Tag: Security

Out: NAC, In: N-IdM?

In prepping for the panel he is leading (and I am speaking on), Eric Norlin has been reading through the mire that is NAC literature. I’ve talked about how Network Access Control (NAC) is a thorny term that is misunderstood, misused, and a bit misleading: here and here. Eric recently called for TNT, among others, to rebrand/rename the entire market space to something more clear than NAC. He suggested Network Identity Management or N-IdM. He suggested that N-IdM would be distinguished from Application Identity Management (A-IdM) – what we think of as traditional identity management. Let’s look at the typical services that A-IdM and N-IdM offer. Under the A-IdM umbrella:

  • Directory Services (including meta and virtual)
  • User Provisioning
  • Web Access Control
  • Federated Identity Management (really Federated Access Control and someday, maybe, Federated User Provisioning)
  • Centralized and Stronger Authentication
  • Role Management (both top-down and bottom-up)
  • Reduced / Single Sign-on
  • Compliance analysis and attestation
  • Report and alerting

In the N-IdM bag of tricks we have:

  • End-point services (Identification, Authentication, and Health)
  • Network admission control (Are you allowed on the network?)
  • Network access control (Where are you allowed to go and what can you see?)
  • Policy-driven Connectivity
  • Connection protection (Tunneling and encryption)
  • Identity-centric activity analysis, reporting, auditing, and alerting

I’m sure I’ve missed some services in both camps, but those lists are a decent start. To be meaningful to the business, these services must help describe the interaction between people and business goals and needs. Consider Bill. Bill is a traveling sales rep. He needs constant, secure access back to the order entry system, email, and the sales portal. He should only have the appropriate permissions in those systems based on who he is and what he does. The business needs to be able to report on Bill activities in those systems as well as on the corporate network in general. The business needs to protect itself from viruses and malware which Bill, inadvertently, has on his computer. Twice a year Bill needs to verify that he is using all of his accounts and the business needs to verify that Bill is in the appropriate roles with the appropriate permissions. I don’t think Bill’s case is too far fetched. But tell me, where in that example does network-provided identity services stop and application-provided identity services begin? Sure connectivity is a network service, but the policy that governs it is related to roles and user provisioning. Auditing and attesting to activity is not exclusively an application-level affair. So, is there really a clear demarcation between network and application identity management from a business perspective? The title of our panel at Digital ID world is: How Network Access Control is Integrating with Identity Management. Come by next Wednesday and bring your questions. Its going to take all kinds of stakeholders in this industry (vendors, customers, pundits, analysts) to get us from NAC to N-IdM and from there to truly unified identity management.

NAC stands for what? Part 2

Before the 4h, I posted on the access control-side of NAC. I compared it with web access control and examined some similarities. This week, I want to look at the other side of NAC: admission control.

NAC as Network Admission Control
Treating NAC as admission control is more of a network/threat-centric approach. There are some basic characteristics of NAC as admissions control:

• Health and configuration validation and remediation
• Machine authentication to the network infrastructure
• Assignment of IP address

Health checking is a common NAC function. This is just good house keeping and it is something that every organization, big or small, needs to do. There are a variety of ways to check the health state of a connecting end-point and most are fairly simple to do. The challenge is managing the remediation of a sick end-point. This is where the real skill of NAC vendors (and a lot of time – their partners) comes into play. How do you quarantine? What configuration management and software distribution tools are used to remediate the problems? How do you orchestrate all of these pieces working together? This is non-trivial work and there are a lot of vendors out there doing really great stuff.

The next two items are not truly mandatory functions for admission control, but they are important nonetheless. Some form of machine authentication is lumped in here: RADIUS, 802.1x, EAP. This is one approach to ensure that only organization-owned laptops are on the network. What concerns me is the conflation of me for my laptop. In order to truly understand what is going on inside the network, user and machine identity have to be treated separately. I am not my laptop and my laptop is not I.

Last, getting an IP address is the last aspect of admission. Some NAC vendors integrate with DHCP services to orchestrate all the necessary steps for admission including address assignment. I’m not saying that DHCP services need to be embedded into the same product that does health analysis, but it is the last step to network admission and should be treated with importance.

Will the real NAC please stand up?
In conversations, blog entries, analyst papers, which NAC is being discussed? I feel that both are necessary to have a complete story, but each side has a different heritage and mindset. Using NAC as an abbreviation blurs the distinction between what is required for admission versus access control. We can do better. Anyone up for renaming this market Network Admission and Access Control – NAAC?

Can I see some ID?

That question was asked by a guard at Department of Homeland Security’s headquarters. Bruce DeCell, a retired New York City police officer, presented identification. What he actually presented and was accepted as valid ID is quite amazing. You have to read this Washington Times article to believe it.

Clearly, Mr. DeCell’s name was matched against the list of vetted guests for the day. Other than his name, clearly no other component of his ID was even remotely examined. This isn’t much different than the “check the name game” that the TSA has us go through at airports.

It seems pretty simple to me, if you are going to ask for identification, at the very least you ought to examine the entire piece of identification: not just the name, not just the picture.

Further, if people are checking credentials, they need trustworthy systems to validate those credentials.

At least DHS did one thing well, after (poorly) being authenticated, Mr. DeCell was escorted constantly. You can come in, but I am going to watch every move you make.