Best Practices for Network Access Control
Network access control prevents unauthorized users and devices from connecting to network assets. To do this, NAC solutions use a combination of verification, authentication, and authorization.
These systems can be deployed out-of-band or inline with existing network infrastructure devices. Out-of-band solutions offer scalability and flexibility. For example, administrators can instantly edit policies for tens of thousands of connected devices.
Inventory Your Devices
Keeping an eye on the devices on your network can save you time, bandwidth, and money. With a device inventory, you can see which computers, printers, IoT devices, and other systems are connected to the network, so you can make sure each one is accounted for and holds the access privileges it should. For example, you can track which software licenses are in use so that you don’t run afoul of your software licensing agreements. You can also use the inventory to address issues like software bugs or connectivity problems quickly.
With an effective device inventory strategy, you can automatically register and authenticate all devices attempting to connect to your network. This automation enables you to reduce the risk of data breaches, malware infections, and other security threats.
To ensure you’re tracking everything, look for a solution that provides visibility into all devices, including IoT and mobile devices. Consider also enabling DHCP server logging to capture details on every system that connects to your network. For instance, Duo’s Endpoint Remediation can tell you whether a system is company- or employee-owned and whether it is running out-of-date software.
Unlike agent-based solutions, Duo’s device inventory collects detailed information on every device authenticating into your network without needing agents to be installed on each device. This enables you to make informed decisions about access rights for all types of devices — from desktops and laptops to mobile phones and IoT.
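The DHCP logging suggestion above is easy to put to work: every completed lease is a device that is on the network whether or not anyone registered it. The following added example (not Duo's code and not part of the original article) parses constructed log lines in ISC dhcpd's syslog format, keeps the latest lease per MAC address, and reconciles them against a constructed asset register so that unaccounted-for devices stand out. The log lines, MAC addresses, hostnames and register entries are all made up for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines in ISC dhcpd's syslog format (not captured from a real network).
SAMPLE_DHCP_LOG = """\
Mar 14 09:12:01 dhcp1 dhcpd[1234]: DHCPACK on 10.20.0.15 to 3c:52:82:aa:bb:01 (LAPTOP-FIN-07) via eth0
Mar 14 09:12:07 dhcp1 dhcpd[1234]: DHCPACK on 10.20.0.42 to 00:1e:c2:cc:dd:02 (printer-2f) via eth0
Mar 14 09:13:30 dhcp1 dhcpd[1234]: DHCPDISCOVER from b8:27:eb:11:22:33 via eth0
Mar 14 09:13:31 dhcp1 dhcpd[1234]: DHCPACK on 10.20.0.99 to b8:27:eb:11:22:33 (raspberrypi) via eth0
Mar 14 09:15:00 dhcp1 dhcpd[1234]: DHCPACK on 10.20.0.15 to 3c:52:82:aa:bb:01 (LAPTOP-FIN-07) via eth0
"""

# Constructed asset register: MAC address -> (owner, device type).
# Anything that takes a lease but is absent here is unaccounted for.
KNOWN_DEVICES = {
    "3c:52:82:aa:bb:01": ("finance", "laptop"),
    "00:1e:c2:cc:dd:02": ("facilities", "printer"),
}

# Only DHCPACK lines mark a completed lease; DISCOVER/OFFER/REQUEST lines are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str
    iface: str


def parse_leases(log_text: str) -> dict[str, Lease]:
    """Return the most recent DHCPACK seen for each MAC address.

    Later lines overwrite earlier ones, so a renewal simply refreshes the entry.
    """
    leases: dict[str, Lease] = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        leases[mac] = Lease(mac, m["ip"], m["host"] or "", m["iface"])
    return leases


def reconcile(leases: dict[str, Lease], known: dict[str, tuple[str, str]]):
    """Split observed leases into inventoried devices and unknown ones.

    Unknown devices are the ones to investigate: they are on the network,
    but nobody has recorded who owns them or what they are.
    """
    inventoried = {mac: (lease, *known[mac]) for mac, lease in leases.items() if mac in known}
    unknown = {mac: lease for mac, lease in leases.items() if mac not in known}
    return inventoried, unknown


if __name__ == "__main__":
    inv, unk = reconcile(parse_leases(SAMPLE_DHCP_LOG), KNOWN_DEVICES)
    for mac, (lease, owner, kind) in inv.items():
        print(f"OK      {mac} {lease.ip:<12} {lease.hostname:<16} {owner}/{kind}")
    for mac, lease in unk.items():
        print(f"UNKNOWN {mac} {lease.ip:<12} {lease.hostname:<16} investigate")
```

Run against the constructed log, the two registered devices come back as inventoried and the Raspberry Pi at 10.20.0.99 is reported as unknown. In practice you would feed this the real dhcpd log (or your DHCP server's equivalent) and your asset register, and treat the unknown list as the work queue for registration or quarantine.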
Monitor Access Logs
An NAC solution should include features that help prevent malware infections, monitor threats, and identify users who violate security policies. It should also protect the privacy of user account names, passwords, and other sensitive data, and it should allow administrators to track all activity on a system for root-cause analysis.
For example, an NAC solution may use a web filter to block access to certain websites, which can be tracked in logs that provide valuable insights about the types of content users view. These logs indicate that a particular user is trying to access a restricted page, and the NAC solution can respond by either blocking the attempt or sending a notification email to the user.
Alternatively, an NAC solution could require new devices to register with the system before accessing internal networks. This could mitigate risks associated with BYOD policies by ensuring that guest users or contractors have a different network access level than full-time employees. This could also help administrators identify rogue devices, which can then be quarantined or shut down before they can further threaten the organization.
Most NAC solutions can be configured to monitor access rather than automatically approve or deny it, so that the impact of a policy can be tested before it is put into effect. This is a vital step, especially as security policies change to address new threats and new types of endpoints.
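The three behaviours described in this section (a web filter that logs and notifies, device registration that assigns guests and contractors a different access level, and a monitor mode that records what a policy would do without enforcing it) fit together in one small policy engine. The following is an added example written for this article, not any vendor's NAC implementation; the owner classes, access levels, blocked-site list and device records are all constructed, and a real product would take them from its own configuration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    MONITOR = "monitor"  # evaluate and log, but never block
    ENFORCE = "enforce"  # evaluate, log, and act on the result


@dataclass(frozen=True)
class Device:
    mac: str
    registered: bool
    owner_class: str  # "employee", "contractor" or "guest" (constructed classes)


@dataclass(frozen=True)
class AccessRequest:
    device: Device
    user: str
    destination: str  # hostname the device is trying to reach


@dataclass(frozen=True)
class Decision:
    action: str     # "allow", "deny" or "quarantine"
    level: str      # network access level actually applied
    reason: str
    enforced: bool  # False when monitor mode let a deny/quarantine through


# Constructed policy tables: access level per owner class, and the web filter's deny list.
ACCESS_LEVEL = {"employee": "corp", "contractor": "restricted", "guest": "internet-only"}
BLOCKED_SITES = {"filesharing.example"}


def evaluate(req: AccessRequest) -> Decision:
    """Pure policy evaluation: what the policy says, independent of mode."""
    if not req.device.registered:
        return Decision("quarantine", "quarantine", "unregistered device", True)
    if req.destination in BLOCKED_SITES:
        return Decision("deny", "none", f"web filter blocks {req.destination}", True)
    level = ACCESS_LEVEL.get(req.device.owner_class, "internet-only")
    return Decision("allow", level, f"{req.device.owner_class} policy", True)


class NacEngine:
    def __init__(self, mode: Mode):
        self.mode = mode
        self.log: list[str] = []            # one entry per request, for root-cause analysis
        self.notifications: list[str] = []  # messages that would be e-mailed to the user

    def handle(self, req: AccessRequest) -> Decision:
        verdict = evaluate(req)
        tag = f"user={req.user} mac={req.device.mac} dst={req.destination} reason={verdict.reason}"
        if verdict.action == "allow" or self.mode is Mode.ENFORCE:
            self.log.append(f"{verdict.action.upper()} {tag}")
            if verdict.action == "deny":
                # Enforced web-filter hit: block and tell the user why.
                self.notifications.append(f"{req.user}: access to {req.destination} is restricted by policy")
            return verdict
        # Monitor mode and the policy wanted to deny or quarantine: record what
        # enforcement would have done, then let the request through at the level
        # the owner class would normally receive.
        self.log.append(f"WOULD_{verdict.action.upper()} {tag}")
        level = ACCESS_LEVEL.get(req.device.owner_class, "internet-only")
        return Decision("allow", level, verdict.reason, False)

    def would_block_count(self) -> int:
        """How many requests monitor mode would have blocked: the number to review before enforcing."""
        return sum(1 for entry in self.log if entry.startswith("WOULD_"))
```

The usual rollout is to run the engine in `Mode.MONITOR`, review `would_block_count()` and the `WOULD_*` log lines for false positives (a contractor who legitimately needs an internal system, a printer nobody registered), adjust the policy tables, and only then switch the same engine to `Mode.ENFORCE`, at which point unregistered devices are quarantined and web-filter hits are denied and notified.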
Implement Multi-Factor Authentication (MFA)
The goal of MFA is to make it difficult for attackers to take over accounts by using stolen passwords. The key to success is a good rollout plan that makes the process easy for employees and reduces user frustration with additional authentication steps.
The first step is a thorough inventory of all applications, networks, and other devices that staff use. Look for systems that don’t support MFA (or anything more than a password) and find ways to upgrade or replace them. Focus on critical systems, like internal business applications and older email systems that use legacy or basic authentication.
Next, create an MFA roadmap with specific target dates for deploying new authentication methods. This will allow you to track progress and respond quickly to issues that arise, keeping security measures up and running without impacting productivity.
Consider how to deploy MFA with high-value users in mind, from finance staff handling payroll to developers with commit rights. These people benefit most from a more secure environment but are also more likely to be targeted by phishing attacks or other types of malware. A pilot deployment can help you tune MFA for these groups so that they are protected without undue disruption. Make change management a central strategy, emphasizing employee education and communication.
Enable Temporary Privileges
Granting temporary elevated access strikes a balance between giving users the privileges they need to do their jobs and improving security posture by reducing the risk of abuse through prolonged or unnecessary elevated access. This practice, sometimes called break-glass access, provides just-in-time access to systems or data, enabling administrators to resolve critical issues quickly without disrupting current workflows.
Typically, new hires are granted privileges based on their assigned roles, with the permissions of each role inherited from those of higher-level roles. However, this approach can result in privilege creep over time. It can also be difficult to track the full set of permissions granted to a given role, making it hard to know whether a person can access sensitive data or applications.
An application that lets managers grant their own privileges to others can reduce inefficiencies and help control privilege levels. For example, Coveo’s R&D Defense team built a small API and front-end app that lets a manager grant privileges to colleagues on the same team and at the same level as themselves, without IT having to open a request or clone a colleague’s groups, which could expose the recipient to privilege creep. Similarly, it is essential to ensure that all temporary employees are provisioned and de-provisioned as soon as their assignments are complete, to eliminate the opportunity for unauthorized access.
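The rules in this section (a grant is time-boxed, a manager can only delegate a privilege they hold themselves, delegation stays within the same team and level, single privileges are granted rather than whole groups cloned, and lapsed grants are de-provisioned) can be captured in a few dozen lines. The following added example is written for this article and is not Coveo's API or any product's code; the `Person`/`Grant` model, the eight-hour ceiling, the team and level values and the usernames are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Person:
    username: str
    team: str
    level: int             # grade within the organisation (constructed scale)
    roles: frozenset[str]  # privileges held permanently through the person's role


@dataclass(frozen=True)
class Grant:
    grantee: str
    role: str
    granted_by: str
    issued_at: datetime
    expires_at: datetime
    reason: str


class JitAccess:
    """Time-boxed, peer-delegated privileges with an audit trail."""

    def __init__(self, max_duration: timedelta = timedelta(hours=8)):
        self.max_duration = max_duration
        self.grants: list[Grant] = []  # never deleted: expired grants stay for audit

    def grant(self, grantor: Person, grantee: Person, role: str,
              duration: timedelta, reason: str, now: datetime) -> Grant:
        # Rule 1: you can only hand out a privilege you hold yourself, and only
        # that one privilege, never a whole group membership.
        if role not in grantor.roles:
            raise PermissionError(f"{grantor.username} does not hold {role}")
        # Rule 2: delegation stays inside the grantor's own team and level.
        if grantee.team != grantor.team or grantee.level != grantor.level:
            raise PermissionError("grantee must be on the same team and level as grantor")
        if grantee.username == grantor.username:
            raise PermissionError("self-grants are not allowed")
        # Rule 3: every grant has a short, bounded lifetime and a recorded reason.
        if not timedelta(0) < duration <= self.max_duration:
            raise ValueError(f"duration must be within (0, {self.max_duration}]")
        if not reason.strip():
            raise ValueError("a reason is required for the audit log")
        g = Grant(grantee.username, role, grantor.username, now, now + duration, reason)
        self.grants.append(g)
        return g

    def effective_roles(self, person: Person, now: datetime) -> frozenset[str]:
        """Permanent roles plus whatever temporary grants are live at `now`."""
        active = {g.role for g in self.grants
                  if g.grantee == person.username and g.issued_at <= now < g.expires_at}
        return person.roles | frozenset(active)

    def expire(self, now: datetime) -> list[Grant]:
        """De-provisioning hook: the grants that have lapsed by `now`."""
        return [g for g in self.grants if g.expires_at <= now]


if __name__ == "__main__":
    t0 = datetime(2024, 3, 14, 9, 0, tzinfo=timezone.utc)
    alice = Person("alice", "payments", 3, frozenset({"deploy-prod", "read-logs"}))
    bob = Person("bob", "payments", 3, frozenset({"read-logs"}))
    jit = JitAccess()
    jit.grant(alice, bob, "deploy-prod", timedelta(hours=2), "hotfix (constructed)", t0)
    print(sorted(jit.effective_roles(bob, t0 + timedelta(hours=1))))  # deploy-prod is live
    print(sorted(jit.effective_roles(bob, t0 + timedelta(hours=3))))  # it has lapsed
```

Because `effective_roles` is computed from the current time rather than from a membership that someone has to remember to revoke, the de-provisioning the section calls for happens by construction; `expire` exists so that a scheduled job can push the same expiries to systems that cache group membership.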