Information security managers should steer clear of the buzz surrounding Network Access Control (NAC) as there are less complex and more effective alternatives, according to Mark Bouchard, the founder of Missing Link Security Services.
Speaking at a Computerworld breakfast briefing earlier this month, Bouchard labelled NAC "Network Access Confusion."
NAC basically refers to technology that enables enterprises to enforce security policies on endpoints connected to their networks.
The NAC charge is being led by Cisco and Microsoft who have committed to making their systems interoperable and NAC-ready.
A study by Infonetics estimates NAC vendor revenue will skyrocket from $US323 million in 2005 to $3.9 billion in 2008.
But despite the optimistic forecast, Bouchard said NAC is hard to implement if an organization wants to extract any real value.
It relies upon knowledge of the network, the user and the access controls in place to function properly.
He expects a slow growth curve around the adoption of NAC with only 10-20 percent of enterprises adopting the technology during 2007.
Bouchard isn't the only analyst or customer to issue warnings about NAC.
Opus One senior partner Joel Snyder, said earlier this year that NAC technologies are daunting to even the most sophisticated IT shops because they cross multiple domains.
Among the four primary requirements of NAC -- authentication, environment, access control and management -- management poses the most significant challenges, he said.
"Inherently NAC is impossible to manage because it combines authentication with network gear with end-point security and with a policy server. All teams have to come together to manage this one solution," Snyder said. "NAC is 'big picture' hard."
It is in this environment that Bouchard warned IT security managers to seek out cheaper and more effective alternatives.
He said enterprises have always been able to control where users go on the network, they have only been limited by fears of stopping legitimate traffic.
To avoid NAC complexity, Bouchard said enterprises can get a monitoring device and tighten access control as enforcement is less costly and less intrusive.
"We need more integrated products, not end points so we have full coverage before an attack, during an attack, and after an attack," Bouchard said.
So what security products are hot? According to Bouchard, Intrusion Prevention Systems (IPS) are effective as they provide a wealth of contextual information to make better decisions.
Also hot this year is log management, and encryption.
He said the effectiveness of anti-virus products is diminishing and labelled information leak prevention tools a complete waste of money.
"It's easy to invest $300,000 on leak prevention tools that only address half the problem. It is more cost-effective to use encryption and address policies around who actually gets a laptop," Bouchard said.