tgreene
Executive Editor

Defining NAC roles is key

Opinion
Mar 31, 20092 mins

* NAC roles need to be defined to meet corporate business goals and security policies

Setting roles is a key part of any NAC deployment to help simplify configuration and management.

For example, unmanaged machines with non-employee users may be a category of users that a business might want to control. But that broad category could include several subsets that require differing access rights.

Visitors using the wireless LAN in the lobby to get to the Internet have different requirements from financial auditors who have different needs from consultants helping with engineering projects.

Consulting engineers may have the same needs as staff engineers, but should not have access to HR data, so they would be assigned different roles from a NAC perspective. Depending on the NAC vendor chosen and the enforcement method used to carry out NAC policies, the mechanics of creating profiles and enforcement rules will vary.

But it is important to discover the entire body of roles and to streamline them as much as possible. More important is that a full set of roles has been defined to meet corporate business goals and security policies.

These roles should be formulated by a task force that includes network, desktop, security and business group participation. The security team may know how to protect the data center, but not know who should be allowed to access what resources in order to properly do their jobs. Those decisions should be made by line-of-business managers, with the technical staff translating them into NAC policies.

This is a complex task that should begin early in NAC projects. The roles should be ranked for importance, then as NAC is rolled out, the roles can be brought online gradually in order to minimize the impact of whatever problems might arise unexpectedly.