Sneak Peek At Our Third Annual NAC Reader Survey

Apr 25, 2008 (08:04 PM EDT)

Read the Original Article at

NAC buyers and sellers are circling one another warily, awaiting the opportune moment to make a move. On the supply side, we expect vendor consolidation this year. Meanwhile, enterprises are evaluating network access control's ability to help in compliance efforts--without lost productivity or connectivity. Those are just a few conclusions drawn from our third annual survey on NAC. We received 702 total responses; final results reflect only participants involved in the decision-making process. These 471 business technology pros are interested in access control, but leery of its cost and complexity.

Even though standards as a whole evoked yawns, we saw increased interest in frameworks from Cisco Systems and Microsoft, two companies that already enjoy strong enterprise ties. Yet the NAC market boasts no fewer than 20 vendors, many of them startups, all vying for business worth $225 million in 2006, according to Gartner. That's not enough to go around, apparently--Caymas Systems closed its doors in 2007, and Lockdown Networks went bust in March. Vernier Networks, aka Autonomic Networks, is looking to get out of the NAC market.

InformationWeek Reports

Slowing sales aren't the whole story. The number of companies deploying NAC is down 50% from 2007, when we first asked the question. This represents a fairly typical cycle: Early adopters rush to deploy, followed by a slowdown as more conservative organizations appraise their options. The economy likely also plays a role. In a recent InformationWeek Research survey of 374 business technology professionals, 57% said their budgets are under pressure.

The news isn't all bad for NAC--more than half of respondents are evaluating or planning to deploy--yet we were interested to see that of companies with no NAC plans, 55% based that decision on concern that NAC won't improve their security stances or live up to promises. This represents a reality check: NAC is no silver bullet, and information security professionals realize that a host that passes inspection when it logs on to the network may later become malicious. More important, NAC solves a very small subset of security problems, and success depends on the architecture. In-band products tend to focus on granular network access control and application monitoring, while out-of-band systems are better at host assessment and deciding who gains admission to the network.

Chart: Is Your Organization Deploying NAC?
An even larger concern, cited by 66% of respondents not planning to deploy NAC, is productivity impact. Given the raison d'etre of NAC--disrupting network connectivity--this is a valid worry. You certainly don't want staff spending hours manually overriding access for users. In response, NAC vendors have developed fairly flexible policy-development features so IT can balance automated access control with reasonable limits. From a features standpoint, the ability to quickly and easily recover a quarantined computer or override host status varies greatly based on enforcement method.

Finally, 65% of those deploying, planning to deploy, or evaluating say it's very important that a NAC device failure doesn't compromise network resiliency. Depending on how the access control product is implemented, different methods for ensuring continuous throughput are used. In-band devices, for example, should be able to participate in Layer 2 resiliency functions in an active or passive manner, while in out-of-band setups, where the NAC appliance is the Radius or DHCP server, a combination of appliance redundancy and switch features that use multiple servers can do the trick.

IT shops don't care what standard or framework becomes dominant. In 2007, neither Cisco's NAC, Microsoft's Network Access Protection (NAP), the IETF's Network Endpoint Assessment (NEA), nor the Trusted Computing Group's Trusted Network Connect (TNC) spec broke out of single digits as a critical requirement. When we combined "very important" and "critical requirement" responses, only Cisco broke 20%. Our 2008 results don't show much of a shift. Cisco and Microsoft gained a few points in both "critical requirement" and "very important," while TNC fell, but more telling is that the number of readers expressing a preference for any industry-based framework fell from 2007 to 2008.

This isn't to say IT doesn't care about standards; it's more indicative that respondents are still in the evaluation process. A large percentage had at least heard of the frameworks and, in many cases, are actively investigating one or more of them. However, the deck is stacked against TNC in that most NAC vendors participate in Cisco's NAC and Microsoft's NAP partner programs, as do a growing number of non-NAC vendors that offer security and patch management software that also integrates with Windows. Despite the efforts of the Trusted Computing Group to get the word out about Trusted Network Connect, awareness hasn't grown since 2007.

chart: What Are The Top Barriers To NAC Adoption In Your Organization?
The TCG did announce support for Microsoft's Statement of Health protocol as a TNC standard, which gives the NAP agent instant conformance to the TNC framework; however, widespread adoption hasn't occurred because Vista, which includes the NAP agent, has pretty much flopped in the enterprise, while Windows XP Service Pack 3 hasn't yet shipped.

The bright spot for standards is that 802.1x on wired networks is becoming more common as companies upgrade edge switches to current hardware and firmware. Two-fifths of respondents say 80% or better of their networks are capable of supporting 802.1x. The benefits of 802.1x in NAC is that enforcement occurs at the switch port, and computer control, including network addressing and VLAN assignment, can be dynamic and flexible. However, the percentage of networks actually using 802.1x is far lower that the number capable of supporting the standard, indicating that organizations are moving slowly.

We asked respondents to identify the top three drivers for their NAC deployments. Compliance is a perennial impetus, at 56%, followed by enforcing control to network resources, at 55%. It's no wonder those two are near the top year over year. In broad terms, two aspects of NAC address compliance: access control and reporting. HIPAA regulations and PCI standards, for example, require IT to enforce access limits and apply controls to computers accessing or hosting sensitive information. The specifics within the regulations are vague, but the intent is clear.

NAC products certainly help enforce access control--at the very least ensuring that guest computers are segregated from the internal network. Systems that use in-band devices create the potential of user- or role-based firewalls to regulate which network devices and services are accessible. This is not to be confused with application access control, which is built into apps and can be fine-grained. Rather, with NAC at the server and service levels, you can set policies so that, for example, only employees can communicate with the HR portal. You don't necessarily need NAC to perform any of these functions, of course, a fact not lost on IT managers. You can get much of the segregation functionality needed to comply with today's security stances using existing technology, though the final result will be somewhat static.

chart: Security Promise -- What's your level of concern that NAC won't substantially increase security?
The main barriers to NAC deployments continue to be cost, noted by 61% of respondents in our survey, and complexity, at 54%. Pricing for NAC products starts at $3,000 to $7,000 for software, $10,000 to $20,000 for a low-end appliance, and reaches upward of $50,000 for a high-end appliance. Annual maintenance typically runs 12% to 15% of the purchase price, plus applicable user licenses. Capital costs just to get started are daunting--and we haven't even factored in required network configuration changes or upgrades. It's a hard sell for a technology that doesn't add to the bottom line.

We hear over and over from integrators that they're called in for NAC consultations only after an organization has been successfully attacked. And of course, when you're in panicked reactive mode, it's the worst time to contemplate a technology as invasive as NAC. There are many complexities that organizations face, from simply building the policies that will define how NAC will function to implementing and integrating the chosen system. In addition, NAC products can be complex to install and subsequently modify, especially when they require changes to the physical infrastructure. The lesson: If you're sure NAC is in your future, now may be a good time to make the leap.

chart: Security Vs. Time -- What's your level of concern regarding the trade-off between security and initial network access time when using NAC?