Magic Quadrant for Network Access Control VIEW SUMMARY Most NAC vendors provide good support for the BYOD use case. Now, the market is evolving to

Transcription

1 Magic Quadrant for Network Access Control VIEW SUMMARY Most NAC vendors provide good support for the BYOD use case. Now, the market is evolving to address another use case, where NAC policy servers act as "warehouses of context" and share contextual data with firewalls and other security components to enable fine-grained policy enforcement. Market Definition/Description The BYOD phenomenon continues to be the primary driver for the adoption of network access control (NAC). Without NAC policies, corporate BYOD programs allow unchecked network access by a wide array of personally owned devices, thereby increasing the chances of security risks and network instability. To gain more visibility into the configuration of mobile devices, many organizations are integrating their enterprise mobility management (EMM) solutions with their NAC solutions. This is an important trend, and it enables network managers to enforce policies such as blocking devices (or limiting their network access) that are missing EMM agents. There is a wide discrepancy in the market between vendors that support multiple EMM partners (several support seven or more) and those that only support one or two. The ability to give customers choices for integrating with multiple EMM systems was an important factor this year in calculating Completeness of Vision scores. Another important NAC trend is the integration with other security components, such as next-generation firewalls, advanced threat defense (ATD) solutions and security information and advanced management (SIEM) solutions. Forwardthinking NAC vendors have positioned their solutions as "warehouses of context" to share contextual information with third-party security components. For example, NAC systems can send user identification to a firewall so that it can apply fine-grained policies based on this information. Contextual information can also be shared with SIEMs, sandboxes and other ATD solutions, where it is mapped to an IP address to provide context for security operations teams that are responding to alerts. Some enterprises use NAC to automatically remove endpoints from the network, in response to alerts from ATD systems. This use case is limited to highly security conscious organizations. Integrating with network and security solutions is not a primary driver for adopting NAC, but enterprises are progressively implementing these integrations after the initial rollout of NAC. Magic Quadrant Figure 1. Magic Quadrant for Network Access Control

2 Source: Gartner (December 2014) Vendor and Aruba Networks Aruba Networks, based in Sunnyvale, California, sells its ClearPass Access Management offering. It is a Remote Authentication Dial-In User Service (RADIUS)-based solution that is available in a family of hardware and virtual

3 appliances. Aruba's customers should consider ClearPass. ClearPass provides integration capabilities through the ClearPass Exchange API promoting contextual sharing integration with third-party security solutions. Examples include SIEM, EMM and next-generation firewalls. Aruba has a strong BYOD strategy. It integrates with AirWatch, MobileIron and several other EMM solutions. The ClearPass Onboard module, which includes a certificate authority, supports more operating systems (seven) than any other onboarding module in the NAC market. In supporting Chrome OS and Ubuntu, ClearPass is a strong option for the education vertical. ClearPass offers a strong guest network application. Granular policies allow employees to create Apple AirPrint and AirPlay and Google Chromecast dynamic policies for their guests. For example, printers and projectors can be shared with guests based on the time and location restrictions that are tied to that guest policy. In multivendor networks, ClearPass customers that have not implemented Aruba's Mobility Controllers lose advanced functionality, including Apple AirPlay visibility and support for Aruba's auto-sign-on feature. Gartner rarely sees ClearPass in wired LAN environments. ClearPass sales are driven primarily by Aruba wireless customers. Auconet Auconet, a privately held company, moved its headquarters from Germany to the U.S. (San Francisco) in The research and development team is still based in Germany. Auconet has been delivering NAC solutions since It is deployed most commonly as an agentless solution, because its RADIUS-based policy server supports native 802.1X supplicants embedded in multiple operating systems. Its Business Infrastructure Control Solution (BICS) is available as a hardware appliance, virtual appliance and SaaS. Auconet also offers an optional permanent agent on Windows, Unix/Linux platforms and Mac OS. Organizations that need to apply NAC policies to industrial and supervisory control and data acquisition (SCADA) environments, or that would benefit from a multitenant NAC solution, should consider Auconet. Large enterprises should also consider Auconet. Historically, Auconet has targeted the European market. Organizations outside of Europe should verify Auconet's ability to provide service and support. BICS' support for large-scale multitenancy appeals to managed security service providers (MSSPs) that offer managed NAC services. BICS enables NAC for industrial environments by implementing specific industrial protocols. For example, Siemens licenses BICS to help support SCADA environments that it manages. Customer references consistently commented favorably on the solution's agentless approach and its ease of administration. Auconet's BYOD strategy is limited. At the time of this report, it had only integrated with Citrix and MobileIron EMM solutions. Integrations with third-party security solutions are limited. Auconet has not completed integrations with any firewall or advanced threat defense vendors. Auconet has a limited geographic reach and only a small but growing presence in the U.S. Customers and prospects outside of Europe and Asia/Pacific may face challenges in obtaining presales and postsales support from the company.

