It’s been a busy summer here at Napera and I plan to get back into the blogging habit later this month. In the meantime, a couple of weeks ago I had the chance to chat with Mike Vizard of eWeek about managed security services, and the podcast is now up on the eWeek website.

Mike and I spoke during Seattle’s annual Seafair celebration, and if you listen real close to the audio you can hear the Blue Angels roaring over the Napera offices on Mercer Island on their practice flights!

Yesterday’s well hyped NAC debate over at Network World certainly received some attention. I was only able to check in between meetings but they posted an entire transcript and it makes interesting reading.

In one corner, Joel Snyder, well respected NAC expert and Interop regular. I’m partial towards Joel because he has been a voice of reason in the networking space for many years, and his work on NAC and NAP is second to none.

In the other corner, Richard Stiennon, self-titled ‘ Security Industry Innovator’ who regularly exclaims ‘NAC is dead’ to anyone who reads his column at Network World. I don’t believe I’ve ever met Richard, but he was previously at Gartner (where he exclaimed IDS was dead), worked at Fortinet and Webroot for a brief period and recently joined an Australian startup doing MSS. I was doing MSS in Australia in 1995 as it happens, so I guess I must be a security innovator as well.

The debate itself got off to an early start with an argument over the definition of NAC. Richard was pretty obtuse and I think Joel did well to stay on topic. Ultimately a lot of what Joel said struck a chord with me - for example.

Every NAC deployment I’ve looked at, and everyone I’ve heard about, has a surprise factor…The surprise is how UNcompliant PCs are with the host AV. Talk to the most Microsoft-savvy IT departments in the world. They’ll tell you they were astonished at how low their compliance level was.

This is exactly what we’ve seen in the field at Napera. We regularly see the surprise factor within a few minutes after plugging in an N24. Whether it’s the endpoint software that IT purchased but nobody is actually running, the PC’s that are months behind on patches or the devices on the network the IT admin had no idea were even there, the ability to see and then manage this situation is what our customers are passionate about. A customer I spoke with yesterday in the health care field said it was like having a microscope on his network for the first time.

Other folks have weighed in on the debate. Alan Shimel claimed a KO by Joel in the first round. Alan, this is one of those times where I can do nothing but agree. The outcome of the debate is clear and even Richard’s former colleagues at Gartner agree there is a healthy NAC market - Joel gets it, and Richard doesn’t. Thanks to Network World for staging the debate!

Network World suggested with its headline this morning that a recent Infonetics study outlined the top reasons for delaying network access control (NAC) deployments. I think that’s an overly negative headline. While the Infonetics report did discuss some of the blockers to NAC deployments, most of it was positive and covered the increased level of NAC deployments expected over the coming year, and indicated that NAC is becoming a budgetary line item for most companies.

In fact, the report states that nearly two-thirds of the respondents have a budgetary line item for NAC in their fiscal 2009 budgets. That’s double the number for 2008.

I agree with the body of the Network World article that regulatory compliance demands, lower prices and improved NAC technologies, especially around reduced complexity, are key reasons enterprises will move forward on a network access control deployment. Current solutions are too heavily focused on the large enterprises and require large investments and infrastructure upgrades and are complex to use and manage.

The whole reason Napera launched its solution for small and medium-sized enterprises was to provide a comprehensive solution focused on simplicity and cost effectiveness. This is a missing piece of the NAC market today and critical for our SME customer. The Napera N24 is the first shipping NAC product for the SME to utilize a Software as a Service approach that removes the need for local servers and leverages Microsoft’s Network Access Protection architecture to minimize the need to deploy agents.

The Network World article points out that respondents to the Infonetics study clearly see security as the number one driver. This is because most security and network IT staff are still experiencing security issues, in spite of the fact that they have multiple security products already deployed.

This is a common theme we discuss with our customers. Even though companies are spending more than ever on anti-virus, anti-spyware, firewalls, and other security solutions, they still need to ensure that devices accessing their network are secure, up to date, compliant with policy and authorized before gaining access to the corporate network. This is the added layer of defense that NAC brings, tying together these disparate security solutions to control network access.

Another driver is workforce mobility. The reason security solutions are not fully protecting the network from attack or virus outbreaks is because of the lack of control IT has over laptops. Workers now demand access everywhere and work from Starbucks or a hotel as frequently as on the corporate network. In addition, consultants, customers, and other guests are demand access to the Internet and printers while at your offices, making guest access another key driver for NAC.

Finally, it’s important to put the Infonetics user survey in context of another key report released at the same time about NAC: an updated market forecast that suggests the NAC market is alive and well and expected to reach $800 million by 2010. This Infonetics report came on the heels of an IDC report, featuring an aggressive forecast for the network access control market of $3.2 billion by 2011.

