Last week the Burton Group held its Catalyst conference in San Francisco. Besides some good networking and above-average conference food, there were some interesting talks and a couple of thoughts worth posting here. First, I was struck by the size of the identity management track in terms of the space it occupied. There were four tracks running simultaneously on day one, and the identity management track seemed to be bigger, in attendance and in floor space, than the other three combined. Clearly this is a hot space getting a lot of attention.
This leads directly to my second observation, though: the entire track made no mention of the network and was firmly focused on classic application IdM and single sign-on initiatives. The network security tracks were similarly devoid of much real detail on identity. This confirms what I've been seeing for a while: these two sides just aren't talking to one another enough. That is somewhat surprising, given that the notion of federated identity has a natural role linking the network and the application. While federation today refers to linking the identity systems of multiple organizations, a far easier and equally fruitful endeavor might be to link the network identity event (the user's 802.1X or VPN authentication) with application identity. Whether using protocols like SAML or something more basic, allowing an application to verify the network identity of a user seems useful.
As network transport gets more secure, whether through VPNs, WPA, or newer initiatives like the IEEE LinkSec work (802.1AE/802.1af/802.1AR), the network identity event could perhaps be used as a proxy for application authentication in certain environments. The caveat is that this only holds while the network session stays cryptographically bound to the authenticated user; on an open port or an unencrypted link, anyone who can spoof the user's MAC address inherits the "identity". Even better would be linking authorization systems using protocols like XACML. Imagine an environment where you author policies in one location for application and resource access and they are enforced by both the network and the application, using different techniques at each layer (VLAN and ACL assignment at the network, access decisions in the application). Defense-in-depth indeed!
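To make the "one policy, two enforcement points" idea concrete, here is an added example (my own illustration, not code from the conference or from any vendor mentioned on this page). It assumes a hypothetical, deliberately tiny attribute-based policy in place of real XACML, a constructed directory in place of LDAP, and an HMAC over a shared key in place of a SAML assertion so the application can verify that the network identity claim really came from the network access server. The network PEP acts on an 802.1X authentication event and enforces the policy as a VLAN assignment; the application PEP enforces the same policy as an access decision and additionally refuses to proceed unless the network identity is verified, matches the application login, and was established with a strong enough method.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed shared secret between the network access server (NAS) and the
# application. Stands in for the PKI/SAML trust that would exist in practice.
NAS_APP_KEY = b"constructed-demo-key-not-for-production"

# Constructed directory (user -> groups). Stands in for an LDAP/AD lookup.
DIRECTORY = {
    "alice": {"employees", "finance"},
    "bob": {"employees", "engineering"},
    "mallory": set(),
}

# Network authentication methods the application is willing to link to.
STRONG_NET_AUTH = {"802.1X-EAP-TLS"}


@dataclass(frozen=True)
class Rule:
    effect: str     # "Permit" or "Deny"
    group: str      # subject must belong to this directory group
    resource: str   # "net:<vlan>" for the network PEP, "app:<name>" for the app PEP
    action: str


# The single, centrally authored policy both enforcement points consult.
POLICY = [
    Rule("Permit", "finance", "net:finance-vlan", "connect"),
    Rule("Permit", "employees", "net:corp-vlan", "connect"),
    Rule("Permit", "finance", "app:payroll", "read"),
]


def decide(user, resource, action):
    """Policy decision point: first matching rule wins, deny by default."""
    groups = DIRECTORY.get(user, set())
    for rule in POLICY:
        if rule.resource == resource and rule.action == action and rule.group in groups:
            return rule.effect
    return "Deny"


def _sign(claims):
    """HMAC over a canonical encoding of the claims (hypothetical 'something more basic' than SAML)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(NAS_APP_KEY, payload, hashlib.sha256).hexdigest()


def network_pep(user, auth_method, requested_vlan):
    """Network PEP, triggered by an 802.1X authentication event.

    Enforces the shared policy as a VLAN assignment (falling back to a guest
    VLAN rather than dropping the session) and issues a signed assertion
    recording who authenticated, how, and where they were placed.
    """
    vlan = requested_vlan if decide(user, f"net:{requested_vlan}", "connect") == "Permit" else "guest-vlan"
    claims = {"user": user, "auth_method": auth_method, "vlan": vlan}
    return vlan, {"claims": claims, "mac": _sign(claims)}


def application_pep(login_user, resource, action, net_assertion):
    """Application PEP: same policy, plus the network-to-application identity link.

    Returns (effect, reason). The application only trusts a network identity
    that verifies, names the same user as the application login, and was
    established with a method strong enough to bind the session to the user.
    """
    claims, mac = net_assertion["claims"], net_assertion["mac"]
    if not hmac.compare_digest(mac, _sign(claims)):
        return "Deny", "network assertion failed integrity check"
    if claims["user"] != login_user:
        return "Deny", "network identity does not match application identity"
    if claims["auth_method"] not in STRONG_NET_AUTH:
        return "Deny", "network authentication not strong enough to link"
    return decide(login_user, resource, action), "policy decision"


def run_scenarios():
    """Walk through the cases a practitioner would want to see; returns a dict of outcomes."""
    alice_vlan, alice_assertion = network_pep("alice", "802.1X-EAP-TLS", "finance-vlan")
    bob_vlan, bob_assertion = network_pep("bob", "802.1X-EAP-TLS", "finance-vlan")
    _, mallory_assertion = network_pep("mallory", "802.1X-EAP-TLS", "finance-vlan")
    # Mallory rewrites the claims to say "alice" but cannot recompute the MAC.
    forged = {"claims": {**mallory_assertion["claims"], "user": "alice"}, "mac": mallory_assertion["mac"]}
    _, weak_assertion = network_pep("alice", "WPA-PSK", "finance-vlan")
    return {
        "alice_vlan": alice_vlan,
        "bob_vlan": bob_vlan,
        "alice_app": application_pep("alice", "app:payroll", "read", alice_assertion),
        "bob_app": application_pep("bob", "app:payroll", "read", bob_assertion),
        "forged_app": application_pep("alice", "app:payroll", "read", forged),
        "mismatch_app": application_pep("alice", "app:payroll", "read", bob_assertion),
        "weak_app": application_pep("alice", "app:payroll", "read", weak_assertion),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the two PEPs sharing `decide()` is that a change to the finance group's entitlements in one place changes both what VLAN Alice lands on and whether the payroll application lets her in; the assertion check in `application_pep()` is the "verify the network identity" step, and the `STRONG_NET_AUTH` gate is where you would encode which transports (802.1X with EAP-TLS, a VPN) you trust enough to treat the network event as a factor.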
Next up was a great presentation by Bob Blakley titled "Identity and Community in Human Society." I hope he posts his slides to the web soon, as they are quite interesting. Anyone who quotes T.S. Eliot in a presentation is O.K. by me.
Finally, there were a few good mentions of 802.1X. Some of the wireless talks indicated that while deployments today are evenly split between VPN and 802.1X WLAN security solutions, 802.1X is the trend moving forward. The talk delivered by a Sun Microsystems employee on their NAC deployment was interesting principally because it provided further evidence that appliances are getting the early traction in posture validation: Sun deployed Cisco Clean Access instead of Cisco's 802.1X-based NAC architecture. Another mention of the various NAC frameworks (Cisco NAC, Microsoft NAP, TCG-TNC) suggested waiting until a more baked standard emerges before deploying. As I've said in this blog before, there are plenty of things most enterprises need to do to prepare for NAC, starting with basic user authentication at the network and a consistent means of communicating with their directory infrastructure (in practice, a RADIUS infrastructure that can authenticate 802.1X supplicants against the directory).