Trusted Network Connect (TNC), the working body of the Trusted Computing Group (TCG), today announced extensions to its security architecture with new open source standards for remote access (IF-T), for non-TNC-enabled endpoints, and for a Security Assertion Markup Language (SAML) interface. TNC has collaborated with NAC vendors to standardize solutions that work with hybrid network components: NAC switches, appliances, and software agents. The TNC standards could integrate with any device that produces identity and policy information, in essence creating a repository of policy based on the identity and behavior of the user that is completely transferable to any system via SAML interfaces. This work is specifically aimed at easing the deployment woes of the many organizations that host diverse vendor solutions from Cisco, Microsoft, ProCurve Networking by HP, Juniper, Oracle, Symantec, McAfee, and so on.

We still hear many horror stories of how complex and cumbersome NAC implementations are. To top it off, choosing a vendor solution is never an easy task, since many vendors claim to have NAC functionality but have proprietary ways of doing things. These two reasons have hampered the NAC market with failures. In the midst of all this, the interoperability of NAC solutions with other networking components remains an Achilles' heel, and policy creation and enforcement suffer the most from these obstacles. With this recent announcement, the TNC security architecture includes a number of open source standards that help with policy creation and enforcement protocols without heavily updating the network infrastructure. Rather, they leverage existing network devices and agents by requiring them to run a TNC code stack, which makes the interworking of various security devices easier. Specifically, IF-MAP will help tremendously, given that the NAC market is already fragmented into infrastructure, out-of-band appliance, and software-based solutions.

Sounds good, right? Yes, but there has been limited success in enrolling vendors to incorporate TNC's standards. Vendors like Cisco, which has the largest NAC install base, still do not work with TNC standards directly. If a Cisco shop wants to implement a NAC solution other than Cisco's, it has to go through a plethora of configurations before getting it up and running. TNC standards can ease such use cases, simplify integration pain points, and provide a common policy store. Specifically, we're bullish on standards such as IF-MAP, which builds a metadata server resident in the infrastructure that is capable of communicating with any networking component.


TNC standards can help revive customer interest in NAC by providing an open source mechanism that integrates with all the technology components. The latest updates are aimed at handling various user and process scenarios that help track a user's identity and device. Traditionally, NAC has been aimed at simpler use cases like guest access, but it has now evolved to address broader issues like operational efficiency, making it much more relevant in the current economy. For example, organizations are striving to automate asset management by fingerprinting network-attached endpoints and enforcing policies through a common enforcer. That enforcer has to take information from multiple sources; thus, NAC enters the picture. The marriage of NAC and IF-MAP is needed for a complete view of backend policy together with network visibility and enforcement.

Although many vendors have joined the ecosystem since last year, a number of NAC vendors still don't support these standards. Adoption of TNC's standards can lead to open collaboration among IPS, DLP, asset management, UTM, and many other technologies, easing operational overhead. It's hard to say whether these standards will drive NAC adoption, but they surely expand its definition, making NAC operationally efficient and a common enforcer across many policy interfaces.

Do you think TNC's standards are going to be fruitful for NAC's adoption, or will they fail to revive interest in NAC? Either way, let us know what you think.

Have you started or completed a NAC implementation? We’d love to hear your experience on that, too.