Using History as Our Guide…
I keep running into organizations that are struggling with two critical areas where Network Access Control (NAC) can help them resolve key security issues:
- Helping to get the explosion of personal devices being used for business applications under control… some call it BYOD… others… the “consumerization of IT”… mobile devices accessing corporate resources.
- How to limit the access of network clients to only the hosts & resources that they need access to, metaphorically on a “need to know” basis. This is one way to limit the threat exposure.
Many of these organizations first look to their key network provider, most often Cisco, to solve their network security needs. They also look to Gartner’s analysis of market sectors for guidance.
I’m familiar with Cisco’s NAC solution, aka “ISE”. I’ve observed many organizations attempt to deploy it and give up in frustration. I tend to be the curious type, so I took a deep dive into what Gartner has published about NAC (see Part 1) & security in general. Some of it is quite good. Some of it, particularly related to NAC, an area where I tend to concentrate, I would even consider outstanding analysis. Their Magic Quadrants? They’re sexy. I’ll admit that. Flashy? Check! Lots of fanfare? Yep. (And yes, I confess that I have fallen into the trap of looking at the MQ graphic and ending any deeper dive right then and there. Ouch. Let me start my ten step program right now so I don’t fall into my magic quadrant addiction ever again.)
After all the press releases die down. After the quadrant gets published in fifteen gazillion PowerPoints. And after we’ve read the complete $1,995 report… those of us in the real world, you know, the ones who have to make things work and then keep them working for the next 5-7 years? Shame on us. We should do a lot more due diligence in our own assessments.
Case in point… Let’s look at one example of Gartner’s evaluation of the security sector. Here’s a brief history of Cisco’s “MARS”…
In late 2004 Cisco announced they were buying Protego, executed the acquisition, and renamed the product “MARS”. MARS was supposed to have a litany of capabilities; access control was intended to be one. There are many reasons that, even when Cisco “bundled” MARS into large networking deals, it never took hold in the industry.
By early 2009, there were widespread rumors that MARS was not performing and that it would no longer be the lead in Cisco’s network security architecture. Sure, MARS had been implemented at a number of locations, but it was not getting traction in the corporate, educational, or government markets.
In May 2009, Gartner placed MARS in their magic quadrant. Just a few months later, October to be exact, Cisco quietly began supporting only Cisco equipment. Gartner issued a research alert that MARS should no longer be considered for general purposes. By early 2010, it was widely recognized that MARS was not strategic to Cisco.
I’m not saying that Gartner has done anything wrong. Gartner’s own disclaimers state that the magic quadrant should be used only as a research guide and it is not an endorsement of any vendor or product. And if Gartner is truly sincere in their position, why do they allow their “research” to be publicized in press releases with words like “wins”, “announced today”,