The term “identity-based networking” refers to the concept of an end user’s identity being tied to the network services they are allowed to receive. The initial implementations of this concept can be seen in ubiquitous network services such as 802.1X. For years, wireless networks have applied the basics of identity-based networking to users joining wireless access points.
Identity is foundational to data security at every layer of an organization, and security is at the heart of every networking solution, yet the two are usually managed with separate tools and teams. Deeper integration of identity management and secure networking provides clear enhancements to overall security.
Recently there has been renewed interest in furthering these integrations. The benefits of an architecture that integrates these two disciplines can start from day one. In these new solutions, new user and device connections are built around a single source of truth (the identity provider). This simplifies configuration and eliminates complex legacy solutions such as RADIUS servers. But the real benefits come from the security and compliance enhancements.
So why is greater alignment of identity and network access so critical to security and compliance?
#0 – Zero Trust can be extended through IT infrastructure – Zero Trust network security means that no one is inherently trusted on the network, and everyone must be verified. The assumption behind Zero Trust is that threats exist both inside and outside an organization. Users are given the least privilege needed to do their jobs, which limits what they can see and minimizes the blast radius of compromised access. The integration of networking and identity services is the easiest way to extend Zero Trust security to every system, user or device in an IT environment.
#1 – Enable next-generation access – Typically, legacy networking solutions authenticate at the beginning of a session but allow the session to remain intact until it is manually ended. But when a user’s identity is incorporated, the connection can be continually reassessed and adjusted as the circumstances surrounding the endpoints change. An example of this can be found in Google’s CAEP (Continuous Access Evaluation Protocol). CAEP attempts to address the needs of network security by continually reassessing the context around the user accessing the network. None of this is possible without the identity and context of a user being known and access being controlled dynamically at the network level.
#2 – Attackers become blind to IT resources – Using identity-based networking, authenticated users are only allowed to connect to the applications they have been given permission to access. All entities start from a default of zero access or visibility. Without authentication and authorization (originating in an IdP), applications on the network don’t even appear to a user. This hiding of resources minimizes the enterprise attack surface by preventing bad actors from performing port scans to identify vulnerable applications. Hiding IP addresses behind virtual networks inherently makes any attempt to penetrate IT resources more difficult while also impairing DDoS attacks.
#3 – Compliance and reporting – Because identity-based networking is user-centric, it allows administrators to create access policies based on user attributes. This enables reporting based on the access that specific users have had to specific applications. Current solutions have no way of providing anything more than logs of a user’s authentication into a network. Providing network metadata tied to an identity’s individual and group attributes streamlines attestation and ensures that regulators know exactly who made a connection, how it was made, and when an application was accessed.
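The three mechanisms above (continuous reassessment of a live session, default-deny visibility of applications, and an audit trail tied to identity attributes) can be modelled in a few dozen lines. The following is an added illustration, not code from the original post or from Trustgrid; the application catalogue, the group names and the event types are constructed for the example and only loosely follow the shape of CAEP-style security events.

```python
from dataclasses import dataclass, field

# Constructed sample catalogue: each application lists the IdP groups that may
# see it. Anything not granted here is invisible (default deny).
APP_POLICY = {
    "payroll": {"finance"},
    "git": {"engineering"},
    "wiki": {"finance", "engineering"},
}

@dataclass
class Session:
    user: str
    groups: set                      # group attributes asserted by the IdP
    device_compliant: bool = True
    revoked: bool = False
    active: bool = True
    audit: list = field(default_factory=list)   # (user, object, outcome) records

    def visible_apps(self):
        """Default deny: an app is listed only if the identity grants it."""
        if not self.active:
            return []
        return sorted(a for a, allowed in APP_POLICY.items() if self.groups & allowed)

    def connect(self, app):
        """Attempt a connection and record who tried what, with the outcome."""
        ok = self.active and app in self.visible_apps()
        self.audit.append((self.user, app, "allowed" if ok else "denied"))
        return ok

def evaluate(session, event):
    """Re-evaluate a live session on a context event instead of trusting the
    initial authentication for the session's lifetime. Event is a constructed
    dict, e.g. {"type": "device-compliance-change", "compliant": False}."""
    if event["type"] == "credential-revoked":
        session.revoked = True
    elif event["type"] == "device-compliance-change":
        session.device_compliant = event["compliant"]
    elif event["type"] == "group-change":
        session.groups = set(event["groups"])
    session.active = not session.revoked and session.device_compliant
    session.audit.append(
        (session.user, event["type"], "active" if session.active else "terminated"))
    return session.active
```

A session that loses device compliance or has its credential revoked is terminated on the next event rather than surviving until the user logs out, and every decision lands in the audit list keyed by identity.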
While identity-based networking has been around for years, earlier implementations lacked the advanced features of modern solutions and were incredibly complex to manage. The advancements provided by software-defined networking solutions such as Trustgrid have made it possible to finally realize more advanced security and compliance visions.