10 years into a NAC implementation and still finding control gaps and other issues?

Moving Beyond NACs: The Core Issues

Moving Beyond NACs: The Core Issues


Securing networking infrastructure to meet financial institution grade toughness requires protection from unauthorized devices and potential security threats, allowing only authorized users, devices, and systems to connect to the network. Over the past decade, every bank we talk to has turned to implementing a NAC solution to meet this need.

However, when we asked CISOs why they implemented a NAC, the majority said regulatory requirements were the driving force.

Across the globe, regulatory bodies from industry and government have been working to help ensure financial institutions are able to protect their sensitive data and transactions. For example, the New York State Department of Financial Services (23 NYCRR 500) requires written policies reviewed and approved by an internal governing body to cover, amongst others, controls for asset inventory, network access, and identity management. NACs made up the natural way to check the box for the early versions of most relevant regulations.

But secular trends are forcing regulators around the globe to reprioritize risks and add new protection requirements.

Like a general preparing for the last war, NACs new and old are designed for yesterday’s environment and have not kept up with today’s trends. The move to the cloud, the hybrid work model, increasingly convoluted supply chains, decentralization (e.g., BYOD), proliferation of IoT, and the increasing availability of sophisticated physical attack tools reduce the effectiveness of even the most widely implemented NACs.

The approach of prioritizing regulatory needs over better security controls and risk mitigation needs has a shelf life as many global regulations either already or soon will require protection greater than what a NAC can natively provide. CISOs need to orient their organizations to creating solutions that already meet tomorrow’s security needs and the stricter device level protections regulators are moving towards.

The Core Issues When It Comes to NACs

Implementation: Implementing a NAC can be complex and challenging, particularly for large and distributed financial institutions. It is well known that NAC implementation projects take longer than originally planned (sometime years) and cost significantly more than originally budgeted. NAC implementations require specialized skill sets that make identifying the suitable team an additional challenge. As a result, many NAC implementation projects don’t make it to original planned outcome and thus cover only a portion of the organization’s network infrastructure.   

Maintenance: On-going management and maintenance of NAC systems is a known operational and administrative burden on the security IT team as it requires ongoing manual support to address and adjust NAC configuration to meet the organization changes.

Scalability: As financial institutions grow, the number of devices and users connecting to the network increases while network boundaries also change. For example, additional branches are added to or removed from the network, or additional types of devices are added or removed. Each change requires significant internal resources to test and update and extend the NAC. At the pace of changes in today’s world, the NAC is consistently behind, causing gaps in protection.

Cost: Due to the complexity and support that NACs require to work effectively, the costs, especially specialized labor, jump dramatically and create a barrier to acquisition and/or full implementation for smaller and medium-sized institutions. As a result of that, most projects fall short to complete full network infrastructure coverage.

False Positives: NAC systems are known to produce false positives, disrupting workflow by blocking legitimate users and devices. This is frustrating for any financial institution implementing a NAC and leads to unnecessary loss of productivity. False positives can emerge from a multitude of reasons, e.g., misconfiguration, outdated software, hybrid work environment, and many more. As a result of that, most NAC systems are not put in the enforcement mode, but rather left for visibility only.   

Visibility: Most NAC profiling techniques do not provide sufficient visibility and context for IoT and OT devices. This is due to the diversity and complexity of IoT and OT devices, leading NACs to allow these devices to be based on only simple identifiers such as a MAC address or IP. This means that the NAC has no ability to track these assets or confirm their legitimacy on the network.  

Security Bypasses: Talking with red teams and evidence from prior breaches show that NACs are not especially burdensome to bypass, whether through spoofing an identity or using hardware tools such as rubber duckies to control authenticated hosts. In addition, large visibility gaps make documenting ownership and firmware updates of risky assets impossible, leaving further security control gaps.

Regulation: As discussed, financial institutions are subject to many regulatory requirements and industry standards, e.g. Payment Card Industry Data Security Standard (PCI DSS) and governmental privacy laws around the world. Ensuring compliance with all these regulations is challenging especially as they become more stringent in their asset inventory and access controls, requiring timely documented updates of all assets an organization owns. NACs are not designed to meet today’s challenges in creating asset inventories and documentation, leaving regulations un-fulfilled.

Addressing the state of NACs

How do we improve all these issues related to NACs and what can be done to address NACs’ original implementation goals?

The answer differs depending on whether an organization has already implemented a NAC to its fullest coverage.

To improve your NAC coverage, your best and most cost-effective approach is to add an additional defense layer that provides completeness and truth of assets connected to your network infrastructure. The data from this additional defense layer needs to include all assets, regardless of if they are actively communicating, IoT/OT/IT or even peripherals, 802.1x compliant, or any other new category to find. The data needs to be fresh with near real-time updates and scale across your entire ecosystem without impacting production traffic, causing contention to the network infrastructure, or requiring additional hardware overhead to compensate.

If you are early in your NAC journey or would like to complement your current coverage with an additional layer, there are a number of approaches you can take to either replacing the NAC which will leave you in a better global security posture without the headaches or replace portions of the NAC implementation. The various approaches will be discussed in a future article but include implementing Zero Trust Network Access, and utilizing what Gartner refers to as “lightweight NAC”.

In any of these approaches, complete visibility and asset identity truth again become critical to network infrastructure security controls. At the time of connection, devices need firstly to be discovered, correctly identified, assessed for potential risk and outcome to determine the suitability of access, and, if necessary, blocked.

If you need help along your journey of improving your NAC or moving beyond it, Sepio is here. Sepio is purpose built to solve these issues plaguing security teams by allowing for a complete, trafficless global solution that gives you ultimate visibility, true asset identity, and risk mitigation.

© 2023 SRC Cyber Solutions LLP. All Rights Reserved.