Be mindful of changing access methods
Many organizations have expanded their remote access options to accommodate their remote workforces. This often includes a VPN+RADIUS setup. If your organization has configured its infrastructure in this way, it is efficient to integrate your on-premise switches and access points into the same network access scheme, so that the same authentication backend governs both remote and on-site access.
In cases where port-based access control is not used or not supported in your on-premise environment, or if you want to exercise additional control over connected devices, you should review your criteria for determining which devices belong on the network and what their privilege levels should be. The Genians Network Sensor can leverage Device Platform Intelligence (included with Genian NAC or available as a standalone service) and ARP enforcement technology to micro-segment your networks in real time based on changing contextual information: the platforms that are detected, which users have authenticated, time of day, and many more factors.
Plan your onboarding & enforcement in phases
As you begin to accept more devices onto on-premise networks, consider using a gradual enforcement approach.
For example, you may start by allowing only some devices full network permissions while giving most other devices limited access. In most environments a least-privilege approach is best: it is safer, and it is easier to locate and resolve a false-positive restriction than it is to deal with an undetected threat. Users whose devices have restricted network access should be allowed the network permissions necessary to contact your IT administrators and request the level of privilege they need, but no more.
With this in mind, be very mindful of which conditions you use to allow broader network access. Using a combination of authentication, MAC addressing, IP addressing and other factors can be a simple way to determine which devices should be allowed to access the network with fewer restrictions.
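As an added illustration of the phased, least-privilege approach described above (example code written for this article, not Genians' product logic), the following Python evaluator combines authentication, MAC, IP, detected platform and time of day into an access tier, defaulting to the most restricted tier and widening only when independent signals agree. The inventory, subnet and platform names are constructed placeholders, and the three rollout phases are an assumed scheme.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Access tiers, most to least privileged. HELPDESK_ONLY is the restricted tier
# that can still reach IT to request more privilege, and nothing else.
FULL, LIMITED, HELPDESK_ONLY = "full", "limited", "helpdesk_only"

# Constructed reference data standing in for a real asset inventory,
# a device-platform intelligence feed and a corporate subnet plan.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
MANAGED_PLATFORMS = {"Windows 10 Corporate Image", "macOS MDM Enrolled"}
CORP_SUBNET = "10.10.50."

@dataclass
class Endpoint:
    mac: str
    ip: str
    platform: str        # as reported by platform detection
    user: Optional[str]  # authenticated user, None if no RADIUS/802.1X auth
    hour: int            # hour of day (0-23) the device was seen

def classify(ep: Endpoint) -> str:
    """Least-privilege decision: start at the most restricted tier and widen
    only when several independent signals agree."""
    authenticated = ep.user is not None
    known_mac = ep.mac.lower() in KNOWN_MACS
    corp_ip = ep.ip.startswith(CORP_SUBNET)
    managed = ep.platform in MANAGED_PLATFORMS
    business_hours = 7 <= ep.hour <= 19
    if authenticated and managed and (known_mac or corp_ip) and business_hours:
        return FULL
    if authenticated or managed:
        return LIMITED
    return HELPDESK_ONLY

def enforce(ep: Endpoint, phase: str) -> Tuple[str, str]:
    """Phased rollout: returns (policy decision, tier actually applied).
    'audit'   - decide and record only; every device keeps full access
    'partial' - enforce only for devices the policy cannot identify at all
    'enforce' - apply the decision to every device"""
    decision = classify(ep)
    if phase == "audit":
        return decision, FULL
    if phase == "partial":
        return decision, decision if decision == HELPDESK_ONLY else FULL
    return decision, decision
```

Running the evaluator in audit mode first shows which devices would be restricted before any access actually changes, which is where false positives are cheapest to find.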
Take note of changing attack surfaces
- Make efficient use of your infrastructure and solutions
- Leverage multiple forms of authentication and identification for security and management
- Aim to implement least-privilege
- Plan your project in phases
- Tailor your approach to the specific environment