Network access control promised a much-anticipated, multi-faceted set of tools that could check endpoints for compliance, fix machines that flunked, define and enforce user access rights, and monitor user activity to assure continued compliance.
So, why are most NAC deployments targeted at the most basic task of keeping guest users off the corporate network?
The short answer: NAC turned out be far more difficult to roll out across a large enterprise than customers imagined.
"It was supposed to be what people have been looking for -- the weaving together of infrastructure and security," says Yankee Group analyst Phil Hochmuth. "It turned out to be a lot harder than anyone thought it would be. A lot of stuff didn't work or wasn't delivered for a long time."
Forrester analyst Rob Whitely says NAC's reputation has taken a beating of late perhaps because users misunderstood the complexities of deploying it successfully. Businesses installed NAC appliances for guest access then tried to expand to screening for security compliance and controlling access for all managed corporate endpoints, he says. That increased the load on the NAC machines to the point where the gear can't handle it.
"Now you're probably spending more time and energy retrofitting your environment than you ever did on the initial deployment," Whiteley says.
Making NAC Work for You
Of course, NAC isn't an all-or-nothing proposition. There are plenty of useful things that companies can do with NAC that fall between guest access on one end of the spectrum and a full-out deployment that takes advantage of all of NAC's capabilities.
"Companies are beginning to get a little more savvy about how they approach network access control and as a result they're getting out what they put in," Whiteley says.
In fact, Gartner predicts that sales of NAC gear will double this year. Gartner's long-term view is that sales of NAC-specific products will continue to increase in 2009 and 2010, then flatten out and begin to decline as other NAC options -- installing it on endpoints, embedding it in switches, servers and computer operating systems -- start to take hold as the preferred methods of deploying the technology.
These non-appliance methods of deployment scale better and will shepherd in use of more NAC features, Whiteley says. For now, many who have tried NAC focus on a single use.
For instance, Harvard University's Kennedy School of Government deployed NAC just to identify machines on its network that were causing trouble and cut them off, says Kevin Amorin, and information security manager at the school.
He wasn't interested in having NAC automatically tell users how to remediate their machines because those instructions generated more help-desk work than they prevented. "All I needed was a process that would identify and isolate," he says.
American Bancard, in Boca Raton, Fla., uses StillSecure's SafeAccess NAC software to help meet requirements of the payment card industry standards, says the company's CTO Steven Scop. His company processes credit card claims from merchants, so it must comply with PCI and be able to prove that compliance to auditors.
StillSecure's NAC can help with part of that, he says, because the tools have compliance reporting features that are designed to address specific aspects of PCI. So the software can demonstrate that only certain machines gained access to sensitive data and that they were given a health check before they were allowed to.
And the reports also help American Bancard identify its PCI shortcomings and correct them. "There's different things that it looks for, and based on the different PCI auditing questions, it says this has hit the mark and this hasn't," he says. "There's a lot of things it finds that we needed to change."