Enforcing Device Compliance at the Network Edge (Activity 2.2.1 “Implement C2C/Compliance Based Network Authorization Part 1”) 

We’re building a robust Zero Trust framework, establishing strong identities for users and non-person entities (NPEs) and gaining visibility into device health. Activity 2.2.1: Implement C2C/Compliance Based Network Authorization Part 1 controls access to the network itself based on the security posture of the connecting device. 

This activity elevates the importance of device compliance by requiring the Enterprise to refine policy, standards, and requirements for Comply to Connect (C2C). At the organization level it must implement and enforce compliance-based network authorization. This means putting the mechanisms in place to ensure that devices meet specific security criteria before or as they are granted network access. 

The outcomes for Activity 2.2.1 “Implement C2C/Compliance Based Network Authorization Part 1” are: 

  1. C2C is enforced at the Component level for all environments. 
  2. All mandated device checks are implemented using C2C. 

Ultimately, the end state goal for this activity is a foundational policy that underpins network access: A policy exists or is developed that dictates the need for all devices to be authorized, authenticated, and C2C compliant before connecting to the network. This represents a significant shift from allowing known users on a device to connect, to verifying the trustworthiness of the device itself as a prerequisite for network access. 

Solutions for Achieving Implement C2C/Compliance Based Network Authorization Part 1 

Implementing compliance-based network authorization requires a coordinated effort involving network infrastructure, identity systems, and endpoint security tools. Solutions focus on enforcing policy at the network access layer: 

  1. Network Access Control (NAC) Solutions: 
    • NAC is the primary technology for enforcing compliance-based network authorization. NAC solutions sit at the network edge (wired and wireless) and control device access based on policies. 
    • These solutions can profile devices, assess their compliance status by integrating with other security tools, and then grant, deny, or restrict network access accordingly (e.g., quarantine non-compliant devices). 
  2. Defining Compliance Policies and Mandated Device Checks: 
    • Establish clear enterprise-wide policies (refined by the Enterprise in this activity) that define what constitutes a “compliant” device. This includes mandated device checks based on security attributes identified in Activity 2.1.1 and assessed by tools. Examples of checks include: 
      • Up-to-date operating system and security patches. 
      • Presence and operational status of endpoint security software (antivirus, EDR). 
      • Disk encryption status. 
      • Specific configuration settings. 
      • Valid device certificate (from Activity 2.1.2). 
  3. Integration of Security Tools with NAC: 
    • This is crucial for the NAC to make informed compliance decisions. Integrate your: 
      • Enterprise IdP/IdAM solution: Provides device identity and authorization context. 
      • Endpoint Management (UEM/EM) tools: Report on device configuration, patch status, and compliance with management policies. 
      • Endpoint Detection and Response (EDR) / Device Posture Assessment tools: Provide real-time device health status, vulnerability information, and risk scores. 
    • The NAC solution consumes this data from these tools to assess the device’s compliance against the defined policies. 
  4. Implementing Enforcement at the Component Level: Deploy and configure the NAC solution to enforce the compliance policies at the network access points within each component environment.  
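As an added illustration (not part of the original activity text, and not any vendor's NAC logic), the decision step described in items 2 and 3 above, written as a small Python policy evaluator: it takes a device posture record assembled from UEM, EDR and PKI data, runs the mandated checks, treats a check the tools cannot answer as non-compliant, and maps the result to grant, quarantine or deny. The field names, the patch baseline and the sample devices are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Posture record as a NAC might assemble it from UEM, EDR and PKI feeds.
# Field names are assumptions for this example, not any vendor's schema.
@dataclass
class DevicePosture:
    device_id: str
    os_patch_level: Optional[str]       # UEM: "YYYY-MM" baseline; None = no record
    edr_running: Optional[bool]         # EDR: agent present and reporting
    disk_encrypted: Optional[bool]      # UEM: full-disk encryption enabled
    cert_not_after: Optional[datetime]  # PKI: device certificate expiry
    config_baseline: Optional[bool]     # UEM: mandated settings applied

MANDATED_PATCH_LEVEL = "2024-05"  # constructed enterprise baseline
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the samples

def mandated_checks(p: DevicePosture, now: datetime) -> Dict[str, Optional[bool]]:
    """Run every mandated check; None means the source tool gave no answer."""
    return {
        "patched": None if p.os_patch_level is None else p.os_patch_level >= MANDATED_PATCH_LEVEL,
        "edr_running": p.edr_running,
        "disk_encrypted": p.disk_encrypted,
        "cert_valid": None if p.cert_not_after is None else p.cert_not_after > now,
        "config_baseline": p.config_baseline,
    }

def authorize(p: DevicePosture, now: datetime = NOW) -> Tuple[str, List[str]]:
    """Map check results to a NAC action: grant, quarantine (remediation VLAN) or deny."""
    results = mandated_checks(p, now)
    failed = sorted(k for k, v in results.items() if v is False)
    unknown = sorted(k for k, v in results.items() if v is None)
    # No valid device identity: nothing to remediate on a quarantine VLAN, so deny.
    if results["cert_valid"] is not True:
        return "deny", failed + unknown
    # Fail closed: a check the tools cannot answer counts as non-compliant.
    if failed or unknown:
        return "quarantine", failed + unknown
    return "grant", []

# Constructed sample devices exercising each outcome.
_valid = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = {
    "compliant": DevicePosture("d1", "2024-05", True, True, _valid, True),
    "stale_patch": DevicePosture("d2", "2024-03", True, True, _valid, True),
    "expired_cert": DevicePosture("d3", "2024-05", True, True, datetime(2024, 1, 1, tzinfo=timezone.utc), True),
    "no_edr_data": DevicePosture("d4", "2024-05", None, True, _valid, True),
}
```

The returned list of failed or unanswered checks is what a NAC would hand to the remediation workflow or user notification described under "Handling Non-Compliant Devices".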

Key Items to Consider: 

  • Defining Clear and Enforceable Compliance Requirements: The success of C2C hinges on having well-defined and technically enforceable compliance policies that are relevant to your security posture. 
  • Integration Complexity: Integrating the NAC solution with disparate IdP, UEM, EDR, and other security tools across potentially varied component environments can be complex. 
  • Handling Non-Compliant Devices: Establish clear procedures for how non-compliant devices will be handled (e.g., quarantine, remediation steps, user notification). 
  • Network Infrastructure Compatibility: Ensure your existing network infrastructure (switches, wireless controllers) is compatible with the chosen NAC solution for effective enforcement. 
  • User Experience: Balance security requirements with user experience, providing clear communication and streamlined remediation processes for non-compliant devices. 

Relevant Technologies and Tools: 

Successfully implementing Activity 2.2.1 relies heavily on the interplay of several key technology categories: 

  • Network Access Control (NAC) Solutions: The core enforcement point at the network layer. Examples include products from Cisco, Aruba, ForeScout, and others. 
  • Enterprise Identity Provider (IdP) / Identity and Access Management (IdAM) Solutions: Provide the identity context for the device (if the device itself has an identity in the IdP, as per Activity 2.1.3) or the user of the device, and can be integrated with the NAC for authentication and initial authorization. 
  • Endpoint Management (EM) / Unified Endpoint Management (UEM) Tools: Manage device configurations, deploy security software, and report on compliance with management policies.  
  • Endpoint Detection and Response (EDR) / Device Posture Assessment Tools: Assess the real-time security health, vulnerabilities, and compliance of endpoints.  
  • Policy Orchestration Tools (Potentially): In complex environments, tools that can orchestrate policies and data exchange between the IdP, UEM, EDR, and NAC might be beneficial. 

The Technical Buyer’s Network Gatekeeper Mandate: 

Activity 2.2.1 is where you implement compliance as a gatekeeper for network access in your Zero Trust architecture. It’s about ensuring that every device connecting to your network meets a defined security standard. For technical buyers, success in this activity means selecting and implementing a robust NAC solution and effectively integrating it with your existing identity, endpoint management, and security posture assessment tools. This allows your NAC to make intelligent decisions about network authorization based on the trusted identity and verified compliance status of the connecting device. Achieving enforcement at the component level with all mandated checks implemented is a critical step in building a device-aware and policy-driven Zero Trust environment. 

Pillar: Device 

Capability: 2.2 Device Detection and Compliance 

Activity: 2.2.1 Implement C2C/Compliance Based Network Authorization Part 1  

Phase: Target Level 

Predecessor(s):  

  • 2.1.2 NPE/PKI, Device under Management 
  • 2.4.2 Managed and Limited Bring Your Own Device (BYOD) & IoT Support 
  • 2.5.1 Implement Asset, Vulnerability and Patch Management Tools, Partially & Fully Automated Asset 
  • 2.3.4 Integrate Next Generation Anti-Virus (NGAV) Tools with C2C 

Successor(s): 2.2.2 Implement C2C/Compliance Based Network Authorization Part 2 
