December 09, 2008, 1:37 PM — Cosmetics company Estee Lauder is relying in part on NAC technology to meet regulations imposed on it by the payment card industry (PCI) and the Sarbanes-Oxley law.
Specifically, the US$7 billion firm with more than 25,000 employees worldwide is using the security technology to meet PCI requirements to regularly update antivirus software and to develop and maintain secure systems and applications.
The company also faces Sarbanes-Oxley requirements that call for verification of policies, access-control assessment, audit capabilities and mitigation of shortcomings based on risk profiles, says Les Correia, senior manager of global enterprise security for the company.
In addition, Estee Lauder is in the midst of an internal initiative to increase the security posture of the Estee Lauder network as a whole. The company has more than a dozen network hubs worldwide that includes divisions acquired from other companies. These hubs had been allowed to run their networks as they saw fit, but now corporate security standards are being imposed, and NAC is playing its role, Correia says.
"We've got a whole bunch of consultants coming in and out and retail stores, people in the field," he says. "We wanted to better manage our security posture."
That concern led the company to buy StillSecure Safe Access NAC gear in 2006. Last year the company reevaluated Safe Access against Cisco and Bradford NAC gear as it launched its global security upgrade. Ultimately, it decided to stick with Still Secure without testing equipment from the other two vendors, Correia says. (Compare NAC products.)
"We were familiar with the vendor. We knew how nimble they were," he says, and Estee Lauder had done a bakeoff comparing different vendors' NAC gear before its initial buy.
Upgrades in the meantime gave Safe Access more centralized management tools and a way to assign different management rights to different IT groups - those who can set the NAC policies, those who do help desk work, security administrators.
The company is considering use of 802.1x authentication in parts of its network and liked that StillSecure supports the technology as an enforcement mechanism, Correia says.
Safe Access checks whether machines have critical operating system updates as well as antivirus software that is turned on and updated to meet standards.
For regulatory compliance, the company likes the reporting that the NAC gear provides because it tracks who accesses what, by what machine and whether that machine is compliant, he says.
The rollout of NAC to all company employees is ongoing, with deployment to sites in the Americas nearly complete, he says. The company is coordinating with sites in Europe and Asia to prepare them for the installation. "Historically, we let those companies work independently, if you will," he says. So imposing a global security policy like NAC requires some groundwork and diplomacy.
Estee Lauder is also coordinating downtimes that the deployment will cause to coincide with deployment of other network upgrades, including the implementation of SAP, Correia says.
The firm already used NAC to check the machines used by about 3,000 consultants that needed network access.
Scanning machines takes about 30 seconds each, and Estee Lauder uses all three options offered for doing that: a full NAC client, downloadable agents and clientless. For all company-managed machines, it uses the full client because that creates a single deployment method that is relatively simple to carry out. The client has become part of the standard-issue desktop software image, Correia says.
Users' attempts to acquire an IP address are intercepted by the StillSecure server, the machines are scanned and if they are compliant, the NAC server does an IP renew on behalf of the client, he says. The scan is repeated periodically after machines have been admitted to the network.
If a machine fails compliance, the NAC gear displays on the user machine a message about how to remediate the problem.
The NAC has been turned on first in monitor mode to set a baseline for compliance, and warning users to bring their machines into compliance. NAC is finding users who have turned off their antivirus software.
NAC acts as a backup confirmation of other tools, such as McAfee's ePolicy Orchestrator server, which pushes antivirus updates and gathers security data. In return, ePolicy Orchestrator can report shortcomings that it finds to the StillSecure gear, which can then quarantine offending machines until they are fixed to meet requirements, he says.
"We can use Safe Access to validate against our other validation tests," he says.
