As many IT industry veterans may know, a technology product market hasn't really arrived until it's been the subject of a Gartner magic quadrant. The Gartner magic quadrant, for those of you who aren't familiar with the gimmick, is Gartner's proprietary analysis schema that seeks to assess a given technology market by sorting vendors into four categories (leaders, challengers, visionaries and niche players) and then mapping them on a quadrant grid to see how they stack up. Vendors love the magic quadrant because any vendor's VP of marketing can easily spin the outcome positively in a press release, the media love it because a new quadrant always makes for an easy and fun news story, and customers love it because they can use it to easily determine which vendors to evaluate when conducting due diligence.
Gartner chose 2009 as the time to produce a magic quadrant on NAC, claiming that NAC represents a $221 million market segment with 50% growth since 2007. Additional evidence of NAC's appeal is that three NAC companies received late rounds of venture funding in 2008: Bradford Networks Inc. raised $8 million; ConSentry Networks Inc. raised $9.4 million; and ForeScout Technologies Inc. raised $8 million. This is a case where market numbers and analyst hype can mislead IT into spending resources on a false trend, when those resources would be better applied to more strategic efforts.
What's more interesting (and telling) is that there is no NAC category for exhibiting vendors at the 2009 RSA Conference, although there are 73 other security categories from which vendors can choose. Traditional NAC, where non-compliant endpoints are redirected to quarantine sites, is inherently an infrastructure capability requiring coordination between endpoints, network devices and policy management servers. The market size numbers, and the enterprise demand they imply, are greatly skewed, because the leading NAC vendors -- Cisco Systems Inc., Juniper Networks Inc. and Symantec Corp. -- throw in NAC products as sweeteners for many of their corporate deals. Those purchase agreements are wired in at the executive level, meaning there are relatively few competitive NAC deals for the privately held vendors to fight over.
The reality is that it's time to dismiss NAC as a strategic security directive. IT executives should remove NAC as an explicit line item in their security budgets and place a financial and strategic emphasis on access control, endpoint configuration control, and post-connect antimalware protection as business priorities dictate.
The multipurpose definition of NAC requirements exceeds the ability of most vendors to implement and most security teams to manage. An enterprise security program should enable the organization's business to be conducted, but that job cannot be met by quarantining endpoints that fail a NAC product's configuration compliance tests. Instead, vendors should take the best features of their NAC "solutions" and apply them as features to other infrastructure products:
- Enforce acceptable use policies to isolate non-employees from sensitive areas of the network -- This prevents guests or non-employees from accessing confidential resources on the network, and is one of the persistent market drivers for NAC. These access decisions are predominantly functions of user identity and roles, not of endpoint health; endpoint compliance matters more for how access should be delivered (a virtualized or cloud-hosted session versus local processing) than for whether it should be granted at all. Rather than buying NAC for this, enterprises should invest in authentication of wireless and wired network connections, so that every user is identified and decisions about application access can be based on security policy.
- Reduce endpoint configuration maintenance costs -- A side-benefit of NAC is that end users are automatically instructed to upgrade (without the involvement of IT) when their software and systems are not in compliance with security policies. However, this self-service system places a burden on untrained end users, who will revolt against invasive security products. Security organizations would be better served refining automated endpoint configuration management systems to make them easier for end users, or by virtualizing applications so IT can more easily provide pristine images from controlled management servers.
- Mitigate the impact of infected endpoints before it becomes a network epidemic -- An endpoint that has passed a NAC system's validation tests can still be the source of malware that spreads across the network. This is the classic case of compliance not ensuring security. A compromised endpoint cannot be trusted to report its own state; the same malware that infected it controls what the agent sees. Network vendors are becoming adept at catching command and control dialogs and malware propagation protocols on the wire, where the endpoint has no say. Security managers should talk with network security vendors about catching malicious traffic after the connection is established, to reduce the risk of attack.
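To make the last point concrete, here is what post-connect detection from network telemetry looks like, as an added example that is not code from this column or from any vendor's product. It runs two rules over a constructed set of flow records: a beaconing rule that flags a host whose connections to one destination recur at suspiciously regular intervals, and a fan-out rule that flags a host contacting many distinct internal targets on the SMB port within a short window. The flow records, the posture table, the field layout and the thresholds are all assumptions chosen for illustration. The point it demonstrates is that the host the posture check marked "compliant" is exactly the one the network sees beaconing and spreading.

```python
"""Post-connect detection of C2 beaconing and lateral propagation from flow records.

Added example, not code from the original column or any NAC product. The flow
records, posture table, field layout and thresholds below are constructed
assumptions for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src, dst, dst_port).
# 10.0.0.5 passed the posture check, yet beacons to one external host roughly
# every 60 s and then fans out over SMB to many internal hosts within seconds.
FLOWS = [
    (1000, "10.0.0.5", "203.0.113.9", 443),
    (1061, "10.0.0.5", "203.0.113.9", 443),
    (1119, "10.0.0.5", "203.0.113.9", 443),
    (1181, "10.0.0.5", "203.0.113.9", 443),
    (1240, "10.0.0.5", "203.0.113.9", 443),
    (1299, "10.0.0.5", "203.0.113.9", 443),
    # Ordinary browsing from another host: bursty, irregular timing to one site.
    (1000, "10.0.0.7", "198.51.100.20", 443),
    (1003, "10.0.0.7", "198.51.100.20", 443),
    (1150, "10.0.0.7", "198.51.100.20", 443),
    (1151, "10.0.0.7", "198.51.100.20", 443),
    (1400, "10.0.0.7", "198.51.100.20", 443),
    (1900, "10.0.0.7", "198.51.100.20", 443),
]
# SMB fan-out from the beaconing host: 12 distinct internal targets in 12 s.
FLOWS += [(1300 + i, "10.0.0.5", f"10.0.0.{100 + i}", 445) for i in range(12)]

# Constructed posture results, as a NAC agent on each host would report them.
POSTURE = {"10.0.0.5": "compliant", "10.0.0.7": "compliant"}


def beaconing_hosts(flows, min_count=5, max_cv=0.2):
    """Return (src, dst, port) tuples whose connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections; human-driven traffic is bursty, beacons are not.
    """
    by_conv = defaultdict(list)
    for ts, src, dst, port in flows:
        by_conv[(src, dst, port)].append(ts)
    hits = []
    for key, times in by_conv.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(key)
    return sorted(hits)


def fanout_hosts(flows, port=445, window=30, min_targets=10):
    """Return sources that reach >= min_targets distinct hosts on `port` within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            by_src[src].append((ts, dst))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sliding window anchored at each event; stop at the first window that trips.
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits.add(src)
                break
    return sorted(hits)


def suspicious_compliant_hosts(flows, posture):
    """Hosts the posture check passed that network telemetry still flags."""
    flagged = {src for src, _, _ in beaconing_hosts(flows)} | set(fanout_hosts(flows))
    return sorted(h for h in flagged if posture.get(h) == "compliant")


if __name__ == "__main__":
    print("beaconing:", beaconing_hosts(FLOWS))
    print("SMB fan-out:", fanout_hosts(FLOWS))
    print("compliant but flagged:", suspicious_compliant_hosts(FLOWS, POSTURE))
```

The thresholds are deliberately loose so the logic is readable; a production rule would also whitelist known periodic traffic (update checks, monitoring agents) and weight the fan-out rule by the failure rate of the SMB sessions, since a worm sweeps addresses that do not answer. The design point is that neither rule asks the endpoint anything.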
About the author:
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.