
When it's OK to use NAC endpoint checking sporadically

Benefits and caveats to sporadic NAC endpoint checking

Cloud Security Alert By Tim Greene, Network World
November 27, 2007 12:10 AM ET

Clarifying issues surrounding this emerging security architecture


A recurring theme among NAC customers is that they use NAC endpoint checking sporadically. Once a computer has been scanned and found compliant, it is designated good to connect to the network for an extended period of time; a month is the timeframe that keeps coming up.

The reason customers give is preserving a speedy login for end users. Waiting to be scanned, and waiting even longer to remediate any problems found, is too high a price to pay. Weighing the time lost and the complaints against the incremental security the endpoint check gives the organization seems to favor keeping the scans to a minimum.

These customers aren’t cavalier. They aren’t abdicating their responsibilities to keep their networks safe; they’re just facing the business reality that end-user frustration can be counterproductive, both in IT costs and in user distraction from achieving business goals.

If the NAC endpoint checks are minimal, customers must use other means to protect their networks, either using post-admission NAC resources or other tools such as intrusion-prevention systems and strict asset-management enforcement.

This reduced frequency for endpoint scanning seems to work for students at universities and for wired desktops at corporations, according to NAC implementers. In practice, both these populations prove stable enough that they don’t cause problems severe enough to call for more stringent scrutiny.

But the relaxed posture is not extended to guests, contractors and vendors, who are a less-known quantity and whose patience is required as a cost of doing business.


Tim Greene is senior editor at Network World.
