The Ashimmy Blog

Tim Greene returns with a good column on NAC today, entitled "Who's in charge of NAC". Tim hits on one of the real life lessons learned when you try to sell NAC.  That is who is in charge of it.  Initially, here at StillSecure we were trying to sell NAC through the security team.  However, it became clear to us that NAC went beyond the security teams charter and more importantly, their budget! 

The network team had to be on board with any NAC project for two key reasons:

1. They were had to give permission for anything to run on the network.  Anything effecting who and what gets on the network or not comes under their control.  Anything that has the potential to cause network down time, has to have their blessing as well.

2. More importantly, their budget dwarfed what the poor security guys had to spend.  More often then not, NAC was paid for out of the network groups budget.

Another group that was crucial was the desktop help folks.  They were the ones who were going to help shape the policies and answer the calls when people were quarantined.  If they did not understand what was going on and how they could manage it and have input, no NAC implementation would be successful.

Tim says a successful NAC deployment requires the following:

* A budgeting plan that may extend over more than one fiscal year.

* Defining roles of the various teams involved in the deployment.

* Training and cross-training staff to administer NAC.

* A technology plan that takes into account that NAC is a young and evolving technology that won’t be fully cooked for several years.

* Involve business units because NAC requires a balance between the work a corporation has to get done to earn revenue and the need to protect the network and data.

Good advice from Tim. I personally always like to follow the money, so would emphasize making doubly sure that who ever has the budget for this is firmly on board and leading the charge.