What NAC Doesn't Solve

Is it too early in the NAC space to starting talking about revolution or evolution? Maybe. But there are some interesting changes going on. The whole of NAC has really been centered around assessing an endpoint's health and making an access decision like granting access or enforcing quarantine. That's all well and good, but really, your protecting the network from an infected or malicious host. It's not really access control. Is it too early in the NAC space to starting talking about revolution or evolution? Maybe. But there are some interesting changes going on. The whole of NAC has really been centered around assessing an endpoint's health and making an access decision like granting access or enforcing quarantine. That's all well and good, but really, your protecting the network from an infected or malicious host. It's not really access control.

Many products do take into account identity information before making an access decision, but the implementation is often course grained???either a host is managed or not or the user is known. Still not quite access control. The whole idea of ???identity based network access control??? is much more than that. It really comes down to granting access to resources based on who you are.

The problem with data security today is that in many organizations, access to resources is not well defined or controlled across a broad range of applications. It's impossible to centrally define a role with all the access controls for all the network applications a user might need because quite simply, there are no common standards that all the vendors from operating system, authentication system, and application vendors adhere to. Sure, there has been work with SAML, but few systems supporting it. Hell, I have a hard time enough just getting all my network stuff to authenticate to one user store. How much harder would it be to get role and access permissions too?

There are applications that do have identity based access control. For several years that have been products like Oracles Access Manager and RSA's Access Manager products that allowed specific roles and actions to be defined and assigned to users and groups. Hence, outside of the application itself, granular access control is applied to web applications. Other enterprise applications like SAP and PeopleSoft offer similar features. But for the rest of the stuff we use, the only identity based access control is a logon.

I like to think to the future and what I would like to see happen. There are two things that need to happen when making an access control decision. First, the host needs to be healthy to even access the network. If it isn't healthy, then it needs to be dealt with. That could mean remediation, quarantine, or simply only granted access to the internet and nothing else. Computer health doesn't matter who is sitting at the keyboard because malicious programs like worms and bots don't care who is logged in. A CEO with an infected laptop is just as big a threat as the lowly clerk. They need to be treated the same. Oh, I know. "It's the CEO, we can't cut him off!" And that might be the case. But it is unreasonable and I bet in many cases if you present a reasonable case for why this is a sound policy, it will be adopted. Doesn't hurt to try, right?The second thing that needs to happen is that only authorized people should have access to resources. This is beyond the purview of NAC as it is defined today and really has broad reaching implications. Because whether or not some has access to resources is entirely different than if someone's computer is infected. Just because a computer has a virus doesn't mean that it will adversely affect data it has access to. When the two requirements are conflated, that is when you get into these messy situations where it's OK for one group of people to have a computer on an undesirable state where others can't. What is worse? A host that mis-configured or one with a out of data virus definition file? Neither case means the host is vulnerable, right?

But that is what the features allow in NAC products today and maybe that is driven by market demand. I don't know. What I do know is that computer health access decisions need to happen first, and then identity based decisions can be applied. Avoid the exception policies for so-called high value people. That only leads to bigger problems.