The question that many IT security pros are asking is: Why hasn’t network access control (NAC) lived up to its promise?
I certainly did. And what I discovered helped me to make a career move.
I’ll explain, starting with what NAC does. Then I’ll get to the personal part.
NAC provides enterprises the ability to authenticate devices as they enter the network, monitor those devices, and deal with those devices that do not meet security requirements.
That all makes sense. Yet the history of NAC adoption has been less than stellar, even in recent years. Why? I think it’s because NAC still doesn’t meet the needs of today’s enterprises. NAC products are complex to deploy, scale, and manage. They’re also not able to stop an attack from an outsider who has compromised an internal device. Once you are in, you’re in.
The NAC value proposition is a victim of its own self-inflicted shortcomings, from access control list fatigue to obsolete posture check parameters. NAC complexity, combined with technical constraints, contributes to a very challenging business case for most enterprises. Substantial upfront hardware investments are typically required, followed by high ongoing operating expenses.
These investments are the high table stakes to get the weak outcomes promised by network security hardware architected for simpler days and more primitive attacks. Today, things get even worse for hardware-bound solutions facing agile, dynamic software-based attacks.
Those medieval fortresses and walls scattered around the world are now only being used to lure tourists. No one uses them anymore for protection because they’ve become anachronisms, symbols of fixed defenses that worked in their day. Today we live in fast-moving times, where the spirit of entrepreneurship sometimes takes the form of cybercrime. Network defense schemes from more than a decade ago are already starting to resemble their tourist trap predecessors.
Unlike the rise of WLANs (and internet worms), which helped NAC solutions establish a foothold in enterprise security, cloud and digitalization initiatives are destroying the last remnants of the NAC payoff by magnifying the negative impact of NAC's existing technical and operational shortcomings.
NAC solutions only protect internal servers. Any hybrid or cloud-centric network would need a different approach to access control. With digitalization, business-critical servers and databases will be more accessible to other servers and often larger populations of users.
Adequate protection would require even bigger initial investments and likely infrastructure upgrades. Then you'll need more highly skilled people to manage the complex weave of devices, permissions and access points. As your network grows linearly, your costs and complexity grow exponentially.
The problem: NAC’s lack of granular access controls requires security teams to create and manage hundreds of ACLs with thousands of potential rules, even for smaller networks. Existing security teams might have to double or triple in size to simply keep up with the management overhead of these new initiatives, after those substantial initial hardware investments.
This explains why a host of companies are now talking about the Software Defined Perimeter, or the use of a single layer of software to protect large, complex networks. Its ability to scale up or extend enforcement across dynamic infrastructure is far superior to any approach requiring dedicated hardware, specialized skills and manually driven lists.
So… after four-plus great years at CloudVelox I joined Vidder. I met Vidder’s CEO Mark Hoover more than ten years ago. Before I joined CloudVelox we discussed working together again as well as the new enterprise security demands taking shape. Vidder was on the way to re-inventing access control by blending trust metrics with the Software Defined Perimeter.
So here I am, years later at Vidder in the midst of a new asymmetric cyber war between nation states, hacktivists and societies dependent upon trust for their very way of life. Goodbye NAC! Hello Vidder!