In the ever-evolving landscape of cybersecurity, organizations continuously seek robust mechanisms to protect their networks and data. One effective approach is implementing Network Access Control (NAC), which plays a critical role in meeting the stringent cybersecurity requirements set forth by the National Institute of Standards and Technology (NIST) in its Special Publication 800-53. This publication provides a catalog of security and privacy controls for federal information systems and organizations to enhance their security posture.
What is Network Access Control?
Network Access Control (NAC) is a security solution that enforces policy compliance on devices that attempt to access network resources. NAC can deny network entry, restrict access to certain areas, or place devices in a quarantined area until they meet the network’s security standards. This mechanism is vital in preventing unauthorized access and managing the security of devices over their lifecycle.
Alignment of NAC with NIST SP 800-53
NAC supports several key security controls outlined in NIST SP 800-53, ensuring that organizational networks remain secure and resilient against threats. Here’s how NAC aligns with some of these controls:
1. Access Control (AC)
NAC systems are paramount in enforcing access control policies by ensuring that only authenticated and authorized devices can access network resources. This is in line with AC-3 (Access Enforcement) and AC-17 (Remote Access), which mandate that access to organizational systems is controlled and managed effectively.
2. Identification and Authentication (IA)
By integrating with identity management solutions, NAC ensures that all devices are properly identified and authenticated before gaining network access, aligning with IA-2 (Identification and Authentication). This prevents unauthorized devices from accessing sensitive data and systems.
3. System and Communications Protection (SC)
NAC contributes to the protection of system boundaries through policies that isolate and control the flow of information between networks. SC controls, such as SC-7 (Boundary Protection), are supported by NAC solutions that monitor and control communications at the boundaries of network segments.
4. Audit and Accountability (AU)
NAC systems can log and monitor all attempts to access the network, providing a detailed account of device activities. This supports AU-2 (Audit Events) and AU-12 (Audit Generation) requirements by ensuring that actions affecting security are recorded and available for review.
5. Configuration Management (CM)
NAC aids in maintaining the security configuration of devices throughout their lifecycle. By ensuring devices comply with CM-7 (Least Functionality), NAC restricts software installations and functions that might compromise security.
Benefits of Implementing NAC in Alignment with NIST SP 800-53
Implementing NAC not only supports compliance with NIST SP 800-53 but also brings several benefits to organizational cybersecurity strategies:
- Enhanced Visibility and Control: NAC provides complete visibility of all devices on the network, including BYOD and guest devices, allowing for better control of who accesses what resources.
- Automated Response: NAC can automatically respond to non-compliance and security threats by restricting access or quarantining devices, thus reducing the risk of security breaches.
- Regulatory Compliance: For organizations subject to regulations, NAC helps in maintaining continuous compliance with security policies and regulations.
The alignment of Network Access Control with NIST SP 800-53 requirements is a testament to its value in a comprehensive cybersecurity strategy. By enforcing robust access control, ensuring proper identification and authentication, and supporting system integrity and accountability, NAC not only adheres to but enhances the security controls recommended by NIST. As cyber threats continue to evolve, the role of NAC in securing network environments remains indispensable, ensuring that organizations can protect their critical information assets effectively.
| Cloud Native | Faux Cloud | |
| Infrastructure | Provided, paid, and managed by the vendor; mostly invisible to anyone utilizing the service | Provided, paid, and managed by you through your own AWS or Azure account |
| Implementation | Quick time to value; much of the work is invisible to you | Depends on the complexity of the app, but it is your responsibility to do the work or pay someone else to do it |
| Pricing | Subscription with lower up-front cost | Perpetual license with expensive up-front cost that are amortized over time.
(Note: many vendors are moving away from perpetual licensing for on-prem or faux cloud products, but as they do, their customers are getting the worst of both worlds – paying more annually while still being responsible for on-going maintenance of the product) |
| Total Cost of Ownership | The price of the product reflects the genuine cost of ownership | The price of the product is only one (and sometimes only a small) part of the total cost that is reflected in the staff time and public cloud expenses; in many instances, you may not even know what it is going to cost you until it is too late |
| Vendor Lock-In | Easy to switch to another vendor should your business needs change | Expensive license, deployment and maintenance costs make switching prohibitive, often for years |
| Access | Access anywhere via browser with internet connection | On-premises model often requires access via VPN
(Note: what happens when there is a problem with your solution and your VPN is configured to use your on-premises system? Sounds like someone is driving into the office!) |
| Scalability | Automatically scales with usage | Customer must increase capacity to keep up with usage |
| Updates | Vendor regularly updates the underlying components such as servers, databases, etc. This process will often be invisible to you. | You are responsible for ensuring that the entire tech stack – components, databases, servers, network – is updated with the latest patches |
| Upgrades | You seamlessly and transparently reap the benefit of new features, enhancements, and other improvements with zero effort | Any upgrade requires you to install, test, and then deploy the upgrade in production, often during nights and weekends in case something goes wrong |
| Accountability | The vendor takes ownership of the uptime and security, performance, and availability of the service | Apart from the infrastructure as a service, you are on the hook for the performance, health, security, and availability of the solution, lock stock and barrel |
Cloud Native
Infrastructure
Provided, paid, and managed by the vendor; mostly invisible to anyone utilizing the service
Implementation
Quick time to value; much of the work is invisible to you
Pricing
Subscription with lower up-front cost
Total Cost of Ownership
The price of the product reflects the genuine cost of ownership
Vendor Lock-In
Easy to switch to another vendor should your business needs change
Access
Access anywhere via browser with internet connection
Scalability
Automatically scales with usage
Updates
Vendor regularly updates the underlying components such as servers, databases, etc. This process will often be invisible to you.
Upgrades
You seamlessly and transparently reap the benefit of new features, enhancements, and other improvements with zero effort
Accountability
The vendor takes ownership of the uptime and security, performance, and availability of the service
Faux Cloud
Infrastructure
Provided, paid, and managed by you through your own AWS or Azure account
Implementation
Depends on the complexity of the app, but it is your responsibility to do the work or pay someone else to do it
Pricing
Perpetual license with expensive up-front cost that are amortized over time.
(Note: many vendors are moving away from perpetual licensing for on-prem or faux cloud products, but as they do, their customers are getting the worst of both worlds – paying more annually while still being responsible for on-going maintenance of the product)
Total Cost of Ownership
The price of the product is only one (and sometimes only a small) part of the total cost that is reflected in the staff time and public cloud expenses; in many instances, you may not even know what it is going to cost you until it is too late
Vendor Lock-In
Expensive license, deployment and maintenance costs make switching prohibitive, often for years
Access
On-premises model often requires access via VPN
(Note: what happens when there is a problem with your solution and your VPN is configured to use your on-premises system? Sounds like someone is driving into the office!)
Scalability
Customer must increase capacity to keep up with usage
Updates
You are responsible for ensuring that the entire tech stack – components, databases, servers, network – is updated with the latest patches
Upgrades
Any upgrade requires you to install, test, and then deploy the upgrade in production, often during nights and weekends in case something goes wrong
Accountability
Apart from the infrastructure as a service, you are on the hook for the performance, health, security, and availability of the solution, lock stock and barrel
About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。