While there do remain blockers to NAC deployments, companies are including NAC on their list of IT purchases, because the pain is great and current security and networking solutions are not solving their security and other challenges. With Microsoft’s NAP agent on Windows on the road to becoming ubiquitous (with XP SP3 appearing on Windows Update last week), we are confident there will be a faster uptake of both NAP and product like Napera that integrate with the Microsoft architecture.

As a working mom with a tween and teenagers, I often have to keep a loose boundary between work and home, and my laptop and smartphone are often in use as much in the kitchen as in the office. I think that’s typical of many working parents, who find some level of work-life balance by blurring the two.

It’s not hard, therefore, to imagine how easy it is for some people to also stretch the boundaries of corporate IT policy by using the company laptop for both work and personal things, like allowing their children to use the company laptop for school research or to IM with friends or to download the latest tune onto their Zune (yeah, yeah, I used to work at Microsoft and have a Zune as does one of my sons – they’re actually really good – and I don’t have to say that anymore).

Today’s mobile workforce views the company laptop as a personal productivity tool, and IT departments must take this into consideration and address the behavior and the potential security risks that come with this trend. Even with security solutions and controls in place, you still can’t guarantee that an employee or one of their kids won’t accidently download a virus or trojan or open a spam email.

When I talk to companies, I typically recommend they do whatever they can to assure their employees are adhering to security policies. Earlier this week, we put out a release that gives IT a pre-written memo to send to all employees, outlining five simple steps each person can take to improve the security posture of their laptop computers.

The steps are:
1. Know your companies security policies and adhere to them
2. Activate Internet controls and passwords
3. Make sure your firewall and anti-virus solutions are turned on and up to date
4. Update your Operating System with the latest security updates
5. And, if you can, don’t let children or non-employees use the corporate laptop

Perhaps these seem overly simplistic, but you’d be amazed how many people don’t update their operating systems even with automatic updates from Microsoft and Apple or actually disable key security features on their machines. So, while these steps are a good first step, the IT staff needs to know the security state of every device before it gets on the network.

That’s the whole premise behind why we started Napera and built our first product, the Napera N24, which checks the health state of laptops before they obtain access to the network and gives IT real-time visibility into every device on the network. Even with all endpoint security solutions in place, unless there is some way to confirm that the laptop is secure and not a harbinger of malware or some other risk, that laptop could bring down the network and lead to loss of productivity and revenues, not to mention potentially putting your corporate or personal information at risk of being compromised.

Every company that we’ve gone to and deployed the Napera N24 has had at least one computer on their network that was out of compliance or presenting a direct threat to the network. No matter what the policy says, I’m sure many workers are not going to stop letting their kids use the company laptop, especially during summer and family vacations.

At least for me, I know that when I attempt to reconnect to the Napera network, my laptop will be given a comprehensive health assessment. And if my laptop is missing some critical security updates, my access to the corporate network will be restricted until my system is declared “healthy”.

Now that I think about it, that may be my one chance at achieving a few minutes of work-life balance — just kidding, Todd!!

We’re excited to welcome our Asia Pacific and Central & Latin America sales teams to Napera. John Kirch, Mark Stevens and Heather Johnson joined us at Napera HQ in Seattle this week as we planned the roll out of Napera products to these international markets. John is heading up sales in Japan and South Korea. From Australia, Mark is covering the rest of Asia Pacific, while Heather is responsible for Central and Latin America. Each of them will be working closely with Napera partners in their local markets. In a small twist of fate, it was Mark who introduced me to the WatchGuard products in 1997 and is indirectly responsible for me moving to the US to work with WatchGuard in 1998.

Napera APAC and CALA join Pierre and Austin in our existing EMEA sales group to complete our international sales force, reporting to Cary Kosher, VP of Worldwide Sales. All of our team members were key players of the international team at WatchGuard, and have many years of experience in the network security market around the world. Please email sales @ napera.com if you’d like to arrange a meeting with them.

Heather, Mark, John and Cary enjoying some rare Seattle sun.

Some very interesting news for the NAC market this week with multiple analysts publishing predictions and market forecasts.

Patrik Bihammar at IDC talked up the threat landscape and says NAC has become a high priority because of the “everything, everywhere” network. IDC expects the NAC market to grow at 43 percent year on year to reach $US3.8 billion by 2011.

Infonetics also released its latest market forecast, appropriately titled, “Reports of NAC’s death have been greatly exaggerated”, showing market growth of 16% in 1Q08 and expected double digit growth for the next five years.

All of this good news was tempered by a warning to smaller NAC vendors in a Network World article this morning. In short, Gartner claims Cisco and Microsoft may marginalize NAC vendors by 2009 because of Cisco’s success in the enterprise switching market (and presumably Microsoft’s domination of desktops).

