A new report by Forrester Research predicts the network access control market will expand beyond the network edge to include applications and mobile devices.
A new report by Forrester Research predicts the network access control (NAC)
market will increasingly shift to a new model called "layered access
In "Network Access Control Predictions: 2011 And Beyond," the
analyst firm describes a future where NAC encompasses not only the network, but
also applications and mobile device access control.
"Corporate may have a policy that you may access Facebook but you can't
access FarmVille," explained Forrester analyst Usman Sindhu, co-author of
the report. "NAC can enforce these policies and automate this rather than
restricting access manually. On top of that development of APIs or XML, schemas
like TNC IF-MAP
can help connecting policy and enforcement from the network all the way up to the
The idea, the report states, is that the layered access control model will
provide enforcement regardless of how users connect.
"The consumerization of IT is a large, long-term trend," said Gord
Boyce, CEO of ForeScout. "Employees are
bringing their own personal devices and applications into the workplace. This
is bad for security, and it is causing security managers to look for products
that can identify and control these unknown
devices and applications
In a survey in the report, Forrester found that many
companies have a variety
of NAC deployments. Thirty-eight percent of
respondents, for example, employ NAC as part of a domain and identity-based bundle,
essentially the same number as those who deploy it as part of a software-based
bundle (36 percent) and a network security bundle (38 percent).
"We have yet to find a customer that thinks only hardware or software
is truly what they look for," Sindhu said. "It's often a combination,
and customers don't have any distinct choice here. They think network-based NAC
is good for enforcement but software-based NAC is good for management. The data
shows some trends on how consumers are implementing NAC. There is no
pure-network or pure-endpoint NAC deployment. We see this continuing in the
next year as well."
Sindhu predicts "modest growth" for the NAC market in 2011, with
10 percent of security organizations planning to adopt the
technology in the next 12 months. The features most in demand for those
interested in NAC are scanning virtual machine traffic, fixing client machines
without user interaction, and discovering and tracking network-connected IP
endpoints. Vendors are improving their portfolios to include these features,
the analyst said.
"For instance, discovering and tracking IP endpoints is coming up
often," he said. "It could be a compliance and audit requirement to
show controls for the IP connected devices. Sometimes non-compute devices like
IP phones could allow bypassing security controls, and thus they can pose
serious issues to the network. Some of these features are [more] mature than
others. But [the] appetite is slowly building."
Compliance requirements have become a driver of NAC adoption among
enterprises, said Pamela Chang, a product manager at Symantec.
"When enterprises need to maintain security and application
configuration status at a higher level in order to meet compliance
requirements, NAC technology can help enforce security and application
compliance, as well as help automate remediation of compliance issues,"
she said. "For example, if an employee on a laptop returns from vacation
after few weeks and tries to connect to the corporate network and their virus
definitions are out of date, we can check if that laptop is in compliance with
corporate policy and remediate to update their virus definitions before letting
the user back on the network."
Businesses thinking of NAC should not only think of restricting
non-corporate assets or controlling guest users, Sindhu said.
"They should make a strategy around what kind of users are accessing
the network and how to give them access without violating corporate and
regulatory compliance," he said. "Today users have iPhones [and]
iPads, and they use social media [and] Web 2.0. The NAC policies should go
beyond just layer one and layer two, but look at these apps as well."