Why controlling device network access remains relevant in a Zero Trust world

Achieving Zero Trust for an organisation requires several different solutions all working together dynamically, and modern NAC approaches have a key role to play. Todd Schoeman, BT Client Business Director in South Africa

Since its inception in 2019, the concept of Zero Trust has become a guiding principle for many cybersecurity practitioners. In an Executive Order on 12 May 2021, the United States government specifically called on federal agencies and their suppliers “to modernise [their] approach to cybersecurity” by accelerating the move to secure cloud services and implementing a Zero Trust architecture.


When many people think of Network Access Control (NAC) they often only think about perimeter security, leading to questions about its continued relevance in Zero Trust network environments. However, NAC solutions have evolved to support many of the capabilities that are essential to a dynamic Zero Trust architecture – and have a critical role to play in helping organisations on their Zero Trust journey.


The complexity behind the ‘Zero Trust’ term


“Zero Trust is not a single architecture, but a set of guiding principles for workflow, system design and operations.” - National Institute of Standards and Technology Special Publication 800-207


As with many IT concepts, a single phrase such as ‘Zero Trust’ brings with it a range of interlinked challenges, projects and other considerations. Most security vendors today can justifiably link their solutions to Zero Trust, and there are numerous lists of the ‘top 10 Zero Trust security solutions’ on the Internet.


As humans we like easy fixes, so it’s in vendors’ interests to simplify a problem down to a single solution that can answer all the customer’s security challenges.


However, the problem with this silver bullet approach is that it ignores the real and messy environments that all organisations need to navigate. No single vendor can achieve Zero Trust for an organisation – it requires several different solutions all working together dynamically.


Added to this, many experienced CISOs see Zero Trust as an aspirational goal that is several years away, and not so much as a one-off solution. What’s critical is to make technology decisions now that will move you along the Zero Trust pathway, while avoiding decisions that will force backwards steps later on.


The addition of Internet of Things (IoT), Internet of Medical Things (IoMT) and Operational Technology (OT) devices has also increased the challenge, because it’s impossible to control many of these devices using traditional agents and authentication processes.


Network Access Control has evolved


NAC as a concept is great – prevent unauthorised access to your networks by controlling who and what can access it. However, many organisations have struggled to roll out traditional NAC solutions, finding projects extremely time-consuming, with lower-than-expected return on investment, and unwelcome user friction. This meant many organisations decided NAC projects were too difficult.


Added to this, many have thought NAC is only about perimeter security, and have argued that NAC solutions aren’t relevant as we move towards a Zero Trust world.


However, modern NAC solutions have evolved significantly since the days of the 802.1X network authentication protocol, and all the challenges that go with managing supplicants, certificate trusts, and insecure bypass lists.


Modern approaches to NAC don’t need 802.1X (except for wireless) and go beyond simplistic perimeter policing. Today, NAC solutions focus on continuous device visibility and identification, posture assessment and compliance. They tackle control across all types of networks (wired, wireless, cloud) and all types of devices (IT, Enterprise IoT, Industrial IoT, and Medical IoT). They also support integration between multiple different security vendors.


These capabilities are all essentials for a dynamic Zero Trust architecture.


Another benefit of modern NAC solutions is that they support a defence in depth strategy. They enable a Zero Trust policy with an enforcement point at the edge of the network, so can limit the lateral spread of a threat. For example, network edge enforcement can prevent cyber attackers from using a compromised IoT device to move laterally into a device with more privileged access to key resources.


It’s time to reassess how you see NAC solutions. Look for:

  • The ability to discover all devices on your network - not just those associated with a human user
  • Continuous visibility and device control
  • Orchestration of security controls across multiple vendor solutions.


Continuous detection and control are essential to Zero Trust


When we look more closely at definitions of Zero Trust, we can see where modern NAC solutions fit in.


The US National Institute of Standards and Technology (NIST) Special Publication 800-207, published in August 2020, established an abstract definition of Zero Trust and Zero Trust Architecture (ZTA). While targeted at US federal agencies, SP 800-207 also documented general deployment models, use cases and a high-level roadmap for implementing a ZTA approach for enterprises.


The NIST Special Publication also developed seven key tenets of Zero Trust. The seventh tenet states: “The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.”


It’s clear that in order to do this, some ability to continuously detect and control devices and assets connecting to the network is needed.


Choosing a platform for your Zero Trust journey


When considering which device management solution to choose to support your Zero Trust strategy, look for a platform that can automate the discovery and classification of all IP-connected devices, as well as continuous risk and posture assessment. This continuous situational awareness will allow you to automate the enforcement of dynamic least-privilege access policies based on user, device, connection, posture and compliance – a key element of a Zero Trust approach