NAC Gaining Momentum

The Challenge:

Permitting internal & external users with secure access to resources. Secure access mean:

• properly authenticated & authorized
• free of spyware and viruses
• access only to information users need to do their job

NAC: Securing access to information

The Network Access Control space has received much press over the past few years. Many companies have been leary of making the jump citing implementation complexities, lack of standards and the inability to source a product that met all company requirements.

However, a recent report by Network Computing based on a broad survey stated that; "most said NAC is easier to deploy, is less disruptive and requires fewer changes to network configurations, and has less of an impact on productivity than was expected."

This is not to say that there are no longer difficulties or complaints. There are over 30 vendors in this space with 4 - 6 competitors occupying the lions share. The proliferation of proprietary standards poses challenges to interoperability. Word to the wise, understand your requirements thoroughly before jumping in - NAC implementations can be expensive with the mean average of survey respondents having spent 12% of their entire enterprise IT budget on the project.

Additional NAC Points of Interest:

Infrastructure Impact:

• NAC deployments are notorious for demanding infrastructure changes - on average, respondents expected to have to change up to 30% of their infrastructure for NAC readiness
• Understanding what the impact on the network is is critical to accurate budgeting and product selection processes.
  

Productivity Impact:

• There have been concerns that NAC might keep legitimate users from doing their jobs - and add work for IT. These concerns may be unfounded given the opportunity for productivity enhancements, i.e. allowing infected systems to be quarantined and remediated in an automated fashion.

Interoperability, Frameworks & Standards:

• Here is a general pictorial of the NAC standard
• Cisco and Microsoft have announced an initiative to ensure interoperability between their platforms - putting a wrench into the Trusted Computing Group's attempt to create an open standard based on non-proprietary technologies.
• Cisco and Microsoft are coincidently "most trusted" in this space

In spite of their being numerous proprietary methodologies in place, there are a number of "common" enforcement techniques, as this article explains well.

Suggestions for NAC consideration:

• Measure twice, cut once: plan, plan plan first - this is critical to success. Understand exactly what you'd like to accomplish.
  

Choosing a NAC vendor is largely dependent on the primary issue you want address, since vendors now tend to be either good at posture assessment, quarantine, remeditation and ongoing threat assessment, or identity-based policy enforcement--but not both. If you're like most respondents, you want it all--in which case you may want to wait until best of breed solutions emerge.

• Set expectations with senior management: the ROI on NAC is difficult to quantify - but regarded by those who have implemented NAC as worthwhile
• Evaluate impacts to existing infrastructure