Establishing Digital Trust: Don't Sacrifice Security for Convenience
Network access control (NAC) is back.
To get an idea of the NAC sales boom currently underway, Frost & Sullivan estimates that sales will grow by almost 14 percent a year for the next two years to hit $310 million, while Gartner expects the market to jump by a whopping 63 percent in 2013 to over $390 million. Frost & Sullivan believes almost two-thirds of that spending will go to the three biggest players in the NAC market: networking heavyweights Cisco Systems and Juniper Networks, and California-based specialist NAC vendor Forescout Technologies.
First, let's be clear what is meant by NAC. Frost & Sullivan defines it as:
"a self-contained solution capable of policy creation/management, authentication, endpoint assessment, enforcement, and remediation. NAC determines access to a very specific set of network resources based on user identity and endpoint health posture. NAC provides control mechanisms to enforce these policies and prevents users from circumventing the authentication process."
It's been around since 2004, and until recently it never made much headway. So what's driving the current NAC revival?
The simple answer is the trend for Bring Your Own Device (BYOD) programs, according to Lawrence Orans, a Gartner analyst. "The main concern is personally owned mobile devices, and what's pushing NAC sales is the desire to apply policy to the network," he says.
NAC allows companies to see what is connecting to their networks, and control which parts of the network employees and guests can access with their mobile devices.
NAC's Third Wave: Simpler and More Sophisticated
The current wave of NAC products is the third iteration of the concept. (The first wave was the original NAC products back in 2004, while the second wave was aimed at controlling guest access to mainly wired networks.)
The third wave of NAC systems is also more sophisticated, with its recognition that blocking devices from the network is not always the answer, says Christopher Rodriguez, a Frost & Sullivan analyst.
"They are granular enough to recognize who users are, and if it is the CEO they may make an exception if the risk they pose is not severe. They may give a grace period and warn the person that they need to put their device right," Rodriguez says. "Blocking people outright was the scariest bit of NAC for many organizations."
Gartner's Orans agrees. "What we are seeing now is a much more laid back form of NAC. If an endpoint that tries to join the network is not compliant (for example because it has no anti-virus software), in most cases it will still be let on, and it will be able to carry out remediation after the fact."
One of the reasons the first wave of NAC products failed to take off when they were first introduced back around 2004 (aside from the cost) was the fact that they were too restrictive and disruptive, according to Rodriguez.
"Early NAC applied strict security by blocking devices if they were not in compliance," he says. "But most organizations found it was not acceptable to do this, especially if it was the CEO's device, and that was the end of NAC."
Other reasons include that fact that special hardware was often required, and integration had to be carried out with SIEM systems, endpoint security software Rodriguez says.
Implementation is now considerably easier, with most companies choosing a plug-and-play appliance that is attached to a span port on a distribution layer switch on the network. Some vendors also offer virtual appliances and a few -- like Bradford Networks -- offer cloud-based NAC as a service offering.
NAC and MDM: A Good Marriage
You might think that mobile device management and security is something that organizations should be looking to a mobile device management (MDM) system to provide, but there's a subtle difference. "MDMs are device specific, and give the ability to apply policies to mobile devices. What NAC is doing is applying policies to the network," says Orans.
Many organizations and vendors see MDM platforms and NAC as complementary, though, leading to MDM and NAC vendors forging partnerships to integrate the functionality of their products.
"The reason for NAC/MDM integration is that many companies have invested a lot of money into MDM platforms," Orans explains. "They want to be able to set NAC policies which say that if a device is not enrolled with the MDM system, it can't get on to the network."
Examples of NAC vendors integrating with MDM vendors include:
- Aruba Networks (with Fiberlink and MobileIron)
- Bradford Networks (with AirWatch)
- Cisco (with AirWatch, Good Technology, MobileIron and Zenprise)
- Forescout (with Fiberlink and MobileIron)
One stumbling block to much more widespread NAC adoption is the cost: NAC solutions don't come cheap. As a rule of thumb, the total cost may be as high as $20 to 30 per end-user. That's enough to put off many organizations, even if they have or are considering a BYOD program.
Short List of NAC Vendors
NAC vendors include:
Aruba Networks: Clearpass
Cisco Systems: Identity Services Engine (ISE)
Enterasys Networks: Enterasys Network Access Control
Juniper Networks: Universal Access Control (UAC)
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.