Gartner Blog Network

Network Access Control Update

by John Pescatore  |  February 24, 2010  |  3 Comments

Lawrence Orans and I are in the midst of developing the 2010 Network Access Control Magic Quadrant. It is interesting to see how the products have matured and how enterprise use of NAC has matured. Guest networking has become the dominant use case, but not just for allowing vendors or contractors on the network – increasingly NAC is being used to securely support unmanaged “guest” devices on the network: employees with employee-owned laptops or smartphones, as well as the myriad appliances, IP phones, wireless access points and the like that pop up on networks.

I spend a lot of time with Gartner clients on this issue of securely allowing unmanaged IT to be used – this is all part of the “Consumerization of IT” trend Gartner identified several years ago. NAC is actually one of the more commonly used solutions (though it is not always called NAC), as the other approaches are often either more restrictive, more expensive, or both:

  • Desktop virtualization – giving out a VMware environment so that the locked-down work image can be run on home PCs and the like sounds attractive, but it is really just IT saying “work out of this locked-down environment and don’t transfer anything in or out,” and that approach never works outside of environments where lockdown worked in the first place – not many. It also doesn’t work for smartphones. A variant, where tailored virtual desktops are downloaded each time a user connects, has more promise where sufficient connectivity exists.
  • Server-based computing – From a security perspective, Citrix and the like are ideal solutions, but they are just as restrictive as the above.
  • Portable personalities – give users secure USB devices that run secure sessions from the USB device to your server. Some approaches are just as restrictive as the above (only IT can enable applications), but some do allow the user to add apps.
  • Network Access Control – Whenever anything connects, determine whether it is one of your machines or not, who is using it, and what the security status of the device is. Then you can require a dissolvable agent to be downloaded, let the device be used as-is with limited or full access, or not allow the device on the network at all.

Enterprises that have institutionalized the first steps of NAC (detecting when something connects to your network and determining whether it is a managed device or not) are in a good position to deploy a solid security approach for supporting business demands to use any old device anyone wants to use.
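To make the NAC bullet above and the “first steps” in the previous paragraph concrete, here is an added example (not Gartner’s text and not any vendor’s product logic) of the admission decision as a small policy engine: classify the connecting device as managed or not, identify the user, look at posture, then choose full access, limited access, a remediation VLAN where a dissolvable agent can be downloaded, or deny. Enforcement is expressed as the RADIUS attributes a NAC server returns to an 802.1X-capable switch for dynamic VLAN assignment (RFC 3580: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id). The CA name, VLAN numbers, headless-device allowlist and sample connection events are constructed assumptions for the example.

```python
"""Illustrative NAC admission policy (added example; constructed assumptions).

Step 1: is it one of our machines?   -> is_managed()
Step 2: who is using it?             -> ConnectEvent.identity / auth method
Step 3: what is its security status? -> ConnectEvent.posture
Then:   full / limited / remediate (dissolvable agent) / deny -> decide()
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class AuthMethod(Enum):
    EAP_TLS = "eap-tls"  # 802.1X with a device certificate: can prove it is ours
    PEAP = "peap"        # 802.1X with user credentials: known user, unknown box
    MAB = "mab"          # MAC auth bypass: no supplicant; a MAC is trivially spoofed
    WEB = "web"          # captive-portal / sponsored guest registration


class Posture(Enum):
    UNKNOWN = "unknown"            # no agent has reported yet
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"


@dataclass(frozen=True)
class ConnectEvent:
    mac: str
    auth: AuthMethod
    identity: Optional[str] = None     # user or device name, if authenticated
    cert_issuer: Optional[str] = None  # issuer DN of the client cert (EAP-TLS)
    posture: Posture = Posture.UNKNOWN


# Constructed enterprise settings (assumptions for the example).
MANAGED_DEVICE_CA = "CN=Example Corp Device CA"
VLAN_CORP = 10        # full access
VLAN_LIMITED = 20     # internet plus a few internal services
VLAN_REMEDIATE = 30   # can reach the posture server / agent download only
VLAN_GUEST = 40       # internet only (also the registration VLAN)
KNOWN_HEADLESS = {"00:1b:21:aa:bb:cc": "ip-phone"}  # constructed MAB allowlist

DENY = {"decision": "deny", "radius": None}  # RADIUS Access-Reject


def is_managed(ev: ConnectEvent) -> bool:
    """'One of our machines' means it presented a device cert from our CA.
    A familiar MAC or hostname is not proof: both are spoofable."""
    return ev.auth is AuthMethod.EAP_TLS and ev.cert_issuer == MANAGED_DEVICE_CA


def _vlan(decision: str, vlan: int) -> dict:
    """Access-Accept carrying RFC 3580 dynamic VLAN assignment attributes."""
    return {"decision": decision,
            "radius": {"Tunnel-Type": 13,            # VLAN
                       "Tunnel-Medium-Type": 6,      # IEEE-802
                       "Tunnel-Private-Group-Id": str(vlan)}}


def decide(ev: ConnectEvent) -> dict:
    """Map (managed?, who?, posture?) to an enforcement result."""
    if is_managed(ev):
        # Managed box: the resident agent must have reported a clean posture.
        if ev.posture is Posture.COMPLIANT:
            return _vlan("full", VLAN_CORP)
        return _vlan("remediate", VLAN_REMEDIATE)
    # Unmanaged from here on: never full access, whatever it claims to be.
    if ev.auth is AuthMethod.PEAP and ev.identity:
        # Employee on an employee-owned device: limited access, but only after a
        # dissolvable agent has checked the box; otherwise park it where it can
        # fetch that agent and nothing else.
        if ev.posture is Posture.COMPLIANT:
            return _vlan("limited", VLAN_LIMITED)
        return _vlan("agent-required", VLAN_REMEDIATE)
    if ev.auth is AuthMethod.WEB:
        return _vlan("guest", VLAN_GUEST) if ev.identity else DENY
    if ev.auth is AuthMethod.MAB:
        # Headless gear (printers, phones, APs) on the allowlist gets limited
        # access; anything else lands in the registration VLAN behind the portal.
        if ev.mac.lower() in KNOWN_HEADLESS:
            return _vlan("limited", VLAN_LIMITED)
        return _vlan("register", VLAN_GUEST)
    return DENY  # e.g. EAP-TLS with a cert we did not issue


# Constructed sample events, one per branch of the policy.
SAMPLE_EVENTS = [
    ConnectEvent("00:50:56:00:00:01", AuthMethod.EAP_TLS, "laptop01", MANAGED_DEVICE_CA, Posture.COMPLIANT),
    ConnectEvent("00:50:56:00:00:02", AuthMethod.EAP_TLS, "laptop02", MANAGED_DEVICE_CA, Posture.NONCOMPLIANT),
    ConnectEvent("00:50:56:00:00:03", AuthMethod.EAP_TLS, "rogue", "CN=Some Other CA", Posture.COMPLIANT),
    ConnectEvent("3c:07:54:00:00:04", AuthMethod.PEAP, "alice"),
    ConnectEvent("3c:07:54:00:00:04", AuthMethod.PEAP, "alice", posture=Posture.COMPLIANT),
    ConnectEvent("00:1b:21:aa:bb:cc", AuthMethod.MAB),
    ConnectEvent("de:ad:be:ef:00:05", AuthMethod.MAB),
    ConnectEvent("ac:de:48:00:00:06", AuthMethod.WEB, "guest-4711"),
    ConnectEvent("ac:de:48:00:00:07", AuthMethod.WEB),
]


def run_samples() -> list:
    """Evaluate the constructed events; returns [(mac, decision, vlan-or-None)]."""
    out = []
    for ev in SAMPLE_EVENTS:
        r = decide(ev)
        vlan = r["radius"]["Tunnel-Private-Group-Id"] if r["radius"] else None
        out.append((ev.mac, r["decision"], vlan))
    return out


if __name__ == "__main__":
    for mac, decision, vlan in run_samples():
        print(f"{mac}  {decision:15s}  VLAN {vlan}")
```

The one design point worth noting is where “managed” comes from: only an EAP-TLS certificate chained to the enterprise’s own device CA counts, so the policy never grants full access on the strength of a MAC address or a hostname. MAB and captive-portal devices are handled, but they top out at limited access, which is the practical meaning of “let the device be used as is with limited access.”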


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Thoughts on Network Access Control Update

  1. Dave says:

    John… this seems to me to be a case where the culture and political climate in an organization is more important than the technology or approach. Those are usually the biggest barriers to our adoption of some of the things you talk about. Some are easy sells, others the opposite, not because they don’t see the benefits, but because the institutional climate is not right.

  2. Yes, definitely – security is really always about compromising between what the business wants to do and what security wants to do, and the overall culture of the organization drives both sides of that.

    The technology and security controls can be adapted to the culture – it is a losing strategy to sit around and say “well, until our culture changes we can’t do anything about *that*.” Think about universities – they are the largest adopters of NAC and they have had the most anti-security culture of any industry vertical.

    There are security approaches to fit *almost* every culture that are all better than doing nothing.

  3. […] article just goes to show how important it is to use VPN and have NAC features in place, particularly when logging in remotely.  Without these anyone can access data available […]


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.