Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Regular readers will know that I'm a big fan of context-based access (see, for example, "Putting Context in Identity"). I like the idea of gathering as much context information as possible and using it for authentication and authorization as well as governance and entitlement. But suppose we could make contextual judgments about access even before authentication?
That’s the premise behind Cisco’s new TrustSec initiative (officially called “Cisco TrustSec”), which was rolled out at the beginning of last year but only recently started making noise. While not announced as a successor to Cisco’s Network Access Control (NAC) architecture, that’s the way it is perceived (see “What Cisco TrustSec Learned From Cisco NAC Failures”).
The idea is that there are many different kinds of people (employees, contractors, vendors, customers, partners and guests) accessing your network in multiple ways (desktops, laptops, phones, PDAs, wireless access points, etc.) from both local and remote sites over secured and unsecured networks. Cisco TrustSec attempts to serve as, essentially, a “triage” facility before network authentication occurs.
(Triage, a term used widely in healthcare, is the process of prioritizing patients based on the severity of their condition.)
Cisco TrustSec doesn’t try to identify every entity accessing the network. Rather, it uses Role-Based Access Control (RBAC) to pre-determine an entity’s ability to carry out the transaction it is attempting, whether that’s a person accessing an application, an application accessing a device, or a device accessing data. According to the Burton Group’s Phil Schacter (Vice President and Service Director): “Cisco Systems has taken an important step toward enabling customer deployment of authenticated networks, where device/user identity and its relationship to an organization role enable a more dynamic model for enforcing security policies.”
A second very important aspect of Cisco TrustSec is privacy and confidentiality. Cisco says: “Confidentiality within the campus starts with device integrity: if the network devices or endpoints are compromised, information at higher application layers might not be trustworthy. Second, higher layer encryption can also disrupt the ability to maintain network-based policy enforcement using services such as firewalls, intrusion prevention, load balancing, QoS, and so on. A network encryption mechanism that preserves these network services [i.e., like the one in Cisco TrustSec] provides more policy control.”
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (2)
Sounds much like Juniper's UAC that has been around for a couple of years.
By Anonymous on April 22, 2009, 9:52 am
Did they learn anything from NAC?
By Anonymous on April 22, 2009, 10:10 am
Seems CISCO did not really learn anything from their not ready for prime time NAC attack. This is another attempt at increasing hardware replacement sales. Another...