The two biggest concerns organizations have when considering the use of cloud-based services are the safety of personal data and complying with data protection laws (see complimentary Quocirca report, “The adoption of cloud based services,” downloadable here). The report shows that organizations recognizing the benefits of such services overcome these issues by investing in security technology.
The truth is that these concerns are high on IT managers' lists in all areas of IT deployment. The need to meet governance, risk and compliance (GRC) objectives is something that cannot be avoided. Another area where concerns have been increasing is the growing number of unmanaged devices that are attaching to networks as mobility becomes pervasive.
There are good reasons for providing network access to unmanaged devices. Most businesses now accept the reality of employees using their own devices for work purposes (“bring-your-own-device/BYOD”); even if they do not like the concept, businesses know these devices must be managed somehow.
Furthermore, there is an increasing need in many organizations to provide network access to guests (such as contractors and consultants) on an ad hoc basis. These two requirements have seen a resurgence of interest in network access control (NAC) systems from established vendors such as ForeScout Technologies, Bradford Networks, Cisco, Enterasys and Portnox.
A recent Quocirca report looks at the use of NAC by three very different businesses, which explain why they invested in the technology, how it helps them overcome GRC challenges and better enables both BYOD and guest network access. The Quocirca report, which was sponsored by ForeScout, can be downloaded here.
In brief, the benefits outlined by each user were as follows:
- UK-based finance sector organization: in financial services, regulations are imposed by regulatory bodies. This organization was held back from trading if it was unable to demonstrate that its employees’ end points were secure. Implementing NAC meant the status of the systems and security software on all end points could be checked and, when necessary, updated every time they accessed the network. As the NAC system used was agentless, this could all be achieved regardless of whether the device was previously known or not. An audit trail to prove compliance could be made available to auditors.
- UK-based healthcare trust: healthcare is also a tightly regulated sector; here it is not just money that is at stake, but lives. The end points on the organization’s networks included a wide range of medical devices as well as end user ones. NAC was used to replace an aging intrusion prevention system (IPS); NAC is much more dynamic, enabling all sorts of devices to safely share the same network whilst ensuring, and being able to prove, necessary levels of security and compliance.
- Creative media company: for some organizations GRC controls are necessary to inspire confidence in customers and suppliers rather than satisfy regulators. This was certainly the case with the media service organization Quocirca interviewed. It needed to make sure that its customers felt their own data was safe when their clients’ employees were working as guests on its premises. It also needed to ensure and prove its use of certain software was in line with vendor licence agreements. NAC enabled it to meet both of these requirements.
As organizations struggle to meet GRC requirements in the face of the changing way IT systems are deployed and accessed, all areas of IT security are coming under review and advanced technologies are supplementing or replacing conventional ones. There is no silver bullet for achieving the often related goals of better security and compliance, but NAC is proving for many to be a key building block in their overall IT security architecture.