12 posts categorized "Richard Stiennon"

July 24, 2008

In the great NAC debate, Snyder KOs Stiennon in the first round!

Just got done reading the transcript of yesterday's great NAC debate between Joel Snyder and Richard Stiennon. As I predicted, Snyder scored a knockout early on and it was mostly over from that point on. The knockout came earlier than I expected though, right off the first question. Each combatant was asked to define NAC and that was when it happened. Richard brought an EPAC (end point access control) to a NAC fight. That was akin to him bringing a rubber knife to a gun fight. A quick bullet between the eyes by Snyder and it was almost painlessly over for Richard.

I have been preaching for some time about what I call complete NAC. That is a complete network access control solution, not just network admission control and certainly not end point access control.  It is not an evil plot to extend Cisco/Microsoft dominance and most importantly Richard, no one and let me say this again, no one has ever said that NAC negates the need for a layered security model.  NAC is just another layer in that model.  Richard’s comments deriding the .edu and .mil markets were also laughable.  Richard, have you ever heard the term military grade?  Are you seriously trying to say that enterprises take security more seriously than the military does?  Come on now Richard.

The bottom line is Joel Snyder is not only a sharp dude technically, but is street savvy enough to run circles around my friend Richard. He made Richard stay focused on the question at hand, did not let him wander and so Richard had to face reality a bit. I am sure Richard will still say NAC is useless and will admonish people about hanging out with the likes of the StillSecure crowd, but I guess some things will just never change. Except, I don’t think Richard will be in any more of these bouts. Maybe he can start selling a grill that takes the fat out of meat or perhaps a reality TV show like the other washed up palookas?

July 17, 2008

Just so you know it is not me

I know many of you think I am like a Pavlovian dog the way I respond to Richard Stiennon's anti-NAC vitriol. After my last article, I really decided to just lay off Richard. But just to show you that it is not me, I wanted to point out Richard's recent attack on Grant Hartline, CTO of Mirage Networks. Grant blogs and put up an article regarding the latest exchange between Richard and me. Both Richard and I commented. Check out Richard's expletive-laced reply that I think shows just how unhinged he has become on this subject. Richard rambles and stumbles, taking shots at anyone he can. I am telling you, he is really losing it.

In the meantime based on this, I am going to change my prediction on the great debate and say Joel Snyder in 2!


July 10, 2008

You want the truth, you can't handle the truth!

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco’s network admission control, circa Dec ‘03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard’s latest NAC knock comes on a comment to an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard, being an ex-analyst himself (let's face it, with Richard you can take the man out of the analyst job, but you can’t take the analyst out of the man), takes exception to Hoff’s “whining” (Richard's words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts is to prove them wrong. Great, Richard, you try to prove them wrong, when because of what they report you don’t have a market, can’t get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

“Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.”

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth.  Richard the fact is that the edu market is not the only viable market for NAC.  In fact, one of the biggest customers of NAC is the DoD.  That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can’t handle the truth!  You sleep securely under the blanket of protection that NAC provides.  If it is good enough to help “clean the sand” out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don’t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like, Richard. Why do you think every switch vendor (many of which we partner with) is lining up and bringing out NAC solutions? Why has Microsoft put such a big push on NAP? Why despite the Luddites like you does NAC still draw crowds at conferences like Interop (ask Joel about that)? Richard, we are still signing new major OEM partners. I am afraid you are the one sadly out of touch on this one, Richard. Just as you are out of touch in missing Hoff’s point in his article.

As to Hoff’s article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to “learn” from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendor's word as gospel. I have seen research reports from analysts big and small, that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next, analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live “pet” customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy.  But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.


June 14, 2008

If Rohati is King Arthur, what does that make Stiennon ...

Sir Lancelot or Guinevere? Hey, don't laugh, it could happen to you. In the meantime what has Richard so hot and bothered that he is ascribing mythical qualities to Rohati? It seems they are using a layer 4 to 7 firewall to control access to applications. They call it network based entitlement control. I wonder how they stack up to Palo Alto Networks and some of the other next gen application aware, access control firewall products. From what I understand Nevis Networks and ConSentry can do similar things with the firewalls in their secure switches.

