expanding networks. MFA should be integrated within your NAC, especially on remote access. This approach ensures that security is offered on two levels: protection of the user identity, and authorization of the device – making sure only managed and secure devices are allowed to gain access. With MFA, if a user’s credentials are compromised, they’re effectively useless and if the device being used is not enrolled with the NAC you cannot access the VPN, VDI, or cloud applications.
The Future of Network Access Control
NAC and the Rise of SD-WAN
The adoption of Software-as-a-Service (SaaS) and cloud services has decentralized data traffic flows, making Multiprotocol Label Switching (MPLS) inefficient for wide area network (WAN) transport. This has given rise to SD-WAN for the implementation of software-defined branch (SD-branch), now allowing IT environments to be extended to branches outside of the headquarters that need high-quality network connectivity.
Traditionally, in order for NAC to effectively operate, it has needed a direct connection to headquarters and appliances deployed on-site at individual branches. This is a costly, time-consuming endeavor, and has historically limited the use of SD-WAN and SD-branch. NAC has adapted by moving to the cloud, eliminating the need for on-site appliances and on-going maintenance. Now, all one needs is an internet connection to implement.
The Impact of Secure Access Service Edge (SASE) on NAC
In 2019, Gartner introduced SASE as a new enterprise networking technology category. In essence, SASE converges the functions of network and security solutions into a single, unified cloud service. This marks an architectural transformation within the realm of enterprise networking and security, and it means that IT teams can now deliver a holistic and flexible service to their businesses.
The logical next step in the evolution of network security is for organizations to be able to leverage a NAC solution that’s delivered as a cloud service. This eliminates the need for costly on-site appliances and on-going maintenance. Now, all that’s needed to control network access at branches and the headquarters alike, is an internet connection.
As the demand for mobility continues to increase, and Wi-Fi continues to replace Ethernet as the preferred corporate access layer, many organizations are facing similar security issues and requirements. This is particularly significant with the increasing number of guests, contractors and employees who are using their own devices on corporate networks. In recent years, there has been an increase of personal devices entering the workplace with many organizations adopting BYOD policies.
Overall, having a Bring Your Own Device (BYOD) policy has proved to be a good business policy. By allowing employees, contractors and guests to connect their own devices, such as laptops, smartphones, and tablets, to the corporate wireless network, enterprises have been able to save money while increasing productivity and team motivation (Frost & Sullivan). However, there are certain challenges to securing the organization’s WiFi network in a BYOD environment. Without addressing these issues properly, you are leaving your company’s assets and data vulnerable.
Approaches to BYOD on WiFi
Some companies allow BYOD usage for everybody, on the company WiFi, whether employees, contractors or guests, while others maintain a strict Zero BYOD-WiFi hookup. There are companies that choose the middle ground approach of allowing employees to connect their own devices on the corporate wireless network but have a separate WiFi network for guests and contractors, and some allow contractors to connect to the company WiFi for specific tasks. Either way, the question of how to handle BYOD and WiFi security seems to come up in many conversations we have with IT teams in regards to network security and secure mobile device management.
How Does BYOD Impact the Security of Company Wireless Networks?
In general, security risks comprise the most serious challenges in a BYOD environment (other than the danger of overloading your bandwidth and IT support issues). Once employees leave the company, they take their personal devices. This could mean that sensitive corporate data and assets (intellectual or physical) are unsecured, especially in environments that use passkeys for WiFi access. Enforcing security policies on the endpoints that are not owned by the company is not practiced by many companies as it seems like an impossible task for IT Departments, however, below we will discuss the easier methods and controls that can be implemented, rather easily, to make sure that WiFi-BYOD security is properly addressed.
Malware infections – If an employee were to accidentally install malware onto their device, while it is connected to the corporate WiFi network, they could spread the malware to other devices. The employee might even unknowingly install keylogging software, thereby enabling unauthorized users to obtain company usernames and passwords, and use them to gain access to sensitive or private enterprise data.
IT infrastructure – Most organizations with BYOD policies must invest time, energy, and money to assure that BYOD policies are compliant with security and privacy policies. To avoid the need to divert more time and resources later on to fix problems, IT personal must make sure to implement BYOD nac exactly according to policy from the beginning.
