As enterprise compute and networking architectures evolve at a rapid pace – from traditional on-prem data centers to private/hybrid clouds, from desktop computing to laptops, and increasing adoption of enterprise BYOD and IoT, one thing has remained constant – the threat landscape continues to deteriorate and remains the top concern for security admins.
While perimeter and inline detection mechanisms are constantly improving, they still come up short every once in a while and motivated attackers still find ways to penetrate these defenses. As attacks continue to become more sophisticated and stealthy, we must improve our ability to detect and identify these attacks as quickly as possible.
With increased adoption of BYOD, campus mobility, and IoT, it is becoming clear that the policies that govern how, when and where users can access the network are becoming as important as perimeter security measures. Robust and pervasive admission control and policy enforcement are instrumental in managing risk and preventing the compromise of assets in the enterprise.
Is NAC the Revenant of Network Security?
A lot has changed with network access control (NAC) since it was introduced more than a decade ago. The technology has matured significantly and solutions are far easier to deploy, with pervasive support across the network fabric.
An increasingly mobile workforce that depends on ultra fast pervasive Wi-Fi combined with adoption of BYOD and IOT is driving the creation of digital workplaces in enterprises, making NAC more relevant and mission critical now more than ever before.
It is a no brainer that on the enterprise campus, employees, contractors and guests need seamless and secure access to the network and the Internet. Add to this, an increasing set of IOT devices that range from conventional printers and controllers to medical equipment, PLCs, SCADA & industrial control systems, and other equipment that varies by industry. IT has the unenviable job to provide access to all of this equipment while protecting the enterprise network and its assets.
In such a complex and dynamic IT environment, the challenge is not just to determine who gets access to the network, but to implement policies that determine the type of access granted to each device. Many of the larger security breaches in recent times have resulted because attackers compromised a server or controller in the network and launched an internal attack using this compromised system as ground zero. Robust policy control that prevents these devices from deviating from their stated behavior could have prevented many of these attacks, or atleast provided visibility by identifying the deviation in real time for further action from the network admin to limit damage.
However, establishing policy-based access controls based on user and mobile device context is just the tip of the iceberg.
Having a strong policy and enforcement framework is critical as the number and diversity of compute devices grows. Providing secure access to mobile devices will seem easy compared to the task of defining and enforcing policies for the many millions of sensors, beacons, environmental controls, physical security systems, and the many other smart devices that are a part of the IoT movement.
For a policy control framework to be effective in such scenarios, pre-defined static policies must be reinforced with elements of dynamic contextual assessment based on user roles, device types, device ownership, application usage, location and a host of other device specific attributes.
The need for policy-based controls expands to the data center, as well. As technology increasingly makes the data center more dynamic and automated, it's critical to have a robust framework that enables authentication and policy enforcement for the countless number of virtual machines, software containers and compute elements that make up the data center of the future.
Policy enforcement must become more coordinated and adaptive. Today, policies are relatively static, enforced when the user and device are first authenticated. But by incorporating not only contextual data but also sophisticated data analytics, policies can be enforced continually to ensure a true end-to-end security model.
With Aruba ClearPass we have developed and delivered a very strong industry leading authentication and policy framework that is primed to evolve to address these emerging use cases. Given how rapidly this space is evolving, it feels like we are just getting started!
In the short period I have been with Aruba, I am blown away by the expertise and passion of this team. A three pronged approach to delivering visibility and protection to our customers consists of – a holistic central policy engine that covers the entire digital workplace, enhanced by contextual exchange of data from our partners in the industry, and integration with the best inline security solutions for enforcement and protection.
We are making significant progress, so expect for me to share more insight with you on several of these areas very soon. I look forward to your thoughts about how NAC and policy-control frameworks will evolve in your environments.
