NAC is Dead? The Resurrection of NAC


Some argue that Network Access Control (NAC) is no longer relevant in today’s world of the mobile workforce and distributed (or decentralized) organizations that have moved to using cloud applications for the most part. Adding the fact that many organizations are allowing personal devices to be used in the corporate environment (BYOD) and the fact that IoT devices are used everywhere, some might consider this to be further evidence to the conclusion that NAC is no longer relevant or needed.

In 2004 the first NAC products came on the scene and signaled the start of a new segment in Information Security. At the time, most organizations still had a physical perimeter, desktops were still the main PC to be used at the workplace and laptops were starting to make a wide appearance. BYOD (bring your own device), IoT (Internet of Things) and multi-branch, geo-distributed organizations that rely heavily on cloud services were not prevalent yet. Accordingly, the standards for NAC were very different from what they are today and mainly focused on the wired environment. NAC solutions were then primarily based on using 802.1x pre-connect enforcement with supplicants which were not part of the operating system. Organizations trying to implement NAC solutions only had the option of deploying 802.1x – which ended up with long, complex deployment and implementation, leaving them with a bad taste for NAC.

Over the past 20 years, NAC technologies have evolved exponentially. Vendors introduced control and discovery techniques that have yielded better and faster deployments and ROI. Just as the enterprise network and endpoints have evolved, NAC solutions have evolved from merely allowing or blocking endpoints onto the network into a broader security solution that provides network visibility, endpoint profiling, security posture assessments, risk management and compliance.

Additionally, some solutions have scaled to suit the modern workforce, heterogeneous networks, hybrid cloud and on-prem environments, diverse endpoint environments (such as IoT and BYOD) and globally distributed organizations. This increase in the number of devices connecting to the network and the change in working environments have been our reality for the past 10 years and have evoked a new NAC. Hence, the resurrection of NAC continues to be upon us.

Future of NAC

At this point in 2019, over 60% of enterprise data is stored in cloud applications (public cloud, private cloud and a hybrid of both). By 2020, just a year from now, it is predicted that 83% of enterprise workloads will be taking place in the cloud (1). According to IDG, 77% of enterprises have at least one application or a portion of their enterprise computing infrastructure in the cloud. Additionally, more technology-dependent industries including manufacturing, high-tech, and telecom are being led by executive management to become 100% cloud-based. Therefore, it is crucial to make sure that only company-owned and secured devices gain access to corporate intellectual property and information in the innermost circles of the enterprise. According to Gartner research, by 2023 80% of enterprises will adopt two or more cloud-based security services. This is no coincidence. The complexities in the cyber security landscape, alongside the increasing shortage of skilled security professionals, are leading towards a greater adoption of cloud-based security services and specifically to the adoption of NAC as-a-Service.

Another factor in future solutions is related to increasing IoT adoption by enterprises and factories. Visibility and monitoring of IoT must be done by an agentless solution. We believe that having agentless solutions that are centrally controlled will be preferred by many organizations in 2019 and the years to come.

Lighter, adaptable and agile solutions will be necessary in the new era. Enterprises will transition into using easier NAC solutions such as centralized NAC, agentless NAC, NAC delivered from the cloud and Software-as-a-Service. These NAC solutions will save time and money on deployment, training and implementation, while at the same time providing the visibility and accuracy needed to handle today’s complex and hybrid networks. Next-gen solutions are able to cope fully with today’s decentralized organizations and the old NAC configurations will no longer suffice as they are perimeter focused.

Conclusion

NAC was effective for the problem it was created to solve in the mid-2000s, but subsequent technological advancements in cloud applications, the mass adoption of mobile computing devices by the mobile workforce, and IoT have introduced new complexities and challenges. The new computing model requires new cyber security solutions, and the new NAC technologies are uniquely positioned to be among them. Cloud-native solutions will address concerns of lengthy deployments and geo-distribution. Agentless and centralized solutions will shorten and simplify implementations and everyday usage that were once the dread of CISOs and IT security teams in the enterprise.


  1. LogicMonitor’s Cloud Vision 2020: The Future of the Cloud Study
  2. The State of Network Security in the Cloud Era, Lawrence Orans, 2018 Gartner Security & Risk Management Summit.
  3. 2.9 million according to (ISC)2
