Who is an identity-based NAC vendor?


Network Access Control ("NAC") was an emerging focus at last September's Digital ID World conference. The reason for including NAC in the agenda arose from my belief (fueled by talks with enterprises) that network-layer identity management was an area that is fast becoming an important piece of enterprise architecture. In the aftermath of the event, Phil and I tried to sit back and take a look at what actually happened. What we found with regards to NAC (and what I've heard since) is that, while the enterprise IT folks I talked with really "get it," some of the vendors in the space don't understand how they fit in the identity world. Curious, right?

Is the product focus "pre-admission" or "post-admission"?

That finding led me back to wanting to speak with some NAC vendors, and luckily ConSentry contacted me to brief me about some of their new product releases (their InSight product, for those that are interested). What resulted was a realization for me: the dividing line of NAC vendors who understand where their products fit in an identity-based world, and those that do not, is centered on where the core of their functionality comes from.

If a vendor's NAC product is focused on the zone of "pre-admission" -- that is to say, the "admission" process -- then they do not see themselves as an identity-based product. If, on the other hand, the core of the functionality is focused on what happens "post-admission," they do see themselves as living in the identity space.

The reason for this is simple: "post-admission" identity-based NAC is centered around things like role-based provisioning at the network level, policy enforcement around roles, and the visibility and auditing of policies. All of these post-admission activities are driven by the functioning of identity within a network. (All of those capabilities, by the way, are what ConSentry is realizing are core to their customers' needs.) The driving force of this functioning is a customer base that now views the network perimeter as a dynamic zone of permissions and authorizations. Keeping people out isn't the order of the day; controlling what they do and knowing what they've done is.

On the other hand, "NAC" companies focused on "pre-admission" activities still view the network as a static wall. For these companies, the act of authentication and endpoint checking is still a binary switch. The "yes/no" decision results in a "policy" of you're in or out.
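To make the contrast concrete, here is an added example (not code from the original post or from any vendor mentioned in it) that models both styles of NAC decision in Python. The pre-admission check is the binary switch the post describes: authenticated plus healthy endpoint means "in", anything else means "out". The post-admission model keeps deciding after the user is on the network: each connection attempt is evaluated against the user's role, every decision is written to an audit trail so you can see who reached what from which machine, and removing the user from the directory cuts off everything at once. The directory, posture results, and role policy are all constructed sample data.

```python
"""Pre-admission vs post-admission NAC decisions (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def pre_admission(user: str, directory: Dict[str, str],
                  device_healthy: bool, password_ok: bool) -> bool:
    """Pre-admission NAC: one yes/no decision at the door.

    Once this returns True the user is simply 'on the network'; nothing
    below records or constrains what they do afterwards.
    """
    return password_ok and user in directory and device_healthy


@dataclass
class PostAdmissionNac:
    """Post-admission, identity-based NAC.

    directory:   user -> role   (constructed stand-in for an identity store)
    role_policy: role -> set of application zones that role may reach
    audit:       every authorization decision, allowed or denied
    """
    directory: Dict[str, str]
    role_policy: Dict[str, Set[str]]
    audit: List[dict] = field(default_factory=list)

    def authorize(self, user: str, device: str, destination: str) -> bool:
        """Policy enforcement around roles, evaluated per connection attempt."""
        role: Optional[str] = self.directory.get(user)
        allowed = role is not None and destination in self.role_policy.get(role, set())
        # Visibility: record the attempt whether or not it succeeded.
        self.audit.append({
            "user": user, "device": device, "destination": destination,
            "role": role, "allowed": allowed,
        })
        return allowed

    def deprovision(self, user: str) -> None:
        """Removing the identity removes every network entitlement at once."""
        self.directory.pop(user, None)

    def who_reached(self, destination: str) -> List[str]:
        """Auditing: users who were actually allowed through to a destination."""
        return sorted({e["user"] for e in self.audit
                       if e["destination"] == destination and e["allowed"]})

    def denied_attempts(self) -> List[dict]:
        """Auditing: everything that was blocked after admission."""
        return [e for e in self.audit if not e["allowed"]]


# Constructed sample data for a stand-alone run.
SAMPLE_DIRECTORY = {"alice": "finance", "bob": "engineering"}
SAMPLE_POLICY = {"finance": {"erp", "hr-app"}, "engineering": {"git", "ci"}}


def demo() -> PostAdmissionNac:
    """Walk a user through both models and return the NAC state for inspection."""
    nac = PostAdmissionNac(dict(SAMPLE_DIRECTORY), SAMPLE_POLICY)
    # Pre-admission: alice gets a bare yes; an unhealthy laptop gets a bare no.
    print("alice, healthy laptop:", pre_admission("alice", nac.directory, True, True))
    print("alice, failed posture:", pre_admission("alice", nac.directory, False, True))
    # Post-admission: the same admitted user is still constrained by role.
    nac.authorize("alice", "laptop-01", "erp")   # finance role -> allowed
    nac.authorize("alice", "laptop-01", "git")   # not a finance zone -> denied
    nac.authorize("bob", "laptop-02", "git")     # engineering role -> allowed
    # Deprovisioning alice from the directory ends her access everywhere.
    nac.deprovision("alice")
    nac.authorize("alice", "laptop-01", "erp")   # now denied
    print("reached erp:", nac.who_reached("erp"))
    print("denied:", len(nac.denied_attempts()))
    return nac


if __name__ == "__main__":
    demo()
```

The point the code makes is the one the post makes: `pre_admission` has no memory and no notion of role, so it can only answer "in or out" once. `PostAdmissionNac` answers a different question on every attempt, and because the answer is keyed off the directory, a single deprovisioning step closes every path the user had.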

Companies like ConSentry seem to have tapped into a cutting-edge customer concern -- treating the network layer (and its accompanying identity problems) in the same way that one would treat the application layer. That focus, and the accompanying shift of NAC products toward "post-admission" activities, seems likely to be the growing edge of a hot market.

Needless to say, Digital ID World will still be covering NAC.

Topic: Networking


Talkback

2 comments
  • I've been holding back, but....

    I can't any more, it simply must be said.

    Sorry to say this, but you guys have it bass-ackwards. These "revolutionary" companies are finally "treating the network layer in the same way that one would treat the application layer"??
    Identity has traditionally not been an applicative concept, but has always been a network (or at least infrastructure) concept.
    True, some applications were able to take advantage of that identity - but it was supplied by the network.

    Just to be clear, when I say that identity is network-based, I include other infrastructure, such as OS, AD (in MS networks), and similar "software", not just routers, firewalls, and whatnot. (If this is the point on which we differ, though I doubt it, then I retract my argument).

    Current IdM products are all about the network - even if they do regard the "application layer" - e.g. HTTP etc, called the "application layer" ONLY in networking terms - it is only as a communication endpoint. For instance, IdM systems that support Web applications usually address the web app by the hostname, and possibly the full address. So what? This is still just a network-addressable endpoint, and says nothing whatsoever about the application itself.

    So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc. It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack !! :-) )

    They are finally "treating the network layer in the same way that one would treat the application layer"? Maybe in five years, vendors will start treating the application layer the same way (just more efficient) that they treat the network (and host/OS) layer.
    douglen9
    • I beg to differ strongly on this one

      Just so we're clear about why I can say what I'm about to say... I have run over a dozen initiatives that have provisioned/deprovisioned over 1M users at the application layer. I have worked with IBM, Novell, and Sun's products, and left a VP level job to join TNT for exactly the reason/point you seem to miss. I have published two articles in the ISSA Journal about this as well. My blog is at http://identitystuff.blogspot.com should you care to follow along.

      Your point:
      So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc. It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack !! )

      My point:

      Identity at the network layer means that identity is carried from perimeter to port, so you've encompassed identity in the network, infrastructure, AND application layer WITH the associated entitlements in a single piece of technology. Add to that the visibility of who from what machine went to (or tried to go to) an application, which ultimately drives who can see and access the right apps, and it is invaluable. The other benefit to identity in the network is that once I have deprovisioned the user from the directory, guess what? They can't get on my network at all, they can't log in to HR systems from the laptop they still have, and every account they ever set up, known or unknown, is rendered useless. How's that for workflow?

      So I beg to differ and point out that identity in the network is exactly where things are headed, and need to be. TNT (yes I work for them)(http://www.trustednetworktech.com) gives DNA to identity which is as close to true identity as we can get right now...

      identitystuff@gmail.com
      identitystuff