Demand for post-admission NAC grows


[Note: Eric is having trouble posting today, and I have posted this article for him. So "I" refers to Eric in this article. - Phil]

Prior to the holidays, I had begun to dig into some new briefings around NAC. Specifically, I was looking to hear from Trusted Network Technologies and Identity Engines -- two startups that *began* with identity and ended up at NAC (instead of the other way around). I wanted to begin there because I know that I don't have to convince TNT and Identity Engines that "identity is center." Rather, we can dig right into what their markets are saying to them.

Abstraction of policy across both the network and application identity management layers is a growing movement.

What I learned was that despite the fact that Identity Engines and Trusted Network Technologies are radically different companies, they're both experiencing the same push in their product architectures. That push centers around the idea that the abstraction of policy is a growing movement *across* both the network and application identity management layers. Allow me to explain.

NAC has traditionally been thought of as a "health check" for machines that are connecting to the network. As the marketplace for NAC has begun to demand post-admission capabilities, NAC has been forced to adjust from simple health checks into an identity-based foundation. And that adjustment is the result of a very basic need: the ability to perform fine-grained authorization (and the accompanying functions of enforcement, audit, etc.). Notice the switch -- from simple access control (health checks) to fine-grained authorization. The move from binary access (yes or no) to fine-grained authorization betrays a shift in mindset: from a defensible perimeter to a qualifier that identifies who can access what room.

Fine-grained authorization is *the* shift that NAC vendors will wrestle with all year, but it is not the endgame. The endgame (or, at least, the next step toward it) is to abstract policy and its enforcement across both the network and application layers. Look for startups like TNT and Identity Engines to begin working toward that level of cross-layer abstraction of policy by the end of next year.
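As an added illustration of the shift described above (example code written for this page, not code from the post, from TNT or from Identity Engines): one identity-keyed policy, the health check kept as the binary pre-admission gate, and two post-admission enforcement points, a network-layer one deciding per host and port and an application-layer one deciding per operation, both reading the same policy. Hostnames, roles, ports and operation names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Subject:
    user: str
    roles: set
    healthy: bool  # outcome of the pre-admission health check

@dataclass
class Rule:
    role: str
    host: str
    ports: set        # network-layer scope for this role on this host
    operations: set   # application-layer scope for this role on this host

# Constructed policy: a single identity-centric table shared by both layers.
POLICY = [
    Rule("finance", "erp.corp.example", {443}, {"read_ledger", "post_journal"}),
    Rule("contractor", "erp.corp.example", {443}, {"read_ledger"}),
    Rule("contractor", "wiki.corp.example", {80, 443}, {"read"}),
]

def pre_admission(subject):
    """Traditional NAC: one binary yes/no decision from the health check."""
    return subject.healthy

def network_decision(subject, host, port):
    """Post-admission, network layer: allow/deny per host and port, keyed on identity."""
    if not pre_admission(subject):
        return False
    return any(r.host == host and port in r.ports and r.role in subject.roles
               for r in POLICY)

def application_decision(subject, host, operation):
    """Application layer: the same policy, evaluated at operation granularity."""
    if not pre_admission(subject):
        return False
    return any(r.host == host and operation in r.operations and r.role in subject.roles
               for r in POLICY)

def audit(subject, host, port, operation):
    """Record both layers' decisions so the trail shows which layer denied and why."""
    return {"user": subject.user, "host": host, "port": port, "operation": operation,
            "network": network_decision(subject, host, port),
            "application": application_decision(subject, host, operation)}
```

A contractor passes the network-layer check for the ERP host on 443 yet is denied `post_journal` at the application layer, which is the distinction between "multiple binary" network decisions and application-aware authorization.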

And that is why I keep talking about convergence of application and network layer management around the concept of identity...

Topic: Networking


Talkback

2 comments
  • NAC??

    One minus vote for unexplained acronym. Yeah, we're overloaded with 'em and need some relief. Thanks for helping.
    Techboy_z
  • Once again...

    Application-level Identity Management *does not exist*.
    Again, unless you're referring to the application layer of the OSI network stack, which from this article it seems quite clear that you're not.
    Most contemporary IdM products work at the infrastructure/host level, allowing applications built on top of that infrastructure to access the identity deployed there.

    Real application-level IdM either means that the application is dependent on the IdM (contrary to common sense), or that the IdM, and the identity itself, is aware of the application(s).
    There are no real products for this (yet).

    Another point I need to make, is that NAC will NEVER be capable of "fine-grained authorization" - once again, to do this properly, you need to be aware of the application's context. NAC, being a networking concept, is conceptually incapable of ever getting there.
    What you should have said, instead of "The move from binary access (yes or no) to fine-grained authorization", should have been, "The move from a single binary access (yes or no) to multiple binary access (hostA-yes, hostB-no, hostC-yes-but-only-on-the-designated-port-or-protocol)...."
    Fine-grained authorizations are starting to be supported, if only very crudely, as you mentioned here in a review a few weeks back. I foresee a major upheaval in this field by the end of the year (I'll let you know when I get funded.... ;-) )

    Btw, for the record, I agree strongly with some of what you said, and a lot of what you intended, such as "...a shift in mindset: from a defensible perimeter to a qualifier that identifies who can access what room". Only I think it goes much farther than just accessing a room, and then getting free rein...
    douglen@...