Magic Quadrant for Network Access Control
The BYOD trend continues to be the major driver in NAC adoption. NAC vendors must have flexible approaches (partnerships and/or internally developed capabilities) for enforcing policies on the use of personally owned devices.
Network access control (NAC) technology providers fall into three major categories:
- Wired and wireless network infrastructure vendors: Most major LAN switch vendors offer NAC solutions. Aruba Networks' acquisition of Avenda Systems means that the two largest wireless LAN (WLAN) vendors (Cisco and Aruba) also have NAC products.
- Network security vendors: Because they already sell products that serve as enforcement points in the network, NAC products augment their primary offerings.
- Pure-play NAC vendors: NAC continues to evolve, and vendors focused on NAC offerings as their primary products have been the quickest to recognize and react to the dynamic market.
Gartner estimates that the size of the NAC market in 2012 will be approximately $240 million, an increase of approximately 17% over the market in 2011. The mobility and bring your own device (BYOD) trends have increased demand, and the largest NAC suppliers have seen strong increases in growth. Driven by these trends, we expect market growth of approximately 63% in 2013, with approximate revenue of $390 million as businesses are spending on mobile device management (MDM) — see "Magic Quadrant for Mobile Device Management Software" — and NAC as the primary means for meeting demand for use of personally owned smartphones and tablets, while containing risk. Although we expect the growth of NAC-involved endpoints to continue to grow rapidly, over the longer term, NAC functionality will become embedded in wireless access methods, which will provide downward pressure on pricing.
Source: Gartner (December 2012)
Based in Israel and founded in 2007, Access Layers is a pure-play NAC vendor. Its portnox solution is agentless and is based on endpoint discovery. After a device connects to the network, portnox checks the OS type and applies the appropriate policy to the network access point (LAN switch, WLAN controller or VPN gateway). In 2012, Access Layers expanded its product line to add solutions for the BYOD use case and for cloud-enabled NAC. It also added a small sales presence in North America. Organizations that can tolerate the risk of a startup and that are within the geographic range of Access Layers' service and support coverage should consider portnox.
- Access Layers has integrated portnox with MDM vendors Zenprise and Good Technology.
- Access Layers' customers consistently report that the portnox solution is easy to deploy and manage. It attaches to any LAN switch port and does not require a "mirror" or Switched Port Analyzer (SPAN) port.
- Access Layers can enforce NAC policies in a VMware environment. For example, it monitors and graphically represents the number of virtual machines (VMs) in use and enforces policies for these VMs by blocking or allowing access to virtual switches.
- Access Layers' BYOD strategy is limited because of its reliance on Active Directory (AD) for authentication. Devices that are in AD gain access to the network. Personally owned devices and devices not in AD must register via a captive portal. Access Layers' airforcer product establishes the captive portal, but it is unable to control granular device policies (for example, enforcing app policies on mobile endpoints).
- Endpoint baselining (posture analysis) capabilities are weak for Windows devices. The management console does not easily reflect missing Windows patches.
- Access Layers has a limited geographic reach. Customers and prospects outside of Israel and the U.K. may face challenges obtaining presales and postsales support from the company.
Aruba, based in Sunnyvale, California, entered the NAC market through its acquisitions of Avenda Systems (2011) and Amigopod (2010). In 2012, Aruba integrated the two solutions and branded the combined NAC offering "ClearPass." The foundation of ClearPass is the Remote Authentication Dial-In User Service (RADIUS)-based policy server from Avenda (available in hardware and virtual appliances), and the guest networking component is based on Amigopod technology. Aruba is broadening its solution to extend network security policy to applications on mobile devices. Aruba's customers and any enterprise that needs a policy server capable of supporting heterogeneous endpoints should consider ClearPass.
- Aruba has integrated with several MDM vendors, including Fiberlink and MobileIron.
- Aruba's 802.1X innovations include a built-in certificate authority to ClearPass, which eases BYOD implementations by not requiring an external certificate authority. The ClearPass OnBoard module provides the ability to revoke and delete certificates (for example, when devices are lost or stolen).
- Users continue to cite the flexible policy engine, strong reporting and overall ease of management as reasons for adopting ClearPass.
