After the feverish hype of early 2006 and the cold splash of reality that followed, the network access control (NAC) market appears to be growing steadily, as products mature and enterprises get a better handle on what they are looking for and just what it will take to make it work.
"NAC is still absolutely a hot topic," said Robert Whitley, a senior analyst at Cambridge, Mass.-based Forrester Research Inc. "A lot of companies are trying to implement it, but many are frustrated by the time it takes and, ultimately, what they get out of it."
And, organizations are still wary about the maturity of the assorted NAC technologies, and vendor viability. There has been some notable consolidation in the market, starting with Cisco's acquisition of Perfigo in 2004, Symantec buying Sygate and, more recently, Sophos and Novell snapping up Endforce and Senforce, respectively. A gaggle of independent NAC vendors remain, although Citrix bought Caymas' assets last year, and Vernier Networks is in the process of reinventing itself as Autonomic Networks.
"NAC gets a bad rap," said Lawrence Orans, a research director at Stamford, Conn.-based Gartner Inc. "People are concerned about maturity, in large part because the industry giants are slow to deliver--Cisco did not deliver on early promises; Microsoft has been slow on NAP. But early adopters have had good success."
Analysts and vendors generally agree that's true, especially for deployments around an early driver for NAC, securing access for non-employees ("guests"), such as contractors, partners and vendors, but have found implementation expensive and more difficult than expected, especially as they move into more complex use cases, such as role-based access control.
"That's significantly harder to deploy," said Whitley. "You have to enforce at a more granular level and create hooks into identity management systems."
In Forrester's survey, Network Access Control Trends, released in January, companies rated securing both guest access and employee access as "Very Important" drivers almost equally, indicating they are maturing in their approach to NAC.
Operational and political issues come into play as well. Which of the IT silos owns NAC--security, networking, desktop? It will come down to some combination working cooperatively, regardless of who is driving. Business considerations come strongly into play, as no one want to explain why a lot of employees are drinking coffee while their laptops are updated on a quarantine VLAN or the COO can't use his computer until the latest Windows patches are installed.
Compliance and audit requirements bring other groups into play.
"You need to understand what you want in a solution, said Ofir Arkin, chief technology officer and co-founder of Insightix, a software network-based NAC vendor. "The reality was a solution would cost a lot of money, a lot of time to deploy, and a lot of resources. People were expecting one thing and got another."
Growing pains notwithstanding, NAC vendors are selling product. Current Analysis' five-year forecast in 2005 said the NAC market would reach $1 billion in 2010, a number that looks plausible now. Gartner said that its prediction the market would double from $100 million to $200 million in 2007 has held true, and believes it will double again this year.
Research also shows that companies are moving ahead with plans to deploy NAC. Information Security's Priorities 2008 survey, published this month, showed that 31% of the respondents have already deployed NAC, 16% will deploy this year and another 34% will evaluate NAC technologies.
Forrester's survey, released in January, showed that 26% of the companies surveyed have adopted NAC, and another 15% will deploy over the next 12 months.
If you're considering deploying NAC, however, what flavor or flavors will it be? That's where NAC gets even more complex.
Organizations have been slow to adopt Cisco's full NAC implementation, citing complexity and cost of refreshing their network infrastructure.
"To make NAC work you have to know a lot about users, their roles and entitlements," said .IRG co-founder Peter Christy, explaining that customers weren't all ready for NAC. It's an important problem, but the thinking in 2006 was, 'Cisco is making progress at the rate I'm making progress in 2006, so when I am ready to refresh, Cisco will be ready.'"
Cisco makes its Cisco NAC Appliance a focal point for its NAC implementation strategy, emphasizing the critical role of centralized policy control and management.
"NAC is an Easter egg hunt. Policy lives in a lot of different places, and you need to assemble it," said Brendan O'Connell, Cisco's product line manager for NAC. "If a customer does not have good handle on policies for admission, enforcement is difficult. The appliance puts policy in a central place."
The appliance-versus-client software schism is something akin to religious war in the NAC world. Appliance/network-based vendors like Cisco, Lockdown Networks and Mirage Networks, believe that the network approach is the only way to fully cover every device that seeks network admission, not just Windows computers. Endpoint vendors such as Symantec, McAfee and Sophos cite the expense of deploying multiple appliances throughout a large enterprise, and the benefits of integrating NAC clients and management into their traditional antivirus/antispyware products.
"Customers want a NAC solution, but don't want another console, another agent," said Patrick Wheeler, Symantec's senior manager for endpoint compliance. "We have definitely seen a lot of enthusiasm from our integration of NAC into Endpoint Security 11.0."
Wheeler emphasized, however, that client-based NAC alone won't completely solves the problem. "NAC can't be strictly host-based or network-based. That's why we take a combined approach."
Forrester's research supports that. Their survey showed 57% of their respondents who have either deployed or plan to deploy NAC favor a combined software, switch and appliance-based approach.
The same research shows only 4% favor an all-appliance approach, 9% switch-based, and 19% a software-only implementation.
"Software is the preferred method for enterprises," said Forrester's Whitley. "Deployment cost is lower, and you get richer policy."
"The preference all of last year for was for appliance-based offerings," said Gartner's Orans. "Now that endpoint protection vendors have added NAC to their, suites, they will offer more competition."
As Vista and Windows Server 2008 gains penetration and the infrastructure-based combination of Cisco NAC and Microsoft NAP takes hold, as those two behemoths collaborate.
"By 2011 … a lot of organizations will be 100 percent Vista that's a pretty compelling," said Oran. "If Cisco and Microsoft execute on their partnership, NAC will be embedded and interoperable." The pendulum will switch to infrastructure and endpoint protection suites."
"Microsoft will rely on the network for enforcement by collaborating with Cisco infrastructure," said Whitley. "It's a question is where you do policy. Cisco will take less of role on policy and more on enforcement."