Network Access Control (NAC): Why is It Important?
Network access control (NAC) provides a way to embed access control and endpoint security policies within your organization’s network infrastructure. Typically adopted by large enterprises, NAC offers substantial benefits to companies with large workforces and device populations.
However, NAC has been less accessible to small and mid-sized organizations. Moreover, today’s cyber threat environment has eroded the effectiveness of traditional NAC solutions.
In the face of those issues, can more modern approaches secure sensitive resources while providing seamless, performant network access?
Let’s find out.
Network access control manages traffic on a network or between parts of a network through authentication and policy enforcement. When a user tries to connect to a network, the NAC system holds the connection while it performs a risk assessment.
A NAC system uses two approaches to protect networks. Pre-admission NAC blocks users, devices, and endpoints from making an initial connection to the network. It will only permit access if the attempt passes authentication, authorization, and compliance policies.
Rather than the simple validation of authorized users, a NAC system can help implement role-based access control (RBAC) strategies by evaluating whether the user’s role justifies access to the network.
At the same time that it authenticates and authorizes users, the NAC system evaluates their devices’ security posture. If a device is not compliant, the NAC will route its connection to a quarantined network for remediation.
The access that pre-admission NAC grants to users and devices does not extend to other parts of the network. Post-admission NAC applies the assessment and authorization process to any attempts to move through the network. This feature has made NAC a common way to manage access to segmented networks.
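To make the pre-admission and post-admission flow concrete, here is a small decision engine written for this article (not from the original post or any vendor product). The roles, segments, patch threshold and the `quarantine-vlan` name are all constructed assumptions.

```python
# Added example (not from the post): toy NAC decision engine covering
# pre-admission and post-admission checks. Every role, segment and
# threshold below is constructed for illustration.
from dataclasses import dataclass

QUARANTINE = "quarantine-vlan"  # constructed remediation network name
MIN_PATCH_LEVEL = 42            # constructed compliance threshold
# Constructed policy: which roles may enter which segment (RBAC).
SEGMENT_ROLES = {
    "corp-lan": {"employee", "contractor", "admin"},
    "finance": {"finance", "admin"},
    "mgmt": {"admin"},
}

@dataclass
class Device:
    agent_installed: bool
    patch_level: int  # higher is more current

@dataclass
class User:
    authenticated: bool
    role: str

def posture_violations(device: Device) -> list[str]:
    """Return the compliance checks a device fails (empty list = compliant)."""
    problems = []
    if not device.agent_installed:
        problems.append("missing NAC agent")
    if device.patch_level < MIN_PATCH_LEVEL:
        problems.append("outdated patches")
    return problems

def pre_admission(user: User, device: Device, segment: str) -> tuple[str, str]:
    """Initial connection: returns (decision, segment or reason)."""
    if not user.authenticated:
        return "deny", "authentication failed"
    if user.role not in SEGMENT_ROLES.get(segment, set()):
        return "deny", f"role {user.role!r} not authorized for {segment}"
    problems = posture_violations(device)
    if problems:  # held in a remediation network rather than refused outright
        return "quarantine", QUARANTINE + ": " + ", ".join(problems)
    return "allow", segment

def post_admission(user: User, device: Device, current: str, target: str) -> tuple[str, str]:
    """A move between segments is re-evaluated like a fresh admission."""
    if current == QUARANTINE:
        return "deny", "quarantined devices may not move laterally"
    return pre_admission(user, device, target)
```

Note that a quarantined device is refused lateral movement outright, while a compliant device must still pass the role check for every segment it tries to enter.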
Large corporations were among the first to adopt NAC because it simplified the management of their complex networks and user bases. Among the benefits NAC offers:
NAC solutions block a significant hole in network security by denying network access to non-compliant user devices. NAC client agents — whether running on a managed laptop or a user’s cellphone — ensure all devices connected to the network have the latest security updates. The quarantine and remediation systems provide a final line of defense to keep compromised and non-compliant devices off the network.
User devices and endpoints are the primary vectors for cyber attacks. NAC solutions give security professionals detailed views of the devices connected to their networks and the security posture of each device. This visibility provides actionable insights into the network’s security risks.
NAC solutions are built into a company’s network infrastructure, which executes NAC policies automatically. As users and devices navigate through a highly segmented network, the NAC solution’s automation reduces administrative overhead.
While these benefits should appeal to small and mid-sized companies as well, traditional NAC solutions require the resources of larger enterprises. Experienced professionals are needed to implement NAC within a segmented network architecture. In addition, NAC is not a set-it-and-forget-it solution. Dedicated employees must monitor the system, address emerging threats, and respond to business needs.
Yet even the largest corporations are struggling with NAC. Changing technology and shifts in the nature of the workforce have made access control complicated. Consider these recent survey results:
- 70% of IT professionals say employee-owned devices are allowed in the office — and 20% say the same about contractors’ personal devices. (TechRepublic)
- 82% of corporate leaders plan to integrate remote policies with their workforce after the pandemic ends. (Gartner)
- 60% of business leaders expect the use of freelance and other on-demand workers will let them shrink their core employee base. (Harvard Business School)
The mainstreaming of bring your own device (BYOD) policies pushes NAC solutions to their limits. Consider how hard it is to create consistent policies for users’ smartphones. Practically all iPhone users have simultaneous access to the latest iOS version, but the fragmented Android ecosystem takes months or years to fully secure.
The modern workforce also makes NAC more difficult to manage. In addition to employees, companies rely on a mix of freelancers, consultants, and other third parties. These people come and go and their roles change frequently. Only a dedicated administrative team can keep up with the constant churn in permissions.
A particular weakness of many NAC solutions is their hardware dependence. Cisco first rolled out its NAC solution in 2004 by adding enforcement functions to its IOS routers. Cisco switches, concentrators, access points, and other devices followed the next year, pushing NAC to the network edge. Other hardware vendors followed Cisco’s lead and added NAC features to their network infrastructure offerings.
Unfortunately, the hardware-centric approach to network security is increasingly problematic. These devices become targets for cybercriminals — and not just the sophisticated actors with 0-day exploits. Many recent security breaches were the result of known security flaws that went unpatched:
- IBM’s Threat Intelligence Index identified network vulnerabilities as the top attack vector in 2020. Scan-and-exploit techniques accounted for 35% of all cyber attacks.
- Citrix hardware was a popular target as exploits found in 2019 and 2020 required companies to make frequent patches to their access control devices.
- Unpatched Pulse Secure VPN systems allowed ransomware attacks on currency exchange service Travelex in 2020 that sent the company into bankruptcy.
The relative obscurity of smaller organizations offers no protection. Small businesses are the target of 43% of cyber attacks and most of those successfully attacked shut their doors within six months.
Given the inherent weakness of hardware-based security approaches, organizations are turning to more modern approaches to network access control.
Rather than protecting a fraying physical network, they are adopting software-defined perimeters. SDPs focus on protecting individual resources by separating the logical network from the physical network. This approach offers another advantage: SDP lets companies manage on-premises and remote users within the same system.
The most robust way to address modern security threats is to implement an SDP with a Zero-Trust Network Access (ZTNA) solution. As the name implies, ZTNA does not assume that any user or device can be trusted at any time. Users are denied access by default unless they pass a need-to-know assessment. ZTNA also assesses the security posture of the user’s device and incoming network connection. The user, device, and network assessments determine what kind of permissions to grant.
Implementing SDP with a ZTNA-based product lets organizations establish secure, fine-grained perimeters around each resource without expensive investments in brittle hardware infrastructure. Cloud-hosted and X-as-a-Service resources can be protected within the same system.
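The following is an added illustration of the ZTNA decision described above, written for this article rather than taken from Twingate or any other product: each resource is evaluated on its own, access is denied by default, and the user, device and network assessments together decide how much access to grant. The resources, user names, network labels and the graded access levels are constructed assumptions.

```python
# Added example (not Twingate's code or the post's own): a toy ZTNA
# policy that evaluates user, device and network context per resource
# and denies by default. All resources, levels and thresholds are constructed.
from dataclasses import dataclass
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2

@dataclass(frozen=True)
class Context:
    user: str
    mfa_passed: bool
    device_managed: bool
    device_compliant: bool
    network: str  # constructed labels: "office", "home", "public"

# Constructed need-to-know table: resource -> users allowed at all.
NEED_TO_KNOW = {
    "payroll-db": {"carol"},
    "wiki": {"alice", "bob", "carol"},
}
NETWORK_RISK = {"office": 0, "home": 1, "public": 2}

def evaluate(ctx: Context, resource: str) -> Access:
    """Per-resource decision; anything not explicitly granted is denied."""
    if not ctx.mfa_passed or ctx.user not in NEED_TO_KNOW.get(resource, set()):
        return Access.NONE
    if not ctx.device_compliant:
        return Access.NONE
    risk = NETWORK_RISK.get(ctx.network, 2)  # unknown networks treated as public
    if ctx.device_managed and risk == 0:
        return Access.READ_WRITE
    if ctx.device_managed or risk <= 1:
        return Access.READ  # reduced rights for a riskier device/network combination
    return Access.NONE      # unmanaged device on a public network

def decisions(ctx: Context) -> dict[str, Access]:
    """Every resource is evaluated independently: there is no network-wide grant."""
    return {r: evaluate(ctx, r) for r in NEED_TO_KNOW}
```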
Knowing your organization is the first step to selecting the right network access control product. You need a solution that can handle the nature of your workforce, the ecosystems of devices they use, as well as the variety of protected resources.
Map out the networks and resources you need to protect. Do not limit your survey to on-premises assets. You need to include all of your hybrid-cloud applications and XaaS cloud services as well. With this understanding, you can assess how well access control solutions protect the full scope of your resources.
You also need a clear picture of the ecosystem of devices — managed and user-owned — that connect to your resources. Then you can determine how easy it will be to provision these devices with a network access control solution’s software agents. You also need to consider how transparent those agents are on user-owned systems.
Finally, you need to take a look at your user base, flexible working policies, and the degree of contracting your company does. A network access control system should be robust enough to handle diverse, dynamic workplaces. At the same time, it cannot add administrative overhead.
Access control solutions that require extensive infrastructure upgrades could disrupt business operations. Phased implementations make the transition easier. Focus the first phase on workgroups that benefit most from a frictionless, performant access control solution. Migrate the solution out to other groups once the first phase is running smoothly.
In addition to supporting a phased implementation, consider how a network access control solution will scale with your organization. Is it responsive enough to handle short-term peaks and troughs in the user base? Can it handle rapid, long-term growth?
Traditional NAC solutions use the capabilities of a company’s physical network to automatically provide access to authenticated and authorized users — provided their devices’ security posture complies with established policies. For enterprises with the right resources, NAC secures segmented networks and provides actionable visibility over connected devices.
However, traditional NAC solutions are less effective in today’s cybersecurity environment. In some cases, NAC hardware is the vector through which cybercriminals breach the network’s secure perimeter.
Twingate offers a modern approach to network security that uses software-defined perimeters and principles of Zero Trust Network Access. Rather than granting access to networks and subnets, Twingate lets you protect each of your individual resources, whether on-prem or in the cloud. Your users can access the resources they need to get their jobs done whether at the office, at home, or on the road. Contact Twingate to learn more.