Network Layer vs. Application Layer Identity
I have thought a lot about the key differences between application-layer and network-layer identity management, and one thing keeps ringing in my head: managing identity at the network layer covers both the infrastructure layer and the application layer, whereas an application-based IdM solution covers only the application layer and still leaves your network reachable and visible to the user.
At the application layer you cannot (to my knowledge) segment the network to block access to assets, which is an issue in two key areas I want to look at: offshore vendor management and Swiss banking regulations. Both cases involve a US-based company needing to extend its control offsite and out of the country.
In the case of offshore vendors, it is probably a good idea to limit access to production systems to a few key people, and also to have some level of control over which assets they can see and interact with. Customer databases; dev, test and staging environments; and other applications subject to strict export-control or compliance restrictions are the specific areas on which companies need to focus. In the case of Swiss banking, if you are a bank operating globally, the Swiss issue has been a big one, since you cannot have employees outside Switzerland accessing information. If a person can get onto your network, or onto the relevant network segment in the case of a Credit Suisse First Boston or a Citibank, for example, then they can conceivably get access to things they are forbidden to access.
To this end, an IdM solution that operates at the network layer provides several significant benefits over an application-layer IdM solution:
1. Endpoint control outside company and geographic borders
2. Protection of Network, Infrastructure, Applications, and Data
3. Greater flexibility of policy enforcement by zones
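To make the zone-based enforcement concrete, here is an added illustration (not the author's code, and not any vendor's product) of a default-deny, identity-aware policy evaluated at the network layer: the production segment is open only to employees plus a named vendor allowlist, and the Swiss client-data segment additionally requires the session to originate in Switzerland. The zone names, CIDRs, roles and identities are all constructed sample data, and the enforcement point is assumed to already know the caller's role and country.

```python
"""Zone-based, identity-aware network access policy (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    cidr: str                                  # the network segment itself
    allowed_roles: frozenset                   # roles that may enter the segment
    required_country: Optional[str] = None     # data-residency constraint, if any
    named_allowlist: frozenset = frozenset()   # individuals granted access by name


@dataclass(frozen=True)
class Identity:
    user: str
    role: str       # "employee" or "vendor" in this sample
    country: str    # where the session originates (assumed known to the enforcer)


# Constructed zones: vendors reach dev freely, production only via the
# named allowlist, and the Swiss client-data segment only from inside CH.
ZONES = [
    Zone("dev", "10.10.0.0/16", frozenset({"employee", "vendor"})),
    Zone("prod", "10.20.0.0/16", frozenset({"employee"}),
         named_allowlist=frozenset({"vendor-lead-01"})),
    Zone("ch-client-data", "10.30.0.0/16", frozenset({"employee"}),
         required_country="CH"),
]


def zone_for(dst_ip: str) -> Optional[Zone]:
    """Map a destination address to the segment that contains it, if any."""
    addr = ip_address(dst_ip)
    for zone in ZONES:
        if addr in ip_network(zone.cidr):
            return zone
    return None


def authorize(ident: Identity, dst_ip: str) -> Tuple[bool, str]:
    """Default-deny decision taken before any application sees the traffic."""
    zone = zone_for(dst_ip)
    if zone is None:
        return False, "destination is not in a known zone"
    if zone.required_country and ident.country != zone.required_country:
        return False, f"{zone.name} requires sessions from {zone.required_country}"
    if ident.role in zone.allowed_roles or ident.user in zone.named_allowlist:
        return True, f"{ident.user} permitted in {zone.name}"
    return False, f"{ident.role} not permitted in {zone.name}"
```

Because the decision is keyed on the destination segment rather than on an application, an application the policy author has never heard of is still covered as soon as it lives in a zoned segment.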
Identitystuff @ gmail.com