Goodbye NAC, Hello Software-defined Perimeter (SDP)


Those of us who’ve been around security technology for a while will remember the prodigious rise of network access control (NAC) around 2006. The ideas behind NAC had been around for several years beforehand, but 2006 gave us Cisco’s network admission control (a.k.a. Cisco NAC), Microsoft’s network access protection (NAP), and then a whole bunch of venture-backed NAC startups (ConSentry, Lockdown Networks, Mirage Networks, etc.).

Remembering the Early NAC Hype

There were lots of reasons why the industry was gaga over NAC at the time, but it really came down to two major factors:

  1. Broad adoption of WLANs. In 2006, wireless networking based upon 802.11 was transforming from a novelty into the preferred technology for network access. I also believe that laptop sales first overtook desktop computer sales around this same timeframe, so mobility was becoming an IT staple as well. Many organizations wanted a combination of NAC and 802.1X so they could implement access policies and monitor who was accessing the network.
  2. A wave of Internet worms. The early 2000s produced a steady progression of Internet worms including Code Red (2001), Nimda (2001), SQL Slammer (2003), Blaster (2003), Bagle (2004), Sasser (2004), Zotob (2005), etc. These worms could easily spread across an entire enterprise network from a single PC as soon as a user logged on. NAC was seen as a solution to this problem because it provided point-to-point PC inspection and authentication at Layer 2, before systems were granted Layer 3 network access.

NAC really was a good idea, but the space was over-invested and many of the products were difficult to deploy and manage. As a result, NAC enthusiasm faded over time even though NAC deployment was making slow but steady progress. As NAC became a niche product, it lost its panache. Heck, my friends at Gartner even killed the NAC MQ when there were few vendors left and not much to write about.

Software-Defined Perimeter Succeeds NAC

Yup, NAC hyperbole has come and gone from the industry, but in my humble opinion, NAC has a second life and new moniker—the software-defined perimeter (SDP). Take a look at Google’s BeyondCorp, or the Cloud Security Alliance (CSA) paper on SDP and you’ll find many nuggets of NAC in a new superset package.

To me, SDP assumes NAC functionality like device authentication and health checking, but also adds things like:

  • Broad device support. Beyond laptops and PCs, SDP can be used to authenticate mobile devices and IoT devices.
  • User authentication. SDP correlates user identity with device identity to make policy enforcement decisions. This is especially useful for unmanaged devices.
  • Attribute-based policy support. SDP can make or change access policies based upon real-time identity attributes like the device type, user location, time of day, etc.
  • Broader risk-based policy support. While NAC made access decisions based upon device health, SDP can make access decisions based upon a wide range of risk criteria such as new software vulnerabilities, threat intelligence, malware outbreaks, etc.
  • Network segmentation support. SDP aligns closely with SDN functionality like micro-segmentation. With SDP/SDN, it’s possible to provision a secure point-to-point network tunnel from a device to an application. This can be used to minimize the network attack surface on a dynamic basis.
  • Any-device-to-any-service-in-any-location connections. SDP virtualizes perimeter security and network services with the goal of providing secure connectivity from a user device to applications and services regardless of location. In this way, SDP is designed so that IT and security teams can address the modern IT conundrum—connect mobile workers to cloud-based services while enforcing and monitoring security policies.
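To make the layering concrete, here is an added illustration (not code from this post, from the CSA SDP specification, or from any vendor product) of how an SDP controller might combine the NAC-style device gates with the user, attribute and risk rules listed above before brokering a tunnel. All device attributes, patch baselines, app classifications and risk thresholds are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed request attributes: what an SDP controller would gather from the
# device agent, the identity provider and risk feeds before brokering a tunnel.
@dataclass
class Device:
    kind: str            # "laptop", "mobile" or "iot"
    managed: bool        # enrolled in corporate management
    authenticated: bool  # device certificate/identity check passed
    patch_level: int     # hypothetical health attribute (higher is newer)
    agent_healthy: bool  # endpoint agent running and reporting

@dataclass
class Context:
    user_mfa: bool   # user identity verified with MFA
    location: str    # "corp", "home" or "unknown"
    hour: int        # local hour, 0-23
    risk_score: int  # 0-100, constructed from vulnerability/threat-intel feeds

MIN_PATCH = {"laptop": 5, "mobile": 3, "iot": 1}  # assumed baselines per device kind
SENSITIVE_APPS = {"payroll", "source-code"}        # constructed app classification

def decide(app: str, dev: Device, ctx: Context) -> tuple[str, list[str]]:
    """Return ("allow" | "quarantine" | "deny", reasons) for one access request."""
    reasons: list[str] = []
    # NAC-style gate: unauthenticated devices never get a tunnel.
    if not dev.authenticated:
        return "deny", ["device authentication failed"]
    # Health check: out-of-date or agentless devices go to remediation only.
    if dev.patch_level < MIN_PATCH.get(dev.kind, 99) or not dev.agent_healthy:
        return "quarantine", ["device failed health check"]
    # User identity: unmanaged devices must bind to an MFA-verified user.
    if not dev.managed and not ctx.user_mfa:
        reasons.append("unmanaged device requires MFA-verified user")
    sensitive = app in SENSITIVE_APPS
    # Attribute-based rules: sensitive apps only from known locations, in business hours.
    if sensitive and ctx.location == "unknown":
        reasons.append("sensitive app from unknown location")
    if sensitive and not 7 <= ctx.hour < 20:
        reasons.append("sensitive app outside business hours")
    # Risk-based rules: high risk blocks everything, elevated risk blocks sensitive apps.
    if ctx.risk_score >= 70:
        reasons.append("risk score too high")
    elif ctx.risk_score >= 40 and sensitive:
        reasons.append("elevated risk for sensitive app")
    return ("deny" if reasons else "allow"), reasons
```

The returned reasons list is what a SOC would want logged with each decision, since a denial driven by a risk feed looks very different from one driven by a failed health check.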

A few vendors like Cryptzone and Vidder are selling SDP technology today, but my guess is that others, including Cisco, VMware, and all the current NAC players, will soon embrace the SDP label. And given that SDP is based upon software, other security vendors like Check Point, IBM, McAfee, Palo Alto Networks, Symantec, or Trend Micro could jump into the pool.

Like NAC, SDP is a bit of a niche today, but my guess is that cloud, IoT, and mobility will drive massive SDP proliferation over the next few years. Stay tuned.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.