Protecting Data Versus Network Security

Reading over the Aberdeen Group's October report "Who's got the NAC? Best practices in protecting network access", I was struck by figure 4, Percentage of End-Users with NAC at the End-Point, where 70% of best-in-class organizations, 80% of average organizations, and 69% of laggards planned to have NAC at the endpoint. What are they thinking?

Could this just be the result of Windows XP Service Pack 3, due out next year, or the adoption of Microsoft Vista, both of which will have Microsoft's NAP client? Maybe not. Our survey indicates that users are less enamored with NAP, where any requirements to integrate with NAP were less than 30% and often far less.

Or is something else at work? In our last survey, about 48% of respondents deploying NAC indicated they would be willing to use host agents, which is on par with other NAC deployments except in-line appliances, which were slightly higher at about 60%. But surveys change, and the answers depend on how the questions are asked.

I think there are a few reasons why Aberdeen is projecting an uptick. Integration, either through frameworks like Microsoft's NAP and Cisco NAC or through standards bodies like the Trusted Computing Group, means agents from multiple vendors can feed data to the NAC agent seamlessly. Not only can the NAC system be used for access control, but the added visibility from the reporting hosts means administrators can generate configuration and inventory reports from the gathered data. I have heard from many organizations that even with desktop management, the reported status of hosts doesn't always agree with the actual configuration. Users can disable agents, for example, or mobile computers may be off-net for long periods. Having a product that corroborates other reports increases the likelihood that configurations are as they seem.

Maybe organizations realize that information security, a more holistic view of network security, means data has to be protected wherever it resides. Only host-based NAC, which typically includes permanently installed features like a desktop firewall, anti-malware, configuration control, and location-based awareness, can ensure that a host is protected where it connects to the network. What is the point of letting company computers out into the wild, hoping they will not get infected, only to allow them back in and then try to clean them up? If the mobile computers are protected 24/7, they probably won't pose much of a threat.

Now, before my NAC friends get after me about the benefits of post-NAC assessment (monitoring user activity) and how you can't trust the host at all: yes, post assessment is still important to do. In fact, in Aberdeen's report, the top two technologies supplementing NAC were patch management at 78% and intrusion detection and prevention at 73%, which speak to the need to watch the watcher (patch management) and monitor activity (IDS/IPS).
