Comments on Ogren Group Security Vibes: NAC and VDI work well together
Blog author: Eric Ogren (http://www.blogger.com/profile/12401647238457809070)
Feed last updated: 2023-07-13T06:46:05.437-04:00

Comment by Anonymous, 2013-03-20T14:51:45.903-04:00:

I like Eric's commentary as it relates to NAC being a complementary control and a control enabler. NAC has real-time visibility to BYOD devices, which are unmanaged, and to corporate-managed devices, where host-based controls are often inactive, out-of-date, corrupt or non-existent. In both cases, the corporation is blind to the actual security and management posture of the device. NAC can not only assess and remediate the endpoint, but can initiate enrollment to an application or a process based on applying policy against captured attributes. The assumption of better security with VDI systems, and that there would be no effect on user experience for remediation, is not the case with enterprises we have worked with. A policy violation triggering an action would be similar for VDI and non-VDI endpoints - and such actions are still pre- and post-network admission. There is also the presumption that all NAC enforcement needs to be disruptive - this too is not the case, and NAC enforcement / quarantine options and flexibility vary by vendor. I agree with JBrown's comments (yes, we are both from NAC vendors). There is plenty of commentary on VDI security (read recent blog commentary by Andrew Wood and Mike More). "With VDI or any remote terminal you don't know what is wrapped around the remote access and what it can do, and that also needs to be considered in the arguments on security." So if you have a rooted BYOD device and then initiate a VDI session... are you ok? Net net... we are back to a layered model... control application by use case and consequence.

Comment by Eric Ogren (https://www.blogger.com/profile/12401647238457809070), 2012-02-20T17:11:54.472-05:00:

Good point - it is not perfect, but at least the user can get work done.

Comment by jbrown@stillsecure.com (http://www.stillsecure.com), 2012-02-15T15:15:42.981-05:00:

I agree with your concept: it's a clever idea. I think it's a great way to allow commercial entities to use guilty-until-proven-innocent NAC while ensuring that productivity is minimally impacted when endpoints are quarantined.

One thing to point out, however, is that VDI will not be a clone of your normal desktop in most cases. Likely your normal desktop will have some local apps or files not stored in VDI, and being forced into VDI by NAC will mean you will temporarily lose access to that data and those capabilities.

The more cloud-leveraged environments will see far less impact, of course. I would expect some impact on productivity in any case, but it is still a far better option than losing network access entirely.