A recent tweet from Kevin Beaumont (@GossiTheDog) and following threat on why nobody really implements NAC got me thinking because I like the idea as a concept very much.
InfoSec vendors: We have this new thing called Network Access Control, it’s the best!
— Kevin Beaumont (@GossiTheDog) February 20, 2019
*nobody buys it*
InfoSec vendors: We have this new thing called Zero Trust Networks, it’s the best!
*spoiler: nobody buys it*
I guess we all agree that knowning what you assets are and what’s on your network is critical for securing an environment. There’s a good reason why the first of the CIS Controls is “Inventory and Control of Hardware Assets” with the explanation
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Hence I always thought NAC should be foundational. So this made me think again. I still think it’s useful and sensible to monitor what systems are connected and what security posture they have. Simply monitoring however lowers the bar for technical measures and MAC address bypass may be a good enough solution.
Still this leaves two main issues open:
- it’s exceptionally difficult to know all the hardware on the network that require special treatment and a lot of coordination effort across different teams to figure out
- the clear demarcation between “the network” and the rest of the Internet doesn’t exist reliably any more.
Thus it may simple make no sense anymore to control who is “on the network” if that’s more or less everything. As an example: if you use Office 365 and allow direct connections to it from everywhere (which is useful for your users) all their home networks, hotel, coffeshop networks and so on become “the network”.
If that’s the case shouldn’t we rather concentrate on securing the data people or systems access and limit that rather than limiting network access? Maybe NAC is just a too low level abstraction to be useful anymore.
If that’s true then maybe NAC as a concept needs to be replaced by better identity management combined with rights management solutions. It may not matter much which device I use to access sensitive data but more if I’m allowed to access it in the first place and what I’m allowed to do with it.
Let me know your thoughts in the comments!