Implementing Zero Trust Requires Network Access Control (NAC)


What do Network Access Control (NAC) and zero trust have in common? How do they fit together? Are they the peas and carrots of IT? Can one exist without the other? How does a zero trust approach fit within an organization’s NAC strategy, or vice versa?

Before we dive into these weighty questions, let’s recap what they mean and how they apply to IT security both together and separately.

 

Understanding Network Access Control (NAC)

NAC is the act of keeping unauthorized users and devices out of a private network. Solutions typically include a combination of policy enforcement, authentication, and authorization capabilities that CISOs can use to verify the identity of users and devices, ensure that they comply with security policies, and grant or deny access to the network accordingly.

In a post-COVID world where BYOD, cloud computing, and remote and hybrid work have increased by 30% since last year, the use of wired and wireless access points has grown, with a significant impact on enterprise network resources.

This remote access, along with digital transformation, has expanded the attack surface and the complexity of network access, calling for 802.1X port-based network access control solutions. These tools enable administrators to provide uniform access control policies across wired and wireless networks. They also help CISOs improve gateway security while lowering the total cost of ownership (TCO).

By implementing NAC, organizations can improve their security posture and reduce the risk of unauthorized access to their network and resources, both from outside and within. This breadth of protection can help prevent data breaches, insider threats, and other security incidents that could compromise their data and systems’ confidentiality, integrity, and availability.

One critical advantage of NAC is that users must be authenticated via multi-factor authentication, which is far more secure than identifying users based on IP addresses, usernames, password combinations, or even a VPN.

 

Understanding Zero Trust

“Zero Trust” is a term that gets bandied about and has become the “it” strategy for network security. It’s deemed one of the most potent initiatives organizations can implement to prevent man-in-the-middle and DDoS attacks and keep their networks safe from bad actors who would gladly install malware or carry out a zero-day attack.

Zero trust assumes the posture of “never trust, always verify,” where no device or user is granted network access until they have been thoroughly authenticated. Every user, device, and network resource is considered potentially hostile until proven otherwise.

This strict access methodology is comparable to the pre-connect NAC method that takes an unconstitutional “guilty until proven innocent” approach. It assumes every device trying to access a network is misconfigured, insecure, or ineligible for admission to the inner IT sanctum.

 

How NAC & Zero Trust Fit Together

NAC systems were designed to protect the network at its edge. However, with the increasing complexities of applications, the cloud, and virtualization, this security structure is no longer sufficient. In addition, with the rapid adoption of IoT devices with virtual machines that reside on different servers within a public or private cloud or network, NAC’s role within the network has become challenged.

Add these borderless technologies to the growing sophistication of cyber threats, and companies must realize there is no more network edge. This chasm is where security developments like micro-segmentation and zero trust pick up where NAC leaves off.

Even with the boundlessness brought upon networks with the digital transformation, NAC still plays a critical role in today’s IT environment. Defending the network’s edge is still crucial, especially with an IoT ecosystem.

A recent report shows that the Global Enterprise IoT Market is expected to reach $681.4 billion by 2028. With the rapid adoption of virtualization and IoT devices in the enterprise space, the threat landscape broadens, as IoT devices typically don’t have antivirus or antimalware software installed. These devices have been used to spread malware and instigate malicious attacks.

This concern has NAC providers scrambling to provide solutions and ensure these devices are configured correctly and monitored constantly.

In a zero trust security model, network boundaries are obsolete. Access to resources is only granted on a need-to-know basis, i.e., those who can view specific information based on their job responsibilities and only after the user or device has been authenticated and authorized. NAC solutions help enforce these policies by performing various checks and validations before allowing anyone or anything to access the network.

A NAC-defined perimeter is a moat that protects the network edge. Zero trust protects the surrounding area and beyond by preventing nefarious intrusions from getting past any invisible borders. This multi-layer approach is the peanut butter to chocolate of IT security.

Here are some reasons why Network Access Control remains a key security technology for organizations seeking to adopt a zero trust security model:

  1. Provides ubiquitous visibility: Network Access Control solutions can discover and profile all devices connected to the network, including IoT, BYOD, and guest devices. This visibility enables organizations to enforce security policies, monitor for risks, and identify and remediate any security vulnerabilities.
  2. Ensures device compliance: NAC systems can assess the security posture of connected devices and ensure they comply with the organization’s security policies and procedures before granting them network access. This check assures the IT team that only trusted and secure devices are allowed on the network.
  3. Principle of least privilege (PoLP) access: PoLP covers non-human users such as system accounts, applications, services, and devices. Because NAC is a crucial component of endpoint security, a PoLP-based NAC system ensures that malware, such as ransomware, trojans, or spyware, cannot spread freely through your system.
  4. Enhances network segmentation: CISOs can leverage NAC solutions to create segments within their network through virtual local area networks (VLANs) and subnets using IP addresses that divide the network. In addition, IT security managers can customize these segments based on the level of trust and risk associated with each device, user, department, or group, which reduces the attack surface and makes it more difficult for attackers to infiltrate and move laterally throughout the network.
  5. Continuous monitoring: The ability to monitor network activity and immediately take action against unauthorized users or unusual behavior means that malware threats and other cyberattacks can be immediately detected and mitigated if not avoided altogether. This ability to supervise a network helps organizations maintain their compliance and enhance their security posture.

Other key NAC uses include:

  1. Authentication and Authorization: NAC solutions verify the identity of a user/device and determine if they are authorized to access a particular resource or information. This verification ensures that only legitimate users/devices are granted access.
  2. Device Health Checks: NAC solutions can perform health audits on devices before granting them access to the network. This checkup helps ensure the device meets the organization’s security standards and policies.
  3. Policy Enforcement: NAC solutions can enforce security policies and restrictions, such as limiting access to specific resources or requiring multi-factor authentication.
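
The checks in the two lists above (authentication, device health, least privilege, segmentation) can be combined into one pre-connect decision that returns the RADIUS attributes a switch or access point uses to place the device in a VLAN. This is an added example, not Portnox's code or any product's API; the VLAN numbers, role names, posture check names and the handling of IoT devices are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed VLAN plan, role names and posture checks (assumptions, not from any product).
QUARANTINE_VLAN, IOT_VLAN = 999, 400
VLAN_BY_ROLE = {"finance": 110, "engineering": 120, "guest": 300}
REQUIRED_POSTURE = ("disk_encrypted", "av_running", "os_patched")

@dataclass(frozen=True)
class AccessRequest:
    identity: str | None          # verified user or device identity; None if authentication failed
    device_type: str              # profiling result: "laptop", "iot", ...
    mfa_passed: bool = False
    role: str | None = None
    posture: dict = field(default_factory=dict)  # health-check results for the endpoint

def vlan_attributes(vlan: int) -> dict:
    """RADIUS tunnel attributes (RFC 3580) that tell the switch or AP which VLAN to assign."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}

def decide(req: AccessRequest) -> tuple[str, dict, str]:
    """Pre-connect decision: deny by default, quarantine on failed posture, else least-privilege VLAN."""
    if req.identity is None:
        return "reject", {}, "no authenticated identity"
    if req.device_type == "iot":
        # Assumption: headless devices authenticate by device identity only and are isolated.
        return "accept", vlan_attributes(IOT_VLAN), "profiled IoT device, isolated segment"
    if not req.mfa_passed:
        return "reject", {}, "MFA not completed"
    failed = [c for c in REQUIRED_POSTURE if not req.posture.get(c, False)]
    if failed:
        return "accept", vlan_attributes(QUARANTINE_VLAN), "posture failed: " + ", ".join(failed)
    vlan = VLAN_BY_ROLE.get(req.role)
    if vlan is None:
        return "reject", {}, f"no segment mapped for role {req.role!r}"
    return "accept", vlan_attributes(vlan), f"compliant, role {req.role}"

if __name__ == "__main__":
    healthy = {"disk_encrypted": True, "av_running": True, "os_patched": True}
    samples = [  # constructed requests
        AccessRequest("alice", "laptop", True, "finance", healthy),
        AccessRequest("bob", "laptop", True, "engineering", {**healthy, "os_patched": False}),
        AccessRequest("cam-07", "iot"),
        AccessRequest(None, "laptop"),
    ]
    for s in samples:
        print(s.identity, decide(s))
```

A non-compliant but authenticated device is accepted into the quarantine VLAN rather than rejected, so it can reach remediation services without touching production segments.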

While zero trust is practically a surefire way to thwart outside attacks as it trusts no one, no matter whom they say they are, NAC is a befitting partner to zero trust because it adds an extra layer, should a zero trust breach occur. It is an essential security technology for organizations that want to take a full-stack approach to their cybersecurity strategy and architecture.

By controlling network access, verifying device and user identities, enforcing security policies, providing continuous monitoring, and trusting no one, not even your CEO’s mother, NAC combined with zero trust can help organizations reduce their security risk, improve their overall security posture, meet compliance regulations, and ensure no security gap is left behind.
