Goodbye, NAC. Hello, software-defined perimeter

Enterprise organizations are embracing network access control (NAC) concepts but on a bigger, broader scale than we ever imagined back in 2006

Those of us who’ve been around security technology for a while will remember the prodigious rise of network access control (NAC) around 2006. Now, the ideas around NAC had been around for several years beforehand, but 2006 gave us Cisco’s network admission control (aka Cisco NAC), Microsoft’s network access protection (NAP) and then a whole bunch of venture-backed NAC startups (ConSentry, Lockdown Networks, Mirage Networks, etc.).

There were lots of reasons why the industry was gaga over NAC at the time, but it really came down to two major factors:

  1. Broad adoption of WLANs. In 2006, wireless networking based upon 802.11 was transforming from a novelty to the preferred technology for network access.  I also believe laptop sales first overtook desktop computer sales around this same timeframe, so mobility was becoming an IT staple as well. Many organizations wanted a combination of NAC and 802.1X so they could implement access policies and monitor who was accessing the network.
  2. A wave of internet worms. The early 2000s produced a steady progression of internet worms, including Code Red (2001), Nimda (2001), SQL Slammer (2003), Blaster (2003), Bagle (2004), Sasser (2004), Zotob (2005), etc. These worms could spread across an entire enterprise network from a single PC as soon as that PC was connected and had a network address. NAC was seen as a solution to this problem: authenticate and inspect each PC at Layer 2 (for example, via 802.1X on the access port) before it is granted Layer 3 network access.

NAC really was a good idea, but the space was overinvested and many of the products were difficult to deploy and manage. As a result, NAC enthusiasm faded, even though NAC deployment was making slow but steady progress. As NAC became a niche product, it lost its panache. Heck, my friends at Gartner even killed the NAC Magic Quadrant (MQ) when there were few vendors left and not much to write about.

Yup, NAC hyperbole has come and gone from the industry, but in my humble opinion, NAC has a second life and new moniker—the software-defined perimeter (SDP). Take a look at Google’s BeyondCorp or the Cloud Security Alliance's (CSA) paper on SDP, and you’ll find many nuggets of NAC in a new superset package. 

To me, SDP subsumes NAC functionality such as device authentication and health checking, but it also adds things:

  • Broad device support. Beyond laptops and PCs, SDP can be used to authenticate mobile and IoT devices. 
  • User authentication. SDP correlates device identity with user identity to make policy enforcement decisions. This is especially useful for unmanaged devices. 
  • Attribute-based policy support. SDP can make or change access policies based upon real-time identity attributes, such as the device type, user location and time of day.
  • Broader risk-based policy support. While NAC made access decisions based on device health, SDP can make access decisions based upon a wide range of risk criteria, such as newly disclosed software vulnerabilities, threat intelligence and malware outbreaks.
  • Network segmentation support. SDP aligns closely with software-defined networking (SDN) functionality like micro-segmentation. With SDP/SDN, it’s possible to provision a secure point-to-point network tunnel from a device to an application. This can be used to minimize the network attack surface on a dynamic basis.    
  • Any device to any service in any location connections. SDP virtualizes perimeter security and network services with the goal of providing secure connectivity from a user device to applications and services regardless of location. In this way, SDP is designed so that IT and security teams can address the modern IT conundrum—connecting mobile workers to cloud-based services while enforcing and monitoring security policies.   
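The list above describes SDP as a policy decision that correlates device identity, device posture, user identity, context attributes and live risk signals, per application and with a default of deny. The following is an added example, not code from the column or from any SDP vendor or specification, that contrasts a NAC-style decision (device health only, granting access to the whole network) with an SDP-style per-application decision. Every class, policy rule, threshold and sample record in it is an assumption constructed for illustration; the vulnerability finding IDs are placeholders, not real identifiers.

```python
"""Added example (not from the original column): a toy policy decision
point contrasting a NAC-style decision with an SDP-style one.
All classes, policies and sample records are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import time
from typing import Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    kind: str               # "laptop", "mobile" or "iot"
    managed: bool           # enrolled in MDM / carries the SDP agent
    healthy: bool           # posture: patched, AV current, disk encrypted
    findings: frozenset     # open scanner findings (placeholder IDs, not real CVEs)


@dataclass(frozen=True)
class User:
    user_id: str
    groups: frozenset
    mfa: bool


@dataclass(frozen=True)
class Context:
    location: str           # "office", "home" or "unknown"
    local_time: time
    app: str                # the single application the tunnel would reach


@dataclass
class RiskFeed:
    """Live inputs the SDP controller consumes: threat intel and outbreak status."""
    exploited: Set[str] = field(default_factory=set)   # findings known to be actively exploited
    outbreak: Set[str] = field(default_factory=set)    # device IDs flagged by the SOC


def nac_decision(dev: Device) -> bool:
    """Classic NAC: a device that passes its health check gets Layer 3 access to the whole network."""
    return dev.healthy


# Per-application SDP policy (constructed). None means "no restriction on this attribute".
APP_POLICY = {
    "hr-portal": {"groups": {"hr"}, "kinds": {"laptop"}, "managed_only": True,
                  "hours": (time(7), time(19)), "locations": {"office", "home"}},
    "wiki":      {"groups": {"staff"}, "kinds": {"laptop", "mobile"}, "managed_only": False,
                  "hours": None, "locations": None},
}


def sdp_decision(dev: Device, user: User, ctx: Context, risk: RiskFeed) -> Tuple[bool, str]:
    """SDP: default deny; a tunnel to exactly one application is authorized only if every check passes."""
    policy = APP_POLICY.get(ctx.app)
    if policy is None:
        return False, "unknown application: default deny"
    # Risk-based checks: live threat intel and outbreak status override a clean posture.
    if dev.device_id in risk.outbreak:
        return False, "device flagged in malware outbreak"
    exploited = dev.findings & risk.exploited
    if exploited:
        return False, "open finding is actively exploited: " + ", ".join(sorted(exploited))
    # Device checks (the part NAC already did).
    if not dev.healthy:
        return False, "device failed health check"
    if policy["managed_only"] and not dev.managed:
        return False, "unmanaged device not allowed for this application"
    if dev.kind not in policy["kinds"]:
        return False, "device type not permitted: " + dev.kind
    # User checks: device identity is correlated with user identity.
    if not (policy["groups"] & user.groups):
        return False, "user not in an authorized group"
    if not dev.managed and not user.mfa:
        return False, "unmanaged device requires MFA"
    # Contextual attributes: location and time of day.
    if policy["locations"] is not None and ctx.location not in policy["locations"]:
        return False, "location not permitted: " + ctx.location
    if policy["hours"] is not None:
        start, end = policy["hours"]
        if not (start <= ctx.local_time <= end):
            return False, "outside permitted hours"
    return True, "tunnel %s -> %s authorized for %s" % (dev.device_id, ctx.app, user.user_id)


# Constructed sample records.
LAPTOP = Device("lt-001", "laptop", True, True, frozenset({"FINDING-7"}))
PHONE = Device("ph-042", "mobile", False, True, frozenset())
ALICE = User("alice", frozenset({"hr", "staff"}), True)
BOB = User("bob", frozenset({"staff"}), True)
HR_DAY = Context("office", time(10, 0), "hr-portal")
HR_NIGHT = Context("office", time(22, 0), "hr-portal")
WIKI_HOME = Context("home", time(10, 0), "wiki")
QUIET = RiskFeed()                                # nothing new from threat intel
ALERT = RiskFeed(exploited={"FINDING-7"})         # intel now says FINDING-7 is being exploited

if __name__ == "__main__":
    for dev, user, ctx, risk in [(LAPTOP, ALICE, HR_DAY, QUIET), (LAPTOP, ALICE, HR_DAY, ALERT),
                                 (PHONE, BOB, WIKI_HOME, QUIET), (PHONE, BOB, HR_DAY, QUIET),
                                 (LAPTOP, ALICE, HR_NIGHT, QUIET)]:
        print("NAC:", nac_decision(dev), " SDP:", sdp_decision(dev, user, ctx, risk))
```

The second scenario is the one that separates the two models: the laptop is healthy, so a NAC health check keeps granting it the whole network, while the SDP decision flips to deny the moment the risk feed reports that one of its open findings is under active exploitation. Each denial returns a reason string so the decision can be logged and monitored, and the checks are ordered so that the cheapest, most decisive signals (outbreak status, exploited findings) short-circuit before identity and context are evaluated.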

A few vendors, such as Cryptzone and Vidder, sell SDP technology today, but my guess is that others—including Cisco, VMware and all of the current NAC players—will soon embrace the SDP label. And given the fact that SDP is based upon software, vendors such as Check Point, IBM, McAfee, Palo Alto Networks, Symantec, Trend Micro or Unisys could jump into the pool.  

Like NAC, SDP is a bit of a niche today. But my guess is that cloud, IoT and mobility will drive massive SDP proliferation over the next few years. Stay tuned. 

Copyright © 2016 IDG Communications, Inc.
