Network Access Control ("NAC") was an emerging focus at last September's Digital ID World conference. The reason for including NAC in the agenda arose from my belief (fueled by talks with enterprises) that network-layer identity management was an area that is fast becoming an important piece of enterprise architecture. In the aftermath of the event, Phil and I tried to sit back and take a look at what actually happened. What we found with regards to NAC (and what I've heard since) is that, while the enterprise IT folks I talked with really "get it," some of the vendors in the space don't understand how they fit in the identity world. Curious, right?

Is the product focus "pre-admission" or "post-admission"?
That finding led me back to wanting to speak with some NAC vendors, and luckily ConSentry contacted me to brief me about some of their new product releases (their InSight product, for those that are interested). What resulted was a realization for me: the dividing line of NAC vendors who understand where their products fit in an identity-based world, and those that do not, is centered on where the core of their functionality comes from.
If a vendor's NAC product is focused on the zone of "pre-admission" -- that is to say, the "admission" process -- then they do not see themselves as an identity-based product. If, on the other hand, the core of the functionality is focused on what happens "post-admission," they do see themselves as living in the identity space.
The reason for this is simple: "post-admission" identity-based NAC is centered around things like role-based provisioning at the network level, policy enforcement around roles, and the visibility and auditing of policies. All of these post-admission activities are driven by the functioning of identity within a network. (All of those capabilities, by the way, are what ConSentry is realizing are core to their customers' needs.) The driving force behind this is a customer base that now views the network perimeter as a dynamic zone of permissions and authorizations. Keeping people out isn't the order of the day; controlling what they do and knowing what they've done is.
On the other hand, "NAC" companies focused on "pre-admission" activities still view the network as a static wall. For these companies, the act of authentication and endpoint checking is still a binary switch. The "yes/no" decision results in a "policy" of you're in or out.
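To make the two models concrete, here is an added illustration (written for this page, not code from ConSentry or any NAC product) of an enforcement point that first applies a binary pre-admission gate and then, for an admitted endpoint, evaluates every flow against a role-based policy and records each decision in an audit trail. The users, roles, subnets, ports and flows are constructed sample data, and the identity and posture inputs are assumed to have already been produced by whatever authentication and endpoint-checking mechanism is in use.

```python
"""Hypothetical NAC enforcement point contrasting a binary pre-admission gate
with role-based post-admission policy plus an audit trail.
All roles, subnets, users and flows here are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    user: str
    role: str            # role asserted by the identity store after authentication
    authenticated: bool  # result of the admission-time authentication (assumed input)
    posture_ok: bool     # result of the admission-time endpoint check (assumed input)


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int


# Post-admission policy: role -> (destination network, port) pairs the role may reach.
# Constructed for illustration; a real deployment would pull this from a policy store.
ROLE_POLICY = {
    "finance":    [("10.0.5.0/24", 443)],                          # ERP web front end
    "engineer":   [("10.0.7.0/24", 22), ("10.0.7.0/24", 443)],     # build hosts
    "contractor": [("10.0.9.0/24", 3389)],                         # jump host only
}


def pre_admission(ep: Endpoint) -> bool:
    """The 'static wall': a one-time yes/no on identity and posture.
    Nothing about what the endpoint does afterwards is considered."""
    return ep.authenticated and ep.posture_ok


def post_admission(ep: Endpoint, flows: list[Flow], audit: list[dict]) -> list[bool]:
    """Per-flow enforcement driven by the endpoint's role. Every decision is
    appended to `audit`, which is what provides visibility into who did what."""
    allowed = ROLE_POLICY.get(ep.role, [])
    decisions = []
    for fl in flows:
        dst = ipaddress.ip_address(fl.dst_ip)
        permit = any(dst in ipaddress.ip_network(net) and fl.dst_port == port
                     for net, port in allowed)
        audit.append({"user": ep.user, "role": ep.role,
                      "dst": f"{fl.dst_ip}:{fl.dst_port}", "permit": permit})
        decisions.append(permit)
    return decisions


def enforce(ep: Endpoint, flows: list[Flow], audit: list[dict]) -> list[bool]:
    """Full path: admission gate first, then role policy on each flow.
    A rejected endpoint gets a single audit record and no flows."""
    if not pre_admission(ep):
        audit.append({"user": ep.user, "role": ep.role, "dst": None, "permit": False})
        return [False] * len(flows)
    return post_admission(ep, flows, audit)


if __name__ == "__main__":
    log: list[dict] = []
    alice = Endpoint("alice", "finance", authenticated=True, posture_ok=True)
    traffic = [Flow("10.0.5.10", 443), Flow("10.0.7.20", 22)]
    print(enforce(alice, traffic, log))   # admitted, but only the ERP flow is permitted
    for rec in log:
        print(rec)
```

The point the two functions make is that `pre_admission` answers only "in or out", while `post_admission` produces a decision and an audit record per flow keyed on the identity's role; an endpoint that passes the gate is still denied anything outside its role, and that denial is visible afterwards.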
Companies like ConSentry seem to have tapped into a cutting-edge customer concern: treating the network layer (and its accompanying identity problems) in the same way that one would treat the application layer. That focus, and the accompanying shift of NAC products toward "post-admission" activities, seems likely to be the growing edge of a hot market.
Needless to say, Digital ID World will still be covering NAC.