Hi Rob,

Good luck with the next chapter of your life.

"we will eventually find a data-security device at the centre of our networks in the future... is NAC taking us in the right direction? Probably."

NAC is just an extension of the network trying to move inward. It may be offering finer granularity, but I do not see it offering anything in regards to data security because it deals primarily with devices and not data and users.

I do not know if network security and data security can meet in the middle, or even if they should, perhaps becoming complementary aspects of security.

Just my 2c.


Hi Rob, nice ideas.

And I'm putting on my hazmat suit and maybe changing my phone number and email address next week, but I don't think there's really a market there either, and that's why the NAC guys seem so.... um... desperate.

To be honest, I see NAC either being moved the UTM way by the "everything in one huge switch with firewall and router module" school or pushed out to the client as an endpoint solution à la glorified 802.1x combined with A-V, DLP, etc.

Today, however, there is a need to bridge this gap between UTM and client-side, and that's where I think people see a market, but I still think it's going to be gobbled from one direction or another. Doing what I do without much of a budget, I'm always looking to do things the cheap and easy way. That means that sometimes the technical solution isn't the most cost-effective for me at the time.

But then again, I've been known to be wrong before. Once. =)


@Rob: It doesn't make sense to say that NAC deals primarily with devices and not users and data. Also, I haven't mentioned users yet.
However, devices control and contain user credentials, authentication mechanisms, data in storage, data in transit, etc.
NAC requires authentication to allow access to devices, which allow access to data. NAC is Network Access Control. Access Controls are important, they just aren't the whole story, and are being mis-sold as such to a market who don't understand.
I am talking about properly securing data with UTM at the perimeter and data-security devices at the centre. I will talk about this more in time...


@rybolov: Yes, sounds good. What I've described doesn't exclude this happening either in fact. The data security devices are going to need to be able to talk to endpoints, so there will be some client interaction required, this is something the NAC/UTM boys are working on already I think. If not, they should be!


Hi Rob,

That was me. Was going to post about it to flesh out my thoughts, but dumped it there in the holding area.


Yeah, I know it was you, that's the only reason I didn't get mad and say how irresponsible it was.

That's not to say you aren't irresponsible however.


Why was it irresponsible?


"If someone wants to do business with a company that had a breach, then let them."

That doesn't sound very safe to me...


To you, but what about to them? They obviously are fine with it, right?


Yes, but does that make it right to let it go? Isn't it our responsibility to educate?
OK, I get that compliance is more than education, but then all education is controlled by something. Would you rather that there was no structure to it?
I guess it's social conscience rather than responsibility?


Definitely educate and persuade, but not force.



