If your company hasn’t updated its network access control (NAC) solution in a few years, resolve to look at the next generation of products now on the market. Current products are designed to make enabling BYOD (bring your own device) a whole lot easier.
Previous incarnations of NAC were designed to work with company-owned and company-managed static endpoints such as desktops and laptops. The purpose of the NAC appliance was to be restrictive—to allow authenticated, fully managed devices onto the network and to prevent access for all other devices.
The kind of policy that associates one worker with just one standard desktop computer seems like something from the Stone Age now. Today’s workers are typically mobile and use two or more devices to access the corporate network, and those devices are often personally owned, unmanaged and “non-standard.” It’s quite difficult to develop and enforce security policies for today’s computing landscape with an old-generation NAC.
By contrast, a Next Gen NAC (sometimes called a 3rd Generation NAC) has the characteristics and features that allow you to maintain tight control over network access while still allowing workers to use their own mobile devices. Here’s a quick look at the functionality of these modern solutions that specifically addresses the challenges of BYOD.
* Visibility. In a BYOD and mobile work environment, people and devices come and go on the network all day long. Because it’s likely that most of these devices are not strictly managed by your enterprise, you have no idea how they are configured or what state they are in. Therefore, the NAC needs to discover and interrogate every user and device before granting network access. This requires pre-connection knowledge of who the user is, what the device is, and what the risk of admitting that user and device to the network would be.
To have true visibility, the NAC solution must look at not only the device type, but also its software configuration; the user and the device(s) associated with that user; and the location and time of day of the access request. This level of visibility is critical to take the next step of automating access according to granular policies.
* Automated Access Control. A Next Gen NAC allows administrators to create and automatically enforce granular access policies that define who can access what part of the network, using which devices, and under what circumstances. Ideally this function integrates with your organization’s directory system to understand more about the users and their access rights.
With granular and flexible policies, users and their devices can be directed to pre-determined network segments such as Internet-only for guest users and unsupported devices, or full network access for authorized users and registered devices. In some cases, a user may be isolated or directed to remedial services if their device has security issues, and this happens before the device is granted access to the corporate network.
It’s possible that a user and device combination that is perfectly legitimate during regular work hours should not be granted automatic access during off-schedule hours. For example, a doctor using his own tablet in a hospital during daylight hours when he usually makes his rounds is approved for full access, but he’s not automatically approved if he’s using his smart phone in the hospital at night. In this case, he may be limited in what he can do on the network.
The network access policies of a Next Gen NAC also may be used to control bandwidth usage. “Net neutrality” doesn’t have to apply to a private network, and policies can determine priority usage and place restrictions on users or devices when bandwidth resources are constrained.
* Automated Provisioning. In our “gotta have it now” world, no one wants to wait to get to the network resources they need to perform their job. There’s no time to fill out a request and wait for an admin to provision access, so automated provisioning is absolutely critical in a NAC.
Automated self-provisioning allows potential users to register themselves and their devices. The NAC solution can then do its risk assessment based on the Who, What, When and Where attributes of both the user and device, and provision the right level of access to the network based on the current circumstances. So for example, if the user is approved for access but his device is afflicted with malware, he can be directed to an intermediary site for remediation.
Deprovisioning and off-boarding people and devices are important, too. It’s essential to quickly shut off access once an end user separates from your organization.
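The Who, What, When and Where evaluation described under Automated Access Control and Automated Provisioning above, written out as an added Python example; this is not code from the article or from any NAC vendor. The roles, segments, site names and day-shift hours are constructed assumptions. The rules encode the article’s scenarios: a separated user is denied first, an unhealthy device is sent to a remediation segment before anything else is considered, guests and unregistered devices get Internet only, a physician’s registered tablet on site during day shift gets full access while the same physician on a smartphone at night is limited, and any combination no rule matches is denied by default.

```python
"""Toy NAC policy engine: maps a connection request's Who/What/When/Where
attributes to a network segment. Added example, not any vendor's product."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Segment(Enum):
    FULL = "full-network"
    LIMITED = "limited"          # reduced privileges, e.g. off-hours access
    INTERNET_ONLY = "internet-only"
    REMEDIATION = "remediation"  # isolated segment offering remediation only
    DENY = "deny"


@dataclass(frozen=True)
class Request:
    user: str
    role: str          # role looked up in the directory ("physician", "guest", ...)
    device_type: str   # "tablet", "smartphone", "laptop", ...
    registered: bool   # device was self-registered through the portal
    posture_ok: bool   # health check passed (no malware, required patches present)
    location: str      # where the request arrives from ("ward", "lobby", "remote")
    hour: int          # local hour of the request, 0-23


# A rule is a name, a predicate over the request, and the segment to assign.
Rule = Tuple[str, Callable[[Request], bool], Segment]

# Constructed assumptions: on-site locations, day-shift hours, off-boarded users.
HOSPITAL_SITES = {"ward", "clinic", "lobby"}
DAY_SHIFT = range(7, 19)            # 07:00-18:59
OFFBOARDED = {"former_emp"}         # users whose access has been deprovisioned

RULES: List[Rule] = [
    # 0. Separated users lose all access, whatever device they bring.
    ("offboarded", lambda r: r.user in OFFBOARDED, Segment.DENY),
    # 1. Health first: an infected or out-of-date device goes to remediation
    #    before any other attribute is considered.
    ("unhealthy-device", lambda r: not r.posture_ok, Segment.REMEDIATION),
    # 2. Guests never see the internal network.
    ("guest", lambda r: r.role == "guest", Segment.INTERNET_ONLY),
    # 3. Unregistered employee devices get Internet only until registered.
    ("unregistered", lambda r: not r.registered, Segment.INTERNET_ONLY),
    # 4. Physician on a registered tablet, on site, during day shift: full access.
    ("physician-rounds",
     lambda r: r.role == "physician" and r.device_type == "tablet"
     and r.location in HOSPITAL_SITES and r.hour in DAY_SHIFT,
     Segment.FULL),
    # 5. Same physician off-hours or on another device type: limited access.
    ("physician-offhours",
     lambda r: r.role == "physician" and r.location in HOSPITAL_SITES,
     Segment.LIMITED),
    # 6. Staff on registered, healthy laptops: full access.
    ("staff-laptop",
     lambda r: r.role == "staff" and r.device_type == "laptop",
     Segment.FULL),
]


def decide(req: Request, rules: List[Rule] = RULES) -> Tuple[Segment, str]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for name, matches, segment in rules:
        if matches(req):
            return segment, name
    return Segment.DENY, "default-deny"


def audit_line(req: Request, rules: List[Rule] = RULES) -> str:
    """One log line per decision so later analytics can report who got what."""
    segment, rule = decide(req, rules)
    return (f"user={req.user} role={req.role} device={req.device_type} "
            f"registered={req.registered} posture_ok={req.posture_ok} "
            f"where={req.location} hour={req.hour:02d} "
            f"-> {segment.value} ({rule})")


if __name__ == "__main__":
    # Constructed requests mirroring the article's scenarios.
    samples = [
        Request("dr_lee", "physician", "tablet", True, True, "ward", 10),
        Request("dr_lee", "physician", "smartphone", True, True, "ward", 23),
        Request("dr_lee", "physician", "tablet", True, False, "ward", 10),
        Request("visitor", "guest", "laptop", False, True, "lobby", 14),
        Request("nurse_kim", "staff", "laptop", False, True, "clinic", 9),
        Request("former_emp", "staff", "laptop", True, True, "clinic", 9),
    ]
    for s in samples:
        print(audit_line(s))
```

Two design points carry over to a real deployment: rule order matters (off-boarding and posture are checked before any role-based grant, so a compromised or revoked device can never reach a permissive rule), and the default for an unmatched user/device combination is deny rather than Internet-only, so a new device type or role has to be explicitly provisioned. The audit line is the raw material the Analytics section below depends on.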
* Integration with MDM. Perhaps your enterprise uses a mobile device management (MDM) solution to control the configurations of workers’ smart phones and tablets. In a BYOD environment where people are bringing in all sorts of devices on a massive scale, your organization’s security ecosystem – including MDM and NAC – must work together to assess and control the health status of a device and make a decision about its access rights.
NAC solutions that provide an open architecture enable your organization to leverage current and future point solutions to create a secure, integrated and automated BYOD environment that is appropriate for the risk posture that your organization aims to maintain.
* Analytics. You’ll need to do long-range planning, and today’s NAC solutions can help you do that through analytics. By analyzing and visualizing large volumes of network access data over time, a NAC managing a BYOD environment should deliver detailed reports that give you the long-term visibility and answers you need to make better business decisions: for example, to plan wireless network capacity, manage software licenses, provide better mobile device support, and meet compliance requirements.
If your enterprise is using old NAC technology, or you aren’t using NAC at all, it’s time to take a look at what Next Gen NAC solutions can do to facilitate BYOD within your organization. This latest generation of NAC strengthens enterprise security by supporting role-based access control, enforcing device security compliance, and providing visibility and intelligence for better business decisions.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp. which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.