The somewhat quiet news that ConSentry Networks has gone out of business is more bad news for the independent network access control (NAC) market and underscores the struggles of a handful of pure-play independent vendors — Nevis Networks and Vernier Networks were the others — that took similar approaches.
The trio were notable for their strong post-connect monitoring and enforcement, and fine-grained policy controls around identity-based NAC. All offered appliances, and ConSentry and Nevis also sold NAC-enabled switches. Vernier slipped quietly away a couple of years ago and tried to reinvent itself as Autonomic Networks, focusing on NAC for compliance auditing. It closed in February. Nevis went bankrupt and sold its assets to Aviram Networks in May. Aviram has resurrected the business, still as Nevis Networks.
(Two other NAC vendors, Caymas and Lockdown Networks, shut their doors in the last couple of years. Remaining independents include StillSecure, InfoExpress, Bradford Networks and ForeScout Technologies.)
NAC, the next big thing a few years ago, has not yet developed into the huge market it was expected to be. Gartner pegs it at $221 million this year. Venture capitalists have sunk more than $550 million into the NAC market, including $9.4 million for ConSentry in January, according to the Wall Street Journal.
With all the major security and network infrastructure vendors offering some sort of NAC capability, focusing primarily either on the endpoint (Microsoft, Symantec, McAfee, Trend Micro, Sophos, etc.) or the network (Cisco Systems, Juniper Networks), the indications are strong that NAC will be subsumed, rather than persist as a market. My colleague, Eric Ogren, noted in his April column, “Gartner gets NAC wrong, again,” that there was no NAC exhibition category for vendors at RSA and that enterprises should be thinking in terms of features in infrastructure products, rather than separate tools.
ConSentry, Nevis and Vernier may be the poster children. For all their impressive capabilities, they may have been selling into a market that didn’t exist. The vast majority of companies are still primarily concerned with basic guest access control and pre-connect endpoint hygiene, particularly for remote users (and you should generally be able to get that basic piece with your VPN).
Most companies don’t have the kind of granular role-based access control policies that would be a good match for the identity-centric monitoring and enforcement ConSentry et al. presented. Those that do would likely prefer to work with their network company (Cisco more often than not) through the admittedly slow-to-develop and somewhat painful process of embedding NAC in the infrastructure while working through their endpoint security vendor on the client side. In particular, the ConSentry and Nevis switch-based options, while perhaps the right place to put NAC, were never going to make a dent against established network equipment vendors, and were doomed for the most part to spot deployments in special scenarios.