What if partners could sell network access control (NAC) as a service?
The rise of bring your own device programs in the enterprise may make this a prime time for a NAC services market to emerge, said Rob Ayoub, research director for information security and information communication technologies with Frost & Sullivan.
“As a market, NAC has struggled. Yet when you look at the mobile explosion we have today with tablets, phones, etc. in the enterprise, we are back to [needing] granular control. Yet if you can move that all to a service provider who can host the infrastructure and deploy it as a service, you get rid of a lot of the cost and complexities that plagued NAC from the beginning,” Ayoub said.
Selling NAC-as-a-Service also means the ability to reach a more diverse set of customers. Originally the technology wasn't aimed at the SMB market because of its hardware complexities, but NAC-as-a-service is much more accessible.
“Before NAC-as-a-Service, [NAC technology] was [a] more difficult sale. It required channel partners to interact with vendors and work with a ton of moving pieces. In a managed environment, administrators can now focus more on the policy piece while service providers handle the monitoring,” Ayoub said.
NAC services emerge and aim for simplicity and interoperability
ForeScout Technologies is hoping partners will jump on the NAC services train with its CounterACT NAC solution, which can be sold as an on-premises solution that is remotely managed or as a completely off-premises cloud service.
“The premise around our NAC solution is to allow, deny or limit access to network resources based on who the user is, what device they have, the configuration of the device, where they’re located and what time it is. Those are all the attributes you can write a policy around,” said Scott Gordon, ForeScout’s vice president of worldwide marketing.
CounterACT can be all on-premise or partially on- and off-premises solution as a hybrid cloud service. “You have a virtual appliance that runs on the customer premise, which could be in multiple parts of the customer’s environment. Then you have an enterprise manager virtual appliance, which can also run in the customer’s environment where a managed service provider can remote into that to manage the system,” Gordon explained. “The manager appliance can also sit outside of the customer premise in the service provider’s cloud and be managed by a third party.”
Network access control services address security and mobility
Mobility is high on the list of reasons to implement a network access control solution, and ForeScout addresses this trend through its service. For example, when a personal mobile device makes a request for Internet services on the network, ForeScout's device -- whether hosted or not -- can seize that request, require the user to register his or her device and place the user onto the VLAN. This only allows the user access to the Web or specified applications.
“With mobile security, we can identify all the non-corporate devices entering the network. We can identify the BlackBerrys, iPads and Androids that are accessing the network and then define policies based on who the user is, the device, where they are, to say what resources they can or cannot have access to,” Gordon added.
Using NAC services for compliance
As part of its NAC services, ForeScout offers compliance auditing, where the appliances produce reporting and audit logs to show that policy is being followed.
“Most compliance mandates are centered around whether you have proper policies and security provisions on folks or systems accessing the sensitive information, whether you have proper configuration management and whether you have proper means to respond to incidents in a timely fashion. Our solution aligns to those types of mandates. For example, we built in reports for very specific compliance mandates like HIPAA or PCI,” Gordon said.
Policy implementation and compliance reporting can actually be automated as part of offering ForeScout's NAC services. “We can automate guests getting onto a network without IT intervention and have the ability to identify all systems on your environment. We also phase in policy and handle exception without impacting or disrupting end users. Then we enable self-remediation of security issues, so the end users help themselves,” said Gordon. “The ability to auto-remediate fixes problems like inactive client security software.”
Network access control services mean different training and business models
Selling a service that monitors every detail of a network can require partners to gain a deeper level of networking expertise -- it also requires a new business model for many partners.
“We look at the fact that typically [our partners] customers will subscribe to an annual service and pay monthly, so we’ve packaged our services for service providers in the same way. They can buy our solutions and pay a monthly fee,” said Gordon.
ForeScout also allows partners to white label NAC services. “We allow service providers to modify the license at the end of any given quarter where they can increase or lower the license provision as needed,” Gordon said.
Ayoub said that partners will adapt quickly to this new NAC business model.
“Removing the complexity opens up the opportunity for folks to make the services a lot easier to sell when it’s just a CAPEX monthly investment. It becomes a viable alternative for MDM or enterprises that don’t need a large-scaled mobile device plan,” said Ayoub. “As these NAC services come out from other vendors, as long as the service level is consistent and the services work as designed, I think we will see increased growth.”
With NAC services, partner challenges?
Oscar Pérez Cano, chief operations officer for DTXT, a ForeScout partner, said the only challenges he foresees might be for customers who are not yet sure of the type of policy they want to work with. “It depends how quickly they want to deploy the policies and how mature the company is. If a company already has a policy in place, it will be a faster and smoother implementation. [Challenges] are not related directly to the technology,” he said.
If there is a troubleshooting or monitoring need, that will become part of the service that channel partners can offer, Gordon said.