- Aruba's large wireless installed base gives it a beachhead to sell ClearPass into verticals that have been aggressive adopters of NAC — namely, education, healthcare and financial services.
- Aruba's strategic move to manage and enforce mobile application policies takes the company beyond its traditional network infrastructure buying center. The strategy of extending network security policy to applications will place Aruba in competition with established MDM and mobile application management vendors.
- Aruba's heavy focus on wireless networking makes it challenging for it to gain mind share as it attempts to sell NAC into wired environments and non-Aruba networks.
Auconet was founded in 1998 as a system integrator and began shipping NAC solutions in 2005. It is a privately held company based in Germany, with offices in Austria and Switzerland. In 2012, Auconet added a small sales presence in North America. Auconet is deployed most commonly as an agentless solution, because its RADIUS-based policy server supports native OS-based 802.1X supplicants. The policy server is available as a hardware appliance or as a virtual appliance. Auconet also offers a permanent agent (Windows only). Organizations within Auconet's geographic reach that have a heterogeneous network infrastructure should consider Auconet.
- Auconet has several large customers, including some implementations with greater than 100,000 endpoints.
- Customer references consistently comment favorably on the solution's agentless approach and its ease of implementation.
- The solution provides visibility into network traffic by capturing NetFlow records and correlating information to display top talkers and top protocols.
- Auconet has a weak BYOD strategy. At the time of this writing, it has not integrated with any MDM solutions.
- Visibility into endpoint configuration is limited. For example, the solution lacks the ability to report on missing patches for Windows PCs.
- Auconet has a limited geographic reach. Customers and prospects outside of Europe may face challenges obtaining presales and postsales support from the company.
Avaya is a privately held company that provides solutions for unified communications, contact centers, and voice and data networks. It entered the NAC market when it acquired the Identity Engines portfolio from Nortel Networks (Avaya purchased Nortel's networking division in 2009). The Ignition Server is a RADIUS-based policy server that is delivered as a virtual appliance (supporting the Open Virtualization Format). Avaya's Ignition Server should be considered when Avaya data networking solutions are in use, and when enterprises seek an 802.1X standards-based solution.
- Support for Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF) standards enables Identity Engines to baseline Microsoft Windows endpoints (XP SP3 and later) without requiring an additional agent.
- Identity Engines integrates with a wide range of directories because of its support for XACML.
- Several Avaya references commented on the solution's ease of use, particularly with regard to policy creation.
- Avaya's NAC strategy for BYOD lags the competition. At the time of this writing, it has not integrated with any MDM platforms, and it does not have an agent for Mac OS X.
- Endpoint baselining capabilities are limited. For example, the console lacks the ability to report back on missing patches for Windows systems.
- Unlike several competing 802.1X/RADIUS-based solutions, Avaya lacks a cross-platform native supplicant configuration tool.
Bradford Networks is a privately held company based in Cambridge, Massachusetts, that has been delivering NAC solutions since 2001. Its Network Sentry NAC product is available in hardware appliances and also as a virtual appliance. In 2012, the company released Bradford Cloud, which provides cloud-based delivery options for the management side of NAC. Bradford Networks' NAC products should be considered by enterprises with heterogeneous networks and wide mixes of endpoint devices.
- Bradford has a good BYOD and mobile strategy. In addition to integrating with AirWatch's MDM solution, it has developed Bradford apps for iOS and Android devices.
- Network Sentry integrates with several other security solutions, including FireEye, Fortinet, Palo Alto Networks, Sourcefire and RSA NetWitness. These integrations provide Network Sentry with greater visibility into network traffic and threats and the option to quarantine or block dangerous endpoints.
- A partnership with HP has strengthened Bradford's global distribution channel. Bradford has integrated its authentication technology with HP's wireless controller.
- Some Bradford customer references provided unfavorable feedback regarding the company's service and support organization, commenting that it lacked mature processes.
- Bradford is facing stronger competition from Cisco and Aruba in its core market of higher education, which represents approximately 50% of its customer base. Both competitors began offering new NAC solutions in 2011, and have since been more aggressive in selling NAC to their installed base of infrastructure customers at colleges and universities.