4 Bradford Networks Bradford Networks is a privately held company based in Boston, Massachusetts, that has been delivering NAC solutions since Its Network Sentry/NAC product is available in hardware appliances, in a virtual appliance and as a cloud service. The Network Sentry/RTR (Rapid Threat Response) is an additional application that shares contextual information about endpoints and provides tools for security analysts to respond to alerts from next-generation firewalls, advanced threat defense solutions and other security products (Network Sentry/RTR is sold separately). Network Sentry/RTR can also respond to alerts automatically by quarantining compromised endpoints. Consider Bradford Networks' NAC products for heterogeneous networks and wide mixes of endpoint devices. Bradford Networks has one of the broadest sets of integration partners in the NAC market. Network Sentry integrates with multiple solutions in each of the following categories: EMM, firewall, SIEM, advanced threat defense and other security solutions. Bradford Networks partners with managed services providers (Windstream and DecisionOne) that offer the Network Sentry products as a cloud-based service. Bradford Networks offers a unique cloud-based analytics service that helps its customers analyze trends about devices and users that connect to their networks. Customers use this information to develop network access policies and to plan for wireless LAN capacity. Bradford has a strong presence in the education vertical. Network Sentry/NAC has several features (including device registration) and integrations (such as eduroam) that are important in education networks. The vast majority of Bradford Networks' customers are in North America. Prospective customers outside of North America should validate that its partners can provide an appropriate level of support in their respective regions. Some reference customers requested improvements in the Network Sentry/NAC reporting capabilities. Bradford Networks claims these issues have been addressed in its 2014 reporting updates. Gartner clients are advised to validate these enhancements. Cisco Cisco is headquartered in San Jose, California. Its Identity Services Engine (ISE) policy server is RADIUS-based, which enables Cisco to support authentication in heterogeneous network infrastructure environments (although advanced NAC features will require Cisco components). ISE is available in hardware appliances and also as a virtual server. Cisco packages ISE software in several licensing options, including a mobility-only license. Cisco customers should consider ISE, especially when the Cisco AnyConnect endpoint client will be in use. Cisco has a strong BYOD strategy. ISE integrates with AirWatch, MobileIron and solutions from several other EMM vendors. Version 1.3 of ISE supports an optional onboarding module that includes a certificate authority. This feature simplifies BYOD implementations, since enterprises do not need to implement a third-party certificate authority. ISE leverages technology that is embedded in Cisco network infrastructure components to provide unique benefits. For example, it uses endpoint

5 profiling data collected from Cisco switches and wireless controllers, eliminating the need to deploy stand-alone profiling sensors. TrustSec enables granular identity-based policies on many Cisco LAN, WLAN and firewall products. Cisco's pxgrid initiative enables network and security solutions to coordinate the sharing of contextual information (such as identity and location) through ISE. pxgrid also enables integrated technology partners to use ISE to execute mitigation actions in response to events. Early pxgrid partners include Splunk, Ping Identity, NetIQ, Tenable Network Security, Emulex and Bayshore Networks. Some Cisco Sourcefire products also support pxgrid. ISE includes a strong guest administration module that is highly customizable. Cisco's status as a network security vendor is an obstacle when it comes to partnering with other network security vendors. For example, mainstream firewall vendors and third-party sandboxing vendors have not yet integrated with pxgrid. ISE does not enforce advanced policies on Cisco Meraki wireless LAN access points (Meraki includes its own NAC functions). ISE is capable of enforcing basic authentication policies with Meraki. Enterprises that are interested in implementing TrustSec's role-based identity policies should perform careful testing in a lab environment. Adoption of TrustSec has been slow, as some key Cisco products have only recently added TrustSec support (for example, TrustSec support for ASA Security Appliances was added in July 2014). With TrustSec deployments, network teams may encounter challenges typical of early adopters of new technology. Extreme Networks Extreme Networks, based in San Jose, California, acquired Enterasys in 2013 and began selling its NAC solution and the broader Enterasys security product portfolio. Extreme's NAC appliance and NetSight NAC management system are available as virtual appliances or hardware appliances. The primary use case for Extreme NAC is its wired and wireless customers, since they benefit from Extreme's integrated functionality. Also, the solution is capable of supporting non-extreme environments. Extreme's NAC solution integrates with multiple solutions in each of the following categories: firewall, SIEM, advanced threat defense and other security solutions. Extreme has a good strategy for pursuing the K-12 environment. Its NAC solution integrates with secure Web gateway (SWG) vendors iboss Network Security and Lightspeed Systems, both of which target the K-12 vertical. Extreme has a good BYOD strategy. Its Mobile IAM component integrates with AirWatch, MobileIron and several other EMM solutions. Extreme's NAC solution integrates with several nonsecurity solutions, including OpenStack and Microsoft Lync. The Lync integration enables Extreme to apply dynamic policies per call (for example, prioritize voice traffic over the data network). Policy enforcement is inconsistent across Extreme switches and Enterasys switches. Policy controls are more granular with the Enterasys switches.

6 Extreme Networks suffers from limited brand awareness in the NAC market. Gartner clients rarely include Extreme on their shortlists when evaluating NAC vendors. ForeScout Technologies ForeScout Technologies is a privately held company based in Campbell, California, that sells the CounterACT family of hardware and virtual appliances. Although ForeScout offers optional agents, its clientless approach eases the support of Windows, OS X and Linux endpoints. ForeScout also offers a series of integration modules (for an additional fee) that share contextual information about endpoints. These tools enable security analysts to respond to alerts from next-generation firewalls, advanced threat defense solutions and other security products. The integration modules utilize ForeScout's ControlFabric API and enable CounterACT to respond to alerts automatically and initiate mitigation actions. At the time of this writing, the company has an interim CEO (as of June 2014). ForeScout should be considered for midsize and large NAC deployments. ForeScout has one of the broadest sets of integration partners in the NAC market. Using the ControlFabric series of APIs, CounterACT integrates with multiple solutions in the following categories: firewall, SIEM, advanced threat defense and other security solutions. ForeScout has a strong BYOD strategy. In addition to supporting integrations with several EMM vendors, it also sells a ForeScout-branded EMM solution (an OEM of IBM's offering), and it offers the ForeScout Mobile Security Module. The latter is an "EMM-lite" solution that enforces device policies and reports health and configuration status back to the CounterACT appliance. Users continue to cite ease of deployment, flexible enforcement methods and network visibility as primary selection criteria. ForeScout has some of the largest active deployments of all vendors. Obtaining postadmission threat protection (an optional feature) in distributed environments requires CounterACT appliances at each remote location, which drives up the cost of deployment. ForeScout customers have the option of implementing CounterACT appliances in a centralized approach, which is less expensive but reduces ForeScout's threat protection functionality. In its most commonly implemented approach, CounterACT is positioned on Switched Port Analyzer (SPAN) or "mirror" ports on core network switches. Network administrators need to ensure the availability of these ports in their networks. Impulse Point Based in Lakeland, Florida, and founded in 2004, Impulse Point continues its focus on the higher education and K-12 markets. Impulse Point delivers its flagship SafeConnect solution as a managed service, which includes system monitoring, problem determination and resolution, updates to device type, antivirus and OS profiling recognition, and remote backup of policy configuration data. All Impulse Point products can be implemented as a hardware or virtual appliance. Education institutions should consider Impulse. SafeConnect integrates with a wide range of EMM, SIEM, bandwidth management, firewall and advanced threat solutions via its Contextual Intelligence Publisher module. Integrations with iboss Network Security,

