If schools had technology that could stop students from coming to class unless their homework was complete, would they turn students away at the door if they hadn't finished their assignments? Or give them a warning but let them come to class? And would the policy become stricter based on the type of homework?
It's an interesting analogy to automating security policy enforcement on enterprise networks.
Historically, enterprise security policies have been distributed in handbooks or by e-mail, and users have been expected to comply; compliance, however, is hard to verify, let alone enforce. With network access control (NAC), enforcement can be automated. But as with the school scenario, we need to think through what enforcement means in practice.
Surprisingly, with all the hype around NAC, this topic has received little attention, yet it may be one of the most significant determinants of a deployment's success.
The goal of NAC is not to keep devices off the network; it's to make sure the network isn't compromised by problem devices or unauthorised access.
Consider this policy: All computers must have anti-virus software profiles updated within 72 hours, scan for viruses weekly, have a firewall running and install operating-system patches within 96 hours.
Some NAC solutions can enforce this policy automatically, but here is the interesting part: if the CEO's virus signatures were out of date, should enforcement mean quarantine and remediation? Should a mail server be treated like a laptop? The answer is almost always no.
It boils down to the fact that NAC is not a one-size-fits-all approach to policy enforcement. A well-built policy is a lot like good journalism. It must address who, what, when, where and why - or the results may not align with enterprise objectives.
From a NAC perspective, who maps to identity-based decisions for users and devices such as:
What addresses factors related to the nature of the problem:
When includes such parameters as:
Where has a huge impact on policy:
For example, devices in a data centre or a test lab should probably be held to different standards than PCs used for e-mail and browsing.
Last, comes why. In NAC, there must be a motive to take an action. Why is going to be highly dependent on enterprise objectives, but a few examples include:
Pulling these ideas together, consider some sample policies:
In the light of all this, the school homework policy should be IF student IN classroom, AND homework done, smile, ELSE log and deliver stern notification.
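The following is an added example, not code from the article or from Lockdown Networks' product. It turns the article's baseline policy (signatures within 72 hours, weekly scans, firewall on, patches within 96 hours) into a small evaluator whose enforcement action depends on the device's role and location rather than on the violation alone. The role and location names, the enforcement matrix, the "hard failure" set and the escalation period are all hypothetical; the posture data is constructed inline.

```python
"""Added example: a tiny NAC policy evaluator.  The same baseline rules apply
to every device, but the consequence of breaking them depends on who/where
(role and location), what (which rule failed) and when (how long the
violation has persisted).  Role names, locations and thresholds beyond the
article's four baseline rules are hypothetical."""
from dataclasses import dataclass
from datetime import timedelta
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    WARN = "warn"              # log and notify, but keep the device on the network
    QUARANTINE = "quarantine"  # move to a remediation VLAN


@dataclass
class Posture:
    av_signature_age: timedelta  # time since the AV signature set was last updated
    last_scan_age: timedelta     # time since the last full virus scan
    firewall_running: bool
    patch_age: timedelta         # time since the oldest unapplied OS patch was released


@dataclass
class Device:
    user: str
    role: str       # hypothetical: "workstation" or "server"
    location: str   # hypothetical: "office", "vpn", "datacentre", "lab"
    posture: Posture


# The article's baseline: signatures within 72 h, weekly scans, patches within 96 h.
BASELINE = {
    "av_signatures": timedelta(hours=72),
    "virus_scan": timedelta(days=7),
    "os_patches": timedelta(hours=96),
}

# Hypothetical enforcement matrix ("who" and "where"): the same violation gets a
# different consequence depending on role and location.  Anything not listed
# falls back to quarantine, so an unknown device class fails closed.
ENFORCEMENT = {
    ("workstation", "office"): Action.WARN,
    ("workstation", "vpn"): Action.QUARANTINE,
    ("workstation", "lab"): Action.WARN,
    ("server", "datacentre"): Action.WARN,
}

# "What": a workstation with no host firewall is a risk to its neighbours, so
# this failure is quarantined even on the office LAN (hypothetical choice).
HARD_FAILS = {"firewall"}

# "When": a warning that has been ignored this long escalates to quarantine
# (hypothetical grace period).
ESCALATE_AFTER = timedelta(days=7)


def find_violations(p: Posture) -> list[str]:
    """Return the baseline rules the device currently fails."""
    violations = []
    if p.av_signature_age > BASELINE["av_signatures"]:
        violations.append("av_signatures")
    if p.last_scan_age > BASELINE["virus_scan"]:
        violations.append("virus_scan")
    if not p.firewall_running:
        violations.append("firewall")
    if p.patch_age > BASELINE["os_patches"]:
        violations.append("os_patches")
    return violations


def overdue(p: Posture) -> bool:
    """True if a time-based violation has persisted past the grace period."""
    return (p.av_signature_age > BASELINE["av_signatures"] + ESCALATE_AFTER
            or p.patch_age > BASELINE["os_patches"] + ESCALATE_AFTER)


def decide(device: Device) -> tuple[Action, list[str]]:
    """Map a device's violations to an enforcement action."""
    violations = find_violations(device.posture)
    if not violations:
        return Action.ALLOW, violations
    action = ENFORCEMENT.get((device.role, device.location), Action.QUARANTINE)
    # "Why": automatically cutting off infrastructure does more damage than the
    # violation, so servers are only ever logged and warned; a person decides.
    if device.role == "server":
        return action, violations
    if HARD_FAILS & set(violations) or overdue(device.posture):
        action = Action.QUARANTINE
    return action, violations


if __name__ == "__main__":
    # Constructed sample: the CEO's laptop with four-day-old signatures.
    ceo = Device("ceo", "workstation", "office",
                 Posture(timedelta(days=4), timedelta(days=2), True, timedelta(hours=10)))
    print(decide(ceo))  # warn, not quarantine, while on the office LAN
```

Moving the same laptop from "office" to "vpn" changes the answer to quarantine without touching the baseline rules, and a mail server in the data centre with overdue patches is logged and warned rather than taken offline; that separation of rule from consequence is the point the article makes.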
Dan Clark is vice president of marketing for Lockdown Networks.