What Microsoft's NAP means for the security market

By John Gallant
NetworkWorld.com, 04/28/06


Dear Vorticians,

For Microsoft, it is very good to be king and it makes all the sense in the world to build a network access control scheme that takes advantage of all your subjects - the operating systems that dominate the desktop market and control much of the server market. (For the earlier pieces in this ongoing discussion of network access control, click here.)

Not surprisingly, Microsoft's Network Access Protection (NAP) strategy centers on enabling the Windows desktop client to communicate its state of security readiness to Windows server software, which decides whether the client can access the network or be restricted until its security health is brought up to policy. It's a fairly simple architecture and the best part for Microsoft is that the company has enjoyed pretty wide visibility for the NAP plan, even though it has not delivered on very much of it.

NAP is constantly being compared and contrasted to Cisco's Network Admission Control (NAC) strategy, for example, but NAP won't make its way into the world until the release of the oft-delayed Windows Vista client (which should roll out for business customers later this year) and the Windows Longhorn server software, which is still in beta. Microsoft says it is "investigating" - what an odd word - an update for clients that run XP with Service Pack 2 - meaning the rest of the world, so it will be quite some time before NAP gains much traction.

In the spirit of openness, Microsoft has pledged to support both Cisco's NAC and the Trusted Computing Group's Trusted Network Connect standards, which Cisco has not yet pledged to support. Microsoft's NAP documentation also outlines an important role for third-party security software and hardware in building a robust, secure enterprise ecosystem.

But make no mistake that the NAP plan is vital to Microsoft's strategy of owning much more of the lucrative and fragmented security market in the future. Microsoft has already moved into the anti-virus and anti-spam markets, something that strikes fear into the hearts of existing market leaders - no matter what they might tell you in public. (Here, I am reminded of the companies that once made a nice living selling TCP/IP "stacks." After Microsoft announced plans to embed TCP/IP, these folks all told me that Microsoft's offering would be weak and that customers would still be willing to pay for their more robust software. They're gone now.)

The Cisco-Microsoft alliance, while it has been criticized for not being particularly fruitful at this point, should reinforce that fear. The prospect of the leading infrastructure vendor and leading OS vendor working hand-in-hand to support each other's security strategies would certainly give me pause to consider if I were marketing one of the many security tools enterprises employ today. Can you say marginalization? A Forrester Research analyst said on that point: "Microsoft will become as large a player as Cisco (in access control) as it standardizes endpoint security and 802.1X APIs and complements all port-based solutions."

The Forrester analyst went on to describe how Microsoft has the potential to drive down the cost of network quarantine as it builds key components into its infrastructure software. Can you say disappearing margins?

Maybe that's why even Microsoft NAP and Cisco NAC partners don't always sound so thrilled about being part of the plan. Consider these comments from Fred Felman, a marketing VP with Check Point's Zone Labs, in a December interview with Enterprise Systems Journal.

"The thing that's going against (Microsoft) is they have a partnership with Cisco and they're slow moving. I can speak from experience: we know they are slow."

"Right now, it's probably more difficult for an organization to make its Microsoft (implementations) compliant with the 802.1x API and feature sets from Cisco and others. I think this will drive them to think about the ease with which you can manage it all and I think that what people will get is some administrative relief between Microsoft and Cisco environments. Still, from what I've seen, there's nothing revolutionary here. If you look at the NAC initiative, big whoop . . . Why would you put another security component on your PC, using NAC to do that, when you could get full service security from us? . . . I'm not sure what the tangible benefit will be."

Well, Mr. Felman, while the tangible benefit might not be so clear today, many enterprise customers might relish the prospect of having more security-savvy data center and client hardware and software working in tandem to keep applications and information safe, without the need for separate client software and add-on security devices.

If Microsoft and Cisco make good on their plans - something they've shown the commitment to do - might not such a partnership ultimately reduce the need for at least some of the many security products customers have to buy from multiple vendors today? Would not customers welcome such simplification? Methinks they will and methinks that can't be good news for today's security leaders.

Bye for now.
