Posted by Bryan Vale / December 21, 2017
In the mid-2000s, network access control (NAC) became the accepted solution for on-premises networks. NAC restricted access for devices that did not comply with company policy or had become infected with malware.
NAC developed for environments in which company data was stored on internal servers and employee devices connected to localized, on-premises Wi-Fi networks. If devices ever left the network and became infected, or if devices were used improperly and were in danger of being compromised, NAC could restrict access to these internal servers and thus prevent infected or otherwise noncompliant endpoints from connecting to corporate data.
But it is no longer the mid-2000s, and in 2018 and beyond, NAC should for all intents and purposes be considered outmoded.
1. The Cloud
The localized Wi-Fi/internal servers network model has been thoroughly disrupted by cloud computing. Corporate servers are hosted in the cloud – that is to say, in servers that are physically located around the world – and corporate applications can be accessed from anywhere by any device using any network.
There is no one localized network perimeter to defend anymore.
2. SaaS Applications
Traditional NAC solutions were designed when PCs were the predominant access device and applications were hosted in the main data center. In this model, remote access was a one-way traffic direction in a hub-and-spoke network model, facilitated by a perimeter VPN (virtual private network) gateway.
Today, SaaS applications can be accessed from anywhere, by anybody, from any device. They are hosted in the cloud and often have in-browser portals, and users need only their credentials to access them. NAC solutions that depend on VPNs for outside-the-perimeter application access and authorization require data traffic to be hairpinned back through the perimeter gateway before it can reach the application.
3. BYOD
When all desktop computers were owned by the organization and the BlackBerry was the world's only smartphone, it was simple to make and maintain whitelists of allowed devices and blacklists of disallowed ones.
However, that is not the case for modern organizations.
BYOD (bring your own device) environments have complicated the network access picture. More devices and more kinds of devices than ever are connecting to corporate networks. Even if employees do not use their personal devices for official business purposes, they may expect to be able to connect their personal devices to the network and to sensitive cloud resources anyway. Additionally, office visitors – partners, contractors, interviewees, etc. – will likely expect access to the network on their devices.
4. Shadow (Cloud) IT
"Shadow IT" refers to systems or processes that have been set up within an organization that are not sanctioned or monitored by that organization's IT department. Many enterprises today likely have to deal with shadow cloud IT.
Official IT infrastructure for many organizations is still all on-premises. But employees may be using the cloud anyway, finding it easier to work, collaborate, and share documents in Google Drive or Office 365.
This is another form of SaaS application adoption, except that it is unsanctioned by organizations.
5. Shadow BYOD
Even if it's against company rules, it's highly common for employees to use their own devices at work. According to multiple studies, about 70% of employees use their personal devices for work – at least 20% in spite of anti-BYOD corporate policies.
Unsanctioned BYOD usage introduces yet more possibilities for infection; conversely, disallowing BYOD usage may result in employees finding ways to get around the policy in order to access Wi-Fi, email, files, and other resources.
This variant on the rise of BYOD introduces more corner cases that existing security policies may not consider.
6. Too Many Integrations
Many NAC solutions have been retrofitted for the new situation created by these developments, but this only introduces more layers of complexity to an already complex access control situation.
NAC solutions adapted for the cloud need to be integrated with a number of other solutions in order to be effective. To properly enable users to sign in and access SaaS applications, NAC solutions will need to be integrated with identity providers (IdPs). To monitor devices and protect corporate data stored on endpoints, endpoint monitoring, endpoint detection and response (EDR), and mobile device management (MDM) solutions may be necessary. NAC solutions may also be integrated with VPNs to keep network traffic secure.
NAC was effective for the problem it was created to solve, but subsequent technological advancements and the consumerization of portable computing devices have introduced new problems.
The new computing model requires new cyber security solutions, and OPSWAT released MetaAccess earlier this year just for this reason. MetaAccess is a cloud-native solution that addresses all these concerns by assessing device health and blocking noncompliant devices. Built specifically for the cloud, MetaAccess does this without necessitating the complex integrations common to NAC solutions.