[Note: Eric is having trouble posting today, and I have posted this article for him. So "I" refers to Eric in this article. - Phil]
Prior to the holidays, I had begun to dig into some new briefings around NAC. Specifically, I was looking to hear from Trusted Network Technologies and Identity Engines -- two startups that *began* with identity and ended up at NAC (instead of the other way around). I wanted to begin there because I know that I don't have to convince TNT and Identity Engines that "identity is center." Rather, we can dig right into what their markets are saying to them. Abstraction of policy across both the network and application identity management layers is a growing movement.
What I learned was that despite the fact that Identity Engines and Trusted Network Technologies are radically different companies, they're both experiencing the same push in their product architectures. That push centers around the idea that the abstraction of policy is a growing movement *across* both the network and application identity management layers. Allow me to explain.
NAC has traditionally been thought of as a "health check" for machines that are connecting to the network. As the marketplace for NAC has begun to demand post-admission capabilities, NAC has been forced to adjust from simple health checks into an identity-based foundation. And that adjustment is the result of a very basic need: the ability to perform fine-grained authorization (and the accompanying functions of enforcement, audit, etc.). Notice the switch -- from simple access control (health checks) to fine-grained authorization. The move from binary access (yes or no) to fine-grained authorization betrays a shift in mindset: from a defensible perimeter to a qualifier that identifies who can access what room.
Fine-grained authorization is *the* shift that NAC vendors will wrestle with all year, but it is not the endgame. The endgame (or, at least, next step in the endgame) is to abstract policy and its enforcement across both the network and application layers. Look for the startups like TNT and Identity Engines to begin working toward that level of cross-layer abstraction of policy by the end of next year.
And that is why I keep talking about convergence of application and network layer management around the concept of identity...