It’s not surprising to see the last two acquisitions in the NAC world (as discussed here). Managed security providers are coming together with NAC product vendors. I’ve spent time in both markets, so I can see it from both sides. I have to admit that when I first entered the NAC market, it was a thrilling concept for a security geek like me (and I suspect I’m not alone here). Don’t let “dirty” computers connect to my network. Fix them first, then let them in. It’s even cooler when you can assign specific network privileges to a computer once you know who is using it.
But in practice, it’s not trivial to implement. For each stage in that “simple” process there are myriad decision points, and then enforcement points at both the network and the endpoint level.
First, the decision points:
Is the computer managed by me? If it is, then I want to remediate it. Okay. How do I do that? I need to give it just enough access to reach the remediation servers without exposing the rest of the network, and then I need to validate that the remediation actually took effect rather than taking the host’s word for it. Okay. What if it’s not managed by me? Do I offer up an opportunity for remediation? Or do I grant only a subset of access that can’t compromise the rest of my network? These are just a few of the questions organizations struggle with, and we still haven’t gotten to the “post-connect” discussion. That’s the most critical part of the conversation: a host that was clean at admission time can be dirty five minutes later, so constant assessment and remediation are essential. It’s even better if I can assess, remediate and enforce using a single solution, but most technologies haven’t gotten to that level of integration.
Speaking of assessment and enforcement, at which level do I conduct the assessment? From the network perspective or at the endpoint? Which device should conduct the enforcement? And what technique should I use? For some vendors it’s DHCP filtering, for others it’s 802.1X authentication. Which is better? Under which conditions and use cases? The honest answer depends on the network. DHCP filtering is cheap and needs nothing special on the switch, but it only governs hosts that ask for a lease, so a statically addressed box walks straight past it. 802.1X gates the switch port itself before any IP traffic flows, but it needs a supplicant on every endpoint and switches that support it, and every printer or phone that can’t authenticate ends up on an exception list.
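To make the decision points from the last two paragraphs concrete, here is a toy NAC policy engine. It is an added example for this page, not code from the original post or from any NAC product; the access tiers, the posture fields, the role map and the 300-second freshness window are all assumptions for illustration. It shows one policy used both at admission and for every post-connect re-check, an unmanaged host that claims to be clean but never gets past the guest tier because nothing vouches for the claim, and a managed laptop that is demoted when its AV stops and is promoted again only when a fresh agent report confirms the remediation.

```python
"""Toy NAC decision engine: pre-connect admission plus post-connect re-assessment.

Added example, not code from the original post or from any NAC product.
Tiers, posture fields, the role map and the freshness window are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    GUEST = "guest"            # internet only, isolated from internal networks
    REMEDIATE = "remediation"  # reach patch, AV and agent servers only
    MACHINE = "machine"        # directory/logon services only, no user role yet
    FULL = "full"              # production access scoped by the user's role


@dataclass(frozen=True)
class Posture:
    """What we know about a host, from its agent report or a network scan."""
    managed: bool            # enrolled in our endpoint management?
    agent_reporting: bool    # did a trusted agent produce this report?
    patches_current: bool
    av_running: bool
    user: Optional[str] = None  # authenticated user, once known
    report_age_s: int = 0       # seconds since the report was produced


@dataclass(frozen=True)
class Decision:
    tier: Access
    reason: str


MAX_REPORT_AGE_S = 300  # assumed freshness window for any posture report

# Assumed role map: which production privileges a user gets once identified.
ROLE_BY_USER = {"alice": "engineering", "bob": "finance"}


def decide(p: Posture) -> Decision:
    """One policy, applied at admission and on every post-connect re-check."""
    if not p.managed:
        # We cannot remediate it and must not trust its self-report, so it only
        # ever gets a subset of access that cannot reach the inside.
        return Decision(Access.GUEST, "unmanaged host: cannot remediate, do not trust")
    if not p.agent_reporting:
        return Decision(Access.REMEDIATE, "managed host with no trusted agent report")
    if p.report_age_s > MAX_REPORT_AGE_S:
        # Stale evidence cannot justify production access.
        return Decision(Access.REMEDIATE, "posture report is stale")
    if not p.patches_current:
        return Decision(Access.REMEDIATE, "patches missing")
    if not p.av_running:
        return Decision(Access.REMEDIATE, "antivirus not running")
    if p.user is None or p.user not in ROLE_BY_USER:
        return Decision(Access.MACHINE, "compliant but no known user yet")
    return Decision(Access.FULL, f"compliant, role {ROLE_BY_USER[p.user]}")


def track(reports: list[Posture]) -> list[Access]:
    """Post-connect loop: re-run the policy on every report the host produces."""
    return [decide(r).tier for r in reports]


# Constructed sample hosts (not from the post).
ENROLLED_LAPTOP = Posture(managed=True, agent_reporting=True,
                          patches_current=True, av_running=True, user="alice")

# A contractor box that *claims* to be patched with AV running. Nothing
# vouches for the claim, so the policy never lets it past the guest tier.
CONTRACTOR_BOX = Posture(managed=False, agent_reporting=False,
                         patches_current=True, av_running=True, user="bob")

# Lifecycle of the enrolled laptop: admitted, AV dies, a stale "fixed" report
# arrives, then a fresh one confirms the remediation actually took effect.
LAPTOP_LIFECYCLE = [
    ENROLLED_LAPTOP,
    Posture(True, True, True, False, "alice"),                   # AV stopped: demote
    Posture(True, True, True, True, "alice", report_age_s=900),  # stale: stay down
    Posture(True, True, True, True, "alice", report_age_s=10),   # fresh: promote
]

if __name__ == "__main__":
    for name, host in (("laptop", ENROLLED_LAPTOP), ("contractor", CONTRACTOR_BOX)):
        d = decide(host)
        print(f"{name}: {d.tier.value} ({d.reason})")
    print("lifecycle:", [t.value for t in track(LAPTOP_LIFECYCLE)])
```

The engine deliberately says nothing about how a tier is enforced. Whether the answer to "remediation" is a DHCP scope that only routes to the patch servers or a switch port dropped into a quarantine VLAN by 802.1X is the enforcement question from the paragraph above; the decision logic is the same either way, which is what a single assess-remediate-enforce solution would have to get right.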
The industry has been arguing over NAC standards for years, and where have we ended up? A NAC vendor buys an MSP and an MSP buys a NAC vendor. It makes a lot of sense. Whenever I can’t figure out how to approach a project, I consult an expert. After bringing home a chew-crazy puppy a few weeks ago, I hired a professional pet trainer. Rather than agonizing over how to handle every hair-pulling behavioral pattern, I get to defer to a domain expert. And if a technique doesn’t work, I have someone else to blame.
There’s another lesson here. Great security ideas remain theoretical – until and unless they can be managed effectively.