Yesterday I had the honor of presenting to fellow security professionals at CUISPA 2013, one of the credit union industry’s most highly regarded information security and risk management conferences. The summit gathers together information technologists, regulators, service providers, and, of course, security specialists under one roof to discuss compliance, risk management, cloud computing, and more.
As you may know, the Federal Financial Institutions Examination Council (FFIEC) recently provided guidance that all credit unions ensure they have the technology to quarantine endpoints based on their compliance with a defined security policy, so that risky vulnerabilities can be remediated before the network is exposed to them as a potential attack vector. Network access control (NAC) fits this need precisely, so it is a hot topic in the industry right now, with many IT managers scrambling to comply.
During my presentation, I spoke about what we at StillSecure have recognized for years, namely that a NAC offering such as our Safe Access solution should be quick and painless to deploy, should deliver the full range of functionality needed to give an up-to-date picture of compliance across the network, and should let customers isolate and patch devices in a fully automated fashion. Among its advantages, NAC shows a single picture of security posture across multiple security software vendors, which gives you an independent way to verify the reports coming out of each vendor's management console. It also provides identity and access control for guest users and unmanaged devices, which makes it well suited to managing BYOD.
While NAC solutions assist credit unions looking to comply with FFIEC regulations, selecting the best installation for your organization and policies for your users can prove challenging. Here are some helpful tips:
Installation options, roughly in order of increasing enforcement:
- Interrogation only – If you are just getting started, this installation is worth considering. NAC is deployed without any access control and only interrogates endpoints, so you get the compliance picture (and a dry run of your policies) with no risk of locking anyone out.
- Inline – The NAC appliance sits in the traffic path, typically between an access layer or VPN concentrator and the rest of the network, so every endpoint passing through it is checked for compliance and noncompliant endpoints are held there.
- DHCP – The easiest way to start enforcing access controls, with no changes to your switches or network topology: noncompliant endpoints are handed a lease on a quarantine subnet instead of a production one. Keep in mind that a device with a static IP address never asks for a lease, so DHCP enforcement on its own will not stop it.
- 802.1X – The most secure deployment for your internal network, since the switch port (or wireless association) is not opened until the endpoint authenticates and passes its checks, but also the most complex and expensive to install: it needs switches that support it and a supplicant on every endpoint. Note that 802.1X can be phased in slowly, increasing your security level and spreading costs and network impact over time.
Policy options, from most to least permissive:
- White list with or without testing – The endpoint is always admitted; if you test it, a failed check is reported rather than enforced. This policy is best for VIPs or unmanaged devices that cannot run an agent, and the list should stay short and reviewed, since every entry is an exception to your enforcement.
- Innocent until proven guilty – The endpoint is admitted as soon as it connects and is moved to quarantine only if a check fails. Most managed users fit here.
- Guilty until proven innocent – The endpoint is held in quarantine until it passes its checks. This policy works well for managed users accessing sensitive networks and for high-risk managed users.
- Blacklist with or without testing – Blocks specified devices or users outright, with no means of getting on the network; testing, if enabled, is for reporting only.
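To make the difference between these four policies concrete, here is a small evaluator I have added as an example; it is not Safe Access code or any vendor's logic. It assigns one of the four policies to each endpoint using the rules of thumb above (with the blacklist checked before the whitelist so a stolen VIP laptop can still be cut off, and unmanaged devices that are not whitelisted falling to "guilty until proven innocent", both of which are this example's choices) and then shows how the same endpoint is treated under each, in particular while its posture test is still outstanding. The check names, MAC addresses and device records are constructed for illustration.

```python
"""Toy NAC policy evaluator (added example, not StillSecure Safe Access code).

Models whitelist, innocent-until-proven-guilty, guilty-until-proven-innocent
and blacklist policies. Check names, MACs and devices are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    WHITELIST = "whitelist"                    # admit regardless of posture
    INNOCENT = "innocent_until_proven_guilty"  # admit, quarantine on failure
    GUILTY = "guilty_until_proven_innocent"    # quarantine until a pass
    BLACKLIST = "blacklist"                    # never admit


class Decision(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"  # remediation segment: patch, then retest
    DENY = "deny"              # no path onto the network at all


# Posture checks a NAC agent or scanner would evaluate (constructed names)
REQUIRED_CHECKS = ("av_running", "av_signatures_current",
                   "os_patches_current", "host_firewall_on")


@dataclass
class Endpoint:
    mac: str
    user: str
    managed: bool
    # check name -> pass/fail; an empty dict means the test has not completed
    posture: dict = field(default_factory=dict)


def posture_state(ep: Endpoint) -> str:
    """Return 'untested', 'pass' or 'fail' against REQUIRED_CHECKS."""
    if not ep.posture:
        return "untested"
    return "pass" if all(ep.posture.get(c, False) for c in REQUIRED_CHECKS) else "fail"


def assign_policy(ep: Endpoint, whitelist: set, blacklist: set,
                  sensitive_network: bool = False) -> Policy:
    """Pick a policy for an endpoint. Blacklist beats whitelist (example's choice)."""
    if ep.mac in blacklist:
        return Policy.BLACKLIST
    if ep.mac in whitelist:
        return Policy.WHITELIST
    if ep.managed and not sensitive_network:
        return Policy.INNOCENT
    # managed devices on sensitive networks, and unmanaged devices (assumption)
    return Policy.GUILTY


def decide(ep: Endpoint, policy: Policy) -> Decision:
    """Access decision for one endpoint under one policy."""
    state = posture_state(ep)
    if policy is Policy.BLACKLIST:
        return Decision.DENY
    if policy is Policy.WHITELIST:
        return Decision.ALLOW          # a failed test is reported, not enforced
    if policy is Policy.INNOCENT:
        return Decision.QUARANTINE if state == "fail" else Decision.ALLOW
    if policy is Policy.GUILTY:
        return Decision.ALLOW if state == "pass" else Decision.QUARANTINE
    raise ValueError(f"unknown policy {policy}")


def evaluate(endpoints, whitelist, blacklist, sensitive_network=False):
    """Map each MAC to its (policy, decision)."""
    result = {}
    for ep in endpoints:
        policy = assign_policy(ep, whitelist, blacklist, sensitive_network)
        result[ep.mac] = (policy, decide(ep, policy))
    return result


# Constructed sample devices
SAMPLE = [
    Endpoint("00:11:22:33:44:01", "ceo", managed=True,
             posture={"av_running": True, "av_signatures_current": False,
                      "os_patches_current": True, "host_firewall_on": True}),
    Endpoint("00:11:22:33:44:02", "teller1", managed=True),   # agent not yet reported
    Endpoint("00:11:22:33:44:03", "teller2", managed=True,
             posture={c: True for c in REQUIRED_CHECKS}),
    Endpoint("00:11:22:33:44:04", "guest-phone", managed=False),
    Endpoint("00:11:22:33:44:05", "lost-laptop", managed=True,
             posture={c: True for c in REQUIRED_CHECKS}),
]
WHITELIST = {"00:11:22:33:44:01"}   # VIP exception
BLACKLIST = {"00:11:22:33:44:05"}   # reported stolen

if __name__ == "__main__":
    for segment in (False, True):
        print(f"sensitive_network={segment}")
        for mac, (pol, dec) in evaluate(SAMPLE, WHITELIST, BLACKLIST, segment).items():
            print(f"  {mac}  {pol.value:32} {dec.value}")
```

Running it shows the point of the two middle policies: on an ordinary segment the teller whose agent has not reported yet is already on the network (innocent until proven guilty), while on the sensitive segment the same device sits in quarantine until its test passes (guilty until proven innocent). The CEO's laptop gets in despite stale AV signatures because it is whitelisted, which is exactly why that list needs regular review.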
NAC is by no means a one-size-fits-all security solution, and it is important to determine your organization's specific needs. Whether you have a specific concern about an installation or just want to know how much enforcement your environment requires, we are here to answer your questions. Leave a comment, send us an email, or give us a call; we are never more than a few clicks or phone rings away.