NAC's Painful Realities

Before the multi-million-dollar NAC market can go forward, someone needs to decide what the three letters stand for, according to a security expert.

Aaron Earle, CEO of security consultancy AE&E Corp., will give a tough-love session on the endpoint security technology at the annual Computer Security Institute conference in Washington, D.C., next week. And he's starting with some harsh realities.

"The fact is that NAC isn't working because nobody knows what it is," Earle says. "Cisco says it's Network Admission Control. The industry says it's network access control. Microsoft says it's Network Access Protection. All of those things have different meanings.

"Is NAC a way to ensure that an end user has all of the right antivirus software and security tools in place? Or is it just a way to separate guests from permanent end users, and restrict what they can get to? If you don't know what you want NAC to do, you're going to have a tough time getting it implemented."

Earle's cut-to-the-chase, emperor-has-no-clothes attitude about NAC reflects the mood of many other analysts and security professionals, who are becoming frustrated with the confusion surrounding the market. (See Is NAC Dying?.)

"Enterprises need to get off the notion that they have to do NAC," he says. "There are good uses for it, but in some cases, there may be other ways to achieve the same thing." In the meantime, vendors need to agree on a common standard for the technology -- some vendors currently have representatives sitting on the boards of competing NAC standards, he notes.

— Tim Wilson, Site Editor, Dark Reading