Art Wittman's recent column in Network Computing on how "Security Drives Everything" highlights some of the findings in the latest NAC survey from the Network Computing/Current Analysis collaboration. Art comments that the healthcare industry, at least as embodied by Kaiser Permanente, has not embraced NAC because NAC can't help secure its medical devices.
Then Amrit, Shimel, and Stiennon are once again getting all worked up about the value of NAC. Amrit and Stiennon are boxing it into a corner saying it buys you minimal security and Shimel, understandably, is arguing the other side.
I have to say, I end up agreeing more with Amrit and Stiennon on this one. The way most NAC is positioned, especially Cisco's NAC and CCA/NAC Appliance, there isn't much value. Checking the integrity of a machine before admitting it, and verifying that the user is authenticated, just doesn't buy you much. Is it a good practice, and should it help define the access policy for your users? Yes. Does it set the bar for security? Far from it. That's why the Kaiser guy says NAC isn't for him: in that form, it can't address one of his most critical issues, which is protecting the medical devices on his LAN.
To meet Stiennon's Venn diagram take on what security should encompass, it must provide far more than pre-admission control. The big risk to organizations is what users can do after they're on the LAN, so network ACCESS control, in the broadest sense of what you should be allowed to access on the LAN, is key for businesses to protect their data.
It's also how the Kaiser guy can get his medical devices protected. Agent-based NAC won't help him at all, since he can't load a posture agent onto a CT scanner. Instead, he needs a way to place that device into a "medical device" role and control which devices it can receive from and send to and which protocols it can run. That's how he can keep a CT scan machine from getting hit by a virus or other attack, and keep the machine or its port from being co-opted and used for evil.
IT needs to be thinking about network access control in its broadest form, and that really means having full control over all your users and devices, the whole time they're on the LAN.
Related to this broader definition, Rothman comments on Art's column and makes the point that too many IT folks see security as an afterthought rather than as fundamental to their business. He argues that to do things right, IT has to "talk business to the business people." Part of the challenge there is that the security products have to let IT implement controls using business logic. When all you have are VLANs and ACLs, it makes it pretty tough for IT to talk business.
Instead, they need tools that let them map those business policies much more intelligently into network enforcement practices. They also need infrastructure that embeds the security directly, rather than forcing IT to bolt on new features or use old dogs like VLANs and ACLs to perform new tricks like identity-based control. We talk about embedded security as Secure Switching - the ability to control every user and secure every port on the LAN. Whether it's an appliance, which is pragmatic for organizations not doing a switch refresh, or whether it's a secure switch if a company is upgrading their switches, the key is to have control capabilities embedded directly in the infrastructure.
That way, you're getting far more than NAC, which at the end of the day should simply be a feature on a switch. And you're not stuck with security as an afterthought: it's enabled in the infrastructure, supported by the tools to apply business logic so IT can finally talk business to the business people.
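To make the "medical device role" idea above concrete, here is an added example (not ConSentry's code, and not a description of any real product) of the kind of role-based LAN policy the post argues for: every endpoint is mapped to a role, the policy is written in terms of roles and protocols rather than VLANs and ACLs, and any flow with no matching rule is denied. The IP addresses, role names, protocol-to-port mapping and the sample flows are all constructed for illustration.

```python
"""Role-based LAN access policy evaluator (illustrative, not a real product)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed role assignments. Assumed to come from the switch/appliance's
# identity and device-classification step; hard-coded here so the example runs.
ROLE_OF: Dict[str, str] = {
    "10.1.1.20": "medical_device",   # e.g. a CT scanner on the LAN
    "10.1.1.30": "medical_device",
    "10.2.0.5": "pacs_server",       # imaging archive the scanner sends studies to
    "10.3.0.40": "radiology_staff",
    "10.4.0.99": "guest",
}

# Hypothetical mapping from destination port to a named protocol.
PORT_TO_PROTO: Dict[int, str] = {104: "dicom", 11112: "dicom", 443: "https",
                                 445: "smb", 22: "ssh"}


@dataclass(frozen=True)
class Rule:
    """One business-level rule: traffic from src_role to dst_role over protocols."""
    src_role: str
    dst_role: str
    protocols: FrozenSet[str]


# The business policy, expressed in roles. Rules are directional, so a
# compromised scanner cannot use the staff->scanner rule in reverse.
POLICY: List[Rule] = [
    Rule("medical_device", "pacs_server", frozenset({"dicom"})),
    Rule("radiology_staff", "pacs_server", frozenset({"https", "dicom"})),
    Rule("radiology_staff", "medical_device", frozenset({"https"})),
]


def role_of(ip: str) -> str:
    """Unknown endpoints get the most restrictive role rather than a free pass."""
    return ROLE_OF.get(ip, "unknown")


def proto_name(port: int) -> str:
    return PORT_TO_PROTO.get(port, f"tcp/{port}")


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Default-deny evaluation of a single flow against the role policy."""
    src_role, dst_role, proto = role_of(src_ip), role_of(dst_ip), proto_name(dst_port)
    for rule in POLICY:
        if (rule.src_role == src_role and rule.dst_role == dst_role
                and proto in rule.protocols):
            return True, f"allow {src_role}->{dst_role} {proto}"
    return False, f"deny {src_role}->{dst_role} {proto} (no matching rule)"


def evaluate_flows(flows: List[Tuple[str, str, int]]) -> List[Tuple[bool, str]]:
    """Evaluate a batch of (src_ip, dst_ip, dst_port) flows, e.g. from flow records."""
    return [is_allowed(*flow) for flow in flows]


# Constructed sample flows: legitimate study upload, a guest probing SMB on
# the scanner (worm-style), a co-opted scanner trying SSH to a staff PC,
# staff reaching the scanner's web console, and an unclassified device.
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.2.0.5", 104),
    ("10.4.0.99", "10.1.1.20", 445),
    ("10.1.1.20", "10.3.0.40", 22),
    ("10.3.0.40", "10.1.1.20", 443),
    ("10.9.9.9", "10.2.0.5", 443),
]

if __name__ == "__main__":
    for flow, (ok, reason) in zip(SAMPLE_FLOWS, evaluate_flows(SAMPLE_FLOWS)):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {reason}")
```

The point of the example is the shape of the policy, not the details: the scanner's allowed behaviour is written once as "medical devices may send DICOM to the PACS server", and every other flow touching the scanner's port, in either direction, is dropped without anyone having to maintain per-host ACLs or per-VLAN exceptions.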
--Michelle McLean
mmclean-at-consentry-dot-com