In-Depth

Survey Sheds Light on Use, Maintenance of Network Access Control

A new survey shows that enterprise networking groups -- not IT security pros -- are usually responsible for day-to-day NAC administration.

• By Stephen Swoyer
• 09/23/2008

NAC -- network access control -- is a tech category that burst on the scene half-a-decade ago. Cisco Systems Inc. was first out of the gate and -- in the minds of many consumers -- all but synonymous with NAC, so it's no surprise that it's well recognized. What is surprising is that the once fledgling NAC segment is now a teeming marketplace, with smaller vendors vying with prominent players such as Cisco and Microsoft Corp. for leadership bragging rights.

Still more surprising, experts say, is how IT organizations are deploying and maintaining NAC. In practice network access control draws equally upon network and security talent, but enterprise NAC is a highly contentious affair. What's surprising is that enterprise networking groups -- and not IT security pros -- are nominally charged with day-to-day NAC administration.

So says a recent survey from market watcher Infonetics, "User Plans for Network Access Control: North America 2008," which tried to get a sense for how, why, and when hops are deploying -- or plan to deploy -- NAC technologies.

Cisco Has Small Lead

What's most surprising, according to Infonetics, is that outside of NAC recognition, Cisco isn't a runaway market leader.

Microsoft, Juniper, and a host of other established and upstart players are giving the networking giant -- and (in the minds of many consumers) NAC category creator -- a run for its money.

NAC amounts to a veritable gold mine for security (and other) players. It's an interdisciplinary effort, uniting endpoint security offerings (e.g., antivirus and intrusion prevention), user- or system-authentication components, and network security enforcement technologies. It's a gold mine for security suite vendors like Symantec Corp., McAfee Inc., and Trend Micro Inc., for example, because it gives them a single unifying impetus -- i.e., a NAC vision in which their network security software is able to make access (or even admission) control decisions based on feedback from endpoint components -- with which to market their otherwise disparate product offerings.

According to the Infonetics survey, Cisco receives top marks for its technology, road map, security, management, price-to-performance ratio, pricing, financial stability, service, and support, which is to be expected given Cisco's role in both productizing and pushing NAC across its network and security appliance products.

The surprise, according to Infonetics, is that competitors seem to have caught up to (or are otherwise nipping at the heels of) Cisco: Microsoft, for example, matched Cisco's score for financial stability and managed to nearly erase a perceived technology gap (in the minds of respondents).

Cisco archrival Juniper, on the other hand, received top marks for price-to-performance and was a close second to Cisco on the security tip, too.

A Split Deployment and Management Model

One big surprise concerns the way adopters actually maintain NAC technologies once they're deployed.

Common sense would suggest that NAC should fall under the purview of network or information security. In practice, Infonetics reports, that isn't happening. In fact, networking departments -- not enterprise security departments -- tend to take ownership of day-to-day NAC management.

"One of the most interesting findings from our NAC user study is that networking groups are responsible for day-to-day management of NAC at about two-thirds of the medium and large organizations we interviewed," said Jeff Wilson, a principal analyst with Infonetics, in a statement.

The upshot, Infonetics concludes, is that enterprise NAC involves challenging interdisciplinary deployment and maintenance scenarios. By the same token, NAC vendors must also figure out how best to market their technologies to two very different audiences.

"NAC is a very unique example of a critical piece of IT infrastructure that is entirely driven by security concerns but largely managed by networking gurus," Wilson comments. "Selling NAC solutions requires a certain amount of finesse; vendors need to understand how to appeal to both groups, and most importantly to acknowledge -- and handle -- the security team's concerns, while ultimately focusing on making a solution that is deployable by a networking professional."