Experts Say Dump The NAC Word

Vendors have suggested that a vast range of security problems including worms, malware and employee misbehaviour can be solved by a solution called NAC – but they are oversimplifying the situation and raising false hopes in users, according to experts

“The problem is that security is based on a bad paradigm,” said Jan Guldentopps, analyst at BA Test Labs, speaking in a debate at the NetEvents industry gathering in Barcelona. It is assumed that bad guys are outside and good guys are inside the firewall, he said. The problem NAC is supposed to address is managing access rights to networked resources.” NAC is supposed to give IT managers the ability to identify who is logging in, and also spot undesirable behaviour when it happens, said Rik Moy, president of NSS Labs. It has to work on a wide variety of devices including laptops, desktops and phones.

NAC has been supposedly on the verge of taking off for some years, said Guldentopps, but has not: “Let’s be honest – NAC is a marketing term for Microsoft and Cisco to continue to monopolise their markets. Microsoft’s version is called NAP for network access protection, he said, but both are more to do with marketing than technology.

Now is the time to realise that the problem can’t be solved by throwing money at it, and get back to security basics, said Guldentopps: “There has got to be realism.”

Perhaps surprisingly, the security vendors on the panel agreed NAC is oversold and unable to deliver its promises: “It’s just authentication, period” said Jeff Prince, chief technical officer of Consentry. “It’s not a homogeneous world,” said Brett Eldridge, marketing vice president of Infoblox. “NAC can’t solve that problem.”

The only place that NAC really works is in a single-vendor solution, said Guldentopps. “The big success of BlackBerry is that RIM manages the whole thing. It works perfectly as long as you are on a BlackBerry. Now imagine doing that with all the PDAs on the market!”

“Your satisfaction level is inversely proportional to the size of your enterprise,” said Prince. Large enterprises find it so cumbersome to arrange access control for all their staff, all their devices, and all their services, that “Half way through, you want to slash your wrists.”