I came across an interesting article discussing how the U.S. Department of State has recently shown interest in adopting network access control (NAC) tools that perform pre-admission access control. The intent is driving the development of standards that help organizations secure their network from malicious hacker attempts. There is a mounting concern that the nation's critical infrastructure — ranging from the electricity grid to banking systems to defense contractors — is far from being secure. To this end, the SANS (SysAdmin, Audit, Network, Security) Institute has worked with security professionals both inside and outside of government agencies to develop the Consensus Audit Guidelines. There are 20 controls in this program to tackle cybersecurity issues. NAC is identified to help with “Critical Control 12: Malware Defenses.”

 

NAC helps organizations create or leverage existing security policies by enforcing them at the various layers of the network. The most common use case for NAC is to enforce policies for keeping endpoints up-to-date; this includes patch management and system configuration. However, this is a pretty rudimentary use case. NAC is much more valuable when applied to the automation of various security, asset management, and access control policies. That’s why NAC is such a good fit in many cybersecurity initiatives. Specifically, it can help: 1) develop a secure B2B environment; 2) build a secure Smart Grid; and 3) streamline government and industry compliance mandates like FISMA, NERC, PCI DSS, and HIPAA.

  

We predict NAC tools will play an important role in end-to-end access control lifecycle management. The majority of cybersecurity initiatives require an ongoing management of user identity tied to specific users’ devices and applications. But there will need to be some enhancements beyond today’s standard NAC deployment. The industry needs to build out support for the TNC IF-MAP standards. Doing so will make sure NAC plays a critical component in building out: 1) IAM-based solutions to provide role-based access control; and 2) next generation SOC initiatives that leverage SIM to monitor assets and devices for vulnerabilities and threats.

 

The U.S. Department of State’s interest in implementing Consensus Audit Guidelines in conjunction with NAC is encouraging, but at the same time it's important not to pigeonhole NAC’s functions to commodity features like pre/post admission, remediation, and policy enforcement. Organizations should look at the bigger picture and specifically how NAC can help streamline security operations by automating and performing recursive security tasks.

Can NAC help the federal government to streamline controls for cybersceurity initiative?