Nevertheless Rohati has gotten some good press, albeit with most coverage carping on the fact that they are founded by former Cisco employees (there are enough former Cisco employees to found many companies I would think). I do think that application aware access control is of tremendous value and this technology will find its way into many technologies. It is a logical extension of identity based access control. 

As usual though Richard can't resist taking a few cheap shots at NAC vendors. In Richard's idyllic view of Camelot, somehow performing pre-connect health or integrity tests is the devil's own work. Richard will just admit that these tests have value and people want them. They do not preclude doing the rest of the job of access control that Richard seems to approve of though. Alas, Richard and I have danced this dance before though and I am not going to get into the why it is important. In fact, here is a new tack for you Richard, it is not important. If you are not going to be convinced, forget about them. Look beyond admission control tests at what NAC vendors offer around access control and you may find similar type of technology to Rohati in the near future.

Until then though, Richard, let me paraphrase Merlin from the movie Camelot: "Never be too disturbed if you don't understand what a former analyst is thinking. They don't do it very often."


May 05, 2008

Frost and Sullivan agrees that NAC has begun the climb to enlightenment

Frost & Sullivan is the latest analyst firm to note that NAC is coming on through to the other side. They say, "As common misperceptions are dispelled and NAC gains acceptance as a key part of network security, these technologies become the center of a highly competitive and lucrative market ..". They have released a new report according to this article in Trading Markets. The report further states, "NAC has made its mark in the market to such an extent that more participants have entered the NAC space. In the near future, this growth phase of the market will get a strong boost from the entry of major participants."  The report goes on to say, "NAC has proved its worth as an enterprise security product that can effectively enforce security policies. Now that many third-party product evaluations and customer reviews are available, customers can make well-informed decisions and purchase a superior NAC product. This also expects to help drive the market."

OK, enough quotes from the article.  My point is that despite the ramblings of the naysayers like my friend Stiennon, there is a gathering storm of evidence and commentary showing NAC is real, it works and it is valuable.

May 02, 2008

Stiennon says NAC is dead - I must be in heaven!

That gadfly of the security world, Richard Stiennon, says NAC is dead. In fact he says NAC actually never was and never will be. Of course, this is the same Richard Stiennon who said IDS was dead so many years ago. If NAC is only half as alive as IDS has been, I would be very happy. Why do I call Richard a gadfly? Because Richard's MO is trying to find what the next hot thing is and to jump on it, then another hot thing comes by, he runs to that and so on and so on. He thought anti-spyware was big and joined Webroot; after a relatively short time there he left. He then took a whirl at his own analyst firm, when a few others were forging a new breed of analyst firm, and after a short time doing that moved on again. He then was CMO at Fortinet and again after a short time left there too. Now he is the CEO of an MSSP (hey, I hear SaaS is the next big thing); how long this will keep his attention or the powers that be keep him on is anybody's guess. But if past track record is any indication, Richard will hop on the next big thing sometime next year. I mention this because fundamentally I think Richard's attention span or maturation horizon is why he does not see that NAC is marching on.

As you can probably guess I strongly disagree with Richard's opinion on this one. However, to understand why, some clarification is necessary:

1. Richard is mixing metaphors with Network Admission Control and Network Access Control. Both are NAC. Admission control was coined by Cisco, access control was first used by Gartner I believe. Richard seems to indicate that admission control is bad, access control or at least some definitions of it are OK. More importantly, Richard uses admission control as a code word for pre-connect health checks, access control for identity based and post-connect control. I think both are very important and as I have said many times a good NAC solution needs all of these.

2. NAC vendors being depressed, etc. Yes Richard, some NAC vendors not making it are depressed and having layoffs and hard times. That is the way of capitalism and competitive markets I am afraid. There are winners and losers. I would bet that even in the $500 million/year UTM market that you spent a whole year in, there are some vendors who are just not making it and would be classified as depressed.

