Monday, July 22, 2013

Goodbye NAC, Hello EVAS (Endpoint visibility, access, and security)

New security and mobility requirements will make EVAS a network requirement


Around 2004, Cisco introduced a new technology initiative called Network Admission Control (now commonly referred to as Network Access Control or NAC). Back then, NAC was really a response to the recent wave of Internet worms, where one compromised user PC could log on to the corporate network and subsequently infect the whole enchilada. NAC was seen as a way to alleviate this threat by authenticating (e.g. via 802.1X) and inspecting PCs before providing Layer 3 network access.
Cisco’s NAC announcement led to a wave of follow-on industry activity. Microsoft countered NAC with Network Access Protection (NAP). The Trusted Computing Group added a set of standards called Trusted Network Connect (TNC). Numerous Sand Hill Road lemmings funded NAC/NAP/TNC startups to out-innovate and out-execute the big guys.

Whether from vendor exhaustion, clunky technology implementation, or the global recession, industry ga-ga for NAC faded sometime around 2008. Security and networking firms turned their attention to alternative hyperbole.
Fast forward to 2013, and a funny thing has happened since NAC exited the spotlight: the remaining vendors continued to innovate, products evolved, and requirements changed. In fact, NAC circa 2004 evolved dramatically, so much so that ESG believes it deserves a new categorization – Endpoint Visibility, Access, and Security (EVAS). EVAS is a logical progression:
• Endpoint. While NAC/NAP/TNC focused exclusively on Windows PCs, EVAS acts as a network tollbooth for any type of connected device – iPads, Androids, printers, sensors, control systems, etc.
• Visibility. EVAS can tell you what’s on the network at any time, as well as the state of each device. Want to know how many Windows XP systems running old revisions of IE are logged on? EVAS can provide real-time answers to questions like this, acting as a security-focused asset management repository.
• Access. What’s old is new again, with a twist. EVAS works with network infrastructure and services to support granular access policy enforcement. If you want to create and enforce different network policies around things like user roles, device types, and network locations, EVAS (along with VLANs, VPNs, and Active Directory/LDAP) is central to contextual access policies and enforcement.
• Security. EVAS maintains the old NAC security angle of inspecting endpoints for configuration requirements, AV signatures, etc. Beyond this, however, EVAS can be utilized for policy enforcement, monitoring, and rapid remediation.
With this expanded role, EVAS is communicating with everything, working with MDM, SIEM, vulnerability scanning, configuration management, endpoint security software, and so on.
While NAC was a niche technology, a combination of mobile computing, cloud computing, the “Internet of everything,” and security requirements will drive EVAS into the mainstream. ESG believes the EVAS market will grow beyond $700 million in revenue by 2017. The EVAS market is dominated by Bradford Networks, Cisco, Forescout, and Juniper today, but given EVAS’s growth and critical role, other networking, MDM, and security vendors are jumping into the EVAS pool.
NAC was a great concept with flawed execution and market timing. EVAS vendors learned from this experience. Given new requirements and technology innovation, EVAS appears to be in the right place at the right time.