Lawrence Orans and I are in the midst of developing the 2010 Network Access Control Magic Quadrant. It is interesting to see how the products have matured and how enterprise use of NAC has matured. Guest networking has become the dominant use case, but not just for allowing vendors or contractors on the network – increasingly NAC is being used to securely support unmanaged “guest” devices on the network: employees with employee-owned laptops or smartphones, as well as the myriad appliances, IP phones, wireless access points and the like that pop up on networks.
I spend a lot of time with Gartner clients on this issue of securely allowing unmanaged IT to be used – this is all part of the “Consumerization of IT” trend Gartner identified several years ago. NAC is actually one of the more commonly used solutions (though it is not always called NAC), as the other approaches are often either more restrictive, more expensive, or both:
- Desktop virtualization – giving out a VMware environment so that the locked-down work image can be run on home PCs and the like sounds attractive, but it is really just IT saying “work out of this locked-down environment and don’t transfer anything in or out,” and that approach never works outside of environments where lockdown worked in the first place – not many. It also doesn’t work for smartphones. A variant, where tailored virtual desktops are downloaded each time a user connects, has more promise where sufficient connectivity exists.
- Server-based computing – from a security perspective, Citrix and the like are ideal solutions, but they are just as restrictive as the above.
- Portable personalities – give users secure USB devices that run secure sessions from the USB device to your server. Some approaches are just as restrictive as the above (only IT can enable applications) but some approaches do allow the user to add apps.
- Network Access Control – Whenever anything connects, determine if it is one of your machines or not; who is using it; and what the security status of the device is. Then you can require a dissolvable agent to be downloaded, or let the device be used as is with limited access or full access, or not allow the device to be used at all.
Enterprises that have institutionalized the first steps of NAC (detecting when something connects to your network and determining whether it is a managed device or not) are in a good position to deploy a solid security approach for supporting business demands to use any old device anyone wants to use.