The truth is that these concerns are high on the list of IT managers in all areas of IT deployment. The need to meeting governance, risk and compliance (GRC) objectives is something that cannot be avoided. Another area where concerns have been increasing is the growing number of unmanaged devices that are attaching to networks.
There are good reasons for providing network access to such devices. Most businesses now accept the reality of employees using their own devices for work purposes ("bring-your-own-device/BYOD"); even if they do not like the concept, they know it must managed somehow. Furthermore, there is an increasing need in many organisations to provide network access to guests (such as contractors and consultants) on an ad hoc basis. These two requirements have seen a resurgence of interest in network access control (NAC) systems from established vendors such as ForeScout, Bradford Networks and Portnox.
At the Infosec Europe event in April this year, Quocirca chaired a panel session where three users of NAC from very different business sectors explained why they had invested in the technology, how it helps them overcome GRC challenges and better enables both BYOD and guest network access. The session was sponsored by ForeScout and the panellists were all using the vendor's CounterACT NAC product. The findings of the session have been written up in a freely available report that can be downloaded here.
In brief, the benefits outlined by each user were as follows:
- UK-based finance sector organisation: in financial services, regulations are imposed by regulatory bodies. This organisation was held back from trading if it was unable to demonstrate that its employees' end points were secure. Implementing NAC meant the status of the systems and security software on all end points could be checked and, when necessary, updated every time they accessed the network. As the NAC systems used was agentless, this could all be achieved regardless of whether the device was previously known or not. An audit trail to prove compliance could be made available to auditors.
- UK-based healthcare trust: healthcare is also a tightly regulated sector; here it is not just money that is at stake, but lives. The end points on the organisation's networks included a wide range of medical devices as well as end user ones. NAC was used to replace an aging intrusion prevention system (IPS), the former being much more dynamic, enabling all sorts of devices to safely share the same network whilst ensuring, and being able to prove, necessary levels of security and compliance.
- Creative media company: for some organisations GRC controls are necessary to inspire confidence in customers and suppliers rather than satisfy regulators. This was certainly the case with the media service organisation Quocirca interviewed. It needed to make sure that its customers felt their own data was safe when their clients' employees were working as guests on its premises. It also needed to ensure and prove its use of certain software was in-line with vendor licence agreements. NAC enabled both of these requirements.
As organisations struggle to meet GRC requirements in the face of the changing way IT systems are deployed and accessed, all areas of IT security are coming under review and advanced technologies are supplementing or replacing conventional ones. There is no silver bullet for achieving the often related goals of better security and compliance, but NAC is proving for many to be a key building block in their overall IT security architecture.