Serious About NAC

The vast majority of organizations are either deploying network access control or planning to. That was the finding of our survey earlier this year of 325 IT professionals, which is the basis for our NAC Analytics report. The numbers are up sharply this year, with only 15% having no plans for implementation versus 46% a year ago, indicating that NAC has evolved from an interesting concept to a valid and valued enterprise technology. However, what IT pros who are planning deployments think they'll get from NAC is turning out to be different from what implementers are actually getting, and while there seems to be general agreement that NAC is a good thing, there's no agreement on the best architectural approach. Because the differences between planners and implementers were significant throughout our survey, we chose to break down results by those two groups and to compare each to the results we obtained in 2006.

Increasingly, there's consensus on the drivers for NAC: resource access control and regulatory compliance. It's compliance, however, that's coming to the forefront, especially for those who are already implementing the technology. Where in 2006 only 52% of respondents saw NAC as a response to compliance needs, now 63% of implementers see it that way. The numbers are even starker for those concerned with individual regulations like Sarbanes-Oxley. Fifty-two percent of implementers now see specific regulatory requirements as driving NAC adoption, while only 22% of those still planning for NAC are so driven.

Both needs are fundamentally the same. No regulation actually calls for anything as specific as implementing NAC. Instead, the law talks of concepts like managing and protecting hosts that access data. That leaves a lot of room for interpretation. NAC--which assesses a host's condition and, based on that assessment, grants or denies access to the network and its resources--is seen as one way to satisfy regulations and appears to be well on its way to becoming a best practice. Best practices are often emergent in a market rather than dictated--if most companies follow a certain convention, as is becoming the case with NAC, that convention becomes a best practice.

PAIN POINTS
NAC isn't a complete access control system. It functions to grant access to the network, but not generally as part of the access control mechanism for applications. A host may pass a host assessment, for example, and be granted access to the network, but once on the network, NAC may be unable to prevent malicious user behavior, such as application-level attacks like SQL injection into a Web application, or even more pedestrian problems, such as saving data to removable media like USB drives or other external storage devices. Most of the products discussed in our full NAC report don't include mechanisms for controlling access to removable media.It appears that application-level control is on the minds of NAC implementers and planners. Controlling access to data center resources--something that almost always requires application knowledge--is seen as the most important resource for NAC to protect. After the data center comes the more traditional NAC functions, with wired, remote, and branch office access cited as the next three most important protection points. Lowest on the list are two concerns originally touted as NAC selling points: guest and contractor access. It appears that many organizations may have sufficiently tackled these problems in other ways, such as limiting access based on the typical network points of entry for guests and contractors. Some organizations have also required that contractors use the company's systems rather than bringing in their own. While this is a sensible security measure, it also runs afoul of IRS guidelines that define the difference between a contractor and an employee. Contractors use their own equipment, employees use the company's--at least according to the IRS.

(click image for larger view)

NAC CONCERNS
NAC isn't without its problems--both real and perceived. A NAC deployment requires much more than introducing some new hardware to the network. A great deal of work is involved in determining access policies and to which groups or individuals they should be applied. A NAC deployment will produce changes in how users are provisioned and new problems the help desk must sort out; in addition, a NAC deployment will introduce other operational concerns, especially surrounding issues such as deploying patches and new applications. In some cases, when remediation is part of the NAC architecture, it simplifies the process of deploying patches and applications, as both can be part of the remediation process.

The top three concerns for implementing NAC are compatibility issues between NAC and other productivity products, the trade-off between security and productivity, and concerns for increased help desk load--all of which are valid and should be vetted during evaluations. Interestingly, those who are planning but haven't yet begun implementation are more concerned that NAC won't really increase the organization's overall security stance than those who've already implemented NAC. Two forces are most likely at work here. While it appears that those who've implemented the technology are more satisfied, it's also at least as likely that those who weren't early adopters stayed away because, as they perceived it, NAC couldn't solve some critical needs. Nonetheless, greater satisfaction on the part of implementers leads us to believe that for most organizations, the perceived problems are solvable.

While many organizations are implementing NAC, many aren't doing so pervasively. The twin bugaboos of cost and complexity are by far the most significant barriers to adoption. Cost is rated as a top-three barrier by more than 60% in our 2007 survey, and while that's still the largest concern, it's down from 85% in 2006. The drop in cost concerns probably has something to do with having a good number of actual implementations as guides. It's likely also because of the greater number of architectural options, some of which are considerably cheaper to deploy than the first NAC architectures described. Complexity concerns remain about the same, being a worry to about 60% in both polls. The next-most-cited barrier to adoption is market and product immaturity, with 35% of respondents citing it.

DEPLOYMENT
NAC deployments are indeed complex. While 56% of those planning for deployment in 2006 thought it would take less than six months, only 38% of those who completed deployment in 2007 did it in six months; the other 62% were split evenly among seven to 12 months, 13 to 24 months, and more than 24 months. Still, as major IT initiatives go, NAC rollouts are comparatively quick. (See chart, p. AB7, for estimates vs. actual implementation times for a NAC solution.)Four methods have emerged for deploying NAC. Each comes with benefits and drawbacks, and none has emerged as the architecture of choice (see our NAC tutorial at nwc.com/go/nac-tutorial for more detail). Secure-switch-based systems require support from all switches at the network's edge, as well as the addition of policy assessment appliances and operations consoles. This system was the basis for Cisco's original CNAC architecture. It appears to be well understood and accepted, with 48% of our poll respondents saying they'd be willing to upgrade their LAN switching infrastructure. While it's a well understood architecture, it's also by far the most expensive to implement pervasively. So much so that Cisco itself now sells an appliance-based out-of-band solution.

(click image for larger view)

In-band systems were the most preferred, with more than 60% saying they'd add in-line appliances to their network. These systems have the benefit of evaluating all network traffic, making them much harder to circumvent than out-of-band systems. They can also watch for anomalous behavior, which could indicate an attack--something other solutions don't do. In theory, in-line systems can track user activity down to the application level. This may account for their relative popularity as they can facilitate a level of granular access control not possible with other technologies. On the downside, these systems amount to a new single point of failure and potential bottleneck--a concern that vendors are keen to assuage. Current designs perform well and are based on highly robust hardware, with such features as redundant fans and power supplies.

Also In This Report

Get the full-length report at businessinnovation.cmp.com/
governance

Out-of-band appliances use a variety of methods to enforce their policies. Because the appliances don't directly control the flow of traffic, out-of-band solutions are seen as more easily circumvented. While that's true, these systems are typically cheaper to deploy since many don't include per-user licensing fees and aren't affected by high levels of network traffic. About 45% in our poll indicated a willingness to use out-of-band products. Microsoft's Network Access Protection is the best-known example of this architecture.

Finally, a new class of host-based products is emerging. These systems are independent of network design or even the presence of a network. One can think of them as similar to a personal firewall, except that these systems evaluate the state of the host rather than the state of incoming network traffic. Our survey showed 47% willing to implement this solution.While most organizations will likely start with one architecture, it's quite likely that more than one architecture may preferable. For instance, a university might prefer a more affordable out-of-band system in student dorms but choose a more robust in-line product for its academic and administrative data processing needs.