CS Mar-Apr 2020

expert insights
ESSENTIAL BUILDING BLOCKS
FROM NETWORK ACCESS CONTROL (NAC) TO NETWORK SEGMENTATION, ADDRESSING THE NEED FOR
A MORE SECURE NETWORK ARCHITECTURE IS VITAL, STATES MYLES BRAY, VP EMEA AT FORESCOUT
Myles Bray, Forescout.
Over the last 20 years, Network
Access Control (NAC) has
become a fundamental
component for enterprises looking to
ensure a resilient cyber strategy. The
technique, which applies policy-based
rules to grant or deny devices access
to a network, allows for a general and
somewhat basic level of network
security: in simple terms, it's basically
a 'you're in or you're out' approach.
Recently, however, the volume and
diversity of internet of things (IoT) and
operational technology (OT) devices has
increased so much that NAC now must
provide a deeper level of insight into
the posture of each device to correctly
provide or deny access at varying levels.
As diversification of devices continues,
full visibility, classification and enforcing
policies become more difficult.
In brief, this increased diversity
emerging technologies, such as IoT and
OT devices, has exposed the limitations
of the previous NAC models. Therefore,
a threshold for innovation has been
reached and many devices are now
connected to networks ill-equipped
to deal with the related risks.
SEGMENTATION IS THE NECESSARY
BARRIER TO CONNECTION
For organisations with flat networks,
the ease at which intruders can pivot
laterally results in greater disruption
of, and damage to, both property and
reputation. For example, the WannaCry
ransomware attack hit shipping
company Maersk, resulting in it halting
its entire operations to ensure the
network was clear of the ransomware.
This caused critical disruption across the
business and could have been averted,
had its network architecture limited
mobility, once access was gained.
Flat networks are unable to provide the
same level of granularity that segmented
networks achieve. When IoT and OT
devices gain access to a flat network,
they have the freedom to move laterally,
if not properly segmented, limiting
full visibility and creating blind spots
that can later be exposed. Network
segmentation, however, can be
dynamic. For example, by providing
a Zero Trust approach across all
environments and to all devices, with
different policies for the computer at
the front desk and the CEOs laptop,
the risk that is posed by attacks is
automatically limited.
CISOs are having a difficult time in
providing this security. Maintaining
close control of their networks and
device ecosystem continues to become
more difficult as IoT and OT devices
increase. In order to achieve effective
security, the full context of connected
devices must be available to regain both
visibility and control. From the data
centre to cloud and OT environments,
devices can be given appropriate access,
rather than access to the entire network.
eyeSegment product, Forescout's
answer to the enterprise-wide network
segmentation riddle, enables exactly
these measures. By tying together siloed
segmentation policies by fragmented
enforcement technologies with a unified
policy approach and enabling a Zero-
Trust approach, granular security
controls can be achieved.
Attempting to implement new security
controls across the extended enterprise
is no easy task. Grappling with the
growing number of attack vectors, while
meeting more and more compliance
directives, CISOs have their hands
full. The advancements in network
segmentation have been designed to
allow businesses to automate threat
detection and isolation without
impacting operations. Through limiting
risks, maximising control and assuring
controls are effectively implemented
across a network, enterprises can more
effectively prepare and manage the
inevitable next wave of cyber threats.
34
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk