Whether you’re managing IT for a small business just getting started or a major multinational corporation, there are two critical concerns that you have to meet: security and regulations. The two often go hand in hand, though security usually concerns itself with safeguarding your firm’s assets and customer information. Regulatory concerns are related to government oversight and the consequences that can be enforced should a security breach occur that compromises those assets and customer information.
If you’ve worked in IT for any significant amount of time, you are aware of the lag that often occurs when talking about technological advancement and the crafting of laws to address the new challenges presented by that technology. When government agencies do eventually catch up, compliance with regulations becomes critical to a firm’s continuing success. For example, there are some big changes coming for businesses that collect user data in Europe.
If your organization does business within a country that is part of the European Union, you are already aware of the EU General Data Protection Regulation (GDPR). If not, you have until May of 2018 to become compliant with the regulations that have been established. Here is what you need to know about the GDPR, the common issues that make compliance difficult, and how Network Access Control (NAC) can help you better secure your network to maintain compliance.
Key points of GDPR
The GDPR was established by the EU essentially to protect the data of its citizens. Many of the provisions of the GDPR pertain to the storage, handling, and transfer of user data in an effort to strengthen privacy rights. If your organization collects customer information in the EU, you must be compliant with GDPR by 2018.
While many business owners are aware of data laws, a plurality are not aware of what changes the GDPR is bringing and when it actually takes effect. This is especially true when talking about Small and Medium-sized Enterprises (SMEs). For example, here’s a report that recently came out addressing Irish SMEs and their level of preparation. In an effort to get up to speed in less than a year’s time, here is what you need to know:
- The GDPR affects not only businesses located in the EU, but any business that manages data that comes from customers in the EU. U.S. companies, for example, need to be mindful of these regulations as well.
- Fines for non-compliance can be up to 100 million euros.
- Security breaches are the biggest concern, and there is a rule that a business must publicly acknowledge a breach within 72 hours.
One of the largest contributors to security breaches is unauthorized access via rogue devices. This can take the form of a Wi-Fi enabled device that makes up what is referred to as the Internet of Things (IoT) such as a smart thermostat or camera. It may be a personal device an employee brought in for their convenience. Unfortunately, they sometimes do not notify IT about this device. A laptop or even smartphone accessing your network without the proper security configurations can lead to a breach. In many instances, it could be something like a cheap router that wasn’t accounted for.
Whatever the actual culprit, device visibility and access management are key to thwarting malicious attempts at stealing sensitive customer data. Not only can being compromised cost your firm a lot of money and customer goodwill, but with regulations like GDPR coming into play the monetary costs can be even higher due to fines.
Genian NAC is the versatile and scalable solution that integrates with your existing infrastructure to provide the control you need to manage all devices trying to access your network.
How Genian NAC can help (Secure data at the network and endpoint layer)
Genian NAC leverages context-aware enforcement in order to give visibility into critical information on all devices trying to access the network, and to identify activity that is out of the ordinary. The software has been designed with the ability to help enforce security compliance. How does Genian NAC accomplish this?
To simplify the process of setting up your security baseline, you will work with Nodes and Policies, which define specific conditions that must be met to be “in compliance”. There are two groups that define what you are controlling:
- Policy Group: Group based on Node-related information such as Node type, address information (IP/MAC), user information (authentication), accessing time, and more.
- Status Group: Group based on the Node status measured by policies and the associated conditions. It can be used to enforce policy on non-compliant Nodes.
Grouping Nodes provides significant administrative benefits by simplifying tasks, organizing resources, and applying policies dynamically across the network. When you need to make changes affecting every Node in a group, it is easier to modify the settings for the Node group.
A Node is a general term to describe any type of device with network interfaces to access the network. Essentially, each network interface is a Node. Each Node corresponds to an IP address paired with the MAC address of the device attempting to connect to the network. Often, a device has multiple MAC addresses, such as a switch, server or laptop with Ethernet and Wireless network interface cards (NICs). This means that such a laptop (host) is associated with more than one Node (network interface).
Policies, Actions, and Permissions
Once a targeted Node group is ready, you can set up specific policies with appropriate actions and permissions.
Define a security policy that describes how to secure access to Nodes when endpoints attempt to access your internal network. There are three types of policies:
- Node Policy: Secure endpoints (authentication and system management) using Agent plugins.
- Enforcement Policy: Manage secure access control using the Sensors and Agent.
- Compliance Policy: Apply a Node to multiple Node groups so you can easily identify the overall compliance status of the Node as defined by those Node groups. This kind of policy setup can support various regulatory compliance regimes, such as PCI, HIPAA, FERPA and GDPR, more dynamically and effectively.
Policies can be executed by Actions. Various Actions can be supported by Agent plugins.
To apply policies more accurately, you need to specify a scope with three different objects: Network, Service and Time.
- Network: A range of IP addresses or network segments (IP netmask)
- Service: Transport and Network layer protocols (TCP, UDP, ICMP)
- Time: A range of dates, days of the week, or times of day
Once the Node policy is turned on, you can immediately see those devices that are not in compliance with the policy. From this baseline, you can determine what to do with those non-compliant devices.
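The following is an added illustrative model of the concepts described above (a Node as one IP/MAC pair, a Policy Group selected by Node attributes, a policy scope made of Network, Service and Time, and a Status Group of non-compliant Nodes). It is not Genian NAC code; every class, field name and sample device is a constructed assumption for illustration.

```python
"""Illustrative model of NAC Node grouping and policy scope matching (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Node:
    """One network interface: an IP/MAC pair plus what the sensor/agent knows about it."""
    ip: str
    mac: str
    node_type: str          # assumed labels: "laptop", "iot", "router"
    authenticated: bool     # user authentication succeeded
    agent_installed: bool   # endpoint agent is reporting in


@dataclass(frozen=True)
class Scope:
    """Policy scope: Network (CIDR list), Service (protocols), Time (daily window)."""
    networks: tuple
    services: frozenset
    start: time
    end: time

    def contains(self, node: Node, proto: str, when: datetime) -> bool:
        in_net = any(ip_address(node.ip) in ip_network(n) for n in self.networks)
        return in_net and proto in self.services and self.start <= when.time() <= self.end


def policy_group(nodes, node_types, network):
    """Policy Group: Nodes selected by Node type and IP range."""
    net = ip_network(network)
    return {n for n in nodes if n.node_type in node_types and ip_address(n.ip) in net}


def compliant(node: Node) -> bool:
    """Baseline condition for this example: authenticated and running the agent."""
    return node.authenticated and node.agent_installed


def status_group(nodes, scope, proto, when):
    """Status Group: in-scope Nodes that fail the baseline, i.e. enforcement targets."""
    return {n for n in nodes if scope.contains(n, proto, when) and not compliant(n)}


# Constructed sample inventory and times (not real devices or events).
NODES = [
    Node("10.0.1.10", "aa:bb:cc:00:00:01", "laptop", True, True),
    Node("10.0.1.11", "aa:bb:cc:00:00:02", "laptop", True, False),  # agent missing
    Node("10.0.1.50", "aa:bb:cc:00:00:03", "iot", False, False),    # unmanaged camera
    Node("10.0.2.1", "aa:bb:cc:00:00:04", "router", False, False),  # outside the scope's network
]
OFFICE = Scope(("10.0.1.0/24",), frozenset({"tcp", "udp"}), time(8, 0), time(18, 0))
BUSINESS_HOURS = datetime(2018, 5, 25, 10, 30)
AFTER_HOURS = datetime(2018, 5, 25, 22, 0)
```

Calling `status_group(NODES, OFFICE, "tcp", BUSINESS_HOURS)` yields the laptop without an agent and the unmanaged camera; the router is skipped because its address falls outside the scope's Network object.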
Genian NAC powered by Device Platform Intelligence performs ongoing compliance checks more effectively to ensure all devices on your network are continually identified and authorized, are given access control based on your policies, and are constantly referenced against vendor/manufacturer information to determine if they need to be retired. Genian NAC can maximize IT operational efficiency at a fraction of the cost of traditional NAC.
Brett is a Cisco CCNP and has over 25 years of experience in networking. During the last 15 years he has specialized as an SME in Designing and Deploying Network Access Control solutions. Prior to focusing on NAC, Brett served as a Cryptologic Technician in the U.S. Navy as well as providing network consulting services such as Enterprise-scale WAN projects for financial institutions and data center BGP connectivity to Service Providers.