Analysis of the Global Network Access Control (NAC) Market: More than just NAC

NE66-74, December 2014

Research Team

• Lead Analyst: Chris Kissel, Industry Analyst, ICT – Network Security, (623) 910-7986, [email protected]
• Contributing Analyst: Chris Rodriguez, Senior Analyst, ICT – Network Security, (210) 477-8423, [email protected]
• Research Director: Michael Suby, Stratecast VP of Research, ICT – Network Security, 720-344-4860, [email protected]
• Strategic Review Committee Leader: Frank Dickson, Research Director, Information and Network Security, 469-387-0256, [email protected]

List of Exhibits

Chart (slide number):
• Executive Summary (8)
• Key Findings (9)
• Market Engineering Measurements (11)
• CEO’s Perspective (16)
• Introduction to the Research (17)
• Key Questions This Study Will Answer (18)
• Market Overview (19)
• Market Overview—Definitions (22)
• Distribution Channels (24)
• Debate About 802.1X (26)
• Drivers and Restraints—Total Market (28)
• Market Drivers (29)
• Drivers Explained (30)
• Market Restraints (35)
• Restraints Explained (36)

Source: Frost & Sullivan

List of Exhibits (continued)

Chart (slide number):
• Forecasts and Trends—Total Market (40)
• Forecast Assumptions (41)
• Total NAC Unit Shipment (42)
• Total NAC Revenue Forecast (43)
• Total NAC Unit Shipment and Revenue Forecast (44)
• Total NAC Market—Pricing Trends and Forecast (46)
• Total NAC Market—Unit Shipment Forecast by Region (48)
• Total NAC Market—Revenue Forecast by Region (49)
• Total NAC Market—Unit Shipment Forecast by Distribution Channel (51)
• Total NAC Market—Revenue Forecast by Distribution Channel (52)
• Total NAC Market—Unit Shipment by Product Type (54)
• Total NAC Market—Revenue Forecast by Product Type (55)
• Forecasts and Trends—Vertical Markets (57)
• Total NAC Market—Unit Shipment Forecast by Vertical Market (58)
• Total NAC Market—Revenue Forecast by Vertical Market (59)

List of Exhibits (continued)

Chart (slide number):
• Dynamics of Vertical Markets using NAC with Case Studies (61)
• Case Study—Erickson Living (68)
• Case Study—Financial Sector (71)
• Case Study—Midsized Manufacturer (74)
• Case Study—Venable, LLP (77)
• Market Share and Competitive Analysis—Total Market (79)
• Competitive Analysis—Market Share (80)
• Competitive Environment (82)
• Market Share and Versatility of NAC Solution (84)
• Enterprise Segment Breakdown (87)
• Market Engineering Measurements (88)
• Enterprise NAC Unit Shipment and Revenue Forecast (90)
• Enterprise NAC Segment—Pricing Trends and Forecast (91)
• Enterprise NAC Competitive Analysis—Market Share (93)
• Enterprise NAC Competitive Environment (94)

List of Exhibits (continued)

Chart (slide number):
• SMB Segment Breakdown (96)
• Market Engineering Measurements (97)
• SMB NAC Unit Shipments and Revenue Forecast (99)
• SMB NAC Segment—Pricing Trends and Forecast (100)
• SMB NAC Competitive Analysis—Market Share (102)
• SMB NAC Competitive Environment (103)
• The Last Word (105)
• Predictions (106)
• Recommendations (107)
• Legal Disclaimer (108)
• Vendor Profiles (109)
• Vendor Profile—Aruba Networks (110)
• Vendor Profile—Auconet, Inc. (124)
• Vendor Profile—Avaya Networks (132)
• Vendor Profile—Bradford Networks (140)

List of Exhibits (continued)

Chart (slide number):
• Vendor Profile—Cisco (148)
• Vendor Profile—ForeScout Technologies, Inc. (163)
• Vendor Profile—Impulse (176)
• Vendor Profile—Pulse Secure (184)
• Appendix (197)
• Market Engineering Methodology (198)
• Abbreviations (199)
• List of Companies Included in “Others” (201)
• Partial List of Companies Interviewed (202)

Executive Summary

Key Findings

• Frost & Sullivan estimates network access control (NAC) vendors sold $399.8M of NAC appliances and NAC SaaS in 2013, the base year of the study. This represented a 40.5% increase over 2012.
• For 2014, much is the same. Anticipated revenues in NAC are $552.8M, a 38.3% improvement.
• At the heart of the matter, NAC is a foundational network security defense: endpoints are ultimately the place where intrusions to networks happen, and the last chance to defend against or detect a network breach.
• NAC vendors can be lauded for improving the fundamentals of traditional aspects of NAC platforms. Devices are easier to register and onboard onto networks; directories are easier to integrate with RADIUS servers; and BYOD and mobile devices are easier to recognize and protect.
• NAC vendors can additionally be lauded for expanding their platforms. In recent years, three larger technological developments have made NAC more essential to network security:
  1. Endpoint visibility, including configuration assessment, adds value to the platform and helps to provide crucial information about corporate assets, specialized devices, their location, and the security posture of endpoints.
  2. NAC platforms are being bidirectionally integrated with other network and security platforms. If properly done, NAC integrated with advanced threat detection (ATD), vulnerability management (VM), security information and event management (SIEM), mobile device management (MDM), and other platforms improves the efficacy of both NAC and the integrated platforms, and allows these platforms to trigger NAC defense actions.
  3. With true endpoint visibility and improved posture assessment, NAC adds “context” to controls. IT Directors can establish very granular policies, build risk management into NAC, decrease the number of alerts, and anticipate potential weaknesses in the network through posture assessment and visibility into configurations.

Key Findings (continued)

• The size of NAC deployments is getting larger. Enterprise and mid-sized networks are expanding to include more devices per employee and BYOD.
• Beyond “greenfield” opportunities, organic growth is also happening as IT Directors are dismissing first-generation NAC issues and realizing next-generation NAC capabilities and advantages. Prior installations are upgrading and expanding requirements and implementation coverage at the time of contract renewals.
• In 2013, the average selling price (ASP) for a small to medium-sized business (SMB) NAC is $35,581. By 2018, the same deployment will be $41,227.
• The ASP for an enterprise NAC in 2013 is $121,441. By 2018, the same deployment will be $144,784.

Market Engineering Measurements

Total 2013 NAC Market: Market Engineering Measurements, Global, 2013

Market Overview
• Market Stage: Growth
• Market Size for Last Year (base year 2013): $399.8 million
• Market Units/Volume (base year 2013): 5,935
• Average Price Per Unit (base year 2013): $67,364
• Market Size for Last Year of Study Period: $1.46 billion
• Base Year Market Growth Rate (2013): 40.5%
• Compound Annual Growth Rate (2010–2018): 29.5%
• Customer Price Sensitivity (base year 2013): 6
• Degree of Technical Change (base year 2013): 9
• Market Concentration (base year 2013): 69.5% market share held by the top 3 competitors

Note: All figures are rounded. The base year is 2013.

Market Engineering Measurements (continued)

Total 2013 NAC Market: Market Engineering Measurements, Global, 2013

Competitor Overview
• Number of Competitors* (base year 2013): 14
• Number of Companies that Exited (base year 2013): 0
• Number of Companies that Entered (base year 2013): 0
• Replacement Rate: 1.2 years per appliance
• Attachment Rate: 10,000

Total Addressable Market
• Average Maximum Attachment Rate: 300,000 on one central console
• Current Potential Users: 100,000 potential deployments

Industry Advancement
• Average Product Development Time: 1.4 years
• R&D Spend by Product (base year 2013): 16.5%
• Marketing Spend as a Percent of Market Revenue (base year 2013): 10.6%

*Companies with revenue of more than $1.0 M
Note: All figures are rounded. The base year is 2013.

Market Engineering Measurements (continued)

• The purpose of this section is to explain the Market Engineering Measurements overviews, total addressable market, and product development criteria.
• In the upcoming sections, Market Overview and Drivers and Restraints—Total Market, how NAC vendors improved their businesses by 40.5% from 2012 to 2013 is discussed.
• Market revenues are determined by rolling up the estimated revenues of NAC service providers.
• The average NAC deployment varied in cost. For instance, deployments in the educational market are notable for having many endpoints, but lower deployment costs per end user than the financial markets.
• Customer price sensitivity is a subjective criterion. If Vendor A and Vendor B offer nearly identical services for a customer with basic NAC requirements, then the lower-cost vendor is likely to win the account. In enterprise accounts, NAC vendors have been able to successfully differentiate based upon product functionality.
• NAC platforms and the diversity of support and services vary greatly between NAC vendors. Reliability, extent of endpoint intelligence, policy engine granularity, post-admission controls, complementing other technology platforms, and scalability features are more important than pricing in winning, maintaining, and expanding NAC accounts.
• The degree of technical change is also subjective. Not only are NAC platforms difficult technologies to execute, but in 2013, NAC platforms also expanded in several significant ways (see Drivers Explained).

Market Engineering Measurements (continued)

• The top 3 NAC providers in terms of revenue are Cisco, ForeScout, and Juniper Networks. In 2013, these vendors accounted for 69.5% of all NAC revenues; Frost & Sullivan believes the market share of Cisco and ForeScout will continue to grow through 2018, with Aruba Networks surpassing Juniper Networks (now Pulse Secure) as an anticipated market leader.
• Frost & Sullivan counts 14 NAC vendors with revenues of more than $1 million in 2013.
• The replacement rate is the contract duration that businesses typically have for either NAC as a service or an appliance license. Almost all license terms are for one year, but contracts are sometimes signed for longer as businesses want to lock in maintenance and support pricing.
• The attachment rate is the average capacity for a single appliance. Vendors have capacity ratings for the number of endpoints in total, and also for the number of active endpoints at any given time. The average appliance is capable of handling 5,000 active endpoints, but can store the profiles of 10,000 endpoints.
• The maximum attachment rate is how many endpoints can be monitored and managed from one console (one single pane of glass). Some vendors say that their platforms are infinitely scalable, but the largest deployments Frost & Sullivan is aware of accommodate 100,000‒500,000 centrally managed endpoints.

Market Engineering Measurements (continued)

• In statistics kept by the US Census Bureau, there were 17,671 US businesses in 2011 with 500 or more employees. Frost & Sullivan extrapolates the global number of businesses that have 500 or more employees and a significant Internet presence to be 100,000. These 100,000 businesses represent the number of companies that could buy a NAC product.
• Since January 2013, NAC appliance vendors have been especially aggressive in making major enhancements to their platforms, with a new release every one to two years.
• Frost & Sullivan estimates research and development spending represented 16.5% of revenue in 2013. This R&D spending will slow to 10–15% of revenues through 2018.
• NAC vendors recognized their products were hot in 2013, and spent a relatively high amount on marketing. In 2013, NAC vendors spent roughly 10.6% of revenue on marketing.

CEO’s Perspective

1. In terms of global revenues, for the years 2013–2018, NAC vendors should expect a 29.5% CAGR.
2. The factors driving NAC sales include granular policy settings, full endpoint visibility, ease of deployment, and integration with other security tools.
3. In terms of regional markets, the Americas represents more than 70% of the global market during the forecast period.
4. The leading NAC vendors are having success in winning greenfield installations and in expanding existing relationships.
5. NAC vendors understand the importance of endpoint visibility and compliance; other technology platforms will offer different aspects of endpoint visibility.

Introduction to the Research

• Purpose of the Research
  o This report provides an analysis of the global NAC market, including:
    - Four years of historical market sizing, including the base year of 2013, and five years of market forecast
    - Drivers and restraints
    - Market shares for the market participants
    - Market description and market trends
    - Individual company profiles of the market participants
• Segments of the market to be analyzed include:
  o By product type
  o By vertical market
  o By geography
  o By size of company
  o By distribution channel

Key Questions This Study Will Answer

Why has NAC become such a hot technology?

Which feature sets are being adopted by NAC vendors to win business?

NAC is a highly customizable platform; how can NAC policies be established most effectively in various vertical markets (case studies)?

What are the forecasts for NAC unit shipments and revenues by region? By vertical market? By size of business? By product type?

What is the market share for NAC vendors for the total global market for business sizes SMB and enterprises?

What are notable points of competitive differentiation between NAC vendors?

Market Overview

• NAC started as a solution to address a massive outbreak of malicious software (also called malware) in enterprise networks in 2003 and 2004.
• To combat this threat, first-generation NAC products required strict authentication practices and aggressive pre-connect device checks. These solutions, however, proved to be too intrusive and restrictive to be a viable option for most customers.
• There may have been as many as 30 NAC vendors in the mid-2000s. The weaker technologists diluted the work of the better NAC vendors.
• By 2008, NAC became a more solid and understood technology. Vendors overcame deployment and usability challenges inherent in earlier-generation products. In addition, with fewer vendors left in the market, there was reduced customer confusion.
• Since 2012, enterprise mobility, inclusive of BYOD and wireless security, helped to revitalize customer interest; BYOD served as an introductory catalyst for customers that did not yet understand the full capabilities of NAC.

Market Overview (continued)

• IEEE 802.1X is a standard protocol for port-based network access control. It requires three components supporting 802.1X management: devices with a supplicant or software agent, an authenticator such as a switch, and an authentication server such as a remote authentication dial-in user service (RADIUS) server.
• With 802.1X-based NAC, a device cannot be authorized for network admission unless it is authenticated or authentication has been bypassed by MAC address. To work properly, all endpoints and the respective infrastructure, wired and wireless, need to be configured to support 802.1X processes.
• In the last two years, Android, iOS, Windows Phone, and BlackBerry devices have all shipped with embedded supplicants. The device, through supplicants or other methods, can be recognized and managed by the NAC when it is registered onto a network.
• NAC can be set up to simplify and automate IT operations and coordinate disparate identity, network, security, and reporting tools.
• Throughout this report, the virtues of discovering and monitoring endpoints will be discussed in terms of how overall network security is improved.
• Ultimately, NAC is the last line of defense in network security. If perimeter network defense products represent the front door of cyber defense, NAC is the back door.
• NAC products are essential and well regarded within network security teams. Through 2013‒2018, Frost & Sullivan anticipates a CAGR of 29.5%.

Market Overview—Definitions

• NAC empowers IT administrators to define, implement, and enforce granular access policies for connecting endpoints based on user identity, role, device type, security posture, location, and other relevant factors.
• To accomplish this objective, NAC products must be able to detect connecting endpoints regardless of device type (e.g., smartphone, laptop, or wireless router) or connection type (e.g., wired, wireless, or remote).
• NAC products should operate without on-device agents, though an agent may be offered optionally for organizations that require deeper visibility and control over the endpoint.
• NAC products are delivered as a hardware appliance or a virtual appliance. NAC appliances should operate out-of-band and not inline with network traffic.
• NAC products have a base price plus some modular or subscription licensing costs based on the number of endpoints and desired features, including device onboarding, device posture assessment, and security tool interoperability.
• Distribution channels include third-party security sales channels (which include value-added resellers (VARs) and systems integrators), managed security service providers (MSSPs), and direct sales.
• For vertical markets, NAC customers are categorized as Education, Healthcare, Government, Financial, and Others.

Market Overview—Definitions (continued)

• An SMB denotes an organization with fewer than 20,000 concurrently connecting endpoints.
• In this report, enterprise denotes a NAC deployment with 20,000 or more endpoints.
• A unit refers to a single physical or virtual appliance, along with required license fees, sold to a customer either by third-party sellers, MSSPs, or directly.
• Price indicates the average sale price from the vendor and is provided in US dollars ($).
• The Americas region includes countries in North America and Latin America.
• The Europe, Middle East, and Africa (EMEA) region primarily refers to countries in western and central Europe, the Middle East, and Africa.
• Asia Pacific (APAC) includes Japan, Australia, India, and countries in southeast Asia.

Distribution Channels

Key Takeaway: NAC deployment is still largely influenced by third-party security sales channels: distributors, VARs, and systems integrators.

Total NAC Market: Distribution Channel Analysis, by Revenues, Global, 2013

Share of revenue reaching the end user by channel:
• Third-party Security Sales Channels (distributors, systems integrators, and value-added resellers): 58.8%
• Managed Security Service Providers: 17.4%
• Direct Sales: 23.8%

Note: All figures are rounded. The base year is 2013.

Distribution Channels Discussion

• Third-party security sales channels (distributors, VARs, and systems integrators) had 58.8% of the revenue in the NAC market in 2013.
• In many cases, businesses (enterprises in particular) have matured their security approaches while working with specific channel partners, and that loyalty still persists.
• In Latin America and parts of Asia-Pacific, third-party security solutions providers have greater influence than in North America.
• A reason to work with third-party security providers (especially in non-domestic markets) is that they have broader experience and resources to create and deploy more complex security solutions.
• A 17.4% share is attributed to managed security service providers (MSSPs).
• NAC vendors see relationships expanding with MSSPs during the forecast period.
• Enterprises have formal solution architects. Several NAC platforms already have integration modules or built-in integrations with complementary security technologies (SIEM, VM, MDM, and IDS/IPS).
• Most NAC providers use an OpenAPI or RESTful API as a way to enable integrations with security platforms or custom applications.
• In particular, companies that sell switches or related hardware supporting 802.1X (such as Cisco, Avaya Networks, Aruba Networks, and Extreme Networks) have a natural upsell opportunity by selling or bundling hardware or hardware upgrades with the NAC.

Debate About 802.1X

• In 1997, the IEEE working committee for IEEE Std 802.11-1997 (802.11a) convened to design wireless networking standards to ensure that wireless networks would be as secure as wired Ethernet (Wired Equivalent Privacy (WEP)).
• The current 802.1X evolved from a subset of standards that emanate from the IEEE 802.11i system architecture.
• The 802.1X standard has three components necessary for a device to make an authenticated connection to network resources:
  I. A device has a supplicant, which is a software agent on the device.
  II. The supplicant is recognized by an authenticator, a network device such as an access point, port SPAN, or Ethernet switch. The authenticator is the gateway between network access and non-access.
  III. The authenticator refers the request to the Authentication, Authorization, and Accounting (AAA) server, which determines if the credentials from the endpoint device match what is in the RADIUS server.
• The benefit of this type of architecture is that it prevents rogue device access as a pre-connect authentication mechanism. Network security teams have a legacy understanding of 802.1X platforms.
• The four leading NAC vendors, Cisco, ForeScout, Pulse Secure, and Aruba Networks, all support 802.1X port-based network access control.
• In an 802.1X deployment, all respective endpoints, switches, servers, and RADIUS must be able to support and be configured for 802.1X. In addition, all certificate management, client deployment, directory authentication and replication, and non-802.1X device exceptions must be managed.
• 802.1X-based NAC can be challenging, in terms of cost, deployment, and maintenance, for users with network components whose 802.1X support varies, and for those with endpoints that do not support 802.1X supplicants, such as printers and medical equipment.
• New devices entering an 802.1X NAC platform must have endpoint recognition for certificates, formal assignment in directories, and client deployment before full policies can be pushed to the endpoint.
• Conditions such as these are problematic for guest and BYOD registrations.

Debate About 802.1X (continued)

• ForeScout has a different approach. ForeScout CounterACT can be implemented as either 802.1X or non-802.1X, or in a hybrid approach. The following are different types of network approaches:
  a) A multi-factored approach to device authentication and assessment supports policy-based device discovery, intelligence, profiling, and response in real time.
  b) Device profiling and network mapping.
  c) Passive traffic monitoring.
  d) The interrelation of endpoint visibility, network mapping, and passive traffic monitoring. Monitoring the behavior of a device in the context of its profile and mapping is a necessary practice toward achieving a secure attack surface.

• Frost & Sullivan does not endorse either 802.1X, agentless networks, or a hybrid approach.
  o In fact, one good way to shunt network access is to not formally recognize rogue devices on a network in the first place; this is the signature strength of an 802.1X platform.
  o Of course, the rogue device argument, while important, does not mitigate spoofed MAC address risks or credential management.
• The considerations listed about 802.1X networks have been largely diminished over the last few years. Web-based portals for registration and single sign-on identity recognition have made the NAC end-user experience better.
• Like ForeScout, Cisco, Pulse Secure, and Aruba Networks all have device profiling in varying capacity.
• The shape of the Internet of Things (IoT) is starting to form now.
• Currently, NAC systems mostly do not have to account for connected devices that do not go back through the Internet for connectivity. Examples of non-Internet communication networks include smart metering, home automation, and automated lighting. Short-range wireless connectivity standards like Bluetooth and ZigBee could become a part of IoT.

Drivers and Restraints—Total Market

Market Drivers

Total NAC Market: Key Market Drivers, Global, 2013–2018

Impact by period (1–2 Years / 3–4 Years / 5th Year):
• NAC platforms provide complete endpoint visibility, which is the focal point of access, policy, performance, and security: H / H / H
• NAC is being integrated with other security platforms to enhance the efficacy of the NAC as well as perimeter network defenses: H / H / H
• Contextual awareness has become a part of NAC platforms, leading to more operational intelligence whereby granular policy settings provide greater efficacy: H / H / H
• The NAC platform has evolved to match the way that businesses have evolved network architecture and access: M / H / H
• A positive secondary effect of having endpoint visibility is that formal inventories and compliance reporting can be spun from a central console: M / M / M

Impact ratings: H = High, M = Medium, L = Low

Drivers Explained

NAC platforms provide complete endpoint visibility, which is the focal point of access, policy, performance, and security
  o The most basic aspect of network defense is that an IT team must understand the security surface it is protecting. This includes continuous monitoring of all endpoints, servers, applications, virtual applications and machines, and the location of networks (local, shared data center, cloud, etc.).
  o An endpoint is an entity that has a MAC address or IP address; this includes servers, routers, and switches, as well as desktop and laptop PCs, tablets, and mobile devices.
  o Devices on a traditional network are recognized through Ethernet connections. These devices are desktop PCs and mail, storage, and Web servers. However, printers and office alarm systems are also often connected by Ethernet.
  o Mobile devices are matched to the network through on-device supplicants, or through dissolvable or persistent agents.
  o NAC platforms can be integral to the remediation process. NAC platforms are used to push out patch management, install and activate applications, and terminate or change settings. NAC can also be used to “big fix” from the Microsoft System Center Configuration Manager (SCCM).
  o Endpoint posture assessment is a nearly ubiquitous feature offered by NAC vendors. Types of posture assessments include application software versions, antivirus, patches, OS upgrades, and hard disk encryption.
  o Most NAC platforms gain device visibility by interfacing with the network infrastructure, such as by interfacing with NMAP. IT teams will know where the endpoint is connected in the network and basic endpoint attributes.
  o An endpoint assessment can be initiated as a way to see if an application or patch was properly applied.
  o Endpoint visibility includes how much bandwidth is being utilized by an endpoint. If a bandwidth-heavy application is running (say, a peer-to-peer app), an alarm can be generated to central administration.

Drivers Explained (continued)

NAC is being integrated with other security platforms to enhance the efficacy of the NAC as well as perimeter network defenses
  o NAC vendors actively seek integration with other network defenses, including: advanced threat detection (ATD), antivirus (AV), virtual private networks (VPN), vulnerability management (VM), security information and event management (SIEM), mobile device management (MDM), firewalls, and Web gateways.
  o The communications between platforms can be one-way or bidirectional depending on the implementation.
  o SIEM is great at collecting, assimilating, and analyzing events and log information. However, while the SIEM treats collected information as a repository, NAC platforms can make the information actionable. NAC can provide the SIEM with dynamic endpoint intelligence with regard to network, use, configuration, application, and activity details that are important in enhancing the SIEM’s analytics coverage and supporting forensic tasks and compliance reporting. Additionally, SIEM rules that identify a security issue can result in a SIEM message being sent to the NAC platform, which in turn can trigger NAC policy to take action on a specific endpoint.
  o When NAC is integrated with MDM, enforcing policies for corporate and personal mobile device management becomes possible. NAC can enforce access policy to the network based on mobile device and user. NAC can automate the enrollment of unmanaged mobile devices into MDM controls. NAC also delivers network-based enforcement for MDM-controlled devices, triggering MDM profile checks on network requests and taking action on non-compliant devices through device notification, network reassignment, or network blocking.
  o NAC can also be integrated with other threat management platforms to support identifying threats and taking containment and forensics action. For example, in ForeScout CounterACT, if an endpoint is compromised, the ATD platform can send information to CounterACT to isolate the breached system from the network and even trigger other controls, such as initiating a third-party system image capture for forensics purposes. Furthermore, IOC (Indicator of Compromise) properties generated by the ATD can automatically be put to use by ForeScout to check against endpoints accessing or on the network.

Drivers Explained (continued)

Contextual awareness has become a part of NAC platforms, leading to more operational intelligence whereby granular policy settings provide greater efficacy
  o Contextual awareness is largely what happens when endpoint visibility intersects with cues from other network infrastructure, applications, and security defenses.
  o Many of the leading NAC providers have mechanisms which allow the network and endpoint security information to be sent to other network, application, and security platforms, and the NAC system can also receive data from these other platforms. This enhances the context and resulting controls of both NAC and the other systems.
  o Access policy is determined through a multi-factor derivation, which can include: the authenticity of the endpoint (does it have the necessary credentials to access the network), where the endpoint is located, the user and role, the use of required security software on the endpoint, and the types of applications an endpoint is running or has installed. All of this can be factored and applied within a NAC policy for monitoring, reporting, and response.
  o Monitoring, access, and response rules can be customized and weighted to provide different network access control policy based on business need. This can be applied to devices pre-admission and post-admission.
  o Similarly, the granular NAC policy can be applied not only to information natively obtained by the NAC but also to information received or gathered from the infrastructure and other systems, for example, receiving information that an MDM-managed mobile device on the network is jailbroken.
  o NAC becomes more valuable by yielding accurate alarms and providing dynamic endpoint intelligence to the operator so that the IT team can make informed decisions, adjust policies, or take action from the console.
• NAC platforms can aggregate visibility into hundreds of thousands of endpoints onto a single console and can also be integrated into help desk, ticketing, and service management systems used by IT and security teams.
  o By combining all of these capabilities, IT can devote fewer resources to managing NAC because incident and event alarms are accurate, detailed, and prioritized, data can be exchanged, and incidents can be centrally monitored.

NE66-74 32 Drivers Explained (continued)

The NAC platform has evolved to match the way that businesses have evolved network architecture and access
o The network is no longer just hardwired Ethernet devices protected by a stateful firewall.
o Network access includes cellular and Wi-Fi. For many businesses, the network includes offsite data centers, hybrid networks, shared networks, and cloud communications.
o Businesses are allowing network access to BYOD devices and guest registrants, as well as to contractors.
o Policy rules can be established for the types of devices that are on the network, or for the type of device requesting access to the network.
o Policies can be established for permanent or temporary access. For example, guest registrants can be given access to a network for a week, but the endpoint is denied access on the eighth day.
o Profiling is used to determine what types of devices are on a network at a given time. Tablets and mobile phones can have different policy requirements. For example, companies may have different requirements for Android and iOS. An IT team may want to monitor Android devices more closely because Android third-party applications may be perceived as containing malware. Or NAC policy can simply register these devices and restrict their access to Internet-only.
o Networks are becoming less corporate-network centric. Web-based applications are becoming inevitable, and network security products must adapt. Depending on the Web application, and on device and infrastructure integration, NAC may regulate appropriate Web application use.

Source: Frost & Sullivan

NE66-74 33 Drivers Explained (continued)

A positive secondary effect of having endpoint visibility is that formal inventories and compliance reporting can be generated from a central console
• A standard component of all security compliance frameworks is the tracking of all hardware and software in an enterprise, as well as ensuring host-based security systems are in place. For example, the first three controls within the Critical Security Controls (maintained by the Center for Internet Security and the SANS Institute) ensure an inventory of hardware and software, as well as secure configurations. NAC supports many specifications, as described below:
o The National Institute of Standards and Technology (NIST) 4.0 was released April 30, 2013. For federal agencies or businesses conducting business with the federal government to be NIST compliant, a monthly inventory of devices, applications, and OS in use is required.
o As a part of Health Insurance Portability and Accountability Act (HIPAA) compliance, patient healthcare and financial records must be secure. Additionally, the devices that doctors or admissions staff use to access patient records must also be proven to be secure. For breach notification safe harbor, encryption must be active.
o As part of the Payment Card Industry Data Security Standard (PCI DSS), access to payment processing systems must be segregated, and host-based defenses, patching, and vulnerability scanning must be in place.
o NAC capabilities address these mandates directly or by integrating with other tools. NAC can see if host-based defenses are not present or active and take corrective action, such as alerting on unencrypted disks or a missing data loss prevention (DLP) agent. NAC can integrate with vulnerability scanning tools that check for missing patches or the expiration of digital certificates.
o If companies merge or different divisions of a company are integrated onto the same network, the effort required to merge inventory and compliance practices can be reduced by employing NAC technology.
o Similarly, any time a network expansion is called for, the existing mapping of the networks can be visualized using NAC.
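The weighted, multi-factor access policy described under contextual awareness (credentials, location, role, required security software, installed applications, OS profile, MDM context), the one-week guest access and Android profiling described under evolved network access, and the inventory of endpoints missing host-based defenses described under compliance reporting, worked through as one added Python example. This is illustrative code written for this page, not code from the report or from any NAC vendor it names; the agent names, weights, thresholds and sample endpoints are assumptions.

```python
"""Weighted NAC access policy: an added illustration, not code from the report or
from any vendor it names. Agent names, weights, thresholds and samples are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Access levels the policy can assign.
FULL, INTERNET_ONLY, QUARANTINE, DENY = "full", "internet-only", "quarantine", "deny"

# Assumed policy settings: agents every managed endpoint must run, applications
# that lower trust, and the guest lifetime (one week; denied on the eighth day).
REQUIRED_AGENTS = {"antivirus", "disk-encryption", "dlp"}
BLOCKLISTED_APPS = {"remote-desktop-share"}
GUEST_LIFETIME = timedelta(days=7)

# Weighted deductions from a starting score of 100 (assumed weights).
WEIGHTS = {
    "missing_agent": 25,     # per required agent not present
    "blocklisted_app": 20,   # per blocklisted application installed
    "location:vpn": 10,
    "location:branch": 5,
    "role:contractor": 15,
    "os:android": 10,        # profiled for closer monitoring, as the text describes
}
FULL_THRESHOLD, INTERNET_THRESHOLD = 75, 50
T0 = datetime(2014, 12, 1, 9, 0)  # constructed registration time for the samples


@dataclass
class Endpoint:
    device_id: str
    has_valid_credentials: bool
    location: str                  # "office", "branch", "vpn", "guest-wifi"
    role: str                      # "employee", "contractor", "guest"
    os: str = "windows"
    agents: set[str] = field(default_factory=set)
    installed_apps: set[str] = field(default_factory=set)
    mdm_jailbroken: bool = False   # context received from an MDM integration
    registered_at: datetime | None = None


def at_day(n: int) -> datetime:
    """Clock value n days after T0."""
    return T0 + timedelta(days=n)


def score(ep: Endpoint) -> int:
    """Sum the weighted deductions for the factors the policy considers."""
    s = 100
    s -= WEIGHTS["missing_agent"] * len(REQUIRED_AGENTS - ep.agents)
    s -= WEIGHTS["blocklisted_app"] * len(BLOCKLISTED_APPS & ep.installed_apps)
    s -= WEIGHTS.get(f"location:{ep.location}", 0)
    s -= WEIGHTS.get(f"role:{ep.role}", 0)
    s -= WEIGHTS.get(f"os:{ep.os}", 0)
    return max(s, 0)


def decide(ep: Endpoint, now: datetime) -> str:
    """Map an endpoint's current state to an access level; the same rules serve
    pre-admission and post-admission, so new context simply means re-evaluating."""
    if not ep.has_valid_credentials:
        return DENY
    if ep.role == "guest":
        # Guest registration is valid for GUEST_LIFETIME, then access is denied.
        if ep.registered_at is None or now - ep.registered_at >= GUEST_LIFETIME:
            return DENY
        return INTERNET_ONLY
    if ep.mdm_jailbroken:
        return QUARANTINE
    s = score(ep)
    if s >= FULL_THRESHOLD:
        return FULL
    return INTERNET_ONLY if s >= INTERNET_THRESHOLD else QUARANTINE


def apply_context(ep: Endpoint, now: datetime, **update) -> tuple[str, str]:
    """Post-admission re-evaluation: apply new context, return (before, after)."""
    before = decide(ep, now)
    for key, value in update.items():
        setattr(ep, key, value)
    return before, decide(ep, now)


def compliance_inventory(endpoints: list[Endpoint]) -> dict[str, list[str]]:
    """Managed endpoints missing each required agent, as a compliance audit asks."""
    report: dict[str, list[str]] = {a: [] for a in sorted(REQUIRED_AGENTS)}
    for ep in endpoints:
        if ep.role == "guest":
            continue  # unmanaged guest devices are outside the host inventory
        for agent in REQUIRED_AGENTS - ep.agents:
            report[agent].append(ep.device_id)
    return report


# Constructed sample endpoints.
SAMPLE = [
    Endpoint("lap-01", True, "office", "employee", agents=set(REQUIRED_AGENTS)),
    Endpoint("lap-02", True, "vpn", "contractor", agents={"antivirus"},
             installed_apps={"remote-desktop-share"}),
    Endpoint("phone-03", True, "office", "employee", os="android",
             agents=set(REQUIRED_AGENTS)),
    Endpoint("guest-04", True, "guest-wifi", "guest", registered_at=T0),
]
```

With the sample data, the contractor laptop missing two agents scores 5 and is quarantined, the guest is Internet-only through day seven and denied on day eight, and an MDM jailbreak report moves the Android phone from full access to quarantine.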

Source: Frost & Sullivan

NE66-74 34 Market Restraints

Total NAC Market: Key Market Restraints, Global, 2013

Restraints (impact in 1–2 Years / 3–4 Years / 5th Year)

• Technology platforms aside from NAC will try to offer capabilities around endpoint visibility, endpoint assessment, and remediation: L / M / M
• Some NAC vendors have limited growth opportunity because they have limited capabilities to support virtual environments, MSSPs, remote systems, and cloud applications: L / M / M
• Inevitably underperforming NAC vendors will be winnowed out of the market: L / M / M
• NAC growth is naturally bounded by the number of enterprises with substantial infrastructure and endpoints: L / L / M

Impact ratings: H = High, M = Medium, L = Low
Source: Frost & Sullivan

NE66-74 35 Restraints Explained

Technology platforms aside from NAC will try to offer capabilities around endpoint visibility, endpoint assessment, and remediation
o The NAC vendors were among the first platform providers to see value in providing dynamic endpoint visibility and in applying that data to enforce access, remediate systems, and respond to threats.
o The integration of NAC with other network security platforms is a double-edged sword. The operational silos between technologies are becoming less apparent, while at the same time the companies that are currently NAC integration partners are potential competitors.
o Beyond perpetual licensing, one-year and subscription term licensing of IT management and security software is common in SIEM, VM, NGFW, wireless, and MDM. Flatly stated, these vendors have to add value to their platforms to increase their marketing opportunity and the value of their renewals.
o An IT Director Frost & Sullivan interviewed mentioned Tenable Network Security with the thought of integrating NAC with the Tenable SecurityCenter Continuous View. The SecurityCenter Continuous View is comprised of the Nessus Active Scanner, the Passive Vulnerability Scanner, and the Log Correlation Center (SIEM). Tenable is the type of company that could add additional endpoint visibility licensing.
o At the Qualys Investor Day in October 2014, Qualys announced that its 2015 roadmap included penetration testing and exploit detection based on polymorphic matching. Qualys has also intimated it would acquire companies that could enhance its technology platform.
o McAfee, which left the market with its host-based NAC, partnered with ForeScout in 2012. Juniper recently sold its VPN and NAC business to a private equity firm (Pulse Secure). Each could return to the market.
o OPSWAT and Promisec already license endpoint posture assessment products and could conceivably license their technology directly to network architects or competing technology platforms. OPSWAT currently licenses its technology to NAC service providers.
o To be clear, Frost & Sullivan is not saying these companies are thinking of entering the NAC business (or are likely to). However, part of the value that NAC vendors derive is from integration modules or competitive feature sets.

Source: Frost & Sullivan

NE66-74 36 Restraints Explained (continued)

Some NAC vendors have limited growth opportunity because they have limited capabilities to support virtual environments, MSSPs, remote systems, and cloud applications
o The most common NAC deployment is 802.1X-based, assessing an endpoint as it enters a corporate network; this requires an 802.1X infrastructure and a managed device supporting an 802.1X supplicant.
• Pulse Secure, Aruba Networks, and Avaya Networks are dedicated 802.1X port-based NAC providers. These vendors rely predominantly on their own 802.1X-compatible servers, routers, switches, and security systems, which have to be purchased to support the protocol.
o NAC vendors have visibility into remote systems that use a VPN to access network resources. Some vendors may not be capable of capturing and managing systems that access resources remotely (not going through a VPN) or systems going to cloud-based applications rather than the corporate network.
o Although NAC vendors have built plug-ins and Web interfaces, 802.1X requires constant refreshing of directories with the RADIUS server.
o Security teams do not have access to all the virtual systems and tools that the IT network operations team uses, yet security policies for virtual systems need to follow specifications similar to those for physical systems. There is value in NAC being able to provide operational oversight to the security team. Not all NAC vendors have made accommodations to fully integrate with virtualized network technologies like VMware or Microsoft Hyper-V.

Source: Frost & Sullivan

NE66-74 37 Restraints Explained (continued)

Inevitably underperforming NAC vendors will be winnowed out of the market
o The Frost & Sullivan forecast of 40.5% growth in 2013 sets a formidable baseline for NAC vendors to achieve.
o The companies that are growing at better than 40% are aggressive in all possible meanings of the term.
o The best-performing companies are fighting for SMB and enterprise business. These companies are seeking integration partners. The same businesses have made significant investments in R&D and marketing.
o Good companies hoping to expand out of niche markets will have a hard time doing so.
o Frost & Sullivan believes that either insolvency or consolidation is a likely outcome for some of the companies in the NAC market.
o Consolidation of regional NAC vendors is one possibility.
o Vendors of other network defense technologies (SIEM, VM, or ATD) could acquire a NAC service provider as a way to bolster their product offering.
o What is less clear is whether this affects the size of the overall market. NAC is a foundational network security platform, and if one vendor leaves its clients, the account is likely absorbed by another NAC vendor.

Source: Frost & Sullivan

NE66-74 38 Restraints Explained (continued)

NAC growth is naturally bounded by the number of enterprises with substantial infrastructure and endpoints
o By 2016, Frost & Sullivan anticipates that NAC revenue growth will drop below 30% year-over-year.
o This has more to do with a naturally saturated market than with competition from competing technologies or with competitive pricing from NAC vendors.
o Pricing always matters, but Frost & Sullivan does not see current NAC licensing as being over-priced against value.
o To date, there has not been an emphasis on the larger NAC vendors offering "under-cut" pricing to win large enterprise sales. Just the same, pricing could become an issue at some point during the forecast period.
o NAC vendors have been able to expand existing relationships, that is, licensing additional visibility, protection, and remediation functionality and protection for additional endpoints within existing accounts. Organic growth within existing accounts will slow down at some point in the future.
o However, Frost & Sullivan anticipates that revenue per endpoint will decline:
1. Competing technology platforms will compete for value-added services.
2. Appliances have capacity for 10,000 or more endpoints. As a NAC vendor adds capacity to its appliance, the pricing paradigm would likely change. Enterprise management systems may offset some of the price-per-endpoint decline.
3. Network security vendors compete for a pool of static network security dollars. Even as NAC is winning revenue that may have gone to VM, patch management, and other security product vendors, a ceiling for network security spending exists.

Source: Frost & Sullivan

NE66-74 39 Forecasts and Trends—Total Market

NE66-74 40 Forecast Assumptions

• Frost & Sullivan incorporates multiple factors into forecasting NAC market revenue and unit shipment figures: development of adjacent technologies, macroeconomic factors, and the strength of individual companies in the market.
• Unit shipment figures are derived from shipment numbers suggested by NAC vendors. Some slight counting incongruences may occur. Some companies count one NAC per company; other vendors count a NAC deployment by how many licenses or consoles are issued to a site.
• The recovery of the global economy has been relatively slow since 2008. The current forecast would be valid if the global economy grows 0%–4% from now through 2018.
• The forecast model is based upon questionnaire results provided to Frost & Sullivan by NAC vendors. Supplier input was more heavily factored than demand-side input.
• The forecast accounts for some competition from adjacent technologies trying to establish endpoint posture assessment or different licensing paradigms. If platform providers like IBM QRadar or Qualys integrate endpoint posture assessment at a faster rate than anticipated, NAC revenues will be reduced.

Source: Frost & Sullivan

NE66-74 41 Total NAC Unit Shipment

Key Takeaway: Unit shipment is increasing in SMB as well as in enterprises.

Total NAC Market: Unit Shipment, Global, 2010‒2018
[Chart: units (bars) and year-over-year growth rate (%) (line) by year; plotted values below]

Year              2010   2011   2012   2013   2014   2015   2016   2017   2018
Units (000s)     3,134  3,724  4,459  5,935  7,950 10,271 12,959 15,653 18,732
Growth Rate (%)      -     19     20     33     34     29     26     21     20

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 42 Total NAC Revenue Forecast

Key Takeaway: In 2013, the culmination of improvements in NAC platforms, enhanced endpoint visibility, remediation, and integration with other technologies made NAC a very hot technology.

Total NAC Market: Revenue Forecast, Global, 2010–2018
[Chart: revenue ($M) (bars) and year-over-year growth rate (%) (line) by year; plotted values below]

Year              2010   2011   2012   2013   2014   2015   2016    2017    2018
Revenue ($ M)    183.8  224.7  284.6  399.8  552.8  740.4  960.7 1,188.8 1,457.9
Growth Rate (%)      -     22     27     40     38     34     30      24      23

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 43 Total NAC Unit Shipment and Revenue Forecast

Key Takeaway: Unit shipments and global revenues are tightly coupled; even as enterprise deployments are becoming more lucrative, SMB deployments are growing faster.

Total NAC Market: Unit Shipment and Revenue Forecast, Global, 2010‒2018
[Chart: revenue ($ Millions) and units (000s) by year; plotted values below]

Year              2010   2011   2012   2013   2014   2015   2016    2017    2018
Revenue ($ M)    183.8  224.7  284.6  399.8  552.8  740.4  960.7 1,188.8 1,457.9
Units (000s)     3,134  3,724  4,459  5,935  7,950 10,271 12,959  15,653  18,732

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 44 Unit Shipment and Revenue Forecast Discussion

• In the base year of 2013, there were 5,935 NAC deployments. Frost & Sullivan estimates these deployments brought revenues of $399.8 million to NAC vendors.
• In 2018, at the end of the forecast period, Frost & Sullivan projects 18,732 NAC unit shipments; the CAGR between 2013 and 2018 is 25.8%.
• In 2018, at the end of the forecast period, Frost & Sullivan estimates the total global NAC market to be worth $1.46 billion; the CAGR between 2013 and 2018 is 29.5%.
• Because revenue growth continues to outpace unit shipment growth, the value of each deployment (ASP) is increasing.
• The biggest reason this is happening is that in enterprise accounts, IT teams are continuing to increase the number of endpoints protected (e.g., corporate and personal mobile devices) and the level of added NAC functionality purchased in each contract renewal.
• In subsequent pages, the factors behind increased unit shipments and revenues in NAC are examined more closely by vertical market, geography, size of business, and product type.

Source: Frost & Sullivan analysis.

NE66-74 45 Total NAC Market―Pricing Trends and Forecast

Key Takeaway: NAC vendors are able to ask for higher licensing costs because of endpoint posture assessments and integration modules with other security platform vendors.

Total NAC Market: Average Price for NAC Deployment, Global, 2010–2018
[Chart: average price ($) (bars) and year-over-year growth rate (%) (line) by year; plotted values below]

Year                 2010    2011    2012    2013    2014    2015    2016    2017    2018
Average Price ($)  58,651  60,346  63,830  67,364  69,529  72,086  74,133  75,946  77,830
Growth Rate (%)         -     2.9     5.8     5.5     3.2     3.7     2.8     2.4     2.5

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 46 Pricing Trends and Forecast Discussion

• NAC vendors have been able to add value to licenses by offering added endpoint posture assessments, remediation services, and integration modules.
• In 2012 and 2013, Frost & Sullivan estimated growth rates of 5.8% and 5.5%, respectively, in ASPs. This is attributable to a larger number of endpoints protected in renewal contracts as well as an uptick in licensing for security product integration modules, remediation, and endpoint posture assessment add-ons.
• The growth rate begins to slow in 2014 and 2015 to year-over-year growth of 3.2% and 3.7%, respectively.
• The ASP takes into account all NAC deployments, and Frost & Sullivan believes that greenfield SMB deployments, while representing new business for NAC vendors, inhibit the growth of overall NAC ASPs.
• In 2016‒2018, year-over-year growth in ASPs does not exceed 3%.
• Although the forecast still shows growth in ASP on a per-NAC basis, SMB deployments are outpacing enterprise deployments.
• Competition for endpoint visibility and posture assessment licenses will intensify.
• Deployments originating in Latin America and APAC are less lucrative than deployments in North America and Europe and are beginning to flatten the overall ASP potential.

Source: Frost & Sullivan

NE66-74 47 Total NAC Market—Unit Shipment Forecast by Region

Key Takeaway: In the years 2013‒2018, the regional CAGRs for unit shipments are The Americas 25%; EMEA 30%; and APAC 29%.

Total NAC Market: Unit Shipment Forecast by Region, Global, 2010–2018
[Chart: units by region and year; plotted values below]

Year            2010   2011   2012   2013   2014   2015   2016    2017    2018
EMEA             490    581    695    930  1,274  1,713  2,263   2,803   3,390
APAC             332    388    453    598    808  1,070  1,411   1,768   2,146
The Americas   2,312  2,755  3,311  4,407  5,868  7,488  9,285  11,082  13,196

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 48 Total NAC Market—Revenue Forecast by Region

Key Takeaway: On a percentage basis, there is a slight erosion of the Americas market, but this regional market will still represent more than 70% of the global market during the forecast period.

Total NAC Market: Revenue Forecast by Region, Global, 2010–2018

[Chart: revenue ($ Millions) by region and year; plotted values below]

Year            2010   2011   2012   2013   2014   2015   2016   2017     2018
EMEA            28.1   34.4   43.5   61.4   86.9  120.8  164.1  208.3    258.2
APAC            18.6   22.3   27.6   38.0   53.0   72.7   98.7  126.7    157.3
The Americas   137.1  168.0  213.6  300.4  412.9  546.8  697.9  853.8  1,042.4

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 49 Regional Unit Shipment and Revenue Forecast Discussion

• The Americas represents more than 70% of the global NAC appliance revenues in all years. In terms of percentage of revenue, North America represented 74.6% of the global market in 2010 and will likely be 71.5% of the global market in 2018.
• In the Americas, endpoint visibility has been an important driver in winning new NAC deployments and in expanding existing deployments.
• Endpoint visibility is important in other markets as well; however, the efficacy of the NAC and the ability to define granular policy control settings to identify and respond to issues are more important drivers globally.
• In this study, Latin America is a part of the Americas. It should be noted that Latin America is the most price sensitive of all of the regional markets.
• In EMEA, Auconet and macmon secure gmbh have significant footholds in Germany and are actively expanding their presence in the rest of Europe. Auconet is building a presence in the US too. However, NAC leaders are aggressively pursuing EMEA as well.
• Portnox has a significant share of the NAC market in Israel, including key installations with the military, government facilities, telecom, and banking.
• By proportion, APAC customers are more fond of physical appliances (hardware) than virtual appliances (software).

Source: Frost & Sullivan

NE66-74 50 Total NAC Market—Unit Shipment Forecast by Distribution Channel

Key Takeaway: Third-party resellers, which include systems integrators, VARs, and distribution channel partners, are responsible for the majority of NAC unit shipments.

Total NAC Market: Unit Shipment Forecast by Distribution Channel, Global, 2010–2018
[Chart: units by distribution channel and year; plotted values below]

Year                    2010   2011   2012   2013   2014   2015   2016   2017    2018
MSSP                     501    614    758  1,033  1,423  1,900  2,462  3,052   3,784
Direct Sales             727    871  1,052  1,413  1,900  2,475  3,149  3,835   4,627
Third-party Resellers  1,905  2,238  2,649  3,490  4,627  5,896  7,348  8,766  10,321

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 51 Total NAC Market—Revenue Forecast by Distribution Channel

Key Takeaway: Enterprises are working more directly with NAC vendors, especially in very large NAC deployments.

Total NAC Market: Revenue Forecast by Distribution Channel, Global, 2010–2018

[Chart: revenue ($ Millions) by distribution channel and year; plotted values below]

Year                    2010   2011   2012   2013   2014   2015   2016   2017   2018
MSSP                    26.5   33.4   43.5   62.6   89.0  123.3  164.3  208.6  265.0
Direct Sales            45.6   56.3   72.0  102.1  142.0  192.1  251.7  314.4  389.6
Third-party Resellers  111.8  135.1  169.1  235.1  321.7  425.0  544.7  665.7  803.3

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 52 Total NAC Market—Unit Shipment and Revenue Forecast by Distribution Channel Discussion

• The Americas represents the most advanced market in terms of network security architecture. In APAC, and to a lesser degree EMEA, VARs and systems integrators are contracted to help with consulting, purchasing, project planning, and installation.
• In the Americas, two market dynamics exist. In compliance-heavy industries like financial services, retail, and healthcare, a business may prefer to go through a third-party channel. The reasoning is that the third-party channel provides additional resources and competence in deploying NAC platforms.
• In the enterprise space, enterprises have a larger, dedicated network and security team. These professionals create their own architecture. Network architects prefer to work with the NAC vendor directly because the vendor is expected to help in developing custom policies, assure NAC deployment, scale, and performance, and provide flexibility in licensing as a network grows.
• MSSPs that are working with some of the infrastructure NAC leaders have very little influence in the NAC space aside from the NAC product selected by an enterprise. The exception (and opportunity) is NAC packaging for MSSPs by independent NAC vendors.
• While NAC vendors support MSSPs through special project packaging and licensing, there is no further synergy in terms of product development.
• However, the number of MSSPs integrating NAC into their service portfolio is rising.

Source: Frost & Sullivan

NE66-74 53 Total NAC Market—Unit Shipment by Product Type

Key Takeaway: A physical appliance is and will remain the most common type of NAC product deployment through 2018.

Total NAC Market: Unit Shipment Forecast by Product Type, Global, 2010–2018

[Chart: units by product type and year; plotted values below]

Year                2010   2011   2012   2013   2014   2015    2016    2017    2018
Appliance          2,311  2,789  3,366  4,562  6,175  7,890  10,090  12,133  14,529
Virtual Appliance    499    593    694    878  1,202  1,614   2,012   2,451   2,966
NAC SaaS             324    342    399    495    573    767     857   1,069   1,237

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 54 Total NAC Market—Revenue Forecast by Product Type

Key Takeaway: Virtual appliance deployments have greater appeal in the enterprise space, while NAC SaaS appeals to small and mid-sized market deployments.

Total NAC Market: Revenue Forecast by Product Type, Global, 2010–2018

[Chart: revenue ($ Millions) by product type and year; plotted values below]

Year                2010   2011   2012   2013   2014   2015   2016   2017     2018
Appliance          132.1  163.9  209.3  299.9  414.7  548.2  721.1  896.0  1,102.9
Virtual Appliance   34.4   42.1   52.1   69.6   98.3  136.9  175.5  219.0    271.6
NAC SaaS            17.3   18.7   23.2   30.3   39.8   55.3   64.2   73.8     83.4

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 55 Total NAC Market—Unit Shipment and Revenue Forecast by Product Type

• Among the three product groups, an appliance is taken to mean a physical appliance that is attached either inline or out-of-band on a network.
• A virtual appliance is a software package that is purchased and loaded by the customer onto approved hardware. For example, a NAC solution can run on a VMware VM with a specified resource reservation on VMware-certified hardware.
• NAC SaaS is NAC purchased as a service. The NAC SaaS vendor is responsible for the management of the software platform, and the contract is billed as a month-to-month service.
• Trustwave and Bradford Networks are among the larger pure NAC SaaS service providers, as the education vertical market is the largest consumer of NAC SaaS. Additional growth for NAC SaaS is in the government and larger enterprise markets where the NAC leaders have focused.
• The physical appliance is how NAC has traditionally been installed in 802.1X networks.
• At the very least, one physical appliance is needed in an 802.1X network to serve as the gateway between the endpoint and the RADIUS server.
• Depending upon the vendor, another appliance may be needed to contain the access control list (ACL), policy control rules engine, and logistics. Different service modules may be associated with an appliance. Aruba Networks, for example, uses one appliance combining the gateway, the ACL, and related applications.

Source: Frost & Sullivan

NE66-74 56 Forecasts and Trends—Vertical Markets

NE66-74 57 Total NAC Market—Unit Shipment Forecast by Vertical Market

Key Takeaway: Financial market NAC installations are the most lucrative; educational facilities present challenges in terms of quick access and types of devices.

Total Global NAC Market: Unit Shipment Forecast by Vertical Market, 2010–2018

[Chart: units by vertical market (stacked bars) and total growth rate (%) (line) by year; plotted values below]

Year              2010   2011   2012   2013   2014   2015   2016   2017   2018
Financial          541    671    830  1,141  1,569  2,094  2,695  3,305  4,019
Government         571    690    831  1,159  1,619  2,129  2,736  3,361  4,090
Healthcare         369    441    529    726    978  1,267  1,601  1,936  2,314
Education          985  1,109  1,292  1,644  2,101  2,600  3,151  3,676  4,259
Others             668    814    978  1,265  1,683  2,181  2,775  3,374  4,050
Growth Rate (%)      -     19     20     33     34     29     26     21     20

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 58 Total NAC Market—Revenue Forecast by Vertical Market

Key Takeaway: The financial sector will always require the most sophisticated network security tools, but utilities and manufacturing (in Others) are also on the rise.

Total Global NAC Market: Revenue Forecast by Vertical Market, 2010–2018

[Chart: revenue ($US Millions) by vertical market (stacked bars) and total growth rate (%) (line) by year; plotted values below]

Year              2010   2011   2012   2013   2014   2015   2016   2017   2018
Financial         50.6   62.1   78.8  110.1  152.6  206.3  268.4  332.0  407.2
Government        33.5   41.6   53.0   78.1  112.6  153.5  202.9  255.3  318.3
Healthcare        19.9   25.0   32.4   47.9   66.6   89.5  116.3  144.1  176.5
Education         48.5   56.2   69.2   93.0  122.7  157.4  196.2  234.5  278.4
Others            31.3   39.8   51.2   70.7   98.3  133.6  176.9  223.0  277.4
Growth Rate (%)      -     22     27     40     38     34     30     24     23

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 59 NAC Vertical Market Revenue and Units Forecast Discussion

• The others category in vertical markets is private sector businesses including retail, manufacturing, technology/telecommunications, and utilities.
• In 2013, the financial sector is the largest NAC vertical market in terms of revenues. The education vertical is the largest in terms of unit shipments.
• In 2013, the education category had 1,644 NAC unit shipments, followed by the others category, which purchased 1,265 NAC units.
• In 2013, the financial sector purchased $110.1 million in NAC appliances and services. The financial sector will be the largest vertical market throughout the forecast period, with anticipated revenues of $407.2 million in 2018.
• The fastest growing NAC unit shipment CAGRs between 2013‒2018 come from the government sector, growing at 28.7%, and the financial sector, with 28.6% growth.
• The fastest growing NAC revenue CAGRs between 2013‒2018 come from the others sector, growing at 31.4%, and the financial sector, with 29.9% growth.
• Education is the vertical market with the lowest growth rate; however, even this market has a revenue CAGR of 24.5% between 2013 and 2018. The education market works with the most confining budgets of any of the vertical markets in this study.
• The next section describes how NAC solutions are developed and deployed to help customers in specific market verticals. Case studies are included.

Source: Frost & Sullivan

NE66-74 60 Dynamics of Vertical Markets using NAC with Case Studies

NE66-74 61 Dynamics of Vertical Markets using NAC with Case Studies

Financial
• Financial institutions will continue to be high-priority targets of cybercriminals. Attempting to steal money or monetary assets has been and will always be a constant.
• Financial markets tend to purchase the most progressive NAC platforms.
• NAC is slightly different in financial markets. Well-publicized hacks of ATMs show that there is an Internet connection to even custom-built devices.
• Bank accounts and credit card numbers could be used directly by thieves. However, other personal information is attached to loan documents and credit applications.
• The consistent improvement in NAC, including granular policy settings, endpoint visibility, and integration with other security platforms, has provided new opportunities for business.
• Any effective, original approach to detecting anomalous behavior will be considered in a financial institution's network security defense.
• For additional dynamics about the financial market sector, see Case Study—Financial Sector.

Source: Frost & Sullivan

NE66-74 62 Dynamics of Vertical Markets using NAC with Case Studies (continued)

Government
• Federal government agencies have strict security requirements and often invest in NAC solutions to prevent unapproved user access and device connections. State and local agencies are also strong adopters of NAC solutions.
• In the US, for businesses hoping to do business with the federal government, compliance with NIST 800-53 standards is a requirement. NIST 4.0 requires agencies of the federal government to provide an inventory of devices, applications, and OS every month.
• Government installations vary in size and complexity. Large facilities like the Pentagon and the FBI Headquarters in Quantico, VA not only have on-premises security appliances but also physically guard these appliances.
• Other government facilities are smaller, like post offices and department of motor vehicle facilities.
• In general, BYOD is not as big a consideration in government installations. Wireless is not used to enhance the user experience or to leverage promotions as in other types of businesses.


Dynamics of Vertical Markets using NAC with Case Studies (continued)

Healthcare
• The adoption of the Affordable Care Act also brought a set of additional compliance standards.
• A hospital is liable if a personal, computing, or storage device containing sensitive data is stolen. Often, hospitals or healthcare providers will want visibility into the endpoint to make sure data on the machine is encrypted.
• NAC in hospitals is interesting. As recently as three years ago, Wi-Fi networks were discouraged in hospitals. However, in the last three years, hospitals have installed hotspots and distributed antenna systems. Hospitals now offer guest registration privileges. Also, there has been an uptake in BYOD tablets for doctors in hospitals. The NAC challenge is increasingly difficult in hospitals.
• The language in HIPAA suggests that healthcare service providers (Cigna, Aetna, etc.) have indemnity in regard to subcontractors. Breaches of patient records by x-ray technicians, ultrasound technicians, and similar specialists could be directed to the healthcare providers.
• ¹ As part of converting to electronic databases by 2016, the Centers for Medicare & Medicaid Services have set various standards promoting meaningful and accurate use of healthcare information captured by various healthcare IT platforms in the United States.
• ¹ Similarly, EU member states have adopted eHealth as part of their national strategies, as indicated by the €22 million European Patient Smart Open Services Project (epSOS) for implementation of HIE among 12 member states.

¹ The references come (verbatim) from the Frost & Sullivan report Analysis of the Global Enterprise Content Management (ECM) Market for Healthcare.

Dynamics of Vertical Markets using NAC with Case Studies (continued)

Education
• The education vertical includes kindergarten through 12th grade (K-12) and higher education, meaning community colleges, colleges, and universities.
• NAC solutions serving education facilities are different from NAC in other vertical markets. The most important differentiation is that many personal devices need to be on-boarded for both faculty and students.
• Initially, a NAC may only need to handle a few faculty devices. However, within the first week of school, tens of thousands of student and guest devices may suddenly require registration.
• Often working with state or federal funds, profit margins for NAC in education tend to be lower than in other market verticals. This is very evident in K-12 and even with small higher education customers.
• Internal technical resources required to deploy and support NAC are very limited in K-12, less so in higher education. However, higher education will often have decentralized implementations. Companies that offer simpler and more flexible architectures and centralized monitoring capabilities will have an advantage in securing education business compared to other verticals.
• User experience has a different meaning. College students are technically savvy. Academic disciplines start the instant that a student is enrolled, and network access is a crucial part of the academic experience.
• Device registrations have to be intuitive, with the means to support students migrating across the campus and using multiple devices. User experience is key in terms of reducing time to access resources and in alleviating registration and re-authentication.

Dynamics of Vertical Markets using NAC with Case Studies (continued)

Education (continued)
• An administrator may wish to quarantine a device pending an upgrade to AV or patch management.
• The primary use cases are malware detection, guest management, inventory, and preservation of bandwidth. This market also has material compliance considerations for PCI, FERPA, HIPAA, and copyright laws.
• Like other NAC implementations, many education facilities have existing network security and analytics tools. Compatibility with existing infrastructure is desirable.
• Vendors offering NAC solutions indicate that each educational setting is different. For instance, in a K-12 school, being able to tie in with Web management tools is an important consideration in denying access to students attempting to access adult material.
• In a university setting, wide access to resources and Web sites is encouraged as a part of the overall culture.
• Device registrations have to be intuitive. Post-admission is also important as students migrate across the campus. Preferably, users would not need to re-register or re-authenticate devices.


Dynamics of Vertical Markets using NAC with Case Studies (continued)

Others
• The others category in vertical markets is private sector businesses including retail, hospitality, retirement living facilities, manufacturing, legal firms, technology/telecommunications, and utilities.
• For restaurants, amusement parks, and hospitality fields, NAC plays an important role in giving customers limited access to business networks. Businesses like these have started to integrate social media and wireless to augment onsite promotions.
• Promotions and enhancements to the customer experience can be offered to customers through mobile access.
• Retailers could use a NAC to consolidate distribution channels. Cuisinart products (used as an example of a brand name but not interviewed in this project) are sold in Walmart, Best Buy, Target, on Amazon, and directly through the manufacturer. Cuisinart may want to push additional access privileges to new customers.
• Manufacturers have different levels of sensitivity at their facilities. Certain areas of a facility may handle extremely sensitive products (a distributor may pay a substantial penalty if merchandise is mishandled before a formal product unveiling).
• By necessity, legal firms assume the security profiles of the customers they represent. If representing a healthcare provider, the legal firm will follow HIPAA/HITRUST standards for secure networking.
• If working with banks, Sarbanes-Oxley is followed; and for initial public offerings, financial institutions follow SEC regulations.
• When working with technology companies, NAC is challenged because the theft of intellectual property can be devastating.
• Frost & Sullivan interviewed security teams in the retirement living sector (Case Study—Erickson Living), midsized manufacturing (Case Study—Midsized Manufacturer), and legal firms (Case Study—Venable, LLP).


Case Study—Erickson Living

Retirement Community
• Erickson Living owns and operates 19 retirement communities in ten states in the United States. In total, Erickson Living hosts 23,000 residents and has 14,000 employees.
• Erickson Living selected Cisco ISE 1.2 as its NAC platform.
• Communications for retirement communities have specific technical challenges. Residents coordinating services with external providers, especially during the move-in process, detracts from resident satisfaction. Also, with each resident procuring their own Internet services, there are challenges with co-channel interference across Wi-Fi networks.
• HIPAA compliance is an ongoing consideration. All Erickson Living campuses have medical facilities.
• The oldest campus is 30 years old, and as buildings age, part of the life-cycle process involves significant construction as Erickson Living modernizes its facilities.
• While a facility is expanding, often there are legacy communications services. Erickson Living wanted to support wireline phones, Wi-Fi, mobile devices, and custom-purpose devices like Power over Ethernet (PoE) door locks.
• To give a sense of scale, the Charlestown campus is laid out over two million square feet and has over 900 access points.
• At all points, Erickson Living communities wanted to be able to offer advanced communications platforms.
• Erickson Living has two campuses with a GPON (Gigabit Passive Optical Network) fiber network and is installing GPON at two other campuses.

Case Study—Erickson Living

Retirement Community (continued)
• GPON has a downstream capacity of 2.488 Gbps and an upstream capacity of 1.244 Gbps and enables Ethernet connectivity.
• The advantage of GPON is that Erickson Living would have additional capacity, could effectively serve as its own Internet Service Provider (ISP), and could offer multiple digital services.
• Whatever networking decisions were made at the enterprise level ultimately had to be consumer-friendly.
• Conceptually, Erickson Living wanted the communications to be simple for its residents, “a big analog device like a push-button phone.”
• Advance planning was necessary. The Optical Network Terminals (ONTs) for most communications endpoints are located outside of residents’ apartments. Specifically, the ONTs are located underneath a welcome shelf in the corridor just outside of the front door of the apartments.
• The design is practical: when a new resident arrives, the IT team can set up PCs, wireless printers, LAN phones, and other devices at the time of moving in.
• For Erickson Living, the idea of identifying each device and keeping passwords through a service set identifier (SSID) was not a realistic scenario.
• The Cisco Identity Services Engine (ISE) is deployed centrally at the Cisco Campus LAN 6500 switch, which makes sense for use with GPON.



Case Study—Erickson Living

Retirement Community (continued)
• The Cisco ISE platform allows central administration to set group and identity tags.
• Furthermore, group and identity tags can be created through Microsoft Active Directory.
• The partitioning is effective. For instance, a PC and a wireless printer can be visible to each other but not to any device outside the group tag.
• Annually, Erickson Living allows for a third-party audit to attest to HIPAA compliance.
• Erickson Living is adding PCI-DSS into its annual security assessment this year as the use of credit cards continues to rise. Currently, credit cards are only accepted through separate analog swipes at key locations.
• Credit cards could be used by visitors for philanthropic reasons or to collect memorabilia.
• Ultimately, Cisco ISE was selected because Erickson Living was confident its residents had a secure connectivity platform.
• A one-time connection enables simultaneous connectivity for all of an individual’s devices.
• Connectivity remains as an individual travels throughout the campus.
• Also mentioned by Erickson Living is that the combination of the Cisco 6500 switch and the Cisco ISE platform has a significant amount of backend capabilities.
• Expansion for new devices or networks is relatively easy.


Case Study—Financial Sector

Financial
• An unnamed provider of financial services has been a ForeScout NAC customer for approximately four years. The corporation is US-based but has a global footprint. The financial institution is large and would be a familiar company.
• The size of the company and the vertical market determined the type of NAC:
  o The financial institution integrates NAC with different categories of security solutions. The financial institution has a next-generation firewall, a SIEM, and an ATD system.
  o The company has an elite incident response team. If a verified alarm occurs, the desktop response team can isolate the incident and quarantine the device and ports within 5-10 minutes.
  o Large financial institutions are subject to a broad range of regulations. This means compliance best practices are routine for communications with the government, in industry-imposed standards, and in the protection of personal information and assets, even HIPAA.
  o The financial institution has security teams responsible for compliance and posture. For instance, unique security considerations are given to UNIX and Windows environments.
• What might be counterintuitive: the financial institution is subject to many compliance specifications. However, since compliance is an ongoing obligation, the institution sends NAC information to a SIEM for the purpose of compliance reporting and forensics via the ForeScout SIEM integration module.
• ForeScout CounterACT is helpful because the IT Director and his team obtain immediate endpoint discovery and configuration details, down to checking Windows registry settings to ensure endpoint compliance, and have a real-time pulse of their overall security posture.

Case Study—Financial Sector

Financial (continued)
• ForeScout emerged as the preferred NAC vendor for several reasons. The IT Director was reluctant to use competing solutions due to modest pre-connect and post-connect functionality, limited degree of visibility, lack of broad integration, scalability concerns, and fear of vendor lock-in; his feeling was that ForeScout was the best NAC for their large, heterogeneous, distributed network.
• Not only did ForeScout provide heterogeneous network support, the solution supported centralized management of multiple CounterACT appliances. Also, several network visibility protocols were supported by CounterACT, including 802.1X, agentless, MAC address routing, SNMP, etc.
• Endpoint visibility turned out to be the single feature that most impressed the IT Director. The endpoint intelligence provided many important network diagnostic capabilities:
  o Endpoint visibility does not apply just to the endpoint; visibility is available on the switches and ports that the devices are connected to (and which of these is active). Endpoint visibility can instantly detect unknown, rogue, and unmanaged devices and take informed action.
  o Visibility includes the applications that are installed and active on each device. In this specific deployment, the financial institution prohibited Skype but nonetheless found systems with it installed. The institution integrated CounterACT with McAfee ePO via ForeScout ControlFabric.
  o Patch management validation is an added capability. Patching happens through the patch management app on the endpoint. In one update, the network engineering team changed some device auto-duplexing rules in the network. The patch was properly pushed out, but the MAC routing was mismatched between the switches and environments. CounterACT was able to show that the devices simply had not accepted the patches. CounterACT is now part of the validation process.

Case Study—Financial Sector

Financial (continued)
  o To complement vulnerability scans, CounterACT also assesses endpoints every few hours to determine security posture. Additionally, when a new device comes onto the network, ForeScout can also instruct the vulnerability assessment tool to run a scan based on the last time a scan was performed. While a vulnerability management scan will check for configuration errors, CounterACT checks for endpoint compliance. In essence, integrating NAC with VM offers a good level of redundancy.
  o The IT Director is convinced CounterACT makes other security tools better, such as firewall, SIEM, VM, and ATD, reducing false positives and enabling faster response to issues.
  o The financial institution was impressed with the risk management analytics in the CounterACT platform; this helps it make better-informed decisions and reduces analysis effort.
• The institution can block rogue devices and do guest networking. The next priority the financial institution had was network blocking based upon non-compliant endpoint configuration settings.
• Wireless was not overly problematic for the financial institution. The internal network made extensive use of two-factor authentication.
• Laptops issued to employees were already pre-loaded with security settings and posture alignment.
• BYOD devices are diverted to a different part of the network.
• Endpoint activity is also an indicator of a potential security breach. Seeing an alert about an endpoint plugging into an unexpected port is common. Also common is an endpoint trying to engage with several ports at once. The CounterACT IPS feature detects these instances and monitors MAC address bypass devices.

Case Study—Midsized Manufacturer

Retail/Manufacturing
• An unnamed manufacturer became a ForeScout NAC customer approximately two years ago.
• When the current Network Engineer (IV) solicited proofs of concept (POCs) from competing NAC vendors, the manufacturer had an existing requisition for a NAC that was roughly two years old.
• The manufacturer was reluctant about installing the NAC. As a manufacturer, the company was especially sensitive about false positives interrupting production.
• The manufacturer produces a commercial product sold through online distribution and in stores, and this meant that part of what the company had to prove was that its practices were PCI-DSS compliant.
• The NAC had to provide sufficient protection advantages for their large manufacturing plants, regional offices, corporate human resources and administration, and 70 satellite offices.
• The network had subtle nuances. For instance, employee PCs and Cisco VoIP phones share the same Ethernet port. If access to the port is shut down, it will shunt access for both the PC and the phone. The customer required ACL controls as well as VLAN controls. CounterACT policy granularity easily accommodated these requirements.
• The company wanted a NAC that would be useful for VPN, wired, and wireless considerations. While 802.1X was an option, this manufacturer did not pursue 802.1X because it wanted the easier deployment, greater visibility, and more flexible and granular control afforded by an agentless approach.


Case Study—Midsized Manufacturer

Retail/Manufacturing (continued)
• In an extensive POC, ForeScout emerged victorious fundamentally because of five important factors:
  1. Compliance reporting was becoming problematic for the manufacturer. The ForeScout CounterACT platform handled this requisite.
  2. The manufacturer appreciated the policy engine. The Network Engineer was able to configure alerts and had several options in directing devices onto alternative VLANs or shunting access. The Network Engineer wanted to write policies with contingencies and felt the ForeScout CounterACT gave him the greatest flexibility.
  3. The Network Engineer was similarly impressed with ForeScout endpoint visibility. The NAC provided not only the presence of endpoints but also visibility into the network, all of the ports, operating systems, and applications. The extent of CounterACT’s ability to do endpoint posture checking was unanticipated but welcome, as it could be applied to support other potential security issues.
  4. The Network Engineer also cited ease of deployment and use. Vendor A would require at least three weeks to install, with a suggested tuning of three weeks following the first six months of engagement. Vendor B suggested the installation project would take at least three weeks. ForeScout was up and running in less than a week, with an option for more tuning if needed.
  5. The Network Engineer saw that competing NAC systems required various workarounds or extensive configurations, for example, to apply security policy correctly to VPN connections. In general, he observed that many approaches would not scale. During the POC, ForeScout did not have such issues. In one case, ForeScout was even able to support the manufacturer’s unique integration need, a demonstration of CounterACT’s integration versatility.


Case Study—Venable, LLP

Law Firm
• Venable is a Top 100 American Lawyer (AmLaw) firm and is in the top ten in US Trademark Registrations.
• The network Venable is protecting has 10 offices and over 8,000 endpoints. Venable has roughly 1,280 employees, but with contractors, their network has over 1,400 permanent end users.
• For Venable, the Cisco ISE 1.3 installation was the first time Venable worked with a Cisco NAC. Moreover, the ISE 1.3 version was in beta.
• Compliance issues are different at every business. With a large legal firm, in many cases, the law firm is bound by the same compliance requirements as its clients. Examples of this type of compliance:
  1. Standard IRS requirements for accountants apply to every business.
  2. HIPAA compliance is necessary when working with healthcare providers, hospitals, insurers, doctors, surgeons, and private practitioners.
  3. SEC guidelines need to be adhered to when companies issue an Initial Public Offering (IPO).
  4. SEC guidelines for insider trading are stringent as well.
  5. Sarbanes-Oxley (SOX) is designed to prevent creative accounting practices, and this is important when clients file financial records.
• The Director of Enterprise Architecture, Pete Karelis, is sensitive to public access points. While he feels he can control his known endpoints, his worry is devices that can connect via Ethernet in the break room or in the lobbies of offices.

Case Study—Venable, LLP

Law Firm (continued)
• Wireless is also a problem, even though Karelis made a concerted effort to purge Venable offices of low-end consumer wireless routers.
• In the Venable network architecture, Karelis did not feel he could roll an appliance out to every port.
• Venable had specific objectives in mind when deploying its NAC:
  1. Venable liked the idea of using 802.1X to control access to wired and wireless networks.
  2. Both the Cisco Profile Feed and device posture checking would be used to determine the amount of access or restriction for each connecting device.
  3. Venable needed a guest access policy for contractors. Further, Venable wanted to offer a self-registration or sponsor portal for access.
• At deployment, Karelis discovered a high degree of network visibility. He discovered XP devices (he thought those had been purged), Tripp Lite power equipment, and security cameras.
• The Profile Feed in conjunction with AAA protocols helped to prevent devices from being spoofed.
• Endpoint visibility, including MAC address filtering and OS inventory, is useful. Self-evidently, IT has to understand and have command of its full attack surface.
• Karelis cited the recent discovery of the Shellshock (Bashdoor) bug affecting devices. Karelis would like to isolate devices based on a dynamic threat environment.


Case Study—Venable, LLP

Law Firm (continued)
• A simple thing like a quarantine log is valuable and practical. A device can be placed on a quarantine log and then removed and readmitted to a network if it can be shown the device has been properly patched.
• Karelis has an interesting philosophy about devices. For instance, if a printer IP address is associated with a printer port, a device is seen as safe.
• Philosophies vary: many systems architects would be comfortable with granting access privileges to the device inside the firewall. Karelis feels that the printer should be confined to limited access consistent only with what is necessary for a functioning printer.
• Similarly, Karelis indicates that profiling of devices is great and useful in further restricting a device on the network. However, profiling has integrity limitations, as the device or the profile of a device can be spoofed.
• Karelis also feels that the persistent endpoint visibility scans serve much the same purpose as a VM scan.
• In fact, Karelis has high hopes for pxGrid. He sees an architecture where pxGrid connects ISE 1.3 to the Tenable Security Center, and at that point the benefits of VM and NAC create an effective continuous monitoring platform. Karelis also mentioned integration with SourceFire IPS.


Market Share and Competitive Analysis—Total Market

Competitive Analysis—Market Share

Key Takeaway: Cisco, ForeScout, and Aruba Networks all outpaced the 40.5% year-over-year growth rate the global NAC market achieved in 2013.

Percent of Revenue, Total NAC Market: Global, 2013
Cisco: 39.6%
ForeScout Technologies: 19.6%
Juniper Networks: 10.3%
Aruba Networks: 10.2%
Bradford Networks: 4.6%
Others: 15.7%

Others include Avaya Networks, Impulse, Portnox, Extreme Networks, macmon, Auconet, InfoExpress, Trustwave, and StillSecure, companies with $2M or more in 2013 sales. Please note that in 2014 Juniper Networks sold its NAC assets to what would become Pulse Secure. n = 14. Note: All figures are rounded. The base year is 2013.

Market Share Analysis

• Market share information reflects an important market adjustment made by Frost & Sullivan. Different from the 2013 report, which sized the global NAC market at $235.5 million in 2012, this report puts the total global market at $284.6 million for 2012.
• Cisco ISE has 7,000 customers and services roughly 32 million licensed endpoints. In 2013, Cisco had a 39.6% share of the global NAC market.
• Cisco owns several key advantages in NAC:
  1. Cisco is an active participant in the technical development and ongoing support of the IEEE 802.1X platform.
  2. In terms of hardware, Cisco has a complete line of Ethernet switches, access points for wireless, integrated service routers, RADIUS servers, and authenticator gateways.
  3. Cisco has a global footprint with customer support, global installation specialists, and global sales and marketing support.
• ForeScout has 19.6% of the global NAC market and has been chipping away at Cisco’s overall market share and winning greenfield enterprise customers. ForeScout has some of the largest NAC deployments.
• ForeScout has a significant focus on large enterprise, mid-tier customers, and government agencies, with over 1,800 customers in 54 countries. The company has partnerships with leading security providers and global SIs.
• Aruba Networks was a fast riser in 2013 with its modular NAC solution and a focus on protecting its wireless business. The company has a strong reputation in wireless security and in mid-sized markets and has solid MDM partnerships.
• Bradford Networks seems to have stalled as it pulled out of direct support in Europe and has trimmed personnel.
• Frost & Sullivan believes that Juniper Networks was the third largest NAC service supplier in 2013 (narrowly over Aruba Networks). Juniper Networks sold its Junos Pulse product portfolio to private equity investors, and it has been rebranded as Pulse Secure. Aruba Networks passed Pulse Secure as the third-largest NAC provider in 2014.


Competitive Environment

Total NAC Market: Competitive Structure, Global, 2013

Number of Companies in the Segment: 14 with revenues of more than $1 million in 2013
Competitive Factors: Extent of endpoint visibility, ease-of-use and deployment, pre- and post-admission feature set, granular policy settings, integration with other security tools, scalability, management, global support, and pricing.
Key End-user Groups: IT directors, systems architects, and central administration
Major Segment Participants: Financial services, government, education, healthcare, manufacturing (all types of businesses benefit from NAC)
Segment Share (Units) Top 5 Competitors: 85.0% (Cisco, ForeScout, Juniper Networks, Aruba Networks, and Bradford Networks)
Total Market Share of Top 5 Competitors: 84.3% (Cisco, ForeScout, Juniper Networks, Aruba Networks, and Bradford Networks)
Other Notable Segment Participants: Avaya Networks, Portnox, Impulse, Auconet, macmon, Extreme Networks, InfoExpress, Trustwave, and StillSecure
Distribution Structure: Third party distribution channel (system integrators, distribution channel partners, and VARs), direct sales, and MSSPs
Notable Acquisitions and Mergers: Enterasys acquired by Extreme Networks. (Note: in 2014 Juniper Networks sold its Junos Pulse product portfolio to private equity investors. The NAC product was rebranded as Pulse Secure.)

Competitive Environment (continued)

• The extent of endpoint visibility, ease-of-use and deployment, pre- and post-admission feature set, granular policy settings, integration with other security tools, management and scalability, and pricing are used for competitive differentiation and will be discussed in upcoming sections.
• Subtle differences exist between key NAC features sold to SMB compared to those sold to enterprise.
• The industry is dominated by the top four vendors (Cisco, ForeScout, Juniper Networks, and Aruba Networks), which hold 79.7% of the total market share.
• All types of businesses benefit from NAC. The financial sector, government, healthcare, and education are the top four industries purchasing NAC, but all market verticals covered in this report have a CAGR above 25% from 2013‒2018.


Market Share and Versatility of NAC Solution

Key Takeaway: Cisco has built a successful strategy based upon 802.1X protocols. However, ForeScout rates ahead in platform integration partners and in serving multi-faceted networks.

Competitive Landscape, Total NAC Market, Global, 2013 (chart): vendors are plotted by Market Penetration (Emerging Competitor, Market Challenger, Market Leader) against Meets Market Demands. Vendors shown: ForeScout, Cisco, Aruba Networks, Auconet, Portnox, Avaya Networks, Pulse Secure, Impulse, Bradford Networks, and Extreme Networks.


Market Share and Versatility of NAC Solution (continued)

• The previous graphic plots NAC market penetration against the ability of the NAC solution to meet market demands.
• On balance, Frost & Sullivan believes ForeScout has the most versatile platform. ForeScout is noted for:
  1. Heterogeneous networking with support for 802.1X and non-802.1X platforms.
  2. A highly scalable platform that is especially beneficial to enterprise-sized deployments.
  3. The most security platform integration partners. ForeScout NAC can become an integral part of a company’s perimeter defense architecture.
  4. Excellence in traditional NAC services, including accurate NAC alarms, granular policy settings, and integration of wired, wireless, and VPN into common policy control and monitoring.
  For additional details, see Vendor Profile—ForeScout Technologies, Inc.
• However, Cisco is the clear market share leader and has a global focus on winning new business.
• Cisco has a strong emphasis on security in its architecture:
  o In Cisco architecture, there is a tie-in between RADIUS authentication and TLS communication. This tie-in largely denies unauthenticated devices access to the network.
  o Cisco uses a proprietary technology to associate the endpoint with the right server. This technology helps to mitigate potential race conditions.


Market Share and Versatility of NAC Solution (continued)

  o In 2013, Cisco acquired SourceFire. Combining Cisco ISE with SourceFire FireSIGHT, customers can create a closed loop of detection, quarantine, and remediation.
  o Cisco ISE offers Cisco TrustSec capabilities, which allow enterprises to easily implement software-defined segmentation without VLANs to provide highly secure access to protected resources. Network segmentation is an important and effective control that can be used to prevent lateral movement of threats or unauthorized access on a network.
• Aruba Networks receives high marks for integrating its NAC with its wireless network controllers, integration with MDM vendors, and ClearPass Quick Connect for end users configuring BYOD endpoints for 802.1X networks.
• Pulse Secure (formerly part of Juniper Networks) is noted for its architectural tie-in with Ethernet switch suppliers.
• Companies like Impulse, Bradford Networks, and Trustwave have success in educational markets.
• Extreme Networks is able to combine high-end infrastructure products with the NAC product it offers as a part of the Enterasys acquisition.
• Avaya Networks has had high-visibility projects, including the 2014 Sochi Winter Olympics. The Sochi installation was designed to accommodate 40,000 visitors and 120,000 endpoints.

Source: Frost & Sullivan

NE66-74 86 Enterprise Segment Breakdown

NE66-74 87 Market Engineering Measurements

Enterprise Segment: Market Engineering Measurements, Region, 2013

Measurement Name: Measurement (Trend)
Segment Stage: Growth
Segment Revenue (2013): $266.8 M (▲)
Segment Forecast (2018): $958.6 M (▲)
Base Year Segment Growth Rate: 39.3% (▲)
Compound Annual Growth Rate (CAGR, 2013–2018): 29.1%
Price Sensitivity (scale of 1 to 10, Low to High): 5 (●)
Number of Competitors (active market competitors in 2013): 10 (●)
Degree of Competition (scale of 1 to 10, Low to High): 8 (●)
Degree of Technical Change (scale of 1 to 10, Low to High): 9 (▲)
Customer Loyalty (scale of 1 to 10, Low to High): 8 (●)
Segment Concentration (% of base year market controlled by top three competitors): 74.5% (●)

Trend legend: ▼ Decreasing, ● Stable, ▲ Increasing
Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 88 Market Engineering Measurements (continued)

• Enterprise market NAC is highly lucrative and highly competitive.
• Enterprise network security teams are looking for a NAC platform that is extensible and intuitive.
• A NAC must be able to quarantine or divert suspicious or non-compliant endpoints. The network security team must then be able to immediately identify the risk and take policy-based or on-demand action.
• To authenticate the endpoint and validate its configuration, the network security team must have complete intelligence about the endpoint (where it is, its OS, its applications, etc.) and its security posture (status of certificates, antimalware, etc.).
• The enterprise NAC market is more feature oriented than price sensitive.
• Endpoint visibility, combined with control information gathered from external network and security infrastructure, improves the overall defense capabilities of NAC.
• Integrating NAC with existing network security defense products as well as with directories increases the value of NAC for enterprises.

Source: Frost & Sullivan analysis.

NE66-74 89 Enterprise NAC Unit Shipment and Revenue Forecast

Key Takeaway: Enterprise NAC revenues are growing faster than unit shipments because enterprises are expanding the number of policy-controlled endpoints. Total Enterprise NAC Market: Unit Shipment and Revenue Forecast, Global, 2010‒2018

Chart data (revenue in $ millions on the left axis, units on the right axis):

Year           2010   2011   2012   2013   2014   2015   2016   2017   2018
Revenue ($ M)  123.7  151.2  191.5  266.8  361.1  479.2  630.0  781.7  958.6
Units          1,194  1,389  1,662  2,197  2,808  3,545  4,560  5,531  6,621

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 90 Enterprise NAC Segment—Pricing Trends and Forecast

Key Takeaway: Competition from NAC vendors and competition from other security product providers in endpoint posture assessment will flatten pricing in enterprise NAC contracts.

Average Price for Enterprise NAC: Global, 2010–2018 (chart data; average price in $ on the left axis, growth rate in % on the right axis)

Year               2010     2011     2012     2013     2014     2015     2016     2017     2018
Average price ($)  103,593  108,871  115,236  121,441  128,583  135,175  138,158  141,328  144,784
Growth rate (%)    -        5.1      5.8      5.4      5.9      5.1      2.2      2.3      2.4

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 91 Pricing Trends and Forecast Discussion

• To qualify as an enterprise NAC deployment, 20,000 or more endpoints must be protected.
• In 2013, enterprise NAC products and licenses totaled $266.8 million globally. Enterprises purchased 2,197 NAC units.
• In 2018, Frost & Sullivan estimates enterprise NAC products/licenses will be worth $958.6 million globally. Enterprises will purchase 6,621 licenses.
• Growth opportunities exist in existing enterprise NAC deployments. Enterprises frequently experience organic growth driven by new employees and new devices entering their networks, so NAC vendors protect more endpoints simply by offering coverage for the existing infrastructure.
• Integration modules, endpoint visibility, posture assessment, and vulnerability assessment capabilities are ways for NAC vendors to increase the value of NAC licenses.
• Greenfield enterprise NAC opportunities exist in large enterprises, in EMEA as well as in APAC.
• In 2013, enterprise NAC deployments were worth $121,441 on average. The ASP for enterprise NAC deployments grew by 5.4% in 2013.
• When enterprises renew their NAC licenses, Frost & Sullivan estimates the renewal rates have been 10%–12% higher year over year.
• Starting in 2016, ASPs should begin to flatten. Greenfield deployments in EMEA and APAC will begin to change ASP growth, as SMB customers have smaller deployments and are more price sensitive.

Source: Frost & Sullivan

NE66-74 92 Enterprise NAC Competitive Analysis—Market Share

Key Takeaway: ForeScout is making the most gains with enterprises, Cisco remains steady, and Aruba Networks is leveraging NAC within its wireless install base.

Enterprise NAC Market Segment: Percent of Revenue, Global, 2013

Cisco: 37.9%
ForeScout: 24.3%
Juniper Networks: 12.3%
Aruba Networks: 10.2%
Bradford Networks: 4.2%
Others: 11.1%

**Others include Avaya Networks, Portnox, Auconet, macmon, and Extreme Networks, companies with $1M or more in 2013 sales. Please note that in 2014, Juniper Networks sold its NAC assets to what would become Pulse Secure. n = 11. Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 93 Enterprise NAC Competitive Environment

Enterprise NAC Segment: Competitive Structure, Global, 2013

Number of Companies in the Segment: 11

Competitive Factors: Endpoint visibility, granular policy settings, integration with other security tools, accuracy of the NAC (accurate alerting), inventory, and enhanced compliance

Key End-user Groups: IT directors, network and security architects, VP directors, and CISOs

Major Segment Participants: Financial services, government, manufacturing, healthcare (all types of businesses benefit from NAC)

Segment Share (Units) of Top 5 Competitors: 88.6% (Cisco, ForeScout, Juniper Networks, Aruba Networks, and Bradford Networks)

Total Market Share of Top 5 Competitors: 88.9% (Cisco, ForeScout, Juniper Networks, Aruba Networks, and Bradford Networks)

Other Notable Segment Participants: Avaya Networks, Portnox, Auconet, macmon, and Extreme Networks

Distribution Structure: Third-party distribution channel partners (VARs, distribution channel partners, system integrators), direct sales, and MSSPs

Notable Acquisitions and Mergers: Enterasys acquired by Extreme Networks. (Note: in 2014 Juniper Networks sold its Junos Pulse product line to private equity investors. The NAC product was rebranded as Pulse Secure.)

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 94 Enterprise Competitive Environment (continued)

• Currently, the largest NAC deployments are with multi-divisional and multinational companies headquartered in the United States.
• The NAC vendors that won enterprise NAC clients in 2013 had name recognition with large US companies.
• In terms of revenue in 2013, the top five NAC vendors (Cisco, ForeScout, Juniper Networks, Aruba Networks, and Bradford Networks) own 88.9% of the enterprise NAC market.
• Cisco has the largest market share; however, the largest deployments in terms of endpoints protected belong to ForeScout.
• Aruba Networks has a growing presence in enterprise accounts that need to offer wireless. Sports organizations, conventions, and amusement parks are places where Aruba Networks has prominence.
• While installations at educational institutions can reach 20,000 endpoints or more, those NAC deployments realistically have lower management and scale requirements.
• Bradford Networks has several colleges with more than 20,000 connected endpoints; however, this market has lower scale and management expectations. Bradford Networks does not have significant penetration in other market verticals.
• In the German NAC market, Auconet has large financial service NAC deployments with BASF Chemicals and DB Systel/Deutsche Bahn.

Source: Frost & Sullivan analysis.

NE66-74 95 SMB Segment Breakdown

NE66-74 96 Market Engineering Measurements

SMB Segment: Market Engineering Measurements, Region, 2013

Measurement Name: Measurement (Trend)
Segment Stage: Growth
Segment Revenue (2013): $133.0 M (▲)
Segment Forecast (2018): $499.3 M (▲)
Base Year Segment Growth Rate: 42.3% (▲)
Compound Annual Growth Rate (CAGR, 2013–2018): 29.1%
Price Sensitivity (scale of 1 to 10, Low to High): 7 (▲)
Number of Competitors (active market competitors in 2013): 14 (●)
Degree of Competition (scale of 1 to 10, Low to High): 9 (▲)
Degree of Technical Change (scale of 1 to 10, Low to High): 9 (▲)
Customer Loyalty (scale of 1 to 10, Low to High): 6 (▼)
Segment Concentration (% of base year market controlled by top three competitors): 63.6% (●)

Trend legend: ▼ Decreasing, ● Stable, ▲ Increasing
Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 97 Market Engineering Measurements (continued)

• The SMB market is defined as deployments of fewer than 20,000 endpoints.
• In 2013, the SMB NAC market totaled $133 million, and 3,738 products/licenses were sold.
• SMB NAC deployments are slightly different from enterprise NAC deployments.
• SMB network security teams are smaller than enterprise security teams, so ease of use is an important product differentiator.
• A key SMB vertical market is education (small and midsized colleges specifically). Self-registration of mobile and BYOD devices has added importance because of limited support staff.
• Often in smaller deployments, a single IT Director wears many hats. That person is responsible for the network, its security, and bringing users onboard.
• Device, OS, and application inventory is seen as high value among SMBs.
• The tools a single IT Director uses have to be multi-purpose. NAC platforms that provide endpoint visibility also help IT Directors support inventory and compliance reporting requirements.
• SMB businesses, as with the education market segment, exhibit greater price sensitivity.

Source: Frost & Sullivan analysis.

NE66-74 98 SMB NAC Unit Shipments and Revenue Forecast

Key Takeaway: SMB NAC unit shipments and revenues are growing slightly faster in 2010–2018 than enterprise NAC unit shipments and revenues. Total SMB NAC Market: Unit Shipment and Revenue Forecast, Global, 2010‒2018

Chart data (revenue in $ millions on the left axis, units on the right axis):

Year           2010   2011   2012   2013   2014   2015   2016   2017    2018
Revenue ($ M)  60.1   73.5   93.1   133.0  191.7  261.2  330.7  407.1   499.3
Units          1,940  2,335  2,797  3,738  5,142  6,726  8,399  10,122  12,111

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 99 SMB NAC Segment—Pricing Trends and Forecast

Key Takeaway: The addition of mobile and BYOD is increasing the value of NAC within SMB NAC contracts.

Average Price for SMB NAC: Global, 2010–2018 (chart data; average price in $ on the left axis, growth rate in % on the right axis)

Year               2010    2011    2012    2013    2014    2015    2016    2017    2018
Average price ($)  30,992  31,481  33,285  35,581  37,281  38,834  39,374  40,219  41,227
Growth rate (%)    -       1.6     5.7     6.9     4.8     4.2     1.4     2.1     2.5

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 100 Pricing Trends and Forecast Discussion

• By 2018, the SMB NAC market will reach $499.3 million in revenues, encompassing 12,111 licenses.
• For many of the same reasons that enterprise NAC deployments grew in value, the SMB market grows similarly. Endpoint posture assessment, and wireless and BYOD registrations, have improved the licensing opportunity for NAC vendors.
• ASPs start to flatten out in 2016 due to competition.

Source: Frost & Sullivan analysis.

NE66-74 101 SMB NAC Competitive Analysis—Market Share

Key Takeaway: Cisco is making a concerted effort to win market share with small and midsized businesses.

Percent of Revenue Total NAC SMB Segment: Global, 2013

Cisco: 43.1%
ForeScout: 10.4%
Aruba Networks: 10.1%
Juniper Networks: 6.3%
Bradford Networks: 5.3%
Others: 24.8%

Others: Avaya Networks, Impulse, Portnox, macmon, Auconet, Trustwave, Extreme Networks, InfoExpress, and StillSecure are companies with $1M or more in 2013 sales. Please note that in 2014 Juniper Networks sold its NAC assets to what would become Pulse Secure.

n = 14. Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 102 SMB NAC Competitive Environment

SMB NAC Segment: Competitive Structure, Global, 2013

Number of Companies in the Segment: 14 with greater than $1 million in revenues in 2013

Competitive Factors: Full endpoint visibility, ease of use, self-registration of mobile and BYOD devices, pricing, integration with other security tools, enhanced compliance

Key End-user Groups: IT directors, systems architects, and central administration

Major Segment Participants: Education, small banks, retailers, mid-sized manufacturers, healthcare (all types of businesses benefit from NAC)

Segment Share (Units) of Top 5 Competitors: 73.8% (Cisco, ForeScout, Juniper Networks, Aruba Networks, and Bradford Networks)

Total Market Share of Top 5 Competitors: 75.2% (Cisco, ForeScout, Juniper Networks, Aruba Networks, and Bradford Networks)

Other Notable Segment Participants: Avaya Networks, Impulse, Portnox, macmon, Auconet, Trustwave, Extreme Networks, InfoExpress, and StillSecure

Distribution Structure: Third-party distribution channel partners (VARs, distribution channel partners, system integrators) and direct sales

Notable Acquisitions and Mergers: Enterasys acquired by Extreme Networks. (Note: in 2014 Juniper Networks sold its Junos Pulse product line to private equity investors. The NAC product was rebranded as Pulse Secure.)

Note: All figures are rounded. The base year is 2013. Source: Frost & Sullivan

NE66-74 103 SMB NAC Competitive Environment (continued)

• In terms of revenues, the top five SMB NAC vendors (Cisco, ForeScout, Juniper Networks, Aruba Networks, and Bradford Networks) own 75.2% of the global revenue.
• Cisco, Juniper Networks, and Aruba Networks are 802.1X service providers. In SMB, dedicated hardware purchases can be paired with an 802.1X SMB NAC provider.
• ForeScout is noted for its ease of administration, ease of deployment, and out-of-the-box functionality.
• System integrators have more influence in the SMB segment than in enterprise NAC. Instead of an IT Director building the network piecemeal, a system integrator can assume everything from project management to product deployment, delivering a turnkey solution to the IT Director.
• SMBs typically use NAC-like and NAC-lite products in lieu of full-blown NAC solutions to fill a network security void.
• One example is the iNetSec Smart Finder made by PFU Limited, a Fujitsu company. This product is not quite a full-fledged NAC, but is NAC-lite. The platform offers limited endpoint visibility and access control, application visualization, and behavioral IPS.
• Windows Server 2003 and 2008 environments offer support for Network Policy and Access Services (NPAS). If not exactly a NAC, companies using these Windows servers do have limited policy controls and settings.

Source: Frost & Sullivan

NE66-74 104 The Last Word

NE66-74 105 Predictions

1. The biggest NAC vendors, Cisco, ForeScout, Aruba Networks, and (now) Pulse Secure, should continue to gain enterprise and SMB market share.

2. Bidirectional integration with other network and security platforms will continue to differentiate NAC vendors, increase licensing, and be valued by customers.

3. Integration partners may begin to offer a degree of enhanced endpoint posture assessment and remediation capabilities in the future.

Source: Frost & Sullivan

NE66-74 106 Recommendations

1. To account for IT consumerization, cloud, and virtualization, NAC vendors would be advised to enhance device on-boarding, self-registration, and MDM integration.

2. API matters: vendors will want to enhance connectivity to share data with external systems (including ticketing systems), and to enable other platforms to access NAC defenses.

3. NAC vendors should continue to develop integrations and partnerships with security platform providers, virtual environments, and cloud applications.

Source: Frost & Sullivan

NE66-74 107 Legal Disclaimer

Frost & Sullivan takes no responsibility for any incorrect information supplied to us by manufacturers or users. Quantitative market information is based primarily on interviews and therefore is subject to fluctuation. Frost & Sullivan research services are limited publications containing valuable market information provided to a select group of customers. Our customers acknowledge, when ordering or downloading, that Frost & Sullivan research services are for customers’ internal use and not for general publication or disclosure to third parties. No part of this research service may be given, lent, resold or disclosed to noncustomers without written permission. Furthermore, no part may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the permission of the publisher. For information regarding permission, write to: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041

Source: Frost & Sullivan

NE66-74 108 Vendor Profiles

NE66-74 109 Vendor Profile—Aruba Networks

Overview
• Founded in 2002, Aruba Networks is headquartered in Sunnyvale, CA.
• The company was venture backed by Sequoia Capital and Matrix Partners, although the company became publicly traded in March 2007.
• Aruba Networks has product offerings in wireless LAN, wired access, remote networking, outdoor mesh networks, access security, Meridian mobile apps, and Cloud Wi-Fi. Aruba Networks is best known for its hardware―access points (IEEE 802.11n and IEEE 802.11ac), OSI Layer 3 application layer mesh routers, and mobility switches. Aruba Networks can offer a single-vendor wired/wireless platform including endpoint health analysis and management software.
• AirWave Network Management is a network installation management platform. IT teams can design networks from the ground up accounting for capacity, establish the network topology, build in troubleshooting, and anticipate application issues.
• In late 2011, Aruba Networks acquired Avenda Systems. The acquisition provided the ClearPass Access Management System (NAC platform).
Product Line
ClearPass Access Management System (NAC Platform)
• The ClearPass NAC offering is a policy-based 802.1X protocol platform.
• The policy management system is role-based. This means a user and device role can be assigned to each device entering the network and used for granular policy enforcement.

Source: Frost & Sullivan

NE66-74 110 Vendor Profile—Aruba Networks (continued)

Introduction of Key Features of ClearPass Access Management System
o ClearPass Policy Management
1. ClearPass Policy Management is the central management and intelligence console.
2. A ClearPass cluster can manage as many as one million endpoints from one console.
3. ClearPass Policy Management supports enterprise-grade AAA, including RADIUS/TACACS+, 802.1X, and non-802.1X services in heterogeneous networks.
4. Wired devices, wireless, guest access, BYOD, and VPN are monitored on one console.
5. The ClearPass Policy Manager has customizable discovery and management options for consumer devices.
6. Supports multiple network-based policy enforcement methods including Aruba roles, VLANs, and access control lists (ACLs) for RADIUS. As part of network-based policy, prioritization using application-aware quality of service (QoS) controls bandwidth.
7. The Policy Manager can support multiple identity directories including Microsoft Active Directory, LDAP-compliant directories, ODBC-compliant SQL databases, token servers, and internal databases.
8. Profiling and endpoint posture assessment are provided back to ClearPass and become part of the algorithm that determines policy.
9. ClearPass uses a wide array of APIs and languages, including SQL, syslog, XML, SOAP, SAML, OAuth2, and HTTP APIs, to facilitate third-party integrations.

Source: Frost & Sullivan

NE66-74 111 Vendor Profile—Aruba Networks (continued)

Introduction of Key Features of ClearPass Access Management System
o ClearPass Onboard
1. Devices can be onboarded onto the network through a secure automated workflow, which is the most common convention.
2. If a device is classified as unknown:
a) The platform redirects the device through a self-configuration process.
b) End users are asked to log in, the device is provisioned, and a unique certificate is pushed to the device.
c) The administration team can build in protections at the certificate issuance stage. For instance, the certificate can be given an expiration date.
3. Once a certificate has been pushed to a device/endpoint, the ClearPass management platform can begin to use the certificate for authentication and enforcement privileges.
4. At this point, the device is being actively profiled. Based upon device and posture assessment attributes, ClearPass determines what type of device is at the endpoint. If the device is a desktop PC, ClearPass can assign the same policies and user roles used by other PCs for network enforcement.
5. Perpetual, subscription, and enterprise licenses can be purchased in 1-, 3-, or 5-year increments for 100, 500, 1,000, 2,500, 5,000, 10,000, 25,000, 50,000, and 100,000 endpoints.

Source: Frost & Sullivan

NE66-74 112 Vendor Profile—Aruba Networks (continued)

Introduction of Key Features of ClearPass Access Management System (continued)
o ClearPass OnGuard
1. ClearPass OnGuard is the technology used to check endpoint posture for computers. Endpoint posture is a factor used by the policy engine to determine access to different parts of the network. Additionally, alerts triggered by posture assessments can then be used to mitigate vulnerabilities in the network.
2. Endpoint posture assessment is also critical in maintaining visibility throughout the network. Application software versions, antivirus, patches, and OS upgrades are the kinds of software that are constantly monitored.
3. IT teams or third-party vendors may follow proper procedures in pushing out new software to endpoints. However, due to misconfiguration, poor endpoint posture compliance, or access denied through policy, the endpoint may not meet compliance requirements. Without continuous endpoint posture assessment, an enterprise simply does not know which applications or services are being used or not.
4. OnGuard supports endpoint visibility for Microsoft /8 and Vista, Apple Mac OS X 10.7 and later versions, as well as Linux for Red Hat Enterprise Linux 4 and above. (Note: Microsoft NAP is supported with a Microsoft NAP agent.)
5. The device must accept either a dissolvable or persistent agent. To facilitate auto-remediation, a device must have a persistent agent installed.
6. Perpetual, subscription, and enterprise licenses can be purchased in 1-, 3-, or 5-year increments for 100, 500, 1,000, 2,500, 5,000, 10,000, 25,000, 50,000, and 100,000 endpoints.

Source: Frost & Sullivan
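The Onboard and OnGuard sections above describe a sequence of decisions a NAC policy engine makes: an unknown device is redirected into onboarding, a device certificate with an expiration date becomes the authentication factor, the profiled device type selects the role and its policy, and posture findings move a non-compliant endpoint into quarantine, with automatic remediation only possible when a persistent agent is present. The following Python block is an added, constructed illustration of that decision flow, not ClearPass code or Aruba's API; the role names, posture attributes, policy table, sample MAC addresses, and evaluation date are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed illustration (not Aruba's or ClearPass's code) of the policy
# decision a NAC engine makes after onboarding and posture assessment:
# unknown device -> onboarding, expired certificate -> deny, unprofiled ->
# restricted role, failed posture -> quarantine, otherwise allow by role.
# Role names, posture attributes and sample endpoints are assumptions.


@dataclass
class Endpoint:
    mac: str
    device_type: Optional[str]      # profiled type, or None if not yet profiled
    cert_expires: Optional[date]    # None: no device certificate issued yet
    agent: Optional[str]            # "persistent", "dissolvable" or None
    av_current: bool = False
    patches_current: bool = False
    disk_encrypted: bool = False


@dataclass
class Decision:
    action: str                     # "onboard", "deny", "quarantine" or "allow"
    role: Optional[str] = None
    remediation: str = ""
    failed_checks: List[str] = field(default_factory=list)


# Posture checks each profiled device type must pass (hypothetical policy).
ROLE_POLICY = {
    "desktop": {"av_current", "patches_current", "disk_encrypted"},
    "smartphone": {"av_current"},
}


def assess_posture(ep: Endpoint, required: Set[str]) -> List[str]:
    """Return the required posture checks that this endpoint fails."""
    return sorted(check for check in required if not getattr(ep, check))


def decide(ep: Endpoint, today: date) -> Decision:
    """Map one endpoint's authentication and posture state to an access decision."""
    # 1. No certificate: unknown device, redirect into the self-service onboarding flow.
    if ep.cert_expires is None:
        return Decision("onboard", remediation="redirect to onboarding portal")
    # 2. Certificate past its expiration date: authentication fails, no access.
    if ep.cert_expires < today:
        return Decision("deny", remediation="certificate expired; re-enroll device")
    # 3. Authenticated but not yet profiled: hold in a restricted role until profiled.
    if ep.device_type not in ROLE_POLICY:
        return Decision("quarantine", role="unprofiled", remediation="profile device")
    # 4. Posture assessment against the role's requirements.
    failed = assess_posture(ep, ROLE_POLICY[ep.device_type])
    if failed:
        # Auto-remediation is only possible with a persistent agent on the endpoint.
        fix = "auto-remediate" if ep.agent == "persistent" else "notify user (no persistent agent)"
        return Decision("quarantine", role="remediation", remediation=fix, failed_checks=failed)
    return Decision("allow", role=ep.device_type)


def summarize(endpoints: List[Endpoint], today: date) -> dict:
    """Count decisions by action, as a dashboard or compliance report would."""
    counts: dict = {}
    for ep in endpoints:
        action = decide(ep, today).action
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample inventory, evaluated on a fixed date so results are stable.
TODAY = date(2014, 12, 1)
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", None, None, None),                                                          # never onboarded
    Endpoint("00:11:22:33:44:02", "desktop", TODAY - timedelta(days=1), "persistent", True, True, True),      # cert expired
    Endpoint("00:11:22:33:44:03", None, TODAY + timedelta(days=365), "persistent"),                           # not yet profiled
    Endpoint("00:11:22:33:44:04", "desktop", TODAY + timedelta(days=365), "persistent", True, False, True),   # patches stale
    Endpoint("00:11:22:33:44:05", "desktop", TODAY + timedelta(days=365), "dissolvable", True, True, False),  # disk not encrypted
    Endpoint("00:11:22:33:44:06", "smartphone", TODAY + timedelta(days=30), None, av_current=True),           # compliant
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        d = decide(ep, TODAY)
        print(f"{ep.mac}: {d.action:<10} role={d.role} {d.remediation} {d.failed_checks}")
    print(summarize(SAMPLE_ENDPOINTS, TODAY))
```

The ordering of the checks is the security-relevant part: certificate validity is evaluated before any posture data is trusted, because posture attributes reported by an unauthenticated device are unverified, and a device that fails posture is placed in a remediation role rather than silently allowed, with the remediation path depending on whether a persistent agent can act on the endpoint.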

NE66-74 113 Vendor Profile—Aruba Networks (continued)

Introduction of Key Features of ClearPass Access Management System (continued)
o ClearPass OnGuard (continued)
o The table below shows the operating systems and the endpoint visibility/posture assessments available for endpoints.

Posture assessment categories: Installed Applications, AntiVirus, AntiSpyware, Firewall, Disk Encryption, Network Connections, Processes, Patch Management, Peer-to-Peer, Services, Virtual Machines, Windows Hotfixes, USB Devices

Operating System: categories supported
Windows: all 13 categories
Mac OS X: 12 of the 13 categories
Linux: 2 of the 13 categories

Source: Aruba Networks ClearPass OnGuard Datasheet

Source: Frost & Sullivan

NE66-74 114 Vendor Profile—Aruba Networks (continued)

Introduction of Key Features of ClearPass Access Management System (continued)
o ClearPass Guest
1. ClearPass Guest is Policy Management software used for guest registration. ClearPass Guest also authenticates and authorizes guests and adds policy enforcement.
2. Registration processes supported include self-registration and automated credential distribution using SMS text, email, or printed credentials.
3. The guest registration process can include traffic encryption over public networks using Aruba's EAP-PEAP-Public.
4. ClearPass Guest allows for several ways to display advertising, branding, or promotions to the guest at the time of guest registration.
5. The ClearPass Guest app can be used to set conditional access criteria. An administrator can set a limit on the number of unique visitors or bandwidth used. Expiration dates can be pre-set based on a guest's needs, from hours to multiple days.
6. ClearPass Guest also supports social media log-ins. The advantage is that a business can gather demographic information from the people accessing its networks.
7. MAC caching can be leveraged so that guests do not have to re-register when devices shut off or move within various parts of a network.
8. Perpetual, subscription, and enterprise licenses can be purchased in 1-, 3-, or 5-year increments for 100, 500, 1,000, 2,500, 5,000, 10,000, 25,000, 50,000, and 100,000 endpoints.

Source: Frost & Sullivan

NE66-74 115 Vendor Profile—Aruba Networks (continued)

Introduction of Key Features of ClearPass Access Management System (continued)
o ClearPass QuickConnect
1. QuickConnect is a soft-touch app for users configuring BYOD endpoints for 802.1X networks. QuickConnect does not provision certificates.
2. QuickConnect administration is cloud-hosted. Users can configure devices remotely and when onsite.
3. Over the last few years, almost all mobile phones and tablets have gained an on-device supplicant and support for stronger security methods. Supported operating systems and supplicants include Microsoft Windows 7/8 and Vista, Mac OS X, iOS for iPhone, iPad, and iPod, and Android version 2.2 and above.
4. The platform is centrally administered, and all changes pertaining to a user or device are logged.
5. QuickConnect can also enable endpoint posture and health-check settings.
6. A user can configure as many devices as needed.

Source: Frost & Sullivan

NE66-74 116 Vendor Profile—Aruba Networks (continued)

Introduction of Key Features of ClearPass Access Management System (continued)
o ClearPass Exchange
1. ClearPass Exchange provides the central decision point for sharing contextual information with a wide range of third-party IT systems, giving customers the benefit of a coordinated access-layer defense. ClearPass uses this context when defining access policies on any multivendor network. After the access decision is made, the rich session context constructed by ClearPass need not be thrown away; it can be shared with other systems to help protect the network.
2. One virtue of using ClearPass Exchange is integrating access management and network intelligence with web services such as Twilio and ServiceNow. This type of integration leads to a network with more automated processes that keep users and administration staff informed.
3. ClearPass Exchange uses a wide array of APIs and languages, including SQL, syslog, XML, SOAP, SAML, OAuth2, and HTTP APIs, to facilitate third-party integrations.
4. ClearPass Exchange enables unidirectional and bidirectional communications with other security platforms, depending on system type. Contextual information such as user ID, device status, location, and authentication state can be shared and used within policies.
5. MDM systems provide containerization, but when MDM is integrated with ClearPass Exchange, it is the access management system that enforces network policy.

Source: Frost & Sullivan

NE66-74 117 Vendor Profile—Aruba Networks (continued)

Architectural Advantages
• ClearPass is highly scalable. Three appliance sizes are sold, for 500, 5,000, and 25,000 MAC-authenticated addresses.
• Each appliance is sold as either hardware or as a virtual machine. The number of endpoints determines the number of appliances a business will want to purchase, although Aruba Networks advises one extra appliance to provide redundancy.
• Each appliance is an all-in-one box. The Policy Manager, Onboard, OnGuard, and Guest are all on the same appliance.
• All of the third-party integrations are available on the same appliance in the platform. For instance, for an integration with an MDM, a drop-down menu gives the option to integrate with MobileIron, AirWatch, or IBM/MaaS360.
• The same is true for integrations with SIEM, next-generation firewalls, and vulnerability platforms. These integrations are not sold separately as individual modules and come natively with the platform.
• ClearPass can use MAC caching during the authentication process. For instance, if a guest registers, the policy engine will know the MAC address and can set expirations for network access. This prevents end users from having to log in multiple times on smartphones and tablets during a stay.
• Many NAC service providers count each way a device accesses a network as an "authentication." If a laptop is connected to an Ethernet port, uses a Wi-Fi network, or enters a different part of a WAN, each incident is treated as an authentication event and metered against a license.

Source: Frost & Sullivan

NE66-74 118 Vendor Profile—Aruba Networks (continued)

Architectural Advantages (continued)
• Aruba Networks counts each MAC address once in its licensing paradigm.
• With smartphones, MDM vendors can do both device management and endpoint posture assessment. Using an Adaptive Trust model, Aruba Networks can use this contextual data to determine access. Furthermore, the contextual data can be leveraged to create more granular policy.
• Policy management is ubiquitous across wired, wireless, and VPN for IT-managed and BYOD devices.
• ClearPass supports all of the RADIUS dictionaries from 802.1X switch providers (Juniper, Brocade, Cisco, etc.).
• Using ClearPass Exchange and EMM integration, ClearPass recognizes jailbroken devices. If a jailbroken device is recognized on a network, the policy can allow, deny, or quarantine access.
• The vast majority of Aruba Networks customers are committed to the 802.1X platform. While most customers want wireless deployments to use 802.1X for security reasons, ClearPass supports SNMP- and SSH-based enforcement as well.
• Aruba Networks believes 802.1X is the customer's most secure option, but provides integration that allows for both 802.1X and non-802.1X use cases. For legacy switched environments where customers want to do health checks and hold off on 802.1X, OnGuard with SNMP enforcement is an option.
• In wireless deployments, most or all customers use 802.1X for security reasons.

Source: Frost & Sullivan

NE66-74 119 Vendor Profile—Aruba Networks (continued)

Key Partnerships and Product Integrations
• Other MDM integrations include MobileIron, AirWatch, Citrix, JAMF, MaaS360, SAP Afaria, and SOTI.
• ClearPass integrates with a large number of security platforms for enhanced security posture and IT workflow.
• ClearPass Exchange makes it possible to integrate security platforms, directories, workflows, and business applications with ClearPass. This capability is included in the base appliance. Unlike competing products, no additional licensing or hardware is required.
• One forward-thinking ClearPass integration is with Micros Opera, which is a property management solution. By using the room number and guest identifier in Micros Opera, ClearPass can make sure customers have at check in.
• Aruba Networks' outbound HTTP-based RESTful APIs allow ClearPass Exchange to interact with any API-enabled web-based service.
• This approach gives ClearPass tremendous extensibility to countless other IT systems.


NE66-74 120

Vendor Profile—Aruba Networks (continued)

List of Aruba Networks Technology Integration Partnerships

Technology Integration Partners
MDM: IBM MaaS360, MobileIron, Citrix XenMobile, JAMF, SOTI, SAP Afaria, AirWatch
SIEM: Splunk, HP ArcSight, IBM QRadar, AccelOps, RSA enVision, Immediate Insight
Firewall: Palo Alto Networks, Fortinet, Juniper, Check Point, Blue Coat, Zscaler
Advanced Threat: Palo Alto Networks, F5 Networks, FireEye
Vulnerability Assessment: Webroot, OPSWAT
Other (Single Sign-on, SSO): Ping, Okta, OneLogin, F5, Juniper SA, Microsoft
Other (OAuth2): Facebook, Twitter, LinkedIn, Office 365, Google Apps
Other (Notification): ServiceNow, Twilio, PagerDuty, Clickatell, BulkSMS, Orange, BT
Other (Public Access): PayPal, Authorize.net, Micros (Oracle), Agilysys, Silverbyte, Protel
Network Access Layer: Cisco, Juniper, HP, Brocade, Dell, Arista, Aruba, and over 100 other vendor RADIUS dictionary types

Source: Aruba Networks for Frost & Sullivan, November 2014.


NE66-74 121

Vendor Profile—Aruba Networks (continued)

Company Strengths
o Aruba Networks can offer a comprehensive solution in terms of network hardware and software, NAC, and licensing, for small companies through enterprises.
o The ClearPass NAC platform is highly scalable. Customers working with Aruba Networks can align equipment and licensing with very little overhead.
o Each appliance is an all-in-one box. The Policy Manager, Onboard, OnGuard, and Guest are all on the same appliance.
o The platform reconciles user ID by either first match or best match.
o Aruba Networks has had many high-visibility installations, including the 2014 Black Hat network security conference.
Competitor Opportunities
o While the licensing plans are very granular, Aruba Networks does not offer a NAC SaaS or a cloud-based product (note that guest registration can be initiated through the cloud).
o Aruba Networks is a relatively new player in NAC. Competing companies have legacy deployments to build from.


NE66-74 122

Vendor Profile—Aruba Networks (continued)

Revenue Breakout
• Aruba Networks is a publicly traded company. The company reported revenues of $728.9 million. This was more than FY 2013, which saw revenues of $600.0 million, a 21% year-over-year increase.
• Aruba Networks, however, does not break out revenues by product line or even by hardware versus software. (Professional services are presented separately.)
• For our models, Frost & Sullivan is assuming better than 40% growth for the NAC product, and that software is less than 10% of overall revenues.


NE66-74 123

Vendor Profile—Auconet, Inc.

Overview
• Auconet was founded in 1998 as an IT system integrator for enterprise networks.
• Currently, Auconet is headquartered in San Francisco, CA, with additional EU sales, support, and research and development offices in Berlin, Germany.
• In 2006, with the development and launch of the Business Infrastructure Control Solution (BICS) platform, Auconet started to transform its business model to become an Independent Software Vendor, and has been a pure software vendor since 2009.
• With the acquisition of Asdis in June 2014, Auconet expanded its software offering and enhanced its multi-vendor endpoint management capability via diversified agent technology.

Product Line and Pricing
• Auconet BICS is designed to deliver enterprise-grade business infrastructure control.
• BICS includes a NAC solution that continuously discovers, secures, manages, and centrally controls every network device, port, and endpoint in complex, heterogeneous IT infrastructures, each of which may have hundreds of thousands of endpoints.


NE66-74 124

Vendor Profile—Auconet, Inc. (continued)

Product Line and Pricing (continued)
• BICS with NAC Automation Manager for Layer-2 Port Security, IEEE 802.1X, and NAC Management and Deployment is designed for the enterprise market (more than 100,000 endpoints).
• All components are available as an on-premises solution based on physical appliances; in a virtual form factor as virtual appliances; and as SaaS/Cloud in a multi-tenant solution.
• The BICS platform is explicitly designed for deployment in large, complex, and heterogeneous IT infrastructures.
• The Auconet platform consists of three major product areas, all sold as one product: Visibility, Security (NAC included), and Process Optimization.
• BICS pricing, in general, is project specific, as Auconet solutions are tailored to the customer’s needs. In most cases, prices range from $10 (MAC, Layer 2) up to $20 (802.1X) per port. The starting price for an appliance and base system is $30,000.
• Additional note: the pricing paradigm includes the entire BICS ITOM platform and not just the NAC Automation Manager.

Key Features of BICS
• Auconet claims fast deployment times, with an emphasis on a three-step implementation process: install, discover 100% of endpoints, and consolidate/correlate all the elements of the network infrastructure into a configuration management database (CMDB). The complete BICS platform provides security, control, and central management that encompasses everything from complete network visibility to granular endpoint management.

NE66-74 125

Vendor Profile—Auconet, Inc. (continued)

Key Features of BICS (continued)
• Key to BICS is that the solution can be installed in a cloud environment and is multi-tenant.
• Discovery is an important part of BICS. BICS discovers 100% of the endpoints, and 100% of the switches, ports, and routers on the network as well.
• BICS can be deployed regardless of the network, router, or switch environment. This means there are no new hardware purchases required. Legacy servers and switches can be used.
• BICS is flexible in that IT can build its own applications and workflows to integrate into the platform. Processes can be customized, and many processes can be automated.
• Bandwidth settings can be varied at the port level. For instance, central IT could change a setting from giving a device full bandwidth access at a 10 Mbps port to allocating 50% of the bandwidth to each device at a 100 Mbps port.
• In a deployment with the world’s largest chemical company, BASF, Auconet discovered 80,000 ports on the first day of installation.
• The DB Systel/Deutsche Bahn installation required just eight appliances to manage and monitor 240,000 endpoints.


NE66-74 126

Vendor Profile—Auconet, Inc. (continued)

Key Features of BICS (continued)
o Shown below is a graphical representation of an installation project scenario.

o BICS is a persistent, real-time database of multi-vendor network devices and connected assets. The platform is vendor-independent and provides persistent monitoring, management, and security of all network ports, devices, and endpoints from one central graphical user interface.
o The infrastructure-based network access control is unique in that it offers management of MAC-based Layer-2 access control, 802.1X, or a combination of both, and makes deployment quick and easy compared to competitors (days, not weeks, months, or years).
o A single, multi-tenant architecture with enterprise-grade scalability. Auconet is managing up to 500,000 endpoints for certain clients.


NE66-74 127

Vendor Profile—Auconet, Inc. (continued)

Revenue Breakout
• Auconet has key clientele in every vertical market; however, Auconet products resonate the most in the financial and transportation sectors. More than half of Auconet sales are to banks and lending institutions.
• Almost two-thirds of Auconet revenues come from EMEA.
• More than 90% of Auconet deployments are for more than 10,000 endpoints, and 75% are for more than 100,000 endpoints.
• Key customer deployments include BASF, the world’s largest chemical company; Deutsche Bahn, the world’s second largest transportation and logistics company; ING Group; Krones; Berliner Wasserbetriebe; and UBS AG.

Key Partnerships and Product Integrations
• Siemens: worldwide OEM partner for railway automation systems
• Asdis: systems integrator (SI) partner in ATM management solutions (acquired by Auconet in June 2014)
• Finanz Informatik: German SI partner for all German savings banks (430 total banks, 250 currently using Auconet BICS, the rest being onboarded over time)
• In 2014, Auconet gained its first US reseller partner.


NE66-74 128

Vendor Profile—Auconet, Inc. (continued)

Security Efficacy
• BICS NAC includes Automation Manager for Layer-2 Port Security, IEEE 802.1X, and NAC management and deployment.
• BICS offers both agentless and agent-based endpoint management, based on the type of device and company requirements.
• Auconet supports all standardized 802.1X supplicants. Customers can use native OS supplicants. There is no need to buy, install, and support any additional software.
• No matter what the endpoint is, BICS agents are able to configure the supplicants in the same way, all from one common graphical user interface.
• Dramatically simplified MAC address handling: a main benefit, and time saver for customers, is that BICS automatically detects, manages, and keeps MAC addresses up-to-date in real time, avoiding the huge effort of managing them manually and reducing the TCO by over 50%.
• NAC policy creation is intuitive and provides a central view of all NAC-controlled devices from one intuitive graphical user interface.


NE66-74 129

Vendor Profile—Auconet, Inc. (continued)

New Since January 2013
o Culturally, Auconet made a serious commitment to the US market. Auconet relocated its global headquarters to the US, and the CEO, Frank Winter, now resides in the US.
o Auconet hired a US executive team (CTO, CMO, Sales, Marketing). Al Sisto, formerly CEO of RSA, was added to the advisory board.
o Expanded its sales and marketing team in the US.
o Auconet established its first Latin America business and channel development partner.
o In the US market, Auconet differentiates by offering a multi-tenant/SaaS solution.
o Auconet acquired Asdis Solutions for systems management, including ATM management, software distribution, and agent-based device management.
o Auconet is dynamically improving BICS, based on customer and market demand, through internal R&D and new third-party integrations.

Company Strengths
o Proven success with enterprise clients in EMEA with massive deployments.
o Provides a unique technology approach to business infrastructure control with the BICS platform, designed in partnership with its customers from the ground up to support the real-world needs of vast enterprises for today’s and tomorrow’s IoT and BYOD challenges.


NE66-74 130

Vendor Profile—Auconet, Inc. (continued)

Company Strengths (continued)
• The Auconet BICS platform is a comprehensive infrastructure management solution providing complete monitoring, management, and control of the network from one central point for devices from all vendors.
• Auconet BICS supports hundreds of thousands of endpoints by utilizing either a single or a master/slave implementation, which can also run in an on-premises and/or cloud-based high-availability environment.
• BICS provides easy integration with any type of vendor-specific management solution and with point products (e.g. MDM, WLAN, firewall, etc.).
• Key focus on network management and vendor independence.

Competitor Opportunities
• Proven NAC vendors permeate the US business landscape.
• Not only is Auconet new to US companies, the BICS platform is unfamiliar to MSSPs, other security service platforms, distribution partners, and VARs.


NE66-74 131

Vendor Profile—Avaya Networks

Overview
• Avaya originated as a spinoff of Lucent Technologies in 2000. In October 2007, Avaya was acquired by TPG Capital and Silver Lake Partners and became privately held.
• In December 2009, Avaya acquired Nortel’s Enterprise Solutions business, which included a networking portfolio of wired, wireless, and security products. Identity Engines (Avaya’s Network Access Control (NAC) solution) was part of this acquisition.
• Avaya has built a strong reputation as a Unified Communications and video network infrastructure supplier. That reputation has been enhanced with the purchases of Nortel Enterprise Solutions, Radvision, Conversive, and Aurix.


NE66-74 132

Vendor Profile—Avaya Networks (continued)

Product Line
Avaya Networking Unified Access Solution
The Unified Access solution consists of:
• Avaya Identity Engines: a Network Access Control solution offering consistent policy enforcement, security, guest management, and network management over a unified wired and wireless network.
• Avaya Networking portfolio products, which include:
o Wired Portfolio: a range of Ethernet Routing Switch (ERS) stackable and Virtual Services Platform (VSP) fixed-form-factor and modular switches
o Wireless Portfolio: Avaya’s next-generation WLAN 9100 solution, released in June 2014
o Avaya Fabric Connect: Avaya’s innovative, standards-based technology that extends from the data center core to the campus edge
Identity Engines Portfolio
• Identity Engines is Avaya’s unified Identity and Network, Guest, and BYOD Access Control solution.
• Identity Engines can be purchased as a standalone solution (it is vendor agnostic) or as a part of Avaya’s holistic Unified Access solution. Avaya Identity Engines is a mature product; Identity Engines v9.0 was released in March/April 2014.
• Identity Engines was an InterOp Best of Show Finalist in the Security category twice, in 2012 and 2014.


NE66-74 133

Vendor Profile—Avaya Networks (continued)

Product Line (continued)
• The Avaya Identity Engines solution is an application suite consisting of:
o Ignition Server: a centralized advanced policy engine, which connects to corporate directories and MDM servers for identity data and to network systems for access enforcement. It is a virtual appliance and can be deployed as either a single server or a High Availability pair of servers. The Ignition Server authenticates and authorizes users and devices based on 802.1X and MAC authentication. Note that the customer supplies the physical server and VMware ESXi.
o Ignition Guest Manager: a Web-based administrative application for centrally managing the network privileges of temporary users such as contractors, visitors, and guests. It is designed so that non-technical personnel can manage secure guest access to the network.
o Ignition Posture: checks the health of endpoints and compliance based on MS-NAP.
o Ignition Access Portal: a Web-based virtual appliance where device profiling takes place. The Access Portal is where non-802.1X devices are onboarded.
o Ignition CASE Wizard: automates configurations for 802.1X and MS-NAP on Windows PCs.
o Ignition Analytics: does reporting and statistics creation in addition to the built-in reporting in the Ignition Server.


NE66-74 134

Vendor Profile—Avaya Networks (continued)

Identity Engines Portfolio (continued)

Notes About Installation and Deployment
1. Ignition Server is the only required component of Identity Engines for policies, analytics, and identity management.
2. If Ignition Posture is desired, then the deployment may require the downloading of a dissolvable agent onto client devices such as laptops. The agent is needed one time to establish identity on a machine but does not reside on the PC or endpoint.
3. Ignition Access Portal does the device fingerprinting.
4. Identity Engines is scalable to roughly 100,000 endpoints and 100,000 users. Logs from remote locations can be interconnected.


NE66-74 135

Vendor Profile—Avaya Networks (continued)

Major Platform Objectives
• Support wired and wireless in the same solution, and support all major directory services (Microsoft Active Directory, RSA, OpenLDAP, Novell eDirectory, etc.).
• Provide an integrated network for public, private, or hybrid cloud environments.
• Create a common service platform for campuses, local admin, and data centers.
• Allow policy-enabled access with policies either enforced at one console or pre-set.
• Set up a compliance engine for self-regulatory compliance, as well as industry standard compliance.
• Handle BYOD efficiently. For example, device fingerprinting and device onboarding can be handled without 802.1X.

Authenticated and Application Network Architecture
• The Unified Identity Provider (UIP) is located in the Ignition Server. The UIP navigates the identity routing and realm mapping. Additionally, the UIP informs the Ignition Dashboard and facilitates the access policy configuration and administration.
• Open standards such as Security Assertion Markup Language (SAML) are used for application Single Sign-on.


NE66-74 136

Vendor Profile—Avaya Networks (continued)

Authenticated and Application Network Architecture (continued)
• The NAC architecture is bidirectional in that access to the network can be granted through different sign-on methods and activities, but access to the network also creates a single identity that is recognized throughout the network.
• If a customer has developed an in-house web-based application, the Identity Engines Service Provider agent can be embedded on the Web server to join with the authentication engine for Single Sign-On.

Fabric Connect core and Fabric Attach edge
• Avaya Fabric Connect core is a networking architecture based on Shortest Path Bridging (SPB). The Fabric Attach architecture extends Fabric Connect to the wiring closets and endpoints.
• Fabric Attach (FA) Signaling is the protocol that leverages standard networking protocols to communicate messages and data between the FA elements in order to orchestrate network automation at the edge.
• Identity Engines leverages Avaya Fabric Attach technology to automate edge attachment.
• The automated FA process is called “Zero Touch Edge”. The architecture is elegant: the FA switch provisions the virtual service for a client, and if the client disconnects, the path itself is removed.
• Fabric Attach has been submitted to standards bodies as Auto Attach in an effort to establish an open interconnect standard.


NE66-74 137

Vendor Profile—Avaya Networks (continued)

Identity Engines Licensing
• Licensing models include packages for as few as 5 or 20 authenticators, or an unrestricted number of authenticators.
• Uniquely, the licensing model is not based on a per-user or per-endpoint model, nor is it subscription based.
• A company can build its capabilities a little at a time. Types of licenses that can be acquired include the Access Portal, the Guest Manager feature, Posture assessment, Analytics (although this is commonly bundled with the large Ignition Server), Single Sign-on, and Terminal Access Controller Access-Control System Plus (TACACS+), which is an open standard for AAA.
Additional Features and Benefits
• Avaya Networking has had some high-profile deployments. Avaya was the official network service provider for the 2010 Winter Olympics in Vancouver and for the 2014 Winter Olympics in Sochi.


NE66-74 138

Vendor Profile—Avaya Networks (continued)

Additional Features and Benefits (continued)
• In the Sochi deployment, Avaya Networking made provisions for 40,000 visitors with the assumption that each would be connecting as many as three devices, for a total of 120,000 devices.
• Avaya Networking won the bid to be the network supplier for InterOp. Avaya sent four engineers to Las Vegas for three days to set up the network. Previous installations required as many as 20 technicians and 2-3 months to bring up the InterOp network.
• The NAC platform has log management capabilities and supports most commonly used log formats, such as syslog. Integration with Splunk is on the roadmap.
• Avaya Identity Engines v9.1 is planned to integrate the Ignition Server with MDM. Most MDMs use a REST interface, but how a platform talks with individual MDMs is slightly different depending on the MDM APIs.
• While typical enterprise deployments require scalability of 10,000-20,000 endpoints, Identity Engines is capable of handling larger deployments.
Competitive Opportunities
• The prevailing perception is that NAC must be run by highly skilled technicians. Identity Engines, with its easy-to-use software-only solution, addresses a broader customer base that may not have such highly skilled personnel.
• Avaya NAC could improve the breadth of its integration with other security platforms, such as SIEM solutions.


NE66-74 139

Vendor Profile—Bradford Networks

Overview
• Bradford Networks was founded in Boston, MA in 2000.
• The Bradford Network Sentry/NAC can be deployed as a physical appliance, a virtual appliance, or as a cloud service.
• The Bradford Network Sentry/NAC handles device discovery without use of 802.1X.
• Risk-based endpoint analysis is a native feature in the Bradford Networks NAC.
• Bradford Networks calls its historical inventory for forensics a “black box” of network connections.
• On June 26, 2013, Bradford Networks was granted two patents. The patent for dynamic provisioning initiates automated configuration of network devices such as ports and switches for the appropriate network access, based on dynamic, pre-defined policies and real-time inputs from the network.
• The second patent pertains to onboarding/guest registration. The guest registration process can be initiated without technical (IT) resources.

Product Line
Network Sentry/NAC
o The NAC provides visibility into all of the devices on the network, as well as live visibility of network connections during both the pre-connect and post-connect stages.
o Provides a pre-connect safe onboarding environment.


NE66-74 140

Vendor Profile—Bradford Networks (continued)

Product Line (continued)
o The Network Sentry/NAC adds context to alerts. Information contained in the alert:
I. For the device, the alert has the device type, network adapters, IP address, MAC address, installed apps, and OS.
II. About the user, information about the owner or security group and the user’s other devices is provided.
III. Information about the connection includes the wired switch port or wireless access point, and the connection duration and history.
o Of course, context is integral to determining risk. New connection paradigms complicate NAC policies.
I. In hospitals, iPads are widely distributed to doctors. Network access privileges are different if a doctor is on-premise or at his own house. The IT team can determine whether they want to quarantine the device or allow the doctor to self-remediate.
II. In one Bradford Networks installation, one student has 17 devices that he wishes to register onto the network.
III. Access conditions can be changed based upon device status. Access conditions can change based upon patches, encryption, certificate status, and health of the endpoint.
IV. The alert itself triggers actionable events. An alert emanating from a POS system should take priority over an alert from a marketing person’s laptop.


NE66-74 141

Vendor Profile—Bradford Networks (continued)

Product Line (continued)
o Access to the network is policy driven. However, if an alert is issued, IT has the ability to isolate VLAN ports or classes of devices with one click.
o The Network Sentry/NAC contains historical data. For instance, if a breach occurs, the list of devices, connections, applications, and users can be compared to historical data of the same. A key aspect of forensics is the ability to compare the current state of a network against the last known good configuration.
o Device profiling is integral to the registration process. In the case of sports teams (the San Francisco Giants are a client) that use Bradford Networks for NAC, press members want to log onto a press VLAN once and only once. The initial registration process is good for the wired VPN or for the wireless AP as the press member moves throughout the stadium.
o Additionally, Bradford Networks assigns the proper VLAN depending upon the end user and the device.
o Physical appliances can be a part of a Bradford Networks deployment, but virtual appliances are far and away the most common deployment. This differentiates Bradford Networks from HP, Cisco, and Aruba Networks, whose installations require several appliances (although the appliances themselves can be centrally managed in the cloud).
o In the Network Sentry/NAC architecture, the appliance and the server communications are bidirectional.


NE66-74 142

Vendor Profile—Bradford Networks (continued)

Product Line (continued)
o The Network Sentry/NAC is not only cloud-based; the application also leverages the cloud. Network Sentry/NAC is designed to support hybrid and public cloud environments over the Amazon Elastic Compute Cloud (EC2) hosting platform.
o In mobile, instead of relying on agents ported to devices, the Sentry/NAC can use the registration lists from the server side to build access lists. In the MDM integration with AirWatch, the Network Sentry/NAC can simply communicate with the AirWatch server to establish access and permissions.
o The Network Sentry/NAC can provide endpoint visibility without reliance on 802.1X certified servers and endpoints.

Network Sentry/Analytics
o The Network Sentry/NAC has built-in analytics; the platform is named Network Sentry/Analytics. The analytics platform is native to every network solution offered by Bradford Networks, meaning even the smallest deployments will benefit from analytics.
o Analytics inform every aspect of the NAC, including device management (unmanaged and managed devices), connections (points, ports, and duration), appliance health (OS, digital certificates, and disk encryption), and network alarms (based upon policy and endpoint status).
o The analytics platform is not confined to one server. The data is aggregated from each server into a data mart. The data can be correlated, analyzed, and reported. Archived data gives the IT team the ability to compare known devices and known “golden states” to times when the network has been breached.
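The "golden state" comparison described on the preceding Bradford Networks pages (a live inventory of connections checked against the last known good configuration, with alerts ranked so that a POS system outranks a marketing laptop) can be sketched as follows. This is an added illustration, not Bradford Networks' code; the record format, the high-value device classification, and the two constructed snapshots are assumptions made for the example.

```python
"""Compare a live connection inventory against a last-known-good ("golden") snapshot.

Added illustration, not Bradford Networks' code. Record layout, device-type
classification and both snapshots are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}
# Assumed classification: devices whose alerts should always be handled first.
HIGH_VALUE_TYPES = {"pos-terminal", "server", "medical-device"}


@dataclass(frozen=True)
class Connection:
    mac: str
    switch: str
    port: str
    vlan: int
    user: str
    device_type: str
    posture_ok: bool  # patched, disk encrypted, certificate valid


Finding = Tuple[str, str, str]  # (severity, mac, reason)


def index_by_mac(conns: Iterable[Connection]) -> Dict[str, Connection]:
    return {c.mac.lower(): c for c in conns}


def escalate(severity: str, conn: Connection) -> str:
    """A low/medium finding on a high-value device is treated as high."""
    if conn.device_type in HIGH_VALUE_TYPES and severity in ("medium", "low"):
        return "high"
    return severity


def compare_to_golden(golden: Iterable[Connection],
                      current: Iterable[Connection]) -> List[Finding]:
    """Diff the live inventory against the golden snapshot, one finding per change."""
    g, c = index_by_mac(golden), index_by_mac(current)
    # VLANs that, in the golden state, carried only high-value devices.
    hv_vlans = {x.vlan for x in g.values() if x.device_type in HIGH_VALUE_TYPES}
    other_vlans = {x.vlan for x in g.values() if x.device_type not in HIGH_VALUE_TYPES}
    protected_vlans = hv_vlans - other_vlans
    findings: List[Finding] = []
    for mac, now in c.items():
        was = g.get(mac)
        if was is None:  # never seen in the known-good state
            sev = "high" if now.vlan in protected_vlans else "medium"
            findings.append((sev, mac, f"unknown device on VLAN {now.vlan}"))
            continue
        if (now.switch, now.port) != (was.switch, was.port):
            findings.append((escalate("low", now), mac,
                             f"moved from {was.switch}/{was.port} to {now.switch}/{now.port}"))
        if now.vlan != was.vlan:
            findings.append(("high", mac, f"VLAN changed {was.vlan} -> {now.vlan}"))
        if now.user != was.user:
            findings.append((escalate("medium", now), mac,
                             f"user changed {was.user} -> {now.user}"))
        if was.posture_ok and not now.posture_ok:
            findings.append((escalate("medium", now), mac, "posture degraded since golden state"))
    for mac in sorted(g.keys() - c.keys()):  # known devices that are no longer connected
        findings.append(("info", mac, "present in golden state but not connected now"))
    return findings


def prioritize(findings: List[Finding], current: Iterable[Connection]) -> List[Finding]:
    """Order findings by severity, then high-value device types first, then MAC."""
    c = index_by_mac(current)

    def key(f: Finding):
        sev, mac, _ = f
        dtype = c[mac].device_type if mac in c else ""
        return (SEVERITY_RANK[sev], 0 if dtype in HIGH_VALUE_TYPES else 1, mac)

    return sorted(findings, key=key)


# Constructed sample snapshots (not real inventory data).
GOLDEN = [
    Connection("00:11:22:aa:bb:01", "sw-retail-1", "Gi1/0/3", 40, "svc-pos", "pos-terminal", True),
    Connection("00:11:22:aa:bb:02", "sw-office-2", "Gi1/0/17", 10, "alice", "laptop", True),
    Connection("00:11:22:aa:bb:03", "sw-office-2", "Gi1/0/18", 10, "printer", "printer", True),
    Connection("00:11:22:aa:bb:04", "sw-office-2", "Gi1/0/19", 10, "bob", "laptop", True),
]
CURRENT = [
    # POS terminal now appears on an office closet port: high priority even though a move is "low".
    Connection("00:11:22:aa:bb:01", "sw-office-2", "Gi1/0/20", 40, "svc-pos", "pos-terminal", True),
    # Alice's laptop lost its compliant posture (e.g. patch or encryption check failed).
    Connection("00:11:22:aa:bb:02", "sw-office-2", "Gi1/0/17", 10, "alice", "laptop", False),
    Connection("00:11:22:aa:bb:03", "sw-office-2", "Gi1/0/18", 10, "printer", "printer", True),
    # Unknown MAC sitting on the port and VLAN the POS terminal used to occupy.
    Connection("00:11:22:ff:ee:99", "sw-retail-1", "Gi1/0/3", 40, "unknown", "unknown", False),
]

if __name__ == "__main__":
    for sev, mac, reason in prioritize(compare_to_golden(GOLDEN, CURRENT), CURRENT):
        print(f"{sev:6} {mac} {reason}")
```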

NE66-74 143

Vendor Profile—Bradford Networks (continued)

Network Sentry/Analytics (continued)
o The Network Sentry/Analytics can be used to predict wireless demand and capacity.
o The Network Sentry/Analytics also has templates for custom and compliance-based reporting.
o The analytics platform is able to create alert status based upon multiple factors. Conceptually, this is risk-based analysis based upon the end user, device and group classification, and endpoint security status.

Network Sentry/Rapid Threat Response (RTR)
o From the Bradford Networks website (verbatim), “Network Sentry/RTR leverages its unique Live Inventory of Network Connections (LINC) to automatically correlate high fidelity security alerts from the leading firewall and Advanced Threat Detection solutions.”
o The Network Sentry/RTR has integration partnerships with FireEye, Fortinet, and Palo Alto Networks. Bidirectional communication helps refine both the NAC and advanced threat detection.
o Network Sentry/RTR triggers responses on compromised endpoints, including auto-block or restricted access to contain a threat.
o An alert becomes more event specific. For instance, if an alert is triggered, information can be isolated to the OS, device type, application type, or other type of classification. IT can dynamically change network access based upon device, user, port, or other classifications.
o Combining Network Sentry/RTR with Network Sentry/Analytics, a strong forensics chain is established in the event of a security breach.

NE66-74 144

Vendor Profile—Bradford Networks (continued)

Network Sentry/Rapid Threat Response (RTR) (continued)
o The importance of context awareness needs to be reiterated. In pre-breach deployments, Network Sentry/RTR enhances what a firewall can do to prevent breaches. In a post-breach environment, to begin a remediation strategy, the type of breach has to be fully understood to determine the proper patch strategy.

Revenue Breakdown
o Bradford Networks has established a great reputation in the education market vertical. On the Key Customers Bradford Networks Web page, Bradford Networks lists 120 K-12 and higher education customers.
o The total of other customer segments is 126 customers; a tad under half of all Bradford Networks accounts are educational.


NE66-74 145

Vendor Profile—Bradford Networks (continued)

Revenue Breakdown (continued)
o Bradford Networks also has several technology-based customers, including Bit9, Towerstream, and Kiva Systems.
o Utilities are an emerging market vertical.
o Because Bradford Networks does not require physical appliances for installation, the NAC solution scales. The majority of deployments are considered to be mid-market, between 2,500-10,000 endpoints.
o Bradford Networks has more than 80% of its clientele in the US, although there are significant European accounts.
o The majority of customers come from channel partners.

Company Strengths
o Bradford Networks is one of the first NAC vendors. The company is also a pure-play NAC vendor and devotes all of its energies to NAC platforms.
o Education is one of the hardest types of NAC deployments. The Bradford Network Sentry/NAC is trusted in heterogeneous networks and wireless deployments.
o Many NAC deployments are contingent upon 802.1X standardization for device discovery and containerization. A Bradford Networks deployment does not require 802.1X.


NE66-74 146

Vendor Profile—Bradford Networks (continued)

Company Strengths (continued)
o Bradford Networks owns patents for dynamic provisioning and network access based upon dynamic, pre-defined policies. These are standalone strengths; as importantly, IT departments have the option of how much customization they want to do.
o Historical analysis of the network is a part of the overall platform.
o Bradford Networks analytics can help to create access-based policy determined by location, type of device, type of network, and the value of the asset being accessed.
o Potentially, Bradford Networks believes that its agentless, bidirectional architecture can be leveraged earlier in the NAC policy chain. Integrating historical analysis and risk-based analysis with next-generation firewalls and whitelists and blacklists of known IPs and hashes could prevent bad access onto networks in the first place.

Competitive Opportunities
o Other companies have been more aggressive in establishing integration relationships with MDM, VM, and SIEM vendors (although Bradford Networks integrations with next-generation firewall providers have been impressive).
o Bradford Networks is challenged to win business outside of the US and in commercial markets.
o The Network Sentry/NAC works without 802.1X protocols. Strangely, this is a double-edged sword, in that some IT teams like the segmentation and containerization in 802.1X platforms.


NE66-74 147

Vendor Profile—Cisco

Overview
• Cisco is headquartered in San Jose, California. The company was founded in 1984 by Len Bosack and Sandy Lerner based on their efforts to connect detached networks at Stanford University.
• In terms of security, Cisco helped invent the NAC market starting with Cisco ACS, which was first introduced in 1992. Cisco then later coined the term “Network Admission Control” based on a RADIUS-based architecture. In 2004, Cisco purchased Perfigo, further accelerating Cisco’s NAC business.
• In 2011, Cisco introduced the Identity Services Engine (ISE), the company’s next-generation identity and access control policy platform.
• Cisco ISE has 7,000 customers and services roughly 32 million licensed endpoints. Cisco counts half of the Fortune 500 companies and 20 of the Fortune 25 as customers. In terms of global sales, Cisco ISE is the market-leading NAC security policy management platform.

Product Line
Cisco Identity Services Engine (ISE)
• On September 30, 2014, Cisco released ISE version 1.3. The ISE platform unifies and automates access control to proactively enforce role-based access to networks and network resources, regardless of how a user chooses to connect – via wired, wireless or VPN.


Vendor Profile—Cisco (continued)

Cisco Identity Services Engine (ISE)
• Cisco has a proprietary real-time profiling feed service that provides visibility into, and identifies, all devices that connect to a network (via wired, wireless, or VPN).
• New, dynamic administration for guest access enables the creation and management of portal pages with simplified and customizable workflows to enhance the guest user experience.
• Simplified self-service device onboarding for guests and BYOD across wired and wireless networks.
• Cisco pxGrid is a robust context-sharing platform that delivers a deeper level of contextual data collected by ISE. Cisco pxGrid connects internal and external ecosystem partner solutions to accelerate the identification, mitigation, and remediation of network threats. Currently pxGrid is used this way:
  o Faster remediation of threats via work with SIEM vendors: NetIQ, Splunk, Lancope
  o Extension of access policy and posture compliance to mobile devices with MDM vendors, such as MobileIron
  o Mobile device enhanced single sign-on for secure access to sensitive data with Ping Identity
  o Internet of Things (IoT) security for the industrial sector with Bayshore Networks
  o Simplified network troubleshooting and forensics with Emulex
  o Endpoint vulnerability remediation with Tenable


Vendor Profile—Cisco (continued)

Cisco Identity Services Engine (ISE) (continued)
• Streamlined policy-defined network segmentation with Cisco TrustSec to permit granular role-based access to business resources as well as to limit the spread of malware and network threats through access policy.
• In a Cisco Identity Services Engine deployment cluster, each ISE node can assume a "persona", a predefined set of roles and responsibilities; this is done for added convenience in deployment.
• Personas include sets for Administration, for Policy Service, and for Monitoring/Troubleshooting, with each ISE appliance having one or more personas. Multiple nodes configured as different personas can be used in high-availability deployments.
Identity Services Engine 1.3
• Cisco ISE 1.3 offers all-new out-of-the-box simplicity for guest administration and onboarding. Administrators can customize guest portals in minutes using dynamic visual tools that offer real-time previews of the portal screens and steps a guest will experience, demonstrating exactly how changes to settings will affect users.
• Cisco ISE offers full customization of guest pages – including advertisements, banners, themes, and branding – full management of guest accounts and expirations, and complete auditing of guest accounts and activity across the network. ISE 1.3 supports the most-used guest workflows – from hotspot to employee-sponsored with SMS confirmation.


Vendor Profile—Cisco (continued)

Identity Services Engine 1.3 (continued)
• Like previous ISE platforms, Cisco ISE 1.3 accelerates the efficiency of network and security partner solutions by leveraging Cisco pxGrid technology, a context-sharing platform within ISE.
• Contextual data from ISE is shared not only with EMM/MDM and SIEM/TD vendors, but also with integrated third-party solutions for adaptive single sign-on to identity-federated devices (Ping Identity).
• ISE can connect natively to Microsoft Active Directory, Novell eDirectory, OpenLDAP, Sun LDAP, and RSA directory services. For other identity stores that follow standards-based LDAP, ISE can provide a customizable connector.
• Like previous platforms, ISE 1.3 supports up to 50 independent non-trusted Active Directory forests, with selection criteria to deal with username ambiguity, addressing the needs of complex enterprise environments where Active Directories are added and dropped frequently.
• An easy-to-deploy internal certificate authority within ISE simplifies certificate management for BYOD devices – including certificate suspension or revocation in the event of a lost or stolen device.
• ISE 1.3 is integrated with Cisco AnyConnect 4.0 to provide a single unified agent for endpoint posture assessment, remote access, and network connectivity, reducing endpoint client software distribution and management headaches.
• Cisco makes a continued commitment to standardization in the industry through the submission of an informational draft on the Source-Group eXchange Protocol (SXP). The submission to the IETF allows other vendors to implement SXP and exchange tags with Cisco products.


Vendor Profile—Cisco (continued)

Identity Services Engine 1.3 (continued)
• Additionally, the Tunneled EAP (TEAP) specification was officially published as RFC 7170, which makes Cisco's innovative use of EAP chaining in EAP-FASTv2 a standard that may be implemented in any 802.1X supplicant or authentication server.
• New to ISE 1.3 is the inclusion of persistent posture agent capabilities in the AnyConnect software platform. For the first time, customers running AnyConnect 4.0 or later can leverage a single client to provide posture assessment, remote access, and network connectivity as an optional component within an ISE deployment. Where a persistent posture agent is not a viable option, Cisco provides the ISE Web Agent for posture assessment.

Cisco Secure Access Control Server
• Control servers enable a highly scalable, high-performance RADIUS-based access policy system.
• The architecture centralizes device administration, authentication, and user access (AAA) policy.
• Control servers reduce the management and support burden for many of these functions through APIs.

Cisco NAC Appliance
• The Cisco NAC Appliance is an easily deployed SNMP-based product that uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources.

Vendor Profile—Cisco (continued)

Deployment Manageability
• As of ISE 1.3, the all-new Guest Administration WorkCenter delivers everything an administrator needs to set up and manage guests in one place.
• The ISE guest administration experience now streamlines the setup of core guest flows with out-of-the-box defaults for Hotspot, Self-Service and Sponsored flows, so a customer can be up and running in hours.
• The administration console’s on-boarding flow diagram shows administrators how changed settings affect their guests’ access by updating dynamically with each settings change.
• A simple, dynamic graphical customization tool lets novice users produce professional-looking guest portals, while retaining full customization flexibility for enterprises with on-staff web designers.
• In 1.3, ISE also supports a full Guest & Sponsor REST API, which enables both bulk administrative operations and guest and sponsor integration into third-party on-boarding applications.
• End users also see a dramatic simplification. Sponsor portals on both mobile devices and desktops provide quick access to common actions, the ability to add custom instructions, and on-screen contextual cues for end users.
• Every step of the on-boarding experience – from the first captive portal to the warnings about accounts about to expire – is managed by ISE and communicated to users.


Vendor Profile—Cisco (continued)

Support for Physical and Virtual Appliances
• ISE supports both physical and virtual appliance instances. Physical NAC appliances include the Cisco ISE 3415 (small) and the Cisco ISE 3495 (large).
• Virtual appliances are supported in VMware ESX 4.x, VMware ESXi 4.x, and VMware ESXi 5.x virtual environments.
Revenues Breakout
• Cisco is traded on the New York Stock Exchange. Thus, financial information about Cisco is available in public documents; however, Cisco will not comment directly on any product group.
• For fiscal year 2014, Cisco’s global revenues totaled $47 billion (period ending July 27, 2014).
• Worldwide revenue distribution: 59% US, 25% EMEA, 16% APJC.
Distribution Channel
• Cisco has a companywide partner-led sales model, which ISE also follows. There are some exceptions where certain very large corporate customers purchase directly; 95%+ of Cisco’s business is channel-partner driven.
• Cisco’s Remote Management Services organization provides a fully managed ISE solution that is capable of managing not only ISE, but also the full network infrastructure itself.
• Additionally, several Cisco partners offer managed services based on Cisco ISE, ranging from fully managed network infrastructure to over-the-top remote management of a customer's ISE installation.


Vendor Profile—Cisco (continued)

Security Efficacy
• Cisco ISE has extensive integration with both Cisco and standards-based network infrastructure (DHCP, NetFlow, etc.) to capture critical agentless endpoint attributes as part of its best-of-breed device profiling capability.
• These tools include probes such as HTTP, DHCP, DNS, CDP, LLDP, RADIUS, NetFlow, SNMP, etc. Cisco has experienced the pain of scaling profiling technology to the largest customers in the world and, as such, has invested heavily in ensuring that the ISE profiling solution scales to function both pre- and post-connection.
• One means of ensuring scalability is to embed the profiling "collectors" as close to the endpoint as possible, directly into Cisco access-layer infrastructure (known as "Device Sensor").
• This distributed collection capability has been included in the majority of Cisco's wired and wireless access-layer devices and enables accurate and efficient attribute collection directly from the access devices themselves, without having to SPAN traffic across the network.
• Cisco is expanding its industry-first Device Profiling Feed Service to include all partners and customers in an active and engaged community, contributing to and deriving value from new device profiles.
• Through the integration with ISE, this feed service community drives even greater mainstream adoption by providing profiling data for new consumer devices as well as highly vertical-specific devices (e.g., healthcare and manufacturing devices). With the help of various customers and partners, at the time of this writing,


Vendor Profile—Cisco (continued)

Security Efficacy
• ISE's native profiling capabilities allow for reclassification of a profiled device based on the observed network traffic. For example, if a legitimate host becomes compromised and starts forwarding traffic as an illegitimate SMTP server, the ISE profiler can reclassify the device and, consequently, change its level of access. ISE can leverage NetFlow probes as well.
• ISE’s native certificate authority is designed to ease the administrative burden of BYOD deployments and to eliminate the administrative overhead, the significant complexity, and the inevitable questions associated with managing multiple devices on a third-party certificate server.
• In the case of lost or stolen devices, ISE offers administrators the choice of revoking a certificate or temporarily denying access through a single console that seamlessly links device and certificate management into a single user-friendly concept.
• Cisco ISE provides comprehensive monitoring, dashboards, reporting, and alarms for all of its native functions: NAC, profiling, AAA, guest, BYOD, and MDM access.
• Cisco ISE shares the context and session information that it collects with Cisco Prime Infrastructure, so that administrators viewing a session see the entire picture: user, device, port, and all the back-and-forth RADIUS and policy traffic that led to its current state.
• Using that, Cisco Prime Infrastructure also offers 360-degree views of an endpoint or a user and their history, presenting a complete view of client access issues with a clear path to solving them.


Vendor Profile—Cisco (continued)

Features and Functionality
o Centralized, unified secure access control that streamlines network access policy for end users regardless of how they connect to the network (e.g., via wired, wireless, and VPN).
o Simplified guest experiences for easier guest onboarding and administration. Create fully customizable branded mobile and desktop guest portals in minutes with dynamic visual workflows, and fully manage every aspect of guest access from ISE.
o Logical network segmentation based on business rules, leveraging Cisco TrustSec technology to create role-based access policy that dynamically segments access without the complexity of multiple VLANs or changes to the network architecture.
o Deep contextual data shared with third-party ecosystem partners via Cisco pxGrid, a robust context-sharing platform within ISE. This data is shared with external and internal ecosystem partner solutions in order to accelerate those solutions’ ability to identify, mitigate, and remediate network threats.
o A broad, integrated partner ecosystem that leverages ISE contextual data to improve the efficacy of partners' own solutions. For example, with ISE, integrated partner solutions can more rapidly remediate threats; streamline network forensics and endpoint vulnerability remediation; provide adaptive single sign-on to identity-federated devices; and even extend secure access to SCADA/control networks – all based on context and identity received from Cisco ISE.


Vendor Profile—Cisco (continued)

New Since January 2013
• Cisco released Identity Services Engine 1.2 and 1.2.1. In September 2014, ISE 1.3 was released.
• Each Identity Services Engine cluster can support up to 1,000,000 managed devices, with up to 250,000 active, concurrent endpoints connecting at any given point in time.
• Since January 2013, Cisco has integrated with eight of the leading enterprise mobility management (EMM/MDM) vendors. The integration allows IT teams to collect and leverage mobile compliance checks to create proper access controls. Cisco Meraki EMM is integrated with ISE 1.3 beginning in November 2014.
• Cisco has begun integrations with the leading SIEM and advanced threat detection vendors in order to accelerate security operations decision making and risk mitigation efforts. Integration with Sourcefire FireSIGHT technology is underway, to be introduced in 2014.
• The dynamic device feed service was created to support the latest devices and makes it hassle-free for users and IT to classify new devices. Cisco reports a 74% reduction of unknown devices on the network.
• Bootstrap wizards were designed to provide IT deployment automation and simplification when testing ISE in a proof-of-concept network.


Vendor Profile—Cisco (continued)

New Since January 2013 (continued)
To reflect the needs of its customers, Cisco revamped its pricing and licensing models:
1. An ISE appliance -- This can be a physical or VMware-based virtual appliance.
2. Support -- SMARTnet for physical appliances or Software Application Support plus Upgrades (SASU) for virtual appliances.
3. ISE Base License -- This is a perpetual license based on the total number of concurrent endpoints utilizing basic RADIUS/AAA or Guest Services. It also includes Security Group Access/TrustSec.
4. ISE Plus License -- This is a term-based license (1, 3 or 5 yr.) for the total number of concurrent endpoints utilizing context-focused services such as Profiling or BYOD status.
5. ISE Apex License -- This is a term-based license (1, 3 or 5 yr.) for the total number of concurrent endpoints utilizing compliance-focused services such as Posture or third-party MDM/MAM/EMM status. Apex licenses are layered on top of Plus licenses in an a la carte model, allowing customers to buy the right type of services for their environment. As of ISE 1.3, ISE Apex licenses can be augmented by AnyConnect 4.0 Apex licenses to enable AnyConnect as the unified agent for PC compliance.
6. ISE pricing starts at $6,490.


Vendor Profile—Cisco (continued)

Key Partnerships and Product Integrations
• Cisco ISE interoperates with eight of the leading MDM/EMM vendors, including MobileIron, AirWatch and Citrix. ISE will also interoperate with Cisco Meraki’s new enhanced cloud-based EMM offering introduced in November 2014.
• Cisco Meraki’s EMM, Systems Manager, will be cloud-only and focused on implementation of security features found in core mobile OSes (e.g., PIN lock), allowing Cisco to continue positioning third-party vendors for on-premise, advanced EMM/MDM functionality (e.g., containerization, SDK app wrapping) as well as telecom expense management.
• ISE supports all the major A/V vendors in the market, including Symantec, McAfee, Trend Micro, Kaspersky, and Sophos, in addition to the ~800 applications from ~100 partners that are already supported. See http://www.cisco.com/c/dam/en/us/td/docs/security/ise/ComplianceModule/win-avas-3_6_9457_2.pdf
• ISE continues to interoperate with a wider set of non-Cisco, 802.1X-compliant network hardware as well as a long list of new Cisco infrastructure platforms.


Vendor Profile—Cisco (continued)

Company Strengths
o Cisco is an engineering, services and support organization, with acknowledged expertise as an equipment supplier and as network design and maintenance experts.
o ISE is a context-aware, secure network access platform spanning wired, wireless, and VPN that scales from commercial to large enterprises.
o Cisco offers a substantial policy engine and the largest library of identity attributes needed to address enterprises’ evolving network and security needs.
o Valuable context through innovations such as the device profiling feed and the device sensors embedded in Cisco IOS, which enable implementing business policy as network policy.
o The solution architecture, with ISE as the controller for Cisco TrustSec, is implemented to simplify enterprise secure access from the edge to the datacenter.
o Cisco demonstrates leadership in driving parallel industry ecosystems, as shown by best-of-breed MDM and SIEM partnerships as well as expanded security and network vendor enhancements and capabilities through Cisco Platform Exchange Grid (pxGrid).


Vendor Profile—Cisco (continued)

Competitor Opportunities
o Cisco competitors suggest that Cisco NAC has trouble with extensibility. (In fairness, all platforms improve with each revision; the bootstrap wizard, guest registration and the upcoming Cisco Meraki EMM may alleviate some of these concerns.)
o The Cisco platform is heavily contingent on 802.1X protocols and related equipment like RADIUS servers. As the IoT evolves, the question will be how Cisco NAC performs in heterogeneous networks.
o Cloud-based NAC providers claim quick NAC installation turnarounds and a high degree of scalability by centralizing NAC over different locations.


Vendor Profile — ForeScout Technologies, Inc.

Overview
• Founded in 2000, ForeScout is a privately held company based in Campbell, CA. ForeScout has regional offices in London, Tel Aviv, and Hong Kong.
• ForeScout has a significant focus on large enterprise, mid-tier customers and government; the company reports, as of September 30, 2014, over 1,800 customers in 54 countries and 200 channel partners.

ForeScout Product Line
ForeScout CounterACT is an integrated network security platform that offers access control, endpoint compliance, mobile security and threat management. The CounterACT platform, delivered on an out-of-band appliance with foundation and add-on software modules, offers core NAC capabilities and demonstrably distinctive pre-admission and post-admission asset intelligence, network enforcement and endpoint remediation capabilities via a centralized console, a high-performance correlation engine, and extensible integrations and policies. These are some key elements of the CounterACT platform:
o Multi-factor network, user, device and application classification and profiling that does not require agents or, where agents are necessary, supports persistent and non-persistent agents
o Authentication, on-boarding and control flexibility; supports 802.1X, non-802.1X and hybrid mode
o ForeScout ControlFabric Architecture. Enables extensive infrastructure interoperability through open standards and APIs to support switches, firewalls/VPN, wireless controllers, directories, patching, and databases, used to exchange control context and enable policy-based mitigation.

Vendor Profile — ForeScout Technologies, Inc. (continued)

ForeScout Product Line (continued)
o ForeScout Integration Modules. ForeScout-developed advanced integrations: endpoint protection, mobile device management (MDM), security information and event management (SIEM), vulnerability assessment (VA), advanced threat detection (ATD), next-gen firewall (NGFW).
o ForeScout BYOD functionality. Built-in guest management, BYOD device on-boarding, network-based mobile device controls, broad MDM integration, and a Mobile Security Module, which offers “MDM-lite” functionality such as device intelligence, configuration and application policy enforcement, and jailbroken/rooted detection (no containerization).
o Noteworthy: Extensive capturing of endpoint properties and security state pre and post network admission. Mobile security functionality is broad and can run independently or can be combined with MDM. The finer points of the security and mobile capabilities are discussed later in this profile.

ForeScout Next Generation NAC Capabilities
• Diverse endpoint classification and intelligence enables more flexible and granular security policies.
• Solid corporate and personal mobile device on-boarding, policy management and enforcement.
• Continuous monitoring with advanced threat mitigation as an integral part of the platform.
• Dynamic software and hardware inventory, virtualization integration, and compliance reporting.
• Comprehensive integration with other network, security and management systems to enhance and fortify a company’s oversight, overall security posture and threat mitigation capabilities.


Vendor Profile — ForeScout Technologies, Inc. (continued)

ForeScout CounterACT Installation
• CounterACT is installed as an out-of-band physical or virtual network appliance connected to a SPAN or mirror switch port or a network traffic aggregator. CounterACT has extensive infrastructure support.
• Different models and interfaces are available that manage from as few as 100 up to 10,000 concurrent network devices. It is highly scalable, has high-availability options, and offers an Enterprise Manager appliance to manage up to 250 appliances, which provides the administrative console for visibility and dynamic policy management for 500,000 devices (an Enterprise Director is planned).
• CounterACT is deployed at the core, access or distribution switch layers, and supports centralized and decentralized network architectures. Central management is achieved in various ways, such as DHCP, DNS and MPLS, to negate the need for an appliance per network segment. It performs application-layer inspection and integrates with LAN, VLAN, RADIUS, directory services, FW/VPN, etc.
• CounterACT binds into the authentication process and captures broad user, network, device, system and application properties used for visibility, classification, profiling, reporting and policy-based actions such as guest management (captive portal), network enforcement and endpoint remediation.
• ForeScout CounterACT can be implemented without an agent and supports a broad array of network and security infrastructure. Therefore, the platform can be implemented relatively quickly and with nominal network re-architecture (as evidenced through customer interviews and testimonials).
• ForeScout offers a persistent or dissolvable SecureConnector agent, which establishes a secure tunnel between the client and the CounterACT appliance for dynamic inspection and policy enforcement of devices for which CounterACT does not have credentials.


Vendor Profile — ForeScout Technologies, Inc. (continued)

NAC Policies
• Passive and active monitoring capabilities provide comprehensive visibility into user, device, system, application, network, security posture and authentication diagnostic details. The system displays the operational state in a well-designed GUI. Any endpoint property can be used in a policy.
• CounterACT has built-in policies for device, system and application classification and templates for endpoint compliance and security posture monitoring. These are completely extensible. The policy engine allows for simple to complex logic with granular and flexible response: monitor-only, network enforcement and endpoint remediation.
• Customers start in monitor-only mode to refine rules and exceptions before phasing in strong policy response. Policies can be administered centrally and locally to align with business requirements.
• CounterACT also monitors device behavior to address MAC spoofing and advanced threat activity.
• Network enforcement is broad and includes: captive portal, DNS hijack, HTTP browser hijack, guest management, alert/report-only, allow, limit, terminate, VLAN reassign, switch ACL, WAP assign, 802.1X block and more. Endpoint remediation includes informing the user to self-remediate, installing/activating/terminating applications and more. Actions can be on-demand via the GUI or automated within the policy.
• CounterACT offers “Virtual Firewall” device isolation by manipulating network communications.
• ControlFabric open and standard interfaces, such as REST API, Syslog, CEF, and SQL, allow CounterACT to send intelligence and control data to other systems or to receive such information. This can trigger CounterACT policy-based actions for network enforcement and direct endpoint remediation.


Vendor Profile — ForeScout Technologies, Inc. (continued)

Endpoint Visibility and Compliance
• Integral to CounterACT is real-time network asset intelligence. The system dynamically identifies and classifies users, device types, network, system, hardware and application details. Integration with directory services and other applications allows other properties to be associated with a device.
• CounterACT captures device properties using passive and active techniques via network integration, including switches, DHCP, DNS, FW/VPN and more. This allows for the identification of managed and unknown devices, including wired, wireless, PC, mobile, embedded, printers and virtual.
• CounterACT can directly inspect a device without requiring an agent when given credentialed access, such as admin rights to Windows domain PCs. Optionally, organizations can employ agents that provide a secure tunnel between the device and CounterACT.
• Advanced device fingerprinting technology allows for the identification and classification of more uncommon or custom devices, such as medical, surveillance and industrial devices, and applications.
• CounterACT captures a vast array of device properties (too numerous to list). Discovered properties can be used in policies to determine the security posture of endpoints pre-admission and post-admission – essentially identifying what is on your network, as well as what is wanted and unwanted.
• Endpoint details are available in the console GUI tactical map, tables, alerts and reports, and the policy engine. This dynamic information can be shared with other systems via ControlFabric interfaces.
• CounterACT offers extensive information for VMs running on VMware ESXi (or under vCenter), including OS, device classification, hardware inventory, VM settings, connected peripheral devices, etc.


Vendor Profile — ForeScout Technologies, Inc. (continued)

Facilitation of BYOD
• The CounterACT platform can identify and apply policy for personal and corporate-issued mobile devices, such as laptops, smartphones and tablets, personal WAPs, and portable storage.
• The platform integrates with popular wireless infrastructure, including Cisco, Aruba and Motorola, and provides network enforcement, wireless LAN assignment, user/device on-boarding and more.
• CounterACT has comprehensive guest registration capabilities, including captive portal with DNS and HTTP hijack, as well as employee-sponsored guest management. ForeScout also offers mobile device on-boarding with certificate management.
• ForeScout also offers a Mobile Security Module (MSM), which offers some mobile device management functionality such as identity, inventory and endpoint compliance, password and encryption verification, jailbreak detection and more. This is delivered as a CounterACT licensed module plug-in as well as a mobile device app for Android, and for Apple iOS as an app and profile via Apple’s Live Push Technology (only Android and iOS are supported). No containerization is offered.
• The CounterACT MDM Integration Module supports multiple mobile device management tools, such as MobileIron, IBM Fiberlink MaaS360, VMware AirWatch, Citrix XenMobile and SAP Mobile Secure.
• MDM interoperability helps organizations automate the enrollment process into MDM controls, gain on-access MDM posture scanning, and enable on-demand or policy-based network enforcement. Once the module is installed, the console displays all mobile device status and compliance.
• When a device connects to the network, CounterACT can cue the MDM to do a real-time compliance assessment. If a device is compliant, the device is granted access. If a device is non-compliant, it can be quarantined until the issue is resolved.

Vendor Profile — ForeScout Technologies, Inc. (continued)

Integration with Other Security Platforms
• A compelling reason for an organization to work with ForeScout is that CounterACT can be used with other network, security and systems products to improve an organization's overall security posture and to enable IT to respond to a broad number of compliance, security and IT management issues.
• ForeScout currently has integrations with 60 vendors and numerous products based on the company’s ControlFabric architecture, comprising open and standard interfaces such as Syslog, LDAP, CEF, SQL and REST API.
• CounterACT base integrations support a good number of infrastructure devices, such as popular switches, firewalls, VPNs, RADIUS, wireless network controllers, ESX and more. Users with CounterACT appliances under maintenance can download base integration plug-ins as they become available.
• Extended integrations developed by ForeScout, in the form of licensed CounterACT Modules, offer more advanced interoperability with different popular vendors by category, including endpoint protection suites (ePO), SIEM, MDM, NGFW, advanced threat detection (ATD) and vulnerability assessment (VA).
• CounterACT can send information to and receive information from other systems to enhance control context and invoke policy-based response. For example, CounterACT can send endpoint posture details to a SIEM, and a SIEM rule can send data to CounterACT to invoke a response such as isolating a system, initiating MS-SCCM patching, requesting a VA scan and sending a log of activity for each task.
• Organizations which we have interviewed have expressed the value of different integrations and the flexibility with which the CounterACT platform can be integrated with commercial and custom systems.

Source: Frost & Sullivan

NE66-74 169 Vendor Profile — ForeScout Technologies, Inc. (continued)

Advanced Threat Response
• CounterACT offers advanced threat response through direct network monitoring and response capabilities and also by integrating with other Advanced Threat Detection (ATD) systems.
• CounterACT’s built-in intrusion prevention technology, called ActiveResponse, monitors for anomalous and malicious behavior to detect internal zero-day and targeted threats.
  o As post-admission IPS technology, ActiveResponse can identify and respond to anomalous and malicious behavior on a monitored network segment. For example, it can identify and terminate propagating worms or breached systems that perform network interrogation activity.
  o It can also determine when a system has changed, such as a printer that is attempting to perform a communication associated with a Windows system. CounterACT’s post-admission monitoring capability addresses the NAC MAC spoofing risks that arise from the use of MAC exception lists.
  o Honey-pot-like technology also identifies systems attempting to take advantage of known but fake system and application exposures, and therefore helps reduce the risk of targeted attacks.
• CounterACT has an ATD Integration Module that enables interoperability with leading ATD systems such as those from Palo Alto Networks, FireEye, Bromium, Damballa and Invincea. CounterACT can identify systems that require ATD host protection, and can also enable ATD defense enrollment.
  o CounterACT can receive information from an ATD system and isolate the breached system.
  o CounterACT can also extract the ATD-provided IOC (indicator of compromise) and put the signature into a CounterACT IOC repository. CounterACT’s IOC scanner can then look for the same advanced threat signature on devices attempting to access or operating on the network.

Source: Frost & Sullivan
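
The three post-admission checks described above (a MAC-exception device behaving like a different device class, contact with a decoy service, and network interrogation), as an added Python illustration that is not ForeScout’s code. The MAC exception list, port sets, decoy addresses, threshold and sample flows are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed MAC exception list: endpoints admitted by MAC address instead of
# 802.1X, each tagged with the device class the exception was granted for.
MAC_EXCEPTIONS: Dict[str, str] = {
    "00:11:22:aa:bb:01": "printer",
    "00:11:22:aa:bb:02": "ip-phone",
}

# Destination ports characteristic of a Windows host (RPC, NetBIOS, SMB, RDP,
# WinRM). A "printer" talking to these is the changed-system case in the text.
WINDOWS_HOST_PORTS: Set[int] = {135, 139, 445, 3389, 5985}

# Constructed decoy services (the honey-pot-like exposures): nothing legitimate
# ever connects to them, so a single hit is a finding.
DECOY_SERVICES: Set[Tuple[str, int]] = {
    ("10.0.9.250", 445),
    ("10.0.9.250", 3389),
    ("10.0.9.251", 22),
}

# Distinct destination hosts within one observation window above which the
# behaviour is treated as network interrogation (constructed threshold).
INTERROGATION_HOST_THRESHOLD = 20


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt, as a SPAN-port monitor would see it."""
    mac: str
    dst_ip: str
    dst_port: int


@dataclass
class Verdict:
    mac: str
    action: str                      # "allow" or "quarantine"
    reasons: List[str] = field(default_factory=list)


def assess(flows: Iterable[Flow]) -> List[Verdict]:
    """Return one Verdict per source MAC; any finding quarantines that endpoint."""
    by_mac: Dict[str, List[Flow]] = defaultdict(list)
    for flow in flows:
        by_mac[flow.mac].append(flow)

    verdicts: List[Verdict] = []
    for mac, observed in by_mac.items():
        reasons: List[str] = []
        dst_ports = {f.dst_port for f in observed}
        dst_hosts = {f.dst_ip for f in observed}

        # Check 1: a MAC-exception device behaving like a different device
        # class (the MAC spoofing risk of MAC exception lists).
        device_class = MAC_EXCEPTIONS.get(mac)
        if device_class is not None:
            suspicious = sorted(dst_ports & WINDOWS_HOST_PORTS)
            if suspicious:
                reasons.append(
                    f"{device_class} exception but Windows-host traffic to ports {suspicious}"
                )

        # Check 2: any contact with a decoy service.
        decoy_hits = sorted({(f.dst_ip, f.dst_port) for f in observed} & DECOY_SERVICES)
        if decoy_hits:
            reasons.append(f"contacted decoy service(s) {decoy_hits}")

        # Check 3: network interrogation (too many distinct hosts in the window).
        if len(dst_hosts) >= INTERROGATION_HOST_THRESHOLD:
            reasons.append(f"contacted {len(dst_hosts)} distinct hosts")

        verdicts.append(Verdict(mac, "quarantine" if reasons else "allow", reasons))
    return verdicts


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: a genuine IP phone, something using the printer's
    MAC that also speaks SMB, a workstation touching a decoy, a clean
    workstation, and a host sweeping one port across a subnet."""
    flows = [
        Flow("00:11:22:aa:bb:02", "10.0.1.5", 5060),    # phone: SIP
        Flow("00:11:22:aa:bb:02", "10.0.1.6", 123),     # phone: NTP
        Flow("00:11:22:aa:bb:01", "10.0.1.9", 9100),    # "printer": raw print
        Flow("00:11:22:aa:bb:01", "10.0.1.40", 445),    # "printer": SMB (!)
        Flow("00:11:22:aa:bb:03", "10.0.9.250", 3389),  # workstation -> decoy
        Flow("00:11:22:aa:bb:04", "10.0.2.10", 443),    # workstation: HTTPS
    ]
    # One host probing port 445 on 25 different addresses.
    flows += [Flow("00:11:22:aa:bb:05", f"10.0.3.{n}", 445) for n in range(1, 26)]
    return flows


if __name__ == "__main__":
    for v in assess(build_sample_flows()):
        print(v.mac, v.action, "; ".join(v.reasons))
```

In a real deployment the verdict would drive the switch, wireless controller or firewall enforcement point rather than a print statement, and the threshold would be tuned per segment.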

NE66-74 170 Vendor Profile — ForeScout Technologies, Inc. (continued)

Continuous Monitoring
• Essentially, continuous monitoring means that security blind spots and risks are largely reduced through dynamic and poll-based methods that occur on network access request and post admission.
• CounterACT delivers continuous monitoring via synchronous and asynchronous infrastructure and system integration. CounterACT interfaces with switches, firewalls, VPN concentrators, wireless network controllers, RADIUS, directory services, endpoint protection suites and VA systems.
  o CounterACT can monitor 802.1X requests to an existing RADIUS server (or its own RADIUS service), as well as Dynamic Host Configuration Protocol (DHCP) requests.
  o The system monitors SPAN ports to inspect network traffic such as HTTP traffic and banners. Network mapper (NMAP) scans discover where hosts reside in the network.
  o CounterACT can read user and device groups and policies within directory services. It can also send SQL queries and writes to external databases.
• CounterACT can assess the configuration and security state of an endpoint including installed applications, connections and network activity, and take action based on policy.
  o Policies can be used to install or terminate applications or to trigger patch management systems.
• CounterACT can trigger a vulnerability scan on devices at connection via the VA Integration Module.
  o CounterACT obtains VA details, such as last scan, vulnerability, severity and risk, which can be applied to policies for reporting, to initiate scans, and to invoke endpoint remediation actions.
• Extensive post-connection monitoring and IPS differentiate ForeScout from the competition.

Source: Frost & Sullivan

NE66-74 171 Vendor Profile — ForeScout Technologies, Inc. (continued)

Inventory and Compliance
• Maintaining control over all network hardware, software and applications is a foundation of all popular IT security frameworks. Enterprises should also verify that security defenses are properly installed and active, for example, having the means to prove that device encryption is active. Network complexity, consumerization and endpoint configuration dynamics often result in operational gaps.
• In the course of a deployment, ForeScout reports that many of their clients guesstimate, and well underestimate, the number of devices on their networks, as well as adherence to security policies.
  o For instance, a company may suspect that it has 10,000 devices, when it is not uncommon for CounterACT to discover 12,000 devices - a 20% gap or more, depending on company size and network distribution. This common observation was verified through multiple customer interviews.
• ForeScout enables enterprises to maintain accurate network asset intelligence including hardware, installed and running software, and network location, reducing the previously mentioned operational gaps.
  o Endpoint visibility, compliance and remediation capability details were described earlier.
• Among NAC vendors, ForeScout CounterACT has achieved the U.S. government’s highest security certification - the National Information Assurance Partnership Common Criteria (NIAP CC) gives CounterACT version 7 an Evaluation Assurance Level (EAL) score of 4+.
• ForeScout CounterACT is on the United States Army Information Assurance Approved Products List (US IA-APL).
• ForeScout CounterACT is also Federal Information Processing Standard Publication 140-2 (FIPS 140-2) certified.

Source: Frost & Sullivan

NE66-74 172 Vendor Profile — ForeScout Technologies, Inc. (continued)

Revenue Breakout
• ForeScout had considerable growth across vertical and regional markets, demonstrably in government, financial services and healthcare, as well as manufacturing, education, retail and energy.
• Growth rates are strongest for deployments of 10,000 endpoints or greater; more than half of bookings were from mid-tier enterprises. The company sells its product through a network of global, national and specialized channel partners, and there is an array of training and professional services.
• ForeScout is winning new accounts, and achieving expansion in existing accounts.
  o Account expansion occurs in many forms, such as: expanding deployment coverage from wired to wireless, adding divisions, regions and acquisitions, enabling BYOD policy, and through integrations such as augmenting MDM and ATD investments or maturing SIEM capabilities.
New Since January 2013
• Numerous endpoint monitoring and remediation enhancements, as well as extensive VMware ESXi/vCenter monitoring, virtual network enforcement, and endpoint compliance enhancements.
• ControlFabric enhancements: new Advanced Threat Detection and Vulnerability Assessment vendor interoperability, and Open Integration Module WebAPI baseline inquiry (custom integrations).
• Console, endpoint monitoring and reporting enhancements such as portal additions for guest registration and management, and support for Asset Reporting Format (ARF).
• Additional infrastructure support such as DHCP classification enhancements and IPv6 support.

Source: Frost & Sullivan

NE66-74 173 Vendor Profile — ForeScout Technologies, Inc. (continued)

Company Strengths
o ForeScout’s CounterACT delivers continuous monitoring and mitigation based on integrated Network Access Control technologies.
o The software-defined security platform addresses numerous visibility, access, BYOD/mobile security, endpoint compliance and threat management risks. Customers cite cost savings, resource optimization and improved return on security investments.
o Reasons vocalized by enterprises for why they chose ForeScout CounterACT: rapid and easy deployment, 802.1X support, agentless and agent options, robust functionality, scalability and interoperability. The policy engine is flexible and offers granular pre- and post-admission control using extensible policy templates.
o CounterACT has been designed to work with a variety of legacy and heterogeneous infrastructure: wired, wireless and virtual. Solid mobile security/BYOD capabilities: guest management, onboarding, mobile NAC functionality and MDM interoperability.
o ForeScout leads the pack with advanced interoperability using its standards-based ControlFabric architecture, open to vendors, integrators and customers. ForeScout pioneered bidirectional integrations such as EPP, SIEM, MDM, VA, NGFW and ATD.
o ForeScout’s capability breadth and certifications give it a strong footing in government accounts; it is well positioned for Continuous Diagnostics & Monitoring programs.

Source: Frost & Sullivan

NE66-74 174 Vendor Profile — ForeScout Technologies, Inc. (continued)

Competitive Opportunities
o As a “next-generation” NAC offering, ForeScout offers extensive capabilities and integrated functionality. The platform has been optimized for mid-tier to large enterprises. Pricing and functionality may leave room for smaller competitors to gain a footing in the SMB market.
o Cisco has made considerable investments in its ISE platform and has significant influence with networking managers. Cisco has the means to bundle its platform to sustain market share in large business, and to leverage its channel partners. Similarly, Aruba can offer its NAC solution to fortify and defend its wireless business.

Source: Frost & Sullivan

NE66-74 175 Vendor Profile—Impulse

Overview
• Privately held, Impulse¹ is headquartered in Lakeland, Florida (with offices in Boston, MA; Los Angeles, CA; Columbia, SC; and Austin, TX). Impulse has been cash-flow positive since 2007.
Impulse Installation and Deployment
• SafeConnect is the central console and NAC platform. SafeConnect is installed as an out-of-line network device appliance.
• Two important advantages to deploying out-of-line are that there is no single point of failure, and the NAC performance is not susceptible to performance bottlenecks or maintenance-related or scheduled network outages.
• There is no custom hardware required. SafeConnect currently runs on a standard Dell R420 enterprise server, and can be deployed as a VMware virtual appliance.
• Designed for remote setup and implementation, an Impulse solution can be installed in a few hours. Deployment can also be executed in a phased-in approach (by IP address/range, subnet, VLAN, OUs) for a non-disruptive transition.
• Automated 802.1X secure on-ramping provides easy access to WPA2 secure wireless and wired networks (please note: 802.1X or WPA2 is not required for SafeConnect to operate, but is fully supported if or when this standard is implemented). SafeConnect can also support a hybrid implementation where some segments of the network have 802.1X installed and others do not.

¹ In previous Frost & Sullivan NAC reports, this company has been referred to as Impulse Point.

Source: Frost & Sullivan

NE66-74 176 Vendor Profile—Impulse (continued)

Impulse Installation and Deployment (continued)
• Impulse solutions deployed in the field constitute a true NAC as a service (NACaaS). What Impulse offers is a turnkey solution where Impulse will supply the virtual NAC appliance as well as the managed service.
• SafeConnect can be integrated with an organization's preferred, best-of-breed intrusion detection and/or vulnerability assessment technology using Impulse’s API to automate custom policies to support agentless baselining and subsequent enforcement in real time.
• Additionally, the Contextual Intelligence Publisher distributes real-time contextual intelligence to other network management and security systems (e.g., web content filters, bandwidth managers, firewalls, SIEM, etc.) that enables single sign-on, one-time authentication, granular policy assignment and enhanced analytics to provide more informed and timely security decisions.
Impulse Approach and Market Positioning
• Self-guided remediation allows users to conform to security policies without help desk support. Impulse claims a dramatic decrease in customer help desk calls (60-90%) when transitioning from an existing NAC or network device registration system to SafeConnect.
• Guest user self-enrollment automates the process of managing network access for guests.
• The Impulse NAC solution offers seamless integration with reduced management. The product is largely transparent except to those who implement the solution.
• Accounting for new devices is relatively easy. For example, when a new iPhone is introduced to the market, Impulse can fingerprint the device months in advance and update the organization’s system.

Source: Frost & Sullivan

NE66-74 177

Vendor Profile—Impulse (continued)

Impulse Approach and Market Positioning (continued)
• Impulse resells Tangoe’s MatrixMobile MDM solution to deliver a comprehensive BYOD managed service solution that combines Mobile Device Management and NAC.
• When that new device shows up, it is automatically recognized and is assigned the appropriate access. The value provided is significant because users do not experience any disruption of service.
• Impulse does not require the purchase of replacement hardware, as refreshed hardware is included if new features are rolled out during the contract period. Similarly, software updates and new versions are free, are applied dynamically, and are included in the base period of the contract.
Product Line
The Impulse approach to NAC has three basic facets:
1. SafeConnect is the larger NAC platform (the platform will shortly be described in greater detail).
2. The Contextual Intelligence Publisher (CIP) provides real-time contextual intelligence pushed to other network management and security systems.
3. Impulse solutions deployed in the field constitute a true NAC as a service (NACaaS).
The vast majority of Impulse customers come from either K-12 educational facilities or colleges. What Impulse offers is a turnkey solution where Impulse will supply the virtual NAC appliance as well as the managed service.

Source: Frost & Sullivan

NE66-74 178 Vendor Profile—Impulse (continued)

SafeConnect NAC
Features of SafeConnect
o SafeConnect securely and efficiently automates BYOD by combining real-time, context-aware and simplified architecture, and remote managed support services.
o Enhances visibility, security, and control over network resources.
o Correlates user identity, device type, location, ownership and compliance over time (contextual intelligence).
o 24x7 proactive managed support including health monitoring and instant updates.
o Custom Policy Builder offers the ability to construct customer-specific policies based on file types, processes, services, and configuration registry settings that exist or don’t exist on designated endpoint devices.
o Customers purchase a device license, an appliance, annual maintenance and installation services.
o The software licenses are offered under a concurrent device model. Customers purchase a license equal to peak concurrent devices connected to the network. Impulse allows customers to “burst” above their license level without penalty or restriction. Customers then “true up” if needed on the maintenance anniversary date. The top 5% highest-usage days are forgiven and not factored into the customer’s licensing count.

Source: Frost & Sullivan

NE66-74 179 Vendor Profile—Impulse (continued)

SafeConnect NAC (continued)
• In terms of scalability, SafeConnect can manage up to 10,000 concurrent endpoint devices on a single server. SafeConnect can be clustered on multiple servers to support enterprise-wide user populations of 300,000 concurrent devices. The system is deployed centrally, negating the need to replicate hardware throughout remote locations of an organization.
Security Efficacy
• Real-time policy assessment of the user’s system prior to granting network access as well as on a continuous basis after access is granted.
• Device type profiling for updates of new operating systems and devices delivered within 48 hours.
• Security policies are assessed prior to access as well as on a continuous basis in real time.
• This provides two significant benefits: users who become non-compliant are isolated immediately. This is inherently more secure because users are not allowed to remain on the network for extended periods. In addition, the user experience is superior because only those users out of compliance with security policies are impacted.
Device Provisioning and Identity Access Control
• Automated, secure WPA2 Enterprise on-boarding of devices.
• User authentication and network access device assignment based on Contextual Intelligence (user identity, device type, location, time, ownership, and compliance) and real-time/historical reporting.

Source: Frost & Sullivan

NE66-74 180 Vendor Profile—Impulse (continued)

Device Security
o SafeConnect offers real-time assessment, enforcement and remediation for Windows and OS X.
o Integration with leading Mobile Device Management systems ensures security, reporting, and management for all mobile devices across the network.
o Detection and blocking of unwanted devices and users. Device type recognition is automated.
Registering Users and Provisions for Access
o User authentication with directory integration.
o Guest Management: various options including self-enrollment.
o Network Address Translation (NAT) Access Point detection and policy management.
Additional SafeConnect Features (continued)
o Check for Anti-Virus and Anti-Spyware: current, updated and running.
o Check for Microsoft OS update policies.
o Detection of P2P file sharing applications.
o Proactive Maintenance Support Services create the turnkey solution, including monitoring, system updates, backup, problem determination and resolution ownership.
o SafeConnect in conjunction with the Contextual Intelligence Publisher (CIP) provides real-time and historical reporting information.

Source: Frost & Sullivan

NE66-74 181 Vendor Profile—Impulse (continued)

New Since January 2013
o Contextual Intelligence Publisher (CIP) delivers correlated device information (identity, device type, location, ownership, policy status over time) to third-party security providers.
o RADIUS-Based Enforcement (RBE) eliminates VLAN steering.
o Enhanced Guest Access allows self-provisioning without help desk involvement for multiple profiles.
o MDMConnect integrates with MDM solutions for MDM policy enforcement and network access assignment.
o OEM partnership for Tangoe to resell SafeConnect as MxNAC with their MatrixMobile solution.
o Updated end user interface web pages.

Source: Frost & Sullivan

NE66-74 182 Vendor Profile—Impulse (continued)

Company Strengths
o The Impulse Experience™. Impulse sees their product ownership as an experience combining real-time contextual intelligence, simplified access control architecture, remote managed support services, and a customer-centric business philosophy.
o Contextual Intelligence™ technology enables correlated user identity, device type, location, ownership and compliance data. This enables policies and informed security decisions at a granular level that are unique to the solution.
o Contextual Intelligence Publisher provides real-time contextual intelligence to other network management and security systems (e.g., web content filters, bandwidth managers, firewalls, SIEM, etc.) that enables single sign-on, one-time authentication, granular policy assignment and enhanced analytics.
o Impulse delivers support and system updates to customers from the cloud. The company is expanding its existing cloud offering with additional services and product configurations.
Challenges
o Impulse has to find a way to convey that its strengths in serving the educational market are applicable to other types of businesses.
o Like other NAC vendors, Impulse will be pressed to establish an international presence.

Source: Frost & Sullivan

NE66-74 183 Vendor Profile—Pulse Secure

Overview
• In July 2014, Juniper Networks sold its Junos Pulse product portfolio to Siris Capital for approximately $250 million.
• On October 2nd, the company launched as Pulse Secure.
• The launch is fundamentally different than a launch for a startup would be. The talent that was in the Junos Pulse division mostly transitioned over to Pulse Secure.
• It is worth noting that the CEO, Andrew Monshaw, does come from Siris Capital.
• Even as Juniper Networks sold the company, Juniper offers ongoing support for legacy clients. As importantly, Juniper will support Pulse Secure in platform developments involving Juniper hardware (switches, routers, etc.).
• At the time of the Pulse Secure launch, the Junos Pulse legacy included more than 20,000 enterprise clients.
• Pulse Secure is headquartered in San Jose, and has branch offices in Massachusetts and India. The company launches with more than 285 employees, and 1,800 channel partners.

Source: Frost & Sullivan

NE66-74 184 Vendor Profile—Pulse Secure (continued)

Product Line
• No Junos Pulse products were dropped and none added in the transition. However, all of the Junos Pulse products were rebranded (including the Juniper Unified Access Control (UAC) for NAC). The new NAC is named Pulse Policy Secure.
• The following are the rebranded technology platforms and product names.
  o Connect Secure SSL VPN includes Pulse Connect Secure Access and MAG Series Gateways and Pulse Connect Virtual Appliances. Pulse VPN Client and Pulse Network Connect are offered for endpoint support and monitoring. Gateways will be rebranded as NeoTerrace gateways.
  o Mobile Secure includes Pulse VPN Client, and Pulse Workspace. For the mobile cloud, Pulse Secure offers Pulse Workspace UI, and the Pulse Mobile Security Suite.
  o Policy Secure NAC (which is the focus of this report) includes Pulse Policy Secure Gateway, which can be implemented on IC Series Unified Access Control (UAC) and MAG Series hardware or as a Virtual Appliance. Pulse Client is used on the endpoint for authentication and collecting endpoint compliance state info. Pulse Steel-Belted RADIUS is the standalone RADIUS server, a separate product available to customers. The Pulse Odyssey Access Client is the older 802.1X supplicant client.

Source: Frost & Sullivan

NE66-74 185 Vendor Profile—Pulse Secure (continued)

Features and Functions
• Pulse Secure will continue to offer the Juniper Networks platform known as Unified Access Control (UAC) under the new name Policy Secure. The features of UAC include:
1. UAC enables customers to use any vendor-agnostic 802.1X-enabled WAP or switch, including Juniper Ethernet switches, Juniper firewalls, or IPS devices.
2. UAC architecture enables a unified policy plane for firewall, VPN, and NAC. UAC supports policy enforcement on the Layer 3 application plane and the L2 plane.
3. The integration with Juniper products is tightest. However, since network integration is based upon industry standards such as 802.1X, RADIUS, IPsec and other open standards, integration with VPNs, firewalls, and switches is possible through OpenAPI. Trusted Network Connect standards are similarly supported.
4. One of the strengths of the Pulse Secure NAC is in an integration with a firewall that can start dropping packets based upon an IP address.
5. Additionally, the firewall becomes “user aware” in a tightly coupled integration.
6. A big differentiator for Policy Secure UAC is support for Interface for Metadata Access Points (IF-MAP). IF-MAP is an open standard created by the Trusted Computing Group that facilitates the sharing of information from different applications (CRM, ERP, supply chain management systems, etc.), and across hardware (switches, servers, routers, etc.).
7. IF-MAP is used by Wall Street to federate ID, and is used in SCADA to track assets.

Source: Frost & Sullivan

NE66-74 186 Vendor Profile—Pulse Secure (continued)

Features and Functions (continued)
8. Along with IF-MAP, the Policy Secure UAC can integrate Syslog feeds. The Pulse NAC is highly deterministic in establishing user ID.
9. The Policy Secure UAC emanated from a classic network design architecture. As such, a Simple Network Management Protocol (SNMP) drop is easy to deploy on a network and can be used to leverage existing RADIUS support for management classifications and device identification.
10. Policy Secure UAC architecture is designed to dynamically create an IPsec tunnel straight to the server.
11. Policy Secure UAC will support networks where client devices will have a service set identifier (SSID) assigned and broadcast on premise.
12. Policy Secure UAC supports several DDI containerization options. DDI stands for Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and Internet Protocol Address Management, commonly referred to simply as IPAM.
13. The platform can use the same VPN sandbox techniques for mobile.
14. Policy Secure UAC integrates with Great Bay Software. Notably, Great Bay keeps an ongoing library of 1,000 endpoint profiles, and can compare 500,000 endpoints against endpoint profiles in a single database. The Great Bay integration also means a user can be on a common Wi-Fi network and still be authenticated through the NAC through an understanding of the device profile.
15. If a user is authenticated through SAML, that person can go to any part of the network that he has access to without having to re-authenticate.

Source: Frost & Sullivan

NE66-74 187 Vendor Profile—Pulse Secure (continued)

Features and Functions (continued)
16. UAC includes dissolvable agents, or customers can use the Pulse multi-service network client for user authentication and endpoint health checks.
17. The Pulse Secure platform can check to see if a jailbreak has been performed on a device.
18. By the end of 2014, the Pulse platform will support BYOD onboarding of personal devices to enroll over Wi-Fi.
19. Pulse Secure (UAC) integrates with OPSWAT GEARS for endpoint security posture checking (notably hard disk encryption, AV, and certificate status).
20. To create an optimal NAC, integration with new VPNs, cloud environments and device profiling is necessary and continuous. Pulse Secure is working with vendors such as Google, Apple, Microsoft and Samsung and other security vendors to expand the ecosystem.

Source: Frost & Sullivan

NE66-74 188 Vendor Profile—Pulse Secure (continued)

Roadmap
• Pulse Secure is the result of the significant investment by Siris Capital. New commitment of capital is integral toward developing the product roadmap:
1. The budget for sales and marketing for Pulse Secure will be 10X the investment made by Juniper Networks year-over-year. The initial R&D budget is 20% of revenues in the first year.
2. For Pulse Secure, the NAC works independently, but its greatest strength is as a UAC. In the presentation to analysts, Pulse Secure identifies product innovation as “key vision pillars.” The key vision pillars are ordered this way:
  o Seamless User Experience ― In the VPN and NAC space, BYOD onboarding, user enrollment and device onboarding need to be automated. The VPN has to offer full support for operating systems with VPN plug-in frameworks built into the OS platform. In mobile, to ensure a seamless user experience, mobile enterprise authorization must natively trigger containerization. An SSO must be valid as a user travels between on-premise networks and cloud-based networks and applications. Finally, the Pulse AppConnect™ SDK needs to be expanded to include more integrations with applications and with MDM platforms.
  o Any Device, Any Application — To achieve this, the Pulse Secure roadmap requires the VPN to integrate HTML5-based remoting capability and security controls. VPN rewriter capability is necessary so that contractors and guest registrants who wish to connect to the network can gain access through a browser. Pulse Secure has to support every major enterprise OS as a single client. Lastly, in mobile, Pulse Secure has to have comprehensive support for containerization and security for any public store mobile application.

Source: Frost & Sullivan

NE66-74 189 Vendor Profile—Pulse Secure (continued)

Roadmap (continued)
  o Access Policy and Control ― The impressive Layer 3 network control and routing layer needs to be extended to non-Juniper equipment solutions. Pulse Secure recognizes the need to build further integrations with SIEM systems. RADIUS Change of Authorization (CoA) is used to allow IT to change the attributes of an active authentication, authorization, and accounting (AAA) session; Pulse Secure is developing greater flexibility and extensibility for RADIUS-based AAA. In mobile, the MDM profile has to change based upon location-based risk.
  o End-to-end Data Security — In total, the Pulse Secure platform is designed to protect data on the device, application, and network communication layers. Pulse Secure supports virtualization and sandboxing technologies. The aspirations in mobile include frictionless containerization options for mobile apps and making per-app VPN ubiquitous and easy to enable. VPN support must be both always-on and available on-demand.

Key Initiatives 2015
o Enabling cloud-based central management and monitoring for NAC and VPN.
o A single sign-on grants access for on-premises, mobile, and cloud applications.
o Built-in HTML5 proxy support for the platform.
o Pulse Secure NAC integration with other security platforms.
o In the conceptual roadmap (but not committed) are cloud-based compliance reporting, enhanced VoIP support, and augmented profiling options.

Source: Frost & Sullivan

NE66-74 190 Vendor Profile—Pulse Secure (continued)

MobileSpaces Acquisition
o On October 2, 2014, Pulse Secure announced the acquisition of MobileSpaces.
o At the time of this writing, much is to be determined about the acquisition. As a standalone business, MobileSpaces could offer its mobile app containerization service to any enterprise or security vendor willing to license it. In other words, exclusivity has not been determined.
o MobileSpaces will be rebranded under the new Pulse Secure company and product portfolio.
o However, the Pulse Secure acquisition of MobileSpaces is the result of a standing partnership that Juniper Networks had, at the time, with MobileSpaces in developing BYOD solutions.
o The MobileSpaces press release describes its capability this way (verbatim): “Downloaded to a smartphone or tablet as an app, MobileSpaces creates a virtual partition that separates enterprise and employee data while also providing a secure BYOD workspace for native or enterprise apps on any Android or iOS device.”
o The MobileSpaces proprietary App Virtualization resides between software and the OS.
o MDM service providers use a technique called app wrapping, which is the process of applying a management layer to a mobile app without requiring any changes to the underlying application.
o However, the app has to be known and trusted. Conventional MDM service suppliers are likely to wrap between 50-100 applications. The problem is that many enterprises have their own customized apps for things like CRM, directories, and file management.
o Many commonly used applications like mobile SAP for Oracle will not have an app wrap solution.

Source: Frost & Sullivan

NE66-74 191

Vendor Profile—Pulse Secure (continued)

MobileSpaces Acquisition (continued)
o All work data is encrypted at rest (importantly, if a person leaves a company, sensitive data cannot be accessed from a phone or tablet).
o The App Virtualization is also a control policy plane.
  1. Enterprises can connect native business apps to campus, data center and cloud applications and services.
  2. Likewise, a connected device can be connected seamlessly to a VPN, a data center or a secure cloud environment.
  3. Conversely, the app policy will not allow connectivity outside of an approved container.
  4. The App Virtualization uses a set of certificates to get users to log back on again.
  5. If a situation occurs where a “wipe” of a BYOD device is necessary, personal data will not be wiped from the device.
o A second point of pain addressed by MobileSpaces is Android fragmentation. Apple products can share data through the Apple Push Notification Service.
o No such service exists for Android devices, except through the App Virtualization layer in MobileSpaces.
o Pertaining to the Pulse Secure NAC, the MobileSpaces App Virtualization is already a native feature of the NAC. The application layer is a value-added service.


Vendor Profile—Pulse Secure (continued)

MobileSpaces Acquisition (continued)
o The ability to create a virtual environment (sandbox) around a mobile device is an important containerization capability.
o The apparent aspiration going forward is to roll App Virtualization up into the single-console management of the Pulse Secure UAC platform.
o Endpoint fidelity needs to be established. If an end user has jailbroken the device, this should be visible to the central admin.
o Visibility needs to be extended to endpoint devices in cloud environments and data centers.

Vendor Profile—Pulse Secure (continued)

Revenue Breakout
• Juniper Networks was especially successful with Enterprise accounts, and the company had a high profile in healthcare and with the Federal government.
• The Junos Pulse UAC in federal government settings often had the most complex installation requirements in terms of BYOD and containerization.

Key Partnerships and Product Integrations
o Integrated with MobileIron and AirWatch MDM.
o Integrations with GreatBay and OPSWAT provide endpoint security posture checking and endpoint profiling capabilities.
o Can establish a firelink through FireEye and integrates with a Splunk SIEM.

Vendor Profile—Pulse Secure (continued)

Company Strengths
o The Policy Secure UAC offers a unified policy plane across NAC, VPN, and mobile.
o The integration with the Juniper SRX firewall creates a user-aware firewall, reducing false negatives and providing an additional security layer.
o The acquisition by Siris Capital brings new vigor into the organization.
o IF-MAP is an optional system used for ID federation, asset discovery, and network mapping.
o Gateway enforcement policies prevent rogue apps from coming onto the network (Angry Birds, for instance, never makes it onto the network).
o If a guest registrant, contractor, or even an employee needs access to a network, access can be provided through a browser.
o Pulse Secure will continue to support open standards.


Vendor Profile—Pulse Secure (continued)

Competitor Opportunities
o The elephant in the room is how the newly formed company will be perceived by current customers and prospective clients.
o While the Pulse Secure UAC architecture supports open standards and interoperability with other vendors, the solution offers more integration with Juniper network equipment.
o Juniper UAC was widely perceived to be more complex than competing NAC solutions. Administrators need to configure RADIUS, 802.1X, and Active Directory manually.
o While Policy Secure (UAC) provides comprehensive NAC for virtualized environments, it currently does not integrate with virtual management platforms such as vSphere.

Appendix

Market Engineering Methodology

One of Frost & Sullivan’s core deliverables is its Market Engineering studies. They are based on our proprietary Market Engineering Methodology. This approach, developed across 50 years of experience assessing global markets, applies engineering rigor to the often nebulous art of market forecasting and interpretation.

A detailed description of the methodology can be found here.

Abbreviations

Acronym   Spelled Out
AAA       authentication, authorization, and accounting
ACL       access control list
API       application programming interface
ATD       advanced threat detection
BYOD      bring-your-own-device
CAGR      compound annual growth rate
CISO      chief information security officer
CMDB      configuration management database
CSRF      cross-site request forgery
DDoS      (distributed) denial-of-service attack (DoS attack)
DHCP      Dynamic Host Configuration Protocol
DNS       domain name system
EAP       extensible authentication protocol
EMM       enterprise mobility manager
GPON      Gigabit passive optical network
HIPAA     Health Insurance Portability and Accountability Act
HTTP      hypertext transfer protocol
IDS/IPS   intrusion detection/intrusion prevention systems
iOS       operating system for iDevices (Apple)
LAN       local area network
LDAP      lightweight directory access protocol
MAC       media access control
MDM       mobile device management
MPLS      multiprotocol label switching
MSSP      managed security service providers
NAC       network access control
NAP       Network Access Protection (Microsoft)
NBAD      network behavior anomaly detection
NERC      North American Electric Reliability Corporation
NGFW      next-generation firewall

Abbreviations (continued)

Acronym   Spelled Out
NIST      National Institute of Standards and Technology
NMAP      Network Mapper
OS        operating system
P2P       peer-to-peer
PCI DSS   Payment Card Industry Data Security Standard
PoE       Power over Ethernet
RADIUS    remote authentication dial-in user service
SaaS      software-as-a-service
SAML      security assertion markup language
SIEM      security information and event management
SMB       small-to-medium business
SNMP      simple network management protocol
SOAP      Simple Object Access Protocol
SOC       security operations center
SOX       Sarbanes-Oxley Act
SPAN      switched port analyzer
SSID      service set identifier
SXP       Source-Group eXchange Protocol
TACACS    terminal access controller access-control system
TEAP      tunneled extensible authentication protocol
VAR       value-added reseller
VLAN      virtual local area network
VM        vulnerability management
VPN       virtual private network
WAP       wireless application protocol
WPA       Wi-Fi Protected Access
XML       extensible markup language

List of Companies Included in “Others”

• Auconet
• Avaya Networks
• Extreme Networks
• Impulse
• InfoExpress
• macmon secure gmbh
• Portnox
• StillSecure
• Trustwave

Partial List of Companies Interviewed

• Aruba Networks
• Auconet
• Avaya Networks
• Bradford Networks
• Cisco
• Extreme Networks
• ForeScout Technologies
• Impulse
• OPSWAT
• Portnox
• Promisec
• Pulse Secure
