Jun 14, 2017

When NAC Deployment Projects Fail

By Great Bay Software

Deploying a network access control (NAC) solution is one approach to reduce your risk of a network breach. At the same time, it’s accepted wisdom that not all NAC projects are successful. A scrapped deployment is costly, with lost investments in equipment purchases, software, service licenses, resources and time. NAC implementations are complex, and if one is canceled mid-stream, the risk of a crippling breach still remains. When any new project goes awry, the team responsible may lose the confidence of company leadership, project sponsors and users.


Risks and Rewards

Originally designed for network policy management, user access control and guest services, NAC systems typically rely on agent software to perform deep inspection and remediation at the expense of additional software on the endpoint. Most solutions also include “agentless” functionality; however, this brings potential risks:

  • Agentless NAC may be easier to deploy, but generally offers less control and fewer inspection capabilities
  • Some agentless deployments are configured with domain and read/write credentials in such a way that a single system has the power to log into almost every networked device

Most NAC systems use an agentless option only as a fallback. However, with the dramatic growth of IoT we find most security teams have limited or no visibility into tens of thousands of network devices. If a majority of your network-connected devices are unknown, fallback is not an option.

 

The Devil is in the Detail

  • An effective NAC deployment depends on successful integration with your current and future security tools such as NGFW, EMM, ATD, SIEM and others. This leads to big configuration and deployment challenges. These applications have different access functions, unique management consoles, and may apply separate controls to the network and connected devices.
  • Some NAC solutions require the licensing and deployment of add-on modules to support third-party systems. This not only leads to increased costs, it complicates acquiring and maintaining the appropriate licenses as your network evolves. For example, how might an NGFW upgrade or replacement impact your NAC deployment?
  • Keeping device agents current for multiple operating systems is extremely resource intensive. The highly publicized “WannaCry” attack highlights this challenge. Although a Microsoft update that protected Windows PCs was available, many organizations chose not to or were unable to install the update because of outdated operating systems, compatibility risks, network interruptions and potential downtime.

These challenges and their inherent risks are why we see security teams rethink their NAC deployments. This is especially true in IoT-dependent industries such as healthcare, finance and manufacturing.

 

Weigh the Costs and Risks of a Scrapped NAC Deployment

NAC Investments

  1. Vendor and product evaluation
  2. Project proof-of-concept
  3. Equipment, software and service costs
  4. Personnel training
  5. System deployment and integration
  6. On-going maintenance, management and support

Cyberattack costs

  1. Client records recovery
  2. Hit to reputation and market competitiveness
  3. Legal costs
  4. Disruption of business operations
  5. Cost of IT resources to find and fix
  6. Loss of business

 

Security budgets are tight. Risks are high. Measure the true costs, time and resources to get a NAC system up and running. Agentless as a fallback for non-computing devices is not ideal. Any organization with IoT-critical applications should consider solutions that don’t depend on agents for effective device control. Overlay systems that use multiple data sources for discovery, profiling and control are far easier to deploy. This enables you to more effectively respond to attacks and protect your network, devices and data.

Check out our post about the Top 5 Reasons Why NAC Deployments Fail. To learn how Great Bay Software tackles these challenges visit www.greatbaysoftware.com.
