When network access control (NAC) vendor Vernier Networks admitted it was quietly re-launching itself under a new name and approach, some in the industry suggested it was the beginning of difficult times in the NAC market.
One analyst suggested the NAC market had grown too crowded and that smaller companies would either follow Vernier's lead or go away because far fewer enterprises are adopting the technology than vendors had initially expected or hoped.
With that in mind, SearchSecurity.com spent the past week asking users, analysts and vendors the big question -- is NAC dead? After all, most enterprises seem to have dismissed NAC as too complicated and expensive for their environment, and as 451 Group Senior Analyst Paul Roberts noted, IT professionals have found ways to bolster access control using the technology they already have instead of investing in new NAC products.
Based on the feedback that has come in, the answer is no. It's not that IT professionals see no value in NAC, it's just that they're waiting for the market to mature. Many seem content to wait for bigger IT infrastructure vendors like Microsoft and Cisco to flesh out their NAC programs.
"We explored using off-the-shelf NAC solutions, including Vernier, and we concluded the technology is only good if you can cover every port in your company," said Dave Bixler, CISO for Siemens IT Solutions and Services Inc., a subsidiary of Munich-based Siemens AG. "We had to weigh if NAC was something we had to put at the top of our list or if we could wait 18 months to see what Microsoft does. We decided we can wait."
Rich Mogull, a former Gartner analyst and founder of independent security consultancy Securosis, said many enterprises have taken Bixler's approach, which is bad news for the smaller NAC vendors.
"The NAC market faces a challenge because two of the biggest forces on Earth -- Cisco and Microsoft -- have decided they want the technology," he said. As a result, enterprises have frozen their NAC plans, waiting to see what happens with these two vendors. "Eventually getting NAC from a larger IT vendor makes sense to many companies that would rather have it built into their larger infrastructure than spend the money on a bolt-on NAC product," he added.
Bixler noted that his company is like a lot of Windows-based operations: They are waiting for Microsoft to release its Longhorn Server, and many hope that will be enough to meet their NAC requirements without the need to invest in the products of smaller vendors.
That doesn't mean smaller NAC vendors should be dismissed as an endangered species, Mogull said.
"In the long term, everyone will have to work with Cisco and Microsoft. On the other hand, Microsoft and Cisco haven't successfully provided all the manageability and functionality customers want, and that's where there's opportunity for the smaller companies that can understand that," he said.
Mike Chapple, an IT security professional with the University of Notre Dame, said he's not surprised to see some of the smaller players dropping out of the market, since they have a couple of strikes against them when compared to product offerings from the larger companies.
"I think many IT folks want to deal with as few vendors as possible to simplify their infrastructures, and when [you can] purchase a NAC solution from the same company that provides your switch gear, you don't lose sleep worrying about incompatibility issues," he said, adding that it's also hard to ignore that larger companies have more marketing muscle and can easily promote their products both within their existing customer base and with new customers.
In the final analysis, he said, instability in the NAC market should not be interpreted as the coming demise of NAC as a technology. The market is simply starting to mature and consolidate down to the major players.
"The major players will see a bigger piece of a bigger pie over the next few years as enterprises begin or continue NAC deployments," Chapple said.
Mogull agreed, saying that NAC isn't going to go away because it offers too much value to just disappear. "The bottom feeders of the market will go away, but not the technology itself," he said.
As enterprises try to sort out their NAC plans, Burton Group analyst Pete Lindstrom said it's important to think of NAC as an emergent property of all their products working together.
"[Enterprises] should evaluate all of their technical solutions' ability to integrate with each other," he said. "That typically means sticking to the fewest number of vendors possible."