It’s great to see data from IDC and Infonetics, but I’ve heard the Gartner analysis before. In the late nineties it was enterprise vendors like Cisco and Check Point that were going to crush firewall appliance startups. In reality it took Cisco ten years to get their act together, and meanwhile companies like WatchGuard, Sonicwall and Netscreen grew and prospered in the mid and large enterprise markets. If that is the definition of getting crushed by Cisco, bring it on!

The Gartner hypothesis referenced in Network World doesn’t apply equally to all companies. The problems that large enterprises are solving with NAC technology are equally relevant to the small and medium enterprise customer: guest Internet and printer access, endpoint and identity enforcement, and overall visibility into the security state of computers on the network. But the SME market is very different from large enterprise. Cisco has been less than successful selling into the SME, and much of the Linksys SME product line is not interoperable with Cisco’s enterprise architecture. While SMEs have Microsoft NAP on their computers, few will build out an entire NAC/NAP infrastructure based on Cisco products.

Bihammar at IDC named cost and complexity as the prime barriers to NAC adoption, which gets to the heart of the issue. I’ve posted on this exact issue before. The vast majority of Napera customers haven’t heard of NAC, haven’t participated in these debates, and primarily care about the practical application of technology and risks in their company to solve a business problem and not the technology itself. They want a solution that helps them take back control of the computers accessing their network and that does so easily and affordably. That’s where the real opportunity is - how do you help that customers solve those problems without complex, expensive large enterprise products? And that’s what Napera is all about.

Fresh from TechEd, Chris Boscolo spoke on TechNet Radio with Kevin Remde and Jeff Sigman from Microsoft about Network Access Protection. Chris talks about the Napera product line, how we enable NAP for small and medium enterprises and how you can deploy NAP in 10 minutes.

Napera’s CTO Chris Boscolo is attending a panel discussion on Network Acccess Protection at Microsoft’s annual TechEd conference for IT professionals in Orlando today. Join Chris and experts from Microsoft and other NAP partners to see product demonstrations and talk NAP at 1:15pm today Tuesday, June 10^th in room N310 E.

Session code: SVR369

Session: Network Access Protection Overview

Session Day/Time: 6/10/2008 1:15PM-2:30PM

The session repeats on Friday 6/13/2008 at 10:15am if you can’t make it today.

Chris just sent me a great new article at Tech Target from Lisa Phifer on the topic of Securing the New Network. Lisa gives an excellent summary of the state of the art in a couple of intersecting areas such UTM’s, VPN’s and NAC and a couple of relevant quotes caught my eye.

When IDC surveyed enterprises about pressing security challenges for 2007, growing attack sophistication, lack of employee adherence to security policy, and increasing complexity of security solutions and network traffic were top concerns…

This is a close match to the sort of feedback we’ve received from customers since we founded Napera. The increased financial motivation behind attacks, the need to check the health and identity of devices at the edge of the network and the growing complexity of products are familiar refrains.

Lisa puts forward a couple of market outcomes for the differing approaches to Network Access Control as well.

Many analysts believe that NAC will become an accepted best practice. Others find NAC architectures overly complex and believe that NAC appliances suffice. Still others argue that endpoint software, rather than the network, should enforce access decisions. Only time will tell which approach will prevail. All seem to agree, however, that network access must be more tightly controlled, reflecting identity and endpoint state.

I’m not sure if it’s an either/or for the different approaches. Personally I believe the endpoint software based solution looks to be the least feasible in many of our customer networks. Customers already have endpoint software widely deployed, and it’s their lack of ability to enforce endpoint compliance which causes them to seek network level solutions in the first place. A solution that operates at the network level is the best place to enforce policy as well as deliver a great user experience. Whether customers will choose to deploy that solution as part of a large vendor architecture, as a specific NAC appliance or some combination of both remains to be seen.

My blog reader had an unexpected surprise for me this morning - a brand new Javascript based trojan that appears to have been automatically downloaded to my PC via the RSS feed of a blog I subscribe to. According to the virus encyclopedia entry, this trojan was discovered just two days ago. Last week I was on the road for a couple of days and it’s possible my blog reader would have downloaded this before my antivirus updated with the latest signatures, in which case my computer could well have been compromised.

We’ve been running our entire office on a Napera N24 since last year, so the trojan had little opportunity to slip past the up to date antivirus and antispyware software enforced on every computer on our network. Still, it was nice to see a live demonstration of the short time between discovery and proliferation of a threat, and the need to continuously monitor computer health via NAP. Yesterday I was talking to a customer about exactly this type of scenario and how we designed the Napera products to manage it. I didn’t have an inkling that I would be living proof within 24 hours!