Tackling the ongoing problem of endpoint defense
Network access control has a bad name, so let's change it.
Over the last decade, network access control earned a reputation for failed deployments and overzealous policy enforcement after more than one CEO found that his laptop couldn't access the network following his IT department's NAC implementation.
But things have changed. NAC is no longer about access control, experts say. It's about providing endpoint visibility and contextual security. Research from Enterprise Strategy Group suggests that NAC is evolving into a new class of product called endpoint visibility, access and security (EVAS), a platform that enables contextual security, feeding information to other security platforms while enforcing the policies those platforms dictate.
Early NAC solutions ran health checks on user devices to make sure they were free of infections and properly protected by endpoint security software before allowing them on the network. Later, NAC added checks for software patches and proper configuration. Now NAC solutions are evolving into EVAS platforms in order to meet enterprise demands for better contextual security, argued Jon Oltsik, senior principal analyst with ESG. He said Cisco, Juniper Networks, ForeScout and Bradford Networks are all moving in this direction.
EVAS is distinguished by two new capabilities, Oltsik said. The platforms can integrate into other security and policy systems, and they can address a wider set of endpoints than the traditional PCs that early NAC systems focused on.
"EVAS is built for integration into the rest of the infrastructure, whether with MDM [mobile device management], identity and RADIUS servers and things like that. It's meant to provide information for analysis or to provide a place to enforce policy," he said. "And EVAS is built for the next generation of endpoints. It's not just PCs. It's mobile endpoints, other IP devices like printers, and control systems, or medical equipment or anything else on the network that you need to know about. It has the ability to recognize and give you contextual information about [those devices]."
Enterprises have plenty of security analytics available to them, whether from security information and event management platforms, packet capture analysis or flow analysis, Oltsik said. What security engineers really lack is more detail on what underlies those analytics.
"When you say who was using what device, what activity did they do, how was their system configured at the time, a lot of that information is missing and hard to capture," Oltsik said. "EVAS acts as a middleman to capture that information and provide greater levels of detail." EVAS also enforces policy, which analytics platforms can't do, he said.
Endpoint visibility versus access control: New names or new technology?
NAC isn't necessarily evolving into a new product, said Chris Rodriguez, industry analyst for network security at Frost & Sullivan. But the technology has added new functions in recent years as customers find use cases for the technology beyond simple access control.
The EVAS appellation is "an attempt to convey the value of NAC a little more appropriately," Rodriguez said. It's also an attempt to step away from the tarnished reputation that the NAC market gained during those failed deployments over the years, a reputation that is no longer fair, he said.
"Customers consistently say that with NAC they can see more than with any other endpoint management solution, and they can see more than just corporate-owned devices," Rodriguez said. "They can see employee-owned devices and devices that can't support agents, like control systems and healthcare monitoring devices."
EVAS controls endpoints but not data
While more visibility and context are important, not everyone agrees that the endpoint is the best element to focus on. John Kindervag, principal analyst with Forrester Research, said security vendors should be focusing on the thing that really matters -- data.
"I agree that we need visibility, but we don't need it on the endpoint. We need it much closer to the data, because there are too many [endpoints]. You can't control them," Kindervag said. "We need to look at the thing that we might have a chance of controlling, which is the data."
To protect data, enterprises need to be inspecting and monitoring all traffic because that will tell them what's happening with data. Worrying about who has access to the network is a waste of time, he said.
"Traffic is the valuable thing here. Traffic is the thing that tells us everything that is happening on the endpoint without having to be on the endpoint. It's a much more scalable place to do it," Kindervag said. "It's not about things coming into [the network]. We have to get that through our heads. The perimeter is dead. Deal with it."
Kindervag said that endpoint-based control also creates a false sense of security and complacency.
"Yes, everyone who's on our network is approved to be on our network. Let them come in the front door. Well, let everyone come in the front door, but keep an eye [on your data]. If anyone tries to touch it and take it, that's when you get concerned about it. There could be some uplift on endpoint [protection] after you focus on the data, but don't think you are going to solve this problem on the endpoint."
Kindervag and Forrester Research have advocated for a few years that enterprises adopt a "zero trust" security model in which all traffic is untrusted and subject to inspection and analysis. Even if authorized users get on the network with devices that are policy-compliant, they can still threaten the company's data. So enterprises must track the transit of data, rather than who and what are accessing the network.
NAC/EVAS vendors argue that they contributed to this zero-trust approach.
"Say you have a corporate policy that requires a user's personal firewall be active, requires a certain patch level and requires that data loss protection not only be installed but active," said Scott Gordon, chief marketing officer of ForeScout. "Our system can dynamically verify that pre-admission and post-admission to the network. If data loss prevention [DLP] is installed but not running, then you run the risk that the [DLP] management system thinks everything is fine."
A NAC/EVAS platform can detect that DLP is not active on an endpoint and instruct a DLP system to engage with the agent on that device, he said.
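The pre-admission and post-admission check Gordon describes, including the "DLP installed but not running" case, is easy to see in code. The following is an added example written for this page; it is not ForeScout's product logic or any vendor's API. It assumes a hypothetical inventory feed in which each endpoint reports its firewall state, a patch baseline number, and whether the DLP agent is installed and whether its process is running, and it contrasts the NAC verdict with a (hypothetical) DLP console that only tracks installation.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ADMIT = "admit"            # compliant, allow normal access
    QUARANTINE = "quarantine"  # restrict to a remediation network
    REMEDIATE = "remediate"    # stay connected, hand off to another system


@dataclass
class Endpoint:
    host: str
    firewall_active: bool
    patch_level: int     # constructed: a monotonic patch baseline number
    dlp_installed: bool
    dlp_running: bool


@dataclass
class Policy:
    min_patch_level: int


@dataclass
class Verdict:
    decision: Decision
    findings: list = field(default_factory=list)
    actions: list = field(default_factory=list)  # instructions to other systems


def dlp_console_view(ep: Endpoint) -> str:
    """Hypothetical DLP management console that tracks installs only.
    It reports 'protected' as long as the agent is installed, whether or
    not the agent process is actually running (the blind spot in the article)."""
    return "protected" if ep.dlp_installed else "unprotected"


def evaluate(ep: Endpoint, policy: Policy, phase: str) -> Verdict:
    """Check one endpoint against policy. phase is 'pre' (before admission)
    or 'post' (already connected and re-checked periodically)."""
    if phase not in ("pre", "post"):
        raise ValueError("phase must be 'pre' or 'post'")
    findings, actions = [], []
    if not ep.firewall_active:
        findings.append("personal firewall inactive")
    if ep.patch_level < policy.min_patch_level:
        findings.append(f"patch level {ep.patch_level} below required {policy.min_patch_level}")
    if not ep.dlp_installed:
        findings.append("DLP agent not installed")
    elif not ep.dlp_running:
        findings.append("DLP agent installed but not running")
        # NAC tells the DLP system to engage the agent on this device.
        actions.append(f"dlp-system: engage agent on {ep.host}")

    if not findings:
        return Verdict(Decision.ADMIT)
    # Before admission, any gap keeps the device off the production network.
    if phase == "pre":
        return Verdict(Decision.QUARANTINE, findings)
    # After admission, a stopped-but-installed DLP agent can be handed to the
    # DLP system; any other gap still moves the device into quarantine.
    if findings == ["DLP agent installed but not running"]:
        return Verdict(Decision.REMEDIATE, findings, actions)
    return Verdict(Decision.QUARANTINE, findings, actions)


def run_checks(endpoints, policy, phase):
    """Evaluate a batch of endpoints and return host -> Verdict."""
    return {ep.host: evaluate(ep, policy, phase) for ep in endpoints}


# Constructed sample inventory (not real hosts or real data).
POLICY = Policy(min_patch_level=42)
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", True, 42, True, True),    # fully compliant
    Endpoint("ws-02", True, 43, True, False),   # DLP installed but stopped
    Endpoint("ws-03", False, 42, True, True),   # firewall off
    Endpoint("ws-04", True, 40, False, False),  # old patches, no DLP
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        v = evaluate(ep, POLICY, "post")
        print(f"{ep.host}: DLP console says {dlp_console_view(ep)!r}; "
              f"NAC decision {v.decision.value}; findings {v.findings}; actions {v.actions}")
```

The point of the split between `pre` and `post` is the one Gordon makes: the same policy is verified both at admission and continuously afterwards, and a post-admission finding does not always mean kicking the device off the network. For ws-02 the DLP console still reports "protected" while the NAC check sees the stopped agent and produces an instruction for the DLP system rather than a quarantine.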