7.5. Compliant with Compliance

Most organizations today, regardless of location or industry, must meet a growing number of industry and government regulations and requirements.

But meeting the specific requirements set by industry bodies and government entities is only part of the problem. The other part is the mandate that organizations prove their adherence to those regulations.

Adhering to (and proving adherence to) these regulations places a heavy burden on network and security resources, both physical and human, that are already taxed. Teams already stretched thin by being asked to do more with less can be pushed to the breaking point by compliance work. We see it all the time.

So, we advocate that organizations create a compliance team (if they haven't already), either full or part time, based on the organization's needs. A compliance team has to

  • Identify and fully understand the industry and government regulations to which the organization must adhere.

  • Call out the specific requirements and line items in each regulation that affect the organization and its business.

  • Identify the means within the organization (technology, processes, policies, and so on) that already exist, or that you need to create, to address the requirements in the regulations.

  • Work with other teams (the networking team, security team, desktop team, and others) to ensure that the organization scopes, defines, and satisfactorily implements the technologies, processes, and policies needed to meet the stipulations of the applicable regulations.

  • Ensure that any compliance solution captures and stores the data that evidences the organization's adherence to the regulations, and that the organization can produce that data if the governing body or regulatory agency requires an audit to prove that the stipulations were met.

More and more organizations are turning to NAC to address their regulatory compliance requirements. NAC can address compliance requirements for the same reason you, the reader, may find it so difficult to get a NAC project approved, implemented, and deployed within your organization: NAC is pervasive. It touches every aspect of daily networking and computing, as well as the users themselves.

NOTE

NAC deals with and touches nearly every device (and every person) that attempts to connect or actually connects to a network:

  • Endpoint devices (particularly if your NAC solution includes a client, or a persistent or dissolvable agent, to check on the security state of the device prior to the solution granting that device network access)

  • Users (ensuring that the NAC solution authenticates and authorizes the user to access the network, as well as specific servers, applications, and data stored on the network)

  • The network's policies (enabling an organization to define or redefine its security and access policies; a NAC solution often interacts with existing security, antivirus and anti-malware, patch management, and access control policies, or supplies new ones).

NAC can deliver network admission control based on authentication and authorization, specific actions and policies, identity-based network and application access control, and user roles. Because NAC combines identity-based admission and access control, authentication and authorization, and policy management in one solution, and can leverage other network and security components, it is well suited to regulatory compliance needs.

Regardless of your industry or the government regulations to which your organization must adhere, most regulations share several common requirements.

7.5.1. Antivirus (and Anti-malware)

Nearly every compliance regulation requires that an endpoint device have at least antivirus software (and, in some cases, additional anti-malware software) installed, running, and current before that device receives network access. Most NAC solutions address this requirement through endpoint security checks: before granting access, the solution checks whether an antivirus or anti-malware product is present on the device, whether it is actually running, and whether its signatures and engine are up to date. A device that does not meet this baseline typically is not granted network access until it does. Some NAC solutions quarantine a non-compliant device in a restricted segment, and some of those can bring the device back into compliance through manual or automatic remediation. Keep in mind that such a check is only as trustworthy as the agent or scan that reports the device's state, so the compliance team should know which method the solution uses.

7.5.2. Authentication

Most industry or government regulations require that an organization authenticate all users before granting them access to the organization's network. Many NAC solutions support user authentication, and some support several forms of it, including unique user names and passwords, two-factor authentication, hardware tokens and biometric devices, and password encryption and management. Some NAC solutions interface directly with an organization's existing authentication database or directory, others require a secondary interface to existing authentication stores, and some require that the data store reside on the NAC device itself.

7.5.3. Identity

Some compliance regulations require that an organization identify a user or device by more than an IP address, because attackers and malicious users can easily spoof IP addresses. These regulations require identity-based controls. Some NAC solutions deliver access control based on user identity, others offer role-based access control, and some provide both. With identity-based or role-based access control, an organization knows who is accessing its network and sensitive applications, and when.

7.5.4. Access control

Many compliance regulations require organizations to restrict access to sensitive data stored on the organization's network. Many NAC solutions address this requirement, some more easily and quickly than others. Some NAC solutions are designed from the ground up to deliver network and application access control and have the native ability to separate and secure the network devices or network areas that store sensitive data so that no unauthorized person or device can reach them. These solutions logically segment the network: if a user or device is not authorized to access the device or area that stores the sensitive information, the NAC solution denies that access. This type of NAC solution helps an organization meet regulatory compliance and also reduces its exposure to data breaches, which protects its credibility; no organization wants to be the spotlight story on 60 Minutes as the poster child for information breaches, or to issue a press release and pay compensation to customers for stolen personal data.

7.5.5. Encryption

Most compliance regulations require that data communicated or transmitted, usually outside the network, remain secure. Several regulations now extend this requirement to data communicated within the LAN as well, because insider threats and internal breaches have become more common and more costly to remediate than external breaches (not to mention the damage to the organization's reputation if the attacker, users, or even the compliance governing agency publicizes the breach).

Many NAC solutions provide a means to encrypt data that a user transmits outside the network. Some NAC solutions leverage the IEEE 802.1X standard for port-based network access control. Note that 802.1X itself is an authentication framework, not an encryption protocol: it protects the user's credentials only when the chosen EAP method (such as EAP-TLS or PEAP) wraps the exchange in a TLS tunnel, and it protects data on the link only when the keys it derives are used by a link-layer encryption protocol, that is, WPA2/WPA3-Enterprise on wireless or IEEE 802.1AE (MACsec) on wired Ethernet. Some NAC solutions provide another form of encryption, such as IPsec, to protect data communicated outside the organization's network. A few NAC solutions go further and encrypt data transmitted across the internal network, from device to device.

7.5.6. Audits

Many compliance regulations require an organization to prove that it adheres to the requirements listed in the regulation. Some require proof of which authenticated users accessed which protected resources (such as stored sensitive data), and when. NAC solutions can provide audit trails and logs, and some include reports on network and application access, authentication, authorization, and so on. Some NAC solutions can export their logs to external systems, such as security information and event management (SIEM) products that correlate and analyze the log data, or to existing report-generation tools. A few NAC solutions that deliver identity-based and role-based controls can correlate user identity and role with network and application usage to produce detailed logs and reports ready for a compliance audit.
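The admission flow the preceding sections describe (authenticate the user as in 7.5.2, check endpoint posture against the antivirus baseline of 7.5.1, apply identity- and role-based access control as in 7.5.3 and 7.5.4, and record a correlated audit trail as in 7.5.6) can be modelled as a small policy engine. The following Python is an added example written for this page; it is not code from the book or from any NAC vendor. The baseline values, role names, segment names, posture fields, and the sample sessions are all constructed assumptions. A real NAC product takes the posture report from its agent and the authentication result from the 802.1X/RADIUS exchange; both are simulated here as input fields.

```python
"""
Toy NAC admission-policy engine (added example; not from the book or any vendor).
Evaluates a constructed endpoint posture report and user identity against a
compliance baseline and returns an access decision plus an audit record suitable
for export to a SIEM. Field names, roles, segments and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import json

# Baseline the compliance team derived from its regulation line items (assumed values)
MAX_SIGNATURE_AGE = timedelta(days=3)
ROLE_PERMISSIONS: Dict[str, set] = {
    "finance": {"corp-lan", "cardholder-data-vlan"},
    "staff": {"corp-lan"},
    "contractor": {"internet-only"},
}
QUARANTINE_VLAN = "remediation-vlan"


@dataclass
class Posture:
    av_installed: bool
    av_running: bool
    signatures_updated: datetime  # timezone-aware, as reported by the (assumed) agent


@dataclass
class Session:
    username: str
    role: str
    device_id: str
    src_ip: str
    authenticated: bool  # outcome of the 802.1X/EAP exchange (simulated input)
    posture: Posture
    requested_segment: str


@dataclass
class Decision:
    action: str  # "allow", "quarantine" or "deny"
    segment: Optional[str]
    reasons: List[str] = field(default_factory=list)


def posture_failures(p: Posture, now: datetime) -> List[str]:
    """Return the first antivirus baseline check the endpoint fails (7.5.1), if any."""
    if not p.av_installed:
        return ["antivirus not installed"]
    if not p.av_running:
        return ["antivirus installed but not running"]
    if now - p.signatures_updated > MAX_SIGNATURE_AGE:
        return ["antivirus signatures older than %d days" % MAX_SIGNATURE_AGE.days]
    return []


def evaluate(s: Session, now: datetime) -> Decision:
    """Order matters: identity first, then posture, then role-based authorization."""
    if not s.authenticated:  # 7.5.2: no identity, no network
        return Decision("deny", None, ["authentication failed"])
    failures = posture_failures(s.posture, now)
    if failures:  # 7.5.1: non-compliant devices get a remediation segment, not the LAN
        return Decision("quarantine", QUARANTINE_VLAN, failures)
    allowed = ROLE_PERMISSIONS.get(s.role, set())
    if s.requested_segment not in allowed:  # 7.5.3/7.5.4: keyed on role, never on src_ip
        return Decision("deny", None, ["role '%s' not authorized for %s" % (s.role, s.requested_segment)])
    return Decision("allow", s.requested_segment, ["posture compliant", "role '%s' authorized" % s.role])


def audit_record(s: Session, d: Decision, now: datetime) -> dict:
    """One record per admission decision, correlating identity, device and outcome (7.5.6)."""
    return {
        "ts": now.isoformat(),
        "user": s.username,
        "role": s.role,
        "device_id": s.device_id,
        "src_ip": s.src_ip,  # logged for correlation only; it never drives the decision
        "requested": s.requested_segment,
        "action": d.action,
        "granted_segment": d.segment,
        "reasons": d.reasons,
    }


# Constructed sample sessions (not real data)
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    Session("alice", "finance", "LAP-0001", "10.1.2.3", True,
            Posture(True, True, NOW - timedelta(hours=6)), "cardholder-data-vlan"),
    Session("bob", "staff", "LAP-0002", "10.1.2.4", True,
            Posture(True, True, NOW - timedelta(days=10)), "corp-lan"),
    Session("carol", "contractor", "LAP-0003", "10.1.2.5", True,
            Posture(True, True, NOW - timedelta(hours=1)), "cardholder-data-vlan"),
    Session("mallory", "staff", "LAP-0004", "10.1.2.6", False,
            Posture(True, True, NOW), "corp-lan"),
]


def run_all(sessions=SAMPLE_SESSIONS, now=NOW) -> Tuple[List[Decision], List[dict]]:
    """Evaluate every session; return the decisions and the matching audit records."""
    decisions = [evaluate(s, now) for s in sessions]
    records = [audit_record(s, d, now) for s, d in zip(sessions, decisions)]
    return decisions, records


if __name__ == "__main__":
    for rec in run_all()[1]:
        print(json.dumps(rec, sort_keys=True))  # one JSON line per decision, SIEM-ready
```

Running the block prints one JSON line per session. The audit line is what you would ship to the SIEM, and its reasons field is what an auditor asks for: why this device got this segment at this time. Note that the decision is keyed on the authenticated identity and role, never on the source IP, which is recorded only so the SIEM can correlate it with other logs.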

If the compliance team is involved in the NAC solution decision, it will likely want to understand

  • which compliance regulations the organization must adhere to

  • how the NAC solution addresses each compliance requirement the organization must meet (probably in detail)

  • how the NAC solution supports the team's compliance audit needs

NOTE

Be prepared to discuss, in some detail, how your selected NAC solution addresses regulatory compliance and audits. Focus on how it can help the compliance team, and gain its members as backers of your selected NAC solution rather than having to deal with a compliance team that opposes it.
