This disconnect between interest and implementation is the result of different priorities between the information security personnel and the boardroom, noted Usman Sindhu, the Forrester analyst who prepared the report. For the report, Forrester surveyed over 1000 IT executives and technology decision makers in Europe and North America.
The low level of NAC deployment is not “surprising” to Sindhu. “This is something we’ve seen over the past five years….We need to get the interest [in NAC technology] to the board level to get the budget to implement this….Customers and security professional want this technology on their network”, he told Infosecurity.
To bridge that gap, Sindhu recommends that information security professionals focus on the specific use cases related to user access control and purchase NAC technology as part of a client or end point security suite, or as an extension of the existing infrastructure.
“NAC technologies will become much more useful in the future with the focus on the user access control specifically, not just the end point”, he said.
In addition, many security vendors have integrated NAC technology into their security offerings, a trend that is likely to push other vendors to abandon standalone NAC approaches. “I am predicting that the standalone NAC will fade away. Vendors will move toward a comprehensive bundle of features which control networks, applications, and devices”, he said.
Sindhu also predicted that a hybrid NAC solution – a combination of software and hardware – would become increasingly popular. In the past, organizations have primarily looked to hardware for a NAC solution. Now, companies have a combination of NAC solutions, such as domain and identity-based bundling, network security bundle, software-based, in-line infrastructure-based appliance, client security bundle, and out-of-band dedicated appliance. The key is to integrate these tools in an effective way, he said.
In addition, corporate and regulatory compliance are two leading drivers of NAC adoption, the analyst noted. This trend will expand as companies allow employee-owned wireless devices to access the network.
“Organizations want employees to be able to have these devices. There a lot of technologies out there to manage this portfolio of devices. What NAC does better is provide control from the front end”, he said.
For compliance, security professionals will need to establish auditing/reporting, admission controls, and fingerprinting. In addition, they will require rogue device detection, network-connected end point discovery, automated remediation, and virtual end point scanning, he said.
“You will see that NAC will become part of a broader bundle of solutions and will complement many different aspects of an organizational network security program”, Sindhu predicted.