Lippis Report Issue 69: 2007 Is The Year of Network Access Control

Oct 16, 2006

Data points are building into trend lines that suggest 2007 will be the year of Network Access Control or NAC deployments. The data points are many. First and perhaps most important is that network and IT executives have turned the corner in their thinking from general interest to budgeted NAC projects: approximately 1500 companies have deployed a commercial NAC solution today. There are non-commercial NAC implementations too, such as Nessus scans, which, if counted, would drive the 1500 deployments up significantly. The number of NAC customers should well surpass 5000 in 2007 and there's nothing to slow it down. With Microsoft's Network Access Protection or NAP being dependent upon its Network Policy Server (NPS) in Longhorn, NAP will not be relevant until well into 2008. The real discussion in IT conference rooms will focus on spending budget on NAC appliance and/or infrastructure approaches. Enterprise buyers have become very pragmatic in solving their network access control problems. These problems are quickly turning into funded projects. Here are the reasons why 2007 will be the year of NAC.

A quick note on the term NAC. I use NAC as a generic, non-vendor term to describe access control to networked resources. In general NAC provides access control by assessing the posture of a computer's health and its compliance to policy. The result of this posture check may be to grant access, grant limited access, or quarantine a computer for remediation. NAC is media independent, meaning access can be LAN, WLAN, or WAN. During the posture check process NAC vendors are differentiating and innovating on ways to add value to the access control service, such as segmenting users, applying quality of service, monitoring behavior, etc.

Reason One: NAC Solves Real Problems

There are a set of real budgeted security problems that corporations need to solve. These include:

  1. Controlling guest and contractor access
  2. Protecting high-value corporate data and applications
  3. Stratifying, segmenting and controlling user access to conform with regulatory compliance
  4. Mitigating exploits from propagating throughout a corporate network

Of the 1500 companies mentioned above, NAC solutions have primarily been used to solve the guest and contractor access problem. But NAC solutions are diving deeper into applications and user behavior, thanks to identity management, allowing NAC to be part of the corporate regulatory compliance solution. This is big, as NAC project expansions are being funded by compliance budget and championed by the CFO, CSO, CIO and Chief Legal Officer (CLO) in board meetings. But I'm ahead of myself. Let's review the four key security problems NAC solves.

Problem One: Controlling Guest and Contractor Access

The adaptive corporation must offer Internet access to employees, customers, partners and other people who visit their premises. Hotel guests demand Internet access, while corporate visitors expect they'll be able to sit in a lobby or conference room, open their laptop, and connect to the Internet. Network executives must ensure that guests can't reach corporate assets, such as data, applications, or services such as voice over IP (VoIP). In short, while visiting your corporation, guests need network access to do their job, such as making a presentation, demoing a product, accessing a support web site, etc. Everyone needs access to the Internet to be productive, even when visiting another company. In addition, enterprises demand that guests can't spread exploits.

Contractors by definition require deeper access to IT resources. Contractor responsibility varies from service personnel who maintain everything from data center servers to MRI machines, as well as on-site contractors who perform functions ranging from project management to accounting. Contractors often need LAN access to perform their jobs. However, that access must be limited. An outsourced IT staff responsible for managing server blades in the data center should be restricted to accessing only those devices. Similarly, a contract accountant should have LAN access limited to a few key applications, such as email and accounting packages, and select data sets. Since data isn’t always protected as well as it should be within the enterprise, and getting to a safe data protection model is a hurdle, the network is being used to enforce controls on what assets the contractors can have access to. Ultimately NAC will provide these controls with data protection policy.

Contractor access is potentially more vulnerable and poses a higher security threat than guest access. NAC solutions have leveraged identity management to offer deeper "controlled" access to IT resources as a means of mitigating this higher risk. Some IT departments learn the contractor's identity by adding it to the corporate identity store such as Active Directory or a RADIUS database, or by creating a set of common user names that apply to all contractors working on a similar project. Other IT groups leverage role-based controls, which define policies that control access to applications and resources based on a contractor's or user's group association or role within the enterprise. Some NAC solutions offer host posture checks for end-points which are not owned or managed by the enterprise, thus mitigating exploit propagation. Other NAC solutions require non-managed end-point traffic to flow through in-line threat management or traffic management devices close to the end-point, where more trust might be applied to managed desktops and a more efficient path to resources can be dynamically plumbed.

Problem Two: Protecting High-value Corporate Data and Applications

This is an area where NAC will have a significant impact on corporations during 2007. In short, the problem here is to secure access to KEY data, applications, work product and services. Most enterprises have sensitive financial and human resources data that only the appropriate staff may access. For example, a university needs to limit access to its grading system to faculty. IP telephony is a good example of a service needing protection. In a contact center, the IP telephony service is essential, so IT must protect the call processor to ensure uninterrupted voice service.

It's not feasible for IT to explicitly define what data and which applications each user can access. As mentioned above, data protection is difficult and evolving, but it's a direction the industry requires. NAC contributes to data protection by cooperating with data access policies and enforcing access to critical resources. IT should have the ability to identify particular applications and resources and specify which users are allowed to use them. NAC solutions tie users to traffic and the path of traffic flows (or restrictions), offering IT the ability to control and see what resources and applications a given user has tried to use as well as what they have used. NAC ties users to paths of access to data and applications. Just as above, by applying role-based control, but in real time, IT can specify which users can access which resources. Another benefit is that NAC solutions enable individual user traffic engineering, application access control and visibility into these flows.

Problem Three: Stratifying, Segmenting and Controlling User Access to Conform with Regulatory Compliance Requirements

Controlling guest, contractor and user access to network segments, applications, data, work product and services, with visibility into a user's behavior and use of IT resources, provides a level of flexibility network and IT departments have not had in LAN systems. One key area that will drive NAC solutions deeper into organizations in 2007 is regulatory compliance. To comply with various regulations, organizations need a means to segment users so that only authorized users can access sensitive data and demonstrate compliance to auditors. For example, some organizations need to restrict access to credit card data to comply with the Payment Card Industry (PCI) data security standard. Hospitals and medical facilities must protect patient records to comply with the Health Insurance Portability and Accountability Act (HIPAA).

Enterprises need the ability to restrict access to critical information based on a user's role. In addition, to prove they have effective controls in place, organizations need a means to audit data and application usage and to document that access is indeed restricted. A good NAC solution will protect sensitive data, limit the scope of an audit to the subset of user and server systems subject to the regulation, and provide reports and views which are friendly to auditors.

NAC can be funded with compliance budgets if it provides the following key services: policy-based access controls which track all user activity and traffic flows on the network; application access control at layer 7, which limits which applications a user can run on the network; and documented policies that allow IT to record what control policies are in place and to whom they apply. This is a key auditing tool for demonstrating that users excluded by a policy cannot reach sensitive data. Further controls include activity reports for both users and applications/services; user reports listing every application, server, and resource a user touched in a given timeframe; and application/service reports providing details about all users who ran a particular application or accessed a particular resource during a given period.

Problem Four: Mitigating Exploits from Propagating Throughout A Corporate Network

This has been the main value proposition promoted by NAC vendors: to assess an end-point's posture and determine if it's in compliance with corporate security standards for computing. If the end-point fails the posture check, then the end-point is placed into a quarantine VLAN, remediated, and then its posture can be reassessed. The vendor community is building up this core NAC feature set by standardizing on the process and expanding deeper into user and application control. This is not to say that NAC access control has matured and further investment will be limited.
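As an added example (my own code, not from the report or any vendor named in it), here is a small Python policy evaluator that ties together the NAC services described in this report: a posture check mapped to grant, limited or quarantine, role-based resource access, and a per-user audit trail of attempted and permitted accesses. The roles, resources and posture attributes are constructed for illustration and are not any product's policy model.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    GRANT = "grant"            # full role-based access
    LIMITED = "limited"        # restricted path, e.g. via in-line inspection
    QUARANTINE = "quarantine"  # remediation VLAN only, reassess afterwards

@dataclass
class Endpoint:
    user: str
    role: str          # "employee", "contractor" or "guest" (hypothetical roles)
    managed: bool      # owned and managed by the enterprise
    av_current: bool   # anti-virus signatures up to date
    patched: bool      # OS patch level meets the corporate standard

# Constructed role policy: resources each role may reach after a clean posture check.
ROLE_RESOURCES = {
    "employee":   {"email", "accounting", "grading", "internet"},
    "contractor": {"email", "accounting", "internet"},
    "guest":      {"internet"},
}
LIMITED_RESOURCES = {"email", "internet"}  # what an unmanaged contractor host may reach

def posture_check(ep):
    """Map an end-point's health to grant / limited / quarantine."""
    if not (ep.av_current and ep.patched):
        return Decision.QUARANTINE
    if ep.role != "guest" and not ep.managed:
        return Decision.LIMITED
    return Decision.GRANT

def allowed_resources(ep):
    """Combine the posture decision with the user's role."""
    decision = posture_check(ep)
    if decision is Decision.QUARANTINE:
        return set()
    resources = ROLE_RESOURCES[ep.role]
    return resources & LIMITED_RESOURCES if decision is Decision.LIMITED else resources

def access_attempt(ep, resource, log):
    """Enforce the policy and record every attempt (allowed or not) for audit."""
    allowed = resource in allowed_resources(ep)
    log.append((ep.user, resource, allowed))
    return allowed

def user_report(log, user):
    """Every resource a user tried, with the outcome, for an auditor."""
    return [(res, ok) for u, res, ok in log if u == user]
```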

Behavior anomaly detection is the next huge investment area being added to NAC, along with various post-access-control features. NAC vendors must address post-NAC monitoring, or post access control, since the initial NAC event determines what behavior should be expected from the computer. The initial NAC event provides the profile definition necessary to monitor behavior. Post access control is the most significant NAC feature set going forward. Network and IT departments will look to understand a computer's relationship to ongoing real-time monitoring and how a user's behavior impacts network activity. This insight is gained through behavior monitoring.

Reason Two: More Potent NAC Technology

The second reason why 2007 will be the year of NAC is because the technology is maturing in smaller deployable increments. NAC solutions are becoming increasingly potent as defenses to mitigate LAN attacks and as tools to hasten audits and assure regulatory compliance. Much of NAC's value comes from the fact that NAC solutions are being tightly linked with identity management software. Most, if not all, NAC providers deliver their own identity management software which enables identity-based access control. That is, NAC solutions are capable of identifying users, guests, contractors, etc., and applying access rules uniquely to each person based upon their role in the enterprise. Identity management is increasingly being linked with applications too, offering IT management greater granularity of access control.

While creating policy which drives role-based access control can be daunting, the good news is that NAC is being packaged in multiple ways to address different-sized problems. Many network and IT executives postponed their NAC deployments as its scope was overwhelming. In 2005 and early 2006 the industry thought of infrastructure NAC as the main approach to access control. But two things happened: infrastructure companies such as ProCurve offered appropriately scaled NAC infrastructure solutions, while a host of companies including Cisco, ConSentry, Lockdown Networks, Nortel, Juniper, et al., added more value to their NAC appliances. This reduced the overwhelming scope and rationalized the infrastructure impact, product confusion and deployment choices. NAC appliances allow enterprises to be selective in where they place NAC and to experiment with policy. NAC appliances will also help bridge the gap in heterogeneous NAC environments as well as allow co-existence with non-NAP clients.

The key question is how NAC appliances will work with NAC infrastructure. Cisco, for example, is integrating its NAC appliance and infrastructure back-end and client components so that customers can pick and choose how they want to implement NAC across their companies. This allows customers the flexibility to accommodate different realities, such as departmental budgets where one group (network infrastructure) may have more budget than another (e.g., the security/infosec team), network topologies that can't be upgraded but can be enhanced via an appliance, and the need for NAP interoperability.

But there will not be a transition from NAC appliance to NAC infrastructure. In 2007 there will be an increase in overall NAC products and solutions, whether appliance- or infrastructure-based. Chances are there could be a round of consolidation of the appliance vendors too, as customers gravitate towards the major players.

So how will NAP and NAC evolve, and will NAP slow down NAC? The fact is, NAC is the general framework for IT security while Microsoft's NAP/NPS is a part of that framework. NAC and NAP will not compete; NAP will be part of a NAC framework. As mentioned in the opening, NAP is really a 2008 event. What Microsoft's NAP/NPS will do effectively is perform posture assessment by validating a computer's health and provide remediation instructions if needed. NAC solutions will build upon NAP by performing enforcement based upon NAP posture data, while NAP will pass posture/health data to NAC-based identity management. The bottom line is that NAC is here today solving real security access problems. With NAP/NPS a 2008 event, there is plenty of time for NAC vendors to collaborate and test interoperability with Microsoft, as Cisco has been demonstrating. This fact has not gone unnoticed by most CIOs, who look to maximize their large IT infrastructure investments. NAP/NPS will not stop 2007 from being the year of NAC, but will accelerate NAC deployments in 2008.

Reason Three: Growing Adoption Curve

The third reason 2007 is the year of NAC is that there is comfort in large numbers. While there are approximately 1500 NAC installations worldwide today, our estimate of 5000 is just that, an estimate. The bottom line is that the number of commercial NAC deployments will more than double in 2007, including most of the F500 and all of the major financial services firms. As more firms deploy NAC, industry knowledge is created, fostering greater comfort that the technology has matured and is ready for prime time.

So is 2007 the year of NAC? It's as easy as one, two, three: 1) NAC solves real problems; 2) NAC technology works; and 3) enterprises are deploying NAC. The data points are building and the trend line is becoming clear. 2007 is the year of NAC.
