Being a NAC Slacker Costs Big Bucks

A new report finds that if you don't do NAC right, your network will still be full of costly holes.

If you don't do Network Access Control right, not only will your network still be full of holes, but you'll wind up paying more than the company down the road that did it right and has shrunk unauthorized network access to zilch.

Doing NAC wrong combines insult and injury in one ratty little package, according to a report from Aberdeen Group released on Nov. 8. The report, titled "Who's Got the NAC? Best Practices in Protecting Network Access," found that out of 384 companies surveyed, those deemed NAC "laggards" are paying on average $229,327 for NAC hardware and $187,000 for NAC software. That compares to the outfits that Aberdeen has deemed "best in class," which are paying on average only $102,206 for NAC hardware and $123,881 for NAC software.

And by "laggards," Aberdeen doesn't mean late adopters. Rather, it means lackadaisical adapters—those who have some type of NAC infrastructure but aren't necessarily authenticating users entering the network, enforcing network security policies, defining groups of network users for specific policy enforcement, monitoring user behavior and stopping inappropriate activity after users have been admitted onto the network. Those are the attributes of best-in-class NAC adopters, according to the report.

The difference between being best in class or a NAC slacker is stark. Out of the best companies, which formed 20 percent of Aberdeen's group, 100 percent reported that successful network breaches have decreased or stayed the same over the past two years. Those same best-in-class NAC adopters report zero incidents of unauthorized network attacks and zero incidents of network downtime related to network attacks in the past year.


Click here to read about what organizations must know before they deploy NAC systems.

Out of the bottom 30 percent of Aberdeen's group—the laggards—only 29 percent reported that network breaches had gone down or stayed the same in the previous two years. None of them could brag that they had no unauthorized network attacks in the previous year. To break that down further, 30 percent admitted experiencing unauthorized network activity, whereas a whopping 70 percent didn't have a clue whether or not their networks had been violated or don't even measure to find out.

Why does it cost more to stink at NAC? Aberdeen's not quite sure. Carol Baroudi, a research director in IT security at Aberdeen and an author of the report, said that she plans to look into that question further in coming months, but that she suspects that it has to do with buying too much technology and then underdeploying it.


"In one interview a network engineer explained that they had bought a lot of capabilities that they never actually turned on," she told eWEEK. "Could it be that they overbought and underdeployed? … Part of [the complaint from those surveyed] was the early vendor hype, and now that the dust has settled, the desire to really look and see what they have and scale back to what they're actually using."

It could also be confusion as to what, exactly, NAC is. That in fact was the third-biggest challenge cited by laggard companies in the survey, behind cost and the effect on ease of use with regard to desktops, laptops or networks.

Those organizations that are succeeding with NAC say that these things are the most important things to expect out of a NAC product, in order:

  • Prevents unauthorized users from accessing the network
  • Causes minimal operational impact on users, help desk and network performance
  • Supports/enforces policies specific to different user groups
  • Logs all network access events for auditing
  • Prevents unauthorized devices from accessing the network
  • Centrally records all events
  • Can be installed without directly impacting network performance
  • Is transparent to the user
  • Supports enforcement for remote users
  • Can quarantine unhealthy machines without cross-infection
  • Assesses endpoint security status
Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.