Any networking person worth their salt knows that remote access is done using VPN and local access is controlled using Network Access Control (NAC). NAC offerings like Cisco ISE, ForeScout, HPE Aruba, and Pulse Policy Secure helped the NAC market grow to $2B in 2021. These products have been around for decades so it may be time to consider other, more modern options. Car owners looking to prevent theft gave up “The Club” for modern solutions like LoJack. You’ve traded in your Nokia for an iPhone or Android Smartphone.
Organizations that did deploy these traditional access methods have been aware of the drawbacks for years. Even solutions made by the same vendor often have different authentication, authorization, and device posture awareness policies. This means different end user experience based on where they are trying to connect from. And if you want a more complete picture, think about how your end users are accessing SaaS/cloud resources. This likely includes yet another set of credentials, along with different security and access policies based on what the SaaS/cloud provider supports.
Many IT teams have tried their best to deploy these models, but shortcuts are often seen. Some organizations only implement NAC for on-campus Wi-Fi and do almost nothing for the wired network. This has led to breaches like those experienced by Target and Home Depot via their point of sales (PoS) systems. Moreover, devices like Cisco telephones that have ports on the back may allow for access if switches are misconfigured and the 802.1x is only requiring a single authentication. IT teams deploying NAC must fully understand how the managed switches, wireless LAN controllers (WLCs), firewalls, and supplicants are all working together. VLAN segmentation and routers that trunk VLANs must also be deployed. And that’s just to get devices on the inside to talk to each other.
Visibility is also a hurdle when you have so many components. You can’t manage a system that requires logging to several devices just to see what a user is doing. SIEM (security information and event management) was created to give the admins visibility into all these varying systems. Yet another product to buy, deploy, and manage.
Enter Zero Trust Network Access (ZTNA). This approach takes into consideration that access is from anywhere to anywhere. No assumptions are made about user, device, or resource location. Wouldn’t it be nice to have a single access and security policy? Imagine how minimal the end user training is when your employees and contractors access their authorized resources the same way from everywhere. Consistent authentication, authorization, and device trust awareness simplifies access while ensuring the highest level of security. The cherry on top is having a single dashboard that shows who, from what device, is accessing all resources regardless of where those resources live (on-premises, private/public cloud, or SaaS).
ZTNA enables an organization to have an open network when on-premises. Employees and guests all get on the same network, either wired or wireless. Guests only get internet access and nothing more. Employees and contractors get to access all authorized corporate resources via the ZTNA solution. Everything that needs to be secured is sitting behind a hardened device usually called a connector or gateway. The only way to access any resource is to authenticate using single or multi-factor authentication (MFA) from devices that have been deemed safe. Once authenticated, granular access is authorized based on user identity and device trust level. Each user only has access to the resources they are authorized to use. A safe, secure access method without having to rely on traditional methods like VLAN segmentation and RADIUS return attributes, and traditional appliances like firewalls. Moreover, the same access method applies when your employee leaves HQ and goes to a local coffee shop or home.
Visit the Product Overview to learn more about how your local network can evolve.
*** This is a Security Bloggers Network syndicated blog from Banyan Security authored by Ashur Kanoon. Read the original post at: https://www.banyansecurity.io/blog/goodbye-nac-hello-ztna/