NAC buyers and sellers are circling one another warily, awaiting the opportune moment to make a move. On the supply side, we expect vendor consolidation this year. Meanwhile, enterprises are evaluating network access control's ability to help in compliance efforts--without lost productivity or connectivity. Those are just a few conclusions drawn from our third annual survey on NAC. We received 702 total responses; final results reflect only participants involved in the decision-making process. These 471 business technology pros are interested in access control, but leery of its cost and complexity.
Even though standards as a whole evoked yawns, we saw increased interest in frameworks from Cisco Systems and Microsoft, two companies that already enjoy strong enterprise ties. Yet the NAC market boasts no fewer than 20 vendors, many of them startups, all vying for business worth $225 million in 2006, according to Gartner. That's not enough to go around, apparently--Caymas Systems closed its doors in 2007, and Lockdown Networks went bust in March. Vernier Networks, aka Autonomic Networks, is looking to get out of the NAC market.
Slowing sales aren't the whole story. The number of companies deploying NAC is down 50% from 2007, when we first asked the question. This represents a fairly typical cycle: Early adopters rush to deploy, followed by a slowdown as more conservative organizations appraise their options. The economy likely also plays a role. In a recent InformationWeek Research survey of 374 business technology professionals, 57% said their budgets are under pressure.
The news isn't all bad for NAC--more than half of respondents are evaluating or planning to deploy--yet we were interested to see that of companies with no NAC plans, 55% based that decision on concern that NAC won't improve their security stances or live up to promises. This represents a reality check: NAC is no silver bullet, and information security professionals realize that a host that passes inspection when it logs on to the network may later become malicious. More important, NAC solves a very small subset of security problems, and success depends on the architecture. In-band products tend to focus on granular network access control and application monitoring, while out-of-band systems are better at host assessment and deciding who gains admission to the network.
An even larger concern, cited by 66% of respondents not planning to deploy NAC, is productivity impact. Given the raison d'etre of NAC--disrupting network connectivity--this is a valid worry. You certainly don't want staff spending hours manually overriding access for users. In response, NAC vendors have developed fairly flexible policy-development features so IT can balance automated access control with reasonable limits. From a features standpoint, the ability to quickly and easily recover a quarantined computer or override host status varies greatly based on enforcement method.
Finally, 65% of those deploying, planning to deploy, or evaluating say it's very important that a NAC device failure doesn't compromise network resiliency. Depending on how the access control product is implemented, different methods for ensuring continuous throughput are used. In-band devices, for example, should be able to participate in Layer 2 resiliency functions in an active or passive manner, while in out-of-band setups, where the NAC appliance is the Radius or DHCP server, a combination of appliance redundancy and switch features that use multiple servers can do the trick.