Thursday, May 08, 2008 1:33 PM/EST
While there is a whole lot of conversation going on these days about network access control (NAC), the adoption rate of these technologies has generally failed to keep pace with the amount of talk.
That may improve somewhat in the coming months now that more appliance-type products are starting to hit the market that help automate some of the difficult work associated with deploying an enterprise-wide NAC system. In addition, Microsoft is now shipping its version of NAC, referred to as Network Access Prevention, so more people are coming up to speed on the subtle differences between NAC and NAP thanks to new books such as Implementing NAP and NAC Security Technologies: The Complete Guide to Network Access Control by Dan Hoffman.
Hoffman is a senior system engineer at Fiberlink Communications, which makes a set of tools that make it easier to manage security across devices used by a mobile workforce. In that capacity, Hoffman has a vested interest in promoting the security concepts around NAC. But even with that caveat, he makes a few good points.
The majority of the discussion surrounding NAC is based on what happens when the device connects to the network. There is very little discussion about NAC solutions for mobile devices, even though it is when devices are accessing public networks outside of the corporate network that the biggest security headaches arise. For example, most public Web sites, whether it's a wireless network at an airport or a Web site such as YouTube or Facebook, are loaded with malware. No NAC solution for the network is going to be able to screen all the mobile devices for every threat out there, so enterprise customers need a solution that helps solve the problem at the point of attack on the mobile device.
Unfortunately, as much sense as that might make, we're currently constrained on security budgets. Forthcoming research conducted by Baseline, a sister publication of eWeek, that will be published in June shows that the vast majority of security spending today is being allocated to pay for license renewals for the host of security point products that IT organizations have deployed over the last several years. And to make matters worse, IT organizations are paying top dollar for the people needed to manage what amounts to an ad hoc security framework that provides next to no cross-sharing of security information and alerts.
This creates a security conundrum because, in theory, investing in NAC should eliminate the need for a lot of the point solutions and the costs associated with managing them. But in a soft economy, most organizations don't have the resources available to finance a forklift security upgrade.
What all this means is that we're still likely to be talking about NAC issues for another five years or more, because even as NAC solutions get easier to deploy, there is always going to be the problem of reconciling whatever NAC framework is deployed tomorrow with all the work that has gone before it.