
had a fine LAN-based NAC solution. I was just saying that the solution wasn’t designed for mobile devices as they are mobile, and many companies seeking a NAC solution don’t recognize this fact.

That was actually one of the main points of my presentation — knowing what threats the security solutions actually address. The chapter representative (who is also a salesperson, by the way) then stated that I should not have said this in my presentation. I immediately mentioned that what I stated was factual, not said with malicious intent, and that pointing out this difference between LAN-based NAC and Mobile NAC was a key element of my presentation. The representative stated again that this fact should not have been mentioned. I politely replied that I was relieved I didn’t say anything false or incorrect, and afterward, my colleague and I got a good laugh at this ridiculous confrontation.

So, there are a number of things that can be learned from this story:

There are key differences between LAN-based NAC and Mobile NAC, and these differences will often be blurred.

Understanding these differences is key to providing an appropriate security solution to meet your needs.

Get the objective facts on how a prospective NAC solution works. Don’t rely on what you’re being told by a salesperson, or hearing via the grapevine. (You’ll get this info in later chapters of this book.)

Evidently, it’s bad form to point out differences in various security solutions to other security engineers if salespeople are present.

Why Companies Look to Mobile NAC

Chapter 4 discussed why companies are looking at LAN-based NAC solutions. This chapter will do the same with Mobile NAC solutions. Following are some key reasons why companies look to Mobile NAC solutions:

There are threats to mobile devices that need to be addressed.

The company failed a security audit.

There is a need to comply with various compliance regulations.

Again, these reasons aren’t really different from the reasons that companies look to a number of different security solutions. The difference is in how Mobile NAC can help address these reasons.

Failing a security audit and recognizing the threats are pretty straightforward reasons to seek a solution. In just a bit, I’ll explore in detail the threats and how they can be addressed. Anything compliance-related is always murky, so let’s talk about that one now.

130 Chapter 5 Understanding the Need for Mobile NAC

Mobile NAC and Compliance Regulations

There are few buzzwords that stir the emotions as much as “compliance.” The government and other bodies demand it, companies must abide by it, and vendors love to attach it to their products and presentations.

One of the key challenges with many compliance regulations is that they are vague. This vagueness leads to subjectivity and confusion. This vagueness is also sometimes used as an excuse.

Earlier this year, I spoke at a security event in Chicago. I strive to make my presentations very objective, fact-based, and clear, so I usually don’t muddy the waters by talking about specific compliance regulations. This event was partially themed on compliance, so it was appropriate in this case to expand on regulations to fit in with the theme.

In keeping with my personal requirement of a presentation being fact-based, I decided to talk about the Health Insurance Portability and Accountability Act (HIPAA). Something that has always bothered me about HIPAA is how companies use its perceived vagueness as a crutch. “HIPAA doesn’t specifically say I have to use a specific technology, so I’m not sure if I really have to.” As a security guy at a major national bank astutely told me a few days ago, “If you’re following best security practices, you’re probably following compliance regulations anyway.” That is very true and very well said. You don’t just implement the best security practices to meet some guidelines from some organization; you try to do what’s best. If you do your best, you’ll likely be covered by any other guidelines anyway. You don’t look for excuses.

The first thing I ever did before I mentioned one word about HIPAA was to actually read the act itself. You may be surprised how many people spout off about HIPAA and other regulations and never actually take the time to read them. In reading HIPAA, I must tell you that I really didn’t find it to be very vague. Then again, I wasn’t looking to find vagueness and use it as an excuse. So, having read HIPAA, I used a portion of its own verbiage in my presentation. That portion was:

PUBLIC LAW 104-191 AUG. 21, 1996

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996

Public Law 104-191 104th Congress

(2) SAFEGUARDS. — Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards —


(B) to protect against any reasonably anticipated —

(i) threats or hazards to the security or integrity of the information; and

(ii) unauthorized uses or disclosures of the information; and

(C) otherwise to ensure compliance with this part by the officers and employees of such person.”

If you read this, it basically tells you to follow best security practices to protect against reasonably anticipated threats to the integrity of information and its unauthorized use or disclosure. Now, let’s take a look at another definition:

A vulnerability whose exploitation could result in a compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.

This definition seems to relate directly to HIPAA. If a company had a vulnerability as defined here, it would be logical (not vague) to think that the company wouldn’t be in compliance with the areas of HIPAA that I mentioned. So, what is this definition? This definition is Microsoft’s description of patches defined as “important.” To me, this means that important Microsoft patches are critical to HIPAA compliance.

In my presentation, I pointed this out by stating the following:

Is a company compliant with HIPAA even though they:

Have laptops that have access to protected information

Realize that unpatched machines can allow an attacker who successfully exploited a known vulnerability to take complete control of an affected system and/or compromise the integrity and security of the data

Have absolutely no means to patch devices when they are mobile

Have no means to provide reporting into the patching levels of my machines, especially when they are mobile

Have no means to restrict access to sensitive information if Critical or Important vulnerabilities are present on a device

To me, the answer is, “No way!” If you’re tasked with protecting data and your machines that have this data can be easily exploited because they aren’t patched, you simply are not compliant. To me, this point isn’t even a little bit vague. An organization without insight into the current patch level of its devices, a means to restrict them if they are deficient, and a means to remediate them regardless of where they may be located, cannot seriously consider itself to be compliant with the spirit of any major compliance statute.


The next logical questions to ask are “How is this particular problem fixed?” and “Will LAN-based NAC fix the problem?” As much as the salesperson who confronted me last week would like to have you believe, the answer really is “No.” This is a perfect example of where Mobile NAC is required. These laptops with HIPAA-related information always need to be up to snuff and protected — not just when the devices decide to come back to the LAN. It’s pretty clear.
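To make the argument above concrete, here is an added example (not from this book or from any NAC product) that models the three capabilities the chapter names: insight into which patches a device is missing by Microsoft severity, restriction of access to protected health information when Critical or Important patches are missing, and the difference between a LAN-based control that only evaluates devices while they are on the LAN and a mobile control that evaluates them wherever they are. The device names, patch ids and fleet data are constructed for illustration.

```python
from dataclasses import dataclass, field

# Microsoft severity ratings as the chapter cites them; the chapter argues that
# missing "Important" (and Critical) patches bear directly on HIPAA's safeguard clause.
RESTRICTING_SEVERITIES = {"Critical", "Important"}


@dataclass
class Device:
    name: str
    on_lan: bool                 # currently connected to the corporate LAN?
    handles_phi: bool            # has access to protected health information
    missing_patches: dict = field(default_factory=dict)   # patch id -> severity


def posture_gap(device):
    """Missing patches whose severity should restrict access to PHI."""
    return {p: s for p, s in device.missing_patches.items() if s in RESTRICTING_SEVERITIES}


def lan_nac_decision(device):
    """LAN-based NAC only evaluates a device when it is on the LAN; off-LAN it has no insight."""
    if not device.on_lan:
        return "unassessed"      # no insight, no restriction, no remediation while mobile
    return "restrict" if posture_gap(device) else "allow"


def mobile_nac_decision(device):
    """Mobile NAC applies the same policy regardless of where the device is."""
    return "restrict" if posture_gap(device) else "allow"


def compliance_findings(devices):
    """Per device: the decision each control reaches, and whether PHI is left exposed under LAN NAC."""
    findings = {}
    for d in devices:
        lan, mobile = lan_nac_decision(d), mobile_nac_decision(d)
        exposed = bool(d.handles_phi and posture_gap(d) and lan == "unassessed")
        findings[d.name] = {"lan_nac": lan, "mobile_nac": mobile, "phi_exposed_under_lan_nac": exposed}
    return findings


# Constructed sample fleet; patch ids are placeholders, not real bulletin numbers.
FLEET = [
    Device("clinic-desktop-01", on_lan=True, handles_phi=True, missing_patches={"PATCH-A": "Important"}),
    Device("field-laptop-07", on_lan=False, handles_phi=True, missing_patches={"PATCH-B": "Critical", "PATCH-C": "Low"}),
    Device("field-laptop-09", on_lan=False, handles_phi=True, missing_patches={"PATCH-C": "Low"}),
]

if __name__ == "__main__":
    for name, finding in compliance_findings(FLEET).items():
        print(name, finding)
```

Only the field laptop with a Critical gap shows up as exposed under the LAN-based control; the same device is restricted by the mobile policy, which is the gap the chapter describes.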