The Identity Services Engine (ISE), Cisco's flagship NAC offering, has replaced Cisco's earlier NAC solution. The ISE policy server is RADIUS-based, which enables Cisco to support authentication in heterogeneous network infrastructure environments (although advanced NAC features will require additional Cisco components). ISE is available in hardware appliances and also as a virtual server. ISE software is available in two versions. The Basic package supports 802.1X, and the Advanced package supports endpoint baselining (posture assessment), granular identity policies and other more sophisticated features. Cisco wired and wireless customers should consider ISE, especially where the Cisco AnyConnect endpoint client will be in use.
- Cisco has a strong BYOD strategy and has publicly announced integration with four MDM vendors: AirWatch, Good Technology, MobileIron and Zenprise. The integrations are planned to be completed in the first half of 2013.
- Device profiling capability is embedded in Cisco switches and wireless controllers (through firmware upgrades), eliminating the need to deploy stand-alone sensors (to profile devices through traffic analysis) in the network. The ISE server can identify and classify endpoints using templates that are provided by Cisco or defined by an administrator. ISE uses a combination of active and passive profiling techniques to achieve more accurate profiles.
- Cisco's support of identity tags (which it calls TrustSec SGA) in the Ethernet frame (via the 802.1AE standard) enables its more advanced customers to implement granular identity-based policies. Most organizations will require infrastructure upgrades to benefit from this feature.
- Cisco's strong installed base of AnyConnect clients positions it well to extend NAC policies to mobile devices (by embedding more NAC functionality in AnyConnect), provided that it delivers on its 2013 road map.
- Several Cisco references objected to the subscription-based licensing model and the overall cost of the ISE solution.
- Cisco has been slow to integrate its two NAC endpoint agents. The ISE Advanced package requires the Cisco NAC Agent for endpoint baselining (posture analysis). Although Cisco plans to integrate the NAC Agent with the AnyConnect client in 2013, Cisco has several major security product upgrades to complete during the same time frame.
- ISE does not include some features that may be important to customers of Cisco's earlier RADIUS server, known as ACS. For example, users of Cisco's TACACS+ (used to authenticate users to Cisco routers and other Cisco equipment) will still need ACS. Thus, many organizations will find that they require two distinct RADIUS products from Cisco. Cisco's road map includes an integration of key ACS features in ISE for 2013.
Enterasys Networks is a networking infrastructure company that is an arm of Siemens Enterprise Communications. In addition to NAC, it offers security products in the intrusion prevention system (IPS), and security information and event management (SIEM) markets. The NAC offering includes out-of-band (NAC Gateway) and in-line (NAC Controller) appliances (also available as virtual appliances). The primary use case for Enterasys NAC is Enterasys switch and WLAN customers, although the solution is capable of supporting non-Enterasys environments.
- Enterasys has a good BYOD strategy. It has integrated its NAC solution with several MDM solutions, including AirWatch, McAfee and MobileIron.
- Enterasys' tight integration of its NAC solution with its LAN switch product family enables granular policy enforcement. Policies may permit, deny, rate limit and apply other controls to traffic based on user identity, time, location, end system and user groups.
- Enterasys customers consistently highlight the company's service and support as strengths.
- Enterasys suffers from limited brand awareness in the NAC market. Gartner clients rarely include Enterasys on their shortlists when evaluating NAC vendors.
- Enterasys lacks a large security-focused VAR partner with a North American reach, and it faces a similar challenge in Europe.
ForeScout Technologies is a privately held company based in California that sells the CounterACT family of hardware and virtual appliances. Although ForeScout offers optional agents, its clientless approach eases the support of Windows, Mac OS X and Linux endpoints. In 2012, ForeScout announced sales partnerships with McAfee and Fiberlink, and added an embedded RADIUS server to the CounterACT appliance to enhance 802.1X functionality. ForeScout should be considered for midsize and large NAC deployments.
- ForeScout has a strong BYOD strategy. It was the first NAC vendor to integrate with an MDM vendor (Fiberlink), and it also integrates with MobileIron. It sells a ForeScout-branded MDM solution (an OEM of Fiberlink MaaS360), and it also offers the ForeScout Mobile product, which includes agents for Apple iOS and Android devices. These agents can enforce device policies and also report health and configuration status back to the CounterACT appliance.
- ForeScout's sales channel will be strengthened by its partnership with McAfee (announced in October 2012). McAfee will present ForeScout as its preferred NAC solution.
