
The Evolution from Network Access Control to Network Segmentation

Michael DeCesare, Chief Executive Officer and President | November 6, 2019

For the past 20 years, the principles of network access control have remained mostly the same.

Organizations would implement NAC in a super binary way. Devices were either allowed on the network or they were blocked. They either got corporate-level access or they were restricted to guest. Those were the options.

But the technology landscape changed in a big way, seemingly overnight. Internet of Things (IoT) exploded and the influx of devices coming online moved quickly beyond Windows and Linux. Many of these new IoT and operational technology (OT) devices were never built to run agents, which meant agent-based NAC no longer applied. Not being able to protect – or even see – these devices meant leaving your organization open for attack.

Going Agentless

The first major evolution of NAC was to go agentless. Forescout led this charge many years ago, where our vision was to offer the same enforcement and control principles to all devices – from corporate-owned computers to IoT devices to OT to the cloud. For this to work, the solution had to be agentless to truly be an enterprise-wide solution.

That was an immense technical challenge, but one that proved to be right in today’s connected world. Now, only approximately 25% of our 76 million devices under management are Windows or Linux. The very reason NAC was first built is only a quarter of the population of the devices that we see. Other vendors are recognizing these same trends and you’re starting to see Device Visibility & Control – as we now call it – gaining serious steam as a category.

Segmentation Brings It All Together

But the technology landscape has continued to change. Networks have become increasingly complex and interconnected across the campus, data center, cloud and OT environments, and the ability for organizations to put a defendable perimeter around themselves has dissolved.

These trends have prompted the next major shift to macro network segmentation. This is happening right now. Organizations want to adopt a Zero Trust model that assumes all devices are untrusted. The way to accomplish this is by implementing dynamic network segmentation. This means devices are grouped with devices of like type to restrict east-west traffic. The policies can then adapt if a device becomes compromised or less trusted, shrinking the number of systems it has access to until the device is cleared or blocked altogether.

The problem that organizations run into when they try to implement network segmentation is that the tools available only solve these challenges in pieces. Historically there hasn’t been a single product that can achieve their goals across the entire enterprise. The result is a fragmented environment that is inefficient and expensive, one that only gets more unwieldy for enterprises as they add millions of new devices and other technologies, like cloud. It’s no wonder most organizations today are still stuck with a large flat network that is vulnerable to breaches.

Network Segmentation for the Modern Network

Today Forescout launched eyeSegment, a cloud-based product that, when paired with the Forescout device visibility and control platform, can tell organizations what devices are on their network and what those IP addresses are communicating with. It turns that data into a logical taxonomy of users, applications, services, and devices across the entire enterprise – that’s the kind of deep granularity you need as a baseline for network segmentation.

From there, organizations can use logical business context to set policies and orchestrate them across enforcement solutions, like your next-generation firewall or SDN. In short, eyeSegment allows organizations to apply a dynamic Zero Trust approach across all environments and to all devices, with different policies for the computer at the front desk and the CEO’s laptop.

When devices step outside of those policies or normal patterns of behavior, eyeSegment flags them. For instance, if a security camera normally only talks to three specific servers in the data center and then starts dialing into something it normally wouldn’t (like the Internet), that deviation is flagged. It also lets organizations test those policies before they are put into action, meaning more effectiveness and less business disruption.
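The two mechanisms described above – grouping devices by type to restrict east-west traffic and shrinking a device's reach as its trust level drops, then flagging flows that fall outside the expected pattern – can be illustrated with a small policy evaluator. The following is an added example written for this post, not Forescout or eyeSegment code; the inventory, the per-type baselines, the trust tiers, the internal address range and the flow records are all constructed for the illustration, and the camera that only talks to three data-center servers is modelled directly from the paragraph above.

```python
"""Toy dynamic-segmentation policy check (added illustration, not vendor code)."""
from ipaddress import ip_address, ip_network

# Constructed internal address space; anything outside it counts as "the Internet" here.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]

# Constructed device inventory: ip -> (device type, current trust level).
INVENTORY = {
    "10.0.1.10": ("camera", "trusted"),
    "10.0.1.11": ("camera", "trusted"),
    "10.0.2.20": ("workstation", "trusted"),
    "10.0.3.30": ("server", "trusted"),
    "10.0.3.31": ("server", "trusted"),
    "10.0.3.32": ("server", "trusted"),
    "10.0.3.40": ("server", "trusted"),
}

# Constructed baseline per device type: destinations a healthy device of that type
# is expected to reach, most essential first. A camera needs only its three
# recorder/management servers, as in the post's example.
BASELINE = {
    "camera": ["10.0.3.30", "10.0.3.31", "10.0.3.32"],
    "workstation": ["10.0.3.40", "10.0.3.30"],
    "server": [],
}

# How each trust tier shrinks the baseline: None = whole list, N = first N entries.
TRUST_LIMIT = {"trusted": None, "restricted": 1, "quarantined": 0}


def allowed_destinations(src_ip, inventory=INVENTORY, baseline=BASELINE):
    """Destinations a device may reach given its type and current trust level."""
    dev_type, trust = inventory[src_ip]
    full = baseline.get(dev_type, [])
    limit = TRUST_LIMIT[trust]
    return set(full if limit is None else full[:limit])


def is_internal(ip):
    """True if the address falls inside the constructed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def evaluate_flow(src_ip, dst_ip, inventory=INVENTORY, baseline=BASELINE):
    """Return 'allow' or a 'deny:<reason>' string for one observed flow."""
    if src_ip not in inventory:
        return "deny:unknown-source"        # no visibility means no policy to apply
    if not is_internal(dst_ip):
        return "deny:internet-egress"       # the camera "dialing into the Internet" case
    if dst_ip in allowed_destinations(src_ip, inventory, baseline):
        return "allow"
    return "deny:outside-segment"           # east-west traffic across segment boundaries


def set_trust(inventory, ip, level):
    """Return a copy of the inventory with one device's trust level changed."""
    if level not in TRUST_LIMIT:
        raise ValueError(f"unknown trust level {level!r}")
    updated = dict(inventory)
    dev_type, _ = updated[ip]
    updated[ip] = (dev_type, level)
    return updated


def audit(flows, inventory=INVENTORY, baseline=BASELINE):
    """Evaluate a batch of (src, dst) flows and return only the ones to flag."""
    flagged = []
    for src, dst in flows:
        verdict = evaluate_flow(src, dst, inventory, baseline)
        if verdict != "allow":
            flagged.append((src, dst, verdict))
    return flagged


# Constructed flow records, as a NetFlow/IPFIX collector or span port might yield.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.3.30"),    # camera -> recorder: normal
    ("10.0.1.10", "10.0.2.20"),    # camera -> workstation: outside its segment
    ("10.0.1.10", "203.0.113.5"),  # camera -> Internet: unexpected egress
    ("10.0.2.20", "10.0.3.40"),    # workstation -> file server: normal
    ("10.0.9.99", "10.0.3.40"),    # device not in inventory: flagged for lack of policy
]

if __name__ == "__main__":
    for record in audit(SAMPLE_FLOWS):
        print("FLAG", *record)
    # The camera misbehaved, so shrink its reach: only the primary recorder remains.
    restricted = set_trust(INVENTORY, "10.0.1.10", "restricted")
    print(sorted(allowed_destinations("10.0.1.10", restricted)))
```

The design choice worth noting is that trust is a per-device attribute layered on top of a per-type baseline: lowering a device's trust never edits the baseline, it only narrows how much of it applies, so access can be restored by resetting the trust level once the device is cleared. The denial reasons are kept distinct because an unknown source, an Internet egress and a cross-segment hop call for different responses in practice.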

This is what true network segmentation should look like, with the ability for organizations to roll it out enterprise-wide across the campus, data center, cloud and OT. It’s finally giving CISOs the ability to stop lateral threat movement in its tracks, all in a way that’s built around an open, heterogeneous network environment.

Forescout is in a unique position to make this happen. We were there for the first iteration of NAC, back when it was only about binary control. We drove the agentless transformation and now we are putting our stake in the ground around network segmentation as the future.

Excited to launch eyeSegment today. It’s going to change the way we help CISOs solve their biggest problems in security.