3. Gartner says several NAC vendors are getting traction. They recently released a marketscope on NAC and sorry Richard, but StillSecure is one of the few out of 17 vendors which was given a positive rating, the highest rating Gartner gave. BTW Richard in that same marketscope your "buddies at Gartner" estimated the NAC market at $225m for 2007 and expect 100 percent growth in 2008. In case your calculator is not handy Richard, that should put NAC around the $450m mark in 2008. Not that different than the number for the UTM space that you use in your article. Hopefully that will allow you to put your "magnifying spectacles" away, unless there is something else that you would want to make look bigger than it is.

4. NAC being created by Cisco in 2003 to solve the worm problem. Richard, perhaps that is why Cisco did NAC. BTW, they announced in like November or December, 2003. We released Safe Access in April 2004. It was under development for at least 12 months before that. We did not call it NAC of course, our working title was endpoint policy compliance. Richard, today Safe Access solves that same problem, endpoint policy compliance. We have not deviated from our original plans around this from day one. It is purpose built to solve a problem that customer after customer told us they wanted a solution to. Maybe that is why we have had success with the product.

We did not jump on the latest, hottest thing bandwagon. In fact I have found that companies and people who jump on the latest big thing, inevitably fail. You cannot time the stock market or the technology market. The NAC market is a perfect example of this. Companies who have taken products that were not successful in another incarnation and morphed them into a NAC product are the companies that are failing. Maybe I am more of an EF Hutton type than you are Richard, but I believe in building a company the old fashioned way. Find a problem that customers are willing to pay for a solution for. Then build that solution and bring it to market and work hard making it the best it can be. If you did your research right and you built the right product, the market will come to you. It may take longer than you think, but if you keep at it, cream always rises to the top and quality always wins. You cannot win running to the next big thing, see through what you start to the finish. Richard if you want to consider that some free advice, take it!

5. NAC is only for the .edu market. Again Richard, take some time to dig in here. Yes the edu market is a big adopter of NAC. But let me give you some other examples. Any network that will have a large number of unmanaged visitors or guests is going to be fertile ground for NAC. That includes the government sector, where many users are contractors or visitors. I know you have much disdain for the federal government's IT security practices Richard, but if you spend a little time (there is that phrase again) digging in to what they are doing, you will see that NAC does indeed solve a real security problem for them and is why we have had a great deal of success in the government vertical.

Richard no one ever claimed that NAC is a reason to avoid other security tools. Just the opposite, NAC should work with and leverage your existing network infrastructure and security technologies.

6. NAC does not tie you down to one vendor's eco-system if you don't want it to. The TCG/NAP interoperability and now the new IETF standards are bringing one standard to NAC. It does not tie you down, but frankly in case you haven't noticed with all of the moving around, Microsoft already has you pretty tied to one vendor's eco-system and frankly Cisco has you pretty tied to another. Don't be so naive Richard.

BTW, I notice you like what ConSentry and Nevis do without quarantine. While neither of those companies are apparently setting the world on fire as secure switches, you should check out our white paper on a phased approach to NAC that talks about NAC being more than quarantine. You can get it here.

Author's note: BTW Richard, while I am chief blogger here at StillSecure, my official title is chief strategy officer and I have been working here for about 7 years now.

Is NAC clawing its way up the "slope of enlightenment"?

It's no secret that over the past year it has been quite fashionable to bash NAC. It has not lived up to the hype. It is not the promised silver bullet. Some companies in the market went belly up. Yes, yes and true. But as I have said all along this was I think just the natural evolution of a technology as it matures. There was no way it could live up to the over hype that it was saddled with. Those who spoke about it realistically always said it was not the next "great white hope" of security, just another arrow in the quiver. However, the reason that people got excited about NAC was that at a rather simple level it was very easy to describe the problem it was trying to solve. As it turns out, solving that simple problem takes a rather complex solution, no matter how you slice it.

In the end though what we have seen in the NAC market is textbook hype cycle. The technology triggers for NAC were previously unseen numbers of guests having legitimate reasons to access the network; the spread of malware not through downloading via the Internet, but by introduction via devices logging on; and the need, for compliance or otherwise, to enforce access policies, with the network technologies to make it happen. With Cisco announcing their Network Admission Control program in December, 2003 and Microsoft announcing NAP that summer (interesting that it would be years before either one was actually available) NAC buzz went through a big bang expansion to the very height of inflated expectations. What goes up, must come down and NAC certainly has been dragged into the trough of disillusionment. However, the inherent appeal of the problems it can solve continues to drive customers and interest. Now we are seeing real signs of NAC emerging into the slope of enlightenment on the way to the plateau of productivity.

