I've been looking at the hype, potential and sometimes disappointment associated with the Network Access Control (NAC) market (and its kin - NAP/CNAC etc).
The needs are relatively obvious in terms of protecting data, protecting resources and validating compliance - HP's Secure Advantage approach to security encapsulates these goals as well - however, the benefits are sometimes hard to quantify.
HP's approach to NAC is comprehensive in scope and flexible in delivery, and evolved from a security model that requires analysis of the business needs, governance models and operational risk management. HP states that NAC cannot be an isolated security solution: NAC is part of a layered security, or Defense in Depth, approach to protecting your organization's information technology assets.
HP looks at NAC as a combination of software, hardware, services and processes designed to protect a network from untrusted or unsecured endpoints while providing clear policy compliance across the corporate network environment. HP Enterprise NAC incorporates:
- Policy Management and Compliance – NAC controls and restricts access to network resources based on certain criteria (e.g. posture/health) and business policies.
- Endpoint Protection – NAC solutions include authentication (user and endpoint), endpoint health checks, and/or ongoing monitoring of endpoint health.
- Network Security – Complete NAC solutions incorporate appropriate endpoint, edge, core, LAN and WAN controls.
- Remediation – NAC also provides mechanisms to quarantine and remediate non-compliant devices to allow them appropriate access to network resources.
While these are the core functional aspects of NAC, other service and solution requirements need to be considered including: ISSM, ITIL, ANA, Identity Management, IDP, HIP, Help Desk.
The business benefits of proper NAC solutions are significant, and include:
- Improved Compliance and Governance - When dealing with regulatory or corporate compliance requirements, NAC allows an organization to significantly improve its ability to ensure that access to specific systems and data is only available to specific authorized devices and users that comply with policy. Additionally, with the right implementation, the ability to audit and report on the environment is increased. NAC implementations then allow the high-level governance capabilities to be aligned with the common network security due diligence used in many different governance frameworks.
- Improved security posture - NAC provides an additional protection layer for an organization's Defense in Depth or Layered Security requirements. While it requires analysis specific to an organization, the goal is to minimize risk to the network business resources from unauthorized, unhealthy and out-of-compliance devices and endpoints, and subsequently to minimize the risks resident in the environment where the user is connecting. By doing this, NAC can reduce unnecessary exposure of corporate assets. For example, if a PC is running P2P software then there is a risk that confidential docs could be inadvertently shared. This could then be caught, audited and blocked by ensuring the PC does not get on to the secured network.
- Improved operational cost management - Ranging from virus infection through to data loss, organizations face tremendous pressures to prevent breaches, while at the same time maintaining or decreasing cost structures. Investing in NAC capabilities allows an organization to increase its security posture while ensuring that fewer issues need to be resolved post-breach. Unfortunately, costs associated with resolving security breaches after the fact are often hard to quantify; however, there is a mountain of data available that provides a baseline for such events.
Interestingly, the cost benefits are sometimes overlooked, yet there are a multitude of methods and real-life data that provide clear business case metrics. The US TJ Maxx compromise shows that network security is critical and that the losses can be immense, in terms of both financial and credibility hits. Beyond that, think Slammer, rootkits, IP/data losses, etc. NAC can provide a large piece of the solution.
In upcoming posts I'll take a look at the challenges for NAC, the standards, and the future evolutions.