Identity management technologies are beginning to weave together the application and network layers of corporate networks, significantly improving access control, easing management burdens and helping users meet stringent compliance and security mandates.
The tools of this emerging trend will be on display this week at the annual Digital ID World conference in Santa Clara, where vendors such as Apere, Applied Identity, Caymas, ConSentry Networks, Identity Engines and Trusted Network Technologies (TNT) will display their network access control (NAC) gear. NAC relies on identity to determine which machines get on the network - and more important, what users are authorised to do once there.
While NAC is gaining momentum, users and analysts say the unification of the network and application layers via identity is a missing link to reducing risk in a compliance-driven world where access is expected from anywhere and network perimeters are disappearing.
"It is becoming more important to know who is on the other end of the wire," says Jon Oltsik, senior analyst for information security at the Enterprise Strategy Group. "Security, compliance and global business initiatives are going to drive these two (layers) together."
To underscore this emergence of sophisticated NAC options, Cisco and Microsoft this week at the Security Standard conference introduced a white paper detailing how users can integrate Cisco's Network Admission Control and Microsoft's Network Access Protection (NAP) technologies. The companies said they would support each other's protocols, but stuck to their previous statements that they would develop their own NAC frameworks while providing methods for users to integrate the two.
They said interoperability would hinge in part on a single agent that will ship with Vista and Longhorn Server, and that will work on the Cisco and Microsoft platforms and can be used by third parties to tie their systems into the architecture. Cisco will continue to develop its Trust Agent to support non-Microsoft platforms.
The companies plan to begin a beta test with a limited number of users by year-end, but the entire architecture won't be available until Microsoft's Longhorn Server ships in late 2007.
By contrast, Caymas, ConSentry, TNT and others are shipping hardware and software that goes beyond validating that a machine is current on patches and antivirus and spyware signatures - the pre-admission checks that Cisco and Microsoft initially are focused on - into post-admission controls, which use identity and policies stored at the application layer to govern how the network looks and reacts to a particular user.
Users already are tallying up the benefits from tightened security, from compliance and auditing to easier management.
"From a security and services perspective, identity has been incredibly useful because we have had this perception that access was based on who you knew, and now we can articulate clearly what people get," says Jeremy Hobbs, CIO of the Upper Canada District School Board in Ontario. "From a manageability perspective, it has been enormous. Also, our auditors love it. They ask how do we decide who gets access to our financial system, and based on identity, we can say these job codes have access and everybody else doesn't."
During the past year, Hobbs has re-architected his network infrastructure so that it controls access to resources via user identity and a set of rules, roles and policies, such as a student's grade level, whether a user is a teacher or an administrator, and a user's accumulated threat history.
Internally, the district has built its identity and access control on Microsoft's Active Directory and NAC tools from Nevis Networks. On the perimeter, it uses Caymas' Identity-Driven Access Gateway, integrated with permissions the district wrote and stores in Active Directory to control access for remote users.
"With Caymas, we can track people right down to individual files," Hobbs says.
The driving force is identity, and network vendors are seeing the light from many angles.
Caymas started off doing VPN termination, and ConSentry was a traditional NAC vendor. TNT started as an identity vendor and ended up in the network layer, where it puts identity information into packets.
Much of this identity-enabled hardware sits inline without requiring infrastructure overhauls, and works at wire speeds, so network architects don't introduce latency.
When a user's identity is added to a new group or job title, access control is based on that new identity and controls based on the old identity disappear automatically.
"All of our access control is based on the identity of users and machines," says Rob Ciampa, vice president of marketing and business strategy for TNT. "We set up access control rules on the back end so you don't have to configure access based on IP address and TCP or (User Datagram Protocol) ports."
TNT has helped the US state of Georgia lock down its voter registration system, which serves 163 counties.
"I was mainly looking for some control over what machines could come into our network," says Wes Peters, a network engineer for the state.
Blocking machines by IP address via the firewall was not an option, Peters says, because many users did not have static IP addresses. Now he controls access to the network via the identity of specific trusted machines that have the TNT driver, and hides his Web site from hackers by limiting access to the log-on screen to those trusted machines.
Others say that identity-enabled controls mean users no longer have to manage access-control lists, virtual LANs or firewall rules.
"By a user simply coming onto the network and authenticating, you can have the roles and responsibilities for that user enforced in the network based on policies that are stored in our engine or in RADIUS or Active Directory or (a Lightweight Directory Access Protocol) server," says Jeff Prince, CTO of ConSentry, which makes an appliance that sits behind the switching infrastructure.
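The role-driven model described above (rules keyed to groups and job codes rather than to IP addresses, with old entitlements dropping away when a user moves to a new group, and the auditor's "which job codes can reach the financial system" question answerable directly from policy) can be sketched as a small policy evaluator. This is an added illustration, not code from any vendor named in the article; the directory contents, group names, resources and the threat-score threshold are constructed stand-ins for what Active Directory, RADIUS or LDAP would hold.

```python
def sample_directory():
    """Constructed stand-in for AD/LDAP group membership plus per-user threat history."""
    return {
        "jhobbs":   {"groups": {"staff", "finance"},     "threat_score": 0},
        "student1": {"groups": {"students", "grade-10"}, "threat_score": 0},
        "tsmith":   {"groups": {"staff", "teachers"},    "threat_score": 3},
    }

# Policy is keyed by role (group / job code), never by user, IP address or port.
POLICY = {
    "finance":  {"finance-system": {"read", "write"}},
    "teachers": {"gradebook": {"read", "write"}, "library": {"read"}},
    "students": {"library": {"read"}},
    "staff":    {"intranet": {"read"}},
}

# Assumed rule: an accumulated threat history above this score strips write access.
THREAT_THRESHOLD = 2


def entitlements(directory, user, policy=POLICY):
    """Union of permissions granted by every group the user belongs to right now."""
    grants = {}
    for group in directory[user]["groups"]:
        for resource, perms in policy.get(group, {}).items():
            grants.setdefault(resource, set()).update(perms)
    if directory[user]["threat_score"] > THREAT_THRESHOLD:
        for perms in grants.values():
            perms.discard("write")  # post-admission control reacting to threat history
    return grants


def is_allowed(directory, user, resource, action, policy=POLICY):
    return action in entitlements(directory, user, policy).get(resource, set())


def move_user(directory, user, old_group, new_group):
    """Reassign a user; nothing is keyed to the user, so the old rights vanish with the group."""
    directory[user]["groups"].discard(old_group)
    directory[user]["groups"].add(new_group)


def who_can(resource, action, policy=POLICY):
    """The auditor's question: which roles (job codes) may perform action on resource?"""
    return sorted(g for g, rules in policy.items() if action in rules.get(resource, set()))
```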
The company plans to introduce this year its own Layer 2-3 10/100/1000Mbps switch that incorporates an identity-enabled appliance that will integrate with the NAP technology coming out with Microsoft's Vista desktop operating system.
Experts say they don't expect the network-layer identity trend to reach critical mass for another two to three years.
"We sort of feel that the identity piece is what is tying together a lot of pre-existing security technologies," says Rob Ayoub, a network security analyst for Frost & Sullivan. "Identity is delivering on the promises of security that have been hinted at in the past but have not been fully realised."