Mixing corporate and personal data – Sometimes it is difficult to distinguish between personal data and corporate data. If the endpoint were to be lost or stolen, company data would be at risk of exposure. There are also privacy concerns when employees leave the company.
Employee, Guest and Contractor BYOD – The Differences
Guests – Typically, these are visitors that are around for short visits, and in some work places we have observed that the same WiFi network that is used for employee devices is made available to guests.
Contractors – Most often these are professionals, outsourced to perform a specific job or project, sometimes collaborating with employees, and therefore they remain at the company (physically or virtually) for longer time periods compared with guests, and require the use of their own devices. In this case we have observed access that is granted to more sensitive data and resources, depending on the project, such as accounting, HR, legal, insurance, IT, intellectual data, technology, and more.
Employees – the permanent team members who may require access 24/7/365 depending on how geo-distributed the organization is and how quickly they need to be able to access corporate data to perform their duties.
When examining WiFi security, it is crucial to consider the method being used to authenticate to the network. At Portnox we recommend WPA2-Enterprise, also referred to as WPA-802.1X mode. It authenticates to WiFi by using different identities instead of a single password. An identity can be credentials (user + password) or it can be a digital certificate. The WPA2-Enterprise authentication method is a great fit for any enterprise, large or small, allowing organizations to properly secure their wireless networks and making sure that they are compliant with security best practices.
By implementing enterprise-grade WiFi security that can authenticate all devices requesting access to the network, all endpoints are better protected. Access can be set to identify suspicious endpoints and to deny network access. This would protect the most internal network with the most important data and assets as wells as help to safeguard technology assets and employee devices.
Implementing identity-based WiFi access control would mean that employees are granted access based on their personal user ID or credentials, thus dramatically reducing the chances of unauthorized access to the organization’s Wi-Fi network, and it would ensure a much better security standard over the shared password practice. Team members will have access to corporate WiFi, that would allow them access to the systems and information to best perform their jobs. However, if they leave the company, instead of having to change everybody’s password for WiFi, you only have to cancel out those individual credentials.
Practices for Securing BYOD
Using enterprise-grade WiFi security enables the company to allow access to specific SSIDs and to authenticate based on any method. Some companies set up an SSID dedicated to employees for both company-issued and personal devices. This means that employees can connect their smartphones, tablets, etc. to that WiFi network, and it is a separate SSID from the one used for guests and contractors. The guests at these companies can connect to a pure guest internet connection.
In cases where the company is using Active Directory credentials to authenticate to the network, the company cannot stop employees from connecting their BYOD. So the best practice in cases like these is to have managed corporate devices authenticated with certificates, to use personal AD credentials to authenticate employee BYOD and to have easy onboarding for guests and contractors via a separate SSID. If contractors need access to certain corporate data, temporary user credentials could be provided.
Some companies do not have Public Key Infrastructure (PKI) so they are “stuck” using personal credentials and thus, cannot completely control employee BYOD and enforce to use company vs. BYOD network. Still, when using SaaS/cloud-delivered WiFi security such as Portnox CLEAR, CLEAR itself includes a certificate authority. This means that companies can issue network authentication certificates to their corporate endpoints, without the need to deploy PKI (unless there is already such infrastructure in place).
Taking the Next Step
Allowing employees, contractors and guests to connect their devices to the company WiFi network can be done in a secure and simple way. By taking a few easy steps online, you can keep your WiFi network, company assets and data secure while incorporating a productive and user-friendly BYOD environment. Regardless of how you would like to authenticate devices, Portnox CLEAR’s Secure WiFi can help you navigate through the process and provides easy SaaS implementation within a few minutes. Contact Portnox Security today for expert advice to help you move forward with your secured BYOD & WiFi.
When examining WiFi security, the first layer of defense is the method being used to authenticate to the network. The most widely used methods of authentication are Open authentication, WPA2-PSK (Pre-Shared Key) and WPA2-Enterprise (read more about WPA protocols below).
Other authentication methods such as WEP (Wired Equivalent Privacy) and WPA-PSK (without the 2, also referred to as WPA-Personal) are used as well, but they are relatively easy to hack, and therefore are not really worth mentioning, besides making a general note here – to utterly avoid them.
