As long as enterprise organizations try to maintain private networks, the challenge of determining which devices are considered safe for entry will remain. Whether this access decision is made via physical or virtual enforcement controls does not matter from a policy perspective. Organizations desiring private LANs will want something workable to determine which devices are allowed admission, and which are not.
Traditional enterprise security teams have relied on network access control (NAC) to provide such policy enforcement. NAC is somewhat like transportation security at your local airport: you arrive at a checkpoint, you present the requested credentials, you go through some careful screening, and then an access decision is made. None of this is convenient, and none of it happens instantaneously. But we all agree that it is necessary.
I had the opportunity to sit down recently in Midtown Manhattan with Ofer Amitai, Founder and CEO of Portnox, a cyber security company with significant expertise in implementing NAC for the enterprise. I was keen to ask Ofer about his views on the prospects for NAC in a world where the traditional LAN is being rapidly evolved by mobile and cloud. I was also interested in his thoughts on the disappointment many security experts have previously expressed with NAC. Here is what I learned:
Amitai was certainly aware of the challenges of enterprise NAC, agreeing that many 802.1X-based implementations have been burdened by unbridled complexity. But he was upbeat about the prospects for improved NAC in the modern enterprise, coupled with powerful means for extending such protections to the cloud. "Next generation network access controls for cloud," he explained, "will be a critically important component of the virtual enterprise."
The original approaches to NAC had several challenges from the outset. First, they tended to be vendor specific, with required endpoint agents and mitigations based on manipulating network traffic. These methods carried considerable downside. For example, few non-trivial networks are built on the capabilities and offerings of a single network vendor. Even in the presence of standards, interoperability issues were often the root cause of problems.
Portnox has focused its NAC product efforts on addressing these familiar challenges directly for both the enterprise LAN and the extended hybrid cloud (to include IoT systems as well). Seamless, agnostic coverage of multiple vendor deployments, for example, is one of the focus areas of Portnox - and this should be welcome news to any network security manager supporting complex functional requirements for the hybrid enterprise. I was happy to see it emphasized.
Perhaps the most evolved NAC consideration in the Portnox suite is its emphasis on visibility across access layers. Surprisingly, early attempts at visibility from NAC were downplayed, simply because of the (stubborn) presumption that access policy would be enforced at LAN admission time. This carries the implicit assumption that only good devices would ever be permitted entry to the LAN - which we all know is not how things evolved.
This is good news for any CISO team gradually shifting their perimeter-based LAN to hybrid cloud. We know that the requirement to protect device admission to the corporate network will remain in compliance frameworks, regardless of any architectural evolution. So, teams should partner now with NAC vendors who get both the present and future. The Portnox platform seems to fit that bill well.