In support of Introducing the Identity-Aware Network

by spettit 1. February 2009 05:25

Gartner (Lawrence Orans) recently published a paper entitled “Introducing the Identity Aware Network”, which can be found here if you subscribe to Gartner’s services or are willing to pay to read it:

http://www.gartner.com/DisplayDocument?ref=g_search&id=834420  

Alternately, you can read Tim Greene’s article about it here for free:

http://www.networkworld.com/newsletters/vpn/2009/011209nac1.html  

Although it's tempting to dwell on the points in the paper that I disagree with or feel needed more consideration, the central theme that Mr. Orans is highlighting is so compelling for the management and administration of the enterprise network that I’d like to focus on that instead. Since the ratification of 802.1X and the subsequent emergence of NAC, the vast majority of vendors and customers have missed the fact that identity, one of the most readily available by-products of an 802.1X/NAC deployment, can unlock numerous efficiencies, support compliance initiatives, and improve IT security.

The ability to map connectivity and device attributes such as IP address, MAC address, machine name, etc. to the name of a person is a huge leap forward in troubleshooting IT systems, incident response processes, and compliance initiatives. To highlight this, consider the following scenarios:

1. Someone calls the help desk because they can’t print or can't reach some network resource. Instead of asking for the user's MAC address, IP address, Ethernet jack, the printer name/queue they’re trying to print to, and so on, the help desk technician can simply ask “what username do you use to log in in the morning?”. Because of the authenticated session, the additional information required to start troubleshooting, such as the items I mentioned, is already associated with the username, and if it doesn't provide an immediate resolution, it certainly provides a meaningful start toward finding one.

2. A security incident is received in which an IP address has been detected doing something or other that is either undesirable or impacting network availability. Instead of going through the usual hoops of locating the IP, looking up the current assignment in DHCP and/or ARP tables, scouring SAT tables to find the port to which the device is attached, tracing the cable to the patch panel, finding the jack, etc., the person working on that incident could simply search for the IP and learn which person was using the machine. Instead of all the aforementioned gymnastics you could simply call the person and tell them to knock it off. <reality check> OK, so the person would really email them and CC his/her boss – people don’t call each other anymore.

3. Given that there is a real migration away from traditional ‘phones’ (I only use a Blackberry and Skype, and I don’t think I’m terribly unique in doing so), the concept of E911 is in real need of an overhaul. My recollection is that when I signed up for Skype voice calling it said “not for 911” or something similar. So, why can’t a person get help when they’re incapable of speaking but can somehow dial 911, click “call” in Skype, send a text, or even (I can't believe I'm writing this) send a tweet? I admit, it seems hard to believe that someone would text rather than call, but if you think about it, a call either connects or not, whereas a text endures until the person sees it, and if you can't speak a voicemail isn't an option. While this scenario is admittedly more obscure than the aforementioned, one can easily see that the raw material for such a system is a strong IP-to-identity binding.
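Scenarios 1 and 2 both come down to the same lookup: join the 802.1X RADIUS accounting records (username, MAC, switch, port) with the DHCP lease records (IP, MAC) and ask who held a given IP, or where a given user is, at a particular moment. The script below is an added example written for this post, not code from the original article, from Gartner, or from Great Bay Software. The RADIUS accounting and DHCP lines it parses are constructed, simplified key=value samples, not any vendor's real log format, and the switch, port, MAC and IP values in them are made up. It deliberately includes the case that trips up a naive "IP equals person" table: an address reassigned to a second user later in the day, and a stale lease that outlives its 802.1X session.

```python
"""Correlate 802.1X RADIUS accounting with DHCP leases so that an IP address
(or a username) resolves to a person, MAC and switch port *at a given time*.
Added example with constructed, simplified log formats (not vendor output)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: accounting events from an 802.1X-authenticated switch.
# Note jdoe leaves port 1/0/7 at 12:30 and mlee authenticates on it at 13:05.
RADIUS_ACCT = """\
2009-02-01T08:01:10 Acct-Status-Type=Start User-Name=jdoe Calling-Station-Id=00:1A:2B:3C:4D:5E NAS-IP-Address=10.0.0.2 NAS-Port-Id=GigabitEthernet1/0/7
2009-02-01T08:03:45 Acct-Status-Type=Start User-Name=asmith Calling-Station-Id=00:1A:2B:3C:4D:99 NAS-IP-Address=10.0.0.2 NAS-Port-Id=GigabitEthernet1/0/12
2009-02-01T12:30:00 Acct-Status-Type=Stop User-Name=jdoe Calling-Station-Id=00:1A:2B:3C:4D:5E NAS-IP-Address=10.0.0.2 NAS-Port-Id=GigabitEthernet1/0/7
2009-02-01T13:05:22 Acct-Status-Type=Start User-Name=mlee Calling-Station-Id=00:1A:2B:3C:4D:AA NAS-IP-Address=10.0.0.2 NAS-Port-Id=GigabitEthernet1/0/7
"""

# Constructed sample: DHCP acknowledgements. 192.168.10.25 is handed to jdoe's
# MAC in the morning and reissued to mlee's MAC in the afternoon.
DHCP_LEASES = """\
2009-02-01T08:01:15 DHCPACK ip=192.168.10.25 mac=00:1A:2B:3C:4D:5E
2009-02-01T08:03:50 DHCPACK ip=192.168.10.31 mac=00:1A:2B:3C:4D:99
2009-02-01T13:05:30 DHCPACK ip=192.168.10.25 mac=00:1A:2B:3C:4D:AA
"""


def _active(start: datetime, end: Optional[datetime], t: datetime) -> bool:
    """True if t falls inside [start, end); end=None means still open."""
    return start <= t and (end is None or t < end)


@dataclass
class Session:            # one 802.1X session as seen by RADIUS accounting
    user: str
    mac: str
    nas: str              # switch (NAS-IP-Address)
    port: str             # physical port (NAS-Port-Id)
    start: datetime
    end: Optional[datetime] = None


@dataclass
class Lease:              # one IP-to-MAC binding as seen by DHCP
    ip: str
    mac: str
    start: datetime
    end: Optional[datetime] = None


def _kv(line: str):
    """Split 'timestamp k=v k=v ...' into (datetime, dict); bare words are ignored."""
    ts, *rest = line.split()
    return datetime.fromisoformat(ts), dict(tok.split("=", 1) for tok in rest if "=" in tok)


def parse_sessions(text: str) -> list:
    sessions, open_by_mac = [], {}
    for line in filter(str.strip, text.splitlines()):
        ts, f = _kv(line)
        mac = f["Calling-Station-Id"].upper()
        if f["Acct-Status-Type"] == "Start":
            s = Session(f["User-Name"], mac, f["NAS-IP-Address"], f["NAS-Port-Id"], ts)
            sessions.append(s)
            open_by_mac[mac] = s
        elif f["Acct-Status-Type"] == "Stop":
            s = open_by_mac.pop(mac, None)
            if s:
                s.end = ts                     # close the matching session
    return sessions


def parse_leases(text: str) -> list:
    leases, current_by_ip = [], {}
    for line in filter(str.strip, text.splitlines()):
        ts, f = _kv(line)
        ip, mac = f["ip"], f["mac"].upper()
        prev = current_by_ip.get(ip)
        if prev and prev.end is None and prev.mac == mac:
            continue                           # renewal by the same MAC: same lease
        if prev and prev.end is None:
            prev.end = ts                      # IP reissued to another MAC: close old lease
        lease = Lease(ip, mac, ts)
        leases.append(lease)
        current_by_ip[ip] = lease
    return leases


class IdentityIndex:
    def __init__(self, sessions: list, leases: list):
        self.sessions, self.leases = sessions, leases

    def who_had_ip(self, ip: str, at: datetime) -> Optional[dict]:
        """Scenario 2: IP from an alert -> person, MAC, switch and port at that time.
        A lease with no live 802.1X session is reported with user=None, which is
        itself a finding (device on the wire without an authenticated user)."""
        for l in self.leases:
            if l.ip == ip and _active(l.start, l.end, at):
                for s in self.sessions:
                    if s.mac == l.mac and _active(s.start, s.end, at):
                        return {"user": s.user, "mac": s.mac, "switch": s.nas, "port": s.port}
                return {"user": None, "mac": l.mac, "switch": None, "port": None}
        return None                            # no lease for that IP at that time

    def where_is_user(self, user: str, at: datetime) -> list:
        """Scenario 1: username from the help desk call -> MAC, IPs, switch and port."""
        return [{"mac": s.mac, "switch": s.nas, "port": s.port,
                 "ips": [l.ip for l in self.leases if l.mac == s.mac and _active(l.start, l.end, at)]}
                for s in self.sessions if s.user == user and _active(s.start, s.end, at)]


INDEX = IdentityIndex(parse_sessions(RADIUS_ACCT), parse_leases(DHCP_LEASES))

if __name__ == "__main__":
    print(INDEX.who_had_ip("192.168.10.25", datetime(2009, 2, 1, 10, 0)))   # jdoe
    print(INDEX.who_had_ip("192.168.10.25", datetime(2009, 2, 1, 14, 0)))   # mlee, same port
    print(INDEX.where_is_user("asmith", datetime(2009, 2, 1, 9, 0)))
```

The point of carrying timestamps through is that the same IP answers "jdoe" at 10:00 and "mlee" at 14:00; an incident handler who looks up the address without the time of the alert gets the wrong person. The `user=None` result between jdoe's logoff and mlee's lease is also worth surfacing rather than hiding: it is a MAC that still holds a lease with no authenticated session behind it.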

Additionally, although not mentioned in the Gartner paper, the notion of identity also needs to be expanded beyond the person. Everything connected to the network has an identity (printer, WLAN AP, VoIP phone, etc.) and those values are often as important as the person-centric identity. I’ll stop that thought right there before it becomes a Great Bay product pitch, but the applications for identity are definitely wider than people and organizations.

So, the idea of the Identity-Aware Network is pretty important from my perspective.  Enterprise organizations will determine whether the cost/benefit is compelling enough, but my sense is that once customers fully understand the value it will quickly make its way up the priorities list on more than a few whiteboards.


About the author

Steve Pettit is the President of Great Bay Software and can be reached at spettit@greatbaysoftware.com