Issue 1

Introduction

‘By 2023, more than 30% of enterprise networks will implement a virtual segmentation strategy, which is a major increase from fewer than 1% in 2019.

Through 2023, enterprises that isolate/segment their campus network devices will experience 25% fewer successful cyberattacks.’ 1

The introduction of IoT devices on corporate networks is presenting new challenges for organizations in terms of enterprise security. Corporate devices have been governed by policies and processes that control the enterprise environment. Nonetheless, the advent of the Internet of Things (as much as it has been useful and tremendously efficient for the development of organizations) has presented a new scenario. “A Gartner Wired and Wireless LAN Access Infrastructure customer survey noted that 80% of IT organizations found devices on their network that they had not deployed”.2 Given this scenario, throughout this report infrastructure leaders will find that, by creating and developing the following processes for their corporate networks, companies are likely to experience fewer successful attacks:

• A certification process for all connected devices.

• Risk categories for devices to successfully segment and isolate devices.

• A segmentation strategy for segmented and isolated devices across multivendor campus networks.

The process described in this report for the creation of a cross-functional team to develop device certification processes is extremely valuable to mitigate the risk of security breaches. What we believe you will find extremely helpful and actionable is the list of a minimum of four risk categories in which devices should be placed to identify devices once they are connected to the enterprise infrastructure. This is a simple recommendation that is easily implemented but has a huge impact on how you will be able to manage the risk presented by IoT to your organization moving forward.

It is exciting for our partners and our team to be part of the investigation and creation of new security paradigms for the new era of corporate networks, clearly influenced by the irruption of IoT devices. That is why we strongly recommend a deep read of the following Gartner report to lay the foundations of segmentation to mitigate potential risks involving devices connected to the enterprise network. At the end of the report our team will lay out some clear next steps to make the information actionable for you and your teams.

Enjoy the read. We are sure it will help you and your teams.

Albert Estrada

Managing the Risk of Devices on the Corporate Network: Segmentation or Isolation

1-2 Gartner Inc., Segmentation or Isolation: Implementing Best Practices for Connecting ‘All’ Devices, 26 September 2019, G00388335

Introduction 1

Research from Gartner Segmentation or Isolation: Implementing Best Practices for Connecting ‘All’ Devices 2

Creating a Certification Process For All Devices 7

Segment or Isolate Devices by Creating and Implementing a Minimum of Four Device Risk Levels 8

A Virtual Segmentation Architecture for Implementing a Segmented and Isolated Strategy for Devices Across Multivendor Campus Networks 9

About Open Cloud Factory 10


Segmentation or Isolation: Implementing Best Practices for Connecting ‘All’ Devices

Research from Gartner

A wide range of new devices are being connected to enterprise networks, often without official knowledge or authorization. Infrastructure and operations leaders must establish categorization, segmentation and isolation policies to avoid disaster.

Key Challenges

• In a Gartner customer survey, 80% of IT organizations noted they had found Internet of Things devices on their networks that they did not install, secure or manage.

• Internet-connected devices on enterprise networks can be hacked in as little as three minutes, and breaches may take six months or more to discover.

• The lack of standards for isolating or segmenting devices on multivendor campus networks makes deploying a strategic framework for all devices difficult.

Recommendations

Infrastructure and operations leaders deploying cloud and edge solutions with devices including IoT endpoints should:

• Create a certification process for “all” devices, written by a cross-functional team, before any device is connected to the enterprise network.

• Segment or isolate devices by creating and implementing a minimum of four device risk categories.

• Architect a virtual segmentation strategy for segmented and isolated devices across multivendor campus networks.

Strategic Planning Assumptions

By 2023, more than 30% of enterprise networks will implement a virtual segmentation strategy, which is a major increase from fewer than 1% in 2019.

Through 2023, enterprises that isolate/segment their campus network devices will experience 25% fewer successful cyberattacks.

Introduction

In many ways, the introduction and discovery of Internet of Things (IoT) devices on campus networks are creating an environment that is out of control. When IT had to worry only about corporate devices, we slept easier, because we created processes and policies that provided control of the environment. The first sign of problems was the introduction of bring your own device (BYOD) initiatives, but guest access application and policies quickly quelled that. However, IoT devices have been silently connecting to the network; and in some situations and vertical markets they have been there for many years. Some studies show as much as 30% of undiscovered devices on campus networks, and many are deployed by other organizations, such as facilities management or a line of business (LOB). A Gartner Wired and Wireless LAN Access Infrastructure customer survey noted that 80% of IT organizations found devices on their network that they had not deployed.1

When video surveillance cameras and heating, ventilation and air conditioning (HVAC) — as well as LOB devices, such as medical or point of sale (POS) devices — are vulnerable to some type of security breach, the door to the network is open. This research outlines a framework that organizations must deploy, not only to control IoT devices, but to reinforce the ability to control all devices that connect to the campus infrastructure, whether they are wired or wireless.

Analysis

Create a Device Certification Process for All Devices Passed by “Every” Device

Networking is not a core competency for manufacturers of the devices that LOB or building automation organizations are looking to connect to the network. IT must take the lead and educate the entire organization on the risk. In one research report, it was reported that 39.3% of publicly reachable building automation system (BAS) devices, such as HVAC programmable logic controllers (PLCs) or access control PLCs, were vulnerable.2 Additionally, the same research found that over 90% of publicly reachable IP cameras were also vulnerable.

Many IT organizations already have standard practices for approving new laptops, tablets, and smartphones used for worker productivity. This practice doesn’t often extend past these standard endpoints into the world of IoT.

Gartner recommends that IT creates and leads a cross-functional team that writes a preconnection device testing policy for all devices that will be connected to the campus network.

Managing the Risk of Devices on the Corporate Network: Segmentation or Isolation is published by Open Cloud Factory. Editorial content supplied by Open Cloud Factory is independent of Gartner analysis. All Gartner research is © 2020 by Gartner, Inc. All rights reserved. All Gartner materials are used with Gartner’s permission. The use or publication of Gartner research does not indicate Gartner’s endorsement of Open Cloud Factory’s products and/or strategies. Reproduction or distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.


In most organizations, IT makes it easy for itself to add devices to the network, which in turn makes it easy for others. Rather than giving devices “free Dynamic Host Configuration Protocol (DHCP) service” on the network, an example policy might mandate that any new or unknown device be isolated and run in a container or isolated network segment for a week. This will ensure that it acts/performs as predicted and only accesses predictable resources. In Gartner inquiries with IT organizations, we often hear that LOB owners or building automation owners typically want their devices on the network within 24 hours of a request. This also explains why some LOB owners or building automation owners will put devices on the network and fail to inform IT of their actions. Creating a process that doesn’t add too much weight to the onboarding life cycle is important. To ensure the risk is reduced or eliminated, organizations will have to work cross-functionally to determine how simple or extensive the endpoint acceptance testing will be.

Place “All” Devices Into One of Four Risk Categories

Once any device is connected to the enterprise infrastructure, it must be discovered. This goal sounds basic, but the reality customers experience using discovery tools indicates discovery is not easily obtained. Approved endpoints used by employees are by far the easiest to identify, as IT organizations have lots of information for identification. Next, common BYOD equipment tends to be easy enough to profile, due to known patterns in Media Access Control organizationally unique identifier (MAC OUI), DHCP, HTTP and more.

FIGURE 1. Four Risk Categories for Campus Network Devices

The most difficult are the IoT devices that may use a common hardware and OS platform but perform different functions, leverage protocols the network team is unfamiliar with, or be negatively impacted by profiling technologies. This can cause IT to disable such devices for that network segment. Even more troublesome are malicious endpoints that could be attempting to avoid detection. Numerous discovery and network access control (NAC) applications exist to attempt to discover, identify and categorize the plethora of endpoints, but no applications are 100% effective.

Once devices are discovered and identified, we advise enterprises to place them into a minimum of four risk categories as shown in Figure 1. Although we discuss the importance of having at least the following four categories, organizations with more robust segmentation requirements may further divide these categories into multiple segments per category.

Corporate Devices

Corporate devices are owned, managed and deployed by IT. Since they are known and owned by the enterprise, they must support the enterprise security policy and have the least risk associated when they connect to the campus network. This typically means support for 802.1X authentication with a strong Extensible Authentication Protocol (EAP) type for any wired or wireless device to ensure devices are properly identified before gaining access to private resources.

Guest Devices or BYOD

Guest devices or BYOD devices will connect to the guest SSID for wireless connectivity and, when port-connected or wired, they will be directed straight to the captive portal for guest device registration. These devices, as the category denotes, are employee-owned devices which are usually looking for internet access. We don’t typically think of them as high-risk devices since they are commonly tunneled to the demilitarized zone (DMZ) with access only to the internet. Some organizations may elect to allow a guest device behind the firewall after it has been scanned through an agentless or onboard agent. If the guest access policy allows these devices behind the firewall, they should be given access only to specific resources as defined by their role. Another consideration customers must address is the ability to isolate devices in this category so they can talk to resources (like the internet) but not to each other. This can help eliminate malicious behavior between clients and help reduce the attack surface of these networks.

Trusted or Known IoT Devices

Trusted or known IoT devices are devices the IT organization is aware of and has approved for use but don’t match the standard user endpoint profile. Often, these devices don’t support enterprise security protocols (such as 802.1X) and require authentication and security enforcement provided by the network. Devices that require physical proximity to users in a campus but require resources in an on-premises or cloud data center can be a challenge to segment. IP surveillance systems are a great example, because the cameras are in the campus, while DVRs are in a data center.

Customers have a couple of choices when creating a segmentation strategy for these types of devices. They can create segmentation that carries traffic all the way from a campus segment to a data center segment using tunneling technologies that allow Layer 3 traversal (for ease of deployment). They can also build bidirectional policies in the campus and data center that minimize the allowed traffic in either direction to only what is needed. These segmentation needs will become more and more common as time passes, and customers should be ready for these devices to rapidly come onto the network. Like the guest category above, client isolation can be used in these segments to reduce east-west malware propagation. An example is not allowing one surveillance camera to talk to another surveillance camera, even though both need to talk to the DVR.

FIGURE 2. Virtual Segmentation Architecture

Untrusted or Unknown Devices

An untrusted or unknown device is one that does not fit into any of the categories already identified. Often, these will be IoT devices added without the knowledge of the IT organization. If the enterprise is using security monitoring tools to monitor traffic patterns, a device may start as “corporate,” “BYOD,” or “Known IoT,” but then become untrusted due to its erratic or unexpected network behavior. A device in the untrusted state can also be moved into other categories once the appropriate action is taken to ensure it matches the organization’s onboarding policies for that category.

Architect a Virtual Segmentation Strategy for Segmented or Isolated Requirements Across Multivendor Campus Networks

Historically, when organizations were looking to group devices to reduce congestion or create a broadcast domain that limited the devices that heard a network message, they were segmented into Layer 2 virtual local-area networks (VLANs). In an ideal situation, organizations would create L2 VLANs for each type/role of IoT device, for example, placing all video surveillance cameras into a single “cameras” VLAN. The issue is that the application the cameras are communicating with is located on a video server in the data center or in the cloud. For either destination, the video camera traffic must cross a router to a DVR in the data center or the cloud. Once the video camera traffic is on the other side of the router, it is no longer in the “camera” VLAN. With 90% of video cameras having security vulnerabilities, it is easy to ascertain that a hacker could take control of a video camera. If the device was not cordoned off from other parts of the network, there could be a security breach.

Implement Segmentation

Hence, there is a need for a tunnel that crosses the Layer 3 (switch or router) boundary and keeps the traffic on target to its intended destination. Although vendors may call it different names, virtual segmentation is the ability to set up a tunnel from a device to a target application across an L3 (switch or router) boundary.

Figure 2 shows the high-level architecture of how the traffic must traverse the network. However, campus network vendors have different options for how this is accomplished and the ability to accomplish the task is limited in environments where there are different network vendor components. Table 1 shows the capabilities for four campus network vendors.


Standards-Based Segmentation for Multivendor Networks Requires Testing and Limited Encryption Options

One issue with segmentation is that each vendor has a differing implementation that is not supported by other vendors. Organizations that have multivendor networks will have to pay close attention to their implementation. One option for resolving a multivendor network is to ensure that the same vendor’s equipment is on the end generating and terminating the tunnel.

An alternative option is using VxLAN, which is an IETF (RFC7348) standards-based solution, but has options that don’t guarantee connectivity unless the solution has been tested with each vendor.

There are several ways that VxLAN can be implemented:

• Option 1 — Implement VxLAN bridging to extend the VxLAN Network Identifier (VNI) from a VxLAN Tunnel Endpoint (VTEP) originated from a switch or access point that is mapped to a device and is connected to another VTEP at the location of the application.

• Option 2 — Set up the VTEP from the switch or access point connection (that is mapped to the device) to a firewall which can be used to enforce policy and set up the corresponding destination VTEP connection.

Table 1. Virtual Segmentation Vendor Implementation

Vendor: Cisco
Implementation: Implement Cisco SD-Access for a converged fabric technology across Cisco switches and wireless access points based on VxLAN, LISP and Scalable Group Tags (SGT). The SD-Access extension for IoT can support devices that do not natively support VxLAN, and the technology can also traverse multivendor networks.

Vendor: HPE Aruba
Implementation: Implement HPE Aruba ClearPass Policy to create encrypted GRE tunnels from Aruba wired switch ports and wireless access points to a centralized policy controller, which routes the packet to the application destination. GRE tunnels can be created across non-Aruba components to allow for multivendor support*.

Vendor: Extreme Networks
Implementation: Implement Extreme Control to create granular policies. Use shortest path bridging (SPB) specified by 802.1aq as a campus fabric, which creates tunnels (ISID microsegments) that can incorporate VLANs and be encrypted. Use IoT Defender to connect legacy devices that don’t natively support SPB. The flexibility of SPB allows L3 routing functionality. Non-Extreme Networks components are allowed in the path, which supports multivendor networks*.

Vendor: Juniper-Mist
Implementation: Implement Juniper-Mist with Personal-WLAN in conjunction with WxLAN Policy to be applied on wired and wireless IoT devices. Based on the device and the policy, WxLAN will leverage Juniper EVPN-VxLAN to securely tunnel traffic directly to the application destination. The tunneling capabilities allow them to traverse non-Juniper-Mist components for multivendor support*.

* All solutions must have vendor components on each end of the tunnel.

Source: Gartner (September 2019)

Isolation May Be Needed in Addition to Segmentation

While segmentation separates the traffic, it can still be seen on the network since most segmentation solutions are only tagging the traffic. However, there are situations where segmentation and isolation or encryption are needed. For example:

• For compliance: In retail for PCI compliance, encrypting the credit card communication from the point of sale (POS) to the application eliminates the need to apply the compliance requirements to the entire retail in-store network.

• For confidentiality: In an enterprise, this may apply to Human Resources or legal where there is a need or requirement to encrypt the departmental communication but not the entire network.

• For shared service infrastructure: In this situation, an airport may provide the network, but an airline may want to secure its data; or a mall may provide the network infrastructure, but a retailer may want to secure its traffic and data.

If isolation is required, enterprises must be certain they identify it to the vendor as a requirement. This will ensure they can implement it, since some implementations cannot natively support isolation inside a segment, including a basic VxLAN standard implementation. If tunnel encryption is required, the packet must be encrypted in an extra step in the communication process.
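The VxLAN bridging described in Option 1 and Option 2, and the point just made about isolation, as an added example that is not code from the report or from any vendor: a toy VTEP maps a camera's MAC to a 24-bit VNI, encapsulates with the RFC 7348 header and forwards only within that VNI, and the last function shows that the inner payload is tagged but not encrypted. The MAC addresses, VNI number and RTSP request are constructed for illustration.

```python
"""VxLAN (RFC 7348) encapsulation: flags(1) reserved(3) VNI(3) reserved(1),
followed by the inner Ethernet frame, carried in UDP to port 4789.
A VTEP maps a device to a VNI and forwards only within that segment; the
inner frame stays readable unless an extra encryption step is added.
Added example; MACs, VNI and payload below are constructed.
"""
import struct
from typing import Dict, Tuple

VXLAN_UDP_PORT = 4789      # IANA-assigned destination port for VxLAN
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VxLAN header to an inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # VNI occupies the top 24 bits of the last 32-bit word; low byte is reserved.
    header = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    return header + inner_frame


def vxlan_decap(packet: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame); reject headers without the I flag."""
    if len(packet) < 8:
        raise ValueError("truncated VxLAN header")
    flags, word = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag not set; VNI is not valid")
    return word >> 8, packet[8:]


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Minimal inner Ethernet frame (no FCS) carried inside the tunnel."""
    def mac_bytes(mac: str) -> bytes:
        return bytes.fromhex(mac.replace(":", ""))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


class Vtep:
    """Toy VTEP: device MAC -> VNI mapping, forwarding only within one VNI."""

    def __init__(self, mac_to_vni: Dict[str, int]):
        self.mac_to_vni = {m.lower(): v for m, v in mac_to_vni.items()}

    def ingress(self, frame: bytes) -> bytes:
        """Access side: look up the source MAC and encapsulate into its VNI."""
        src = ":".join(f"{b:02x}" for b in frame[6:12])
        vni = self.mac_to_vni.get(src)
        if vni is None:
            raise PermissionError(f"unknown device {src}: not mapped to any segment")
        return vxlan_encap(vni, frame)

    def egress(self, packet: bytes, expected_vni: int) -> bytes:
        """Application side: accept only traffic belonging to the expected VNI."""
        vni, frame = vxlan_decap(packet)
        if vni != expected_vni:
            raise PermissionError(f"VNI {vni} is not the expected segment {expected_vni}")
        return frame


def payload_visible(packet: bytes, marker: bytes) -> bool:
    """True if the inner payload can be read straight out of the tunneled packet."""
    return marker in packet


# Constructed segment plan (hypothetical VNI and MACs).
CAMERA_VNI = 5010
CAMERA_MAC = "00:11:22:33:44:55"
DVR_MAC = "00:11:22:aa:bb:cc"
RTSP_REQUEST = b"DESCRIBE rtsp://dvr.example.internal/cam1 RTSP/1.0\r\n"


def demo() -> Tuple[int, bool]:
    """Camera -> campus VTEP -> data-center VTEP; report VNI and payload visibility."""
    vtep = Vtep({CAMERA_MAC: CAMERA_VNI})
    frame = ethernet_frame(DVR_MAC, CAMERA_MAC, 0x0800, RTSP_REQUEST)
    packet = vtep.ingress(frame)
    vni, _ = vxlan_decap(packet)
    assert vtep.egress(packet, CAMERA_VNI) == frame   # DVR-side VTEP accepts it
    return vni, payload_visible(packet, b"DESCRIBE rtsp://")


if __name__ == "__main__":
    print(demo())   # (5010, True): segmented, but the payload is still in the clear
```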

In today’s complex campus network environment, we continue to see the convergence of networks onto a single enterprise communication infrastructure that is being inundated by the influx of more and more IoT devices. New application requirements mean that a virtual segmentation strategy should be a requirement for every organization.


Acronym Key and Glossary Terms

PCI Payment Card Industry

EVPN Ethernet VPN

VNI VxLAN Network Identifier

VTEP VxLAN uses VxLAN tunnel endpoints (VTEPs) to map tenant end devices to VxLAN segments and to perform encapsulation and de-encapsulation.

Virtual LAN (VLAN) A virtual LAN (VLAN) is any broadcast domain that is partitioned at the data link layer (OSI Layer 2).

Virtual Segmentation Virtual segmentation is a broadcast domain (typically implemented by a tunnel) that may be encrypted, but crosses the network layer (OSI Layer 3) to connect a port or WLAN access point (usually connecting to an endpoint) to a defined port communicating with a specific application.

Building Automation/Facilities Management

Enterprise organization that is responsible for the physical building including HVAC, lighting, etc.

Evidence

1 Wired and Wireless LAN Access Infrastructure — Magic Quadrant Customer Reference Survey (n = 137): “We have building automation, facilities management devices (e.g., video surveillance cameras, access security, energy management and HVAC) on the network.”

2 Forescout, The Current State of Smart Building Cybersecurity, 2019

Source: Gartner Research, G00388335, Tim Zimmerman, 26 September 2019


Creating a Certification Process For All Devices

Through the OpenNAC Enterprise Compliance module, network administrators can establish a set of minimum requirements to access the network; but how does it work?

Define

This step refers to defining the end-point compliance policy. Here the administrators should collect and establish the minimum software requirements to access the network and its resources, such as:

- Profile information: OS, OS version, device typology, among others

- Security information: antivirus installed, antivirus update status, antispyware installed, antispyware version

- Application information: programs and applications installed, program and application versions

- Network information: open TCP ports

- Custom information: any custom software or hardware information defined by the customer

This information is collected for each asset and can be evaluated by building access policies, called end-point compliance policies, to permit or deny network access or access to specific network resources.

Apply

As soon as the asset tries to access the network by wire, Wi-Fi or remote access (VPN), OpenNAC Enterprise identifies the connection and evaluates the access policy rules, looking for the correct match. Each rule has postconditions associated with it; when a match occurs, the actions specified as postconditions are executed. Several postconditions can be applied: assigning the asset to a specific network segment is the most common action, but additional actions provided through plugins, such as two-factor authentication, can also be used as the postcondition of a rule.

Segment

Network segmentation is one of the most common and basic network access controls implemented in corporate environments. OpenNAC Enterprise can perform the network segmentation after applying the access rules included in the policy.

Most commonly, each enterprise will have a different way to approach its network segmentation; sometimes the network is divided by departments, buildings, floor levels or hierarchy. No matter what the specific guideline is, you can use OpenNAC Enterprise to perform the network segmentation.

Audit

OpenNAC Enterprise provides different outputs, one of them being the graphic data representation. It can be customized to each customer’s specific needs; real-time end-point compliance policy statistics and network segmentation data can be presented.

FIGURE 2. End-Point Compliance Dashboard

Source: Open Cloud Factory

OpenNAC Enterprise administrators can verify the graphic statistics for compliance policies in real time at any moment, auditing the compliance status and end-point baseline security for the network.

Using OpenNAC Enterprise, certification process for all devices can be created; these can be written by a cross-functional team before any device is connected to the enterprise network and then applied once created.

FIGURE 1. End-Point Compliance Process: Define, Apply, Segment, Audit

Source: Open Cloud Factory

Dashboard panels shown in Figure 2: Total Devices with Agent, Application Compliant Devices, Microsoft Compliant Devices, Security Compliant Devices, Full Compliance Devices, Agentless vs. Agent OK, Asset Types (EPT_MOBILE, EPT_DESKTOP, EPT_OPENNAC, EPT_NETWORK_DEVICE and others).


Segment or Isolate Devices by Creating and Implementing a Minimum of Four Device Risk Levels

As we mentioned before, each company can segment the network according to its own guidelines; Gartner recommends that organizations “…place “All” Devices Into One of Four Risk Categories for Campus Network Devices:

- Corporate Devices

- Guest Devices or BYOD

- Trusted IoT Devices

- Untrusted or Unknown Devices”1

OpenNAC Enterprise tags each device according to the collected device information; with this data we can determine and assign any of the four categories by applying a risk tag to the device. Companies can also define their own guidelines to segment the network and associate a risk tag with each device connected to the network, specifying one of the four risk categories for any asset and giving it the appropriate treatment.

Once companies have defined a set of network VLANs, OpenNAC Enterprise, after the connection has been authenticated, can apply network segmentation using one of the three following methods:

Dynamic VLAN assignment

This is achieved through RADIUS parameters. OpenNAC Enterprise sends the VLAN ID information to the switch to configure a specific network port for the device involved in this event.

ACL on Network Devices

This is achieved through Security Profiles and can be configured using two types of ACLs: static and dynamic. Which type applies depends on the network device’s ACL support; in both the static and dynamic cases the configuration information is sent via RADIUS parameters.

Using static ACLs, administrators need to create the ACL(s) beforehand and select the ACL through an OpenNAC policy in the Security Profile section. After validation of the policy’s preconditions, the Security Profile acts as the policy’s postcondition, assigning an ACL to the specific network port for the device involved in this event.

Using dynamic ACLs, administrators need to define the ACL settings in business profiles; this configuration will be sent via RADIUS parameters. After validating the policy’s preconditions, the Security Profile acts as the policy’s postcondition, setting the ACL string on the specific network port for the device involved in this event.

NGFW Integration

OpenNAC Enterprise can be integrated with NGFWs, and using plugins you can modify the NGFW access rules defined in its policy. OpenNAC Enterprise can also be integrated with NGFWs and other security solutions/platforms to execute actions over the network and its devices, acting as a network orchestration platform. For example, you can modify the firewall policy based on access rules defined in an openNAC Enterprise policy, where an input or precondition could be the antivirus update status on endpoints.

No matter which method you choose for network segmentation, each network asset will carry a tag indicating its risk category, so that it receives the appropriate treatment and is sent to the corresponding network segment.

Source: Open Cloud Factory

1 Gartner Inc., Segmentation or Isolation: Implementing Best Practices for Connecting ‘All’ Devices, 26 September 2019, G00388335


A Virtual Segmentation Architecture for Implementing a Segmented and Isolated Strategy for Devices Across Multivendor Campus Networks

Most commonly, enterprises will have multiple vendors across their corporate network. OpenNAC Enterprise works with standard industry protocols such as 802.1 to achieve IT objectives such as network segmentation.

Each company has its own business requirements and its own technological context: for example, network capacity, potential improvements, constraints, even vulnerabilities, and the most urgent challenges to address.

In addition, each campus network is comprised of multiple device typologies (IP phones, cameras, desktops, laptops, IoT devices), and these can differ greatly in traffic volume, risk and quality, among other things.

Regardless of the device typology distribution, the network requirements must be met within the constraints and the context given. This goal can be achieved via a segmentation strategy that works in a multivendor network, as a means to guarantee the business requirements.

OpenNAC Enterprise works with standard industry protocols, can be integrated with any platform and is hardware agnostic. In addition, for any device connected to the network, customized tags can be defined and applied to the asset description. Using customized tags as a policy precondition, openNAC Enterprise can assign the network segment as a policy postcondition. For instance, once a network connection is identified, openNAC Enterprise can determine that the connection is a camera and, based on this, assign it the video platform VLAN segment, reducing the overall network risk. This in turn can achieve a business requirement of optimizing network performance.

Customized tags and/or any asset characteristic can be used to isolate devices from parts of the network. This is achieved by defining and applying compliance policies for any network connection/device. OpenNAC Enterprise can display, via real-time dashboards, the most relevant information regarding network events, network connections and the corresponding compliance statistics.
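The following Python sketch is an added example, not code from Open Cloud Factory or OpenNAC Enterprise. It expresses the flow described in the two preceding sections: tags collected about a device act as policy preconditions that place it in one of the four Gartner risk categories (falling through to "untrusted" when nothing matches), and the RADIUS attributes returned to the switch act as the policy postcondition for each of the three enforcement methods (dynamic VLAN, static ACL, dynamic ACL), including the camera-to-video-VLAN case. The tag names, VLAN numbers, ACL names and ACL bodies are constructed; the VLAN attributes are those defined in RFC 3580, Filter-Id is defined in RFC 2865, and the pushed-ACL string uses the Cisco-AVPair "ip:inacl" form as one vendor's syntax only.

```python
"""Policy-engine sketch: device tags -> risk category -> RADIUS postcondition.

Added example, not OpenNAC Enterprise code. Tag names, VLAN numbers, ACL names
and ACL contents are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    """The four Gartner risk categories for campus network devices."""
    CORPORATE = "corporate"
    GUEST_BYOD = "guest_byod"
    TRUSTED_IOT = "trusted_iot"
    UNTRUSTED = "untrusted"


@dataclass
class Device:
    mac: str
    tags: set = field(default_factory=set)  # tags collected during profiling


# Constructed segment plan: one VLAN and one pre-created switch ACL per category.
SEGMENTS = {
    Risk.CORPORATE:   {"vlan": 100, "acl": "CORP-ALLOW"},
    Risk.GUEST_BYOD:  {"vlan": 200, "acl": "GUEST-INTERNET-ONLY"},
    Risk.TRUSTED_IOT: {"vlan": 300, "acl": "IOT-RESTRICTED"},
    Risk.UNTRUSTED:   {"vlan": 999, "acl": "QUARANTINE"},
}

# Constructed per-category ACL bodies for the dynamic (pushed) ACL method.
DYNAMIC_ACLS = {
    Risk.CORPORATE:   ["permit ip any any"],
    Risk.GUEST_BYOD:  ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
    Risk.TRUSTED_IOT: ["permit tcp any host 10.10.0.5 eq 443", "deny ip any any"],
    Risk.UNTRUSTED:   ["permit tcp any host 10.10.0.9 eq 443", "deny ip any any"],
}

# Device-type refinements inside the trusted-IoT category (cameras get the
# video platform VLAN). Constructed values.
IOT_TYPE_VLANS = {"camera": 310, "ip_phone": 320}


def classify(dev: Device) -> Risk:
    """Policy preconditions: the collected tags decide the risk category.

    The most demanding evidence is checked first; anything that matches no
    rule falls through to UNTRUSTED, so an unknown device never lands in a
    trusted segment by default."""
    t = dev.tags
    if {"certified", "domain_joined", "av_updated"} <= t:
        return Risk.CORPORATE
    if {"certified", "iot"} <= t:
        return Risk.TRUSTED_IOT
    if "byod" in t or "guest" in t:
        return Risk.GUEST_BYOD
    return Risk.UNTRUSTED


def target_vlan(dev: Device, risk: Risk) -> int:
    """Category VLAN, refined by device type for trusted IoT assets."""
    if risk is Risk.TRUSTED_IOT:
        for dtype, vlan in IOT_TYPE_VLANS.items():
            if dtype in dev.tags:
                return vlan
    return SEGMENTS[risk]["vlan"]


def radius_postcondition(dev: Device, method: str) -> dict:
    """Policy postcondition: attributes for the RADIUS Access-Accept.

    method is one of "vlan", "static_acl" or "dynamic_acl"."""
    risk = classify(dev)
    if method == "vlan":
        # Dynamic VLAN assignment attributes defined in RFC 3580.
        return {
            "Tunnel-Type": 13,          # VLAN
            "Tunnel-Medium-Type": 6,    # IEEE-802
            "Tunnel-Private-Group-ID": str(target_vlan(dev, risk)),
        }
    if method == "static_acl":
        # Filter-Id (RFC 2865) names an ACL that must already exist on the switch.
        return {"Filter-Id": SEGMENTS[risk]["acl"]}
    if method == "dynamic_acl":
        # ACL lines pushed with the accept. The "ip:inacl#N=" form is the
        # Cisco-AVPair syntax, used here as one vendor's example only.
        return {"Cisco-AVPair": [f"ip:inacl#{10 * (i + 1)}={line}"
                                 for i, line in enumerate(DYNAMIC_ACLS[risk])]}
    raise ValueError(f"unknown enforcement method: {method}")


if __name__ == "__main__":
    # Constructed sample connections, as a NAC server would see them after profiling.
    samples = [
        Device("00:11:22:33:44:01", {"certified", "domain_joined", "av_updated"}),
        Device("00:11:22:33:44:02", {"byod"}),
        Device("00:11:22:33:44:03", {"certified", "iot", "camera"}),
        Device("00:11:22:33:44:04", set()),  # never seen before: quarantined
    ]
    for d in samples:
        print(d.mac, classify(d).value, radius_postcondition(d, "vlan"))
```

The point worth keeping from this sketch is the ordering in classify: the rule set is evaluated from the strongest evidence downward and the default branch is the isolated segment, so a device that has not been through the certification process, or that loses a tag such as av_updated at its next evaluation, ends up in the untrusted segment rather than staying in the corporate one.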

FIGURE 1. Network Segmentation Use Case in OpenNAC. Source: Open Cloud Factory

[Figure: edge, campus, core and data center layers with Services A, B, C and D in the data center. Device groups (Cameras, BAS Devices, Financial, Help Desk, Human Resources, Technicians) are mapped to the strategies Security Segmentation + Compliance, Segmentation + Compliance, Visibility, and Visibility + Compliance. Call-outs: 80% IoT devices not deployed securely or managed; 50% undiscovered devices; 90% were vulnerable; 39,3% were vulnerable.]


About Open Cloud Factory

Open Cloud Factory is a European-based security vendor focused on securing the corporate network (IT/OT) through visibility, control and compliance of all connected assets.

The company was established in Spain in 2012 with the aim of developing advanced NAC (Network Access Control) technology. The solution was first commercialized in 2016. In 2018, Open Cloud Factory’s technology was included as a Representative Vendor in the 2018 Gartner Market Guide for Network Access Control1 for the first time.

Since then the company has received industry recognition, such as the Common Criteria Certification. Open Cloud Factory is currently trusted by well-known worldwide companies.

With OpenNAC Enterprise, we provide companies with full visibility, control and compliance of everything connected to the corporate network (both IT and OT). The software solution offers different mechanisms for discovery, profiling, segmentation and access control to the corporate network. Contact Open Cloud Factory for further information about OpenNAC Enterprise.

RECOGNITION AND AWARDS

- Open Cloud Factory was included as a Representative Vendor in the 2017 and 2018 Gartner Market Guides for NAC (Network Access Control)

- OpenNAC Enterprise is a product with the globally recognized Common Criteria Certification.

- OpenNAC Enterprise is included in the solutions portfolio of Spain’s highest authority for security (CCN-CERT).

Contact us https://www.opencloudfactory.com/en/contact

1 Gartner Inc., Market Guide for Network Access Control, 31 July 2018, G00332886