Tuesday, July 18

Network Layer Identity Management: Part I

Mark Macauley of Trusted Network Technologies has been making the case for Network Layer identity management. It's a very compelling concept. Eric Norlin of DIDW has also posted about NAC - and more than once. Eric sees NAC as front-and-center, one of the major IdM themes for 2006 and possibly the new provisioning. Another TNT blog makes the distinction between Network Access Control and Network Admission Control. It's an important distinction. I was recently at a trade show standing across from a large banner that read Network Access Control. When I inquired, I was given the spiel on what is really Network Admission Control (by Eric's definition). For that company, the distinction really doesn't matter - access to the network vs. admission to the network... who cares? They both sound the same. For TNT, it matters because they provide much more than just binary access to the network. For my purposes, I mean access control. That is, NAC as controlling who has access to what at the network layer rather than at the application layer.

Enforcing access at the network layer puts the control in front of the application rather than inside it. The goalie (for lack of a better analogy) wouldn't have to protect the goal if opposing players weren't even allowed on the field. A user who plugs a non-compliant laptop into the network never gets near the protected data: you have to be sending from a NAC-approved system before the application ever sees a request for the resource.

There are still plenty of finer technical points (is packet spoofing possible?, etc.) about NAC that I don't fully understand, but I do see some business challenges. Assuming a NAC implementation works exactly as I would want it and there are no technical concerns, I still think there are some business-related hurdles to overcome before widespread adoption of network layer access control would take place.
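The packet-spoofing question is the one a practitioner would test first, because it decides whether "access at the network layer" means anything stronger than "the right source address". What follows is an added example, not code from the original post, from TNT or from any real NAC product: a small Python simulation of two enforcement points. The first identifies the sender by source IP, which anyone who can forge an IP header can claim. The second identifies the sender by an HMAC tag over the packet computed with a secret issued to the host at admission time, so admission (the posture check that hands out the key) and access (verifying the tag on every packet) are distinct steps. The packet layout, the per-user key, and the sequence-number replay check are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: two ways an in-network enforcement point could decide
# "who sent this packet". Neither is TNT's product nor any real protocol.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    user: str          # identity the sender claims
    seq: int           # per-user sequence number, covered by the tag
    payload: bytes
    tag: bytes = b""   # identity tag; empty on hosts that hold no admission key


class AddressGate:
    """Naive gate: trusts the source IP to identify the user."""

    def __init__(self, bindings: Dict[str, str]) -> None:
        self.bindings = dict(bindings)   # src_ip -> user learned at admission

    def identify(self, pkt: Packet) -> Optional[str]:
        # Anyone who can write 10.0.0.5 into the IP header "is" alice.
        return self.bindings.get(pkt.src_ip)


class KeyedGate:
    """Gate that binds identity to a secret issued when the host was admitted."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.last_seq: Dict[str, int] = {}

    def admit(self, user: str) -> bytes:
        """Admission step: the host passes its posture check and receives a key."""
        key = os.urandom(32)
        self.keys[user] = key
        self.last_seq[user] = -1
        return key

    @staticmethod
    def _mac(key: bytes, pkt: Packet) -> bytes:
        msg = b"|".join([pkt.user.encode(), pkt.src_ip.encode(),
                         str(pkt.seq).encode(), pkt.payload])
        return hmac.new(key, msg, hashlib.sha256).digest()

    @classmethod
    def tag(cls, key: bytes, pkt: Packet) -> Packet:
        """What an agent on an admitted host would do to every outbound packet."""
        return Packet(pkt.src_ip, pkt.user, pkt.seq, pkt.payload, cls._mac(key, pkt))

    def identify(self, pkt: Packet) -> Optional[str]:
        """Access step: verify the tag before the packet reaches any server."""
        key = self.keys.get(pkt.user)
        if key is None or not pkt.tag:
            return None                      # claimed user was never admitted
        if not hmac.compare_digest(self._mac(key, pkt), pkt.tag):
            return None                      # forged source or altered payload
        if pkt.seq <= self.last_seq[pkt.user]:
            return None                      # replay of a captured valid packet
        self.last_seq[pkt.user] = pkt.seq
        return pkt.user


def run_scenario() -> Dict[str, Optional[str]]:
    """Constructed traffic: one genuine packet, one spoofed, one replayed."""
    address_gate = AddressGate({"10.0.0.5": "alice"})
    keyed_gate = KeyedGate()
    alice_key = keyed_gate.admit("alice")

    genuine = KeyedGate.tag(alice_key, Packet("10.0.0.5", "alice", 1, b"GET /payroll"))
    # An unadmitted laptop forges alice's address and claim but has no key,
    # so its tag is a guess.
    spoofed = Packet("10.0.0.5", "alice", 2, b"GET /payroll", tag=b"\x00" * 32)
    # The same laptop replays a captured genuine packet unchanged.
    replayed = genuine

    return {
        "address_gate_genuine": address_gate.identify(genuine),
        "address_gate_spoofed": address_gate.identify(spoofed),
        "keyed_gate_genuine": keyed_gate.identify(genuine),
        "keyed_gate_spoofed": keyed_gate.identify(spoofed),
        "keyed_gate_replayed": keyed_gate.identify(replayed),
    }


if __name__ == "__main__":
    for name, who in run_scenario().items():
        print(f"{name}: {who}")
```

The address-based gate accepts the spoofed packet as alice because the only thing it checks is the header the attacker wrote. The keyed gate rejects both the forgery (no key, so no valid tag) and the replay (sequence number already seen), which is the property the goalie analogy needs: the identity is something the endpoint proves, not something it asserts. The key itself has to come from an admission step, which is why the agent question in the next section matters.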

1. From what I've seen, the IT industry has moved away from installing agents on desktops and laptops. So the carrot needs to be very sweet to convince IT managers that agents are the way to go. Complete enterprise single sign-on and elimination of every user name and password other than the network logon is a pretty sweet carrot -- we're talking Carrot Halwa. But is that really achievable? I have no experience with this, so I'm actually asking. Have people achieved this?

2. Companies are comfortable with the idea of controlling access at the application layer. Applications have user names and passwords, identity stores and policies that control who can get in. Turning all of that off for every application across the enterprise is a very tall order. I believe it would take a significant amount of time to convince organizations that it's safe to unlock every safe in the mansion and trust that only people with permission for a particular safe can get into the room that holds it. It may be a purely emotional obstacle, but it is one nonetheless, and it's just the kind of obstacle that can keep a very good technology from ever reaching widespread adoption. If I were a NAC vendor, I think I'd spend a huge portion of my time and budget attacking this fear. Find a single high-profile customer, give away the software and make the case. ...just an idea.

3. In the long term, if organizations do begin to adopt a NAC identity management architecture, NAC vendors will need to either pair up with the major platform vendors or prepare for a long, hard fight. Building identity into network requests and responses could eventually become part of the network OS, the desktop OS and the server applications. Of course, no single vendor could solve the entire problem without some common standards. I think I smell a new set of protocols out on the horizon, waiting to come to fruition as soon as customers get over the fears mentioned above.

...in part II, I'll discuss how I think application-layer identity management solutions (like MaXware's) add value to network layer access management solutions.

* Thanks again to Mark Macauley (who may or may not agree with my thoughts) for providing me some background info on TNT.
