Tuesday, July 18, 2006

Network Layer vs. Application Layer Identity

I want to understand why, given where technology is today, anyone would want to implement an application-based IdM solution. I used to do it for a living, until I saw a better mousetrap and went to work for the company, but in this day and age I can’t understand why a company would fund a large IdM project without asking a key question: in which layer of our environment do we want our solution? Please feel free to comment on this one (or anything else I’ve offered, including my Playbook, which is for application-based IdM implementations). The biggest reason I can think of is that IdM applications are fairly mature, there are some best practices to follow, and there are hundreds of thousands of consultants who know how to implement the applications, but that’s as far as I get. Maybe also the workflow tools embedded in the applications, but those do little to prevent a DB admin from going outside the workflow to write to the database/LDAP directly, setting up a ghost account.

I thought a lot about the key differences between application and network Identity Management, and one thing keeps ringing in my head: managing identity in the network layer means that the infrastructure layer and the application layer are included, whereas an application-based IdM solution includes the application layer and still allows access to and visibility of your network.

In the application layer, you cannot (to my knowledge) segment the network to block access to assets, which is an issue in two key areas I want to look at: offshore vendor management and Swiss banking regulations. Both cases involve a US-based company needing to extend its control offsite and out of country.

In the case of offshore vendors, it’s probably a good idea to limit access to production systems to a few key people, and also to have some level of control over what assets they can see and interact with. Customer databases, dev, test, and staging environments, and other applications that have high levels of restrictions for export control or compliance are specific areas where companies need to focus. In the case of Swiss banking, if you are a bank operating globally, the Swiss issue has been a big one, since you cannot have employees outside of Switzerland accessing information. If a person can get on your network, or the network segment in the case of a Credit Suisse First Boston or Citibank for example, then they can conceivably get access to things they are forbidden to access.

To this end, looking at an IdM solution that operates in the network layer provides several significant benefits over an application layer IdM solution:

1. Endpoint control outside company and geographic borders
2. Protection of Network, Infrastructure, Applications, and Data
3. Greater flexibility of policy enforcement by zones

Identitystuff @ gmail.com

2 Comments:

Matt Flynn said...

I think Access Management in the network layer is an interesting concept. Are you talking primarily about having Access Management in the network layer? Or do you also mean managing IDs? How does an organization grant and deny access to employees without some app-layer involvement? How does it manage what resources should be protected and how?

Tuesday, July 18, 2006 8:55:00 AM

P.T. Ong said...

What happens when the pipes get locked down? When point-to-point encryption becomes commonplace (e.g. with https, Skype traffic, SSH)? This is a direction that I believe our networks will move towards in order to achieve greater security and privacy. When the pipes are locked down, won't the network be then relegated to just a transport system for bit streams? Not sure how one could do any identity management on the network when that happens.

Wednesday, August 30, 2006 9:51:00 PM  
