I’m greatly amused. In 2008, former Gartner analyst Richard Stiennon said that NAC was worthless (see “Don’t even bother investing in Network Admission Control”). In a face-to-face debate on the topic a couple months later, Joel Snyder allegedly defeated Stiennon on the topic (and quite handily, if you agree with the account by then-NAC-vendor-CTO Alan Shimel). It’s interesting, then, that 2 years later Snyder has come out and basically declared the NAC market a complete mess and not really worth the cost.

Said Stiennon in 2008:

“Put it this way: Can you secure your network without NAC? Yes. Does NAC in any way reduce your overall costs? No. Does NAC tie you down to one vendor’s eco-system? Yes, if you go down the Cisco, Juniper, or Microsoft route. Does NAC make you more secure? No.

“Then why would you invest in NAC?”

Imagine my surprise, then, to read the article “NAC: What went wrong?” by none other than Joel Snyder, in which he derides the vertical for being inconsistent and a poor investment. A couple choice quotes:

“After spending four months in the lab testing the 12 leading network access control products, we’ve come to this conclusion: Five years of hype, buzzwords, white papers, product launches, standards battles and vendor shakeouts have resulted in very little in the way of clarity.”

and

“There’s no such thing as ‘best of breed’ in NAC, because for the 12 vendors we evaluated, there are nearly 12 different ‘breeds’ of NAC product.”

Snyder goes on to list what he sees as 6 barriers to the success of NAC:

  1. “Politics gets in the way” – Who will own, deploy, manage, and support it? Is this the right group?
  2. “Too many vendor variations” – “NAC’s three components are authentication, end-point security and access control…” – vendors tend to skew their solutions toward whichever component is their strongest…
  3. “Interoperability woes” – because each NAC solution tends to vary significantly from another, it makes it nearly impossible to compare them head-to-head, let alone replace one with another
  4. “Deployment difficulties” – NAC is not a simple drop-in solution – it requires significant planning and testing, not to mention very well written and exercised business processes to support it
  5. “Hidden scalability issues” – Scalability seems to be the bane of many security solutions, and NAC is no different.
  6. “ROI is not balanced with cost” – As one might expect, these solutions tend to be very costly, due in large part to barriers 1-5, making it very difficult to show measurable gains that justify such an expenditure.

In the end, Snyder can’t completely give up on the product niche, saying “NAC has certainly not lived up to expectations, but NAC isn’t dead either.” It reminds me of that song “He Is Not Dead Yet” from the musical Spamalot:

I am not dead yet
I can dance and I can sing
I am not dead yet
I can do the Highland Fling

I am not dead yet
No need to go to bed
No need to call the doctor
Cause I’m not yet dead.

Let’s all hope that the NAC vendors can get their collective acts together soon, either to clarify the market or to eliminate the product niche. Maybe TCG’s Trusted Network Connect will help clarify the matter someday soon.

3 thoughts on “NAC: Not Dead Yet”

  1. Joel Snyder says:

    The nice thing about being un-beholden to commercial interests is that you can call ’em as you see ’em. I still believe that NAC is a fantastic idea, and I believe that the technology has been and will be built into networks. That doesn’t mean that the products are necessarily all coherent, at least today. I had hoped they would be by now, but if they aren’t, then it’s my job to lay out what I see. Kind of nice, sometimes.

  2. Ben Tomhave says:

    I hope you’re right, Joel. The features and general technology concept are good, but the current span of implementations leaves much to be desired. It’s hard not to view this as an example of an industry niche gone horribly wrong. Perhaps the best thing to do is to burn it all down and hope that a Phoenix will arise from the ashes.

  3. Peter Hesse says:

    Of course, there is a pressing need for these capabilities. And, the work to implement a solution to these needs is daunting at best, impossible at worst. The vendor-lock-in is a terrifying prospect to most large organizations, who are not coincidentally those who need a solution in this area the most. I’m not sure how solvable it is without some amount of homogeneity in the network environment. I guess time will tell.
