Network Admission Control: Balancing Security and the User Experience
Two strategies and a dozen tips help you improve your users’ NAC experience
by Dana Hendrickson
While network access control (NAC) is one of the most talked-about network security topics, the NAC label itself is now applied to so broad a range of security solutions that it is practically meaningless—as vague as the term security itself. Fortunately, there is a common set of important security functions at the heart of most NAC solutions which everyone agrees is network admission control, the subject of this article. I refer to it here as small NAC (sNAC) as its scope is narrower: it enables authenticated users to access specific parts of a network based on the identity and security posture of their devices and helps them correct detected compliance problems.
A recent market research report by the Aberdeen group (“Endpoint Security Strategies Part 1,” November 2006) reveals many organizations are seriously considering sNAC solutions, with “reducing the incidents of malware propagation” the number one reason for their interest. Budgets are their biggest challenge, followed by “end user acceptance of endpoint auditing and controls.” While sNAC security is viewed as important, security and IT professionals worry about costs, including inconveniencing and frustrating their end user communities: employees, visitors, contractors, and business partners.
I recommend two broad strategies and a dozen tactics organizations can use when defining their sNAC security policies and selecting solutions. Together, they will help you improve the user experience, increase your users’ awareness of their security responsibilities, and reduce user support costs.
Strategy #1: Finding Balance
The first strategy for improving the end-user experience is to define security policies while balancing user productivity and organizational security.
sNAC solutions enable security policies that finely control many variables, including:
- who can be granted access
- under what conditions they can exercise their privileges (e.g., type of authentication, actual device, network access point)
- what compliance checks are required
- when such checks are run
- how access privileges will be treated if an endpoint fails specific checks
- what remediation options are made available
- what messages will be communicated to the user throughout the admission process
While this capability places great potential power in the hands of the IT department, you can avoid big problems by resisting the urge to fully use it. Here are specific tips for improving the user experience without significantly increasing security risk.
Tip 1: Keep your security policies simple. Some organizations use sNAC to simply authenticate users and monitor user devices. They seldom block or restrict access privileges. While this approach might not ultimately work for your environment, it can still be a smart one during the early phase of sNAC deployment—when IT is gaining operational experience and collecting valuable information about prevailing network usage and compliance.
Tip 2: If you are going to restrict or block access, do so only for critical compliance violations. Even though you might want to run hundreds of checks on endpoints, only a few failures will typically warrant disrupting the user’s workflow. Non-critical problems do not need to be fixed immediately.
Tip 3: Instead of completely denying network access or forcing immediate remediation of critical problems, give users the option to access a limited set of resources (such as the Internet or e-mail) so they can continue to work without interruption. Companies that employ excellent e-mail security should be sufficiently protected.
Tip 4: When you require users to correct non-critical compliance problems (e.g., run routine virus scans, which can easily last 10 minutes or more), offer them a reasonable grace period so the task can be performed at a convenient time. Whenever they connect to the network during this period, remind users when this privilege will expire.
Tip 5: If you run a very large set of compliance checks for specific software, versions, service packs, and patches, perform most of them after users are admitted to the network. Large scans can take many minutes, while checks for critical problems usually take five to 10 seconds or less. There is very little incremental risk in delaying these scans and running them in the background while users carry on with their work.
Tip 6: Always simplify and automate the remediation of compliance problems as much as possible. This tactic is especially important for critical problems, where the immediate sNAC response is to deny users their normal access privileges. Make problem correction easy and fast, and your help desks will receive fewer calls. Self-remediation will always perplex some users, so if your users are not computer proficient, automate all processes.
Tip 7: Be prepared to handle exceptional user scenarios which could occur at any time. For example, if a natural disaster or another unusual problem prevents users from reaching their managed LAN-based computers, what access will be allowed from their remote computers? What if the failure to pass critical compliance tests prevents an executive from accessing time-critical information from their mobile computer? In both cases, how will the organization quickly enable appropriate access privileges?
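Tips 2 through 5 describe a tiered admission decision: only critical failures restrict access, non-critical failures get a grace period with an expiry reminder, and large scans are deferred until after admission. The following is an added example (not from the article or any vendor product) that models that decision logic; the check names, the three-day grace period, and the "full"/"limited" access levels are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

class Severity(Enum):
    CRITICAL = "critical"          # Tip 2: only these may disrupt the user's workflow
    NON_CRITICAL = "non_critical"  # Tip 4: fix within a grace period
    DEFERRED = "deferred"          # Tip 5: run in the background after admission

@dataclass
class CheckResult:
    name: str
    severity: Severity
    passed: bool

@dataclass
class Decision:
    access: str                                         # "full" or "limited" (Tip 3: no hard deny)
    messages: List[str] = field(default_factory=list)   # what the user is told (Tips 4 and 11)
    run_later: List[str] = field(default_factory=list)  # checks queued for a background scan

GRACE_PERIOD = timedelta(days=3)  # assumed policy value; the article gives none

def admit(results: List[CheckResult], first_failure_seen: Optional[datetime], now: datetime) -> Decision:
    """Map posture check results to an access level plus user-facing messages.
    first_failure_seen is when a non-critical failure was first recorded for this device (None if never)."""
    decision = Decision(access="full")
    # Deferred checks never gate admission; they are queued regardless of their result (Tip 5).
    decision.run_later = [r.name for r in results if r.severity is Severity.DEFERRED]
    failed_critical = [r.name for r in results if r.severity is Severity.CRITICAL and not r.passed]
    failed_minor = [r.name for r in results if r.severity is Severity.NON_CRITICAL and not r.passed]
    if failed_critical:
        # Tip 3: restrict to Internet and e-mail rather than deny outright.
        decision.access = "limited"
        decision.messages.append("Access limited to Internet and e-mail until fixed: " + ", ".join(failed_critical))
        return decision
    if failed_minor:
        start = first_failure_seen or now
        expires = start + GRACE_PERIOD
        if now >= expires:
            decision.access = "limited"
            decision.messages.append("Grace period expired; please fix: " + ", ".join(failed_minor))
        else:
            # Tip 4: on every connection, remind the user how long the grace period has left.
            hours_left = int((expires - now).total_seconds() // 3600)
            decision.messages.append(f"Please fix {', '.join(failed_minor)} within {hours_left} hours.")
    return decision
```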
Strategy #2: User Education
The second sNAC strategy for improving the end-user experience deals with user education. The central goal is to never surprise users or put them in a position of uncertainty (where they perceive that something is either not working or not working well).
There will be times when users will need to patiently wait while required sNAC operations (such as agent downloads, compliance scans, and problem remediation) occur. What the user expects—and how they are treated—will significantly shape how users feel and what they do (such as calling the help desk to complain or demand immediate help).
Tip 8: Ensure all changes to the user experience attributable to sNAC are well-communicated before the user actually experiences them. This applies to your initial sNAC operations, subsequent changes in security policies, and any new demands placed on user communities.
Tip 9: If you deploy a sNAC solution that will significantly alter the user experience, implement it in multiple incremental phases so users and help desks are not overwhelmed and frustrated.
Tip 10: During the introduction of new security policies, start with a transition period when users are simply informed of the new types of compliance problems being discovered on their devices. Explain how future enforcement could impact them and how their specific actions can minimize or avoid inconvenience.
Tip 11: Any time users must wait for more than a few seconds for the completion of a sNAC operation, keep them continuously informed of how much time remains before the task is completed. Visual cues will assure them that the system is working properly.
Tip 12: IT management should continually monitor how well the entire organization is dealing with a sNAC solution, especially after any significant changes are implemented. Soliciting feedback from users, business managers, and help desk personnel enables IT to streamline communications, demonstrate sensitivity, and capture valuable ideas about ways to improve sNAC implementations and their support processes.
Striking the optimal balance between the user experience and security with network admission control will remain a never-ending challenge for most security professionals as new users, applications, and security policies are added to their networks. However, proactive learning and careful planning by IT make a big difference. You can also count on market competition driving ever more versatile vendor solutions that reduce the required sacrifices for users and organizations.
Dana Hendrickson is a security industry analyst and publisher of the Secure Access Central portal. You can contact Dana about Network Admission Control: Balancing Security and the User Experience at firstname.lastname@example.org