However, many third-party NAC technologies on the market today will either be acquired, move down-market from the enterprise, or disappear, she predicted.
The debate over whether it is smarter to locate the top-level intelligence of security systems at the endpoint or the network is one that has raged on for years, prompting companies to deploy both types of technologies.
In the IT systems defense space, for example, vendors have successfully marketed both network and host-based intrusion prevention systems (IPS). Used to ward off external attacks, a host-based IPS lives on an endpoint such as a PC, while a network-based IPS is typically handled within a firewall device or network appliance.
The enterprise NAC segment will allow for the same type of diversity and will support providers beyond the infrastructure giants that deliver network-based device authentication and remediation tools, other vendors claim.
According to some, Forrester's endpoint-based vision for the technology -- technically defined as proactive endpoint risk management (PERM) -- overlooks the need for additional NAC products to sit between the endpoint and network to handle heavy lifting that traditional desktop and infrastructure systems can't deliver.
"The PERM people are talking about NAC as an endpoint uber-agent, but in today's world one of the biggest drivers of NAC are unmanaged users like contractors coming onto networks," said Alan Shimel, chief strategy officer at StillSecure, based in Superior, Colo. "Enterprises need to know that machines are not polluting the network, that's the whole point, and with the PERM approach there's no solution for that problem."
Shimel said that the more endpoint-focused NAC strategy also fails to address the issue of allowing a potentially infected device to rely primarily on its own internal ability to verify its security status.
He said his company and others like it also continue to sell plenty of NAC products while the broader market lines are being drawn.
Shimel expects the NAC market to split into two camps, with those who think device authentication intelligence moves into the network and is embedded into routers on one side, and others who think it moves onto endpoints.
"Many of the initial expectations around NAC are unachievable, but that's no reason for people to start writing obituaries about these technologies before their time," he said. "We don't think the last word has been written about network-based control. If you look closely at the Forrester report and what they say NAC is lacking, it's actually what the network-based people are already doing, such as remediation."
Many larger vendors support the notion that both network and endpoint NAC tools will be adopted by enterprises, but some agreed that there will not likely be tolerance among customers for multiple systems that require the creation of parallel policies and controls.
In that sense, major security and infrastructure providers will have an advantage over smaller best-of-breed NAC suppliers, as the big players are already working to coordinate their products and stake out which aspects of the systems they will specialize in.
"Hardcore security guys will always tell you there's no way that you can expect an endpoint to protect itself, but it's not ultimately a one-or-the-other scenario, there's a need for a coordinated combination of tools," said Oliver Tavakoli, vice president of architecture and technology at Sunnyvale, Calif.-based Juniper. "You cannot force people to create duplicate policy stores, and our goal, if you look at what companies like Juniper, Cisco and Microsoft are doing, is to provide that policy enforcement framework."