In 2006, network access control went from being a solution in search of a problem to an implementable product category. In 2007, IT managers likely will be able to use NAC tools to tie identity to resource access without having to do a forklift upgrade to the network environment.
Before I prognosticate about NAC product directions, however, it is necessary to say a few words about policy development. NAC can be used effectively only if there is a clear policy in place that governs who has access to what information, from what location and on what platform.
IT managers will have to involve line-of-business managers in the process of deciding access policies. Can a salesperson on the road—and without the most current anti-virus signature file—access the CRM (customer relationship management) system? If not, when the salesperson attempts to access the CRM system, will his or her system be shunted to a remediation portal for updates before gaining access to the network? Or will the system be shut out of the network altogether?
Once the policy questions are answered, IT managers will need to make NAC buying decisions based on a clearly articulated RFP (see eWEEK Labs NAC RFP.
In 2006, it seemed clear that the organizations that would benefit most from NAC solutions would be the ones with large numbers of external users—such as contractors and business partners—who need access to sensitive network resources. In such a scenario, the IT department has almost no control over the devices of these external users, and NAC solutions add some protection.
The problem with providing this level of access control was partially alleviated by the use of so-called dissolving client agents. However, even these agents still require some form of user acceptance to function, and that has held back NAC deployment in some organizations.
In the year ahead, that issue may become moot as more vendors put forward some form of agentless NAC solution. Agentless NAC likely will increase in use as vendors add more capabilities to their appliance-based systems. Some of these appliances will operate out of band, such as Mirage Networks Endpoint Control, while some will be deeply integrated with the switch or router infrastructure.
All agentless NAC systems will improve as vendors increase their ability to monitor and analyze application traffic. Still, we expect that agent-based NAC systems will provide the best level of resource protection.
Of the many functions that may be included with an agent-based NAC product are anti-virus, personal firewall and anti-spam. Companies such as Symantec and Trend Micro, for example, offer NAC products that combine desktop protection with network protection for a powerful combination punch.
Well see more NAC/security hybrids come to the forefront in 2007.
In many ways, this makes total sense because prevention is still the best approach to network security. If endpoint devices can be kept free of viruses, Trojans, worms and other forms of malware, then the admission of these devices to the network will necessarily be a less risky proposition.
Speaking of risk, risk analysis will become a much more relevant—and likely abused—term in the coming year. IT managers who run networks that are exposed to contractors and other outside users will need to do a thorough risk analysis of their current network architecture. Risk assessment is best done using staff inside the organization in combination with trusted consultants.
We expect that “risk assessment” will be the new “return on investment” when it comes to the marketing pitches of security vendors. The best way to understand organizational risk is to conduct an assessment when there is no urgency. Of course—in classic Catch-22 fashion—a lack of urgency can be an impediment to making risk assessment a high priority.
Technical Director Cameron Sturdevant can be reached at [email protected]
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.