Survey: NAC backlash growing

Network Access Control technologies may be waning as a priority for U.S. businesses because decision makers worry that the technology isn’t quite baked yet, according to an upcoming study by TheInfoPro.“People are taking it off their books for the next 12 months and waiting for it to mature,” says Bill Trussell, managing director of networking for the analyst firm.Research to be published next month says that of 126 network professionals, 37% say it is very likely or extremely likely they will decide to develop or implement a NAC policy initiative in the next 12 months, down 17% from earlier this year.

About half of the respondents came from businesses with greater than $1.4 billion in revenues and the other half from businesses making $300 million to $1.4 billion.

The survey was done in two groups, one last spring and one this fall. From the spring sample, 54% said they are very or extremely likely to decide or implement a NAC policy initiative.“CSOs and CISOs don’t feel the NAC is mature enough yet,” Trussell says. Others say they have recently refreshed their network infrastructure and are reluctant to launch another extensive project so soon. And some are put off by the cost. “Cisco’s NAC alone requires you to load up the NAC framework on every switch and router. In a global network, that is a major undertaking,” he says. Another hurdle is the lack of a universal trust agent, software that runs on network endpoints to perform security scans that NAC evaluates to determine whether the device warrants network access at all and if so how much. As corporations with a common business focus such as healthcare or finance consider NAC, they will want some assurance their infrastructure will be interoperable with partners in the same field, he says. Attitudes have not turned against NAC altogether, just shifted to the cautious end of the spectrum. Some skepticism has arisen because there are few standards adopted by vendors that will make their NAC gear interoperable, according to comments made by those interviewed.Full NAC rollouts may not start in earnest until 2008 says Phil Lerner, TheInfoPro’s managing director for information security. “They may not be ready in 24 months, let alone 12 months,” he says. Contributing to this shift is the delay in the release of Microsoft’s Vista operating system which contains core elements of Microsoft’s NAC scheme which is called Network Access Protection or NAP.While fewer businesses are ready to make big-dollar commitments short-term on NAC, many are still willing to pilot NAC gear or run tests on it in their labs, Trussell saysFewer than half those surveyed say NAC plans are influencing hardware, software and services procurement decisions for the next 12 months.