Roles: driving network access control

In my quest to understand the dynamics of how NAC and identity management are intersecting, I've been reaching out to vendors in the NAC space. To be clear, I view this NAC "space" as a spectrum. On one end of the spectrum, we have folks like Applied Identity, Identity Engines and Trusted Network Technologies -- guys that started from the identity premise. At the other end of the spectrum are companies like Forescout and ConSentry -- guys that started in the traditional "network" space and have recently found identity.

That spectrum (and I've by no means listed all of the vendors) makes up the "identity-based" NAC space, or more broadly -- those companies that are beginning to manage identities at the network layer. The other end of identity management is, of course, those companies that are managing identity at the application layer. We (Phil and myself) are of the opinion that the intersection of these two areas over the next 18-24 months will become a major theme in the world of identity.

The shared imperative that both NAC and traditional IdM (identity management) vendors are having to address is the larger problem of roles. Defining, managing, refining and enforcing roles is the linchpin that is focusing deployments *across* the identity layers - be they the network or application layer.

I discovered how this applies to the NAC space in recent talks with ConSentry and Forescout. While neither company listed the other as a direct competitor, it was interesting to note that they're both focused on the problem of fine-grained policy enforcement around roles. As an example: a typical NAC customer may begin with the stated goal of "protecting access" to a given piece of their network infrastructure (a VPN, for example); granting or denying access to that piece of the network (and its accompanying applications) requires a definition of roles. In the past that definition of roles has been a binary choice: employee or contractor. That choice, of course, does not work, as many employees shouldn't have access to certain things and many contractors should have access only to certain things. In other words, the market is forcing NAC vendors that began with an abstract notion of roles to ground that notion in the reality of identity. Only by moving to identity are the NAC vendors able to answer the demands of their customer base -- the ability to enforce access control policies with fine-grained precision.

You can see this highlighted differently in the product sets of both ConSentry and Forescout. ConSentry's LANShield controller organizes itself around the notion of "pre-admission" and "post-admission" control - where "post-admission" speaks to role provisioning, enforcement and (to some extent) auditing. Forescout's CounterACT product is centered around the multitude of responses that can be given as a means for policy enforcement (everything from challenge/response to alteration of user credentials). Both products connect to identity stores via Active Directory and RADIUS, and both products are seeking to address what is currently viewed as a "security" problem.
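As an added illustration (not code from ConSentry, Forescout or this post), here is a toy model of the two-stage decision described above: a pre-admission posture gate, then a post-admission check that contrasts the binary employee/contractor model with a fine-grained role policy, writing an audit record either way. The identity records, resource names and posture attributes are constructed stand-ins for what a controller would pull from Active Directory or RADIUS.

```python
# Constructed identity records (assumed): the attributes a NAC controller
# would fetch from an identity store such as Active Directory or RADIUS.
IDENTITY_STORE = {
    "alice": {"type": "employee", "roles": {"finance"}},
    "bob": {"type": "employee", "roles": {"helpdesk"}},
    "carol": {"type": "contractor", "roles": {"network-audit"}},
}

# Fine-grained post-admission policy (constructed): resource -> roles entitled to it.
RESOURCE_POLICY = {
    "vpn": {"finance", "network-audit"},
    "finance-vlan": {"finance"},
    "helpdesk-tools": {"helpdesk"},
}

# Every decision is appended here so the outcome can be audited later.
AUDIT_LOG = []


def pre_admission(posture: dict) -> bool:
    """Pre-admission gate: endpoint posture is checked before any resource is reachable."""
    return bool(posture.get("av_current")) and bool(posture.get("patched"))


def binary_decision(user: str, resource: str) -> bool:
    """Legacy model: employees get everything, contractors get nothing."""
    return IDENTITY_STORE[user]["type"] == "employee"


def role_decision(user: str, resource: str) -> bool:
    """Fine-grained model: allow only if one of the user's roles is entitled to the resource."""
    allowed_roles = RESOURCE_POLICY.get(resource, set())
    return not IDENTITY_STORE[user]["roles"].isdisjoint(allowed_roles)


def admit(user: str, resource: str, posture: dict, fine_grained: bool = True) -> str:
    """Run both stages in order and record an auditable outcome string."""
    if user not in IDENTITY_STORE:
        outcome = "deny:unknown-identity"
    elif not pre_admission(posture):
        outcome = "deny:posture"  # fails pre-admission; no resource is reached
    elif (role_decision if fine_grained else binary_decision)(user, resource):
        outcome = "allow"
    else:
        outcome = "deny:policy"
    AUDIT_LOG.append({"user": user, "resource": resource, "outcome": outcome})
    return outcome
```

Running `admit("bob", "finance-vlan", ...)` under both models shows the point of the post: the binary model grants a helpdesk employee the finance VLAN, while the role policy denies it and still lets the contractor auditor reach the VPN.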

I expect that as the identity-based NAC market matures, the primary driver won't be phrased as "security," but rather "policy enforcement" and "auditing of network resources." The reason I'm confident about that is that we've been running a survey of past Digital ID World conference attendees regarding how they view NAC and its features and benefits - and those two features have risen to the top of the stack.

To that end, we'd love to hear your thoughts as well. The survey is available here.