NAC is an important component of Zero Trust Network Access (ZTNA). It is a powerful tool for securing IoT devices and for protecting mobile and remote workers.
Network Access Control (NAC), also known as Network Admission Control, is a cybersecurity technique that prevents unauthorized users and devices from accessing private networks or sensitive resources. NAC was first introduced to enterprises in the mid-to-late 2000s as a method of managing endpoints using basic scan-and-block techniques. NAC solutions were created to authenticate users, manage endpoints, and enforce policies as knowledge workers became more mobile.
How NAC works
NAC tools allow visibility into all devices connected to the network. Network Access Control software blocks unauthorized users from accessing the network. It enforces network security policies and controls endpoints to ensure that devices adhere to them. NAC solutions, for example, will ensure that endpoints have up-to-date anti-malware and antivirus protection.
Devices that are not in compliance with the rules may be removed from the network, quarantined, or granted restricted access rights.
NAC operates in two stages. The authentication stage identifies users and validates their credentials. Many Network Access Control tools support a range of authentication methods, such as passwords, one-time PINs, and biometrics.
In the second stage, NAC enforces several policy factors, including device health, location, and user role. NAC devices can also be configured to restrict access by user role, so that users can reach only the resources they need to do their jobs.
The NAC tool can block or quarantine a device or user that fails authentication or authorization.
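The two-stage flow described above, as an added example that is not code from this article or from any NAC product: stage one validates credentials, stage two evaluates device health, location and role, and the result is one of the enforcement outcomes the text lists (allow, restricted, quarantine, deny) plus an audit record. The credential store, role policy, VLAN names and the seven-day antivirus-signature threshold are all constructed assumptions.

```python
"""Added example: a minimal two-stage NAC admission decision (authentication,
then policy-based authorization) over constructed sample data. Not code from
the article's author or from any NAC product; every name and threshold below
is an assumption chosen for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


def _hash(salt: str, password: str) -> str:
    """Salted SHA-256 for the constructed credential store (illustrative only)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store: username -> salt, digest, role.
USERS = {
    "alice": {"salt": "s1", "digest": _hash("s1", "correct horse"), "role": "finance"},
    "bob":   {"salt": "s2", "digest": _hash("s2", "hunter2"),       "role": "guest"},
}

# Assumed role policy: the network segment a role may reach and where it may connect from.
ROLE_RESOURCES = {
    "finance": {"vlan": "corp-finance",   "locations": {"hq", "vpn"}},
    "guest":   {"vlan": "guest-web-only", "locations": {"hq", "branch"}},
}

MAX_SIGNATURE_AGE_DAYS = 7  # assumed posture threshold for antivirus definitions


@dataclass
class Endpoint:
    """What a NAC agent or sensor would report about the connecting device (constructed)."""
    username: str
    password: str
    av_installed: bool
    av_signature_date: date
    location: str


def authenticate(username: str, password: str):
    """Stage 1: validate credentials. Returns the user's role, or None on failure.
    compare_digest keeps the comparison constant-time."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["digest"], _hash(rec["salt"], password)):
        return None
    return rec["role"]


def authorize(role: str, ep: Endpoint, today: date):
    """Stage 2: enforce device health, location and role policy.
    Returns (decision, segment, reason); decision is allow/restricted/quarantine/deny."""
    policy = ROLE_RESOURCES.get(role)
    if policy is None:
        return ("deny", None, "no policy for role")
    if not ep.av_installed:
        return ("quarantine", "remediation", "antivirus missing")
    if (today - ep.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        return ("restricted", "remediation", "antivirus signatures stale")
    if ep.location not in policy["locations"]:
        return ("deny", None, f"role {role} not permitted from {ep.location}")
    return ("allow", policy["vlan"], "compliant")


def admit(ep: Endpoint, today: date = None):
    """Run both stages; return the enforcement decision and an audit record."""
    today = today or date.today()
    role = authenticate(ep.username, ep.password)
    if role is None:
        decision = ("deny", None, "authentication failed")
    else:
        decision = authorize(role, ep, today)
    audit = {"user": ep.username, "location": ep.location,
             "decision": decision[0], "reason": decision[2]}
    return decision, audit


if __name__ == "__main__":
    ok = Endpoint("alice", "correct horse", True, date(2024, 1, 1), "hq")
    print(admit(ok, today=date(2024, 1, 3)))
```

The order of checks matters: a device with no antivirus at all is quarantined before any location or role check runs, while a device that is merely out of date is placed in a restricted remediation segment, matching the graded outcomes the text describes.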
What are the different types of NAC approaches?
Although NAC approaches differ in many ways, two distinctions are common: how devices are inspected and how information is gathered from the network.
Pre-admission and post-admission: NAC has two methods of authorizing access for end devices. Pre-admission policies require that devices be inspected before they are allowed onto the network. This is the best approach for use cases in which devices may lack anti-malware and antivirus protection.
Post-admission designs, by contrast, focus more on user behavior and less on device posture. This is a good approach for guest-access cases, where online activity is limited to web browsing and checking email.
Many NAC offerings combine these approaches, varying the method by location, device type, or user group.
Agent-based vs. agentless design: A second architectural distinction is agent-based versus agentless information gathering. Some NAC vendors require users to install agent software on their client devices; the agent then reports device characteristics to the Network Access Control system.
Agentless NAC software, by contrast, continuously scans the network, inventories devices, and relies on observed user and device behavior to trigger enforcement decisions.
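An agentless, post-admission check of the kind the two preceding passages describe, as an added example that is not code from this article or from any vendor: guest devices are admitted first, and enforcement is triggered by what they are observed doing on the network rather than by an agent report. The flow records, the web-and-email port allow-list, the internal address ranges and the two-violation quarantine threshold are all constructed assumptions.

```python
"""Added example: agentless, post-admission enforcement for a guest segment.
Constructed flow records stand in for what a NAC sensor would observe; the
allow-list, address ranges and threshold are assumptions, not product defaults."""
import ipaddress
from collections import defaultdict

# Assumed guest policy: web browsing and e-mail only, never into corporate ranges.
GUEST_ALLOWED_PORTS = {80, 443, 587, 993}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
VIOLATION_THRESHOLD = 2  # assumed: quarantine at this many policy violations

# Constructed flow log: "timestamp src_mac dst_ip dst_port proto" per line.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 aa:bb:cc:00:00:01 93.184.216.34 443 tcp
2024-05-01T09:00:05 aa:bb:cc:00:00:01 93.184.216.34 80 tcp
2024-05-01T09:00:09 aa:bb:cc:00:00:02 10.1.5.20 445 tcp
2024-05-01T09:00:11 aa:bb:cc:00:00:02 10.1.5.20 3389 tcp
2024-05-01T09:00:15 aa:bb:cc:00:00:02 142.250.74.78 443 tcp
2024-05-01T09:00:20 aa:bb:cc:00:00:03 10.1.5.21 443 tcp
"""


def parse_flow(line: str) -> dict:
    """Split one constructed flow record into typed fields."""
    ts, mac, dst, port, proto = line.split()
    return {"ts": ts, "mac": mac, "dst": ipaddress.ip_address(dst),
            "port": int(port), "proto": proto}


def is_violation(flow: dict):
    """Return a reason string if a guest flow breaks policy, else None.
    Internal destinations are checked first so an inside target is always flagged."""
    if any(flow["dst"] in net for net in INTERNAL_NETS):
        return f"internal destination {flow['dst']}"
    if flow["port"] not in GUEST_ALLOWED_PORTS:
        return f"port {flow['port']} not permitted for guests"
    return None


def evaluate_guests(flow_text: str, threshold: int = VIOLATION_THRESHOLD) -> dict:
    """Map each observed guest device to (decision, violations) based on behavior."""
    violations = defaultdict(list)
    seen = set()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        seen.add(flow["mac"])
        reason = is_violation(flow)
        if reason:
            violations[flow["mac"]].append((flow["ts"], reason))
    decisions = {}
    for mac in seen:
        v = violations.get(mac, [])
        if len(v) >= threshold:
            decisions[mac] = ("quarantine", v)
        elif v:
            decisions[mac] = ("alert", v)
        else:
            decisions[mac] = ("allow", [])
    return decisions


if __name__ == "__main__":
    for mac, (decision, why) in sorted(evaluate_guests(SAMPLE_FLOWS).items()):
        print(mac, decision, why)
```

Because the decision rests only on observed traffic, this works for devices that cannot run an agent, which is exactly the guest and unmanaged-device case the text assigns to post-admission designs; the trade-off is that a violation has already occurred by the time enforcement happens.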
Core capabilities of a Network Access Control system
NAC secures networks through several core capabilities. These include:
Authentication & authorization: controls user and device access to resources.
Centralized policy lifecycle management: manages policy changes across the enterprise while enforcing policies for all users and devices.
Discovery, visibility, & profiling: finds and locates devices on the network, identifies them, groups them by characteristics, and blocks unauthorized users and non-compliant devices.
Guest networking access: manages visitors and grants temporary, often limited, access to individuals using compliant devices via a configurable self-service portal.
Security posture check: assesses compliance with security policies based on user type, device type, and location.
NAC and Zero Trust
NAC has been around for almost 20 years, but its widespread adoption has been limited to large and medium-sized enterprises. It is now an enabling technology for Zero Trust security solutions as the network edge expands beyond the enterprise's physical perimeter and the COVID-19 pandemic accelerates acceptance of hybrid work environments.
As networks become more complex and distributed, cybersecurity teams need ways to keep visibility into devices that connect at the network's farthest reaches. NAC provides this capability: it detects and gives visibility into every device that enters the network, and it enables centralized access control and policy enforcement.
Top use cases for Network Access Control
Increasing employee mobility, a growing number of BYOD devices, and the need to support hybrid workplaces during the pandemic have all driven the need for tighter network access controls.
Network Access Control is used in the following common cases:
Access for guests and partners: Network Access Control solutions enable organizations to grant temporarily restricted access to partners, contractors, guests, and other individuals. NAC solutions inspect guest devices to ensure they are in compliance with security policies.
BYOD and work-from-anywhere: Network Access Control authenticates knowledge workers on unknown devices or in unknown locations and enforces policies for those users and devices. NAC also protects corporate devices from malware when employees take them home.
The COVID-19 pandemic saw the rise of hybrid and work-from-home environments. In both, NAC solutions authenticated users, ensured policy compliance, and restricted resources based on user role and location.
Network Access Control and regulatory compliance
Network Access Control adoption is increasing as more industries regulate how consumer data is handled and privacy is protected. NAC systems help organizations comply with a variety of regulations, including HIPAA and PCI DSS.
These privacy protections require that you know who and what is on the network, when they connected, and where devices are located. Additionally, sensitive data should be accessible only to those with a legitimate need for it. To comply, it is essential to prove through repeatable, auditable processes that all of these steps have been followed.
Network Access Control can satisfy various regulatory requirements by providing access control, policy enforcement across devices and users, network visibility, and audit trails. Many Network Access Control providers offer features that help organizations comply with the most common regulations, such as HIPAA and PCI DSS.