CS Mar-Apr 2020
Expert Insights

ESSENTIAL BUILDING BLOCKS

From Network Access Control (NAC) to network segmentation, addressing the need for a more secure network architecture is vital, states Myles Bray, VP EMEA at Forescout

Myles Bray, Forescout.
Over the last 20 years, Network Access Control (NAC) has become a fundamental component for enterprises looking to ensure a resilient cyber strategy. The technique, which applies policy-based rules to grant or deny devices access to a network, allows for a general and somewhat basic level of network security: in simple terms, it's basically a 'you're in or you're out' approach.

Recently, however, the volume and diversity of internet of things (IoT) and operational technology (OT) devices has increased so much that NAC now must provide a deeper level of insight into the posture of each device to correctly provide or deny access at varying levels. As diversification of devices continues, full visibility, classification and enforcing policies become more difficult.
In brief, this increased diversity of emerging technologies, such as IoT and OT devices, has exposed the limitations of the previous NAC models. Therefore, a threshold for innovation has been reached, and many devices are now connected to networks ill-equipped to deal with the related risks.
SEGMENTATION IS THE NECESSARY BARRIER TO CONNECTION
For organisations with flat networks, the ease with which intruders can pivot laterally results in greater disruption of, and damage to, both property and reputation. For example, the WannaCry ransomware attack hit shipping company Maersk, resulting in it halting its entire operations to ensure the network was clear of the ransomware. This caused critical disruption across the business and could have been averted, had its network architecture limited mobility once access was gained.
Flat networks are unable to provide the same level of granularity that segmented networks achieve. When IoT and OT devices gain access to a flat network that is not properly segmented, they have the freedom to move laterally, limiting full visibility and creating blind spots that can later be exposed. Network segmentation, however, can be dynamic. For example, by providing a Zero Trust approach across all environments and to all devices, with different policies for the computer at the front desk and the CEO's laptop, the risk that is posed by attacks is automatically limited.
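The two models described above, the binary 'in or out' NAC decision and a posture-aware policy that places each device in a segment, as an added worked example (this is illustrative code written for this page, not the article's or Forescout's own). The device records, segment names, MAC allow-list and permitted flows are all constructed for illustration; in practice the policy engine would be fed by the NAC/visibility platform and the flow table enforced by switches or firewalls.

```python
"""Added example (not from the article or any vendor product): a posture-aware
access policy beside the binary "you're in or you're out" NAC model, plus a
segment-level flow table showing how segmentation bounds lateral movement.
All device records, segment names and flow rules are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    device_class: str          # "workstation", "ip_camera", "plc", "unknown", ...
    owner_role: str = "staff"  # "staff", "executive", "none"
    os_patched: bool = False
    agent_installed: bool = False


@dataclass(frozen=True)
class Decision:
    action: str    # "allow", "restrict", "quarantine" or "deny"
    segment: str   # hypothetical segment/VLAN name
    reason: str


KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # constructed allow-list


def legacy_nac(device: Device) -> Decision:
    """Binary NAC: a known MAC gets the whole flat network, anything else is denied."""
    if device.mac in KNOWN_MACS:
        return Decision("allow", "flat-corp", "known MAC")
    return Decision("deny", "none", "unknown MAC")


def posture_policy(device: Device) -> Decision:
    """Ordered rules, first match wins; the default is quarantine, not full access."""
    if device.device_class == "unknown":
        return Decision("quarantine", "seg-quarantine", "unclassified device")
    if device.device_class in ("ip_camera", "plc", "hvac"):
        # IoT/OT devices never land on the corporate segment
        return Decision("restrict", "seg-ot", "IoT/OT device isolated")
    if device.device_class == "workstation":
        if not (device.os_patched and device.agent_installed):
            return Decision("restrict", "seg-remediation", "posture check failed")
        if device.owner_role == "executive":
            return Decision("allow", "seg-exec", "compliant executive endpoint")
        return Decision("allow", "seg-staff", "compliant staff endpoint")
    return Decision("quarantine", "seg-quarantine", "no matching rule")


# Segment-to-segment flows that are permitted; everything else is blocked.
ALLOWED_FLOWS = {
    ("seg-staff", "seg-servers"),
    ("seg-exec", "seg-servers"),
    ("seg-ot", "seg-ot-mgmt"),
    ("seg-remediation", "seg-patch"),
}


def can_reach(src_segment: str, dst_segment: str) -> bool:
    """Lateral movement is only possible along an explicitly allowed flow."""
    if src_segment == dst_segment:
        return True
    return (src_segment, dst_segment) in ALLOWED_FLOWS


# Constructed inventory: a front-desk PC, the CEO's laptop, and a camera that
# presents a MAC already on the allow-list (the case the binary model gets wrong).
INVENTORY = [
    Device("00:11:22:33:44:55", "workstation", "staff", os_patched=True, agent_installed=True),
    Device("00:11:22:33:44:66", "workstation", "executive", os_patched=True, agent_installed=True),
    Device("00:11:22:33:44:55", "ip_camera", "none"),
]


def compare(devices=INVENTORY):
    """Return (legacy decision, posture decision) per device for side-by-side review."""
    return [(legacy_nac(d), posture_policy(d)) for d in devices]


if __name__ == "__main__":
    for d, (old, new) in zip(INVENTORY, compare()):
        print(f"{d.device_class:12} legacy={old.action}/{old.segment:10} "
              f"posture={new.action}/{new.segment} ({new.reason})")
```

The third device shows the gap the article describes: the legacy check sees a known MAC and grants the flat network, whereas the posture policy classifies it as a camera and confines it to an OT segment from which `can_reach("seg-ot", "seg-exec")` is false, so a compromise there cannot pivot to the executive segment.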
CISOs are having a difficult time in providing this security. Maintaining close control of their networks and device ecosystem continues to become more difficult as IoT and OT devices increase. In order to achieve effective security, the full context of connected devices must be available to regain both visibility and control. From the data centre to cloud and OT environments, devices can be given appropriate access, rather than access to the entire network.
Forescout's eyeSegment product, its answer to the enterprise-wide network segmentation riddle, enables exactly these measures. By tying together siloed segmentation policies, enforced by fragmented technologies, under a unified policy approach and enabling a Zero Trust approach, granular security controls can be achieved.
Attempting to implement new security controls across the extended enterprise is no easy task. Grappling with the growing number of attack vectors, while meeting more and more compliance directives, CISOs have their hands full. The advancements in network segmentation have been designed to allow businesses to automate threat detection and isolation without impacting operations. Through limiting risks, maximising control and assuring controls are effectively implemented across a network, enterprises can more effectively prepare for and manage the inevitable next wave of cyber threats.
Computing Security, Mar/Apr 2020, page 34. @CSMagAndAwards www.computingsecurity.co.uk