Security takes time – Sometimes for a reason

Tim Green’s latest article at Network World titled “Security takes time” discusses the NAC admission process and patience of users.

Tim argues that a longer NAC admission (and remediation) process might trigger a user to be impatient and not use the network resources.

I generally agree with the assumption that the NAC admission process of an element to the network should not take long. But, I believe Tim may have mixed up several things in his article.

Tim writes about NAC admission, the process of evaluating whether a new element attached to the network complies with a defined security policy. The process might include examining service pack information, patches installed, installed applications, running applications, A/V (installed, running, updated), FW status and more.

This is Admission.

If the element does not comply with the network admission security policy, the user, or the NAC solution, should remediate the issues preventing the element from accessing the network.

This is remediation, and here Tim conflates two distinct issues: self-remediation and automatic remediation.

If the user is to perform self-remediation, time is less problematic. This is because the user must be aware that s/he needs to take an action in order to access the network. During the remediation process the user is told exactly what is happening with the system and what it is undergoing (and therefore why it takes longer to access the network).

If automatic remediation is performed, the user will not always know about the processes running in the background that are preventing the machine from connecting to the network. In some cases this results in users getting impatient because they do not understand what is going on.
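To make the admission/remediation distinction concrete, here is a small posture evaluator written as an added example for this post; it is not code from Tim Green's article or from any NAC product. The policy attributes (antivirus state, signature age, host firewall, service pack level, a blocked application class) and the automatic fixes are constructed assumptions. The point it shows is the one made above: every failed check carries a status message the user sees, and an endpoint whose failures are all automatically fixable goes through remediation and re-admission without any user action, while any item that needs the user turns the whole cycle into self-remediation.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Posture = Dict[str, Any]

# Constructed: an application class the admission policy does not allow to run.
FORBIDDEN_APPS = {"p2p-client"}


@dataclass(frozen=True)
class PolicyCheck:
    name: str
    passes: Callable[[Posture], bool]
    remediation: str      # "auto": the NAC system fixes it; "self": the user must act
    status_message: str   # shown to the user so the delay is explained, not silent


# Constructed admission policy covering the attribute classes the post lists.
ADMISSION_POLICY: List[PolicyCheck] = [
    PolicyCheck("av_installed", lambda p: p.get("av_installed") is True, "self",
                "Antivirus is not installed; install it from the software portal and reconnect."),
    PolicyCheck("av_running", lambda p: p.get("av_running") is True, "auto",
                "Starting the antivirus service."),
    PolicyCheck("av_signatures_fresh", lambda p: p.get("av_signature_age_days", 999) <= 3, "auto",
                "Downloading current antivirus signatures."),
    PolicyCheck("firewall_enabled", lambda p: p.get("firewall_enabled") is True, "auto",
                "Enabling the host firewall."),
    PolicyCheck("service_pack_current", lambda p: p.get("service_pack", 0) >= 2, "self",
                "Service pack 2 is required; run the system update and reboot."),
    PolicyCheck("no_forbidden_apps",
                lambda p: not (set(p.get("running_apps", [])) & FORBIDDEN_APPS), "self",
                "A blocked application is running; close it and reconnect."),
]

# Constructed automatic fixes: what the NAC system changes for each "auto" check.
AUTO_FIXES: Dict[str, Callable[[Posture], Posture]] = {
    "av_running": lambda p: {**p, "av_running": True},
    "av_signatures_fresh": lambda p: {**p, "av_signature_age_days": 0},
    "firewall_enabled": lambda p: {**p, "firewall_enabled": True},
}


@dataclass
class AdmissionResult:
    decision: str                              # "admit", "auto_remediation", "self_remediation"
    failed: List[str] = field(default_factory=list)
    user_messages: List[str] = field(default_factory=list)


def evaluate(posture: Posture) -> AdmissionResult:
    """Admission step: compare the reported posture against every policy check."""
    failed = [c for c in ADMISSION_POLICY if not c.passes(posture)]
    if not failed:
        return AdmissionResult("admit")
    # One item that needs the user makes the whole cycle a self-remediation case.
    needs_user = any(c.remediation == "self" for c in failed)
    decision = "self_remediation" if needs_user else "auto_remediation"
    return AdmissionResult(decision, [c.name for c in failed],
                           [c.status_message for c in failed])


def apply_auto_remediation(posture: Posture, result: AdmissionResult) -> Posture:
    """Remediation step: apply the automatic fixes for the failed checks that have one."""
    fixed = dict(posture)
    for name in result.failed:
        if name in AUTO_FIXES:
            fixed = AUTO_FIXES[name](fixed)
    return fixed


def admission_cycle(posture: Posture) -> AdmissionResult:
    """Admission, automatic remediation where possible, then re-admission (one pass)."""
    first = evaluate(posture)
    if first.decision != "auto_remediation":
        return first
    return evaluate(apply_auto_remediation(posture, first))


# Constructed sample endpoints.
COMPLIANT: Posture = {"av_installed": True, "av_running": True, "av_signature_age_days": 1,
                      "firewall_enabled": True, "service_pack": 2, "running_apps": ["mail-client"]}
STALE_AV: Posture = {**COMPLIANT, "av_running": False, "av_signature_age_days": 10}
NO_AV: Posture = {**COMPLIANT, "av_installed": False, "running_apps": ["p2p-client"]}

if __name__ == "__main__":
    for label, posture in (("compliant", COMPLIANT), ("stale_av", STALE_AV), ("no_av", NO_AV)):
        r = admission_cycle(posture)
        print(label, r.decision, r.failed)
        for msg in r.user_messages:
            print("  user sees:", msg)
```

The `user_messages` list is the part that matters for the impatience problem: an automatic remediation that silently restarts services and downloads signatures looks to the user like a broken network, while the same fixes with a progress message attached are simply a known delay.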

This is what Tim Green suggests to his readers:

“… Customers should also test the gear with end users in various departments to find out whether the technology eats up too much time for some users, and whether some dispensation from NAC should be allowed in critical cases.”

NAC, according to my definition, is a security and compliance solution. The fact that an element is checked to verify it is in line with the network access security policy of an organization means that a certain risk to the stability and integrity of the enterprise LAN is minimized. When we start to make exceptions to the rule, we end up where some organizations already are: with no control over the enterprise LAN.

If we took every user complaint about security products into account, we would never have them in place (e.g. a firewall blocking P2P applications).
