Between hackers and unauthorized intruders working their hardest to pounce on your data and the growing variety of users within and outside of the organization accessing network resources to advance critical business objectives, information security has emerged as a huge cause for concern among small and mid-size businesses. This segment of the market is increasingly engaging and integrating independent contractors, suppliers, and partners to perform functions that used to be the exclusive domain of employees.
In all of these instances, corporate IT departments do not typically own or control the laptop or other mobile device used to access enterprise networks; nor do they necessarily know the operating system, applications, network connections or storage devices that they use to connect to the network. These unanswered questions are enough to give any security-minded manager an ulcer.
So, what’s an executive of a small or mid-size business to do, when closing the electronic doors is not an option?
Businesses can confirm ID of user and device
Many businesses are taking a closer look at network access control (NAC) technology. This term broadly refers to a set of solutions that address the security issues related to the new generation of devices and users that are today connecting to a corporate network.
It represents a major shift in focus away from determining security by simply identifying what devices can connect to a network. Instead, organizations are confirming the identity of user as well as devices that try to access key information resources, and establishing rules that determine what each user is allowed to do on the network based on a pre-determined profile of roles and responsibilities with the organization.
Because networks, processes and governance requirements are constantly changing, traditional security technologies -- such as firewalls, antivirus and encryption -- may not be enough any more. While those measures are still important, they are not enough to meet the demands and security issues of today’s networks.
“The ability to control access based on user identity -- and not just device [in order to] post the security posture is important,” says Andrew Braunberg, research director with consulting firm < a href= "http://www.currentanalysis.com">Current Analysis.
With NAC, every end point that is established when attempts are made to access the network (say from a mobile device, or from a remote desk-top that is using the Web to access the network) is vetted independently and consistently. This helps to determine if the user and the device is complying with a pre-determined set of policies before access to the network is granted.
Behavior is monitored on the network
Once on the network, behavior is continually monitored to ensure people and applications stay within the areas that they need to work in. They are not allowed to stray into areas that do not conform with their assigned function. Once a user leaves the network, the same process is applied when he or she tries to resume access.
“NAC is flourishing in networks that have a large amount of unmanaged assets,” said Greg Stock, CEO of Austin, Texas-based Mirage Networks, which sells NAC appliances that support 50, 100, 1,000 and 2,500 machines.
He points out that small and mid-size businesses typically do not have a large IT staff or a dedicated IT staff at all. So creating user profiles in easy to use formats are critically important to ensure both adoption by the business, and compliance by the different types of users.
In terms of the market, NAC adoption is growing quickly. IDC predicts investments in NAC will sell $3.2 billion in products and services a year by 2010, up from $526 million in 2005. The vendors in this space include smaller, niche players as well as larger more established vendors who are quickly moving in to get a piece of the action.
Microsoft has its own control it is calling its offering Network Access Protection (NAP), while Cisco is using the NAC acronym -- but calling its solution Network Admission Control. For those interested in more open solutions (as opposed to proprietary technologies) the Trusted Computing Group has developed a framework called Trusted Network Connect (TCG) to help businesses control who has access to what when they connect to the corporate network.
A fair amount of consolidation is expected in the space, so it is probably a good idea to take steps to ensure that the NAC provider you select is likely to be here for the long run. Nevertheless, if you are using mobility, collaboration and independent contractors to advance your business objectives, NAC is a technology that should not be ignored.