Financial sector IT concerns
Customers want simple, fast access to their financial information and the ability to easily conduct transactions. Those needs are offset, though, by increasingly sophisticated attacks and by government and industry regulations that demand tighter security. Network and security administrators in the finance sector have a delicate balance to strike.
Remote workers, branch offices, and a distributed user base, combined with a proliferation in the variety of devices capable of accessing the network, make the task of protecting data more difficult. Adding to that complexity, the trend of industry consolidation requires that diverse, heterogeneous networks be merged securely as well.
Protecting the network with NAC
Financial institutions have a number of regulatory requirements and industry mandates to comply with. Many of them govern how companies in the financial sector must protect their networks and their data.
Some regulations, such as the Sarbanes-Oxley Act, do not specifically address network security controls; however, they do require that financial information be protected by policies and controls that ensure its integrity. Most companies rely heavily on their network and computer resources to generate, transmit, and store such data, which brings network security into play in order to achieve compliance.
The NAC acts as the gatekeeper to the network: it validates identity, verifies compliance with internal security policies, and ensures that the endpoint device has the prerequisite level of patching and the appropriate antimalware and firewall systems before it will allow the device to connect to the network.
Depending on the product used and how it is implemented, NAC can provide policy management, authentication, access control, security remediation, and a compliance and audit trail. Not only can NAC deliver these aspects of network security and regulatory compliance, but it can automate them as well, freeing network personnel for tasks that require cognitive intervention.
Network access control functions
A comprehensive NAC solution that manages both pre- and post-access concerns and addresses security policies, endpoint compliance, and identity authentication and verification can be an effective tool for protecting network resources and sensitive data while also achieving compliance. Below is a description of network security controls and the functions of NAC that address them.
- Identity verification: NAC can tie in with identity and access management and ensure that users are authorized and have the appropriate credentials (username and password, two-factor authentication, etc.) to be granted access. Ensuring that only authorized users are able to connect with the network protects against many potential threats.
- Access control: Once identity is confirmed, resources can be allocated based on role-based or location-based policies. Different groups or individuals may be restricted to certain network resources. In addition, policies can be constructed so that users accessing the network from public kiosks or hot spots are granted access to an even more restricted area of the network in order to protect the rest of the network from potential attack or compromise.
- Policy compliance: Before the NAC allows a device to connect to the network, it also scans the device to ensure it is in compliance with internal security policies. The NAC can check to ensure a personal firewall is active on the system, that appropriate antimalware software is installed and up to date, and that the device is current on its operating system and application patching. Devices that do not meet the requirements of internal security policies can be denied access entirely, or redirected to a segregated portion of the network where they can be directed to the software and updates they need to achieve compliance.
- Remediation: Some NAC devices only control the initial access. A more comprehensive tool will continue to monitor network traffic and the state of the endpoint devices to ensure they remain in compliance with internal security policies. NAC can also watch for suspicious activity that suggests an attack from the endpoint or that the endpoint has been compromised, and shut down or remove access for that device. Administrators can configure alarms or alerts to notify them when suspicious or malicious activities occur.
- Auditing and logging: Even for financial organizations that have achieved compliance with the various legislative and industry requirements, documenting that compliance and performing periodic audits of compliance can be a daunting task. NAC can generate logs and reports that can be used to automate compliance auditing and provide a method for administrators to monitor compliance on an ongoing basis.
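The pre-access functions in the list above can be read as one admission decision. The sketch below is an added example, not code from any NAC product; the role names, segment names, patch-age threshold, and the `Endpoint` fields are hypothetical values chosen for illustration.

```python
import json
from dataclasses import dataclass

# Hypothetical policy values, chosen for illustration only.
ROLE_SEGMENTS = {"teller": "branch-apps", "trader": "trading-floor"}
RESTRICTED_SEGMENT = "restricted"      # for public kiosks and hot spots
REMEDIATION_SEGMENT = "remediation"    # segregated network offering updates
MAX_PATCH_AGE_DAYS = 30

@dataclass
class Endpoint:
    user: str
    role: str
    authenticated: bool        # result from identity and access management
    location: str              # "office", "branch" or "public"
    firewall_on: bool
    antimalware_current: bool
    patch_age_days: int

def posture_failures(ep):
    """Return the internal-policy checks that the device fails."""
    failures = []
    if not ep.firewall_on:
        failures.append("firewall_inactive")
    if not ep.antimalware_current:
        failures.append("antimalware_outdated")
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append("patches_outdated")
    return failures

def admit(ep, audit_log):
    """Decide pre-access admission and append one audit record."""
    failures = []
    if not ep.authenticated or ep.role not in ROLE_SEGMENTS:
        decision, segment = "deny", None           # identity verification
    else:
        failures = posture_failures(ep)
        if failures:                               # policy compliance
            decision, segment = "quarantine", REMEDIATION_SEGMENT
        elif ep.location == "public":              # location-based access control
            decision, segment = "allow", RESTRICTED_SEGMENT
        else:                                      # role-based access control
            decision, segment = "allow", ROLE_SEGMENTS[ep.role]
    record = {"user": ep.user, "decision": decision,
              "segment": segment, "failures": failures}
    audit_log.append(json.dumps(record, sort_keys=True))  # auditing and logging
    return decision, segment
```

Every decision, including denials, writes an audit record, so the log can support the periodic compliance reviews described in the last list item.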
A NAC is not a silver bullet, though. There are potential downsides that must be considered as well. NAC is subject to false positives, possibly blocking access to devices that are secure and comply with internal policies. It may also be subject to false negatives, allowing access to compromised or infected systems. One other concern, and perhaps the biggest for companies that place their trust in NAC, is that the NAC itself could be compromised by an attacker. Organizations looking at NAC to protect their environment need to be aware of these potential issues and keep them in mind as they explore the available options.
About the author:
Tony Bradley is a CISSP, and a Microsoft MVP. He is a Director with Evangelyze, a Microsoft Gold Certified and Voice Premier Partner focused on unified communications technologies. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of Web and print publications, and has written or co-written eight books. In addition, Tony is the face of the About.com site for Internet / Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.