NAC Attack: Today's Products Will Fail, Report Says

Apr 07, 2007

Vendors say modern NAC products will fall by the wayside in favor of software-based technologies that manage risk by integrating endpoint security, access control, identity and risk management.

Forrester Research analysts are urging corporations to prepare for a shift in the Network Access Control market in the years to come, as NAC vendors move toward new software-based tools that leverage endpoint technology to proactively manage risk.

In a report titled "Client Management 2.0," Forrester analysts Natalie Lambert and Robert Whiteley forecast the death of modern NAC products, which they say feature too much complexity and not enough interoperability. Operations management teams want a unified solution, Lambert said in an interview with eWEEK.

"They feel they deploy tools to solve business problems but then find themselves with more solutions than they can handle," she said. "They want to consolidate, but they aren't seeing any compelling solutions that bring together the functionality they need."

The report also contends that many NAC products focus solely on compliance with security policies instead of the remediation problematic machines, and are not able to defend against newly emerging threats.

In addition, the researchers stated that existing NAC systems often result in multiple policies being established to control the same processes.

Lambert and Whiteley's answer to the situation is policy-based software technologies that manage risk by integrating endpoint security, access control, identity and risk management.

They dub this new generation of client and network security products "proactive endpoint risk management," or PERM.

Proactive endpoint risk management benefits enterprises from both an operational and technical standpoint, Lambert said.

Most firms, she said, are evolving their security teams to focus on risk and higher-level regulatory compliance issues, she said.

As threat protection and systems compliance mature, they will get thrown over the fence to IT operations functions. She called it a mistake for NAC solutions to focus on the network operations team.

"Network ops staffers typically don't focus on dynamic, policy-intensive tasks that require the management of tens of thousands of devices," Lambert said. "We think that desktop operations - which has been working with policy-intensive security and management tools for years - is a much more suitable home for defining NAC policies."

From a technical perspective, it's a more complete management solution, she added.

"Securing an endpoint means managing its entire life cycle," Lambert said. "But today's current NAC solutions don't focus on a complete life cycle. Instead, they specialize in either pre-admission scans or post-admission monitoring - some solutions - do - both - but don't focus on remediation."

Before PERM becomes a reality in the marketplace, however, Lambert foresees widespread product and vendor consolidation - a process she said has already begun, with vendors such as McAfee integrating traditional client security with information leak prevention and vulnerability management.

For their part, several vendors said NAC products will change. However, not all said they would change in the way Forrester predicts.

At Cisco, company officials said Forrester used too narrow a definition of a NAC product because it only includes a health check of an endpoint.

Brendan O'Connell, product marketing manager within Cisco's NAC unit, said many NAC providers focus solely on whether or not a computer has the latest anti-virus software, and he called that a "mental blind spot."

NAC, he continued, should be composed of four things: authentication, quarantine, posture assessment and remediation.

"There are a lot of other NAC products out there that may have only a subset of those components," O'Connell said.

Contrary to the report's conclusion that the network needs to be de-emphasized, Cisco NAC Marketing Manager Irene Sandler said NAC has to be a network enforcement product - and that the network is where the bulk of the decision-making must lie.

Microsoft executive Mike Schutz said policy has a home in the network, though he said NAC products will evolve beyond the network device-centric approach commonplace today.

"Customers today deploy multiple point security products such as AV and patch management, but these products rely on the end user to keep these solutions running and up-to-date," said Mike Schutz, director of security and access product management at Microsoft.

"It's easy for users to fall out of compliance, and NAP - Network Access Protection - addresses this problem by pushing IT policy into the network."

Lambert, however, said firms should de-couple their network access policy from their network hardware.

"This policy should then be mapped to the current security and management technologies that can do the heavy lifting and leave the enforcement to the network," she said.

In addition, she advocated realigning IT organizations so that those responsible for endpoint operations are security and IT ops professionals who know how best to create policy to secure and manage the environment.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International

Explore further: Microsoft to spotlight new Windows software September 30

add to favorites email to friend print save as pdf

Related Stories

Astronomers pinpoint 'Venus Zone' around stars

2 hours ago

San Francisco State University astronomer Stephen Kane and a team of researchers presented today the definition of a "Venus Zone," the area around a star in which a planet is likely to exhibit the unlivable ...

History books becoming next fight in Texas schools

3 hours ago

The next ideological fight over new textbooks for Texas classrooms intensified Wednesday with critics lambasting history lessons that they say exaggerate the influence of Moses in American democracy and negatively portray ...

Amazon deforestation up 29 pc in 2013

3 hours ago

Deforestation in the Amazon rose 29 percent between August 2012 and July of last year to 5,891 square kilometers (2,275 square miles), Brazilian officials said Wednesday, posting an amended figure.

Recommended for you

Better non-functional security tests for software

23 hours ago

The integration of digital expert knowledge and automation of risk analyses can greatly improve software test procedures and make cloud computing more secure. This is shown by the latest results of a project ...

'Grand Theft Auto V' to hit PS4 and Xbox One

Sep 12, 2014

Rockstar Games on Friday announced that the latest installment of its crime-themed blockbuster video game "Grand Theft Auto" will hit PlayStation 4 and Xbox One consoles in November.

What's at stake with Windows 9?

Sep 12, 2014

When Microsoft presents its first public glimpse of Windows 9 - it's expected to happen late this month or early next - a lot more than just an operating system is at stake.

User comments : 0