
News Blog

March 21, 2008 10:20 AM PDT

Analyzing the shut down of Lockdown

by Jon Oltsik

Lockdown Networks, a network access control (NAC) appliance vendor, shut its doors earlier this week. In just a few days, I've read a number of statements about the meaning of this event. A tech meltdown? The end of the NAC market?

Nope, it's nothing that bold or startling. To me, the ramifications are pretty simple:

• It's hard to succeed when you change horses in the middle of a stream.

When I first became familiar with Lockdown, the company was focused on vulnerability scanning to compete with companies like Foundstone, ISS, and Qualys. When this didn't work, Lockdown reinvented itself as a NAC appliance vendor. Anytime a start-up pulls an about-face like this, it is a sure sign of trouble. There are exceptions like F5 and Ingrian, which successfully went through an extreme makeover, but the vast majority of companies fail.

• When the big guys refer to your core functionality as a "product feature," you are in big trouble.

NAC appliance vendors used to compete with one another. Now they compete with Cisco Systems, Hewlett Packard, Juniper Networks, and Nortel Networks, companies whose NAC features work with their devices, traffic management tools, and administrative consoles. As NAC moves from a tactical implementation to a strategic enterprise initiative, the appliance guys simply can't compete.

• This is a sign of an over-invested industry.

Lord knows why VCs invested in the sixth or seventh NAC appliance vendor a few years ago, but they did. The Lockdown failure follows the fire sale of Caymas Systems' assets to Citrix Systems last year, and others are sure to follow soon. I look across numerous other security niches and see the same thing. There are lots of 3-year-old start-ups with $40 million worth of investments, doing between $8 million and $10 million in revenue. What's the exit strategy for these guys? Seems to me that they either luck out through an acquisition (very few), go through VC extortion, recap and take a bath on shares, or die on the vine. Lockdown suffered the worst fate possible.

Now that I've voiced my opinion on what the demise of Lockdown means, let me be clear on what it doesn't mean. "Out of business" signs at Lockdown don't indicate that the NAC market isn't real--far from it.

Large organizations absolutely want to control who gets access to the network; they just want to centralize these policies and enforce them within the existing network architecture. Networks continue to get smarter, but the same can't always be said for entrepreneurs, investors, and (dare I say) analysts.

July 17, 2007 11:57 AM PDT

SISA announcement hot by summer standards

by Jon Oltsik

As we head into the dog days of summer, most technology announcements are lukewarm at best. Usually vendors save their juicy stuff for September and the push toward the end of the year.

With that as a backdrop, one announcement last week may have been a curious exception to this rule. Cisco, EMC, and Microsoft got together with a few others and announced the Secure Information Sharing Architecture (SISA). What is SISA? The press release defines it as a "commercial off-the-shelf architecture that was created to make data easily, and securely shared among multinational environments."

Pretty vague, I know, but in reading between the lines, SISA seems to be the beginning of a multi-vendor architecture that blends the best of Network Access Control, user authentication, network directories, and enterprise DRM. Combining these technologies could make it easier to enforce business policy rules without getting mired in multiple layers of technology. Want to add a new consultant to a project? SISA provides a framework that would streamline user provisioning, security enforcement and rights management. Mapping business initiatives with security policies gets a whole lot easier.

So will it work? Sounds good, but this initiative hasn't led to market ga-ga like the iPhone announcement. The architecture needs a lot more clarity and the group needs more participants. What about IBM's participation for document and identity management? Where are Oracle and Adobe? How about the Trusted Computing Group's Trusted Network Connect? MIA so far.

It's too early to tell whether SISA is a passing summer fling or the real deal. But Cisco, EMC, and Microsoft are definitely on to something here. We need better standards and frameworks to consolidate access controls, privacy, and security up and down the technology stack. Next-generation business processes depend upon this happening. SISA may or may not become real, but I guarantee that something resembling SISA eventually will.

May 9, 2007 10:34 AM PDT

Alphabet soup at Interop

by Jon Oltsik

It's May in the IT industry and that means Interop is only two weeks away. For those not familiar with Interop, it is a huge networking geekfest in Las Vegas where booze, IP jargon and acronyms flow like water.

At this year's shindig, I anticipate a lot of Interop buzz focused on NAC, or Network Access Control. Of course, this is the generic industry acronym and one of many that basically describes the same thing.

Cisco NAC, aka CNAC, stands for Network Admission Control. Microsoft calls its flavor NAP, or Network Access Protection. And the Trusted Computing Group has a similar set of standards that combine to form an NAC framework called TNC, or Trusted Network Connect.

Confused? You are not alone. I speak with IT and security folks all the time, and they can't make heads or tails of this mix of industry rhetoric.

Enter industry analysts--the ones who are supposed to translate all this stuff to make it more palatable but, more often than not, simply throw more dirt into muddy water. In this case, an unnamed analyst shop decided that NAC is doomed to fail. (See my recent blog on the frequent analyst ploy: "Technology X is dead.") The same unnamed analyst then proclaimed that what the industry really needs is PERM, or Pro-active Endpoint Risk Management.

So here's my problem. First and most obvious, do we really need ANOTHER acronym here? I mean, aren't four enough?

Second, there is a whole NAC vision and framework that is extremely flexible and can be used in an assortment of different ways on both clients and networks. In other words, I think that PERM is really another way to describe NAC. We are arguing about subtle differences, so why exactly do we need another way to describe the same thing? As the old show tune goes, "You say potato and I say potato. Let's call the whole thing off."

Finally, NAC is an evolving framework in which lots of the standards and implementation choices have yet to be defined. Now I know that the tech industry moves quickly, but are we really at the point where technologies that haven't even been developed are already dead? I say let's give little guys like Cisco Systems and Microsoft a chance here.

I know I sound like Andy Rooney, but it seems to me that we analysts are too focused on re-naming stuff and not focused enough on clarifying stuff. Rather than creating context and taxonomy, we simply introduce more spin. In the existing world of NAC/CNAC/NAP/TNC, it's hard for me to see how this is at all useful.
