Struggling with 802.1X roll-out? You are not alone.
I recently returned from a road trip where I met several customers who have decided to abandon 802.1X roll-outs after battling one challenge after another over multiple years. The primary challenges were:
- Managing 802.1X supplicants
- Authenticating legacy devices
- IT/OT/Physical Security convergence
- Growth in IoT devices
Managing 802.1X Supplicants
One customer enabled 802.1X in a couple of locations. Managing 802.1X supplicants, however, turned out to be a nightmare. Updates to other endpoint agents unintentionally interfered with the 802.1X supplicant, as did OS updates. The enterprise was left fighting one fire after another where authorized devices were being denied access to the network. They decided to abandon this approach after several years of fruitless efforts.
Authenticating Legacy Devices
The customers I spoke with typically found that 60-70% of their devices (printers, VoIP phones, IP-enabled cameras / DVRs, etc.) were not capable of 802.1X and still had to be supported. For these they needed MAC Authentication Bypass (MAB) or more intelligent authentication such as device profile-based trust. Frequently, no single solution could provide all of the above, and segments of the network remained unsecured due to resource constraints. MAB admits a device on nothing more than its MAC address, which anyone who can observe the device can copy, so these weakly authenticated devices are a primary target for intruders: clone a printer's MAC and you inherit the printer's network access. Monitoring the behavior of such devices therefore becomes critical – sadly, for most traditional NAC solutions profiling is an afterthought and behavior monitoring is non-existent.
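As an added illustration (example code written for this page, not Great Bay Software's Beacon code or any particular NAC product), the following Python shows why MAB on its own is weak and what a profile-based check adds. It admits a MAC only when the OUI vendor and DHCP fingerprint agree with the device's onboarding profile, and then flags an admitted device whose traffic drifts from that profile. The OUI table, profiles, MAC addresses, DHCP parameter lists and flow records are all constructed for the example.

```python
"""Profile-aware MAC Authentication Bypass (MAB) plus behaviour monitoring.

Constructed example: MAB alone admits any device presenting a known MAC, so
a laptop that clones a printer's MAC inherits the printer's access. Here the
MAC is cross-checked against attributes the switch and DHCP relay can
observe, and the admitted device's flows are compared with its profile.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical OUI (first three octets) -> vendor table. A real deployment
# would load the IEEE OUI registry; these entries are made up.
OUI_VENDOR = {
    "00:1a:2b": "AcmePrint",
    "00:0c:29": "VMware",
}


@dataclass(frozen=True)
class Profile:
    device_type: str
    vendor: str
    dhcp_fingerprint: str     # DHCP option 55 parameter request list
    allowed_ports: frozenset  # destination ports the device legitimately uses
    max_peers: int            # distinct destination hosts expected per window


# Constructed profile: a printer only talks DNS, DHCP, NTP, LPD, IPP, JetDirect.
PROFILES = {
    "printer": Profile("printer", "AcmePrint", "1,3,6,15,44,46,47",
                       frozenset({53, 67, 123, 515, 631, 9100}), 5),
}

# Onboarding inventory: which profile each authorised MAC was assigned.
INVENTORY = {"00:1a:2b:33:44:55": "printer"}


def mab_decision(mac, dhcp_fingerprint):
    """Decide a MAB request. Returns (accept, reason).

    A bare MAB lookup would stop after the INVENTORY check. The extra
    checks catch a cloned MAC: the OUI still matches (the clone copies it),
    but a laptop's DHCP parameter request list differs from the printer's.
    """
    mac = mac.lower()
    profile_name = INVENTORY.get(mac)
    if profile_name is None:
        return False, "unknown MAC"
    prof = PROFILES[profile_name]
    vendor = OUI_VENDOR.get(mac[:8])
    if vendor != prof.vendor:
        return False, f"OUI vendor {vendor!r} does not match profiled {prof.vendor!r}"
    if dhcp_fingerprint != prof.dhcp_fingerprint:
        return False, "DHCP fingerprint does not match profile"
    return True, "MAC, vendor and DHCP fingerprint consistent with profile"


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    dst_port: int


def behaviour_alerts(mac, flows):
    """Return alert strings for flows from `mac` that deviate from its profile."""
    mac = mac.lower()
    prof = PROFILES[INVENTORY[mac]]
    own = [f for f in flows if f.src_mac.lower() == mac]
    alerts = []
    for port, count in sorted(Counter(f.dst_port for f in own).items()):
        if port not in prof.allowed_ports:
            alerts.append(f"{mac}: {count} flow(s) to port {port}, "
                          f"not in {prof.device_type} profile")
    peers = {f.dst_ip for f in own}
    if len(peers) > prof.max_peers:
        alerts.append(f"{mac}: reached {len(peers)} hosts, profile allows {prof.max_peers}")
    return alerts


# Constructed flow records: the genuine printer, then a laptop that cloned
# its MAC and is sweeping SSH across the subnet.
PRINTER_FLOWS = [
    Flow("00:1a:2b:33:44:55", "10.0.0.2", 53),
    Flow("00:1a:2b:33:44:55", "10.0.0.3", 123),
    Flow("00:1a:2b:33:44:55", "10.0.0.10", 9100),
]
SPOOFED_FLOWS = [Flow("00:1a:2b:33:44:55", f"10.0.0.{i}", 22) for i in range(20, 28)]

if __name__ == "__main__":
    print(mab_decision("00:1a:2b:33:44:55", "1,3,6,15,44,46,47"))
    print(mab_decision("00:1a:2b:33:44:55", "1,2,3,6,12,15,26,28,121"))  # laptop-like list
    print(behaviour_alerts("00:1a:2b:33:44:55", PRINTER_FLOWS))
    for alert in behaviour_alerts("00:1a:2b:33:44:55", SPOOFED_FLOWS):
        print(alert)
```

Note that the OUI check alone never catches a full MAC clone, because the attacker copies the OUI along with the rest of the address; it is the DHCP fingerprint at admission time and the port and peer-count drift afterwards that expose the laptop posing as a printer. In practice the fingerprints and allowed-port sets come from the profiler, not from a hand-written table.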
IT/OT/Physical Security Convergence
The #1 market trend outlined by the Gartner report Predicts 2017: Information Security Management is the convergence of the Internet of Things, operational technology, and physical security systems. My discussions with a financial services customer, who is collapsing the physical security network onto their primary IT network, validated the trend. They are concerned about a new attack vector created by the addition to the primary network of DVRs, video surveillance cameras and HVAC systems with well-known vulnerabilities. Most of these devices do not support 802.1X – this strengthens the argument for device behavior monitoring. Several of our manufacturing customers are also in the process of bridging traffic from OT devices in their plants onto the IT network, which raises concerns about OT devices introducing new attack vectors into their enterprise.
Growth in IoT Devices
One recent prospect in financial services had to deal with a branch manager using his discretionary budget to purchase a connected coffee machine that could automatically place re-supply orders over the Internet. Another prospect was concerned about the security of connected TVs used in conference rooms. Such concerns are growing across industries as more and more previously offline appliances and devices get connected to the network. Gartner predicts that the IoT installed base will reach 21 billion by 2020, with nearly 7 billion making their way into enterprises. They have been vocal about the threat posed by the poor built-in security of IoT devices and have published a research note titled Real-time Discovery, Visibility and Control are Critical for IoT Security. The fact that most IoT devices do not support 802.1X compounds the challenge.
One common theme among many Great Bay Software customers is the growing disillusionment with 802.1X in this rapidly evolving network environment. Fortunately, these customers are already relying on our Beacon Endpoint Profiler to discover, profile, monitor and control these unmanaged or unmanageable devices. Many are now in the process of moving towards deploying the Beacon Product Suite (which includes Beacon Endpoint Enforcement) to authenticate these unmanaged devices, as well as their existing managed devices, by leveraging Beacon’s unique intelligent MAC Authentication. Beacon’s agentless approach ingests and correlates hundreds of endpoint attributes across dozens of data sources to create an accurate device profile, which is harnessed to more intelligently authenticate devices without disrupting day-to-day operations. Integrated device monitoring that can detect unexpected changes in identity, location and behavior adds additional layers of security. This approach eliminates the cost and complexity associated with rolling out traditional NAC solutions and maintaining 802.1X supplicants. If you are struggling with deploying 802.1X or a traditional NAC solution, you are not alone. More importantly, alternatives are available that are easier to deploy and manage, and that can help you control network access without compromising security.