As the name implies, an open authentication network allows access to all, and users are not required to authenticate at the association level. It is important to know that open networks are not encrypted, and so everything transmitted can be seen by anyone in its vicinity.
The best security practice is to completely avoid connecting to open networks. If there is an immediate need to connect, it is best not to allow devices to connect automatically but rather to select the network manually in the device settings. Open networks are easily forged, and hacking tools such as Pineapple use the fact that mobile devices are constantly searching to connect automatically to an open network. These tools perform Man-in-the-middle attacks to steal data such as passwords, credit cards, etc.
WPA / WPA2 / WPA3
WPA stands for WiFi Protected Access. This authentication method uses different encryption algorithms to encrypt the transport. Therefore, this type of network cannot be forged easily, unlike open networks, and users get privacy. Today, WPA2 is probably the most commonly used method to secure WiFi networks.
Sadly, WPA and WPA2 protocols have been hacked and are considered to be less secure. Performing a WPA2 hack requires a lot of time and is somewhat theoretical. Slowly, we are noticing a move to the WPA3 method, but for that to happen, different infrastructure is needed to support that protocol.
WPA2-PSK (and WPA3-PSK) is WiFi Protected Access (WPA) with a Pre-Shared Key. In simple terms, it is a shared password to access the WiFi network. This method is commonly used for home and small office WiFi networks. Even in a small office setting, using this method is problematic, because each time an employee leaves the company, the password must be replaced; otherwise, the former employee could still connect to the company WiFi.
Furthermore, employees tend to share the password with guests, visitors and contractors in the building, and you shouldn’t have the whole building connecting to the internet at your expense, risking the security of your data and assets in the process.
This method, also referred to as WPA-802.1X mode, authenticates to WiFi by using different identities instead of a single password. An identity can be credentials (user + password) or it can be a digital certificate.
This authentication method is better suited for enterprise networks and provides much better security for wireless networks. It typically requires a RADIUS authentication server as well as a configuration process to different repositories, enabling the organization to authenticate different types of endpoints.
The underlying protocols to secure the authentication vary between different Extensible Authentication Protocols such as EAP-TTLS / EAP-TLS, EAP-PEAP, each one representing a different type of authentication method and level of security.
With WPA2-Enterprise one can use advanced features such as assigning each endpoint after authentication to a specific VLAN or assigning ACLs (Access Control Lists) to specific sections. Additionally, enterprises can audit the connection with additional details. These features are important as they allow enterprises to properly secure their wireless networks and to make sure that they are compliant with security best practices.
CLEAR is a SaaS, cloud-delivered, WiFi access control solution that allows you to secure your WiFi based on WPA2/3-Enterprise, using personal identities or digital certificates. CLEAR supports a wide range of authentication providers, from on-premises AD through cloud providers such as GSuite and Azure AD. CLEAR comes with a cloud-RADIUS, therefore there is no overhead, as there is no equipment to install or maintain. It requires no training or skilled personal to deploy and operate. In less than 10 minutes, large and small companies are deploying CLEAR’s enterprise-grade Wi-Fi security.
Are you using a pre-shared passkey to allow access to the organization’s WiFi?
Securing WiFi access in businesses has been historically weak. Oftentimes, companies protect their Wi-Fi access with a pre-shared password, sometimes posting it on whiteboards within the company or placing it for all to use at the reception desk to enable easy access. This is primarily for modern convenience purposes, as businesses would like to enable productivity and collaboration with contractors and guests, as well as allow for staff mobility within the premises of the enterprise.
What’s the problem? And why should I care?
The problem with this practice is that this is a “home style” level of security that places the company’s data and assets (whether intellectual or physical) at risk of being damaged or stolen. If an outsider successfully connects to the company’s WiFi, they could bypass the Firewall and all traditional cyber security mechanisms applied by most companies today. Once inside, they could damage the organization’s reputation by accessing illegal web sites, or company data, whether it resides on premises or in the cloud. Accessing these items is easy, and there are many automated network tools that can enable “non-techies” to do the work. Additionally, this type of hack could easily be achieved via simple social engineering. Another reason to be worried about the use of passkeys is that WiFi hacks and damages do not require being physically present at the organization. These simple actions could be taken from a nearby public space such as the parking lot and would leave no trace. Trying to track who accessed the enterprise WiFi by using a shared password is almost impossible.
