Network Access Control hardware leased on a 36-month bundle. Every device authenticated, every BYOD segmented, every IoT sensor profiled — before it communicates on your network.

A corporate network without Network Access Control has a fundamental trust problem: any device that connects to a network port or the corporate wireless network receives network access. The device could be a managed corporate laptop with all security controls. It could be a personal BYOD device with no endpoint protection. It could be a contractor's laptop with malware pre-installed. It could be a rogue device — a Raspberry Pi or a USB Ethernet adapter — planted by a threat actor who had physical access to the building. The network treats all of these identically: full connectivity.
This implicit trust model has become untenable as the device landscape has grown. Malaysian enterprises now routinely connect corporate laptops, personal BYOD devices, IP phones, printers, IP cameras, building management sensors, visitor devices, and an expanding set of IoT endpoints to the same physical network infrastructure. Without NAC, the security posture of the entire network is only as strong as the least-secure device connected to it.
Healthcare networks connecting medical devices alongside clinical workstations have a specific regulatory dimension under PDPA 2024 — any device with access to patient data is a potential data-breach vector. Manufacturing networks connecting OT devices alongside IT workstations risk cross-contamination between production and corporate environments. NAC enforces the segmentation that makes both of these risk scenarios manageable. See the managed security leasing overview and our Firewall-as-a-Service bundle for perimeter-layer segmentation alongside device-layer NAC enforcement.
Endpoint detection and response tools require an agent running on the device to provide coverage. IoT devices — smart building sensors, industrial monitoring equipment, medical devices, IP cameras, network-attached printers — cannot run endpoint agents. They often run embedded operating systems with no software installation mechanism, limited memory, and no update path. This creates a security blind spot in every network that cannot be addressed by expanding your EDR deployment.
NAC addresses this at the network layer. Agentless device profiling identifies every device by its network behaviour patterns — DHCP fingerprinting, protocol analysis, connection patterns — and assigns it to a device class. Once classified, the NAC applies a per-class network policy: an IP camera receives access only to the video management server and outbound internet is blocked; a building management controller receives access only to the BMS network segment; a visitor laptop receives internet-only access. The device's inability to run an agent is irrelevant — its network access is controlled by the NAC regardless.
For healthcare organisations, this agentless device profiling is particularly valuable. Medical devices — infusion pumps, imaging equipment, patient monitoring systems — are frequently running end-of-life operating systems that cannot be patched and cannot run endpoint agents. Under PDPA 2024, these devices have access to patient data and are therefore a data-breach risk. NAC isolates them to a dedicated medical device VLAN with access only to the clinical systems they need, reducing the blast radius of any device compromise to the minimum necessary.
802.1X is an IEEE standard for port-based network access control. Before a device is allowed to communicate on the network, the switch or wireless access point challenges the device to authenticate against a RADIUS server. The device presents a certificate (for managed corporate devices) or user credentials (for BYOD). The RADIUS server validates the credentials and returns a policy decision — allow on the corporate VLAN, allow on the guest VLAN, or deny. This means that any unregistered device that is plugged into a network port or connects to the wireless network receives no access, rather than receiving full network access by default. 802.1X closes the most common insider and rogue-device threat vector.
IoT devices, printers, IP phones, medical devices, and building management systems often cannot perform 802.1X authentication because they lack the software capability. These devices use MAC Authentication Bypass (MAB) — the NAC allows network access based on the device MAC address, but simultaneously profiles the device by analysing its network behaviour, DHCP fingerprint, and protocol patterns. The profiling engine assigns the device to a device class (printer, IP camera, BMS controller) and applies the corresponding policy — typically a restricted VLAN with access only to required destinations. Unknown devices receive a quarantine policy until classified.
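The DHCP fingerprinting step of the agentless profiling described in the two paragraphs above, as an added example that is not part of this page or of the InfoExpress/nCrypt product: it walks the option TLVs of a DHCP Discover, extracts the parameter request list (option 55), vendor class (option 60) and hostname (option 12), and matches the option-55 order against a small fingerprint library. The packet builder, the MAC addresses and the library entries are constructed for the example; a production profiler uses a maintained fingerprint database and combines this signal with the protocol and connection-pattern analysis the text mentions.

```python
"""Agentless DHCP fingerprinting: parse option 55/60/12 from a DHCP Discover and
classify the device against a fingerprint library (constructed values)."""
from dataclasses import dataclass
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 option-field marker
OPT_PAD, OPT_HOSTNAME, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS, OPT_END = 0, 12, 55, 60, 255


@dataclass
class DhcpFingerprint:
    mac: str
    hostname: str
    vendor_class: str
    param_request_list: tuple


def parse_dhcp_options(packet: bytes) -> dict:
    """Walk the TLV options that follow the 236-byte BOOTP header and magic cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def fingerprint(packet: bytes) -> DhcpFingerprint:
    """Pull the profiling-relevant fields out of one Discover."""
    opts = parse_dhcp_options(packet)
    chaddr = packet[28:34]             # client hardware address (6 bytes for Ethernet)
    return DhcpFingerprint(
        mac=":".join(f"{b:02x}" for b in chaddr),
        hostname=opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        vendor_class=opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        param_request_list=tuple(opts.get(OPT_PARAM_REQ_LIST, b"")),
    )


# Constructed fingerprint library keyed by option-55 request order (not real vendor data).
FINGERPRINT_LIBRARY = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "windows-workstation",
    (1, 3, 6, 12, 15, 28, 42): "ip-camera",
    (1, 3, 6, 15, 44, 47): "network-printer",
}


def classify(fp: DhcpFingerprint) -> str:
    """Exact option-55 match first, vendor-class hint second, otherwise 'unknown'
    so the NAC can hold the device in quarantine until classified."""
    device_class = FINGERPRINT_LIBRARY.get(fp.param_request_list)
    if device_class:
        return device_class
    if "printer" in fp.vendor_class.lower():
        return "network-printer"
    return "unknown"


def build_discover(mac: bytes, hostname: bytes, vendor_class: bytes, prl: bytes) -> bytes:
    """Construct a minimal DHCP Discover for the example (not captured traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)   # 28 bytes
    header += mac + b"\0" * 10         # chaddr padded to 16 bytes
    header += b"\0" * 64 + b"\0" * 128  # sname, file
    options = bytes([53, 1, 1])        # DHCP Message Type = Discover
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    options += bytes([OPT_PARAM_REQ_LIST, len(prl)]) + prl
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("aabbccddeeff"), b"cam-lobby-01", b"",
                         bytes([1, 3, 6, 12, 15, 28, 42]))
    fp = fingerprint(pkt)
    print(fp.mac, fp.hostname, classify(fp))
```

A fingerprint is a classification hint, not an authentication: a device can send whatever option-55 list it likes and a MAC address is trivially cloned, which is why MAB-profiled devices are confined to a restricted VLAN rather than granted corporate access, and why an unknown fingerprint should land in quarantine rather than in a default "allow" class.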
BYOD devices — employee personal laptops, smartphones, tablets — are directed to a self-service guest portal where the user authenticates with corporate credentials. The NAC checks device compliance state (if you have an MDM like Microsoft Intune, the compliance certificate from Intune is verified). Compliant BYOD devices receive a policy appropriate for personal devices — typically internet-only access or limited corporate resource access depending on your policy. Non-compliant BYOD devices are directed to a remediation VLAN with access only to the remediation resources (patch server, MDM enrolment). Personal devices never receive the same network access as managed corporate devices.
PCI DSS Requirements 1.2 and 1.3 require that network configurations restrict connections between untrusted networks and the cardholder data environment, and that all connections between untrusted systems and the CDE are authorised and justified. NAC enforces this by ensuring only authenticated and policy-compliant devices receive network access, and that the cardholder data environment is in a separate VLAN accessible only to devices with the correct policy attributes. nCrypt provides a PCI DSS network segmentation attestation document as part of the NAC deployment, covering the device policy matrix and VLAN architecture.
The rollout follows a monitor-then-enforce pattern. In weeks one to three, the NAC runs in monitor-only mode — it profiles every device and logs what policy would apply, but does not actually enforce anything. During this phase, nCrypt reviews the device inventory with your IT team to identify any devices that would receive incorrect policies. Policy tuning happens in monitor mode. Enforcement is then enabled one VLAN at a time, starting with the lowest-risk network segments, allowing the IT team to observe and correct any issues before proceeding to sensitive segments. A big-bang cutover is never used.
Integration with Microsoft Intune uses the Network Policy Server extension for Intune. When a device connects, the NAC queries Intune compliance status in real time — a non-compliant device (missing patches, disabled encryption) receives a remediation policy regardless of whether its 802.1X certificate is valid. Entra ID (Azure AD) integration provides user identity for BYOD authentication and conditional access policy mapping. For organisations heavily invested in Microsoft 365 and the Microsoft security stack, NAC integrates into the same compliance posture management system rather than creating a parallel management layer.
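The policy decision the RADIUS server returns, covering the 802.1X, MAB/profiling, BYOD, PCI DSS segmentation, monitor-then-enforce and Intune-compliance paragraphs above, as an added example that is not the product's or nCrypt's code: it maps an authentication context to an Access-Accept or Access-Reject and, on accept, attaches the RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes that place the port on a VLAN. The VLAN ids, class names and AuthContext fields are assumptions for the example; the compliance flag stands in for the real-time Intune lookup the text describes, and monitor mode records the would-be decision without changing access.

```python
"""NAC policy decision point (illustrative). Maps an authentication context to a
RADIUS Access-Accept/Reject carrying RFC 3580 VLAN assignment attributes, with a
monitor mode that logs the would-be decision without enforcing it."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed VLAN plan; real ids come from the customer's VLAN architecture.
VLAN = {
    "corporate": "100", "cde": "400",
    "byod-internet": "210", "remediation": "220",
    "ip-camera": "310", "network-printer": "320", "bms-controller": "330",
    "quarantine": "999",
}
PROFILED_CLASSES = ("ip-camera", "network-printer", "bms-controller")


@dataclass
class AuthContext:
    mac: str
    method: str                                # "eap-tls" | "peap-user" | "mab"
    cert_valid: bool = False                   # EAP-TLS device cert chains to corp CA
    user_authenticated: bool = False           # corporate credentials accepted (BYOD)
    intune_compliant: Optional[bool] = None    # None = no MDM record for this device
    device_class: str = "unknown"              # from agentless profiling
    cde_authorised: bool = False               # PCI DSS policy attribute on the device


@dataclass
class RadiusDecision:
    code: str                                  # "Access-Accept" | "Access-Reject"
    vlan: Optional[str]
    reason: str
    attributes: dict = field(default_factory=dict)


def accept(policy: str, reason: str) -> RadiusDecision:
    """Access-Accept with the RFC 3580 attributes that put the port on a VLAN."""
    vlan_id = VLAN[policy]
    attrs = {"Tunnel-Type": 13,               # VLAN
             "Tunnel-Medium-Type": 6,         # IEEE-802
             "Tunnel-Private-Group-ID": vlan_id}
    return RadiusDecision("Access-Accept", vlan_id, reason, attrs)


def decide(ctx: AuthContext) -> RadiusDecision:
    """Compliance state overrides a valid certificate; MAB is decided by profiled class."""
    if ctx.method == "eap-tls" and ctx.cert_valid:
        if ctx.intune_compliant is False:
            return accept("remediation", "managed device reported non-compliant by Intune")
        if ctx.cde_authorised:
            return accept("cde", "managed, compliant, authorised for cardholder data environment")
        return accept("corporate", "managed device with valid certificate")
    if ctx.method == "peap-user" and ctx.user_authenticated:
        if ctx.intune_compliant is False:
            return accept("remediation", "BYOD device non-compliant; remediation resources only")
        return accept("byod-internet", "BYOD device; internet-only access")
    if ctx.method == "mab":
        if ctx.device_class in PROFILED_CLASSES:
            return accept(ctx.device_class, f"MAB device profiled as {ctx.device_class}")
        return accept("quarantine", "MAB device not yet classified")
    return RadiusDecision("Access-Reject", None, "no valid certificate or credential")


def evaluate(ctx: AuthContext, enforce: bool, log: list) -> RadiusDecision:
    """Monitor mode logs what would apply but leaves the port's access unchanged."""
    decision = decide(ctx)
    log.append(f"{ctx.mac} method={ctx.method} class={ctx.device_class} "
               f"would_apply={decision.code} vlan={decision.vlan} ({decision.reason})")
    if not enforce:
        return RadiusDecision("Access-Accept", None, "monitor mode: " + decision.reason)
    return decision


if __name__ == "__main__":
    monitor_log = []
    samples = [  # constructed sessions
        AuthContext("00:11:22:33:44:01", "eap-tls", cert_valid=True, intune_compliant=True),
        AuthContext("00:11:22:33:44:02", "peap-user", user_authenticated=True, intune_compliant=False),
        AuthContext("00:11:22:33:44:03", "mab", device_class="ip-camera"),
        AuthContext("00:11:22:33:44:04", "mab"),
    ]
    for sample in samples:
        evaluate(sample, enforce=False, log=monitor_log)
    print("\n".join(monitor_log))   # review this with IT before enabling enforcement
```

Reviewing the monitor-mode log against the IT team's device inventory is the tuning step the rollout paragraph describes: a printer that shows up as would_apply=quarantine, or a clinical workstation landing on byod-internet, is a profiling or policy gap to fix before enforcement is switched on for that VLAN.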
Hardware-as-a-Service · 36-month bundle
InfoExpress CGX — every device authenticated, every connection profiled, every guest contained. BYOD-ready and RMiT-aligned.
NAC appliance (CGX or ISE), HA pair on Mid-Market+
802.1X policy design and RADIUS integration
Device profiling library (IoT fingerprints)
Guest portal with self-service onboarding
Quarterly policy reviews
Hardware refresh at month 30
Tier         Monthly (RM)       Scope
SMB          1,800 – 3,000      Single appliance, 100-300 endpoints, single site
MidMarket    3,000 – 7,500      HA pair, 500-2,000 endpoints, multi-site
Enterprise   7,500 – 20,000+    Multi-DC, 5,000+ endpoints, IoT segmentation, full guest portal
Need a one-off engagement instead of a leased bundle?
See our consulting service →
Share your user count, locations, and current stack. We'll respond within 24 hours.
Three minutes in the calculator. A precise quote emailed within 24 hours.
Financing available via our partner financial institutions. Indicative monthly figures based on standard 36-month terms; final pricing subject to credit assessment and signed master service agreement.