Learning About NAC From Higher Education

By Jason Prost

Network Access Control (NAC) is something that people are talking about everywhere, whether they realize it or not. It’s not that they are determining how to utilize standards such as 802.1X, IF-MAP and MS-NAP, or marveling at how cool and exciting they might be. Instead, the discussions are around business decisions and initiatives that are being driven by business challenges and needs. These challenges and needs relate to NAC.

For instance, NAC has been finding increased traction within the traditional enterprise as businesses expand their use of SaaS solutions and cloud services. Just think about how many sales organizations have implemented online cloud-based CRM offerings such as Salesforce.com or NetSuite. More and more companies are moving away from purely in-house solutions, and looking at MSPs and saying, “I want you to manage my X” or “I want to leverage your infrastructure to do Y.” As a result, companies are employing a combination of on-premise equipment and cloud services. And, oftentimes, that erodes their security focus. Instead of discussing NAC strategies and how they can help protect corporate assets, companies talk about how they can secure the cloud services, SaaS, and other services beyond their perimeters that they don’t necessarily control.

NAC is also finding its place as growing IT environments become increasingly difficult to manage and maintain. A homogeneous Windows environment may still have four different flavors of Windows running, two different versions of Windows Server… you get the point. That is a challenge in and of itself, but add the need to support smartphones (Androids, iPhones, BlackBerrys, etc.), iPads, hand scanners, you name it, and you’ve got a growing, disparate environment that is further dissolving the hard perimeter of yesteryear. Don’t forget about trends such as telecommuting! The results? A management conundrum as the perimeter continues to deteriorate. The big question is: how do we secure all those devices?

Higher education has been successfully dealing with these very challenges for quite some time. Students want to use divergent technologies, such as laptops for doing schoolwork, smartphones, gaming consoles, and DVRs, all of which connect to the network and want Internet access. This alone creates a heterogeneous environment that is challenging to manage. Higher education institutions have responded in a number of ways, including strategically using NAC to adapt effectively to the hyper-changing environments.

Rather than trying to control and manage every endpoint, NAC audits the endpoint and enforces access based on the results. Auditing endpoints enables organizations to provide healthy networking environments. This concept can be equated to secondary school requirements that parents deal with every year: every child must have an annual doctor’s check-up and be up-to-date on certain immunizations so that he or she can attend school. Within information security, organizations can see whether or not a user has up-to-date antivirus software, a firewall running, etc., segregate the user within the environment based on the results, and allocate specific resources to the user to make them healthy. For example, if a user doesn’t have the latest antivirus software, the organization can restrict access to all network resources except those necessary to update their antivirus software. The user is granted access to the rest of the network only after the antivirus software is downloaded.
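The audit-then-enforce flow described above can be sketched as a small posture policy. This is an added example, not code from the article or from any NAC product; the class and function names, the seven-day signature limit, the segment names and the `example.edu` hosts are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values (not from the article): signature freshness limit and
# the only hosts a quarantined endpoint may reach in order to remediate.
MAX_AV_AGE = timedelta(days=7)
REMEDIATION_HOSTS = {"av-update.example.edu", "patch.example.edu"}  # constructed

@dataclass
class Posture:
    av_signature_date: Optional[date]  # None means no antivirus was reported
    firewall_enabled: bool

@dataclass
class Decision:
    segment: str                       # "production" or "quarantine"
    allowed_hosts: Optional[set]       # None means no per-host restriction
    failures: list

def audit(posture: Optional[Posture], today: date) -> Decision:
    """Audit the endpoint's health report and decide what it may reach."""
    failures = []
    if posture is None:
        # No health report at all: fail closed instead of assuming healthy.
        failures.append("no posture report")
    else:
        if posture.av_signature_date is None:
            failures.append("antivirus missing")
        elif today - posture.av_signature_date > MAX_AV_AGE:
            failures.append("antivirus out of date")
        if not posture.firewall_enabled:
            failures.append("firewall disabled")
    if failures:
        return Decision("quarantine", set(REMEDIATION_HOSTS), failures)
    return Decision("production", None, [])

def may_connect(decision: Decision, host: str) -> bool:
    """Enforcement check for each destination the endpoint asks for."""
    return decision.allowed_hosts is None or host in decision.allowed_hosts

if __name__ == "__main__":
    today = date(2024, 5, 20)                              # constructed sample
    before = audit(Posture(date(2024, 4, 1), True), today)
    print(before.segment, before.failures)
    print(may_connect(before, "av-update.example.edu"),    # remediation allowed
          may_connect(before, "files.example.edu"))        # everything else denied
    after = audit(Posture(date(2024, 5, 19), True), today) # re-audit after update
    print(after.segment, may_connect(after, "files.example.edu"))
```

Re-running `audit` after the endpoint updates is what moves it out of quarantine; access is never widened without a fresh, passing report.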

Commercial organizations are now revisiting NAC and looking at the solutions and strategies that Higher Education has employed. Do you think it’s possible for them to achieve this level of control?