Posted by: Nick Burrows Posted date: 28 November 2016

The case for context-based access control for all devices (not just wireless)?


While the workloads from user devices are increasingly airborne, the converged nature of printers, access control systems, CCTV, lighting, HVAC and building management systems (yes, I know the trendy parlance is ‘Internet of Things’), alongside enduring desktop PCs and servers, means that the campus network is unlikely to end up wire-free any time soon.

You would think that the wired nature of this would give controlling types peace of mind, but the flow of data down physical avenues that can easily be subjected to threat mitigation tech doesn’t seem to be stopping the IoT from becoming a massive security threat. Indeed, the largest ever recorded DDoS attack, which occurred in October, was launched from compromised CCTV DVRs, most if not all of which were on wired networks.

OK, perhaps that attack was more about the IoT devices themselves than the networks on which they reside (though we all know that when it comes to security, IoT devices are ‘stupid’, so the network should play the responsible adult role, right!?), but my point is that a wired network should be easier to secure than one that uses air for the last transmission hop.

Conversely, the historical concerns about easier interception and infiltration of traffic flows with wireless created an environment for a range of cool, built-in mechanisms for authentication and authorisation that have set strong precedents for the security of connected devices. Whilst these mechanisms are for the most part possible in the wired domain, many who have tried have found themselves plagued by patchy supplicant support and clunky, ineffective controls.

In addressing the challenges that mobile devices create in the campus, it remains just as important that wired devices cannot be physically plugged into a network and granted access to the wrong things. Rather than use multiple systems and protocols, campus connectivity can benefit from a unified approach to making sure that access and permissions are granted based on user, device, location and security posture, or in a word, context.

This concept is nothing new of course; Network Access Control (NAC) has long been an ambition for many organisations, but cost and complexity have previously presented a sometimes insurmountable barrier to making things fly.

Luckily we see this changing. 

The systems required to make contextual access possible, across both the wired and wireless estate, have become dramatically easier to deploy and administer, ensuring that users are granted appropriate access privileges based on user role, device type, MDM data, certificate status, location, day of the week and time of day, regardless of access media type.

With the volume of security threats increasing daily, and the significance of a compromised machine having access to the crown jewels increasingly well understood (CryptoLocker, anyone!?), contextual access controls are becoming an imperative rather than merely a ‘nice to have’ in any defensive line-up.

To be clear, I am not saying that contextual access is a mythical silver bullet that kills all threats dead (though there are plenty of security vendors claiming this right now), but I would argue this approach will be an increasingly important arrow in the defender’s quiver in a future where automated quarantine and remediation might be a significant way of keeping on top of threats in campus networks.
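To make the two ideas above concrete, the policy attributes listed earlier (user role, device type, MDM data, certificate status, location, day of the week and time of day, access medium) and the automated quarantine outcome, here is an added illustration of a context-based access decision. It is example code written for this post, not the code of any NAC product or of the author; the role names, device types, VLAN names, location tags and business-hours window are all constructed placeholders, and a real deployment would take these attributes from its RADIUS/802.1X, MDM and PKI integrations rather than from a dataclass.

```python
"""Context-based network access decision (illustrative, constructed example).

The same rule set is applied whether the device arrived over a wired port
or a wireless association; the medium is just one more attribute.
The decision is a VLAN assignment (constructed names) or quarantine.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Context:
    user_role: str                 # "staff", "contractor", "" when no user authenticated
    device_type: str               # "laptop", "phone", "printer", "camera", "hvac"
    medium: str                    # "wired" or "wireless"
    location: str                  # constructed tag, e.g. "bldg-a/sw3/port12"
    cert_valid: bool               # 802.1X certificate chained, in date and unrevoked
    mdm_compliant: Optional[bool]  # None when the device is not MDM-managed (e.g. IoT)
    when: datetime                 # time of the access request


@dataclass(frozen=True)
class Decision:
    allow: bool
    vlan: str
    reason: str


QUARANTINE = "vlan-quarantine"     # remediation segment: constructed name

# Which building/area prefixes each IoT device class is expected to appear in.
# Constructed values; in practice this comes from an asset inventory.
IOT_LOCATIONS = {
    "printer": ("bldg-a", "bldg-b", "bldg-c"),
    "camera": ("bldg-a", "bldg-b"),
    "hvac": ("plant",),
}

USER_DEVICES = ("laptop", "phone")


def business_hours(ts: datetime) -> bool:
    """Monday to Friday, 07:00 to 18:59 (assumed policy window)."""
    return ts.weekday() < 5 and 7 <= ts.hour < 19


def decide(ctx: Context) -> Decision:
    """Evaluate the context against the policy. Deny/quarantine rules run
    first so that a failing posture check cannot be overridden by a later
    allow rule."""
    if not ctx.cert_valid:
        return Decision(False, QUARANTINE, "certificate invalid or revoked")

    if ctx.device_type in USER_DEVICES:
        # User devices must be under MDM and reporting compliant posture.
        if ctx.mdm_compliant is not True:
            return Decision(False, QUARANTINE, "user device not MDM compliant")
        if ctx.user_role == "staff":
            return Decision(True, "vlan-staff", "staff on compliant managed device")
        if ctx.user_role == "contractor":
            if not business_hours(ctx.when):
                return Decision(False, QUARANTINE, "contractor outside business hours")
            return Decision(True, "vlan-contractor", "contractor within business hours")
        return Decision(True, "vlan-guest", "unknown role: internet-only segment")

    if ctx.device_type in IOT_LOCATIONS:
        # IoT: pinned to its own segment, wired only, and only where inventory
        # says a device of that class should be plugged in.
        if ctx.medium != "wired":
            return Decision(False, QUARANTINE, f"{ctx.device_type} must not be wireless")
        area = ctx.location.split("/")[0]
        if area not in IOT_LOCATIONS[ctx.device_type]:
            return Decision(False, QUARANTINE,
                            f"{ctx.device_type} seen in unexpected area {area}")
        return Decision(True, f"vlan-iot-{ctx.device_type}", "known IoT class in expected area")

    return Decision(False, QUARANTINE, f"unknown device type {ctx.device_type!r}")


if __name__ == "__main__":
    # 28 November 2016 was a Monday; 27 November a Sunday (constructed timestamps).
    monday = datetime(2016, 11, 28, 10, 0)
    sunday = datetime(2016, 11, 27, 10, 0)
    samples = [
        Context("staff", "laptop", "wireless", "bldg-a/ap7", True, True, monday),
        Context("contractor", "laptop", "wired", "bldg-b/sw1/port3", True, True, sunday),
        Context("", "camera", "wired", "bldg-a/sw3/port12", True, None, monday),
        Context("", "camera", "wireless", "bldg-a/ap7", True, None, monday),
        Context("", "hvac", "wired", "bldg-a/sw3/port14", True, None, monday),
    ]
    for c in samples:
        d = decide(c)
        print(f"{c.device_type:8} {c.medium:8} {c.location:20} -> {d.vlan:20} ({d.reason})")
```

The point to notice is that the camera and the laptop go through the same `decide` function: a CCTV DVR plugged into a wired port in the wrong building, or appearing on wireless at all, lands in the quarantine segment exactly as a non-compliant laptop does, and every decision carries a reason string that can be logged for the SOC.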

Nick Burrows