I was surprised during my debate with Joel Snyder this week how much he fell back on access management as a value of NAC (now defined by just about everybody to be Network Access Control). Joel has an equation (he claims it is calculus because of the time component but no Joel, it is algebra) that ignores units but defines NAC as access control plus end point configuration plus network behavior.

I find that most of the irate vendors that have piled on my lonely rail against NAC focus on the fact that I hate using end point state as part of the authorization process. They realize that that concept, first put forth by Cisco, is flawed from a security standpoint but, because they cobbled a solution together they are pushing it and cannot abide my critique. Thus, the debate quickly turns to access control which of course is as fundamental to security as firewalls and AV. You may have seen my Good NAC versus Bad NAC column where I specifically break access control out as a good thing.
So, alright, the industry is going to re-label the technology. Fine. I will continue to criticize using end point health for anything tied to user rights management.
One of the greatest disservices the analyst community, vendors, and consultants such as Joel have done for the security industry is this attempt to co-opt an entire industry segment. From questions received during the live debate you could tell that folks think that without NAC they have no way to manage user access to their networks. Well, here are some resources you can use to answer the question: “How do I control access to my network?” It’s called Identity and Access Management, which includes enterprise single sign-on, provisioning, revocation, etc. Vendors include Oracle, which has rolled up a number of specialist vendors such as Oblix, Phaos, and OctetString. You may recognize other vendors in this space including Sun, IBM/Tivoli, Courion, Imprivata, Beta Systems, BMC Software, CA, Novell, M-Tech, HP, MaXware, nCipher, Siemens, and Microsoft (thanks to Dave Kearns for those names). With a vendor list like that I have trouble understanding why people are looking at StillSecure, Mirage, Napera, Forescout, or InfoExpress for network access control. (See comparisons)
So if you are responsible for network security within your organization, before you start to evaluate NAC solutions check with your identity and access management team. You might discover that you already have the technology you need in-house.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
You just don't get it
Richard - Joel wouldn't let you wander in the debate, so you wander here on the blog. At the end of the day though, you just don't get it. Yes Identity access control and management is a part of NAC. Yes there are vendors who do just IAM now. But that is just a part of NAC. The endpoint health check is another part of it and monitoring traffic and behavior is another aspect. Remediation can be another aspect. NAC is more than just any one of these, but is a system encompassing all of them. I am tired of playing this story on the blog, so am not going to bother responding in full. But I do hope one day you realize where you went wrong here.
RE: Why you use NAC when you have IAM?
Richard,
I work for an IAM vendor and I sell IAM every day; most IAM vendors have their advantages and disadvantages.
Why you need NAC is very simple: NAC adds an extra first layer that is needed for organizations to be more secure and to have better control of their infrastructure.
If I was an end user myself, I would go for both since both solve the problem of security, administration and compliance. They solve the GRC requirements.
I would not recommend looking at Cisco, but I would buy the Consentry NAC solution. It is a maturing NAC solution.
NAC and IAM complement each other, but you need more than that. You need a SIEM solution, you need IPS, WIPS, and more and more. IAM does not solve all your problems but helps you gain more time to do other things.
Best regards,
Orhan
ARGH!
I think he does realize it but "Pundit Law" nearly requires he not ever back up off the stake in the ground.
The oddest part about most of this is that some of what you have said lately Richard is just out and out crazy talk considering the state of the digital ecosystem and how inter-connected it all is at this point and time.
Grudgingly we get this from you:
Stiennon wrote:
So, alright, the industry is going to re-label the technology. Fine. I will continue to criticize using end point health for anything tied to user rights management.
Mea culpa with a small side of tantrum?
Currently you continue to demean the evolution of the concept of distributed visibility coupled with access management, and that is unlike you considering your original musings on topics associated with NetFlow (SNF, anyone?), etc. The internet is a wonderful place. I will be glad to start linking the stuff.
These UTM boxes you keep screaming about are simply not going to be able to scale to the levels you are implying based on the explosive numbers of vectors and blended threats. They can certainly play a critical role in the equation but they are not the end all and be all of saviors here.
I know you know this and get what is going on here. I also realize that contrarian is sexy. Just make sure you do not "Nicholas Carr" yourself here for the purposes of relevance or the lack thereof.
Constantly having to backtrack sticks out in people's minds but doing it for the right reasons is sometimes necessary. Use your brain to further the evolution of the concepts that matter and realize that most of it has to come together at some point to draw us away from this chasm at which we stand.
Was that last statement sensationalist enough?
How about this?
SNF STIENNON VERSUS NAC MOTHRA!!!! MANY INNOCENTS WILL PERISH!
Regards,
David
Good and bad linkage
David: Thanks for your cogent comments. I agree that the Internet is a great thing and that linking information, people, and computing resources is what makes it great. But there are some things that should never be linked. I believe and will not back down from the idea that end point "health" should never be linked to a user's ability to get access to network resources.
