CSI 2008: You Want Standards, You Have To Demand Them - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Information Management
Commentary
11/18/2008
02:24 PM
Mike Fratto
Mike Fratto
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

CSI 2008: You Want Standards, You Have To Demand Them

This morning's Trusted Computing Group summit focused on the Trusted Platform Module (TPM), NAC, and the TNC. The event was well-attended and covered a range of topics from what the TPM is and what it is used for to the TNC's role in NAC and NAC standards. One overwhelming message came out: Users want standards. Vendors are not listening.

This morning's Trusted Computing Group summit focused on the Trusted Platform Module (TPM), NAC, and the TNC. The event was well-attended and covered a range of topics from what the TPM is and what it is used for to the TNC's role in NAC and NAC standards. One overwhelming message came out: Users want standards. Vendors are not listening.The panel consisted of myself; Steve Hanna, Juniper Network Distinguished Engineer and TNC co-chair; Greg Kazmierczak from Wave Systems; David O'Berry from the South Carolina Department of Probation, Parole, and Pardon Services; and Lisa Lorenzin, principle solutions architect with Juniper Networks. Steve and Greg did a great job laying out the role and functions of the TPM in general and the use of the TPM along with NAC, and we had some great questions about the technology.

The biggest question is who is implementing the TNC standards. Hanna has a slide of vendors who have implemented TNC standards, but the people I have talked to in some of those companies have said they are not actually shipping the code, yet. I doubt there are many cases where multivendor TNC implementations are actually occurring. When asked why, the answer from vendors is "when we see customer demand, we will build it." Well, customers are demanding it. In fact, every company representative I have talked to who is looking at NAC wants standards and that is backed up by research in our 2008 InformationWeek NAC Survey [[registration required]] where 75% of respondents said adherence to any framework (a generalized term including standards and vendor programs) was important, very important, or critical.

Yet every vendor I talk to say they are hearing the demand from their customers. While relating that to the audience today, many heads were nodding in agreement. There is a disconnect. The message from customers -- most of the people in the room had not yet implemented NAC -- is that they want standards-compliant products. They want interoperability. You, dear vendor, are not hearing it.

A Message To Organizations

If standards are important, the only way to get vendors to adopt them is to walk away from the sale, telling them when their product conforms with standards you want in your organization, then you will purchase. The standards could be the TNC standards or even one of the vendor frameworks like Cisco's NAC or Microsoft's NAP. I would argue that the TNC standards, which are vendor neutral, are probably the better route than a vendor-proprietary framework simply because the TNC the standards are available to anyone to download and adopt. The TNC working group also is actively developing new standards to integrate other technologies into the TNC. The Meta Data Access Point, IF-MAP, which is a repository of host information, is a recent example.

Standards don't give any vendor an upper hand but do allow vendors to differentiate their products with value-adds while assuring that their products will play with others. Since NAC incorporates other security and nonsecurity technologies, make the same demands from other vendors as well. If you want your IDS or DLP product to integrate with your NAC, your IDS or DLP vendor needs to know that.

Make the demands viral. Tell your peers to make similar demands. If your local sales rep is nonresponsive, contact the vendor directly or, for that matter, send me an e-mail and I will forward it to the people I know within the vendor.

A Message To Vendors

Stop hiding behind the "demand" shield. It's old and says a lot more about your company than you suppose. It's an excuse that says you don't have the resources to respond to customers needs and that doesn't give anyone confidence that your company will be around next year. More important, if your pitch is to be proactive and take control of your security with NAC, but your business model is reactive, only building features when there is demand, you are demonstrating you don't really believe the very reasons you espouse, namely being proactive. A proactive vendor identifies a need and then goes out and builds stuff before demand is built.

You, too, can put pressure on other vendors, like AV and patch management vendors, to adopt standards, as well as other NAC vendors. There's plenty of money to be made in NAC. Your product doesn't have to be all things. Your product doesn't have to be an agent, a policy decision point, a policy enforcement point, and everything in between. Pick one or two and innovate the crap out of it with useful features. Let others build the parts you don't have and ,as long as everyone conforms to standards, there will be plenty of business. The cost of proprietary, nonstandards-based products is a stifled industry with limited growth potential.

I am telling you. The demand for standards-based NAC is there. You just have to listen.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
Reflections on Tech in 2019
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  12/9/2019
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll