When NAC Deployment Projects Fail
Deploying a network access control (NAC) solution is one approach to reduce your risk of a network breach. At the same time, it’s accepted wisdom that not all NAC projects are successful. A scrapped deployment is costly, with lost investments in equipment purchases, software, service licenses, resources and time. NAC implementations are complex and, if canceled mid-stream, the risk of a crippling breach still remains. When any new project goes awry, the team responsible may lose the confidence of company leadership, project sponsors and users.
Risks and Rewards
Originally designed for network policy management, user access control and guest services, NAC systems typically rely on agent software to perform deep inspection and remediation at the expense of additional software on the endpoint. Most solutions also include “agentless” functionality; however, this brings potential risks:
- Agentless NAC may be easier to deploy, but generally offers less control and fewer inspection capabilities
- Some agentless deployments are configured with domain and read/write credentials in such a way that a single system has the power to log into almost every networked device
Most NAC systems use an agentless option only as a fallback. However, with the dramatic growth of IoT we find most security teams have limited or no visibility into tens of thousands of network devices. If a majority of your network-connected devices are unknown, fallback is not an option.
The Devil is in the Detail
- An effective NAC deployment depends on successful integration with your current and future security tools such as NGFW, EMM, ATD, SIEM and others. This leads to big configuration and deployment challenges. These applications have different access functions, unique management consoles, and may apply separate controls to the network and connected devices.
- Some NAC solutions require the licensing and deployment of add-on modules to support third-party systems. This not only leads to increased costs, it complicates acquiring and maintaining the appropriate licenses as your network evolves. For example, how might an NGFW upgrade or replacement impact your NAC deployment?
- Keeping device agents current for multiple operating systems is extremely resource intensive. The highly publicized “WannaCry” attack highlights this challenge. Although a Microsoft update that protected Windows PCs was available, many organizations chose not to or were unable to install the update because of outdated operating systems, compatibility risks, network interruptions and potential downtime.
These challenges and their inherent risks are why we see security teams rethink their NAC deployments. This is especially true in IoT-dependent industries such as healthcare, finance and manufacturing.
Weigh the Costs and Risks of a Scrapped NAC Deployment
| NAC Investments | Cyberattack costs |
| --- | --- |
| 1. Vendor and product evaluation | 1. Client records recovery |
| 2. Project proof-of-concept | 2. Hit to reputation and market competitiveness |
| 3. Equipment, software and service costs | 3. Legal costs |
| 4. Personnel training | 4. Disruption of business operations |
| 5. System deployment and integration | 5. Cost of IT resources to find and fix |
| 6. On-going maintenance, management and support | 6. Loss of business |
Security budgets are tight. Risks are high. Measure the true costs, time and resources to get a NAC system up and running. Agentless as a fallback for non-computing devices is not ideal. Any organization with IoT-critical applications should consider solutions that don’t depend on agents for effective device control. Overlay systems that use multiple data sources for discovery, profiling and control are far easier to deploy. This enables you to more effectively respond to attacks and protect your network, devices and data.