It is too expensive, does not provide enough reduction in risk, and it tends towards a monolithic world of compatible networking and end points: ie. all Microsoft, or all Cisco.
In this extended debate I seem to be the recipient of all the name calling. Pundit, idiot, ignorant, marketing wonk, are all epithets that have been hurled at me, mostly by vendors of NAC products.
Well: Anyone who has declared someone else to be an idiot, a bad apple, is annoyed when it turns out in the end that he isn't. - Friedrich Nietzsche
Wow... Nietzsche... Good
Wow...
Nietzsche...
Good stuff.
One of my favorites...
"The victorious strategist only seeks battle after the victory has been won, whereas he who is destined to defeat first fights and afterwards looks for victory."
- Sun Tzu
Back to the topic...
While I think you have gone way too far the other way here, I do not believe you are an idiot. Far from it really, and no matter how intense I come across at times, my goal is never to demean. I believe instead you have some concept in your mind here to bring it back to center at some point in the future. I keep waiting for that point. WHERE IS IT?!??!?! ;)
Anyone that knows the slightest thing about me or asks me will know that I am by no means the supporter of any sort of homogeneous monolithic worship of either Cisco or Microsoft. That concept makes me want to gag a bit, to be perfectly blunt. Instead, what I believe is that as you folks continue to not find that common ground (as good a press as it may be) on the concepts, you accidentally push people exactly in that direction, because it looks like all the "upstarts" out there do not agree on much of anything while the default choices at least say they know what they are talking about. Do they have to? No. Hell, someone I respect a great deal said to me a while back that Cisco could make a ham and cheese sandwich and call it NAC and get 40% share. That is certainly not the way we want to go, and so a standards situation of any sort that actually is customer co-led is critical to the overall success of this ecosystem.
I do believe a healthy debate on this topic is necessary. What I also believe is that while some folks are ripping each other to shreds the real customers are out there kinda standing around in either awe or disgust. That is a sad state and I for one am simply not going to sit around while this goes the old tried and true path.
I have no stake in this game other than to push for standards at every turn in everything we do in order to really facilitate solutions to what I see as potentially catastrophic problems that reach far beyond the basic enterprise. That to me is what matters.
To be clear, I sell no product. I use what makes sense where appropriate and am willing to say so at any turn no matter how much the default vendors scream. I learn daily and am willing at any point to dig into problems and conversations that make most marketing people and VARs cringe.
I consistently wonder why there are so few customer-based blogs. Maybe it is a time issue or a heads down issue...no idea. What I do know is that we do ourselves a disservice in that capacity because we at times fail to realize that we need to help lead this industry instead of being lazy and letting the vendors, VARs, and pundits do 90 percent of the work. It is in our own best interest and yet we seldom step out and when we do we fail to communicate thereby letting ourselves constantly be kept in silos. I tire of that standard operating procedure.
"The general who advances without coveting fame and retreats without fearing disgrace, whose only thought is to protect his country and do good service for his sovereign, is the jewel of the kingdom."
- Sun Tzu
Regards,
David
Oh, I get it alright Alan
I have been working with startups with dollars in their eyes and holistic security in their mouths for over eight years. It has been my task to filter out the capable from the crapulous.
Some failed technologies have included networked honey pots, "black IP addresses", learned access control rules, security information management, proxy firewalls (good stuff, just not what the market was looking for), behavior based host protection, and a host of bizarre strong authentication schemes.
The all encompassing NAC that you (a vendor) and Joel Snyder (a consultant to NAC vendors) are proponents of entails HUGE investments and new deployments of infrastructure that will not enhance security. Yes, it helps higher ed put off the day of reckoning a few more years by allowing them to enforce system health policies for students. But it is too much for too little. Now you are saying that NAC encompasses existing technology that preceded it: IAM, behavior monitoring, configuration management. So I ask *you* and Joel: Just where is the value in buying your product over doing a good job at access control and configuration management? There are some great, mature products in those areas. Why scrap them and entrust Cisco, Microsoft, StillSecure or any other single vendor with unproven solutions?
You cannot expect the 24+ NAC vendors to all succeed in this space Alan. There will be blood.
Why use NAC over IAM? Because it's a better fit in most cases...
Depending on the organization's networking environment and needs, the features provided by NAC (authentication, authorization, remediation, compliance checking, coverage, etc.) are sometimes just a better fit. Some organizations may not have an IAM solution in place that's comprehensive enough, or the coverage might be incomplete. Although you can argue that it's better to upgrade and tighten the IAM for the entire organization, that can be a larger undertaking than adding NAC where it's needed.
I also dispute the contention that NAC requires an overhaul of infrastructure or massive costs. The reason InfoExpress developed a dynamic, peer to peer NAC approach was to reduce up front costs and avoid infrastructure changes that were required in existing versions of NAC.