Financial organizations, especially banks, have unique needs when it comes to protecting the network. In addition to patching common vulnerabilities and fending off outside attacks, financial organizations have the additional challenges of targeted attacks and risks from heightened insider threats .
The unique ecosystem of a financial organization demands fairly specific elements when looking at network access control (NAC) products. Here are five considerations financial-services firms should take into account when evaluating NAC tools.
1. Network uptime and availability
A few minutes of down time in the financial world can mean millions of dollars lost in the blink of an eye. Failed transactions, miscommunication or network unavailability of any kind can be detrimental to any type of financial organization. These organizations have an even greater burden than standard corporate environments since they're responsible not only for their own monetary transactions, but for those of all their customers and partners.
Network access control products are, by nature, restrictive systems and can easily be the cause of an inadvertent resource unavailability. If a connecting device or target resource were restricted from network access – legitimately or not - the result would be the equivalent of an unplanned down time.
Finding NAC products that meet both an organization's level of tolerance for availability and desired level of security is critical. Many NAC tools are flexible in their configuration and treatment of non-compliant devices. One organization may benefit from the increased and immediate security provided by device lockout or quarantining, while another firm may sacrifice some security and provision a grace period for remediation in order to maintain resource availability. Look for flexibility and be sure to architect a solution that is fault tolerant both in the physical and logical senses.
2. Compliance requirements
Too frequently, organizations evaluate IT security tools solely on technical features instead of first evaluating the ability of a product to solve a business need or enforce an administrative requirement. Due to the strict and unique compliance requirements in the financial industry, the IT teams of banks and other financial organizations are less susceptible to falling into the feature trap than others. Still, it's a pitfall to avoid when looking at NAC technology. Finding a solution that can enforce your business security needs while providing the reporting and accounting necessary for an audit are key to a successful NAC implementation for financial organizations.
3. Support for the current environment and advanced integration for the future
Finding a network access control product that supports the current network environment probably sounds like a "duh" statement, but you'd be surprised at how many organizations begin evaluating particular options before they have a perfectly clear understanding of how all the NAC puzzle pieces will fit together.
There's no single meaning for NAC in the industry and therefore no cohesive means for cross-comparison and evaluation between vendors and products. There are also a variety of ways to implement NAC, including Layer-2 enforcement using port-based security and Layer-3 enforcement using IP-based controls. Each product and implementation combination has a different requirement for components on the network and devices connecting to the network. In a financial world where networks are supporting basic Windows-based PCs, printers and VoIP phones in addition to ATMs, terminals and other critical infrastructure, understanding options in a network access control product before you get started is essential to supporting the environment.
Advanced NAC integration is a subject few organizations are thinking about currently, but it's going to be a growing factor in choosing NAC frameworks and vendors in the future. Advanced integration combines traditional logical IT security with physical security. A good example currently in use at some organizations is the restriction of access to IT resources by a user who has not physically authenticated with a badge into a building, office or data center. Again, this level of integration is not prevalent yet, but the implications and use cases for financial organizations are numerous. Keep an eye out for NAC vendors who have made a commitment to supporting standards- and framework-based integration. Right now the nonprofit Trusted Computing Group's Trusted Network Connect architecture is leading the way in these frameworks.
4. Granular endpoint integrity
Breaking into a highly secured bank infrastructure through a firewall proves to be much more difficult than going for softer targets, such as the uneducated user on the network. Malware, spyware and phishing attacks targeting employees of the financial organization are much more effective, much easier and often much more difficult to track down.
Finding a network access control product with very granular endpoint integrity checking and enforcement is vital to financial organizations and other high-risk networks needing protection from accidental and non-malicious activity by employees and network users. NAC tools with detailed endpoint integrity will typically include an agent that resides on the client to monitor, report on and control certain user actions. This component of NAC gives the organization an added layer of protection against malware by checking the security posture of the endpoint – for example, forcing up-to-date anti-virus definitions, confirming the presence of anti-spyware or prohibiting the user from accessing potentially harmful applications or online resources. These controls help protect the user from hidden threats that may introduce a vulnerability into the network without them even knowing. Financial organizations are frequent victims of targeted attacks on employees, making these controls essential. Remember, protecting users from themselves is often more difficult than protecting our network from those users.
5. Longevity and roadmaps
Last, but certainly not least, the one major consideration all organizations should take into account is the longevity of the product and the vendor's roadmap for supporting it. There's no clearly defined leader in the NAC space right now; vendors are all scratching and clawing their way to be the top. What that translates to is a market where vendors are making empty promises in order to win business, get reference accounts and move to the top. Always vet your vendors thoroughly and ask to see a 24- to 36-month roadmap for the technologies you're considering. Ask what standards and frameworks they support now and plan to support in the future, and make sure it all aligns with your needs.
About the author:
Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. She specializes in network security, NAC/NAP, 802.1X and wireless security and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and lead SME in the cryptography domains of the official (ISC)2 CISSP courseware and maintains the SecurityUncorked blog