Is NAC as a concept dead?

February 24, 2019
2 minute read

A recent tweet from Kevin Beaumont (@GossiTheDog) and following threat on why nobody really implements NAC got me thinking because I like the idea as a concept very much.

I guess we all agree that knowning what you assets are and what’s on your network is critical for securing an environment. There’s a good reason why the first of the CIS Controls is “Inventory and Control of Hardware Assets” with the explanation

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Hence I always thought NAC should be foundational. So this made me think again. I still think it’s useful and sensible to monitor what systems are connected and what security posture they have. Simply monitoring however lowers the bar for technical measures and MAC address bypass may be a good enough solution.

Still this leaves two main issues open:

Thus it may simple make no sense anymore to control who is “on the network” if that’s more or less everything. As an example: if you use Office 365 and allow direct connections to it from everywhere (which is useful for your users) all their home networks, hotel, coffeshop networks and so on become “the network”.

If that’s the case shouldn’t we rather concentrate on securing the data people or systems access and limit that rather than limiting network access? Maybe NAC is just a too low level abstraction to be useful anymore.

If that’s true then maybe NAC as a concept needs to be replaced by better identity management combined with rights management solutions. It may not matter much which device I use to access sensitive data but more if I’m allowed to access it in the first place and what I’m allowed to do with it.

Let me know your thoughts in the comments!

Share on:

Using SSH Agent on Windows

November 10, 2021
2 minute read
security software

Attribution in Cyber Security

October 22, 2021
3 minute read

Adapt security to cloud-native environments

January 24, 2021
4 minute read
security cloud
comments powered by Disqus