CSI 2008: You Want Standards, You Have To Demand Them

This morning's Trusted Computing Group summit focused on the Trusted Platform Module (TPM), NAC, and the TNC. The event was well-attended and covered a range of topics from what the TPM is and what it is used for to the TNC's role in NAC and NAC standards. One overwhelming message came out: Users want standards. Vendors are not listening.The panel consisted of myself; Steve Hanna, Juniper Network Distinguished Engineer and TNC co-chair; Greg Kazmierczak from Wave Systems; David O'Berry from the South Carolina Department of Probation, Parole, and Pardon Services; and Lisa Lorenzin, principle solutions architect with Juniper Networks. Steve and Greg did a great job laying out the role and functions of the TPM in general and the use of the TPM along with NAC, and we had some great questions about the technology.

The biggest question is who is implementing the TNC standards. Hanna has a slide of vendors who have implemented TNC standards, but the people I have talked to in some of those companies have said they are not actually shipping the code, yet. I doubt there are many cases where multivendor TNC implementations are actually occurring. When asked why, the answer from vendors is "when we see customer demand, we will build it." Well, customers are demanding it. In fact, every company representative I have talked to who is looking at NAC wants standards and that is backed up by research in our 2008 InformationWeek NAC Survey [[registration required]] where 75% of respondents said adherence to any framework (a generalized term including standards and vendor programs) was important, very important, or critical.

Yet every vendor I talk to say they are hearing the demand from their customers. While relating that to the audience today, many heads were nodding in agreement. There is a disconnect. The message from customers -- most of the people in the room had not yet implemented NAC -- is that they want standards-compliant products. They want interoperability. You, dear vendor, are not hearing it.

A Message To Organizations

If standards are important, the only way to get vendors to adopt them is to walk away from the sale, telling them when their product conforms with standards you want in your organization, then you will purchase. The standards could be the TNC standards or even one of the vendor frameworks like Cisco's NAC or Microsoft's NAP. I would argue that the TNC standards, which are vendor neutral, are probably the better route than a vendor-proprietary framework simply because the TNC the standards are available to anyone to download and adopt. The TNC working group also is actively developing new standards to integrate other technologies into the TNC. The Meta Data Access Point, IF-MAP, which is a repository of host information, is a recent example.

Standards don't give any vendor an upper hand but do allow vendors to differentiate their products with value-adds while assuring that their products will play with others. Since NAC incorporates other security and nonsecurity technologies, make the same demands from other vendors as well. If you want your IDS or DLP product to integrate with your NAC, your IDS or DLP vendor needs to know that.

Make the demands viral. Tell your peers to make similar demands. If your local sales rep is nonresponsive, contact the vendor directly or, for that matter, send me an e-mail and I will forward it to the people I know within the vendor.

A Message To Vendors

Stop hiding behind the "demand" shield. It's old and says a lot more about your company than you suppose. It's an excuse that says you don't have the resources to respond to customers needs and that doesn't give anyone confidence that your company will be around next year. More important, if your pitch is to be proactive and take control of your security with NAC, but your business model is reactive, only building features when there is demand, you are demonstrating you don't really believe the very reasons you espouse, namely being proactive. A proactive vendor identifies a need and then goes out and builds stuff before demand is built.

You, too, can put pressure on other vendors, like AV and patch management vendors, to adopt standards, as well as other NAC vendors. There's plenty of money to be made in NAC. Your product doesn't have to be all things. Your product doesn't have to be an agent, a policy decision point, a policy enforcement point, and everything in between. Pick one or two and innovate the crap out of it with useful features. Let others build the parts you don't have and ,as long as everyone conforms to standards, there will be plenty of business. The cost of proprietary, nonstandards-based products is a stifled industry with limited growth potential.

I am telling you. The demand for standards-based NAC is there. You just have to listen.