Opinion: Bringing security policy and identity together
- 04 May, 2008 22:00
If the LAN is supposed to get smarter and help us improve security — and other control features — with enforcement, what does that mean for policy and identity?
Right now, it seems like all these aspects — the network, the identity store, and policy — are separate. They need to work in concert to do control right in the LAN. Ultimately, they need to be much more tightly integrated to really simplify the administration of controls in the LAN.
Let's look at each piece in turn.
The network: Today, most network devices offer fairly limited enforcement. Standards like 802.1X that allow or deny a user access to the LAN are typical of the capabilities in today's infrastructure. But these mechanisms are fairly blunt, and the infrastructure typically relies on an outside "brain" to tell it how to act on the traffic.
The identity store: This area is probably the most evolved, with well-defined standards and implementations for accessing both a user's identity and role. Active Directory, RADIUS, and LDAP all provide strong options, and other devices can successfully tap into these stores and use the data residing there.
Policy: Despite years of work on policy-based management, with architecture standards for policy enforcement points and policy administration points, too few organisations have networks that can take advantage of these architectures. So for the most part, policy is done by different vendors. Think of all the various policy stores common in networks today — those for wireless, VPN, NAC, identity and access management, and security are just a few examples of how rampantly these policy stores have grown.
So where are we headed?
The network is definitely getting smarter. We're seeing more intelligent devices — at the access layer, LAN core, and LAN/WAN boundary — that understand users and applications and offer greater flexibility for enforcement. The strongest of these devices can maintain their own policy stores, currently derived from vendor-specific policy engines, and act on traffic independently of those engines.
The network needs to bind with the identity store, and an evolution toward this is definitely in progress. The simple case of an 802.1X switch is the first step; an intelligent switch that uses the information in an identity store is an even stronger example. The switch learns the user's name and role, and associates them with the application currently running to apply policy.
Ultimately, getting policy to reside in a central location is the key. Rather than many disparate systems with policy information, enterprises need to have a single policy store, intimately tied to the identity store, where the network infrastructure can apply and enforce policy on all traffic. Having policy management in the core-with control at the edge-is the only scalable model for pulling together network, identity, and policy.
Kerravala manages Yankee Group's infrastructure research and consulting