3.1. Policy and the NAC Lifecycle

Any NAC solution will go through five steps in determining the level of access provided to a user or machine:

  1. Assess

  2. Evaluate

  3. Remediate

  4. Enforce

  5. Monitor

You must incorporate continual policy updates into every step, ensuring that as the security and access control needs of your organization change, so too do the policies and actions that your NAC deployment enforces. These changes let you refine your NAC lifecycle as business needs evolve.

Figure 3-1 shows these steps in the NAC lifecycle. In the shaded area, you define the security policy that ultimately determines how your organization implements every step in the NAC process.

NOTE

Your NAC implementation has very little hope of being successful unless your organization has plans and goals in place.

When rolling out NAC across your organization, you need to understand the implications of your corporate security policy and its impact on NAC, shown in the shaded area of Figure 3-1. NAC is the key component of your corporate security policy when it comes to how you handle access control on your corporate networks.

Chapter 6 covers how you actually write a corporate security policy.


For the first step in the lifecycle, the NAC implementation team reviews the corporate security policy and, from that document, develops a more detailed policy and implementation plan for your NAC deployment.

This plan includes the specific policies that your organization implements:

  • The corporate security policy might stipulate that end users must use strong authentication in order for employees to access the corporate network.

  • Your corresponding NAC policy might detail that stipulation, indicating that the organization will implement strong authentication in the form of a token-based one-time password system from Vendor X.

  • The NAC policy might also specify the level of access that an employee in the Finance department gets from his or her smartphone, or the consequences for having an improperly patched machine that an NAC system can't remediate.

Figure 3-1. The basic steps of NAC implementation.
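To make the lifecycle concrete, the following is an added example (not code from the book or from any NAC vendor) that models assess, evaluate, remediate, enforce and monitor as plain Python functions over constructed endpoint records. The policy values (a token-based one-time password as the required authentication, a patch threshold, a per-department access level for smartphones) and the endpoint records are all assumptions made for the illustration; the point is that the policy object is the single input that the whole lifecycle reads, so changing it and re-running the monitor step is how a policy update flows back into every decision.

```python
"""Toy NAC policy engine: assess -> evaluate -> remediate -> enforce -> monitor.

Added example with constructed data; not a real NAC product's logic.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


@dataclass
class Endpoint:
    user: str
    department: str
    device_type: str        # "laptop" or "smartphone"
    auth_method: str        # "password" or "otp_token"
    missing_patches: int    # patches the agent reports as not installed
    patchable: bool = True  # False if the NAC agent cannot push patches to it


@dataclass
class Policy:
    """Constructed NAC policy; in practice derived from the corporate security policy."""
    required_auth: str = "otp_token"
    max_missing_patches: int = 0
    smartphone_access: Dict[str, str] = field(default_factory=lambda: {"Finance": "email_only"})
    smartphone_default: str = "guest"


def assess(ep: Endpoint) -> Dict[str, object]:
    """Step 1: collect posture facts from the endpoint (here, from the record itself)."""
    return {"auth": ep.auth_method, "missing_patches": ep.missing_patches, "device": ep.device_type}


def evaluate(policy: Policy, posture: Dict[str, object]) -> List[str]:
    """Step 2: compare posture against policy; return the list of violations."""
    violations = []
    if posture["auth"] != policy.required_auth:
        violations.append("weak_auth")
    if posture["missing_patches"] > policy.max_missing_patches:
        violations.append("unpatched")
    return violations


def remediate(ep: Endpoint, violations: List[str]) -> Tuple[Endpoint, List[str]]:
    """Step 3: fix what the NAC agent can; return the updated endpoint and what remains."""
    remaining = list(violations)
    if "unpatched" in remaining and ep.patchable:
        ep = replace(ep, missing_patches=0)   # agent installed the missing patches
        remaining.remove("unpatched")
    return ep, remaining


def enforce(policy: Policy, ep: Endpoint, remaining: List[str]) -> str:
    """Step 4: map residual violations and device class to an access level."""
    if "weak_auth" in remaining:
        return "denied"       # authentication method cannot be remediated by the agent
    if "unpatched" in remaining:
        return "quarantine"   # unremediable patch gap: remediation network only
    if ep.device_type == "smartphone":
        return policy.smartphone_access.get(ep.department, policy.smartphone_default)
    return "full"


def run_lifecycle(policy: Policy, ep: Endpoint) -> Tuple[str, List[str]]:
    """Run one pass of steps 1-4 for an endpoint; returns (access level, audit log)."""
    log = []
    posture = assess(ep)
    violations = evaluate(policy, posture)
    log.append(f"{ep.user}: violations={violations}")
    ep, remaining = remediate(ep, violations)
    if remaining != violations:
        log.append(f"{ep.user}: remediated, remaining={remaining}")
    access = enforce(policy, ep, remaining)
    log.append(f"{ep.user}: access={access}")
    return access, log


def monitor(policy: Policy, endpoints: List[Endpoint]) -> Dict[str, str]:
    """Step 5: re-run the lifecycle for every endpoint; call again whenever policy changes."""
    return {ep.user: run_lifecycle(policy, ep)[0] for ep in endpoints}


# Constructed sample endpoints (not real users or devices)
ENDPOINTS = [
    Endpoint("alice", "Finance", "smartphone", "otp_token", 0),
    Endpoint("bob", "Engineering", "laptop", "otp_token", 3, patchable=True),
    Endpoint("carol", "Sales", "laptop", "otp_token", 2, patchable=False),
    Endpoint("dave", "Finance", "laptop", "password", 0),
]

if __name__ == "__main__":
    print(monitor(Policy(), ENDPOINTS))
    # A policy update fed back into the lifecycle: tolerate up to two missing patches
    print(monitor(Policy(max_missing_patches=2), ENDPOINTS))
```

Running it with the baseline policy gives alice the Finance smartphone level, remediates bob and grants full access, quarantines carol because her machine cannot be patched, and denies dave for using a password instead of the required token. Relaxing the patch threshold to two and re-running the monitor step moves carol to full access without touching any other function, which is the feedback loop the text describes.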

As with any rules and regulations, both the corporate security policy and your NAC policy must evolve over time to accommodate changing business and security requirements.

As these changes occur, feed the new business requirements back into the NAC lifecycle as part of a continual change process.

Schedule periodic reminders or meetings to re-evaluate your NAC policies or build continual update reviews into your normal work processes.


After you have a mechanism to ensure that your policies are up to date and you deploy NAC in your network, you need to move to the five continual phases of the NAC lifecycle.
