Published on Security Incite: Analysis on Information Security (http://securityincite.com)

2007 DOI: Day 4 - Trust No One

By Mike Rothman
Created 2007-02-19 16:27

NAC, NAC?
Who’s there?
Confused.
Confused who?

You know who, don’t you? NAC is this year’s PKI. Everyone wants to believe it’s the year of NAC. But I suspect most customers will be sorely disappointed in how little NAC does to deter the “insider threat” this year.

Why? Because solving the insider problem is complicated and multi-faceted. It’s about more than just checking the AV and patch levels on devices connecting to the network. It’s also about more than access control and worm mitigation. And that doesn't even scratch the surface on the data/information security issues related to the "insider threat."

It’s about all three and architecturally, that’s going to be a hard problem to solve in 2007. Why? Because rip and replace is not an option. Unless you have a money tree out back.

The good news is that based upon numerous conversations and validating evidence, customers are starting to figure out what they need. Of course, knowing what to buy and actually buying it are totally different. NAC is still a very early market and will remain as such for another 2-3 years.

Can you hear all the VC’s shuddering? After throwing hundreds of millions of capital into a market sector, the last thing these guys want to see is a market still 2-3 years from major revenue acceleration. But it is what it is. You can’t push on a string, though many players in the NAC business will try this year.

Another dynamic that will muddle things is the sheer number of vendors. It feels like the anti-spam business 2-3 years ago, but with a less defined value proposition. After the initial wave of buying, anti-spam leveled off (late 2005 to mid-2006). There were too many vendors, too much confusion, not enough differentiation. Customers waited for some consolidation and shake-out, and it was only with the wave of image spam in Q4 of 2006 that they started buying en masse again.

The problem is that the early adopters are only starting to roll out NAC, and the market is already oversaturated. I don’t envy anyone trying to sell NAC nowadays. 10 vendors in a deal saying the exact same thing is no fun for anyone.

So what’s a customer to do? Tread carefully. Kick the tires. Figure out your real requirements. And probably repurpose existing devices (like SSL VPN) to do poor man’s NAC for the short term. Unless you have some very specific requirement that forces you to buy something today, don't. And if you do, don't get married to whatever solution you pick. It's TACTICAL. Manage expectations that you will be looking at other stuff in a year or two.

Something like network behavior analysis could also be helpful, at least to pinpoint some weird traffic patterns. In a perfect world, you’d like to actually block the weird stuff. But as a first step, knowing about it is useful.

Another benefit of more aggressive monitoring on the network is that the network doesn’t care who you are or what your job title is. There are no “freebies” for important folks. No ways to skirt the monitoring or enforcement mechanisms. And in an environment where the CEO is perhaps at least as likely to be dirty as a run-of-the-mill worker, you can’t assume anyone is clean.
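As an added illustration (not code from this post, and not any vendor's product), here is the kind of first-step check the two paragraphs above describe: a small Python pass over constructed NetFlow-style daily summaries that flags a host when its outbound volume or its distinct-destination fan-out exceeds a multiple of that host's own recent median. The host names, flow records, and the factor-of-three threshold are all assumptions made for the example. The point about job titles carries over directly: every host, the CEO's laptop included, is scored against the same rule, and there is no exemption list.

```python
"""Baseline-and-deviation check over NetFlow-style daily records.

Added example: a minimal network behaviour analysis pass that flags hosts
whose daily outbound volume or destination fan-out departs from their own
history. All hosts, records and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import median


def _constructed_flows():
    """Five quiet days for three hosts, then a sixth day with two anomalies."""
    # Constructed baseline traffic (src_host -> {dst_host: bytes_out per day}).
    baseline = {
        "ceo-laptop": {"mail-srv": 5_000_000, "crm-srv": 2_000_000},
        "eng-ws-12": {"git-srv": 20_000_000, "build-srv": 30_000_000,
                      "mail-srv": 1_000_000},
        "hr-desktop": {"hr-app": 3_000_000, "mail-srv": 2_000_000},
    }
    flows = []
    for day in range(1, 7):
        for src, dsts in baseline.items():
            for dst, nbytes in dsts.items():
                flows.append((day, src, dst, nbytes))
    # Day 6: a bulk upload to an outside address (assumed documentation IP)
    # and an internal sweep touching 40 hosts with small probes.
    flows.append((6, "ceo-laptop", "203.0.113.50", 900_000_000))
    for i in range(40):
        flows.append((6, "eng-ws-12", f"10.0.5.{i + 1}", 10_000))
    return flows


# Records are (day, src_host, dst_host, bytes_out); constructed, not captured.
FLOWS = _constructed_flows()


def daily_profiles(flows):
    """Per (host, day): (total bytes out, number of distinct destinations)."""
    bytes_out = defaultdict(int)
    dests = defaultdict(set)
    for day, src, dst, nbytes in flows:
        bytes_out[(src, day)] += nbytes
        dests[(src, day)].add(dst)
    return {key: (bytes_out[key], len(dests[key])) for key in bytes_out}


def find_anomalies(flows, target_day, factor=3.0, min_history=3):
    """Flag hosts whose target-day bytes or fan-out exceed factor x own median.

    Every host is judged against its own prior days with the same factor.
    There is deliberately no allowlist: a CEO laptop gets the same treatment
    as any other workstation. Hosts with too little history are skipped
    rather than scored, so a brand-new host does not produce noise.
    Returns {host: [reason, ...]} for flagged hosts only.
    """
    profiles = daily_profiles(flows)
    hosts = {host for host, _ in profiles}
    findings = {}
    for host in sorted(hosts):
        history = [profiles[(h, d)] for (h, d) in profiles
                   if h == host and d < target_day]
        today = profiles.get((host, target_day))
        if today is None or len(history) < min_history:
            continue
        med_bytes = median(b for b, _ in history)
        med_dests = median(n for _, n in history)
        reasons = []
        if today[0] > factor * med_bytes:
            reasons.append(f"bytes_out {today[0]} vs median {med_bytes:.0f}")
        if today[1] > factor * med_dests:
            reasons.append(f"distinct_dests {today[1]} vs median {med_dests:.0f}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_anomalies(FLOWS, target_day=6).items():
        print(host, "->", "; ".join(reasons))
```

Run as-is it reports the CEO laptop for volume and the engineering workstation for fan-out, and says nothing about the HR desktop. The check only pinpoints; as the post says, blocking is a later step, and a real deployment would want longer baselines and per-port or per-destination context before it acted on a finding.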

Trust no one. It will save your ass.


Source URL:
http://securityincite.com/blog/mike-rothman/2007-doi-day-4-trust-no-one