I've spent some time over the last many months looking at NAC (amongst other things), and think there is a long way to go. The standards are still evolving, vendors are still jockeying for position if not acquisition for the smaller players, and folks trying to implement NAC are still riding through various peaks and troughs of success and disillusionment.
But this post is not about those things… this is about where I think NAC needs to and will evolve over the next few years… and I’ll say that if I am wrong, or missing things, let me know – I am watching lots of news and analysis go by through the tubes, but the evolution seems to be moving slowly.
So, here are some key areas I think we need to focus on:
- Standardized NAC infrastructure: Given the work of the TCG's TNC working group, HP believes that standards for NAC infrastructure will help meet customer needs for interoperability between NAC-level products. For example, Microsoft's recent NAP alignment with TNC will have a significant impact on creating a common NAC framework. HP will continue to work with vendors and standards bodies to deliver a standardized NAC infrastructure. Further, the increased use of interoperability testing will ensure that these infrastructures provide for easier deployments.
- Device Identities: HP sees the need for secure device identities to be implemented to support NAC security architectures. Building on existing standards such as TCG's TPM specifications, the work of the TCG's TNC working group and IEEE 802.1AR will better address network infrastructure security needs: endpoints will be able to provide stronger security assurances by presenting hardware-protected device identity credentials and signed health statements to a NAC ecosystem.
- Standardized NAC integrations: To minimize friction between governance models and network security initiatives, it is critical that NAC be able to support and respond to an organization's supporting SIM/SEM, change management, network management, and similar tools.
- Behavior-based NAC: Linking NAC implementations with network monitoring capabilities allows legacy devices to participate more fully in a complete NAC environment, while appropriately mitigating the risks associated with their lack of NAC device client capabilities. This will evolve into a cyclical relationship between these solution areas, delivered by standardized NAC integrations.
- Virtualization and Hypervisor evolutions: With the emergence of virtualization technology on endpoints, we expect to see the development of hypervisor-level NAC solutions for endpoint compliance enforcement. Proprietary technologies such as Intel vPro are beginning to take advantage of hypervisor technology to isolate and secure network security policy enforcement on individual endpoints, and we expect such implementations to integrate with NAC architectures moving forward.
Let me know your thoughts...