<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Why I’m a NAC nonbeliever</title>
	<atom:link href="http://blog.thestateofme.com/2008/06/12/why-i%e2%80%99m-a-nac-nonbeliever/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.thestateofme.com/2008/06/12/why-i%e2%80%99m-a-nac-nonbeliever/</link>
	<description>IT mixology and other thoughts about tech, life the universe and everything</description>
	<lastBuildDate>Thu, 11 Mar 2010 08:53:55 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Howard</title>
		<link>http://blog.thestateofme.com/2008/06/12/why-i%e2%80%99m-a-nac-nonbeliever/#comment-64</link>
		<dc:creator>Howard</dc:creator>
		<pubDate>Tue, 01 Jul 2008 19:36:29 +0000</pubDate>
		<guid isPermaLink="false">http://thestateofme.wordpress.com/2008/06/12/why-i%e2%80%99m-a-nac-nonbeliever/#comment-64</guid>
		<description>Chris,

Having dealt with the inability to implement a NAC solution due to the complexity in having related and dependent network components be anything but static during the implementation, I will wholeheartedly agree with you that putting the intelligence inside the network pipes is not the way to go. Along with your other blog entries speaking of reperimeterization (US spelling of a word not in the dictionary by habit :-) I think it makes complete sense to target the efforts as close to the points which you are trying to protect. Let the network in general run free, as long as you can control the significant systems in terms of identity-based access control and sanitary bytes reaching those points. Products are just making their way to the market that provide solutions in this realm, and there will be a whole cycle of methodologies and approaches before we reach a unified way to do this. And by then, of course, there will be new challenges and problems to face, which is why we all will have gainful employment for years to come....</description>
		<content:encoded><![CDATA[<p>Chris,</p>
<p>Having dealt with the inability to implement a NAC solution due to the complexity in having related and dependent network components be anything but static during the implementation, I will wholeheartedly agree with you that putting the intelligence inside the network pipes is not the way to go. Along with your other blog entries speaking of reperimeterization (US spelling of a word not in the dictionary by habit :-) I think it makes complete sense to target the efforts as close to the points which you are trying to protect. Let the network in general run free, as long as you can control the significant systems in terms of identity-based access control and sanitary bytes reaching those points. Products are just making their way to the market that provide solutions in this realm, and there will be a whole cycle of methodologies and approaches before we reach a unified way to do this. And by then, of course, there will be new challenges and problems to face, which is why we all will have gainful employment for years to come&#8230;.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Steve</title>
		<link>http://blog.thestateofme.com/2008/06/12/why-i%e2%80%99m-a-nac-nonbeliever/#comment-59</link>
		<dc:creator>Steve</dc:creator>
		<pubDate>Thu, 12 Jun 2008 17:14:50 +0000</pubDate>
		<guid isPermaLink="false">http://thestateofme.wordpress.com/2008/06/12/why-i%e2%80%99m-a-nac-nonbeliever/#comment-59</guid>
		<description>The other issue to consider is how we get from A (no holistic methodology in place to control the movement of data) to B (well-defined global policies incorporating a high degree of visibility into data relationships and consistently enforced by policy enforcement points). In my opinion, this is a central question in the evolution of identity management (which to my mind is a higher-tier but related issue to which clients get to connect to the network and what they are authorized to do once they are connected). Is there a way for all the existing siloed logic to be transformed through an abstraction layer, or does it effectively become marooned over time as we move to a horizontal transfer of identity information and binding of metadata to identity state using standardized protocols?  Incumbent vendors are clearly going to have a preference for the more incremental approach, but they are going to have to pick up the pace here.</description>
		<content:encoded><![CDATA[<p>The other issue to consider is how we get from A (no holistic methodology in place to control the movement of data) to B (well-defined global policies incorporating a high degree of visibility into data relationships and consistently enforced by policy enforcement points). In my opinion, this is a central question in the evolution of identity management (which to my mind is a higher-tier but related issue to which clients get to connect to the network and what they are authorized to do once they are connected). Is there a way for all the existing siloed logic to be transformed through an abstraction layer, or does it effectively become marooned over time as we move to a horizontal transfer of identity information and binding of metadata to identity state using standardized protocols?  Incumbent vendors are clearly going to have a preference for the more incremental approach, but they are going to have to pick up the pace here.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
