Why NAC is about Identity

If you've spoken with me lately about Digital ID World, then you've heard me give my spiel on Network Access Control (NAC) - and why its so important to identity. This week, two things are bringing this topic back up for me:

1. I had someone who is pretty familiar with Digital ID World's mission tell me that they "just didn't see how NAC ever fits in."

2. Mark MacAuley wrote an interesting post, wherein he asks - "Do you want to manage identity in the network layer or the application layer?"

Mark's question is interesting because it highlights *why* NAC *does* fit into Digital ID World's mission -- but to unpack that a bit, allow me to step back.

Traditionally, "identity management" has been thought of as something that occurs at the application layer. Indeed, all of the early companies in the space (Netegrity, Oblix, Securant) were built around abstracting the management of identity out of the specific application. Over a period of years, these application identity management vendors ("AppIdM") came to architect products that centralized the management of employee identities without necessarily centralizing the identity data itself.

The enterprise, of course, does not think in "application layers" and "network layers" as it goes about executing its business. The enterprise thinks about policy enforcement, auditing of resources, security, SOX compliance, increased productivity, reduced costs -- in short, business processes. In the meantime, the natural "push" of networking is to network -- in short, to keep connecting everything. This sets up a natural tension between business process and networking. While business process demands an efficiency of process that *requires* control, networking runs about wily-nily downloading, hooking up, mashing together and integrating. While business wants order, networking fosters creative chaos.

This tension between business process and networking is the primary reason that identity is the succeeding organizing paradigm for the enterprise. When *identity* is the lens through which things are viewed, it becomes possible to give the business side what it needs (which is actually management, not so much control), while letting networking do what it does (hook up like a drunk frat boy on 25 cent beer night).

At this level, the distinction between the "network layer" and the "application layer" dissolves -- all layers are united by an identity view. Now the entire "network" (big N) of the business is about identity -- the identification (authentication, access and authorization) of every thing and person that is interacting with the enterprise. Driven by the need to manage process while not crushing creativity and productivity, identity provides the only viable mechanism.

Walking through NAC reveals this to be so: a person (identity) authenticates to a device (identity); device (identity) authenticates to the network (identity); network checks device for policy compliance - often individual specific policy compliance(identity); network enforces compliance upon person through a series of challenges, alterations to credentials or revocations of access to critical systems (all identity); network aggregates all identity data around devices, policies and individuals for audit purposes (who had access to what under what circumstances for what reasons and for how long -- all identity); network helps person and device correct any policy violations (identity) and begin accessing (identity) applications with fine-grained authorizations (identity).

In light of all of this, why don't all NAC vendors know that they're in the identity game? The NAC industry has grown out of a binary access mindset (you're in or you're out) -- and that binary switch is largely enforceable at the device level, which is not normally thought of as identity. All of the recent pushes around compliance and security are forcing innovative NAC vendors to perform fine-grained operations (not binary ones), and as such they are forced to elevate out of the device realm to the user realm (see their integration with Active Directory, RADIUS, etc) -- in short, they become identity companies.

NAC and "traditional" identity management are now beginning to interact ("converge" may be the future, but not yet). And NAC vendors are beginning to realize that their customers are quickly becoming the same people that are worried about identity management (compliance and security infrastructure guys and gals). The pull of identity will inexorably drag NAC toward identity for a simple reason -- the network (big N) demands it.

Next up: I'll begin to highlight some of the innovative NAC vendors that know they're in the identity business.