Recent headlines have created more concern about how to secure ourselves from the government than about how the government must secure itself from others. The government does continue to face pressing security concerns, however, and how it addresses those concerns has relevance to the enterprise. That is, at least, the stance Network Access Control (NAC) solutions vendor StillSecure takes. Last month, StillSecure's Safe Access NAC solution became the first (and, for now, only) product to gain approval under the DoD's new 2013 requirements, an achievement StillSecure hopes to parlay into a greater share of the enterprise market.
Listed as a niche player in Gartner's December 2012 Magic Quadrant for Network Access Control, StillSecure has long maintained a strong footing in the defense vertical, with DoD approval dating back to 2005. The current Safe Access certification, which will last until June 2016, demonstrates security capabilities compliant with a stricter set of requirements, including nine Security Technical Implementation Guidance (STIG) requirements.
Safe Access now also addresses BYOD concerns. The solution complements Mobile Device Management deployments "by performing access control for mobile devices by profiling them as they connect, identifying them by operating system, and allowing users to assign devices to access policies to control their access to the organization," in some cases catching devices undetected by MDM deployments, StillSecure CEO James D. Brown said. Safe Access can also authenticate mobile devices.
Safe Access differentiates itself from its competitors through its approach to network access, according to Brown. "Noncompliant devices never get access to the network until they prove that they are compliant," he told me, describing the approach as "guilty until proven innocent." He credited the StillSecure compliance testing engine with enabling guilty-until-proven-innocent security without hampering end user experience. Brown explained, "We have over 2,000 different cross-vendor tests that we can apply to an endpoint in about two seconds per endpoint. You can isolate a device for a very short period of time to assess it and only get it on the network after the fact." In the enterprise space, however, many organizations prefer the innocent-until-proven-guilty approach for productivity purposes. Safe Access can provide that approach, but "the Department of Defense finds the 'guilty-until-proven-innocent' capability very compelling," Brown said.
Also compelling are Safe Access's ease of deployment and its interoperability within infrastructures that are less than state-of-the-art. Brown said that Safe Access can slot into a network and get up and running, with "very minimal changes to the network besides putting an agent on and making some minor configuration changes," in an hour or less in some cases. Additionally, Safe Access enables military networks whose infrastructures aren't yet up to a full 802.1x deployment to meet NAC requirements during their transition to 802.1x.
So what does all this mean to those outside the defense vertical?
Military networks aren't the only ones that require strong, reliable security, and government regulations affect plenty of private sector industries, too. StillSecure does significant business within the financial services vertical, Brown told me, with interest in Safe Access high thanks to Federal Financial Institutions Examination Council (FFIEC) requirements, which include specific recommendations for NAC solutions for banks and credit unions. And many other enterprises have mission-critical security needs that DoD-approved solutions can meet.
Safe Access isn't the only NAC solution on the DoD Defense Information Systems Agency (DISA) Unified Capabilities Approved Product List (UC APL). The IC6500 4.1R2 from Juniper Networks and the Xsuite from Xceedium also possess current certification. Both of these solutions were approved in 2011 under the previous requirements and will need re-certification in 2014, rather than 2016, when the Safe Access approval expires.
Juniper's solution, and how it compares to the 2013-approved Safe Access, is of particular interest given recent news of Juniper's struggling security revenues. When contacted, Michael Callahan, vice president of global product marketing for the Juniper security business, told me, "Juniper is actively involved in several certification activities at the Joint Interoperability Test Command (JITC) to add or in most cases update multiple Juniper products on the DoD APL, including our latest NAC products." The company, he added, remains committed to engaging with DoD labs to maintain compliance.
In the meantime, StillSecure hopes to pull ahead of the pack quickly. According to Brown, Gartner positioned the vendor as a niche player primarily because of its split focus between NAC and Managed Security Services Provider (MSSP) businesses. Now that Still Secure has divested its MSSP business in favor of undivided focus on NAC, the company "expects our 2013 Magic Quadrant position to be significantly improved," Brown said.
"Gartner has told us repeatedly that our product functionality is very strong, and I believe there's significant evidence that our product functionality is extremely competitive," Brown concluded.
NAC solutions have seen a recent resurgence of interest, thanks to the proliferation of mobile devices, the BYOD trend within the enterprise, and the risks those devices pose to company networks. In its 2012 NAC report, Gartner predicted 63 percent growth in the market in 2013. The NAC space looks sure to become even more competitive in the near future. Perhaps StillSecure's clout within its current defense niche will give the vendor the credibility to break out into the enterprise.
Jude Chao is executive editor of Enterprise Networking Planet. Follow her on Twitter @judechao.