What has got me so optimistic?  It is a variety of things.  Let me list them:

1. Network Computing's 3rd annual NAC survey which while it shows demand is down for NAC from past years, it is still substantial and appears to be deeper if not as wide. It also has several other metrics that show people are being more realistic in what they want to accomplish with NAC and have more confidence that it will work.

2. Forrester's new report that shows that customers think NAC is mature enough to be ready for more wide scale deployments. Remember this is the same Forrester who said that NAC as we know it would fail last year. Has NAC changed so much in a year or has Forrester?

3. That Ebenezer Scrooge of NAC, Mike Rothman, actually admits that maybe we are seeing some progress with less inflated expectations with NAC. What could be next, the NAC Grinch, Richard Stiennon admitting it might be OK as well. Here is my prediction: When Rich's new MSSP can make money offering a managed NAC service, Richard will jump on the NAC bandwagon with bells on.

4. My own observations at Interop, RSA, SANS and other events where I spoke to real live potential customers.  I have personally seen a marked upturn in the amount of real NAC projects that we see coming into both our partners and our sales pipelines. I assume that other NAC products are seeing the same pick up.

All of this is very gratifying to see after the bashing NAC has taken.  Now it is onwards and upwards to the plateau of productivity.   See you there!

October 18, 2007

Stiennon lays the blame on the military, but if you think your feet hurt now, walk a mile in their shoes

Richard Stiennon fires a broadside at the US military in his latest post on his ZDNet Threat Chaos blog. Seems that at a recent trade show poor Richard, after being on his feet for far too long, was accosted by the CIO of one of the branches of our military. The CIO took Richard to task as another security vendor "...trying to sell us a new box, you are a money hole we keep spending on but we still get hacked”. Reading between the lines, Richard did not respond to the man in the manner he wanted to at the time, so now lays out his response in his post. Richard, did you not have your response formulated when the CIO confronted you, or did you think it the better part of valor not to go toe to toe with him? I would hate to think you are hiding behind your blog and not saying anything you wouldn't say in person.

Not to wrap myself in the flag, but let me pull an Otter from Animal House (watch the YouTube video for a refresher). Richard, don't blame the over-worked, underpaid military information assurance people for the failing FISMA scores they receive. I am not sure how much business Fortinet does in the federal sector (not sure if foreign ownership or anything plays in here), but we have done a lot of business with the DoD and the military over the last few years. I can tell you that by and large, the people responsible for the security of the networks of the American Military are genuine American heroes worthy of our respect and praise, not our scorn. They are oftentimes undertrained and making do with less budget, as money is shifted towards the war. They are saddled with a bureaucracy that adds time and money to their selection and procurement process. They have to fight their own internal wars over risk management versus ease of use. In spite of all this they do a damn fine job. Their networks see volumes of attacks that most private sector security folks would only dream of in their worst nightmares. Yes we may hear now and then about some attack or incident, but compared to what they are defending against, they are doing great things on the cyberwarfare front lines every day.

Richard I understand that this CIO touched on one of your hot buttons.  But, if you think your feet hurt now from standing for too many hours at some Gartner trade show in Orlando, how do you think they will feel having walked a mile in the shoes of an information assurance officer stationed in Southwest Asia? 

September 19, 2007

Self-selecting or selecting self?

