STANDARDS SHAKEUP
There are four standards in the NAC market:
• Cisco's Network Admission Control, which includes its NAC framework and NAC appliance;
• Microsoft's Network Access Protection (NAP), which relies on Windows Server 2008, Windows Vista, and Windows XP Service Pack 3;
• The Trusted Computing Group's Trusted Network Connect (TCG/TNC), which is promoted through the TCG and defines a set of APIs and protocols for NAC; and
• The IETF Network Endpoint Assessment (NEA) working group, which is really just a way to bring Cisco to the NAC standards discussion, since Cisco doesn't recognize TCG as a standards body and won't participate in TCG's proceedings. Got that?
For the third year, companies are still mostly in a research phase, with the majority of respondents evaluating the various frameworks. While 15% are either using or plan to use Cisco's NAC framework, 8% are using or plan to use NAP. Shares held by both Cisco and Microsoft are down slightly from 2007, while the TNC/TCG is holding steady with 5% planning or using that framework. The NEA retains its position as "protocolus obscurus"--48% of respondents aren't even aware it exists.
Both Cisco and Microsoft have active and well-supported partner programs, with third-party add-ons like antivirus, patch management, and host-based firewalls that integrate with the giants' frameworks, not to mention the marketing muscle to get the word out about their products. We're surprised that neither framework is dominant with respondents.
While Cisco has the largest market share (well over 50%) in the access switch market, and Microsoft is king of the desktop, we've been expecting demand for integration and interoperation, and thus conformance with their respective frameworks to rise. Yet respondents don't seem to care which framework wins, though they clearly want one to take over: 38% say it's either very important or critical for an industry standard to come to the fore, while 29% state a preference for Cisco and 23% for Microsoft.
Only 8% of respondents think standardization is unimportant.
Of course, Windows Server 2008 just shipped in January, so NAP hasn't been available long enough to be widely deployed. The importance of NAP may increase over time, particularly among Microsoft shops.
Another twist: Vendor claims that a product "integrates" with a framework can mean vastly different things. Without clear testing procedures that demonstrate a level of integration among products, a partnership program is just empty marketing. All too often, integration is so limited, fragile, or complex that it is of little value. A common example is interaction with a help-desk application, where integration is nothing more than automatically generated e-mail acknowledgements or an SNMP trap. Forty-four percent of respondents indicate that conformance testing by the vendor or a standards body is an important or critical requirement, while only 26% say third-party testing is the way to go.