Like the legendary period in English history, there once was a company whose product, Hark!, promised a new way to enforce the rule of law. But instead of chivalry, it was access control policies that Camelot the company promised.
For all the lovely talk about access control emanating from so-called NAC vendors who must have invoked Merlin to magically transform the unworkable Network Admission Control into Network Access Control, there is still one huge problem with access controls. Most enterprises really have no idea who should have access to what resources. The granularity of access control needed to secure the enterprise is beyond the ken of most IT guys. Let’s face it, knowing what applications, networks, and data sets any one of say 10,000 people should have access to is not a simple problem.
Camelot attempted to address the failings of most identity and access management (IAM) systems by building in a learning component. What happened to Camelot? I wish I knew. For some reason the IT press is great at recording the history of startups as long as they have an active PR program. As soon as vendors start to die the historical record seems to get wiped clean. I would guess that part of the problem was that they were too far ahead of their time. Another issue was they relied on host agents to do the learning and enforcement, a company killer if there ever was one.
Now, in what appears to me to be the second coming, a new vendor is born from the knights of Cisco. Five top networking guys have apparently recognized that the marketing department at Cisco is not really that good at inventing security solutions (admission control) but that there truly is a need for automated tools to discover and enforce access control policies in the enterprise. The company, Rohati, came out of stealth mode in time for the Gartner IT Security Summit last week in DC. They are calling their technology Network-Based Entitlement Control or NBEC. No agents, automated discovery, policy management. I love it. This could work.
I hope the ever flexible NAC vendors get out of the end point health check business. Then we could have an industry that is all pulling in the same direction: towards better policy management, more granular authorization, and ultimately, better security.
---------
Richard Stiennon is a security industry innovator. He is currently consulting, speaking and writing on all manner of security topics and has just announced the launch of Seccom Global, a Managed Security Service Provider focused on UTM. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Netrex, the world's first managed security service provider.
This is already available
This is already available from Enterasys Networks, and has been for many years
I don't think so
http://www.enterasys.com/products/advanced-security-apps/enterasys-network-access.aspx
It appears that Enterasys has evolved their original User Defined Network into NAC. But I do not see any automated discovery or granularity down to application command or data set.
So Richard does this make your Lancelot or Guinevere?
Richard, I don't know if this qualifies as a shining place on a hill technology, but it is interesting if not unique. Of course you use it to take a shot at NAC vendors. I of course have to respond. You can read my response here