Securing Network Access Control
When our credit card bank failed a security audit, it was clear that “the usual” approach to network security compliance just wasn’t enough.
Credit First National Association (CFNA), the credit division of tire and rubber products manufacturer Bridgestone, is a federally chartered, limited-purpose credit card bank that issues credit cards to customers of Firestone Complete Auto Care Stores and independent dealers that have commercial relationships with Bridgestone America Tire Operations.
With a diverse IT environment and 700 network ports, we are required by the Office of the Comptroller of the Currency, an arm of the Treasury Department, to ensure the security of more than four million database records. At the same time, we must provide convenient wired access for our 200 users—a challenging balancing act.
CFNA’s environment included a legacy network access control (NAC) solution. When an auditor conducted an internal penetration test during a periodic check and was able to access the network in less than 10 minutes with just a laptop—easily bypassing the company’s NAC tool—our network administrators were shocked.
The team immediately began to search for a next-generation NAC solution that would prevent rogue devices from penetrating our network and provide our network administrators with a high degree of visibility and control.
Improving the end-user experience was also a priority for us. CFNA’s legacy NAC solution prevented our users from logging on while policy scans were completed—a process that sometimes took several minutes. It also forced users to call the help desk for remediation any time they failed a scan. Replacing this legacy software meant that we could deploy a solution that would simplify and speed user authentication and also deliver a self-service remediation process.
Improved Security and Visibility
After evaluating a number of alternatives, we chose Network Sentry from Bradford Networks. As an adaptive network security (ANS) platform, the product dynamically adapts to our changing security needs by responding automatically and securely provisioning network resources based on pre-established policies.
In addition, Network Sentry provides us with a view across all brands of equipment and devices so that nothing falls through the cracks. The ANS platform integrates and correlates our network resources and user and device information to make our networks both more secure and more accessible.
It took us just days to implement Network Sentry, and a follow-up penetration test quickly demonstrated the impenetrability of the network and the effectiveness of the new solution. In the second phase of deployment, we integrated the product with its BigFix patch-management system.
The rollout went so smoothly that our users didn’t even know it had occurred. When our IT team announced at a quarterly management meeting that the new solution had been up and running for several weeks—without affecting end-user productivity—the group received a round of applause from the executives.
Since deploying this solution, CFNA has achieved measurable benefits in security and usability. First, by authenticating all users and controlling access automatically, we have completely eliminated all rogue connections to the network. If an unauthorized user tries to connect to the CFNA network, our network administrators can see the attempt—including the location—immediately.
This increase in visibility and control saves time and resources for our network administrators, who can easily make configuration changes and monitor network ports and devices. In fact, administrative problems associated with the legacy NAC used to take as long as two hours each day to resolve, but now our team spends less than two hours each week administering the solution—reducing administration time by 80 percent.
At the same time, end-user satisfaction has increased significantly, thanks to a simplified remediation process and policy scans that are completed in seconds and are virtually invisible to our users. Since remediation can be accomplished automatically, the user experience has been improved, and remediation-related calls to our help desk have been reduced by 75 percent.
Equally important, CFNA can now ensure continuous compliance with the regulations set by the Office of the Comptroller of the Currency, and we feel confident that user and customer data is protected.
In the coming months, CFNA plans to deploy wireless access and will begin the conversion to voice over IP. Based on our success with Network Sentry so far, we will use it to secure those implementations as well.
Timothy Lynch Childress is the manager of network services at Credit First National Association.