What is identity-based networking?

I have heard the term “Identity-based Networking” in relation to LAN Security. What is the relationship between identity management and securing the LAN?

The term “identity-based networking” has actually been around for many years, referring to the idea that a user’s identity is somehow tied into the networking services that user can receive. When wireless LAN controllers first emerged, for example, they applied they concept of identity-based networking by not only authenticating users joining the wireless network but also by placing them into the appropriate virtual LANs (VLANs).

Identity management, often referred to as identity and access management (IAM), is slightly different, though its goals are similar. IAM systems consolidate both user names and individual access rights across multiple disparate applications. IAM systems are used to establish new user identities, grant those rights across the enterprise’s applications, and then eliminate those identities and access rights when employees leave the company.

In its relation to LAN security, the fundamental meaning of identity-based networking remains the same – controlling a user’s access rights on the LAN based on that user’s identity. Of course, the notion of “identity” has broadened, and IT now has many more options for “controlling” users than simply placing them into VLANs.

One way to look at the expanding control options is to look at NAC systems, which have emerged a major element of LAN security over the last couple years. NAC incorporates pre- and post-admission tasks. Pre-admission tasks include authenticating a user and validating that the user’s machine complies with corporate security policy. Clearly, authentication and posture check are valid components of a user’s identity.

Post-admission tasks can include functions such as learning a user’s group affiliation or role in the company, associating that role with access rights, and watching that user’s behavior for anomalous activity. Many of these post-admission tasks can also contribute to defining a user’s identity. Certainly a user’s role or group membership is a vital component, but in applying access rights to that user, elements such as the application in use, a user’s location, and time of day can also enrich the notion of a user’s identity.

So why does IT have more options for applying identity-based networking in LAN security today? Because with access control technologies, IT can apply identity-based control on a far more granular basis. Previously, identity was equal to username, and control was equal to VLAN membership. Now, identity is a much richer concept, and controls are far more nuanced – a user can go to these finance servers but not the server storing credit card data, access this web application over Port 80 but not run IM, send art and photograph files over FTP but not Excel files.

While most business won’t need every aspect of those rich controls, the ability to choose from such a wide range of attributes in assigning users’ access rights is fundamental to the next wave of LAN security tools.

Getting back to IAM systems for a moment, I want to make clear that directly tying network access rights to IAM systems is, for the most part, only a concept for now. Neither LAN security nor IAM systems are deployed broadly enough to realistically be tied together. But the concept of basing users’ access rights on a rich and ever-changing notion of their identity absolutely makes sense.

The task now is for you to think through what should constitute “identity” in your organization and what kinds of controls you want to be able to exercise. At the end of the day, identity-based networking will mean something different in every business – but every business should have the tools to be able to define it as needed.

Have a question for the Network Guardians? Drop us a line.