NAC! NAC! Who’s there? (Hint: You’re locked in the basement if you’re asking that question!)

I’ll take some flak for this post.  Certain vendors will try to say that I’m biased because I take a pretty hard, but very well articulated, stand on NAC technology.  So let’s put this on the table right up front.


Yes, I’m biased.  I am totally biased.  Why?  Because I have wide and deep experience in this area.  And I can point you to a number of end-users that have used more than one product, and they are equally biased.  Go ahead and throw the magic quadrant at me, but before you do, show me one person authoring that report who’s actually deployed one NAC, any NAC, in production.  But before I inflame the fan-boys, let’s develop a little background.


If you’re still reading, I’ll assume you already know why you want/need/lust over putting NAC into your environment.  And if you’ve seen a presentation from one of the NAC vendors or reviewed an “industry report”, you might be inclined to think that they are all about 90% the same and that they pretty much perform the same function.  And you’d be wrong.  I know.  I know.  Everyone says that.  And if we were talking firewall, or endpoint, or MDM, or most other categories that merit their own magic quadrant, you’d get my full agreement.


The very nature of the term “NAC” puts us in a box that limits everything else that we could do in this area of information security and compliance.  If you do this right, this is a major step forward in bringing InfoSec & compliance into the same room.  Yes, visionary executives envision the merging of InfoSec & compliance.  At the very least, can’t we all start to use the same terminology?


What makes NAC a fundamentally different animal is that it really is at the intersection of all the other security products that we deploy.  Let’s step outside the NAC box…


This is NOT about “Networks”. (The Network is just one RESOURCE!)
This is NOT about “Access”. (Access is just one aspect of POLICY!)
This is NOT about “Control”. (Control is one aspect of ENFORCEMENT!)


No!  Let’s think in terms of “Resource Policy Enforcement”.  See what we did there?


The interesting thing about using this approach is that, as we have found, the costs in both FTEs & TCO are radically lower.


Want to challenge my premise?  OK.  When you meet with your vendor, tell them you will require a performance clause in your contract stating that given functions will be available in ‘x’ number of days, with no more than ‘y’ hours of your team spent, and a not-to-exceed $ amount for the implementation.  Oh!  Icing on the cake?  Get a guarantee on the number of FTEs required to support the NAC.  Want to see your vendor/integrator squirm?  Do that.  If nothing else, it’s fun to watch.


If you’d like insight about how to do Resource Policy Enforcement instead of just NAC, give us a call.  It’s really a strategic architecture discussion that has little to do with any given vendor.  But at the end of the day, there’s only one technology that we’re aware of that rethought how to fill this space, and they’re going public soon with an anticipated $1B+ valuation.
