Safe or sorry? The place of access control in your security solution

boat-deck-dock-harbor-137533-1The status quo in IT security is focused on detection. Virus scanners and network analysers control traffic on the network or chase down the bad guys. That worked well in the past, when people, devices and data weren’t roaming on and off the network. But today, all these elements need to have freedom of movement, and access, for businesses to run well. And there’s the challenge for you as an IT manager. Should you double, or triple your cyberattack police force to run down wrongdoers? Or should you start focusing on access control and prevent instead of cure? In this blog, we tell you how to take on a more proactive approach to IT security, in a way that your co-workers won’t feel a thing. 


Be proactive instead of reactive

Imagine your company network as a ship. A modern ship has different compartments, so that if there’s a leak, the ship won’t go down like the Titanic. If one compartment got hit there’d be damage for sure, but it would be limited to a minimum. You can do the same with your network, that can be divided into compartments of your choosing. This can be done with a port-based NAC solution that allows you to be proactive instead of reactive. This works in two ways. First, NAC helps you to create separate areas for privately-owned devices like employee or freelance laptops and smartphones (solving BYOD headaches and minimising risks). Company-owned devices, on the other hand, can be given wider access as they’ve been “cleared” with a certificate. Second and just as importantly, access to a specific segment can be granted depending on user role. For example, CFOs can gain access to the financial systems whereas HR employees can’t. All users are automatically authenticated, authorised and accounted by the NAC solution, so that no one will ever end up in the wrong segment.


The case of the intern and the CFO

How do these principles play out? Let’s have a look. It’s 3pm on a Tuesday and both an intern and the company’s CFO are logging into the company network. The intern is at HQ and logging in at a company PC. As he’s an HR intern, he’s granted access to a segment that gives limited access to the corporate systems. But as he’s using a company-owned and cleared PC, he’s allowed access to a network segment that gives him some freedom of movement. He sometimes accesses the network on his mobile phone, but then, he gains access to a segment that only allows him into his email. Across town, the CFO is logging into the network from home on her work laptop, using a VPN. Since she’s the CFO, she’s allowed access to the network segment including all the financial systems. And since she’s using a company-owned device with a security certificate, she’s not held back by the fact that she’s working from home. She’s working on a trusted device.


Compartments first, water pumps second

How would this situation play out if there was only one single network segment? If a virus or piece of malware were to enter the network from the intern’s phone or – especially – the CFO’s VPN connection, damage could be enormous (and enormously expensive). That’s because most security solutions, such as virus scanners, are reactive and must chase malware, whereas NAC takes on a more proactive approach and simply blocks most of the company’s compartments. Now imagine you were just using NAC without any virus scanners and other network analyses tools (which we wouldn’t recommend). With only a NAC solution in place, there would be some damage, but only a single compartment would be infected, making it easier to isolate and resolve. This is why we advise to take NAC as the foundation of your security solution. Of course, you can add “water pumps” like virus scanners and firewalls to the mix (you should!), but they’re often too expensive or complex to be stand-alone security solutions for the entire company network.


Reduce costs on your security solution

Because of the risk limitation, using a NAC solution saves out on costs you’d normally spend on additional security measures. After all, preventing is always less expensive than fixing. Arming your network to the teeth, on the other hand, is costly, not waterproof and often unnecessary. Because NAC relies on compartmenting, you don't have to secure what can't be touched – you can safely lock away sensitive data simply by giving fewer users access. For example, as the damage of stolen financial data is often high, the risk is high too, meaning you should limit the number of people with access rights. When it comes to other departments, the need for strict security might be lower, meaning you can let more users in. That’s what makes NAC such a safe and watertight security solution. Once you’ve adapted the level of security per compartment (and applied virus scanners, etc.), you can rest easier knowing that your network can weather today’s storm of people and devices. And it’s as safe – and steady – as a ship on the right course.

Want to learn more about how you can safely steer your IT organisation? Download our free white paper below.

Learn more about NAC

Hans-Peter Ponten

Subscribe Here!