This IDC release, posted at Tekrati, describes a study that predicts the network access control (NAC) market will jump from $526 million in 2005 to $3.2 billion in 2010. We are just about halfway through the period tracked by the study, so indications must be that the market is about on track.
It's hard to clearly define NAC because it is more a concept than a specific technology. In general, NAC prevents users from gaining access to a network unless they can prove that they are authorized. In addition, NAC approaches ensure that security software is up to date and compliant with network requirements and that access is granted only to the extent that policies allow. A remotely working CFO will have different access rights than the CEO -- and NAC systems will make sure such distinctions are enforced.
The study has a lot of good news for the NAC sector. It says that vendors are beginning to agree on interoperability between devices, that IT executives see NAC as a core security tool, and that the approach is attractive to IT departments because it isn't disruptive and is simple to use.
This piece, which actually is a chapter in a book from Cisco Press titled Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design, provides a tremendous amount of information on what NAC is and where it may be going. Though it naturally focuses on the Cisco perspective, the chapter is valuable to IT and security folks seeking a deeper understanding of NAC technology. The piece offers a good working definition for lay people:
"NAC is analogous to a policeman who protects and enforces a variety of rules that users must abide by to have the privilege of traversing your information highway."
The authors discuss how already known information and existing tools can be leveraged into an ongoing NAC initiative and provide a good deal of context.
Though NAC may be growing, the sailing apparently will be anything but smooth, according to this InfoWorld story. This spring, Forrester released a report that said that enterprises rushed into buying the current crop of NAC devices and that they have "struggled" to install and maintain the systems. They will move on to other approaches. The main problems Forrester cited include confusion about the multitude of products available and the fact that NACs tend to create too many policies aimed at doing about the same thing. Interoperability between devices also is a problem. Forrester, apparently, isn't alone in its skepticism.
This link at ISP Planet is to the first installment of a four-part series on NAC by well-known consultant Lisa Phifer. The first part explains why NAC is needed. NAC, Phifer says, simply is a strategy to limit access based on user identity, the security status of the end point asking for access and the organization's policies on access. Those are very important tasks, of course, but the bottom line is that NAC seems a monstrously complex undertaking. Links exist to the three other parts of the series. The series focuses on determining an organization's NAC needs and comparing alternative approaches, and it concludes with a close look at Juniper's UAC 20.
The bottom line is that the NAC landscape still is forming. While the future looks great, it seems likely that NAC platforms available when that future fully arrives will be far different than what's available today.