7 Exinda and Procera Networks strengthen Impulse's ability to target the education vertical. Feedback from Impulse Point customers continues to indicate that SafeConnect can be quickly implemented. Its optional Layer 3 approach to enforcement eliminates the need to test compatibility at Layer 2 (at the LAN switch level). Impulse Point customers consistently point to the company's service and support as strengths. SafeConnect's dashboard console is not as customizable or flexible as some competing offerings. SafeConnect's Layer 3-based enforcement technique does not meet the needs of most corporate environments. Customers have the option of using a new RADIUS-based 802.1X enforcement feature, although Impulse's RADIUS server is not as feature-rich as others in this market. Impulse has been primarily targeting North American customers, and has only recently expanded into Europe. Customers and prospects outside of North America may face challenges obtaining presales and postsales support from the company. InfoExpress Founded in 1993, InfoExpress is a privately held company based in Mountain View, California, that is largely focused on the NAC market. Its CGX solution is available as a hardware appliance and a virtual appliance. Enterprises that need a scalable solution that doesn't require hardware at remote sites should consider InfoExpress. CGX correlates data from multiple sources (for example, InfoExpress endpoint agents, Syslogs, Nmap data and MobileIron) to enable more-granular NAC policies. By analyzing when devices change state, CGX can enforce the appropriate policy. For example, when a mobile device reported as stolen reappears on the network, CGX can quarantine the device. InfoExpress offers endpoint agents for a wide variety of operating systems, including Windows, OS X, Apple ios, Android and Linux. InfoExpress does not require hardware at remote locations, due to its Dynamic NAC feature (an agent-based Address Resolution Protocol [ARP] enforcement solution). InfoExpress only integrates with one EMM vendor (MobileIron). InfoExpress has limited integrations with third-party security components. For example, it does not share contextual data about network endpoints with third-party security components, such as firewalls, SIEM and advanced threat defense solutions. InfoExpress' lack of marketing focus hampers its ability to differentiate its product and contributes to the company's low visibility among Gartner clients. Portnox Portnox moved its headquarters to the U.S. in 2014, and retained its research and development facilities in Israel. The company was founded in 2007 and is a pure-play NAC vendor. The Portnox solution is agentless and based on endpoint discovery. When a device connects to the network, Portnox checks the OS type and applies the appropriate policy to the network access point (LAN switch, WLAN controller or VPN gateway). Historically, the company has been focused on

8 the EMEA region. Organizations that can tolerate the risk of a startup and that are within the geographic range of Portnox's service and support coverage should consider this vendor. Portnox has a good BYOD strategy. It integrates with AirWatch, MobileIron and several other EMM solutions. Portnox integrates with a wide range of third-party firewall and advanced threat defense solutions. The company's customers consistently report that the Portnox solution is easy to deploy and manage. It attaches to any LAN switch port and does not require a "mirror" or SPAN port. Portnox can enforce NAC policies in a VMware environment. For example, it monitors and graphically represents the number of virtual machines (VMs) in use and enforces policies for these VMs by blocking or allowing access to virtual switches. To achieve the maximum benefits of Portnox at remote locations, the vendor suggests deployment of its Knoxer software (free of charge) at each location. Without Knoxer, the process of isolating and remediating endpoints may be inconsistent, as it will vary according to the infrastructure at the remote location. Customization of Portnox may be required to enable special-purpose endpoints, such as security cameras or videoconferencing systems, to gain network access. Because endpoint discovery is at the core of the Portnox solution, all endpoints must be accurately profiled. Some customers commented that Portnox's library of profiled devices could be larger to avoid the customization effort required to identify nonstandard endpoints. Portnox lacks a strong distribution channel in North America. Customers and prospects in North America may face challenges in obtaining presales and postsales support from the company. Pulse Secure Pulse Secure is a newly formed company that was created when private equity firm Siris Capital acquired the Junos Pulse business from Juniper Networks. In addition to its NAC solution, Pulse Secure also offers a VPN solution and a mobile security suite. In October 2014, Pulse Secure acquired MobileSpaces, a provider of virtual container technology for mobile devices. In the 2013 Network Access Control Magic Quadrant, Juniper was positioned in the Challengers section. This year, Pulse Secure is positioned in the Niche Players quadrant. The drop in Ability to Execute is due in part to the multiple challenges faced by establishing a new company, including branding, sales and distribution, and operational issues. Pulse Secure's NAC solution is based on a RADIUS platform and is available as a family of hardware and virtual appliances. Pulse Secure should be considered by Juniper and non-juniper customers. The Pulse Secure solution remains tightly integrated with Juniper's core security products (firewall, intrusion prevention system [IPS] and Secure Sockets Layer [SSL] VPN), network infrastructure offerings (LAN switches) and SIEM solution. When implemented with Pulse Secure, Juniper's network and security components provide strong support for identitybased policies (role-based policies). Pulse Secure's Unified Mobility Client reduces the number of agents required for network access by integrating an SSL VPN client and a NAC agent. The

