2.5. NAC and Compliance

A litany of compliance regulations (which industry and government entities launch and enforce) scrutinize many companies, as well as their networks, applications, and data. Various compliance regulations may

  • Prescribe how the company must assure data and network integrity.

  • Demand that users comply with company security policies.

  • Mandate companies implement policies that adhere to the regulations and dictate penalties if the company or their users don't meet policy.

2.5.1. The difficult news

Many industry and government regulations have been created, and most of them focus on specific industries or markets. These regulations include Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX), just to name a few. If you Google any of these regulations, you can spend a fun-filled afternoon reading about them.

In many cases, compliance regulations reach around the world, such as PCI DSS; but many countries or world regions also have their own compliance regulations, in addition to worldwide compliance regulations. Many of these national or regional regulations have additional paragraphs and sections that dictate protection for the company, users, and data from unauthorized access, as well as penalties for non-compliance and non-adherence. Particularly if a breach or attack occurs, or if an audit or check is failed, your organization may face severe ramifications — including fines and, in extreme cases, imprisonment of the violating company's senior officials.

For example, many compliance regulations require that an organization authenticate the users and devices that request network connection before bestowing network access. Many times, these same regulations require two-factor authentication, which means that the company needs to require more than just a user name and password to enable network access. The company would require users to use an additional authentication method, such as a password key, identity card, biometrics, or other means before they could be granted network access.

Here are some examples of other compliance issues that you might encounter:

  • Device adherence: Some regulations require all devices that request network connectivity to have the latest, most up-to-date antivirus software and signatures up and running. These same regulations mandate that devices have installed the most current patches and hotfixes for operating systems and applications before they can gain access to a company's network. And organizations must provide proof to a compliance authority — an industry body, government agency, or another similar authorizing organization — that they're following and meeting these requirements.

  • Data protection in transit: Most compliance requirements have a stipulation about protecting data in transit to and from the user's device and the network. They require that the data — which can include sensitive patient data, credit cardholder information, or financial records, to name a few examples — be encrypted in some manner — via software or hardware encryption, by a client or other means — while that data is communicated between the user's device and the network so that no one can hack, steal, or render useless the sensitive data.

  • Segmentation: Regulatory bodies can also require that companies segment their most secretive, sensitive data from the rest of their network and user community when companies store that data on their network. They can also stipulate that accessing the stored data requires additional authorizations.

  • Proof of compliance: Industry and governmental regulatory agencies require proof of adherence to their rules and regulations. In many cases, the regulatory bodies perform their own audits of participating companies. Or they may require that a certified third party audit the security records of companies annually or on a defined periodic basis to ensure their compliance with the entity's rules and regulations. A company that doesn't comply with the industry or government regulations may face severe penalties, including fines.

Although all these rules and regulations might seem like overkill, you can face large penalties for not complying with industry or government regulations: Stolen user data or hacked systems can lead to fines, imprisonment of company officials (in the most egregious cases), and significant loss of reputation and revenue.

Your company may find a damaged reputation many times worse than a simple fine, and much more costly and time-consuming to repair. Loss of revenue only makes matters worse.

2.5.2. The good news

NAC addresses most, if not all, of the requirements placed on corporations by industry and government regulatory bodies, which we talk about in the following sections.

So, if your network and company needs to comply with any kind of industry or governmental regulation, no matter how complex, NAC can protect against data breaches; data and identity theft; and other forms of data snooping, hacking, and unauthorized access. A NAC solution allows you to address regulatory compliance and keep your company's reputation intact.

2.5.2.1. Network security

A NAC solution can check a user's device to ensure that it has the latest, most up-to-date antivirus signatures, that its operating systems and applications include the most current patches and hotfixes, and that they're all operating. A NAC solution usually can perform these tasks for a number of other anti-malware and security applications, as well.
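The posture check described above, as an added example that is not part of the original text or of any particular NAC product: a hypothetical policy (signature age, OS patch baseline, required running agents; all thresholds are illustrative) is evaluated against a constructed device posture report, and the device is either allowed or quarantined with the reasons recorded for the audit trail.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical posture policy; the thresholds are illustrative, not taken from any regulation.
MAX_SIGNATURE_AGE_DAYS = 3          # antivirus signatures older than this fail the check
REQUIRED_OS_PATCH_LEVEL = (2024, 6)  # (year, month) of the oldest acceptable cumulative update
REQUIRED_RUNNING = {"antivirus", "host_firewall"}  # agents that must be up on the device


@dataclass
class PostureReport:
    """Constructed shape of a posture report sent by a NAC client (dates are ISO 8601 strings)."""
    device_id: str
    av_signature_date: str       # e.g. "2024-06-10"
    os_patch_level: tuple        # (year, month) of the newest installed cumulative update
    running_services: set        # agents the client observed as running


def evaluate_posture(report, today_iso):
    """Return ("allow" | "quarantine", [failure reasons]) for one device report.

    Every failed check is recorded so the decision can be shown to an auditor,
    not just the final verdict.
    """
    failures = []
    today = date.fromisoformat(today_iso)
    sig_age = (today - date.fromisoformat(report.av_signature_date)).days
    if sig_age > MAX_SIGNATURE_AGE_DAYS:
        failures.append(
            f"antivirus signatures are {sig_age} days old (max {MAX_SIGNATURE_AGE_DAYS})")
    if tuple(report.os_patch_level) < REQUIRED_OS_PATCH_LEVEL:
        failures.append(
            f"OS patch level {report.os_patch_level} is below baseline {REQUIRED_OS_PATCH_LEVEL}")
    missing = REQUIRED_RUNNING - set(report.running_services)
    if missing:
        failures.append("required agents not running: " + ", ".join(sorted(missing)))
    return ("quarantine" if failures else "allow", failures)


if __name__ == "__main__":
    stale = PostureReport("laptop-2", "2024-05-01", (2024, 3), {"antivirus"})
    print(evaluate_posture(stale, "2024-06-12"))
```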

2.5.2.2. Encryption

Most NAC solutions provide a level of encryption for data being transmitted from the user device to the network. Some NAC solutions also offer data encryption from the network to the device, as well. The level and standard of encryption can vary.

2.5.2.3. Insider threats

As discussed in the section "Wireless Networks and NAC," earlier in this chapter, some forms of NAC implement the IEEE's 802.1X standard as part of their deployment. The 802.1X standard, which requires the user or organization to deploy and load a client (or, in 802.1X parlance, a supplicant) to the user's device, can help to ensure data security and integrity while that data is in transit. The 802.1X standard uses powerful, standards-based encryption on data communicated from the user's device to the network, effectively discouraging data snooping and theft. Some NAC solutions also provide encryption for data communicated over a wired network. Many NAC solutions can provide encryption via the implementation of the 802.1X standard, by Internet Protocol Security (IPSec), or other means. This level of NAC can protect against insider threats, such as information theft or hacking by trusted employees who use managed devices. We talk more about this scenario in the section "Insider Access and Threats," later in this chapter.

2.5.2.4. Authorization

NAC can effectively segment sensitive data from unauthorized users. Whether through re-authentication before data access or by checking the user's role — if data access is identity- or role-based — a NAC solution can make sure that only authorized users, whether external or internal to the network, may access sensitive data.

2.5.2.5. Logging and reports

Most NAC solutions provide comprehensive logs and, in many instances, detailed reports on user actions. In the case of logs, you can often import the logs into existing reporting tools or report structures, providing regulatory compliance audits and auditors with the reports and data that they need. You can also export NAC reports to existing reporting tools and report structures, in most cases, which aids in viewing the collected data and regulatory compliance audits. Depending on the particular NAC solution, the logs or reports may correlate IP addresses to user identity, making it easier to follow and understand which user accessed sensitive data at what time.
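The IP-to-identity correlation described above, as an added example that is not part of the original text: constructed NAC authentication log lines and file-server access log lines (both formats are assumptions, not any product's real format) are joined so that each sensitive-data access is attributed to the user who most recently authenticated from that IP address at or before the access time. Because an address can be reassigned, the join has to be time-aware, and an access with no earlier accepted authentication is flagged rather than guessed.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs (not from any real NAC product); timestamps are ISO 8601 UTC.
# Note that 10.0.5.23 is used by jdoe first and by asmith later in the morning.
NAC_AUTH_LOG = """\
2024-05-02T08:55:10Z nac auth user=jdoe ip=10.0.5.23 result=accept
2024-05-02T09:40:00Z nac auth user=asmith ip=10.0.5.23 result=accept
2024-05-02T09:41:00Z nac auth user=bogus ip=10.0.5.99 result=reject
"""
DATA_ACCESS_LOG = """\
2024-05-02T09:15:31Z fileserver ip=10.0.5.23 resource=/finance/payroll.csv action=read
2024-05-02T09:45:02Z fileserver ip=10.0.5.23 resource=/hr/records.db action=read
2024-05-02T09:46:00Z fileserver ip=10.0.5.77 resource=/hr/records.db action=read
"""

AUTH_RE = re.compile(r"^(\S+) nac auth user=(\S+) ip=(\S+) result=(\S+)$")
ACCESS_RE = re.compile(r"^(\S+) fileserver ip=(\S+) resource=(\S+) action=(\S+)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_ip_sessions(auth_log):
    """Map ip -> time-sorted list of (auth_time, user), keeping accepted authentications only."""
    sessions = defaultdict(list)
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group(4) == "accept":
            sessions[m.group(3)].append((_ts(m.group(1)), m.group(2)))
    for ip in sessions:
        sessions[ip].sort()
    return sessions


def attribute_access(auth_log, access_log):
    """Return [(access_time, user, ip, resource)] with the user who held the IP at that moment.

    The user is "UNATTRIBUTED" when no accepted authentication for that IP precedes the access.
    """
    sessions = build_ip_sessions(auth_log)
    result = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        when, ip, resource = _ts(m.group(1)), m.group(2), m.group(3)
        auth_times = [t for t, _ in sessions.get(ip, [])]
        idx = bisect_right(auth_times, when) - 1  # latest auth at or before the access
        user = sessions[ip][idx][1] if idx >= 0 else "UNATTRIBUTED"
        result.append((m.group(1), user, ip, resource))
    return result
```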