- Users continue to cite ease of deployment, flexible enforcement methods and network visibility as primary selection criteria.
- ForeScout has some of the largest active deployments of all vendors.
- To obtain postadmission threat protection in distributed environments requires CounterACT appliances at each remote location, which drives up the cost of deployment. ForeScout customers have the option of implementing CounterACT appliances in a centralized approach, which is less expensive, but also reduces ForeScout's threat protection functionality.
- As wired and wireless vendors continue to integrate more NAC functionality in their infrastructure solutions, ForeScout's architectural model of distributing special-purpose NAC appliances may limit its appeal to the mass market.
Based in Tampa, Florida, and founded in 2007, Impulse Point continues its focus on the higher education and K-12 markets. Impulse Point delivers its SafeConnect solution as a managed service, which includes system monitoring, problem determination and resolution, updates to device type, antivirus and OS profiling recognition, and remote backup of policy configuration data. SafeConnect can be implemented as a hardware or virtual appliance. In 2012, Impulse Point added the ability to support identity-to-device association and session tracking by introducing the Identity Correlation Manager, an appliance-based component that integrates with the SafeConnect policy server. Education institutions should consider Impulse Point.
- Feedback from Impulse Point customers continues to indicate that SafeConnect can be quickly implemented. Its Layer 3 approach to enforcement eliminates the need to test compatibility at Layer 2 (at the LAN switch level).
- Impulse Point continues to demonstrate a strong understanding of the education vertical, as evidenced by its technology partnerships. In 2012, it integrated with Procera Network's Smart Campus platform, a bandwidth management solution that targets educational environments. The integrated solution enables schools to assign aggregate bandwidth quotas for multiple devices (for example, laptops, iPads and gaming devices) per student.
- Impulse Point customers consistently highlight the company's service and support as strengths.
- The company's BYOD partnership strategy lags many competitors. Impulse Point offers an MDM solution through an OEM agreement with Tangoe. Tangoe's strength is in telecom expense management. It does not focus as strongly on the MDM-only market, where it lags major competitors.
- SafeConnect lacks a historical reporting feature (for example, report on the number of devices quarantined in the past month).
- SafeConnect's product architecture limits its ability to penetrate the corporate environment. Its Layer 3-based enforcement mechanism (access control lists [ACLs]) makes it a poor choice in wired environments that require switch-based (Layer 2) enforcement.
Founded in 1993, InfoExpress is a privately held company based in California. It is largely focused on the NAC market. In 2012, the company rearchitected its NAC product, enabling it to integrate more easily with directories, MDM, IPS and other network security solutions. InfoExpress has branded this new solution CGX, and it is available as a hardware appliance and as a virtual appliance. Enterprises with a heterogeneous infrastructure should consider InfoExpress.
- InfoExpress has a good BYOD strategy. It was one of the first vendors to detect jailbroken iPhones (via an InfoExpress agent), and it also has an app for Android devices. InfoExpress has integrated the new CGX offering with MobileIron.
- In addition to MDM integration, CGX integrates with other data sources (for example, Snort and several directories), and correlates this information to enable more granular NAC policies.
- Dynamic NAC (an agent-based ARP enforcement solution) and multiple other enforcement options make CGX easy to implement across complex networks.
- InfoExpress' lack of focus on marketing hampers its ability to differentiate its product and contributes to the company's low visibility with Gartner clients.
- In previous product versions, InfoExpress references commented that reporting capabilities need improvement. InfoExpress claims that these issues have been addressed with the new CGX offering. Gartner clients are advised to validate these enhancements.
Juniper Networks' NAC solution, Unified Access Control (UAC), is a RADIUS-based solution that is available in a family of hardware and virtual appliances. Customers have the option of purchasing a basic RADIUS server (suitable for an 802.1X environment) or the full UAC NAC offering. In 2012, Juniper extended its Junos Pulse solution to support Apple iOS and Android devices. However, Juniper lacks integration with third-party MDM solutions. It is also dependent on OEM technology for key NAC features. These limitations and a decrease in visibility to Gartner clients were key factors that led Gartner to move Juniper from the Leaders quadrant into the Challengers quadrant. Juniper UAC should be considered where Juniper IPS, SSL VPN gateway, firewall and LAN switch products are in use, and where enterprises seek an 802.1X standards-based solution.
