
Compliance Should Not Drive You to NAC

There is so much hype in the IT media and in vendor product pitches about policy compliance that it makes my head swim. Survey results published by Network Instruments show that many organizations don't think they have the data or the means to meet compliance regulations.
No wonder. Compliance is not about products but process. Compliance regulations are still relatively new and as far as I know, there haven't been any legal proceedings or regulatory actions that help define what compliance to a specific regulation means.
Logging and auditing seem to be a particular hot button with vendors: nobody knows which information is important to log (so log it all!), and different products have different views of activity, so what they log may or may not be useful. I am a huge fan of logging for troubleshooting and monitoring purposes. Clearly defined and detailed logs are useful; cryptic logs are not. But just because a product logs events doesn't mean those logs are particularly useful for reporting and auditing.

Many in-line NAC vendors make a point of saying how their products can be used for activity auditing. Web servers, for example, log activity, but the server logs don't tie usernames to IP addresses. HIPAA CFR 164.308(a)(1)(ii)(D) Information system activity review, a required process, states that activity logs must be gathered and reviewed, while CFR 164.308(a)(5)(ii)(C) Log-in Monitoring suggests that login monitoring should be done. In-line NAC solutions are in a position in the network to determine which users are using specific computers and to see the unencrypted application traffic, which potentially allows them to passively monitor activity.
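The point above, that web server logs carry IPs but not usernames and that the mapping can come from sources you already have, as an added example that is not part of the original article: it joins a Common Log Format access log to user-to-IP session records (as an authentication server, DHCP server or NAC system might export them) by source IP and time window, producing the user-attributed activity record a 164.308(a)(1)(ii)(D) review needs. All log lines and sessions are constructed sample data; `attribute_users` and the other names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample access log (Common Log Format): client IPs, no usernames.
WEB_LOG = """\
10.0.0.5 - - [10/Mar/2007:09:15:02 -0500] "GET /patients/123 HTTP/1.1" 200 512
10.0.0.7 - - [10/Mar/2007:09:20:11 -0500] "POST /records HTTP/1.1" 403 0
10.0.0.5 - - [10/Mar/2007:11:05:44 -0500] "GET /patients/456 HTTP/1.1" 200 900
10.0.0.9 - - [10/Mar/2007:11:10:00 -0500] "GET /records/7 HTTP/1.1" 200 128
"""

# Constructed sample user-to-IP sessions (user, ip, start, end) as an
# authentication server, DHCP server or NAC system could export them.
SESSIONS = [
    ("alice", "10.0.0.5", "10/Mar/2007:08:00:00 -0500", "10/Mar/2007:10:00:00 -0500"),
    ("bob",   "10.0.0.7", "10/Mar/2007:09:00:00 -0500", "10/Mar/2007:17:00:00 -0500"),
    ("carol", "10.0.0.5", "10/Mar/2007:10:30:00 -0500", "10/Mar/2007:12:00:00 -0500"),
]

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

def parse_ts(s):
    return datetime.strptime(s, TS_FMT)

def parse_web_log(text):
    """Return (ip, timestamp, request, status) for each well-formed CLF line."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            ip, ts, request, status, _size = m.groups()
            entries.append((ip, parse_ts(ts), request, int(status)))
    return entries

def attribute_users(web_log_text, sessions):
    """Join each request to the user who held its source IP at that moment.
    The same IP reused by two users on one day is resolved by time window; a
    request with no session is marked UNKNOWN (and overlaps AMBIGUOUS) so the
    gap is visible to the reviewer instead of silently dropped."""
    sess = [(u, ip, parse_ts(a), parse_ts(b)) for u, ip, a, b in sessions]
    report = []
    for ip, ts, request, status in parse_web_log(web_log_text):
        users = [u for u, sip, start, end in sess if sip == ip and start <= ts <= end]
        user = users[0] if len(users) == 1 else ("AMBIGUOUS" if users else "UNKNOWN")
        report.append((ts.isoformat(), user, ip, request, status))
    return report
```

The UNKNOWN rows are the interesting output for an auditor: they show where the existing sources do not cover an address, which is the gap a NAC vendor would point to, and which a DHCP or switch authentication log would usually close.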

However, regulations (or suggestions) such as CFR 164.308(a)(5)(ii)(B) Protection from malicious software and CFR 164.312(c)(1) Standard: Integrity stipulate that steps be taken to ensure that systems are securely managed and that data has not been altered. A NAC system that does host assessments could report on host integrity and corporate configuration compliance, but I bet you already have that information in other systems, just waiting to be integrated into a report.

There are many other useful drivers for NAC, such as automated user-based network access control, malicious activity control, and containment, to name a few, but compliance should not be one of them. Audit and event data can be gathered from other sources. Judicious use of existing security technology (and documentation of the same) can demonstrate and enforce access control requirements. But most important is that your company needs to have a program in place.