Network Computing is part of the Informa Tech Division of Informa PLC

Sneak Peek At Our Third Annual NAC Reader Survey: Page 2 of 2

IT'S ALL ABOUT STANDARDS ... RIGHT?
IT shops don't care what standard or framework becomes dominant. In 2007, neither Cisco's NAC, Microsoft's Network Access Protection (NAP), the IETF's Network Endpoint Assessment (NEA), nor the Trusted Computing Group's Trusted Network Connect (TNC) spec broke out of single digits as a critical requirement. When we combined "very important" and "critical requirement" responses, only Cisco broke 20%. Our 2008 results don't show much of a shift. Cisco and Microsoft gained a few points in both "critical requirement" and "very important," while TNC fell, but more telling is that the number of readers expressing a preference for any industry-based framework fell from 2007 to 2008.

This isn't to say IT doesn't care about standards; it's more indicative that respondents are still in the evaluation process. A large percentage had at least heard of the frameworks and, in many cases, are actively investigating one or more of them. However, the deck is stacked against TNC in that most NAC vendors participate in Cisco's NAC and Microsoft's NAP partner programs, as do a growing number of non-NAC vendors that offer security and patch management software that also integrates with Windows. Despite the efforts of the Trusted Computing Group to get the word out about Trusted Network Connect, awareness hasn't grown since 2007.

chart: What Are The Top Barriers To NAC Adoption In Your Organization?

The TCG did announce support for Microsoft's Statement of Health protocol as a TNC standard, which gives the NAP agent instant conformance to the TNC framework; however, widespread adoption hasn't occurred because Vista, which includes the NAP agent, has pretty much flopped in the enterprise, while Windows XP Service Pack 3 hasn't yet shipped.

The bright spot for standards is that 802.1x on wired networks is becoming more common as companies upgrade edge switches to current hardware and firmware. Two-fifths of respondents say 80% or better of their networks are capable of supporting 802.1x. The benefit of 802.1x in NAC is that enforcement occurs at the switch port, and computer control, including network addressing and VLAN assignment, can be dynamic and flexible. However, the percentage of networks actually using 802.1x is far lower than the number capable of supporting the standard, indicating that organizations are moving slowly.

DRIVERS AND BARRIERS
We asked respondents to identify the top three drivers for their NAC deployments. Compliance is a perennial impetus, at 56%, followed by enforcing control to network resources, at 55%. It's no wonder those two are near the top year over year. In broad terms, two aspects of NAC address compliance: access control and reporting. HIPAA regulations and PCI standards, for example, require IT to enforce access limits and apply controls to computers accessing or hosting sensitive information. The specifics within the regulations are vague, but the intent is clear.

NAC products certainly help enforce access control--at the very least ensuring that guest computers are segregated from the internal network. Systems that use in-band devices create the potential of user- or role-based firewalls to regulate which network devices and services are accessible. This is not to be confused with application access control, which is built into apps and can be fine-grained. Rather, with NAC at the server and service levels, you can set policies so that, for example, only employees can communicate with the HR portal. You don't necessarily need NAC to perform any of these functions, of course, a fact not lost on IT managers. You can get much of the segregation functionality needed to comply with today's security stances using existing technology, though the final result will be somewhat static.

chart: Security Promise -- What's your level of concern that NAC won't substantially increase security?

The main barriers to NAC deployments continue to be cost, noted by 61% of respondents in our survey, and complexity, at 54%. Pricing for NAC products starts at $3,000 to $7,000 for software, $10,000 to $20,000 for a low-end appliance, and reaches upward of $50,000 for a high-end appliance. Annual maintenance typically runs 12% to 15% of the purchase price, plus applicable user licenses. Capital costs just to get started are daunting--and we haven't even factored in required network configuration changes or upgrades. It's a hard sell for a technology that doesn't add to the bottom line.

We hear over and over from integrators that they're called in for NAC consultations only after an organization has been successfully attacked. And of course, when you're in panicked reactive mode, it's the worst time to contemplate a technology as invasive as NAC. There are many complexities that organizations face, from simply building the policies that will define how NAC will function to implementing and integrating the chosen system. In addition, NAC products can be complex to install and subsequently modify, especially when they require changes to the physical infrastructure. The lesson: If you're sure NAC is in your future, now may be a good time to make the leap.

chart: Security Vs. Time -- What's your level of concern regarding the trade-off between security and initial network access time when using NAC?