Wednesday, June 28, 2006

NAC - The new Identity Management

I stumbled across Eric Norlin’s blog as I was surfing around the other day, and he had what I thought was an interesting observation – NAC (Network Access Control) is the new IdM (Identity Management). I couldn’t agree with him more.

When I first got into the Identity Management space, it was the wild west. Thor and Waveset were the early frontrunners (in my opinion) and both have since been acquired by Oracle and Sun respectively. Back then Identity Management meant a lot of things – password reset, self service, provisioning, de-provisioning, single sign on, meta directory, directory on steroids, yada, yada, yada. Then as things matured the companies started exploring federation, security, and more yada yada yada.

I think that where we are today is more mature than 3-4 years ago (duh) and that there is some core functionality out there, with the approach of how users and user data are managed (authoritative sources, workflow, app interfaces/connectors, etc.) being the differentiators, along with the underlying technology of course (Java, XML, other). There are now applications for virtually all of the components of the IdM problem – password resets, self service, provisioning, etc. Where I think IdM needs to get to is matching and managing USER data with CONNECTION data so you get user and machine identities correlated and accurate.

So let's look at NAC. There are many vendors at the wild west stage with core functionality still being fleshed out in my opinion. There are many things that NAC proposes to address – on-boarding machines, doing a machine health check, patch alert tool, antivirus checker, yada yada yada. This to me is akin to what authentication is: just authentication. After a user (or a machine) is authenticated, so what? You're now in the building. It's like dressing up as a firefighter and walking into a building – once you're in you can do whatever you want because you are considered to be a trusted/known user. Isn't NAC the same thing?

You cannot truly control what that user machine does once you give it access to your network. Well actually you can, the solution I sell does it, but I don’t want to be too self promoting – I’d rather make a point here:

NAC is the new IdM, and what we're all striving for is to implement solutions that help us establish trust of users and devices and maintain and check that trust, passively and actively, all the time. We have some maturing to do, and I believe it is a matter of time before someone at the big guys (Cisco, Juniper, Crossbeam, Nortel, etc.) gets it and delivers integrated solutions at the network AND application layer that keep an eye on who we trust.
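To make the two ideas above concrete (correlating USER data with CONNECTION data, and re-checking trust after the initial admission rather than only at the door), here is an added illustration. It is not code from the original post or from any vendor product; the record layouts, the one-hour posture age limit, the usernames, device ids and timestamps are all constructed assumptions for the example. The point it shows is that a session is trusted only while the user is still active in the authoritative source, the device is still the one tied to that user, and the machine's health check is still fresh; dropping any one of those conditions is a reason to revoke, not just a reason to refuse at logon.

```python
"""Correlating user identity with device/connection records and re-checking trust.

Constructed example: every directory entry, threshold and connection below is
an assumption made for illustration, not data from a real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy: a machine health (patch/AV) check older than this no longer counts.
POSTURE_MAX_AGE = timedelta(hours=1)


@dataclass(frozen=True)
class User:
    username: str
    active: bool                 # as reported by the authoritative HR/IdM source


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str                   # username the asset inventory ties this machine to
    last_posture_ok: Optional[datetime]  # last time the health check passed, if ever


@dataclass(frozen=True)
class Connection:
    username: str                # identity presented at network logon
    device_id: str               # identity of the machine that connected
    src_ip: str
    started: datetime


# Constructed "now" so the example is deterministic.
NOW = datetime(2006, 6, 28, 12, 0)

# Constructed authoritative user source: bob has been de-provisioned.
USERS: Dict[str, User] = {
    "alice": User("alice", active=True),
    "bob":   User("bob",   active=False),
    "carol": User("carol", active=True),
    "dave":  User("dave",  active=True),
}

# Constructed asset inventory with last successful posture check per device.
DEVICES: Dict[str, Device] = {
    "laptop-01": Device("laptop-01", "alice", NOW - timedelta(minutes=10)),
    "laptop-02": Device("laptop-02", "bob",   NOW - timedelta(minutes=5)),
    "laptop-03": Device("laptop-03", "carol", NOW - timedelta(minutes=20)),
    "laptop-04": Device("laptop-04", "dave",  NOW - timedelta(hours=3)),
}

# Constructed live sessions, as a NAC enforcement point might hold them.
CONNECTIONS: List[Connection] = [
    Connection("alice", "laptop-01", "10.0.0.11", NOW - timedelta(minutes=30)),
    Connection("bob",   "laptop-02", "10.0.0.12", NOW - timedelta(hours=2)),
    Connection("alice", "laptop-03", "10.0.0.13", NOW - timedelta(minutes=2)),
    Connection("dave",  "laptop-04", "10.0.0.14", NOW - timedelta(minutes=50)),
]


def evaluate(conn: Connection, users: Dict[str, User], devices: Dict[str, Device],
             now: datetime) -> Tuple[bool, List[str]]:
    """Return (trusted, reasons). Trust needs the user, the device AND their correlation."""
    reasons: List[str] = []
    user = users.get(conn.username)
    device = devices.get(conn.device_id)

    if user is None or not user.active:
        reasons.append("user unknown or deprovisioned")

    if device is None:
        reasons.append("device not in inventory")
    else:
        # The user record and the connection record must agree on who owns the machine.
        if user is not None and device.owner != user.username:
            reasons.append("user/device mismatch")
        # Admission-time health is not enough; the check must still be recent.
        if device.last_posture_ok is None or now - device.last_posture_ok > POSTURE_MAX_AGE:
            reasons.append("posture check missing or stale")

    return (not reasons, reasons)


def recheck_sessions(connections: List[Connection], users: Dict[str, User],
                     devices: Dict[str, Device], now: datetime) -> Dict[str, List[str]]:
    """Continuous enforcement: re-run the trust decision over every live session.

    Returns a map of device_id -> reasons for every session that should be revoked.
    """
    to_revoke: Dict[str, List[str]] = {}
    for conn in connections:
        trusted, reasons = evaluate(conn, users, devices, now)
        if not trusted:
            to_revoke[conn.device_id] = reasons
    return to_revoke


if __name__ == "__main__":
    for device_id, why in recheck_sessions(CONNECTIONS, USERS, DEVICES, NOW).items():
        print(f"revoke {device_id}: {', '.join(why)}")
```

Run periodically (or on every change to the user source or the inventory), `recheck_sessions` is the "check that trust all the time" half of the argument: bob's session was perfectly valid two hours ago and only becomes revocable because the authoritative user source changed underneath it, and dave's machine passed its health check at admission but has since gone stale.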

identitystuff