Internal players – disgruntled and former employees
One of the scariest scenarios are the hacks performed by disgruntled employees that can use their remaining access to perform nefarious activities, including damaging, sabotaging or stealing company data, resources and assets. Roughly one out of five organizations has experienced a data breach by a former employee. The Gartner analysis of criminal insiders found that 29 percent of employees stole information after quitting or being fired for future gains, while 9 percent were motivated by simple sabotage.
Attacks by disgruntled employees who commit deliberate sabotage or intellectual property theft are considered to be among the costliest risks to an organization. For example, one of our customers, a food manufacturer in the United States, fired an employee. The disgruntled employee decided to get even. Using the organization’s Wi-Fi password, he connected to the network from the parking lot and changed the temperature setting for the refrigerators. The result was the destruction of food inventory to the tune of hundreds of thousands of dollars.
Bottom line? Former employees, even those who left amicably, should no longer have access to any part of the network.
Removing employees’ access to all accounts immediately after leaving the company is the best practice to use; however, typically it is not possible to revoke all access due to shared passwords for certain systems and services. In some cases, these systems do not require a password at all, such as printers and Point of Sale devices. For certain organizations, such as law firms and medical facilities, these represent the crown jewels in terms of company data and therefore should be highly secured.
Do I have important assets on the network that I should be protecting?
With the growing numbers of Wi-Fi connected IoT devices (IP cameras, printers, etc.) in the enterprise, each network has a lot of devices that could be compromised and thereby causing data leaks, denial of service attacks or severe damage to the organization. Therefore, ensuring that IoT endpoints are segmented into separate sections of the network and cannot be accessed by outsiders is crucial.
What is the alternative to PSK?
Using enterprise-grade authentication & access services is a good idea. The best security practice would be to have digital certificates, but at the very least, it is recommended to establish a personal identity-based authentication solution. It would enforce network access via unique user credentials, thereby dramatically reducing the chances of unauthorized access to the organization’s Wi-Fi network, and it would ensure a much better security standard over the shared password practice. Traditionally, this was difficult, as setting up such services required high levels of technological knowledge, as well as extensive maintenance and long and complicated deployments.
CLEAR is a cloud-delivered, WiFi access control solution that among other benefits provides a cloud-RADIUS, therefore requiring no training or skilled personal to deploy and operate. There is no overhead, as there is no equipment to install or maintain, and the service is inexpensive and based on the number of devices in the enterprise. Additionally, there is no need to manage a WiFi password as authentication is based on user accounts or digital certificates (customer’s choice), and therefore all passwords are unique. In less than 10 minutes, companies are deploying CLEAR’s enterprise-grade Wi-Fi security, providing the highest level of security to any enterprise, large or small.
Currently, many Network Access Control (NAC) solutions support 802.1X authentication on wireless and wired networks by using Microsoft Domain attributes, such as the credentials of domain users or computer domain membership. In addition, there are plenty of domain-group synchronization scenarios for applying access policies and posture assessments.
Let’s think of an example, such as an organization where the members of a development team are allowed to connect to the corporate wireless network and are then assigned a VLAN or an access list upon successful authentication. Another example could be a finance team whose members are authorized access to the network once their endpoints are running the latest versions of antivirus and their drives are adequately encrypted, while at the same time, helpdesk team members are only required to have the most recent antivirus updates.
Most NAC solutions can handle these basic scenarios with an on-premises RADIUS server and an on-premises Active Directory, but what are you going to do if your organization decides to move the Active Directory to the cloud, for example, to Azure?
Azure AD and 802.1X
As part of the global trending increase in cloud data consumption, Gartner predicts that by 2023 80% of enterprises will also adopt two or more cloud-based security services. In this category we have seen a shift in enterprises from using on-premises Active Directories to cloud-delivered Active Directories. This significant change has added the need to consider certain adjustments to corporate information security.
