A new report by Forrester Research predicts the network access control (NAC)
market will increasingly shift to a new model called "layered access
control."
In "Network Access Control Predictions: 2011 And Beyond," the
analyst firm describes a future where NAC encompasses not only the network, but
also applications and mobile device access control.
"Corporate may have a policy that you may access Facebook but you can't
access FarmVille," explained Forrester analyst Usman Sindhu, co-author of
the report. "NAC can enforce these policies and automate this rather than
restricting access manually. On top of that, development of APIs or XML schemas
like TNC IF-MAP
can help connect policy and enforcement from the network all the way up to the
app layer."
The idea, the report states, is that the layered access control model will
provide enforcement regardless of how users connect.
"The consumerization of IT is a large, long-term trend," said Gord
Boyce, CEO of ForeScout. "Employees are
bringing their own personal devices and applications into the workplace. This
is bad for security, and it is causing security managers to look for products
that can identify and control these unknown
devices and applications."
In a survey in the report, Forrester found that many
companies have a variety of NAC deployments. Thirty-eight percent of
respondents, for example, employ NAC as part of a domain and identity-based bundle,
essentially the same number as those who deploy it as part of a software-based
bundle (36 percent) and a network security bundle (38 percent).
"We have yet to find a customer that thinks only hardware or software
is truly what they look for," Sindhu said. "It's often a combination,
and customers don't have any distinct choice here. They think network-based NAC
is good for enforcement but software-based NAC is good for management. The data
shows some trends on how consumers are implementing NAC. There is no
pure-network or pure-endpoint NAC deployment. We see this continuing in the
next year as well."
Sindhu predicts "modest growth" for the NAC market in 2011, with
10 percent of security organizations planning to adopt the
technology in the next 12 months. The features most in demand for those
interested in NAC are scanning virtual machine traffic, fixing client machines
without user interaction, and discovering and tracking network-connected IP
endpoints. Vendors are improving their portfolios to include these features,
the analyst said.
"For instance, discovering and tracking IP endpoints is coming up
often," he said. "It could be a compliance and audit requirement to
show controls for the IP connected devices. Sometimes non-compute devices like
IP phones could allow bypassing security controls, and thus they can pose
serious issues to the network. Some of these features are [more] mature than
others. But [the] appetite is slowly building."
Compliance requirements have become a driver of NAC adoption among
enterprises, said Pamela Chang, a product manager at Symantec.
"When enterprises need to maintain security and application
configuration status at a higher level in order to meet compliance
requirements, NAC technology can help enforce security and application
compliance, as well as help automate remediation of compliance issues,"
she said. "For example, if an employee on a laptop returns from vacation
after a few weeks and tries to connect to the corporate network and their virus
definitions are out of date, we can check if that laptop is in compliance with
corporate policy and remediate to update their virus definitions before letting
the user back on the network."
Businesses considering NAC should think about more than restricting
non-corporate assets or controlling guest users, Sindhu said.
"They should make a strategy around what kind of users are accessing
the network and how to give them access without violating corporate and
regulatory compliance," he said. "Today users have iPhones [and]
iPads, and they use social media [and] Web 2.0. The NAC policies should go
beyond just layer one and layer two, but look at these apps as well."