Compliance Should Not Drive You to NAC

There is so much hype in the IT media and vendor product pitches about policy compliance it makes my head swim. Survey results published by Network Instruments shows many organizations don???t think they have the data or the means to meet compliance regulations.
No wonder. Compliance is not about products but process. Compliance regulations are still relatively new and as far as I know, there haven't been any legal proceedings or regulatory actions that help define what compliance to a specific regulation means.
Logging and auditing seem to be a particular hot button with vendors because who knows what information is important to log (so log it all!) and different products have different views of activity, so it may or may not be useful. I am a huge fan of logging for troubleshooting and monitoring purposes. Clearly defined and detailed logs are useful while cryptic logs are not. But just because a product logs events doesn't mean it is particularly useful for reporting and auditing.

Many in-line NAC vendors, make a point of saying how the products can be used for activity auditing. Web servers, for example, log activity, but the server logs don't tie usernames to IP addresses. HIPAA CFR 164.308(a)(1i)(D) Information system activity review and, a required process states activity logs must be gathered and reviewed while CFR 164.308(a)(5i)(C) Log-in Monitoring suggests that login monitoring should be done. In-line NAC solutions are in a position in the network to determine which users are using specific computers and to see the unencrypted application traffic which potentially allows them to passively monitor activity.

However, regulations (or suggestions) such as CFR 164.308(a)(5i)(B) Protection from malicious software CFR 164.312(c)(1) Standard: Integrity stipulate that steps should be taken to ensure that systems are securely managed and that data has not been altered. A NAC system that does host assessments could report on host integrity and corporate configuration compliance, but I bet you have the information in other systems just waiting to be integrated into a report.

There are many other useful drivers for NAC like automated user-based network access control, malicious activity control, and containment to name a few, but compliance should not be a driver. Audit and event data can be gathered from other sources. Judicious use of existing security technology (and documentation of same) can demonstrate and enforce access control requirements. But most important is that you company need to have a program in place.

Tags:

Commentary

Careers and Certifications

Recommended For You

Cloud-Native Software: What it Is, How We Got Here, and Why it Matters

Kiran Bhageshpur

April 22, 2024

To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.

Cisco-led Big Tech Consortium Addresses the AI Skills Gap

Zeus Kerravala, Founder and Principal Analyst with ZK Research

April 09, 2024

By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.

Which Cybersecurity Practices Matter Most? The Cyber Insurance Industry Offers Data-Driven Insight

Will Teevan, CEO, Recast Software

January 26, 2024

IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.

Search form