NAC stands for what? Part 1

I really like the current capabilities and promise of NAC. I do, however, have a problem with the abbreviation, specifically, the “A” in NAC. Which do people mean when they say NAC: “network admission control” or “network access control”? To me, there are big differences between the two.

NAC as Network Access Control
If you have an identity background, when you hear NAC, you think, “Oh, this is web access control for the network.” If that’s the case, then NAC needs to have some features that mirror WAC. For example:
• Identifying the user is key.
• There needs to be a centralized policy store that describes access control.
• There needs to be a fine level of granularity of those policies.
• There needs to be some modicum of single sign-on.
• There’s going to be some form of the proxy versus plug-in fight.

User authentication has always been a part of web access control, and network access control should be no different. WAC vendors have all sorts of mechanisms to authenticate the user, either directly or through other authentication providers. NAC vendors do too, but, I conjecture, not in the same way. There are two flavors here: explicit and implicit. Explicit NAC authentication involves the end-user in an authentication event; forcing the user to authenticate to RADIUS is a form of this. Implicit authentication reuses credentials already authenticated by something higher in the stack (like the operating system) without involving the end-user in an extra authentication event.

Centralized policy store — yes, they exist. The market has no problem building policy stores. In fact, as I have mentioned before, there are too many policy stores out there today, with little integration or hierarchy among them. Can I use a single policy tool for all of my identity-based access control? Nope, not yet. I have heard from numerous people: “I already use vendor X’s web access control tool. Can I use it to describe policies for network access control?” The funny thing is that this existed nearly 10 years ago. DASCOM’s IntraVerse had both a web component (WebSEAL, which lives on as part of IBM Tivoli’s Access Manager for e-business) and a network component (NetSEAL, which lived about as long as a drummer for Spinal Tap). What’s old is what’s new, and I guarantee that in the next couple of years we’ll see a return of this model for a variety of reasons.

Fine-grained policies — can I describe a network access policy down to the object level: file, row, transaction, etc.? Kinda, sorta, maybe. There are vendors that do this, but they are typically application specific. There is a gap between the level of control those products provide and more general network access control. Part of the issue is that getting a NAC product deep enough into an application to reach that level of granularity isn’t easy and requires modifying and/or disrupting the application. Further, as anyone who has ever tried to maintain group permission information knows, the more objects you tie to group permissions, the harder they get to manage. (This is why user-provisioning tools have shied away from group management at any deep level.)
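To make the last three points concrete, here is an added example (not code from this post, and not modeled on any of the products named above) of the single policy store the section argues for: one rule list that answers both a WAC-style question (may this user fetch this URL?) and a NAC-style question (may this user reach this address and port?), with the explicit/implicit authentication distinction carried as an attribute of the session so a rule can demand an in-band login before sensitive resources are reachable. The directory, group names, hostnames, addresses and rules are all constructed for the illustration; granularity stops at URL globs and CIDR-plus-port, which is roughly where the text says general NAC products stop today.

```python
"""Toy unified policy store: one rule list answers web (URL) and network
(address + port) access questions for the same identities.

Added example, not code from the post or from any product it names.
The directory, rules, hostnames and addresses are constructed."""

from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Constructed sample directory (user -> groups); stands in for LDAP/AD.
DIRECTORY = {
    "alice": {"finance", "employees"},
    "bob": {"engineering", "employees"},
    "carol": {"contractors", "employees"},
}


@dataclass(frozen=True)
class Rule:
    group: str              # subject attribute the rule keys on
    kind: str               # "web" (URL) or "net" (IPv4 CIDR + port)
    pattern: str            # URL glob, or "10.20.0.0/16:1521" / "10.0.0.0/8:*"
    effect: str = "allow"   # "allow" or "deny"; any matching deny wins
    explicit: bool = False  # True: the user must have logged in to this gate
                            # (RADIUS etc.), not merely inherited an OS logon

    def matches(self, kind, target):
        if kind != self.kind:
            return False
        if kind == "web":
            return fnmatch(target, self.pattern)      # target is a URL string
        cidr, port = self.pattern.rsplit(":", 1)      # target is (ip, port)
        ip, dst_port = target
        if ip_address(ip) not in ip_network(cidr):
            return False
        return port == "*" or int(port) == dst_port


# One store for both WAC-style and NAC-style decisions (constructed rules).
POLICY = [
    Rule("employees", "web", "https://intranet.example.com/*"),
    Rule("contractors", "web", "https://intranet.example.com/hr/*", effect="deny"),
    Rule("finance", "web", "https://erp.example.com/ledger/*", explicit=True),
    Rule("employees", "net", "10.0.0.0/8:53"),                   # internal DNS
    Rule("engineering", "net", "10.30.0.0/16:22"),               # build hosts
    Rule("finance", "net", "10.20.0.0/16:1521", explicit=True),  # ledger DB
]


def decide(user, auth, kind, target):
    """Return 'allow', 'deny' or 'step-up'.

    auth is how the session was authenticated: 'explicit' (the user
    authenticated to this gate) or 'implicit' (credentials inherited from
    higher in the stack, e.g. the OS logon). 'step-up' means policy would
    allow, but only after an explicit authentication event."""
    groups = DIRECTORY.get(user, set())               # unknown user -> no groups
    hits = [r for r in POLICY if r.group in groups and r.matches(kind, target)]
    if any(r.effect == "deny" for r in hits):
        return "deny"                                 # deny overrides allow
    allows = [r for r in hits if r.effect == "allow"]
    if not allows:
        return "deny"                                 # default deny
    if any(not r.explicit or auth == "explicit" for r in allows):
        return "allow"
    return "step-up"                                  # only explicit-only rules matched


if __name__ == "__main__":
    print(decide("alice", "implicit", "web", "https://intranet.example.com/news"))
    print(decide("alice", "implicit", "net", ("10.20.5.7", 1521)))
    print(decide("alice", "explicit", "net", ("10.20.5.7", 1521)))
    print(decide("carol", "explicit", "web", "https://intranet.example.com/hr/payroll"))
```

The point of the example is the shape, not the rule language: the same subject attributes and the same deny-wins, default-deny evaluation serve the web proxy and the network gate, so a finance user who is merely riding an OS logon gets told to step up before reaching the ledger database or the ledger URLs, while a contractor who is also an employee is still kept out of the HR pages by a single deny rule.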

WAC products had basic single sign-on, at least for the applications they protected. If NAC is really an offshoot of WAC, you’d expect the same. Does this mean that Imprivata and Passlogix and the like are NAC vendors? I think that’s a bit of a stretch. Will NAC vendors grow PAM modules? Someday, but not any time soon.

Back in the day, Netegrity and IBM fought it out over the best architecture for web access control. Was it better to deploy proxy servers to control access, or plug-ins to application servers? At the end of the day, the answer was: it depends. Both vendors supported both. Will this architecture difference arise in NAC-land? I wouldn’t be surprised if it did. We already see SSL VPN vendors acting as a form of proxy server. Could we see a rise in plug-ins to applications running on the network to provide extended NAC services? Maybe, but I think we’ll see SPMLv2 adoption before we see NAC plug-ins for applications… either way — don’t hold your breath.

After the 4th, I’ll be back to examine the other “A” in NAC – admission.

Ian

Can I see some ID?

That question was asked by a guard at Department of Homeland Security’s headquarters. Bruce DeCell, a retired New York City police officer, presented identification. What he actually presented and was accepted as valid ID is quite amazing. You have to read this Washington Times article to believe it.

Presumably, Mr. DeCell’s name was matched against the list of vetted guests for the day. Clearly, no other component of his ID was even remotely examined. This isn’t much different from the “check the name game” that the TSA has us go through at airports.

It seems pretty simple to me: if you are going to ask for identification, at the very least you ought to examine the entire piece of identification, not just the name and not just the picture.

Further, if people are checking credentials, they need trustworthy systems to validate those credentials.

At least DHS did one thing well: after (poorly) authenticating Mr. DeCell, it escorted him constantly. You can come in, but I am going to watch every move you make.

You are the best virtual directory on the market

Phil has released his fourth Identity Fallacy – Identity is Monolithic. After reading it, I could almost hear the choir of meta and virtual directory companies rise up in praise. This is what they have really been talking about all these years, though they often lacked the distance from the problem to express it so clearly.

To continue his train of thought, if I may: although identity is not monolithic, our perception is that our identity is monolithic. There is one me. I may have many contexts in which I work, live, play, and shop, but at the bottom of it, that is still me. This mindset is getting people out there in trouble.

You keep track of your various bits out there. You do not have all that data on your computer or phone, but you have a bunch of it. Applications like Keychain on the Mac help your memory by providing pointers to other bits of you. You keep track of things that aren’t immediately recognizable as you, such as your characters in MMORPGs and your alter ego on MySpace, where you profess to be a lot more interesting than you really are. (See Mark’s musings on that one.)

Essentially, you act as a powerful virtual directory for the things you perceive yourself as owning. You own your account on your home computer. You own your wallet with your driver’s license in it. These are all pieces of your “monolithic” facade of identity. By definition, your identity cannot be monolithic, since it is composed of all these little bits that you are tracking. But we still like to think of the notion of the singular me. (What could be interesting to research is whether people with a polytheistic set of beliefs hold the same notion of singular self as those with a monotheistic set.)

In fact, the belief that you own the various components of your overall identity edifice is what gets people in trouble. You think you own your account on the corporate email system, and thus you track it in your virtual directory. If you haven’t realized it by now, you do not own that identity. VPN account? No. RACF ID? Absolutely not. Though you don’t own these things, you still track them as if they were really part of you. Seems fair – you do use them frequently. You typically use them in a work environment, and people, to varying degrees, associate work and self. Keep in mind that those are not things you own, merely things you use.

It gets worse. Much worse. There is a whole category of things out there that you don’t, and often cannot, track: data about you. Credit records. Insurance information. This is all the good stuff that gets copied and reused; the activities that fall under the header of identity theft. (I wince when I hear people talk about having your identity stolen. The metaphysical implications are staggering.) There is so much out there that you and I don’t track; it is truly astonishing. No one would confuse my identity for a record in a police database saying that my car was parked on Main St at 10:05 AM last Tuesday, but these days the two are treated as more and more equivalent.

Revel in the fact that you are such a good virtual directory. Okay, you may not blow the doors off a benchmark, but you hang with the best of them. Just keep reminding yourself that a) you may not own as much of “you” as you think, and b) your identity isn’t monolithic.

I’m off to Catalyst; see you there.