9 NAC component provides authentication and endpoint configuration assessment. Pulse Secure has established full FIPS compliance and EAL3 certification for its NAC products. These certifications provide an advantage in government procurements, because most other NAC vendors have yet to meet these qualifications. Pulse Secure lags many competitors in its ability to integrate with solutions from other security vendors. The Policy Secure policy server does not integrate with non-juniper firewalls, and it does not integrate with any network-based advanced threat detection solutions (for example, sandboxes). Pulse Secure does not own device profiling technology. It relies on an OEM partner for this functionality. Pulse Secure only provides two options for third-party EMM integration AirWatch or MobileIron. Pulse Secure is missing some features that are important in 802.1X environments. It lacks a standards-based approach for Change of Authorization (CoA), a feature that enables a policy server to communicate policy changes to the network infrastructure. Also, Pulse Secure does not offer an embedded certificate authority. Customers must implement an external certificate authority to enable 802.1X-based device authentication. Vendors Added and Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor. Added None Dropped StillSecure After being acquired by private equity firm Versata in 2013, StillSecure shifted its focus to the small-to-midsize market business segment. The company still retains support for its legacy U.S. Department of Defense customers. Inclusion and Exclusion Criteria To be included in this Magic Quadrant, a vendor's solution must be able to enforce NAC policies in a heterogeneous infrastructure environment. In addition, vendors' solutions must include the policy, baseline and access control elements of NAC, as defined by the following criteria: Policy The NAC solution must include a dedicated policy management server with a management interface for defining and administering security configuration requirements, and for specifying the access control actions (for example, allow or quarantine) for compliant and noncompliant endpoints. Because policy administration and reporting functions are key areas of NAC innovation and differentiation, vendors must own the core policy function to be included in this Magic Quadrant. Baseline A baseline determines the security state of an endpoint that is attempting a network connection, so that a decision can be made about

10 the level of access that will be allowed. Baselining must work in heterogeneous endpoint environments (for example, Windows, Mac OS X, Apple ios and Android). It must include the ability to assess policy compliance (for example, up-to-date patches and antivirus signatures for Windows PCs, or the presence of an EMM agent for mobile devices). Various technologies may be used for the baseline function, including agentless solutions (such as vulnerability assessment scans), dissolvable agents and persistent agents. NAC solutions must include a baseline function, but "reinventing the wheel" is not necessary. Baseline functionality may be obtained via an OEM or licensing partnership. Access control The NAC solution must include the ability to block, quarantine or grant partial (limited access) or full access to an endpoint. The solution must be flexible enough to enforce access control in a multivendor network infrastructure, and it must be able to enforce access in wired LAN, wireless LAN and remote access environments. Enforcement must be accomplished either via the network infrastructure (for example, 802.1X, virtual LANs or access control lists [ACLs]) or via the vendor's NAC solution (for example, dropping/filtering packets or ARP spoofing). Vendors that rely solely on agent-based endpoint self-enforcement do not qualify as NAC solutions. Additional criteria include: Vendors must integrate with one or more EMM solutions. Network infrastructure vendors must have demonstrated their ability in 2013 and 2014 to sell NAC solutions beyond their installed base of infrastructure customers. NAC vendors must consistently target and show wins at enterprises with 5,000 endpoints and above to be included. This Magic Quadrant does not analyze solutions that only target the small to midsize (SMB) market. Vendors must have an installed base of at least 100 customers or an aggregate endpoint coverage of 500,000 endpoints. The vendor must have at least $5 million in NAC sales during the 12 months leading up to 1 November Solutions that do not directly generate revenue for the vendor, such as those that embed basic NAC functionality in other products at no extra charge, have been excluded from this analysis. The NAC solutions had to be generally available as of 1 November Evaluation Criteria Ability to Execute Product or Service: An evaluation of the features and functions of the vendor's NAC solution, including the ability to integrate with solutions that provide network visibility and event monitoring. Due to the influence of the BYOD trend on NAC, this criterion heavily weights the ability to establish and enforce policies in heterogeneous endpoint environments (Windows, Mac OS X, Apple ios and Android). Other BYOD-related NAC functions, such as profiling of endpoints and guest networking services, have been heavily weighted. Overall Viability: An assessment of the vendor's overall financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue to invest in an NAC solution. Market Responsiveness/Record: The speed in which the vendor has spotted a market shift and produced a product that is sought after by potential customers. This criterion includes an assessment of how quickly NAC vendors have added

