Device network access in a Zero Trust world

Achieving Zero Trust for an organisation requires several different solutions all working together dynamically, and modern network access control (NAC) approaches have a key role to play.

Device network access in a Zero Trust world

Achieving Zero Trust for an organisation requires several different solutions all working together dynamically, and modern network access control (NAC) approaches have a key role to play.

Natalie Walker
Natalie WalkerPortfolio Director, BT Security, Business

Since its inception in 2019, the concept of ‘Zero Trust’ has become a guiding principle for many cyber-security practitioners.

In an Executive Order on 12 May 2021, the United States government specifically called on federal agencies and their suppliers to ‘modernise [their] approach to cybersecurity’ by accelerating the move to secure cloud services and implementing a Zero Trust architecture

When many people think of NAC, they often only think about perimeter security, leading to questions about its continued relevance in Zero Trust network environments. However, NAC solutions have evolved to support many of the capabilities that are essential to a dynamic Zero Trust architecture – and have a critical role to play in helping organisations on their Zero Trust journey.

The complexity behind ‘Zero Trust’

According to the US National Institute of Standards and Technology (NIST) Special Publication 800-207, “Zero Trust is not a single architecture, but a set of guiding principles for workflow, system design and operations”.

As with many IT concepts, a single phrase such as ‘Zero Trust’ brings with it a range of interlinked challenges, projects and other considerations. Most security vendors today can justifiably link their solutions to Zero Trust, and there are numerous lists of the ‘top 10 Zero Trust security solutions’ on the internet.

As humans we like easy fixes, so it’s in vendors’ interests to simplify a problem to a single solution that can answer all the customer’s security challenges.

However, the problem with this ‘silver bullet’ approach is that it ignores the real and messy environments that all organisations need to navigate. No single vendor can achieve Zero Trust for an organisation as it requires several different solutions all working together dynamically.

Plus, many experienced chief information security officers (CISOs) see Zero Trust as an aspirational goal that is several years away and not a one-off solution. What’s critical is to make technology decisions now that will move you along the Zero Trust pathway, while avoiding decisions that will force backwards steps later on.

The addition of Internet of Things (IoT), Internet of Medical Things (IoMT) and Operational Technology (OT) devices has also increased the challenge, because it’s impossible to control many of these devices using traditional agents and authentication processes.

NAC evolution

NAC as a concept is great: prevent unauthorised access to your networks by controlling who and what can access it. However, many organisations have struggled to roll out traditional NAC solutions, finding projects extremely time-consuming, with lower-than-expected return on investment and unwelcome user friction. This meant many organisations decided NAC projects were too difficult.

Additionally, many have thought NAC is only about perimeter security and have argued that NAC solutions aren’t relevant as we move towards a Zero Trust world.

However, modern NAC solutions have evolved significantly since the days of the 802.1X network authentication protocol, and all the challenges that go with managing clients, certificate trusts and insecure bypass lists.

Modern approaches to NAC don’t need 802.1X (except for wireless) and go beyond simplistic perimeter policing. Today, NAC solutions focus on continuous device visibility and identification, posture assessment and compliance. They tackle control across all types of networks (wired, wireless, cloud) and all types of devices (IT, Enterprise IoT, Industrial IoT, and Medical IoT). They also support integration between multiple different security vendors.

These capabilities are all essentials for a dynamic Zero Trust architecture.

Reassessing NAC solutions

Another benefit of modern NAC solutions is that they support a defence-in-depth strategy. They enable a Zero Trust policy with an enforcement point at the edge of the network, so can limit the lateral spread of a threat. For example, network edge enforcement can prevent cyber attackers from using a compromised IoT device to move laterally into a device with more privileged access to key resources.

It’s time to reassess how you see NAC solutions. Look for:

  • The ability to discover all devices on your network – not just those associated with a human user.
  • Continuous visibility and device control.
  • Orchestration of security controls across multiple vendor solutions.


Continuous detection and control are essential to Zero Trust

When we look more closely at definitions of Zero Trust, we can see where modern NAC solutions fit in.

The NIST Special Publication, published in August 2020, established an abstract definition of Zero Trust and Zero Trust Architecture (ZTA). While targeted at US federal agencies, the publication also documented general deployment models, use cases and a high-level roadmap for implementing a ZTA approach for enterprises.

It also developed seven key tenets of Zero Trust. The seventh tenet states: “The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.”

It’s clear that in order to do this, some ability to continuously detect and control devices and assets connecting to the network is needed.

Choosing a platform for your Zero Trust journey

When considering which device management solution to choose to support your Zero Trust strategy, look for a platform that can automate the discovery and classification of all IP-connected devices, as well as continuous risk and posture assessment. This continuous situational awareness will allow you to automate the enforcement of dynamic least-privilege access policies based on user, device, connection, posture and compliance – a key element of a Zero Trust approach.

Forescout solutions are an effective route to achieving this. In fact, NIST’s National Cybersecurity Center of Excellence (NCCoE) ‘Implementing a Zero Trust Architecture Project’ selected the Forescout platform to help shape and build Zero Trust design.

Implementing your end-to-end modern NAC solution

BT is a Forescout Global Platinum Partner, and we recently added support for the Forescout EyeExtend module to our managed service. This means we can support the end-to-end Forescout platform through our Security Operations Centres and service wrap – helping you to secure your end-to-end digital environment.