Imagine your company network as a ship. A modern ship has separate compartments, so that if there’s a leak, the ship won’t go down like the Titanic. If one compartment gets hit there’d be damage for sure, but it would be kept to a minimum. You can do the same with your network, which can be divided into compartments of your choosing. This can be done with a port-based NAC solution that allows you to be proactive instead of reactive. It works in two ways. First, NAC helps you create separate areas for privately-owned devices like employee or freelance laptops and smartphones (solving BYOD headaches and minimising risks). Company-owned devices, on the other hand, can be given wider access because they’ve been “cleared” with a certificate. Second, and just as importantly, access to a specific segment can be granted depending on user role. For example, the CFO can gain access to the financial systems whereas HR employees can’t. All users are automatically authenticated, authorised and accounted for by the NAC solution, so that no one ever ends up in the wrong segment.
How do these principles play out? Let’s have a look. It’s 3pm on a Tuesday and both an intern and the company’s CFO are logging into the company network. The intern is at HQ and logging in at a company PC. As he’s an HR intern, he’s granted access to a segment that gives limited access to the corporate systems. But as he’s using a company-owned and cleared PC, he’s allowed into a network segment that gives him some freedom of movement. He sometimes accesses the network on his mobile phone, but then he is placed in a segment that only allows him into his email. Across town, the CFO is logging into the network from home on her work laptop, using a VPN. Since she’s the CFO, she’s allowed access to the network segment containing all the financial systems. And since she’s using a company-owned device with a security certificate, she’s not held back by the fact that she’s working from home: she’s working on a trusted device.
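The scenario above, written out as a policy decision, as an added example that is not code from the original post or from any NAC product. It assumes a constructed device inventory (device ids and certificate fingerprints), role and segment names, and a simplified certificate check: a real port-based NAC validates an EAP-TLS client certificate against the company CA, whereas this stand-in compares a stored fingerprint. The example goes one step beyond the text by also showing what happens when the CFO connects from an uncleared personal laptop, when someone reuses a company device id without its certificate, and when a user's role is unknown (deny by default).

```python
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

# --- constructed inventory: assumed values, not from any real deployment ---
# Company-owned devices and the SHA-256 certificate fingerprint the NAC expects.
COMPANY_DEVICES = {
    "pc-hq-0421": "3f1a9c0d5b7e2a4c6d8f0b1e3a5c7d9f2b4d6e8a0c1f3e5d7b9a2c4e6f8a0b1c",
    "lt-cfo-0007": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d",
}

# Role -> segment granted to a cleared (company-owned) device.
# Deny by default: a role missing from this table lands in quarantine.
ROLE_SEGMENTS = {
    "hr-intern": "corp-limited",
    "cfo": "finance",
}
BYOD_SEGMENT = "byod-email-only"   # private or unverified devices, whatever the role
QUARANTINE = "quarantine"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    cert_fingerprint: Optional[str]   # None when the device presents no certificate
    path: str                         # "wired", "mobile" or "vpn"


def authenticate_device(req: AccessRequest) -> bool:
    """Authentication: is this a company-owned device presenting its expected cert?"""
    expected = COMPANY_DEVICES.get(req.device_id)
    if expected is None or req.cert_fingerprint is None:
        return False
    # Constant-time compare so a mismatch leaks nothing about the stored value.
    return compare_digest(expected, req.cert_fingerprint)


def authorise(req: AccessRequest, cleared: bool) -> str:
    """Authorisation: device trust decides first, then the user's role."""
    if not cleared:
        return BYOD_SEGMENT
    # The path (wired, VPN) does not widen or narrow access; the device and role do.
    return ROLE_SEGMENTS.get(req.role, QUARANTINE)


def admit(req: AccessRequest, ledger: list) -> str:
    """AAA in order: authenticate, authorise, account. Returns the assigned segment."""
    cleared = authenticate_device(req)
    segment = authorise(req, cleared)
    ledger.append({"user": req.user, "device": req.device_id, "path": req.path,
                   "cleared": cleared, "segment": segment})
    return segment


def run_scenarios():
    """Tuesday, 3pm: the page's two users plus three cases the page does not spell out."""
    ledger: list = []
    cases = {
        "intern_company_pc": AccessRequest(
            "intern01", "hr-intern", "pc-hq-0421", COMPANY_DEVICES["pc-hq-0421"], "wired"),
        "intern_own_phone": AccessRequest(
            "intern01", "hr-intern", "phone-private", None, "mobile"),
        "cfo_work_laptop_vpn": AccessRequest(
            "cfo", "cfo", "lt-cfo-0007", COMPANY_DEVICES["lt-cfo-0007"], "vpn"),
        # Beyond the text: the CFO's role alone does not open the finance segment.
        "cfo_personal_laptop_vpn": AccessRequest(
            "cfo", "cfo", "lt-home", None, "vpn"),
        # Beyond the text: a known device id without the matching certificate.
        "reused_device_id": AccessRequest(
            "someone", "cfo", "lt-cfo-0007", "00" * 32, "vpn"),
        # Beyond the text: a cleared device but a role the policy does not know.
        "unknown_role_company_pc": AccessRequest(
            "temp42", "contractor", "pc-hq-0421", COMPANY_DEVICES["pc-hq-0421"], "wired"),
    }
    segments = {name: admit(req, ledger) for name, req in cases.items()}
    return segments, ledger


if __name__ == "__main__":
    segs, log = run_scenarios()
    for name, seg in segs.items():
        print(f"{name:28s} -> {seg}")
    print(f"{len(log)} accounting records written")
```

The ordering inside `authorise` is the point: device trust is checked before role, so a high-privilege role on an uncleared device still ends up in the email-only BYOD segment, and every decision, allowed or not, leaves an accounting record that can later show who was placed where.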
How would this situation play out if there was only one single network segment? If a virus or piece of malware were to enter the network from the intern’s phone or – especially – the CFO’s VPN connection, the damage could be enormous (and enormously expensive). That’s because most security solutions, such as virus scanners, are reactive and must chase malware, whereas NAC takes a more proactive approach and simply blocks access to most of the company’s compartments. Now imagine you were using only NAC without any virus scanners or other network analysis tools (which we wouldn’t recommend). With only a NAC solution in place, there would be some damage, but only a single compartment would be infected, making it easier to isolate and resolve. This is why we advise taking NAC as the foundation of your security solution. Of course, you can add “water pumps” like virus scanners and firewalls to the mix (you should!), but they’re often too expensive or complex to be stand-alone security solutions for the entire company network.
Because it limits the risk, a NAC solution saves on costs you’d normally spend on additional security measures. After all, prevention is always less expensive than repair. Arming your network to the teeth, on the other hand, is costly, not watertight and often unnecessary. Because NAC relies on compartmenting, you don’t have to secure what can’t be touched – you can safely lock away sensitive data simply by giving fewer users access. For example, as the damage from stolen financial data is often high, the risk is high too, meaning you should limit the number of people with access rights. For other departments, the need for strict security might be lower, meaning you can let more users in. That’s what makes NAC such a safe and watertight security solution. Once you’ve adapted the level of security per compartment (and applied virus scanners, etc.), you can rest easier knowing that your network can weather today’s storm of people and devices. And it’s as safe – and steady – as a ship on the right course.
Want to learn more about how you can safely steer your IT organisation? Download our free white paper below.