2.8. Insider Access and Threats

After you have a NAC solution in place, you can begin to address a growing problem that sometimes seems rampant: insider access and threats.

An insider is a trusted network user on a managed device. The user has authenticated, the device meets posture policy, the user is authorized to be on the corporate network, and every required check has passed. All of this establishes and validates trust in both the user and the device.

Then it happens: the user, or the user's device, begins to snoop on internal data, reaching servers, files, and folders that the user is not authorized to access, and may start copying sensitive data off the network or transferring it elsewhere.

How can a company stop such an insider threat scenario from playing out when the user is trusted and the device clears policy?

The answer is that admission is not the same as authorization. Passing the admission checks establishes who the user is and that the device is healthy; it should not grant access to everything on the network. If your company segments its network effectively using the NAC solution, alone or in concert with network enforcement points, you can ensure that even trusted users reach only the servers and data to which they have approved access. If a trusted user attempts to reach a server or data set outside that approved scope, the NAC solution, alone or via the enforcement points, denies the access.

For example, say that the NAC solution has granted a user access rights to the engineering servers, but she attempts to access the finance server. The NAC solution (alone or in concert with network enforcement points) invokes the applicable access control policy, denies her access to the finance server, logs the attempt, and, depending on the solution, flags the unapproved attempt or alerts an administrator.

Most NAC solutions include a flagging or alerting mechanism, or they can interface with existing alerting or security information and event management (SIEM) systems that provide threat detection or network behavior anomaly detection (NBAD). Some NAC solutions can also consume that threat detection and NBAD data to identify and mitigate threats.

A NAC solution can also interoperate with existing network infrastructure and security components, such as intrusion detection system (IDS) and intrusion prevention system (IPS) appliances. If the NAC solution interfaces with an IDS/IPS appliance, the IDS/IPS can (depending on the integration) notify the NAC solution of anomalous network behavior. If the NAC solution is identity-enabled, it can resolve that behavior to a specific authenticated user or device, which lets it apply decisive, actionable policy against the offender according to the corporate policies in place. The attribution depends on the NAC's record of which address belongs to which authenticated session; traffic from an address it cannot resolve, such as an unmanaged device, should be blocked rather than ignored. This level of NAC interaction with existing network components can contain an insider threat early, before much data has left the network.
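The following is an added example, not code from the book or from any NAC product, that ties together the two mechanisms described above: the segmentation policy that denies the engineer's attempt to reach the finance server (logging it and alerting after repeated attempts), and the IDS/IPS hand-off in which the NAC resolves a source address to an authenticated user and quarantines that session. The segment address ranges, the role-to-segment policy, the alert threshold and the sample addresses are all assumptions made up for the illustration.

```python
# Added example: a toy, identity-aware NAC policy engine. It is not code from
# the book or from any NAC product; the segment ranges, role-to-segment
# policy, alert threshold and sample IPs are all assumptions made up here.
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

# Network segments the NAC enforces (assumed address plan).
SEGMENTS = {
    "engineering": ipaddress.ip_network("10.10.0.0/16"),
    "finance": ipaddress.ip_network("10.20.0.0/16"),
}
# Role -> segments a user in that role is approved to reach (assumed policy).
POLICY = {
    "engineer": {"engineering"},
    "accountant": {"finance"},
}
# Consecutive denials from one session before an administrator is alerted.
ALERT_THRESHOLD = 3


@dataclass
class Session:
    """An authenticated user plus the posture-checked device they are on."""
    user: str
    role: str
    device_ip: str
    quarantined: bool = False
    consecutive_denials: int = 0


class NAC:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}  # identity table: IP -> session
        self.log: List[str] = []
        self.alerts: List[str] = []

    def admit(self, user: str, role: str, device_ip: str) -> None:
        """Called once authentication and posture checks have passed."""
        self.sessions[device_ip] = Session(user, role, device_ip)
        self.log.append(f"ADMIT user={user} role={role} ip={device_ip}")

    @staticmethod
    def segment_of(ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for name, net in SEGMENTS.items():
            if addr in net:
                return name
        return None

    def check_access(self, src_ip: str, dst_ip: str) -> bool:
        """Enforcement-point decision for one flow; True means allowed."""
        session = self.sessions.get(src_ip)
        if session is None:
            # Unknown address: no session to attribute it to, so block it.
            self.log.append(f"DENY unknown-device src={src_ip} dst={dst_ip}")
            return False
        target = self.segment_of(dst_ip)
        allowed = (
            not session.quarantined
            and target is not None
            and target in POLICY.get(session.role, set())
        )
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(
            f"{verdict} user={session.user} role={session.role} "
            f"src={src_ip} dst={dst_ip} segment={target}"
        )
        if allowed:
            session.consecutive_denials = 0
            return True
        session.consecutive_denials += 1
        if session.consecutive_denials == ALERT_THRESHOLD:
            self.alerts.append(
                f"user={session.user} ip={src_ip} reached {ALERT_THRESHOLD} "
                f"consecutive unapproved access attempts (last dst={dst_ip})"
            )
        return False

    def ids_event(self, src_ip: str, signature: str) -> Optional[str]:
        """IDS/IPS reports an anomalous flow. The NAC resolves the source IP
        to an identity and quarantines that session. Returns the user it
        acted on, or None if the address has no session."""
        session = self.sessions.get(src_ip)
        if session is None:
            self.log.append(f"IDS signature={signature} src={src_ip} unresolved")
            return None
        session.quarantined = True
        self.log.append(
            f"QUARANTINE user={session.user} ip={src_ip} reason={signature}"
        )
        self.alerts.append(
            f"IDS {signature} attributed to user={session.user} "
            f"ip={src_ip}; session quarantined"
        )
        return session.user


if __name__ == "__main__":
    nac = NAC()
    nac.admit("alice", "engineer", "10.10.1.5")          # constructed sample
    print(nac.check_access("10.10.1.5", "10.10.2.7"))    # engineering server
    print(nac.check_access("10.10.1.5", "10.20.0.9"))    # finance server
    print(nac.ids_event("10.10.1.5", "smb-share-enumeration"))
    print("\n".join(nac.log))
```

The design point is that the same identity table serves both paths: the enforcement decision looks up who is behind the source address to pick the policy, and the IDS hand-off uses the same table in reverse to turn an anomalous flow into an action against a named user rather than an anonymous address. Once a session is quarantined, every later access check for that address fails regardless of role.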

Unapproved resource or asset access by trusted users and devices can lead to loss of revenue, fines, lawsuits, ransom demands, and even prison for perpetrators or company officials, not to mention loss of reputation and profits. A NAC solution that interacts with existing network and security infrastructure while effectively segmenting network assets can stop many of these transgressions before they cause harm.