One of these adjustments pertains to 802.1X authentication by domain attributes. Have you ever thought about 802.1X and Azure AD together? Or how network access control solutions will be able to adapt from the former on-premises legacy security vision to pure cloud-to-cloud integrations?
Converting your access and authentication controls to suit Azure AD requires the ability to have visibility into all devices before they connect to the network no matter where they are connecting from – VPN, wired, wireless or cloud. If security best practices are important at your organization, this visibility should include checking each endpoint, profiling it in terms of its security posture and providing it with a certain score. Once your system has this information it is possible to mitigate risks by applying controls that either prohibit suspicious endpoints from connecting to the enterprise network or more sensitive sections of it, or forcing them to update their security to be able to gain access.
Pure Cloud to Cloud Integrations
This is where cloud-delivered NAC solutions can benefit our new Azure AD players. One of the pioneer features in cloud-delivered NAC is pure cloud to cloud integration with Active Directory in Azure. By deploying it, you will be able to authenticate and authorize users and endpoints by Az-AD attributes without installing anything on-premises. Enabling Azure Active Directory Domain Services is not mandatory for authentication, so everything can be cloud-based and agentless.
If your organization is in the middle of a migration process, and you have both on-premises and AD-Az users, the ideal solution is to enable integration with Azure via a hybrid NAC solution, where your Azure users are managed by a cloud-delivered NAC and Azure integration, and your non-Azure users are managed by an on-premises NAC Directory Broker.
Furthermore, it is recommended to have a NAC solution with a readily available integration with Microsoft Intune cloud service where you will be able to use Intune agents for setting your company’s risk assessment policies and thus enhance a pure cloud-to-cloud interaction in your organizational services.
Some argue that NAC (Network Access Control) is no longer relevant in today’s world of the mobile workforce and distributed (or decentralized) organizations that have moved to using cloud applications for the most part. Adding the fact that many organizations are allowing personal devices to be used in the corporate environment (BYOD) and the fact that IoT devices are used everywhere, some might consider this to be further evidence to the conclusion that NAC is no longer relevant or needed.
In 2004 the first NAC products came on the scene and signaled the start of a new segment in Information Security. At the time, most organizations still had a physical perimeter, desktops were still the main PC to be used at the workplace and laptops were starting to make a wide appearance. BYOD (bring your own device), IoT (Internet of Things) and multi-branch, geo-distributed organizations that rely heavily on cloud services were not prevalent yet. Accordingly, the standards for NAC were very different from what they are today and mainly focused on the wired environment. NAC solutions were then primarily based on using 802.1x pre-connect enforcement with supplicants which were not part of the operating system. Organizations trying to implement NAC solutions only had the option of deploying 802.1x – which ended up with long, complex deployment and implementation, leaving them with a bad taste for NAC.
Over the past 20 years, NAC technologies have evolved exponentially. Vendors introduced control and discovery techniques that have yielded better and faster deployments and ROI. Just as the enterprise network and endpoints have evolved, NAC solutions have evolved from merely allowing or blocking endpoints onto the network into a broader security solution that provides network visibility, endpoint profiling, security posture assessments, risk management and compliance.
Additionally, some solutions have scaled to suit the modern workforce, heterogeneous networks, hybrid cloud and on-prem environments, diverse endpoint environments (such as IoT and BYOD) and globally distributed organizations. This increase in number of devices connecting to the network and change of working environments has been our reality for the past 10 years and has evoked a new NAC. Hence, the resurrection of NAC continues to be upon us.
Future of NAC
At this point in 2019, over 60% of enterprise data is stored in cloud applications (public cloud, private cloud and a hybrid of both). By 2020, just a year from now, it is predicted that 83% of enterprise workloads will be taking place in the cloud (1). According to IDG, 77% of enterprises have at least one application or a portion of their enterprise computing infrastructure in the cloud. Additionally, more technology-dependent industries including manufacturing, high-tech, and telecom are being led by executive management to become 100% cloud-based. Therefore, it is crucial to make sure that only company owned and secured devices gain access to corporate intelectual property and information in the inner most circles of the enterprise. According to Gartner research , by 2023 80% of enterprises will adopt two or more cloud-based security services. This is no coinsidence. The complexities in the cyber security landscape alongside the increasing shortage in skilled security professionals is leading towards a greater adoption of cloud-based security services and specifically to the adoption of NAC as-a-Service.