- UAC is tightly integrated with Juniper's core security products (firewall, IPS and SSL VPN), network infrastructure offerings (LAN switches) and SIEM solution. In addition to common NAC device-based policies, Juniper's network and security components can also enforce identity-based policies (role-based policies).
- Juniper's Pulse agent runs on Apple iOS and Android devices, and supports basic posture checks for these platforms. UAC is also strongly integrated with Juniper's Junos Pulse Mobile Security Suite, which supports some MDM functions.
- Juniper's focus on open standards enables it to support heterogeneous network environments. The components of UAC communicate with each other via open protocols that have been established by the TCG/Trusted Network Connect (TNC), which eases the integration path for other vendors that support these protocols.
- UAC lacks integration with third-party MDM solutions, and the Junos Pulse Mobile Security Suite is not a full MDM solution, as defined in Gartner's 2012 Mobile Device Management Magic Quadrant.
- Juniper has a heavy reliance on OEM technology for its NAC offering. Its profiling technology is an OEM of Great Bay Software's solution, and its NAC dashboard console is based on an OEM of Q1 Labs' (an IBM company) Qradar. Great Bay Software is a very small company, and any change to its independent status could negatively impact Juniper.
- UAC lacks strong operational support tools that are important for a RADIUS-based solution. For example, it doesn't offer a cross-platform 802.1X-based supplicant configuration tool for native OS-based supplicants, and details about failed authentications are buried in logs.
Founded in 2000, Colorado-based StillSecure is a privately held company that sells managed security services and NAC, as well as vulnerability management products. The company is strongly focused on the defense vertical. Gartner estimates that more than 50% of StillSecure's revenue comes from U.S. Department of Defense customers. Safe Access, the company's NAC solution, supports a wide range of endpoint baselining methods. It is available as a hardware appliance and as a virtual appliance. Consider Safe Access where heterogeneous networks are in use and where the flexibility of agentless baselining options is required.
- Safe Access supports a broad base of policy enforcement options, including support for DHCP, virtual LANs, ACLs and RADIUS support for 802.1X-based authentication.
- Safe Access provides in-depth baselining (posture analysis) of endpoint health status.
- StillSecure's FIPS 140-2 and Common Criteria certifications provide an advantage in government procurements, because most other NAC vendors have yet to achieve these certifications.
- StillSecure has a weak BYOD strategy. At the time of this writing, it has not integrated with any MDM solutions.
- Outside of the government (mainly defense) vertical, StillSecure's channel support and visibility to Gartner clients are low.
Based in Chicago, Trustwave has grown rapidly as a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and security service provider. In April 2011, the company filed an S1 form, indicating its intention to become a publicly traded corporation, although it has yet to reach that goal. Trustwave's ARP-based NAC solution is differentiated by its focus on postconnect functionality (see the Strengths section). In 2012, Trustwave acquired M86 Security, a provider of secure email and secure Web gateway solutions. Trustwave NAC should be considered by Trustwave customers, as well as where a low cost of entry and/or as-a-service delivery is required.
- Trustwave has strong capabilities for detecting malware and isolating endpoints that are not compliant with corporate policies (for example, BitTorrent usage).
- An agentless approach for discovery and baselining, along with ARP manipulation for enforcement, simplify deployment in mixed-vendor network infrastructure environments.
- Trustwave offers three options for an NAC solution. Customers can buy dedicated NAC appliances, contract for the Trustwave managed NAC service or purchase an add-on software NAC module for Trustwave's managed UTM service.
- Trustwave has a weak BYOD strategy. At the time of this writing, it has not integrated with any MDM solutions.
- In North America, Trustwave has little NAC-relevant channel support outside of the PCI and payment-processing verticals. The M86 acquisition helps to diversify and strengthen the channel, although these new partners are primarily focused on secure email and secure Web gateway solutions, and may not have NAC expertise.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Avaya met our inclusion criteria for revenue and demonstrated an ability to sell its NAC solutions to organizations that had not installed Avaya network infrastructure equipment.
McAfee now resells ForeScout as its primary NAC solution and will no longer advance its own NAC offering.
