Hadassah Medical Center launches next-gen NAC to address BYOD

“IT defenses need to evolve to address the changing risk landscape and user behavior,” said Bob Tarzey, analyst and director at security research firm Quocirca. “NAC has played an important role for a number of years policing what devices are allowed on a network and that their configuration meets required policies. NAC is also now recognized as a key technology to manage the unstoppable trend for users to access a business's IT resources with their own devices.”

Hadassah Medical Center is a keystone customer for ForeScout. Founded in 1934, the Center is one of the largest medical complexes in Israel. It includes two university hospitals in Jerusalem, at Ein Kerem and Mount Scopus. The center employs 7,000 people, runs an internal wired and wireless network for employees with nearly 10,000 network-connected devices, and also houses a wireless guest network for patients and visitors.

As with hospitals everywhere, securing patient medical records is a top priority and a key driver in shaping technology policies, staff told Infosecurity. The IT team noticed that more and more doctors and researchers were bringing in their personal smartphones and tablets and trying to connect them to either the hospital’s internal Wi-Fi network, or the public guest Wi-Fi.

While the safest way to handle the phenomenon would be a network policy prohibiting those devices from connecting to either network, the enhanced productivity and patient care that a BYOD approach would bring drove the hospital to find a solution that balanced security and mobility.

The biggest fear of Barak Shrefler, chief information security officer (CISO) at the hospital, was that mobile devices could become the weakest security link and a prime vector for introducing a virus or vulnerability into the medical center’s network. So one of the requirements was that if a user’s personal device becomes compromised, the system must be able to spot this before it connects to the corporate network. Specifically, Shrefler wanted a system that gave him insight into access and control spanning the network, device, user, application and data layers. He needed to know instantly who and what systems were on his network and be able to automatically block unauthorized users, or authorized users engaging in risky or suspicious behavior. Additionally, it was important to disable screen captures and cameras so that patient records would stay protected.

As personal devices, however, they needed to be fully functional for the owner’s or physician’s own use at the same time.

The hospital settled on ForeScout’s CounterACT platform, which gave the team visibility, via a comprehensive tactical map, of every endpoint connected to the network, to whom each device belonged and the activity each device was engaged in. For example, if a doctor wanted to use a mobile device for an activity such as downloading music or accessing Dropbox, which isn’t allowed on the internal wireless network, he or she would often disconnect from the internal network and connect to any available public or unsecured Wi-Fi to complete the task. Today, if such a wireless hop occurs, CounterACT immediately blocks the device’s access to all networks and then alerts the IT team to the issue. The IT team then identifies the user and, if necessary, tracks them down to investigate why hospital policy is being violated.

“We have three campuses and previously if something was wrong on the network, we didn’t know it until users called to alert us,” said Shrefler. “Now with the tactical map, we can see which campus is having an issue. If it’s a BYOD device, we can click on the map to get all the details of the incident and dispatch a security team member to the site if needed.”

Also, when a new device is brought onto the medical center’s network, it is automatically checked for compliance with anti-virus and current security certifications. It is also analyzed to make sure it doesn’t have any cloud storage services such as Dropbox that would allow files to be easily sent outside the network, or have Bluetooth enabled, since Bluetooth is seen as a weak spot and a preferred method for attackers to access and compromise networks.
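As an added illustration (not ForeScout's code or the hospital's actual configuration), the onboarding checks described above and the wireless-hop rule from the earlier paragraph, modelled as a small posture-policy evaluator that returns a block/allow decision plus the violations to alert on; the SSID name, app names and device records are constructed:

```python
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not the hospital's real settings).
BLOCKED_APPS = {"dropbox"}           # cloud storage services that are not allowed
INTERNAL_SSID = "hospital-internal"  # the employee Wi-Fi network


@dataclass
class Device:
    mac: str
    owner: str
    antivirus_running: bool
    installed_apps: set = field(default_factory=set)
    bluetooth_enabled: bool = False
    ssid_history: list = field(default_factory=list)  # oldest first, newest last


def wireless_hop(history):
    """True if the device left the internal SSID for any other network."""
    return any(prev == INTERNAL_SSID and cur != INTERNAL_SSID
               for prev, cur in zip(history, history[1:]))


def evaluate(device):
    """Apply the article's checks; any violation blocks the device."""
    violations = []
    if not device.antivirus_running:
        violations.append("no anti-virus")
    present = BLOCKED_APPS & {app.lower() for app in device.installed_apps}
    for app in sorted(present):
        violations.append(f"cloud storage app: {app}")
    if device.bluetooth_enabled:
        violations.append("bluetooth enabled")
    if wireless_hop(device.ssid_history):
        violations.append("wireless hop off internal network")
    return ("block" if violations else "allow"), violations


def alert_line(device, decision, violations):
    """One line for the IT team's alert feed / tactical map."""
    detail = "; ".join(violations) or "compliant"
    return f"{decision.upper()} {device.mac} ({device.owner}): {detail}"


if __name__ == "__main__":
    # Constructed sample devices.
    devs = [
        Device("aa:bb:cc:00:00:01", "dr_cohen", True, {"Epic"}, False, [INTERNAL_SSID]),
        Device("aa:bb:cc:00:00:02", "dr_levi", True, {"Dropbox"}, True, [INTERNAL_SSID, "cafe-free"]),
    ]
    for d in devs:
        print(alert_line(d, *evaluate(d)))
```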

“BYOD is not something that IT departments can ignore; it’s inevitable,” said Shrefler. And in that spirit, he said, the Medical Center is moving from allowing BYOD to embracing it. “In fact we are now working on an iOS app that will allow doctors more access to patient data via their iPads, which will help us improve patient care,” he said.

The implementation at Hadassah illustrates the idea behind the new product, which is simply to make it easier to deploy, manage and scale network access control, ForeScout said, so that enterprises and government agencies can achieve continuous network access and endpoint compliance without impacting the user experience.

“ForeScout's CounterACT 7.0 makes the job of securing BYOD easier as it supports both 802.1X and agentless NAC to discriminate between managed, unmanaged and non-compliant devices for smartphones and tablets, as well as PCs,” Tarzey said.

The company has also built in functionality for easier management. By offering a built-in RADIUS service, a RADIUS proxy and agentless authentication, ForeScout CounterACT lets IT managers deploy NAC more quickly and thoroughly, including in locations where the network infrastructure does not, cannot or would take time to support 802.1X device authentication.

Meanwhile, advanced search capabilities give IT managers the ability to slice and dice security and operational data to locate and report on device types, operating systems, applications, violations and important mobile attributes such as rooted smartphones and tablets, or rogue wireless access points. A new tactical map provides an at-a-glance view of site compliance and issues, along with the ability to drill down to investigate and remediate problems. Operators can see vitals on thousands of devices and gain situational awareness by location, device type, violation or business unit. Finally, it includes comprehensive monitoring of an organization’s endpoint security posture.

The need for advanced NAC-based security will continue to be particularly critical in first-adopter verticals, like healthcare, where BYOD tablets and smartphones used over the Wi-Fi network have become invaluable tools for doctors and other staff. “For any health institution, patient care is paramount,” explained Steve Orman, director of IM&T at NHS Royal Surrey County Hospital. “IT must enable clinicians to take advantage of the latest technologies that can best serve the patient, often supporting both hospital-provisioned and personal devices, but mindful of protecting sensitive information.”