To be sure the inevitable "bandwagon" effect does have vendors rolling out NAC products that would clearly have been labeled something else a year ago. In spite of these concerns, I would still like to make the case for a broader definition of NAC than was originally envisioned.
A complete NAC solution should include the following capabilities: host- posture checking; quarantine and remediation; identity-aware and policy-based authentication and resource access control; and post-admission threat protection, quarantine and remediation.
The benefit of user identity awareness within NAC solutions is really a no-brainer. It's interesting that NAC solutions are so commonly positioned as security solutions because they are only tangentially about security. As originally envisioned, NAC did not provide any additional security functionality, but rather it ensured that organizations were fully leveraging their existing security investments (e.g., check that the antivirus software is installed, turned on, and updated).
It would be at least as obvious to position NAC as a systems management, audit and compliance solution. But to fully exploit NAC's potential as an audit and compliance management tool, the solution needs to be able to tie network traffic to particular users and to specific policy. The fact that existing solutions typically do this with an application-centric approach is perhaps more by accident than design. This week's announcement that Oracle (the paragon of the application-centric approach to identity management) was partnering with Identity Engines Inc. (an identity-aware NAC player) is an early data point in what is sure to become a trend that will deliver identity awareness to NAC solutions more quickly and more completely.
To become an active security system, NAC solutions need to support post-admission threat prevention. Many NAC solutions today do support periodic rechecking of host configurations post-admission. If a device is found to have slipped out of policy compliance, then it can be placed into quarantine and remediated. A much more powerful capability, however, would be to leverage NAC enforcement points to block network traffic or to quarantine specific devices based on threat detection from existing network or host-based security products. As NAC functionality is baked into the network infrastructure, security vendors can go back to doing what they do best, which is detecting emerging threats, and hopefully networks can be simplified by eliminating dedicated inline security devices.
We are a long way from seeing comprehensive NAC solutions with this breadth of functionality deployed, but certainly the first step is agreeing on the utility of moving in this direction. Market demand is coalescing around these broader solutions so expect to see vendors partnering for, and acquiring, the technology they need to deliver them.
About the author: As a Senior Analyst in the Information Security module at Current Analysis, Andrew Braunberg's main responsibility is tracking the identity management and security management market segments. Prior to joining Current Analysis, Andrew was a journalist covering information technology in the defense and telecommunications sectors. Andrew holds an M.A. from George Washington University in Science, Technology and Public Policy and a B.S. in Engineering Physics from Rensselaer Polytechnic Institute.