11 partnerships with other security vendors. Marketing Execution: The effectiveness of the vendor's marketing programs and its ability to create awareness and mind share in the NAC market. Vendors that frequently appear on client shortlists are succeeding in marketing execution. Customer Experience: Quality of the customer experience based on input from Gartner clients and vendor references. Input is gathered via reference calls and an online survey. Table 1. Ability to Execute Evaluation Criteria Criteria Weight Product or Service High Overall Viability High Sales Execution/Pricing Not Rated Market Medium Responsiveness/Record Marketing Execution Medium Customer Experience Operations Medium Not Rated Source: Gartner (December 2014) Completeness of Vision Market Understanding: The ability to anticipate market trends, such as the impact of BYOD, and to quickly adapt via partnerships, acquisitions or internal development. Marketing Strategy: An analysis of whether the vendor's marketing strategy succeeds in differentiating its NAC solution from its competitors. Sales Strategy: The vendor's strategy for selling to its target audience, including an analysis of the appropriate mix of direct and indirect sales channels. Offering (Product) Strategy: An evaluation of the vendor's strategic product direction and its road map for NAC. The product strategy should address trends that are reflected in Gartner's client inquiries. Vertical/Industry Strategy: The vendor's strategy for meeting the specific needs of individual vertical markets and market segments. For example, does the vendor have an effective strategy for pursuing vertical markets that have been aggressive adopters of NAC, such as higher education, healthcare and financial services? Innovation: An assessment of product leadership and the ability to deliver NAC features and functions that distinguish the vendor from its competitors. Geographic Strategy: The vendor's strategy for penetrating geographies outside its home or native market. Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Weighti ng Market Understanding High Marketing Strategy Medium Sales Strategy Medium Offering (Product) High Strategy Business Model Not Rated Vertical/Industry Low Strategy

12 Innovation Geographic Strategy Medium Low Source: Gartner (December 2014) Quadrant Descriptions Leaders Leaders are successful in selling large NAC implementations (10,000 nodes and greater) to multiple large enterprises. Leaders are pure-play NAC vendors or networking and/or security companies that have been first to market with enhanced capabilities as the market matures. Leaders have the resources to maintain their commitment to NAC, have strong channel strength and have financial resources. They have also demonstrated a strong understanding of the future direction of NAC, including the impact of BYOD. Leaders should not equate to a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant. Challengers Challengers are networking and/or security companies that have been successful in selling NAC to their installed bases, although they are generally unsuccessful in selling NAC to the broader market. Challengers are generally not NAC innovators, but are large enough and diversified enough to continue investing in their NAC strategies. They are able to withstand challenges and setbacks more easily than Niche Players. Visionaries Visionaries have led the market in product innovation and/or displayed an early understanding of market forces and trends. They are smaller pure-play NAC vendors or larger networking and/or security companies. A common theme among Visionary vendors is that they don't have significant channel strength in the NAC market and have not succeeded in building installed bases as large as those of vendors in the Leaders quadrant. Niche Players Niche Players are typically strong in strategic NAC verticals (for example, education and healthcare) and certain geographies. They don't often appear on Gartner clients' shortlists, but they are valid options for organizations within those key geographies and vertical industries. Context If your organization faces BYOD challenges, consider solutions that can easily profile personally owned mobile devices, and apply controls that are consistent with your organization's mobile device policies. Because there are multiple approaches for enforcing NAC policies (for example, virtual LANs, firewalls and access control lists), look for solutions that best fit your network infrastructure. Market Overview Gartner estimates that the size of the 2014 NAC market will be approximately $460 million, an increase of about 36% over In 2015, we expect growth to be more conservative, at approximately 20%. The slower growth is a result of many highly security-conscious organizations already implementing NAC to address the BYOD trend. Organizations with less demanding security requirements are taking a "good enough" approach to controlling BYOD by implementing EMM, but are not integrating it with NAC. The "good enough" strategy (EMM-only) enables organizations to enforce policies on mobile devices, but without NAC integration there is no ability to enforce network access policies. The downside to this scenario is that noncompliant mobile devices (for example, a tablet without an EMM agent) could still gain access to the network.

13 There are no Challengers in the Magic Quadrant this year. Network infrastructure vendors could fit the profile of a Challenger. For example, if a network infrastructure vendor highly visible in the NAC market with many NAC customers had difficulty selling NAC beyond its installed base, the vendor would be a candidate for the Challengers quadrant. The pool of candidates for the Challengers quadrant is small. Many network infrastructure vendors still do not own NAC technology (although many partner with NAC vendors), so they are not eligible for inclusion in this Magic Quadrant. In 2014, the smaller NAC vendors did not grow quickly enough to be positioned in the Challengers quadrant. EVALUATION CRITERIA DEFINITIONS Ability to Execute Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products. Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel. Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness. Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities. Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on. Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

14 Completeness of Vision Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision. Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements. Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base. Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. Business Model: The soundness and logic of the vendor's underlying business proposition. Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets. Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or preemptive purposes. Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.