How much security is enough?

With the increased importance of outsourcing, cyber collaboration, information sharing, and legally binding digital signatures, your partners and clients share your risks and are now key stakeholders in this equation.

Prudent and transparent security is now a cost of doing business. Those that modernize now survive; those that don't, won't.

To modernize efficiently and effectively: 1) find a community that defines cyber security prudence, and 2) adopt enterprise architecture and project management practices to control your modernization initiatives.

Monday, January 14, 2008

Network Access and Identity Management Converge

In 2007 we circulated the concept with the network vendor community that Network Access Management was a critical ingredient in a modern identity management capability. We couldn't understand why network authentication was never spoken of in the same breath as identity management.

Think about it. Where is the first point of access: a) your domain, b) your applications, or c) your network?

The right choice is obviously C. The network has always been the first point of access, but usually only the first point of authentication for remote access users (e.g. teleworkers). If network access is not authenticated, users or visitors might place their personal laptops on your network, and will automatically be given an IP address. If these "rogue" laptops have malware on them or have not been hardened, they can be used to launch attacks on your applications and data from the soft underbelly of your agency LAN. Network access management solves this problem by forcing users and devices to authenticate to the network FIRST before anything else can happen.

We are thrilled that Gartner put network access into their most recent identity and access management report (19 November 2007). If agencies implement network access without considering the wider enterprise identity management capability, there is a huge risk that your agency will not achieve a basic level of single sign on, and in the worst case you might find that your network access products are not interoperable with your HSPD-12 smart cards, leaving you with the choice of 1) replacing your network access investments or 2) turning off or not deploying network access. Neither option is a good one.

You can avoid this tough decision by planning network access and domain access architectures in tandem. In a future post, we will post a screencast of single sign on using your FIPS 201 smart cards.