To be included in this Magic Quadrant, a vendor's solution must be able to enforce NAC policies in a heterogeneous infrastructure environment. Also, vendors' solutions must include the policy, baseline and access control elements of NAC, as defined by the following criteria:
- Policy: The NAC solution must include a dedicated policy management server with a management interface for defining and administering security configuration requirements and for specifying the access control actions (for example, allow or quarantine) for compliant and noncompliant endpoints. Because policy administration and reporting functions are key areas of NAC innovation and differentiation, vendors must own the core policy function to be included in this Magic Quadrant.
- Baseline: A baseline determines the security state of an endpoint that is attempting a network connection, so that a decision can be made about the level of access that will be allowed. Baselining must work in heterogeneous endpoint environments (for example, Windows, Mac OS X, Apple iOS and Android). It must include the ability to assess policy compliance (for example, the presence of an MDM agent for mobile devices or disk encryption for Windows PCs). Various technologies may be used for the baseline function, including agentless solutions (such as vulnerability assessment scans), dissolvable agents and persistent agents. NAC solutions must include a baseline function, but "reinventing the wheel" is not necessary. Baseline functionality may be obtained via an OEM or licensing partnership.
- Access control: The NAC solution must include the ability to block, quarantine or grant partial (limited access) or full access to an endpoint. The solution must be flexible enough to enforce access control in a multivendor network infrastructure, and it must be able to enforce access in wired LAN, WLAN and remote access environments. Enforcement must be accomplished via the network infrastructure (for example, 802.1X, VLANs and ACLs) or via the vendor's NAC solution (for example, dropping/filtering packets or ARP spoofing). Vendors that rely solely on agent-based endpoint self-enforcement do not qualify as NAC solutions.
Additional criteria include:
- Network infrastructure vendors must have demonstrated their ability in 2011 and 2012 to sell NAC solutions beyond their installed base of infrastructure customers.
- NAC vendors must consistently target and show wins at enterprises with 5,000 endpoints and above to be included. This Magic Quadrant does not analyze solutions that target the small or midsize business market.
- Vendors must have an installed base of at least 100 customers or aggregate endpoint coverage of 500,000 endpoints.
- The vendor must have at least $5 million in NAC sales during the 12 months leading up to 1 November 2012. Solutions that do not directly generate revenue for the vendor, such as those that embed basic NAC functionality in other products at no extra charge, have been excluded from this analysis.
- The NAC solutions had to be generally available as of 1 November 2012.
Vendor Considered but Not Included in the 2012 Magic Quadrant
Microsoft embeds NAC functionality (branded as Microsoft Network Access Protection [NAP]) within its OSs. Microsoft no longer actively markets its NAP solution, and we received few questions from Gartner clients about it. The BYOD era and the rapid growth of non-Windows endpoints make it challenging for Microsoft NAP to compete in heterogeneous environments.
Product/Service: An evaluation of the features and functions of the vendor's NAC solution. Because of the growing influence of the BYOD trend on NAC, this criterion heavily weights the ability to establish and enforce policies in heterogeneous endpoint environments (Windows, Mac OS X, Apple iOS and Android). Other BYOD-related NAC functions, such as integration with MDM solutions, profiling of endpoints and the ability to provide limited access for personally owned devices, have been heavily weighted.
Overall Viability: Viability includes an assessment of the vendor's overall financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue to invest in an NAC solution.
Sales Execution/Pricing: The vendors' capabilities in all presales activities and the structure that supports them. The ability of vendors to succeed in their target markets is important. Vendors should demonstrate success in winning NAC deals of 5,000 endpoints or more.
Marketing Execution: This criterion assesses the effectiveness of the vendor's marketing programs and its ability to create awareness and mind share in the NAC market. Those vendors that frequently appear on client shortlists are succeeding in marketing execution.
Customer Experience: Quality of the customer experience based on input from Gartner clients and vendor references. Input is gathered via reference calls and an online survey.
Source: Gartner (December 2012)
Market Understanding: The ability to anticipate market trends, such as the impact of BYOD, and to quickly adapt via partnerships, acquisitions, or internal development.
Marketing Strategy: This criterion analyzes whether the vendor's marketing strategy succeeds in differentiating its NAC solution from its competitors.
