Jennifer Jabbusch, a network security engineer and founder of the blog Security UnCorked, recently tweeted a thought-provoking comment: “NAC is a philosophy, not a technology.” We recently caught up with Jabbusch to dig deeper into this idea. To get the discussion started, Jabbusch defined philosophy for us (via Wikipedia).
Philosophy is the study of general and fundamental problems concerning matters such as existence, knowledge, values, reason, mind, and language. It is distinguished from other ways of addressing fundamental questions (such as mysticism, myth, or the arts) by its critical, generally systematic approach and its reliance on rational argument. The word “philosophy” comes from the Greek φιλοσοφία (philosophia), which literally means “love of wisdom”.
VPN Haus: You recently tweeted that NAC is a philosophy, not a technology. Can you explain what you meant by this?
Jabbusch: Sure! See the definition above. It’s pulled from Wiki, but gets the point across. Network access control is a philosophy in that it truly is the result of studying fundamental issues of networking and security. NAC attempts to address some pretty nebulous concepts of authenticated users, access rights, endpoint security and network connectivity. Whom do we allow to connect; when, where, how and for what purpose? Because NAC tries to address such a breadth of fundamental security issues in one ‘solution’, there’s really no clear-cut definition of what NAC should be doing. Instead most consumers of the technology have only a slight notion of what it could be doing. Hence, we have to approach NAC as a philosophy, not a product or technology.
VPN Haus: What does it take for someone to “get” the NAC philosophy? What is the biggest barrier in getting people to “get it”?
Jabbusch: Helping people understand NAC and “getting” the NAC philosophy is extremely difficult. It really requires you to take a step back and pull your thoughts out of the fray of marketing lingo and vendor verbiage. If you want to “get” NAC, you should understand what ends you’re seeking and by what means you can get there. What I mean by that is – what do YOU want or need from NAC? Do you want port security, endpoint scanning, user authentication, or everything? Which functions are most important to you and which are directly supporting other business goals? Do you need part of the functions for compliance or is it just a nice management add-on for the network team? Once you know what you need, you have to understand your current posture and environment, and then connect the dots to a solution.
Connecting the dots is the hard part, and that’s really where the opportunity to “get it” comes into play. The ability to dissect the various vendor offerings and understand on a technical level how they’re accomplishing a feature (the means to the end) is how you “get it”. I realize I just said you need to understand specific technical pieces in order to get a philosophy, and I know that may sound backwards to many people. The complication is that NAC is NOT a product, it’s NOT a specific technology, so in order to understand the philosophy of NAC, you really have to understand all the possible pieces that are feeding into it. Once you “get it” you’ll have that enlightened feeling that will help you and your organization pick the right solution.
Stay tuned next week for more from Jennifer Jabbusch, including NAC misconceptions and its poor market performance.