Archive for March, 2007

RADIUS Grows Up

Friday, March 30th, 2007

Yesterday I presented at the Secure IT Conference in Sacramento, CA. I did a presentation on identity management applied to networking called “RADIUS Grows Up: Identity Management for Networks.” If you are new to the space, this presentation should give you some good background on what problems need to be solved, and what some possible approaches are. In other news, my cast is off and the arm splint should be gone next week!


Radius Cracked!

Tuesday, March 6th, 2007

Apologies for the sensationalist title, I couldn’t help myself. I’m writing this blog post using voice recognition software as my left arm is broken. I broke it snowboarding in a half-pipe at Squaw Valley this past weekend. Given my day job, there was only one bone in my arm that I could have possibly broken–that’s right, my radius. Feel free to insert your own joke about the robustness, scalability, and reliability of radius. I, for one, have a new-found respect for the importance your radius plays in daily life.

The First Three Roles

Thursday, March 1st, 2007

One of the more exciting aspects of authenticated networks is that once you have them, role-based access control becomes possible. Today, as I've said before, authentication for wireless, VPN, and dial-up connections has the principal goal of proving that you should be treated as if you were in the building. Wired access typically has no authentication at all. However, if you authenticate wired access as well, every access method is now authenticated and the game changes: with the user's identity validated at every point of access, we can finally ask what the user should be allowed to do, not just whether they may connect.

At this point vendors and customers can get overly excited and start talking about dozens of roles based on the different areas of the organization. The problem is that many larger organizations have no idea what specific authorizations each role needs. Instead of jumping to the end game, organizations should start with a small number of roles. A good place to begin is simply to differentiate between a guest, a contractor, and a permanent user. Guests typically need access only to the Internet. Contractors' needs vary widely, but they generally need access to a subset of internal resources. Locking down contractors will still require some homework from the network IT staff, but it is a far more tractable problem than figuring out every employee's entitlements. Lastly, the permanent user role gets access to everything, as it does today.

From these meager beginnings, you can begin to extend your role-based access control. The next logical step for many organizations is a "privileged" role, granted to finance, HR, and executive staff, that allows access to the servers housing very sensitive data while ordinary employees are kept off them. It is important to remember that even with just three roles, though, you have significantly extended the functionality the network provides over what it did before authenticated networks.
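To make the three starting roles (and the later "privileged" step) concrete, here is an added example of the policy such a network would enforce. It is not code from the original post: the directory group names, role names, VLAN numbers and address ranges are all assumptions made up for illustration. The first half models what a RADIUS server does after authentication (map the user's directory groups to a role and return the VLAN for it, using the standard Tunnel-* attribute values); the second half models the per-destination filter the network applies to that role, with RFC 1918 space standing in for "inside the building" and an unknown user denied by default.

```python
"""Role-based network policy for an authenticated network (added example).

Assumptions (not from the post): group names, role names, VLAN numbers and
the 10.20.0.0/16 and 10.99.0.0/24 ranges are constructed for illustration.
"""
import ipaddress

# RFC 1918 space stands in for "inside the building".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed internal ranges: the subset contractors may reach, and the
# servers holding very sensitive data that only the privileged role may reach.
CONTRACTOR_RESOURCES = [ipaddress.ip_network("10.20.0.0/16")]
SENSITIVE_SERVERS = [ipaddress.ip_network("10.99.0.0/24")]

# Directory group -> role. Three starting roles plus the later "privileged" one.
GROUP_TO_ROLE = {
    "guests": "guest",
    "contractors": "contractor",
    "employees": "employee",
    "finance": "privileged",
    "hr": "privileged",
    "executives": "privileged",
}

# Most to least privileged; used to pick one role when a user is in several groups.
ROLE_ORDER = ["privileged", "employee", "contractor", "guest"]

# Role -> VLAN (assumed numbering).
ROLE_VLAN = {"guest": 100, "contractor": 200, "employee": 10, "privileged": 10}

# RFC 3580 values: Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def assign_role(groups):
    """Map an authenticated user's directory groups to one role.

    Unknown groups are ignored; a user with no recognised group gets None,
    which the rest of the policy treats as deny.
    """
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    for role in ROLE_ORDER:
        if role in roles:
            return role
    return None


def radius_reply(role):
    """Build the Access-Accept attributes that place the user in the role's VLAN.

    Returns None for an unknown role, i.e. the server should send Access-Reject
    rather than silently dropping the user onto a default VLAN.
    """
    if role not in ROLE_VLAN:
        return None
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(ROLE_VLAN[role]),
    }


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def authorize(role, destination):
    """Decide whether a session holding `role` may reach `destination`.

    Policy from the post: guests get the Internet only; contractors get the
    Internet plus a subset of internal resources; permanent users get
    everything except the sensitive servers, which need the privileged role.
    """
    if role not in ROLE_VLAN:          # unauthenticated / unmapped: default deny
        return False
    addr = ipaddress.ip_address(destination)
    if _in_any(addr, SENSITIVE_SERVERS):
        return role == "privileged"
    if not _in_any(addr, INTERNAL_NETS):
        return True                    # Internet: every authenticated role
    if role == "guest":
        return False                   # guests never reach the inside
    if role == "contractor":
        return _in_any(addr, CONTRACTOR_RESOURCES)
    return True                        # employee and privileged: everything else


if __name__ == "__main__":
    for groups, dst in [(["guests"], "10.20.1.5"), (["contractors"], "10.20.1.5"),
                        (["employees"], "10.99.0.7"), (["employees", "finance"], "10.99.0.7"),
                        (["visitors"], "8.8.8.8")]:
        role = assign_role(groups)
        print(groups, "->", role, radius_reply(role), dst, authorize(role, dst))
```

The two things worth noting in the design are the default-deny paths: a user whose groups map to no role gets no VLAN attributes at all (so the switch cannot fall back to an open port), and the sensitive-server check runs before the "internal, so employees may pass" rule so that adding the privileged role later narrows, rather than widens, what the permanent user role can reach.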
