DIDW: How NAC is Integrating with Identity Management
Here are notes on the second NAC session.
Eric Norlin, Moderator
NAC guys started using Identity in their messaging; he wanted to find out why.
Introductions:
Applied Identity
Juniper
Forescout
Apere
TNT
What do you do:
Applied Identity: Application security is further along, so we’re doing identity-based access control in the network.
Juniper: In the NAC business. Genesis was the acquisitions of Netscreen and Neoteris. SSL VPNs being used for access control. As these technologies evolved throughout the enterprise we looked at policy frameworks.
Forescout: Definitely NAC. Clientless approach and discovery; also do ranking abilities; also provide role-based capabilities; provide integration with identity players.
Apere: Bringing Identity and Access Control together. Miniature Tivoli in a box. Medium enterprises don’t have identity management. We wanted to put a version of that in a box.
TNT: Identity is confusing for enterprises, at the network layer no one did this. We bring a clear vision of what assets are doing and who they are interacting with. We now have access control on top of that to define what folks are allowed to do.
Eric: Identity Management at the Network layer and Identity Management at the Application layer, you seem to be going between the two. What are customers wanting from you?
Applied Identity: Control is something we provide; second driver is compliance (SOX, etc.). Third driver is consolidation of defense in depth from disjointed layers to more coordinated layers. One place for security policy. Deployment cases. 1: Guest worker access (employee, contractor, etc.)
Juniper: First is notion of identity at the user level, then also non-managed devices and controlling what they are able to access, then what rights do they have. The reality of enterprise endpoints, customers tend to want a holistic view across all forms of access.
Forescout: Agrees as far as drivers. One thing to add: depends on market (e.g. Federal may have a different focus). In the enterprise, we see mostly orchestration to provide one management platform for things already in place, e.g. how can I be sure that the AV is all in place? In the federal market, more compliance.
Apere: Too many products in the market; what can we do to help this? Did interviews in 2002 talking to customers. Three key issues we heard were 1. Business enablement 2. IP protection 3. Compliance. 90% of customers we talk to have more than 10 identity stores (7 ADs, a couple of LDAPs, etc.); these systems don’t talk well with one another. Focused on the medium enterprise.
Eric: How is TNT changing based on changes in market?
TNT: Lots of disjointed functions deployed across enterprises. Regulatory pressures are forcing directory discipline. Need controls and visibility after authentication. Fighting attacks at the edge or data center alone is not enough. Need to go to every machine in the network. [SJC: This seems architecturally questionable, but perhaps we have different definitions for these terms.]
Eric: Security happens when you do Identity well. Why call yourself an Identity company and not just a networking company?
Applied Identity: Wanted a strong association with Identity. Noise level got excessive in the overall security space. Static ACL tables are very error prone.
Juniper: We aren’t an identity management company. What used to be controlling access based on who is evolving into other vectors like device type, etc. We see a huge guest worker opportunity.
Eric: The metaphor seems to be changing. Instead of bigger firewalls and more techniques to protect the network, is this change in metaphor happening?
Forescout: Yes, we are a NAC vendor and are not doing Identity but we see the linkages between the two.
Apere: We launched the product two months ago. Biggest problem was that analysts are identity- or security-focused. This highlights the problem. In customers, the networking guy cares about security but the application guy cares about identity. An application guy and the network IT manager don’t play well with one another. We want to make a comprehensive solution that includes both security and identity.
Eric: What is the value of managing Identity at the network layer?
TNT: The balance of power in the enterprise is shifting towards the identity folks since they speak the business language. This power is taken from the networking guy. These trends are causing some of these metaphor changes. By talking about the infrastructure in Identity terms it allows the networking guys to speak the language of the business.
Missed the last 15 minutes.
Technorati Tags: Digital ID World, identity, NAC