Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Serious About NAC

The vast majority of organizations are either deploying network access control or planning to. That was the finding of our survey earlier this year of 325 IT professionals, which is the basis for our NAC Analytics report. The numbers are up sharply this year, with only 15% having no plans for implementation versus 46% a year ago, indicating that NAC has evolved from an interesting concept to a valid and valued enterprise technology. However, what IT pros who are planning deployments think they'll get from NAC is turning out to be different from what implementers are actually getting, and while there seems to be general agreement that NAC is a good thing, there's no agreement on the best architectural approach. Because the differences between planners and implementers were significant throughout our survey, we chose to break down results by those two groups and to compare each to the results we obtained in 2006.

Increasingly, there's consensus on the drivers for NAC: resource access control and regulatory compliance. It's compliance, however, that's coming to the forefront, especially for those who are already implementing the technology. Where in 2006 only 52% of respondents saw NAC as a response to compliance needs, now 63% of implementers see it that way. The numbers are even starker for those concerned with individual regulations like Sarbanes-Oxley. Fifty-two percent of implementers now see specific regulatory requirements as driving NAC adoption, while only 22% of those still planning for NAC are so driven.

Both needs are fundamentally the same. No regulation actually calls for anything as specific as implementing NAC. Instead, the law talks of concepts like managing and protecting hosts that access data. That leaves a lot of room for interpretation. NAC--which assesses a host's condition and, based on that assessment, grants or denies access to the network and its resources--is seen as one way to satisfy regulations and appears to be well on its way to becoming a best practice. Best practices are often emergent in a market rather than dictated--if most companies follow a certain convention, as is becoming the case with NAC, that convention becomes a best practice.

Status Of NAC Plans, 2007: Is your organization deploying NAC?

NAC isn't a complete access control system. It functions to grant access to the network, but not generally as part of the access control mechanism for applications. A host may pass a host assessment, for example, and be granted access to the network, but once on the network, NAC may be unable to prevent malicious user behavior, such as application-level attacks like SQL injection into a Web application, or even more pedestrian problems, such as saving data to removable media like USB drives or other external storage devices. Most of the products discussed in our full NAC report don't include mechanisms for controlling access to removable media.

  • 1