Next-generation network access control
Published by: quocirca on Dec 04, 2013
Copyright Quocirca © 2013
Bob Tarzey, Quocirca Ltd, Tel: +44 7900 275517, Email:
Bernt Østergaard, Quocirca Ltd, Tel: +45 22 11 55 91
Next-generation network access control
Advancing governance, risk and compliance controls in the frenetic enterprise
August, 2013
There are a range of pressures, both internal and external, that are brought to bear on any organisation with regard to its governance, risk and compliance (GRC) obligations and the IT controls needed to meet them. These must be met against a background of rapid change in the way IT systems are deployed and data is accessed and used, including changing patterns of end user device use, new network configurations, virtualisation and the growing use of cloud-based services. To keep users, their devices and the networks that provide them with access to systems, data and applications compliant and secure, many are turning to next-generation network access control systems (NG-NAC). This report looks at the applied use of NG-NAC to support IT-GRC controls, through the lens of three real world case studies in financial services, healthcare and creative media services.
Next-generation network access control (NG-NAC) systems enable organisations not just to know who and what is on their network, but also to put in place role- and device-based policy controls. The aim is to ensure devices are compliant before full or limited network access is granted, by fixing configuration and security issues, and then, once access is granted, to maintain control and prevent ongoing policy violation.
IT governance, risk and compliance controls challenge all organisations
There are numerous requirements of any organisation with regard to meeting its governance, risk and compliance (GRC) obligations. These are necessary to meet internal and external business expectations as well as those legally imposed by industry or government regulators. To this end the IT function has to map management and security tools against varying control specifications. Maintaining these IT controls presents one of the biggest challenges when it comes to satisfying GRC objectives.
Diversity in the way IT resources are accessed exacerbates the problem
The growing use of mobile devices, the trend to bring-your-own-device (BYOD), broad availability of network-based resources, the growing use of wireless networking, cloud-based services and end-point proliferation through increased virtualisation all add complexity to the task of making sure IT systems are capable of meeting GRC control requirements.
NG-NAC enables IT-GRC controls and increases competitiveness
NG-NAC can enable network visibility and granular policies around all users, devices, configurations and applications. NG-NAC can ensure any IP-enabled endpoint is in compliance before access is granted, and take remedial action if it is not. The broad capabilities of NG-NAC systems enable a level of visibility and reporting that many organisations have found hard to achieve before, and are providing those that have deployed them with a competitive edge.
Deployment must be sensitive to the requirements of the business and users
Whilst it is in the interests of a business to ensure the use of its IT resources is in line with GRC controls, it is also necessary to make sure that the restrictions put in place do not overly limit users from doing their jobs and the business from achieving its goals. To this end NAC deployments need to be staged, with policies being tested and adjusted according to business requirements as well as user, device and data access risks. Policy flexibility and manageability are critical, since policies will change over time as both business requirements and technology evolve.
NG-NAC delivers IT resource optimisation
NG-NAC systems interface with network infrastructure and security systems. Through such interoperability real-time operational and compliance details can be provided to IT managers. Furthermore, details can be provided to other systems such as security information and event management (SIEM) and mobile device management (MDM) tools. Conversely, these external reporting and alerting systems can send instructions to NG-NAC tools to request the mitigation or remediation of certain issues.
NG-NAC satisfies GRC requirements across different industries
The financial services sector is highly regulated and likely to become more so. For the organisations reviewed in this report, NAC ensures IT managers know about everything on their network and that traders are working on compliant systems. The healthcare industry is also heavily regulated and, beyond traditional endpoints, medical devices also need managing. In the creative services industry there is a need to secure both employee and visitor use of unmanaged PCs, tablets and smartphones whilst maintaining a good user experience.
The three case studies presented in this report show how NG-NAC has been effectively deployed to satisfy various industry requirements to improve not only GRC controls, but also operational efficiency and competitive advantage. They have used NG-NAC (in this case ForeScout’s CounterACT) to support a range of IT applications, optimised the use of IT resources and created a more secure work environment for all users, be they employees or guests.
Introduction: the network control challenge
There are requirements of any organisation with regard to meeting its governance, risk and compliance (GRC) obligations. These may be to satisfy internal business expectations, to reassure customers, partners and suppliers, or to meet the legally imposed requirements of industry or government regulators. These compliance mandates often relate to how a company maintains the integrity and security of its information technology (IT) operating environment, including how it secures endpoint devices and networks as well as assures the appropriate access to, and use of, sensitive resources and data. The necessary policies and controls must be mapped to the specifications of these multiple internal and external mandates as part of any organisation’s drive to stay in compliance. To this end various IT management processes and security tools need to be compared against compliance specifications. The challenge in enacting and maintaining IT controls is exacerbated by increased diversity in the way systems and data are accessed. Five major IT trends are driving this:
The growing use of personal mobile devices
The broader accessibility of network-based resources, in particular for external users
The growing use of wireless networking
The increased use of cloud-based services
Increased virtualisation, which, among other things, can increase the number of endpoints on a given network
Traditional security measures such as firewalls and host-based protection are no longer sufficient on their own to protect data and satisfy compliance requirements. It is essential to be able to track who is doing what, from where, to which systems, using which devices, as well as to understand the security state of those devices. A big part of this is knowing what devices are attaching to networks, applying policies before access is granted and controlling what users can do. Both before and after network access has been provided, devices and their users should be monitored to ensure that they adhere to policy and do not exhibit unwanted behaviour. What counts as unwanted will depend on the policies of a given organisation; examples could include:
Controlling the use of an instant messaging or peer-to-peer application to make sure logging and security controls are active
Preventing users or the system from disabling a required host-based security control such as encryption
A business can apply policies to devices it owns and manages with relative ease; even then, basic device-based controls, such as patching or the running of security software, can be challenging. However, a far greater challenge is the deluge of personal mobile devices, owned by employees or external users, that are being brought into the work environment. Although access policies may vary between employees and guests, both are part of the growing trend to bring-your-own-device (BYOD), a big part of the consumerisation of IT (another term used is CYOD, choose-your-own-device, where employers still own devices but allow employees to choose from a prescribed range). To maintain controls and ensure the ‘good health’ of endpoints, some organisations rely on the installation and use of device-based agents to maintain device security and integrity; for example, making sure security and operating system software is up to date and correct. If these device-based agents are not installed, are deactivated, or are not functioning correctly, then the device cannot be managed, leaving the organisation concerned with security and compliance gaps. Some industry estimates suggest as many as 20% of devices on a corporate network may be “unknown” and as many as 30% non-compliant. Worse still, when a device is not owned by the business, agent-based security controls simply cannot be relied on, as it will often not be possible to install the agent. This requires a different, agentless approach whereby there is a
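The pre-admission and post-admission control loop described above (posture checks before full or limited access is granted, remediation for failures, re-evaluation once a device is on the network, and the "unknown" and "non-compliant" inventory figures) can be made concrete with a small policy evaluator. The following is an added illustration written for this edit; it is not Quocirca's or ForeScout's code and does not model CounterACT's policy language. The device attributes, the owner classes (`corporate`, `byod`, `guest`), the policy names and the three access tiers are all constructed assumptions, as are the sample device records.

```python
"""Posture-based network access decisions: an added example, not code from the report.

Device attributes, owner classes, policy names, access tiers and the sample
inventory below are all constructed for illustration (hypothetical values).
"""
from dataclasses import dataclass, field, replace

# Constructed access tiers: full production access, a restricted (e.g. guest) segment,
# or an isolation segment where only remediation services are reachable.
FULL, LIMITED, QUARANTINE = "full", "limited", "quarantine"


@dataclass
class Device:
    mac: str
    owner: str                  # "corporate", "byod" or "guest" (constructed classes)
    known: bool = True          # present in the asset inventory
    agent_running: bool = False # device-based agent installed and functioning
    disk_encrypted: bool = False
    patches_current: bool = False
    im_logging_on: bool = True  # instant-messaging client has logging enabled


@dataclass
class Decision:
    access: str
    violations: list = field(default_factory=list)
    remediation: list = field(default_factory=list)


# Posture checks that can only be verified through a working agent on a managed device.
# Each entry: (policy name, predicate true when compliant, remediation action).
CORPORATE_CHECKS = [
    ("disk-encryption", lambda d: d.disk_encrypted, "enable full-disk encryption"),
    ("patch-level", lambda d: d.patches_current, "push outstanding OS/security patches"),
    ("im-logging", lambda d: d.im_logging_on, "re-enable instant-messaging logging"),
]


def evaluate(device):
    """Pre-admission decision for one endpoint (also used for re-checks after admission)."""
    if not device.known:
        # Nothing is known about the device, so it is isolated until identified.
        return Decision(QUARANTINE, ["unknown-device"], ["identify and register device"])
    if device.owner != "corporate":
        # Agent state cannot be relied on for devices the business does not own, so
        # posture is not assessed and full access is never granted on that basis.
        return Decision(LIMITED)
    if not device.agent_running:
        # Without a functioning agent no other control can be verified or fixed.
        return Decision(QUARANTINE, ["agent-running"], ["reinstall or restart endpoint agent"])
    decision = Decision(FULL)
    for name, compliant, fix in CORPORATE_CHECKS:
        if not compliant(device):
            decision.violations.append(name)
            decision.remediation.append(fix)
    if decision.violations:
        # Partial access while remediation runs, rather than a hard block.
        decision.access = LIMITED
    return decision


def recheck(device, **observed_changes):
    """Post-admission control: apply an observed change (e.g. encryption switched off)
    and re-evaluate, returning the new decision without mutating the stored record."""
    return evaluate(replace(device, **observed_changes))


def inventory_summary(devices):
    """Share of unknown endpoints and of known endpoints with policy violations,
    the two kinds of figure the report quotes (20% unknown, 30% non-compliant)."""
    total = len(devices)
    unknown = sum(1 for d in devices if not d.known)
    non_compliant = sum(1 for d in devices if d.known and evaluate(d).violations)
    return {"unknown": unknown / total, "non_compliant": non_compliant / total}


# Constructed sample inventory (MAC addresses are placeholders).
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", "corporate", agent_running=True, disk_encrypted=True, patches_current=True),
    Device("00:11:22:33:44:02", "corporate", agent_running=True, disk_encrypted=False, patches_current=True),
    Device("00:11:22:33:44:03", "corporate", agent_running=False),
    Device("00:11:22:33:44:04", "byod"),
    Device("00:11:22:33:44:05", "guest", known=False),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.mac, dev.owner, evaluate(dev))
    # A compliant device later disables encryption: the re-check drops it to limited access.
    print("after change:", recheck(SAMPLE_DEVICES[0], disk_encrypted=False))
    print(inventory_summary(SAMPLE_DEVICES))
```

The ordering of the checks is the point of the example: identity (is the device known?) comes before ownership (can an agent be trusted at all?), which comes before posture, because each later check is meaningless without the earlier one. Real NAC products add network-side (agentless) fingerprinting for the non-corporate branch; that is the approach the report goes on to describe, and it is deliberately left out here rather than invented.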