Sales Strategy: The vendor's strategy for selling to its target audience, including an analysis of the appropriate mix of direct and indirect sales channels.
Offering (Product) Strategy: An evaluation of the vendor's strategic product direction and its road map for NAC. The product strategy should address trends that are reflected in Gartner's client inquiries.
Vertical/Industry Strategy: The vendor's strategy for meeting the specific needs of individual vertical markets and market segments. For example, does the vendor have an effective strategy for pursuing vertical markets that have been aggressive adopters of NAC, such as higher education, healthcare and financial services?
Innovation: This criterion includes product leadership and the ability to deliver NAC features and functions that distinguish the vendor from its competitors.
Geographic Strategy: The vendor's strategy for penetrating geographies outside its home or native market.
Source: Gartner (December 2012)
Leaders are successful in selling large NAC implementations (10,000 nodes and greater) to multiple large enterprises. Leaders are pure-play NAC vendors or networking and/or security companies that that have been first to market with enhanced capabilities as the market matures. Leaders have the resources to maintain their commitment to NAC, have strong channel strength and have financial resources. They have also demonstrated a strong understanding of the future direction of NAC, including the impact of BYOD. Leaders should not equate to a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.
Challengers are networking and/or security companies that have been successful in selling NAC to their installed bases, although they are generally unsuccessful in selling NAC to the broader market. Challengers are generally not NAC innovators, but are large enough and diversified enough to continue investing in their NAC strategies. They are able to withstand challenges and setbacks more easily than Niche Players.
Visionaries have led the market in product innovation and/or displayed an early understanding of market forces and trends. They are smaller pure-play NAC vendors or larger networking and/or security companies. A common theme in Visionary vendors is that they don't have significant channel strength in the NAC market and have not succeeded in building installed bases as large as what the Leaders have.
Niche Players are typically strong in strategic NAC verticals (for example, education and healthcare) and certain geographies. They don't often appear on Gartner clients' shortlists, but they are valid options for those organizations within those key geographies and vertical industries.
If your organization faces BYOD challenges, consider solutions that can easily profile personally owned mobile devices, and apply controls that are consistent with your organization's mobile device policies. Because there are multiple approaches for enforcing NAC policies (for example, virtual LANs, firewalls, access control lists and others), look for solutions that best fit your network infrastructure.
Demand for NAC functionality increased in 2012, driven largely by the need for enterprises to support the use of personally owned smartphones and tablets. Even where BYOD is not allowed, IT organizations are being forced to deploy and support a diverse array of mobile devices, with varying degrees of management control/visibility and policy enforcement. NAC's ability to detect what type of device is connecting to the network and apply limited access capability when required is a core component of limiting risk, while meeting the demand for "any device I want to use."
Supporting heterogeneous devices in general, and allowing employee owned devices in particular, makes traditional endpoint protection platform (EPP) software approaches to NAC less likely to succeed, because IT has less control over what software will be installed on the user's device. McAfee's decision to resell ForeScout's product as its preferred NAC solution is evidence of the challenges faced by EPP vendors in the NAC market. Solutions that can integrate with a wide range of EPP and MDM solutions, as well as offer dissolvable agents or agentless endpoint assessments, have strong advantages in the NAC market today and will have strong advantages in the future. Most vendors in the Magic Quadrant indicated plans to integrate with more MDM solutions in 2013 (or plan to achieve their first MDM integration).
There are also some trends that will impact NAC over the next few years:
- The growth of the enterprise mobile application market will shift much of the employee access model from connecting a device to the corporate network over Wi-Fi or remote access VPN to a model of connecting over 4G/LTE directly to the individual server application. As this happens, the importance of "in the mobile cloud" NAC functionality will increase (see "Choose the Right Tools to Securely Support Consumer-Driven Smartphones and Tablets").
- Growth in the adoption of virtualized desktop infrastructure reduces the importance of device access to the network, because the applications and data remain on the server.
- NAC standards have been driven by the TCG's TNC effort and were proposed to the IETF in 2010.1 However, these standards for NAC have been slow to penetrate the market, leading to interoperability problems — especially as endpoints become increasingly heterogeneous. Support for the TNC protocols is embedded in Windows, but has not been supported by Apple in iOS or by Google in Android.
Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships, as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, SLAs and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets, as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.