NAC has inspired much controversy in its short life, including over what the acronym really means. But value-added resellers (VARs) who have invested substantial time in evangelizing the technology say long-standing pilot projects are finally turning into meaningful installations.
First, a word about that acronym. Depending on whom you ask, NAC stands for either network access control or network admission control. Either way, the intent is the same: to allow an organization to better control what devices are able to sign into a network and which resources, exactly, a particular endpoint has the right to use. The concern is protection -- from the introduction of viruses and other malware, as well as inappropriate behavior.
"You want everyone that is playing on the network to have the appropriate integrity," said Preston Hogue, chief security officer and director of the information security practice for Network Computing Architects in Bellevue, Wash. What's really changed over the past year, Hogue said, is that businesses and higher-education accounts -- where most of the early adoption has been taking place -- have deployed much of the infrastructure necessary for a NAC installation and have begun to consider the issue of access control for guest or unmanaged devices as part of a broader network management strategy rather than just a security concern.
Research firm IDC projects that investments in network access control will spur total annual revenue of $3.2 billion by 2010, compared with just $526 million in 2005. Gartner reports strong growth in large-company NAC deployments over the past two years and projects 2008 revenue of about $450 million. Forrester Research, meanwhile, reports that NAC has moved up in priority in the past 12 months when it comes to corporate adoption plans. According to the analyst firm's most recent survey of IT professionals representing small and midsized companies, about 24% of respondents have already adopted some sort of NAC technology. Another 13% intend to do so before the end of the year, and 17% percent are interested but have no current plans to adopt it. The good news is that regardless of the timing, approximately 45% of these organizations intend to purchase their network security or endpoint security products from a VAR or systems integrator. A separate survey by The 451 Group found that enterprise IT professionals are finally ready to deploy NAC to address guests and contractors and ameliorate regulatory compliance concerns.
Tim Evans, director of channel sales for Concord, N.H.-based Bradford Networks, a network access control startup, said his company's most successful VAR partners are those with experience with broad network installations and network policy enforcement. "If you do security, even better," he said. "But what we're really talking about is policy. You're really talking about the network and how it operates."
To date, Evans reports, many early NAC pilot projects have taken place at universities or at companies that support large numbers of network guest users, such as subcontractors, that need access to network resources but that use client systems that aren't under the control of a central IT department. That trend inspired Bradford Networks to introduce a specific guest module product in late March.
Hogue said one reason for NAC's relatively slow adoption, despite the obvious benefits, has been cost. Few companies are able to pony up the hundreds of thousands of dollars it can cost for an end-to-end deployment. So, they are starting slowly and building out modules in specific departments or divisions where it counts the most, he said. For that reason, the sales cycle is easily a year or longer. Where Network Computing Architects is finding success is with companies that are investing in PCI security initiatives or are facing network upgrades for other reasons, Hogue said.
Chris Poe, director of technical operations for Atrion Networking, a VAR in Warwick, R.I., said he believes that network access control products need to be tied more closely to security information and event management (SIEM) systems to be taken more seriously in the corporate environment. Right now, the two technologies seem to be evolving independently, he said. Another technical boost will come from Microsoft's plan to embed network access protection into its operating system, which will help eliminate the need to support separate NAC client software on individual endpoints, a factor that has also slowed down adoption, he said.
If you're not into NAC already, a word of caution about picking vendors: Aside from Bradford, another independent player worth investigating is ConSentry Networks, in Milpitas, Calif., which claims high-profile customers such as Continental Airlines. But the market has been rough on NAC startup vendors. Just last month, Lockdown Networks went out of business, despite relationships with both Microsoft and Cisco Systems. Another NAC specialist, Vernier Networks, has expanded its focus; TippingPoint, meanwhile, was early on acquired by network equipment company 3Com, and Perfigo was swallowed up by Cisco.
Another concern, one that will be both a challenge and opportunity for VARs making decisions on behalf of their clients, is the fact that the Trusted Computing Group, which is working on interoperability standards for NAC products, still doesn't count Cisco among its members. The group last year announced a partnership to ensure Microsoft's compatibility with the developer's Network Access Protection technology. This doesn't necessarily mean Cisco's technology will be incompatible, but it will be a factor in product discussions depending on whether or not a potential customer is a Cisco-heavy shop.
Chris Labatt-Simon, founder and CEO of D&D Consulting, a systems integration company in Albany, N.Y., said because network access control is being considered as part of network upgrades, his company is focusing on new EX-series Ethernet switches from Juniper Networks that were built from the ground up with access control concerns in mind.
For now, Atrion's Poe has chosen to hedge his bets by focusing on Cisco, which Atrion represents more broadly, and Bradford, with which the company has been working since its entry into this category. "We're keeping an open mind as to what vendors are out there," he said. "But we have solidified our position that NAC should be part of the overall network."
About the author
Heather Clancy is an award-winning business journalist and consultant on high-tech channel communications with SWOT Management Group. She can be reached at email@example.com.