In the world of zero trust networking, organizations are asking how a zero trust approach fits in with their network access control (NAC) strategy. Here are some thoughts on what you should be considering as you navigate zero trust and NAC.
Concepts vs. products
The first major difference between zero trust and NAC is that zero trust is a concept, or trust model, for information security, whereas NAC is a specific product category. Although there are different types of NAC products today, the market has settled down considerably, and they all operate within a relatively narrow scope of enforcement and features compared to ten years ago.
The many flavors of zero trust architectures
Before we continue, let's untangle the co-mingling of zero trust as it relates to network and application access versus access between virtualized hosts. Although conceptually the same - the goal of zero trust being to move from an implicit to more granular explicit authorization - the execution, products, and vendors are very different for network-based technologies than for virtualized environments (whether they be on-prem, in cloud, or hybrid).
For today's discussion, we're focused on the former - the technology that would/could replace (or enhance) traditional network-based NAC products for identification and authorization of users and endpoint devices in your environment. We'll leave the other topic for another day.
Implicit vs explicit authorization
The model of a zero trust architecture is to "verify then trust" versus the more common approach of NAC with the "trust but verify" sequence. While - yes - some NAC implementations do offer a "verify then trust" model, the next step after trust is typically an implicit authorization to a network or networks, which is exactly what zero trust security tries to avoid.
Network-based vs. application-based enforcement
Strictly speaking, in a perfect world a zero trust approach includes a trust model that grants a user (or device) only the specific access to the resources needed for each task. That's a tall order with the technologies we have today, and traditional NAC vendors all fall short here, even with the holy grail that is microsegmentation. At best, with NAC we're doing identification and authentication of a device and/or user, and then giving it some level of access at network layer 2 or 3. Contrast this with a zero trust solution performing the same (or more extensive) identification and authentication, but with the added ability to control resource access all the way up through the application layer.
One of the reasons secure access service edge (SASE) solutions fit so well with zero trust strategies is their ability to make very granular authorization decisions for a user or device based on myriad contextual elements (who, what, when, where, how).
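To make the contrast concrete, here is an added example (not from the original article) that models both decision paths in Python: a NAC-style check that authenticates once and then inherits everything reachable on the assigned VLAN, and a zero trust check that evaluates every request against a per-application policy built from who/what/when/where/how. The users, groups, applications and policies are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str               # who
    device_compliant: bool  # what: endpoint posture reported by the agent
    hour: int               # when (0-23)
    location: str           # where: "office", "home", "cafe", ...
    protocol: str           # how: "tls", "plain", ...
    app: str                # which resource is being requested

# Constructed sample directory: the groups each user belongs to.
GROUPS = {"alice": {"hr"}, "bob": {"finance"}}

# NAC model: after authentication the endpoint is placed on a VLAN, and
# everything reachable from that VLAN is implicitly authorized. The
# per-application question is never asked again.
VLAN_REACHABLE = {"corp": {"hr-portal", "finance-db"}, "guest": {"internet"}}

def nac_authorize(req: Request, authenticated: bool) -> bool:
    if not authenticated:
        return False
    vlan = "corp" if req.device_compliant else "guest"  # posture selects the VLAN
    return req.app in VLAN_REACHABLE[vlan]              # layer 2/3 reachability

# Zero trust model: authentication is only the entry ticket; every request
# is checked explicitly against a per-application policy built from the
# who/what/when/where/how context, and anything not covered is denied.
ZT_POLICY = {
    "hr-portal":  {"groups": {"hr"}, "locations": {"office", "home"},
                   "hours": (7, 20), "protocols": {"tls"}},
    "finance-db": {"groups": {"finance"}, "locations": {"office"},
                   "hours": (8, 18), "protocols": {"tls"}},
}

def zt_authorize(req: Request, authenticated: bool) -> bool:
    policy = ZT_POLICY.get(req.app)
    if not authenticated or policy is None or not req.device_compliant:
        return False  # default deny: unauthenticated, unknown app, or bad posture
    start, end = policy["hours"]
    return (bool(GROUPS.get(req.user, set()) & policy["groups"])
            and req.location in policy["locations"]
            and start <= req.hour < end
            and req.protocol in policy["protocols"])

def compare(req: Request, authenticated: bool = True) -> tuple:
    """Return (nac_decision, zero_trust_decision) for the same request."""
    return nac_authorize(req, authenticated), zt_authorize(req, authenticated)
```

Running `compare(Request("alice", True, 10, "office", "tls", "finance-db"))` returns `(True, False)`: NAC lets the HR user reach the finance database simply because her compliant laptop landed on the corp VLAN, while the zero trust policy denies it because she is not in the finance group.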
Managing users on-prem vs. remote
The next bugaboo with NAC is its limited ability to control resource access for remote users and devices. Our current network-based NAC products are designed to control access at the point of (managed) network connection - that could be a wired port in the facility, a corporate wireless SSID, or a remote access VPN into the organization. But then, that's it. Traditional NAC products weren't designed to manage and control connections from endpoints floating out and about on the internet as people travel or work from home.
The conversation could again turn towards SASE and the features that swirl around it - SD-WAN, CASB, and SWG specifically. However, certainly not all organizations have moved to a 100% remote workforce, meaning there's still a need to secure access to internal resources when a user is in the office. This reality makes traditional NAC a still-attractive offering, and is an area SASE will need to continue developing.
Can NAC products play a role in a zero trust strategy?
Yes, absolutely - but with some caveats. If your NAC-based zero trust strategy relies on microsegmentation, know that it's not really the holy grail it's touted to be, and among other limitations it's not the easiest architecture to implement. As we just mentioned, there's still a place in the world for traditional NAC for organizations with a primary focus on on-prem security. Plus, in recent years most NAC vendors have bolstered their endpoint agents and are heading towards the type of granular control organizations will want in a zero trust network.