Network access control (NAC) was first offered in 2006 as a security solution that seemed promising but struggled to gain adoption. This only worsened in the wake of anywhere-work and the move to the cloud, as on-premises networks declined in importance. Newer solutions such as Zero Trust network access (ZTNA), which combine software-defined perimeters (SDPs), dominate the conversation today, yet NAC has retained a low-key relevance in the era of Zero Trust.

Forrester’s 2018 report, “The State Of Network Security: 2018 To 2019,” found that 59% of security decision-makers were implementing or expanding implementations of NAC solutions for that year. In 2020, 2021, and this year, that number dropped, fluctuating at 45%, 43%, and 44%, respectively. Forrester found that most of the implementations seem to favor Wi-Fi connectivity, while many wired ports remain unprotected. This information is found in the Forrester Analytics Business Technographics® surveys covering network and telecom as well as security.

NAC Lives On Despite Ongoing Doubts

NAC lives on in some environments, due to the cost of ripping it out and two key use cases:

  • Internet of things (IoT). Light bulbs, PLCs, strain gauges, and many other devices will send bytes of data to similar devices or localized systems that don’t enter the domains of other security systems. For example, light bulbs using Zigbee communicate with each other to adjust lighting levels and colors based on policies that are pushed down to the system through a single gateway.
  • Network policies. Network infrastructure is a finite resource. Link and backplane bandwidth, memory, ASIC, and other hardware component constraints require devices and applications to be prioritized within networking hardware and throughout the network. Identifying them through NAC allows that to happen without networking administrators having to log in and update configurations when a new device connects.

Although it was expected to be phased out, NAC still comes up in conversations today. Vendors cite continued interest from customers, while infrastructure and operations and security pros argue over whether it should still be a part of security programs.

NAC Challenges

Security and risk pros need to address problems introduced by a mobile and remote workforce incentivized by cloud integrations. NAC solutions were and still are viewed as complex and costly to deploy effectively. They also came up short on remote and cloud security. As a result, the NAC solutions that were implemented were limited to addressing comply-to-connect (C2C) programs, IoT/OT, and device posture use cases for on-premises environments.

Attempts to modernize NAC have allowed the offerings from vendors such as Forescout, Aruba, Extreme, Juniper, and Cisco to give decision-makers options to either expand an existing NAC deployment or integrate it into their Zero Trust strategy. These modernizations occurred while the industry wasn’t looking, and the marketing efforts didn’t garner widespread attention.

Aruba, for example, has built the capability for microsegmentation into its platform. Juniper has bolstered its offering through the acquisition of WiteSand, allowing it to provide a cloud-native NAC. In most instances, NAC vendors offer solutions that benefit from integrating technologies such as ZTNA to improve security and help fill gaps. Even Forescout seeks to take its solution beyond modern NAC through its completed acquisition of Cysiv, an innovator in a cloud-native platform for threat detection and response.

Security professionals need help to understand where NAC is today and its future significance. I’ll be digging into this more in upcoming research throughout the fall, so watch this space!