Response to a Digital ID World Blog
http://blogs.zdnet.com/digitalID/wp-trackback.php?p=75
Take a look at the blog, the 1 comment that is up there (mine is awaiting approval by Eric), and here is the comment and my response:
"... So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc.
It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack !! )They are finally "treating the network layer in the same way that one would treat the application layer"? Maybe in five years, vendors will start treating the application layer the same way (just more efficient) that they treat the network (and host/OS) layer.
Posted by: douglen@..."
RESPONSE:
I beg to differ strongly on this one
Just so we're clear about why I can say what I'm about to say... I have run over a dozen initiatives that have provisioned/deprovisioned over 1M users at the application layer. I have worked with IBM, Novell, and Sun's products, and left a VP level job to join TNT for exactly the reason/point you seem to miss. I have published two articles in the ISSA Journal about this as well. My blog is at http://identitystuff.blogspot.com should you care to follow along.
Your point:So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc. It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack !! )
My point:Identity at the network layer means that identity is carried from perimeter to port, so you've encompassed identity in the network, infratsructure, AND application layer WITH the associated entitlements in a single piece of technology. Add to the visibility of who from what machine went to (or tried to go to) an application that ultimately drives who can see and access the right apps is invaluable.
The other benefit to identity in the nework is that once I have deprovisioned the user from the directory, guess what? They can't get on my network at all, they can't login to HR systems from the laptop they still have, and every account they ever set up known or unknown is rendered useless. How's that for workflow?
So I will point out that identity in the network is exactly where things are headed, and need to be. TNT (yes I work for them http://www.trustednetworktech.com) gives DNA to identity which is as close to true identity as we can get right now...
identitystuff@gmail.com
Take a look at the blog, the 1 comment that is up there (mine is awaiting approval by Eric), and here is the comment and my response:
"... So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc.
It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack !! )They are finally "treating the network layer in the same way that one would treat the application layer"? Maybe in five years, vendors will start treating the application layer the same way (just more efficient) that they treat the network (and host/OS) layer.
Posted by: douglen@..."
RESPONSE:
I beg to differ strongly on this one
Just so we're clear about why I can say what I'm about to say... I have run over a dozen initiatives that have provisioned/deprovisioned over 1M users at the application layer. I have worked with IBM, Novell, and Sun's products, and left a VP level job to join TNT for exactly the reason/point you seem to miss. I have published two articles in the ISSA Journal about this as well. My blog is at http://identitystuff.blogspot.com should you care to follow along.
Your point:So-called "Identity 2.0" - and I must point out that I find it despicable that YOU GUYS are pushing such a self-deprecating buzzword - still has to wake up, and realize that identity at the network layer is only the beginning - if that. It has little importance - other than what you can achieve with a network firewall, basically just expanding the policy from "yes/no" to "HostA:yes/no;HostB:yes/no/sometimes" etc. It still provides negligible value as compared to what can be achieved when Identity is fully adopted and integrated at the application level (and I don't mean the OSI stack !! )
My point:Identity at the network layer means that identity is carried from perimeter to port, so you've encompassed identity in the network, infratsructure, AND application layer WITH the associated entitlements in a single piece of technology. Add to the visibility of who from what machine went to (or tried to go to) an application that ultimately drives who can see and access the right apps is invaluable.
The other benefit to identity in the nework is that once I have deprovisioned the user from the directory, guess what? They can't get on my network at all, they can't login to HR systems from the laptop they still have, and every account they ever set up known or unknown is rendered useless. How's that for workflow?
So I will point out that identity in the network is exactly where things are headed, and need to be. TNT (yes I work for them http://www.trustednetworktech.com) gives DNA to identity which is as close to true identity as we can get right now...
identitystuff@gmail.com