Why has NAC, like DLP, failed to take off?

Why are organisations not investing in systems that are designed to keep malicious actors out of their networks?

Traditional IT security is focused on the network, so for many organisations controlling access to the network is a logical place to focus attention.

In response, security suppliers have launched a slew of network access control (NAC) products that they claimed would solve the problem of intruders.

But like data loss prevention (DLP) technologies and other strongly-hyped security point solutions, businesses are not investing in NAC systems, a survey of IT security purchasing intentions has revealed.

Why are organisations not investing in systems that are designed to keep malicious actors out of their networks?

Struggling to understand benefits

One of the main reasons is that many firms live in ignorance of the reality of the threat environment, according to Andrew Rose, principal analyst security and risk at Forrester Research.

Modern attackers do everything they can to remain under the radar and many firms struggle to understand the benefit of NAC, he said.

Consequently, almost half of organisations do not use NAC, a poll of more than 250 IT professionals by Computer Weekly and TechTarget showed.

Of those who do use NAC, most use it for remote access (29%) and LAN access (27%), followed by 18% who use it only for guest access, 2% who use it for pre-connect assessment only and 2% who use it for both pre- and post-connect assessment.

The shifting landscape

The relatively low adoption of NAC, despite the fact that the technology has been around for years, can be ascribed in part to the fact that IT departments still believe they live in the world where the majority of users have desktops and few laptops are brought into the office regularly, said Rose.

“They do not recognise that the landscape has shifted and that many users now bring their own device (BYOD), or work away from the office for weeks at a time,” he said.

According to Rose, the fact that the basic network segmentation that some organisations have in place, perhaps where servers and desktops are segregated, or teams that work with sensitive data are screened from the network, may also serve to make the IT teams feel that NAC is non-essential.   

Networking infrastructure integration issues is the biggest challenge to implementing NAC systems, according to half of those polled.

Read more about NAC:

  • McAfee Focus 2012: NAC supplier ForeScout joins McAfee SIA scheme
  • Global manufacturer revamps access control with ForeScout NAC
  • NAC technology evolves in a BYOD policy world
  • NAC protection: Network access control policy, deployment guidelines\
  • Endpoint protection advice: Improving NAC with secure endpoints
  • NAC security guide: How to achieve secure network access in the enterprise
  • Preventing network outages: UK university employs a NAC solution

Other challenges include directory/authentication integration issues (32%) and end user resistance (22%). These were followed by complaints that NAC systems are too complex to manage (16%), too complex and time consuming to deploy (15%), and too expensive (12%).

Rick Holland, senior analyst, Forrester Research said that some organisations would have to upgrade their switching gear to be able to implement NAC effectively, and then they would have to manage it all, which introduces complexity.

“In addition, NAC is a significant investment and the firms I speak with would rather invest their money elsewhere. To be honest, I am surprised the complexity responses aren't higher,” he said.

According to 40% of respondents, the top criterion for purchasing NAC was features, followed by platform support (31%), price (23%) and supplier support (6%).

Barriers to implementation

NAC presents similar complexity issues to DLP, despite having been around for some time. About seven years after the first NAC solutions came into being, there remains a raft of barriers to its successful implementation in organisations.

“Internal politics frequently gets in the way and NAC often gets downscaled to providing protection solely at the edge of the network,” said Adrian Wright, vice-president of research for ISSA-UK.

“There still appears to be little consistency between supplier offerings, making head-to-head evaluation and selection difficult. This combined with interoperability woes means each NAC supplier has a preferred set of other security products they work with and if you try and bring different products into the mix, you may find your NAC deployment can't – or won't – support these changes,” he said.

Deploying NAC is expensive because even if the software is virtually free, it takes considerable time - which equates to money – plus there may be hidden scalability issues, said Wright.

“You might have to upgrade or buy new switches and other infrastructure. It is possible to derive efficiency benefits from NAC quite apart from the obvious security ones.

“Justifying the cost and deployment overheads based on security needs alone is a tough call, so suppliers and end users need to leverage better ROI arguments in order to justify the costs and difficulties incurred by large scale roll-outs of NAC,” he said.

The barriers of complexity, interoperability and high total cost of ownership are held in common with other similarly-hyped security point solutions, such as DLP.

Once organisations have factored in all the issues they need to overcome, the final ROI argument they are left with can be difficult to justify, said Wright.

Conversely, if they fail to identify all the costs and challenges upfront, deployment programmes can quickly run out of senior management support and finances, leading to aborted or vastly scaled-back use of these technologies.

In all cases, he said, organisations need to include the right stakeholders in the deployment programme and socialise well with them to iron out issues as they arise.

Read more on Identity and access management products