Network Computing is part of the Informa Tech Division of Informa PLC

What NAC Doesn't Solve

Is it too early in the NAC space to start talking about revolution or evolution? Maybe. But there are some interesting changes going on. The whole of NAC has really been centered around assessing an endpoint's health and making an access decision, like granting access or enforcing quarantine. That's all well and good, but really, you're protecting the network from an infected or malicious host. It's not really access control.

Many products do take into account identity information before making an access decision, but the implementation is often coarse-grained: either a host is managed or not, or the user is known. Still not quite access control. The whole idea of "identity-based network access control" is much more than that. It really comes down to granting access to resources based on who you are.

The problem with data security today is that in many organizations, access to resources is not well defined or controlled across a broad range of applications. It's impossible to centrally define a role with all the access controls for all the network applications a user might need because, quite simply, there are no common standards that operating system, authentication system, and application vendors all adhere to. Sure, there has been work with SAML, but few systems support it. Hell, I have a hard enough time just getting all my network stuff to authenticate to one user store. How much harder would it be to get role and access permissions too?

There are applications that do have identity-based access control. For several years there have been products like Oracle's Access Manager and RSA's Access Manager that allow specific roles and actions to be defined and assigned to users and groups. Hence, outside of the application itself, granular access control is applied to web applications. Other enterprise applications like SAP and PeopleSoft offer similar features. But for the rest of the stuff we use, the only identity-based access control is a logon.

I like to think to the future and what I would like to see happen. There are two things that need to happen when making an access control decision. First, the host needs to be healthy to even access the network. If it isn't healthy, then it needs to be dealt with. That could mean remediation, quarantine, or simply being granted access to the internet and nothing else. Computer health doesn't depend on who is sitting at the keyboard, because malicious programs like worms and bots don't care who is logged in. A CEO with an infected laptop is just as big a threat as the lowly clerk. They need to be treated the same. Oh, I know. "It's the CEO, we can't cut him off!" And that might be the case. But it is unreasonable, and I bet in many cases, if you present a reasonable case for why this is a sound policy, it will be adopted. Doesn't hurt to try, right?
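To make the two-step decision concrete, here is a small added example of a policy engine written for this post (not code from the original article or from any NAC product). It assesses endpoint health first, with no reference to the user, and only a healthy host proceeds to a role-based check against the requested resource. The posture fields, role names, resource names and the seven-day signature threshold are all constructed assumptions.

```python
"""
Toy NAC policy engine illustrating the two-step decision:
1. endpoint health is assessed with no reference to who is logged in;
2. only a healthy endpoint proceeds to an identity-based (role) check
   for the specific resource being requested.
All roles, resources and posture fields are constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Health(Enum):
    HEALTHY = "healthy"
    INTERNET_ONLY = "internet-only"  # e.g. missing patches: internet only, nothing internal
    REMEDIATE = "remediate"          # e.g. stale AV signatures: send to remediation network
    QUARANTINE = "quarantine"        # active infection: isolate completely


@dataclass(frozen=True)
class Posture:
    av_running: bool
    signature_age_days: int
    patched: bool
    infected: bool


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    posture: Posture


# Hypothetical, centrally defined role -> resource mapping (the "who you are" part).
ROLE_RESOURCES = {
    "ceo": {"internet", "email", "finance-app", "hr-app"},
    "clerk": {"internet", "email", "finance-app"},
    "contractor": {"internet"},
}

MAX_SIGNATURE_AGE_DAYS = 7  # constructed threshold


def assess_health(p: Posture) -> Health:
    """Step 1: posture only. This function never sees the user or the role,
    so the CEO's infected laptop and the clerk's get the same verdict."""
    if p.infected:
        return Health.QUARANTINE
    if not p.av_running or p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        return Health.REMEDIATE
    if not p.patched:
        return Health.INTERNET_ONLY
    return Health.HEALTHY


def authorize(session: Session, resource: str) -> Tuple[Health, bool]:
    """Return (health verdict, whether access to `resource` is granted)."""
    health = assess_health(session.posture)
    if health in (Health.QUARANTINE, Health.REMEDIATE):
        return health, False                   # nothing but the remediation path
    if health is Health.INTERNET_ONLY:
        return health, resource == "internet"  # the internet and nothing else
    # Step 2: identity-based resource check, reached only by healthy hosts.
    allowed = resource in ROLE_RESOURCES.get(session.role, set())
    return health, allowed


if __name__ == "__main__":
    clean = Posture(av_running=True, signature_age_days=1, patched=True, infected=False)
    infected = Posture(av_running=True, signature_age_days=1, patched=True, infected=True)
    print(authorize(Session("alice", "ceo", infected), "finance-app"))  # (Health.QUARANTINE, False)
    print(authorize(Session("bob", "clerk", clean), "finance-app"))     # (Health.HEALTHY, True)
```

The point of the split is auditability: a log of `assess_health` verdicts can be reviewed on its own to confirm that no identity ever influenced a quarantine decision, while the role map is the single place where "who gets what" is defined.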