This article can also be found in the Premium Editorial Download "Information Security magazine: Keep today's threats close and tomorrow's closer."
Download it now to read this article plus other related content.
Post-admission controls would shore up NAC/NAP shortcomings.
If anything, the endpoint security story has been one of how the marketing power of industry giants can stall customer purchase decisions.
Cisco Systems' Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP) initiatives both emphasize pre-admission control, quarantining non-compliant endpoints to protect against attacks. It has taken the collective voice of small endpoint security vendors to raise awareness of the greater demand for post-admission control. After all, blocking people is easy; the hard job is finding ways to safely conductbusiness when the unmanaged endpoint of a business partner or customer is not up to snuff.
Customers I talk to want more out of NAC/NAP, and many are holding off on the technologies until they can get it. The problem is how to handle customer or partner devices that cannot be quarantined or forced to comply with a higher security standard than that which their organizations require. Asking third parties to install software to conduct business is not a long-term solution for endpoint security.
Few companies want to condemn a business partner to the quarantine abyss. I consistently hear demands for the following three post-admission control capabilities in NAC/NAP, and increasing calls for the fourth:
Enforce identity-based networking. The network should only disclose applications to users who have valid
Prevent the rampant outbreak of an infection. While network security cannot always save endpoints from an attack, it should try to control the spread of the attack to protect the entire network.
Reduce operational costs. The automation of labor-intensive tasks allows IT to better service corporate stakeholders. Pre-admission control lets IT discover and update managed endpoints when they report for duty; post-admission control ensures continuous compliance of endpoints.
Keep confidential data private. Protecting confidential information will be the next major requirement of endpoint security. The ability to track the flow of confidential data, clean up repositories and use virtualization to keep information in the data center is key for securing intellectual property.
No single vendor can satisfy the full range of these requirements. But organizations can push the post-admission mantra by asking the major infrastructure vendors for capabilities such as the following:
Allow endpoints to dynamically signal broader definitions of health. Updated signature dictionaries and patch levels are nice, but let's allow installed security products to also have input about such things as system performance, acceptable device and application use, exposure risk of confidential data, and login account compliance.
Support dynamic post-admission features. These are critical network features that allow an organization to safely do business with unmanaged endpoints and non-compliant devices. They include restricting application protocols from infected devices, altering access rights according to changes in endpoint health profiles, and choosing virtualized application delivery mechanisms that balance performance needs with confidential data protection.
It is time for the security industry to extend today's NAC/NAP vision beyond pre-admission control to secure critical business processes in our highly interconnected world.
This was first published in January 2007