Lighter, adaptable and agile solutions will be necessary in the new era. Enterprises will transition into using easier NAC solutions such as centralized NAC, agentless NAC, NAC delivered from the cloud and Software-as-a-Service. These NAC solutions will save time and money on deployment, training and implementation, while at the same time providing the visibility and accuracy needed to handle today’s complex and hybrid networks. Next-gen solutions are able to cope fully with today’s decentralized organizations and the old NAC configurations will no longer suffice as they are perimeter focused.
NAC was effective for the problem it was created to solve in the mid-2000s, but subsequent technological advancements in cloud applications and the mass-adoption of mobile computing devices by the mobile workforce, and IoT have introduced new complexities and challenges. The new computing model requires new cyber security solutions, and the new, NAC technologies are uniquely positioned to be among them. Cloud-native solutions will address concerns of lengthy deployments and geo-distribution. Agentless and centralized solutions will shorten and simplify implementations and everyday usage that were once the dread of CISOs and IT security teams in the enterprise.
From a certain perspective, 2018 hasn’t been as dramatic a cyber-security year as 2017, in that we haven’t seen as many global pandemics like WannaCry. Still, Ransomware, zero-day exploits, and phishing attacks, were among the biggest threats facing IT security teams this year. 2018 has not been a dull year as far as breaches. The cycle of exploit to discovery to weaponization has become shorter, and unfortunately, it has become more difficult to protect the enterprise network and the various devices connected to it. In 2017, roughly 63% of organizations experienced an attempted ransomware attack, with 22% reporting these incidents occurred on a weekly basis (*ESG Master Survey Results, 2018 IT Spending Intentions Survey, December 2017). We expect to wind up with close statistics for 2018.
Here are five trends we believe will dominate cyber security in 2019.
Security and Privacy Merge.
Despite the fact that everyone is still trying to understand the new privacy landscape and perhaps because they haven’t fully grasped the new realities, everyone is paying attention. Perhaps it is our ever increasing focus on privacy in general and GDPR specifically. Perhaps it is because more organizations will be working long hours to embrace the compliance measures that are needed to protect privacy that we won’t see a major lawsuit against a company. All we know is that we have seen an increase in companies seeking NAC solutions to keep up with all the new compliance regulations and it is very satisfying to hear that sigh of relief, when a company has implemented their solution.
AI + ML = forensics and investigations.
Artificial Intelligence (AI) and Machine Learning (ML) are going to be implemented into the arena of practical usage in cyber security – mainly for forensics and identification of culprits in cyber events. Investigating security events is costly both in terms of time and the expertise required. We believe that AI and ML are well positioned to help in these investigations for obvious reasons, relating to computing power and specialized programming of what to look for and the ability to learn. AI and ML enable the clustering and analysis of monumental volumes of data that would otherwise be impossible to do within a reasonable amount of time even if you had the best trained minds in the business working on the investigation.
Ransomware – more targeted attacks are expected against wealthy and famous individuals.
Social networks offer a world of insights and information on almost anyone who has an account. Unfortunately, it provides a lot of details that assist cyber offenders in the monetization of attacks (due to bitcoin) and the ease of performing spear phishing attacks – all will be combined for a more targeted approach.
IoT security issues will increase.
IoT will be deployed in more business usages and scenarios. The risk will rise and eventually this will cause more issues with a few headlines of devices that were used to hack networks.
The conversation – Whose job it is to protect organizations in the public and private sector?
Nationwide attacks on large businesses will bring up the discussion of who should protect a country and a business from cyber security attacks. Should the state and country be active in the defense of the private sector? In the same respect, you wouldn’t expect a bank branch to deploy anti-missile defense systems against the possibility of an offending country.
At Portnox, we will continue to innovate our network security and risk control tools to provide solutions to all, empowering our customers with valuable, holistic solutions to protect their networks.
From all of us here at Portnox, we wish you happy holidays and a great new year!