What happened to standards development — where vendors would collaborate to provide a base level of interoperability between products so end users could pick and choose the best products for them? It seems to be a thing of the past, leading to unavoidable lock-in. Let’s look at some recent examples and the issues they present.
First up is what is variously called Dynamic, Private, Identity or Multiple Pre-Shared Key — a feature initially introduced by Ruckus back in 2010 that allows different passwords to connect to the same Wi-Fi network.
A host of vendors including Aruba, Cisco (twice), Extreme, Fortinet, Meraki and Mist have since implemented this feature, but none are interoperable or have even attempted to standardise implementation. Aruba’s even uses RADIUS under the hood, but is not supported for use with any RADIUS server but their own, ClearPass. This dynamic forces IT departments to buy their NAC from the same company as their Wi-Fi to enable use of this feature.
The second example is a practice started by Google with BeyondCorp — the idea of limiting resource access to trusted, verified clients, rather than relying on trusted networks and VPNs. This idea has spawned many IT buzzphrases including Zero Trust Network Access and Secure Access Service Edge.
The general idea is to monitor endpoint compliance in addition to user identity when granting access. This means integrating endpoint security, identity management and access control, giving advantage to vendors who provide all three and disadvantaging those focused on a single product. The underlying concept is good, but an unintended consequence is forcing tighter integration of previously disparate technology areas.
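To make the access decision concrete, here is an added example (not from the original article, and not any vendor's product code) of the kind of policy check a conditional-access engine performs: the identity provider supplies who the user is and whether MFA passed, the MDM/EDR agent supplies device posture, and the engine only grants access when both sides pass. The field names, sample users and thresholds are constructed assumptions; the point is that the decision logic itself is vendor-neutral, while the two input feeds are where vendor-specific integration (and the lock-in the article describes) actually lives.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example: identity signals an IdP would assert after login.
@dataclass
class Identity:
    user: str
    groups: List[str]
    mfa_passed: bool

# Constructed example: posture signals an MDM/EDR agent would report.
@dataclass
class DevicePosture:
    managed: bool          # enrolled in MDM
    disk_encrypted: bool   # full-disk encryption on
    edr_healthy: bool      # endpoint protection running and current
    patch_age_days: int    # days since the last OS patch was applied

# Constructed example: per-resource policy requirements.
@dataclass
class Resource:
    name: str
    required_group: str
    max_patch_age_days: int
    require_mfa: bool

def evaluate(identity: Identity, posture: DevicePosture,
             resource: Resource) -> Tuple[str, List[str]]:
    """Return ("allow" | "step-up" | "deny", reasons).

    Identity and posture are evaluated independently; a request must
    satisfy both before access is granted. If the only shortfall is
    MFA, the caller can prompt for a second factor instead of denying.
    """
    identity_failures: List[str] = []
    posture_failures: List[str] = []

    # Identity checks (what the IdP knows about the user)
    if resource.required_group not in identity.groups:
        identity_failures.append(
            f"user {identity.user} not in group {resource.required_group}")
    mfa_missing = resource.require_mfa and not identity.mfa_passed

    # Posture checks (what the endpoint agent knows about the device)
    if not posture.managed:
        posture_failures.append("device not managed")
    if not posture.disk_encrypted:
        posture_failures.append("disk not encrypted")
    if not posture.edr_healthy:
        posture_failures.append("endpoint protection unhealthy")
    if posture.patch_age_days > resource.max_patch_age_days:
        posture_failures.append(
            f"OS patches {posture.patch_age_days} days old "
            f"(max {resource.max_patch_age_days})")

    reasons = identity_failures + posture_failures
    if reasons:
        return "deny", reasons
    if mfa_missing:
        return "step-up", ["MFA required for this resource"]
    return "allow", []

if __name__ == "__main__":
    payroll = Resource("payroll", "finance", 30, True)
    alice = Identity("alice", ["finance"], mfa_passed=True)
    laptop = DevicePosture(True, True, True, 7)
    print(evaluate(alice, laptop, payroll))
    print(evaluate(alice, DevicePosture(False, True, True, 7), payroll))
```

Run it directly to see an allow and a deny side by side. Because every failed check is returned as a reason string, the same function can feed an audit log or a user-facing "why was I blocked" message, which is the part that gets hardest to reproduce once the posture feed is locked to one vendor's agent.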
Microsoft’s Azure AD uses Intune and Defender for Endpoint as its conditional access solution. Users that don’t employ Intune for MDM can integrate other solutions, but are then effectively paying twice. Jamf is widely regarded as the most established Mac and iOS management solution, but its integration with Intune is so buggy that some Mac admins are trying to force their security teams to abandon it. On the Windows side, integration with other endpoint security solutions is possible but none of them are regarded as top-tier.
Fortinet’s ZTNA combines its FortiGate firewalls and Endpoint Management Server for FortiClient, but users can also add on FortiNAC and FortiAuthenticator on top. Cisco bought Duo, which best integrates with their ISE, AnyConnect and AMP products. Other options, like Okta and Cloudflare Access, do work with a wide variety of endpoint security solutions, but users still may end up paying for multiple solutions, or be forced to switch if their current choice isn’t supported.
UC is also seeing increasing integration. Some phone systems, including Cisco and Mitel, have developed chat and video calling over time. Conversely, others including Microsoft Teams and Zoom started as chat and video-calling then moved on to develop telephony. None of these can natively communicate with each other, unlike older systems like Skype for Business which promoted open federation. Microsoft Teams can integrate with an existing phone system, but again the user pays twice.
The final example is SD-WAN. The ability to virtualise away the lower network connections has great value, but none of the many vendors can interoperate, forcing organisations to use a single vendor across their entire network. This makes changing vendor an expensive ‘rip and replace’ operation.
Oftentimes this tight integration has benefits. But it can mean that users are forced to trade off a good endpoint security solution against a subpar access management system simply because they’re both from the same vendor — and switching one inevitably means switching the other.
It increasingly feels like the only choice users have is to select a technology vendor and go all-in on their products in the hope that they’ll work best together. This then locks the market out from new independent vendors who may have a better solution but can’t integrate with existing systems, leaving the incumbent giants with no motivation to improve their products... a sad result for those of us wrangling IT in the trenches.