There has been a bit of a brouhaha lately over the Jericho Forum and the amazing shrinking, disappearing, shifting, changing, eternal (take your pick) perimeter. It started with Chris Hoff teeing off on Rich Mogull. Rich had a get out of jail free card while he was still at Gartner, as not even Hoff while working for a vendor, would piss off a Gartner dude. However, the Teflon is gone and Hoff is on. He took umbrage with Rich's views on the Jericho folks. I was going to jump in, but every time I disagree with the Hoff man lately he accuses me of going off my meds. No doubt Hoff can write a mean rhyme and a long blog post. But sometimes he is so deep in the doo-do, that he kind of loses some of the subtler points being made. Anyway, I digress. What got this party started was another former Gartner dude weighing in, Rich Stiennon. For those who do not know, Chris and Rich Stiennon have a long history of antagonizing each other. Anyway, Dan Weber then brings up a point I wanted to comment on in Rich Stiennon's comments. Rich ends his article with this:

I work for a vendor of network perimeter security appliances. But, keep in mind, I would not be working for a perimeter defense company if I did not truly believe that the answer lies in protecting our networks. If I believed otherwise I would work for a de-perimeterization vendor, if I could find one. :-)

Dan calls BS on this and I agree 100%. I don't believe for a second that Rich went to work at Fortinet because of his belief in the sanctity of the perimeter. I think if Rich worked for an anti-spyware company (wait, he already did that, didn't he), he would be all for anti-spyware. If he worked for an endpoint provider he would be a big supporter of endpoint security. Let's be clear, it is not only Rich. Many folks in the security sphere claim that they came to work where they did because of their deeply held beliefs in the supremacy of their company's technology and approach. I say give me a break people. You like it because it is yours and it is paying the bills. Let's be open and honest about it. That would be a good place to start.

August 14, 2007

Tonight playing the role of Carnac the Magnificent, . . .

take your pick. Stiennon, Rothman, Rob Newby from over in Spain or how about yours truly. To me, whenever I see people trying to make long range predictions of what is going to happen in any market, I think Johnny Carson probably had as good a chance of being right as any of these understudies. In my mind there is the next 24 to 36 months. Beyond that is better left to Nostradamus, Carnac and the like. Who knows what kind of devices we will be using for access by then. This alone makes it hard to predict that far out.

However, let me audition for the role here a bit.  I agree with Richard on two things.  First of all I don't think innovation is dead in security. I think venture money may be harder to come by for security start ups, but there are lots of ideas out there for new security methods and even more ideas to combine existing security technologies in ways that have not been done before and will result in more effective and efficient security.  I also agree with Richard that security as a service is going to be hot. However, I have seen this pendulum swing before. I think services will heat up and then over time cool off, as people realize it is not any cheaper and gives them less control over their own security. A fact of life is that as the mice get smarter, we need smarter mouse traps.  This is also a fact of life in security.  As the bad guys figure out new vectors in, we have to figure out smarter ways of preventing and detecting them.

I disagree with Mike and Richard that security as a stand alone goes away. I think there are going to be pure play security companies that specialize in protection. I think that there will always be smaller security companies getting swallowed up by the bigger boys. This sort of farm league of security allows the bigger companies to buy innovation, rather than having to innovate themselves. Many larger technology companies are going to want in on the security market, so you may see them entering the market via acquisition like EMC a few years back.

I totally agree with Rob Newby about a generic platform on generic hardware "that we can turn into whatever device we want, anywhere in the network".  That actually sounds very much like Cobia. I think virtualization and multi-core technology is going to make that happen. I also think open source and "freemium" applications are going to make themselves felt in security, even more than now.  Of course convergence with networking will make security more ubiquitous, but it will not just be blended in.

Beyond that, your guess is probably as good as mine. One thing for sure though is that don't worry about Rothman or me, we will find a way to live off of the fat of the land somehow.

July 17, 2007

UTM - does it add more to your security or consolidate your security?

At the risk of pissing off Hoff, I am going to agree with Richard Stiennon twice in a row. First his article in SC Magazine last month read like a marketing piece for Cobia, now his most recent post in his Threat Chaos blog on ZDNet has some great points on UTM. Richard's points that I agree with are:

1. UTM comes down to a best-of-breed versus suite decision. Can a UTM really provide a best in class solution for each type of security application on board? Hoff and the Crossbeam gang have built their business on that, but does it scale down from large corporations and carriers to the rest of the world? Also, as Richard points to a point made by Barry Shteiman, can just OEM'ing or piling on applications without any integration or synergies be effective long term? I think first generation UTMs just piled up lots of security applications. I think the market is going to demand integration and one plus one equals three value in the near future.

2. Does UTM add to security or consolidate security?  Richard points out that the Asian security market is immature enough that a UTM is actually bringing new security functionality to customers. In more mature markets, UTM just consolidates existing security apps in one box. I can see this, but I think I disagree a bit.  I think most people buy UTM for one or two security applications and get the rest "for free".  Many of them are almost throw ins.

3. Spam and content filtering are real drivers in the UTM market.  Too many of us seem to focus on the firewall, IDS and AV applications. Meanwhile spam and content filtering are very important to many UTM buyers.  This is a great lesson for us with Cobia.

4. Finally, Richard is still fighting the "is UTM for the biggest enterprises" fight. Hoff gets violent about this one and I am sure Richard in his own mid-western way gets downright feisty, but people still want to know.

June 22, 2007

Long live the revolution!

Rich Stiennon is someone that I have blogged a lot about. Of course Rich is perhaps best known for his "IDS is dead" prediction while at Gartner. Over the last few years, Rich and I have gone back and forth on NAC and his secure network fabric concept. But I think history may record another Stiennon prediction as perhaps his most insightful. But if they do, let them also record, StillSecure was there first!

Rich writes in SC Magazine today about his vision of the 4th generation of UTM. Now I am not going to say that Rich took his idea from us (I was on a UTM panel with him at RSA), but this article reads like a Cobia PR piece.  Let me give you some quotes here:

We are rapidly approaching the advent of the fourth generation security platform. This is a device that can do all of the security functions that are lumped in to UTM but are also excellent network devices at layers two and three. They act as a switch and a router. They supplant traditional network devices while providing security at all levels. Their inherent architectural flexibility makes them easy to fit into existing environments and even make some things possible that were never possible before. For instance a large enterprise with several business units could deploy these advanced networking/security devices at the core and assign virtual security domains to each business unit while performing content filtering and firewalling between each virtual domain, thus segmenting the business units and maximizing the investment in core security devices.

One geologic shift that will occur thanks to the advent of these fourth generation security platforms is that networking vendors will be playing catch up, trying to patch more and more security functions into their under-powered devices or complicating their go to market message with a plethora of boxes while the security platform vendors will quickly and easily add networking functionality to their devices.

Fourth generation network security platforms will evolve beyond stand alone security appliances to encompass routing and switching as well. This new generation of devices will impact the networking industry it scrambles to acquire the expertise in security and shift their business model from commodity switching and routing to value add networking and protection capabilities.

I swear, if Rich would have mentioned open source and Moore's Law providing the horsepower to make this happen, I would have sent him a check from the Cobia marketing budget!

But let's not be naive. If Rich is writing this, you can bet his employer, Fortinet, will be coming out with a network/security convergence box shortly. We already have almost 2 years into Cobia development and welcome the company. It will be interesting to see if Fortinet tries to do everything themselves or opens up the platform for 3rd parties. In any event, another prescient prediction from Stiennon. Maybe this will go down as the beginning of the secure networking revolution.

May 16, 2007

Richard Stiennon comments on Amrit's NAC post

I decided to do Rich the favor and list his comments into the center section for everyone to see. I don't agree with Richard on this (that is no secret) but wanted to give his point of view its due. So Amrit has his take, Richard his and I mine. That's what makes the world go round!

Too bad one can't comment at Enterprise Systems. So I'll comment here instead! You have to admit Amrit lays out his arguments pretty well even though they are tainted by a configuration management perspective. But, you know what? NAC is all about configuration management. The way it is being promulgated (Thank you FireFox for in-line spell checking!) NAC addresses the issue of out-of-policy devices and what to do with them. Security is a side issue although the vendors like to push that aspect. But NAC cannot address security issues beyond the prevention of the spread of a worm or virus - at the expense of loss of productivity.

To me the issue is: After investing all that money in NAC what have you done to counter the threat of a healthy machine being used to attack you?

Yes, configuration management, NAC, and security all overlap. But I would draw the diagram with NAC inside Config Management and both intersecting a small piece of security.


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
