Compliance on a Budget – Some Network Monitoring is Better than None

Secure the Network

With businesses holding more data than ever before, the frequency of cyber breaches can only be expected to increase. Every business that handles personally identifiable data is subject to various privacy regulations and standards, such as US government privacy standards for health information (HIPPA), industry required standards for credit card transaction data (PCI-DSS), and voluntary standards for information security management (ISO 27001), etc.. Compliance often requires some form of network monitoring as both a best practice and security measure.  In this blog, we will pick the specific sections of these three standards and show how even a simple network access control device will satisfy these fundamental requirements.

The Health Insurance Portability and Accountability Act (HIPAA) establishes the standard for protecting sensitive patient data. Some people think this is a requirement limited to the Medical profession, however, any company that deals with protected health information (including their own employee’s data obtained in the course of normal Human Resources interactions)must be protected.  Entities must ensure that all the required physical, network, and process security measures are in place and enacted. Sections 164.306 and 164.312 set forth general rules for security standards and technical safeguards(key portions are underlined).

  • § 164.306 Security standards: General rules.
    (a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

§ 164.306 Security standards: General rules
A covered entity must, in accordance with the general rule:
(a) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have appropriately granted access rights.

Like many standards, the broad requirement lacks specific requirements for the level of protection required.  Instead, it relies upon the organization to implement the level of security appropriate for “reasonably anticipated” issues proportional to the volume and sensitivity of the data possessed by the organization.  A large hospital network will definitely be held to a higher standard for allowed access than a small business that uses self-insurance health plans.  However, both will be required to show what technology, policies and steps have been taken to “allow access only to those… appropriately granted access rights.”

The Payment Card Industry Data Security Standards (PCI-DSS) are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data. Objective 4 and Objective 5 set forth access control and monitoring requirements (key portions are underlined).

Objective 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know

7.1: Limit access to computing resources and cardholder information
only to those individuals whose job requires such access.

 Objective 5: Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data

Similarly to HIPPA, some proportionality in enforcement and expectations will be applied.  Large banks will be expected to have much higher standards for a Big Box retailer than the independent coffee shop down the street.  However, if they have a network that transmits their credit card data along with other data (register data, PCs, wi-fi, etc.) then they will be expected to be able to demonstrate how they “track and monitory all access to network resources” to “limit access…only to those individuals whose job requires such access.”

While a voluntary standard, ISO/IEC 27001 is the best-known standard for providing requirements for an information security management system. Thus, these standards often become the baseline or minimum requirements for SMBs who act as vendors for larger enterprises that are subject to more stringent compliance standards.  Section 9 addresses access control (key portions are underlined).

  1. 9. ACCESS CONTROL

9.1 Business requirements of access control
9.1.2 Access to networks and network services. Limit user access to the network and monitor use of network services.

As with the HIPPA and PCI-DSS standards, the fundamental requirement for compliance is to be able to demonstrate how the network is monitored and how access was limited.  So how is that requirement accomplished?

Many businesses, especially SMBs, face fines by not having the appropriate level of control of who and what is on the network. Although compliance is often a neglected priority, it isn’t getting any easier by waiting.

To begin with, today’s network environment constantly evolves in complexity. Endpoints are no longer strictly corporate-issued computers but also a largely unmanaged mix of personally owned devices. Along with your employees, people connecting to enterprise networks are contractors, service providers, partners, vendors and guests. And who knows what is on their devices!

As if BYOD isn’t challenging enough, we now have the Internet of Things (IoT). IoT devices are entering the enterprise at breakneck speed as employees plug in a wide array of ‘smart’ devices from TVs to coffee cups. The challenge is that most IoT devices are not designed with security in mind and are thus vulnerable to cyberattacks. Who know what these devices are up to!

Lastly, we have the malicious actor. In IT Security there’s an ever-looming threat of bad actors seeking to gain network access. Every device on the network is a potential point of entry for hackers to exploit in search of sensitive company and user information. Once inside, there’s no telling how much damage will be done – or how quickly!

At a time when knowing what devices are on the network and maintaining compliance has never been more important, it’s never been more difficult. Fortunately, there’s NAC. Network Access Control solutions are able to see which devices are connecting to the network and provide information regarding suspicious behavior or connections. By controlling access, organizations are able to keep rogue or compromised devices off of the network and meet a growing body of compliance standards and regulations.

NAC is an excellent tool to control and restrict access to network resources; however, it can be costly and complicated to deploy. Further, NAC technologies have evolved from basic device access authorization to Security Automation and Orchestration driven by mobility, cloud and virtualization trends. While large enterprises have the budgets and personnel sufficiently robust to welcome these advancements, for smaller offices and retail stores, a plethora of advanced features only becomes a fog of more. In choosing a NAC system, SMBs need to consider:

  • Cost – How much can you spend? Are you getting your money’s worth?
  • Network size – How many users share your network? How many subnets?
  • Form factor – Are you willing to install, configure and troubleshoot NAC software on a server or would a dedicated NAC appliance be best?
  • Administrative burden – How much time can staff members spare to deal with NAC?
  • Hardware fit – Will the NAC system work with the network?

Often, an SMB can barely find the time to consider the questions, let alone answer them – even with the help of their favorite MSP or VAR.  For these customers, they need a simple solution that tackles the fundamental requirements of compliance: monitoring and control.

Purposely designed for smaller organizations with limited IT resources or branch offices looking to manage remote devices and sub-networks, NetAttest LAP One provides just enough to get the job done within a reasonable budget. First, it is easy to deploy.  One simply plugs the hardware into one or two network segments and then manages the device from an easy-to-use interface.  The device then begins to detect and catalog the various devices that currently connect to the network via MAC address tracking.  This satisfies the requirement to monitor the network. To control the network the administrator has options to block or permit existing or new devices on the network.  Additionally, NetAttest LAP One offers flexible network access control with ARP Jamming to redirect requests for network access and provides continuous monitoring to automatically detect, analyze and control new devices on the network.  It can  automatically block unauthorized devices regardless of location, time-of-day or endpoint type.

Since the complexity of network security access continues to increase many smaller businesses have tried to avoid the issue.  However, with increasing regulation and the impact of non-compliance, one must do something to monitor and control the network.  Fortunately, the fundamental requirements are simple enough that even a modest investment can not only improve security, but also achieve the basic requirements for compliance.

 

For information about LAP One, please click here to download the data sheet.

 

Links:

PCI Quick Reference Guide. https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

HIPAA Survival Guide. http://www.hipaasurvivalguide.com/

ISO/IEC 27001:2013 Standard. https://www.iso.org/standard/54534.html