I presented Identity Management for Networks to the Network Applications Consortium (NAC) late last week. The presentation is very similar to others I’ve posted recently so no need to download it if you’ve looked at anything I’ve done recently. What is new is my answers to the presenter questions the NAC posed to everyone at the conference. As the questions are fairly interesting, here they are complete with my answers in italics.
- Do you see any differences in how the authorization policies of networks vs. applications should be engineered, managed, and provisioned? *Network policies are broader today due to limitations of the technology and understanding of the business roles. Eventually network policies will be merged with application policies.*
- Are there any advantages or drawbacks in the flow of the access request being sent to the PDP first or the PEP first? *PDP first requires basic authorization to route the request from the network edge, which may be suboptimal.*
- Do you see declarative authorization interpreting and enforcing more finely grained authorization policies than they support today? *Yes, though this is as much a challenge for enterprises to understand their roles as it is a technical challenge to support the fine-grained authorization.*
- Should SAML authorization assertions, and requests for authorization assertion, be used in the communication between PDPs and PEPs? If not, what should be used? *For networks, SAML will be used in the future, but perhaps more for PDP to PDP communication in a federated model than for PDP to PEP communication. In the network space RADIUS has traction simply because it is so ubiquitous.*
- How can we meet our need for flexibility to deploy centralized and/or decentralized approaches within an enterprise and across enterprise customer, supplier, or channel partners using different platforms? *Policy portability through XACML and authorization assertions through SAML can address much of this; the challenges here are more at the organizational level.*
- Comment on the NAC’s best practice of locating the PEP as close to the resource as possible. *For networks, it may make more sense to locate the PEP as close to the point of network access as possible to reduce exposure to threats. If you consider the network the resource, then our best practices are aligned.*
- Comment on the NAC’s best practice of balancing between availability and performance when selecting the location of the PDP. *This makes perfect sense; distribution of the PDP may be key depending on the application.*
- Comment on the NAC’s best practice of having platform agnostic PAPs and PDPs, loosely coupled with access management product offerings (e.g., WAM products). This allows for the independent evolution of PAP, PDP, and PEP technology, without disrupting the other components. *This is the only way this can scale long term, particularly the vendor neutrality between the PDP and the PEP. Standards for access control formats need more attention.*