
Recognition finally: The directory’s role in network security

May 07, 2003 | 3 mins
Access Control, Enterprise Applications

* Policy management and more

For three years at least, I’ve railed against security vendors trying to wrest control of the identity management space away from the directory vendors. Unfortunately, security is a concept that most people understand, so it’s easy to throw it around as a basis for doing anything you want to do. Identity, on the other hand, is much less tangible and harder to understand. But there is hope as one of the good guys is fighting back.

NetVision has been around for a dozen years and has always been involved with identity management and the directory. Beginning with its Synchronicity product (one of the very first metadirectory engines) through its Directory Alert and Server Alert products for both NetWare and Windows/Active Directory, NetVision has been at the forefront of identity management in the enterprise.

The company has taken everything it has done, everything it has learned and everything that users have asked for and rolled it up into Integrated Security Policy Management (ISPM) Version 4 (why? Because nobody ever buys Version 1).

It’s also Version 4 to show its lineage as a direct descendant of NetVision’s Policy Management Suite (PMS), which, in turn, was created by combining the ServerAlert and DirectoryAlert packages. But ISPM is a whole lot more than a minor facelift to PMS; it’s a breathtakingly wide-ranging security and identity management tool encompassing monitoring, reporting, policy enforcement and more.

NetVision CEO Todd Lawson decries those competitors who simply monitor and report on activity involving Access Control Lists (ACL) as well as those who feel that building a wall around your network is the best way to initiate security.

“Because we operate at the directory level where identity and access management really happens and we have a full-blown policy enforcement engine, we’re able to go beyond just managing access control lists like many of our competitors,” Lawson explained. “We actually manage user behavior by constantly monitoring and controlling what users are doing with the access rights they have – that’s an entirely different type of security management.”

And not only monitor behavior but also actually enforce the policies that have been applied. As marketing vice president Jim Allred demonstrated for me, not even the Administrator/Admin user – with all rights and privileges – could override policy settings enforced by ISPM – the system simply reversed the changes the admin made.

When you’re looking into security measures for your network, remember that detection and reporting aren’t enough. Getting a message that the barn door is open doesn’t allow you to close it in time to keep the horse from disappearing. You need a service that will actually close the door as soon as the opening is detected – that’s enforcement.

To be able to do that, though, the policy engine has to be available anytime and everywhere, and every time and anywhere. That is, it has to be ubiquitous and pervasive. And the only thing that’s ubiquitous and pervasive in any network is – the directory. But the directory is also the place where identity information can be found, and as Allred said, “Policy is incomplete when it’s not tied to identity and role.”

If you’re involved in your network’s identity management and you’d like to be involved in its security management, then NetVision’s Integrated Security Policy Management is something you really need to take a look at.