NAC & Identity Management - Same Difference?
Several years ago when Identity Management was emerging as the NBT (Next Big Thing) for helping IT organizations deal with the challenges of being able to identify and better manage users and automate access to resources and applications, what I learned over a short period of time was that Identity Management meant something different to anyone in the space. Vendors, companies, institutions couldn’t define it very well out of the gate but they were going to get it figured out and ultimately deployed – whatever it meant. The one thing that has emerged, and I believe the same is true of NAC, is the intent of a better managed environment. The intent of Identity Management was to manage a users identity and enable and disable access to applications in a faster and more automated way.
When I first started reading about NAC last year, I thought it was pretty straightforward – Network Admission Control, at the time simply meaning the identity of and corresponding health of a machine that connects to your network. Machine health was emerging as a new way to partition networks and access to them. In some ways similar to Identity Management in the sense of a device is another component of identity because machines interact with your organization just as users do. With NAC the idea is healthy machines can get on and stay on my network and unhealthy machines only get to a web page in a quarantined area, vs. full access to assets. In many ways very similar to what Identity Management is designed to do for users. The big difference here is the infrastructure layer where this will happen. IdM is in the app layer, and NAC will happen in the network layer.
We’ve been down this road before with Identity Management, so when I look at the direction of NAC, NAP, TCG and other alternatives that exist today, what my discussions with other peers in this space have uncovered is that these technologies and initiatives are converging, and I believe it will mean better mitigation and control of threats, and putting identity & security professionals in a proactive position for once.
The key concepts of NAC are:
Introduced by Cisco, it is a Framework and also an Appliance
Access Authentication providing port level control (802.1x)
Health Assessment that will determine the health of an endpoint enabling or denying it access to the network
Quarantine/Isolation of unhealthy or compromised endpoints
Remediation to fix an unhealthy or compromised endpoint
I haven’t been able to find a published list anywhere that specifically numbers the deployment’s of 802.1x architected solutions but I have heard the number is about 1000 so there are some NAC/802.1x based deployments out there. Like IdM they have been cumbersome and succesfull in small projects to abysmal failures in larger organizations. Let’s not forget - it’s an IT project.
So What will NAC do for companies? It will provide a way for organizations to keep unhealthy (unpatched, virus filled) machines from connecting to the network. The idea is that if I keep viruses off my network then the cost of an outbreak will drop significantly. I know of one case where a hospital in the Southeast got hit by Sasser and it had to take down the hospitals network until it was fixed. Expensive for the hospital in dollars, lost revenue and most importantly – patient care. This is one example of where NAC may have helped – being able to deny access to an infected machine before it gets to uncontained outbreak level.
There is another alternative that was developed by Microsoft called NAP – Network Access Protection. Since Microsoft is installed at a significant number of endpoints in most environments this seems a natural extension for them. The concept is the same – keep unhealthy machines from doing harm to other machines connected to the network. The NAP version of this consists of different components that are designed to authenticate to remediate an unhealthy machine. From what I understand NAP will be reliant upon Vista and Longhorn, so we may need to wait a bit for this alternative.
There are a myriad of other vendors out there all pitching NAC solutions, which is like the early days of the Identity Management space when it was a bit wild west, but it eventually settled down and acquisitions were made and strategies executed. I believe the same events will unfold with NAC.
One thing I will mention here is that none of the options today that I know of are based on open standards, which may be a concern for the highest levels of an organization’s decision making authority.
My sense is that the large players want us to choose one path or the other and lock us into a religion vs. a denomination. From a business perspective I understand this, however for a CISO who needs to enable ubiquitous access while maintaining a high level of security and needs to work with many components, spend some time thinking about what will work long term since the costs over time may differ greatly as will the requirements to maintain interoperability with current investments.
Bottom line is that NAC will shed some light on the machine's role in our management of identities, and provide some much needed functionality into the market.