Network and Application Identity
Tuesday, March 7th, 2006

While talking to folks in the IDM space about the benefits of network identity management, I often run into the question James McGovern recently asked: what is the difference between network and application identity, and why are they separate? There are a couple of ways to answer this; first, some background.
Both network and application identity management evolved from a desire to limit the number of authoritative user stores within a system. With application identity management this is achieved, today, primarily by writing hooks into the authentication infrastructure of many popular applications, which then consult a back-end directory to perform central authentication. Network identity management does roughly the same thing today using RADIUS: the network device forwards the user's credentials to a RADIUS server, which checks them against that same kind of central directory.
In mid- to large-size organizations, the groups who manage the applications and the groups who manage the network and its security often sit in different parts of the IT organization. Though this is not ideal long term, today those groups generally do not work well together, and as a result they often solve their problems separately. Though the fundamental drivers are the same, the operational needs of network and application identity are also different. In the network, for example, access rights are enforced across a whole range of different enforcement devices. By speaking RADIUS, an identity management platform gains access to hundreds of different types of network devices. Each of these devices may have its own way of enforcing policy, and a RADIUS client is permitted to ignore attributes it does not understand (RFC 2865), so an authorization the device cannot enforce is silently lost rather than rejected. This is exacerbated by the recent focus within AAA on the second A: authorization. Authorization in today's identity-aware networks can mean several different things:
Dynamic VLAN provisioning
Dynamic ACL / QoS provisioning
Host posture standards
Time of day restrictions
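As an added example (not code from the original post), here is a small Python model of that authorization step: once 802.1X authentication has succeeded, one identity plus a host posture result and the time of day is turned into the RADIUS Access-Accept attributes a switch would need for dynamic VLAN and ACL provisioning. The attribute numbers and values are the standard ones from RFC 2865, RFC 2868 and RFC 3580; the group names, VLAN numbers, ACL names, business hours, the `at()` clock helper and the `nas_supports_filter_id` capability flag are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Standard RADIUS attribute types (RFC 2865 / RFC 2868)
FILTER_ID = 11                # name of an ACL the NAS already has configured
SESSION_TIMEOUT = 27          # seconds until the NAS must re-authenticate the port
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN ID, carried as a string

# Values RFC 3580 prescribes for dynamic VLAN assignment over 802.1X
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy data (illustrative, not from the post)
EMPLOYEE_VLAN = 10
CONTRACTOR_VLAN = 30
QUARANTINE_VLAN = 999
CONTRACTOR_HOURS = (time(8, 0), time(18, 0))


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed clock for the examples: a fixed day, variable time."""
    return datetime(2006, 3, 7, hour, minute)


@dataclass
class AccessRequest:
    """What the RADIUS server knows once authentication has succeeded."""
    user: str
    groups: Tuple[str, ...]              # group membership from the back-end directory
    posture_ok: bool                     # outcome of the host posture check
    now: datetime                        # clock at the policy decision point
    nas_supports_filter_id: bool = True  # can this switch enforce a named ACL? (assumed flag)


@dataclass
class Decision:
    accept: bool
    reason: str
    vlan: Optional[int] = None
    acl: Optional[str] = None
    session_timeout: Optional[int] = None


def _seconds_until(now: datetime, end: time) -> int:
    end_dt = now.replace(hour=end.hour, minute=end.minute, second=0, microsecond=0)
    return max(1, int((end_dt - now).total_seconds()))


def authorize(req: AccessRequest) -> Decision:
    """Map identity, posture and time of day to a network provisioning decision."""
    # Posture first: an unhealthy host gets remediation-only access, whoever is on it.
    if not req.posture_ok:
        return Decision(True, "posture-failed", vlan=QUARANTINE_VLAN, acl="remediation-only")
    if "employees" in req.groups:
        return Decision(True, "employee", vlan=EMPLOYEE_VLAN)
    if "contractors" in req.groups:
        start, end = CONTRACTOR_HOURS
        if not (start <= req.now.time() < end):
            return Decision(False, "outside-contractor-hours")
        # Accept, but make the NAS re-authenticate when the window closes.
        return Decision(True, "contractor", vlan=CONTRACTOR_VLAN, acl="contractor-acl",
                        session_timeout=_seconds_until(req.now, end))
    return Decision(False, "no-matching-group")


def to_radius_attributes(req: AccessRequest, decision: Decision) -> Optional[List[Tuple[int, object]]]:
    """Encode a Decision as (attribute-type, value) pairs for an Access-Accept.

    Returns None for a reject, and also when the NAS cannot enforce an attribute
    the decision depends on: dropping the ACL and accepting anyway would fail open.
    (RFC 2868 tunnel attributes may also carry a tag byte; that encoding is omitted.)
    """
    if not decision.accept:
        return None
    attrs: List[Tuple[int, object]] = []
    if decision.vlan is not None:
        attrs += [(TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
                  (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802),
                  (TUNNEL_PRIVATE_GROUP_ID, str(decision.vlan))]
    if decision.acl is not None:
        if not req.nas_supports_filter_id:
            return None
        attrs.append((FILTER_ID, decision.acl))
    if decision.session_timeout is not None:
        attrs.append((SESSION_TIMEOUT, decision.session_timeout))
    return attrs


if __name__ == "__main__":
    for req in (AccessRequest("alice", ("employees",), True, at(10)),
                AccessRequest("bob", ("contractors",), True, at(17, 30)),
                AccessRequest("bob", ("contractors",), True, at(20)),
                AccessRequest("carol", ("employees",), False, at(10), nas_supports_filter_id=False)):
        d = authorize(req)
        print(req.user, d.reason, to_radius_attributes(req, d))
```

Two design points worth noticing: the posture check runs before any group lookup, so a compromised host on a privileged account still lands in the quarantine VLAN, and the encoder refuses to produce an Access-Accept when the switch cannot enforce the ACL the decision relies on, because a NAS is free to ignore attributes it does not understand and would otherwise grant broader access than the policy intended.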
The application world also has rich authorization decisions to make, but today's application identity management systems lack the network focus and awareness needed to make a rich policy decision, and to provision the session that enforces it, within the network. Longer term, standards like XACML can help bridge these two worlds. Additionally, to the degree that both systems support a common directory such as LDAP or Microsoft AD, you get a certain amount of integration for free. I expect application and network identities to stay separate for the near future but to merge over the mid-term. The benefits of a central business policy defined in one location and then enforced throughout the IT infrastructure are just too compelling.

