Identity-based networking: The digital frontier in government IT
By Reginald P. Best

Complying with FISMA’s rigorous requirements is easier said than done. Six years on, many government agencies still struggle to implement a jumble of network security technologies aimed at keeping federal information secure, including intrusion detection systems and tools, individual authentication, logging, audit controls and more.
Help is on the way, thanks to a new, layered security model called Identity-based Access Control, or IBAC. IBAC incorporates user authentication with technologies like SSL VPNs and Network Admission Control (NAC), but adds the critical element of identity into access decisions. IBAC solutions can offer bewildered government IT workers a simpler, more effective way to achieve regulatory compliance.
What is Identity-based Access Control?
Identity-based Access Control employs a user’s identity to enforce and log access to the most private data on a network. Think of the ID badges needed to enter a physical datacenter; IBAC extends the idea by requiring a virtual ID in order to access datacenter resources.
Ideally, an identity-based network follows these principles:
1. It defines identity and trust policies for who is allowed access to the corporate network;
2. It stores the identity and access policies of every user in a directory, like LDAP or Active Directory;
3. It authenticates a user’s identity before allowing him or her to access the network. Some IBAC solutions can stamp that identity into the user’s data stream;
4. It provides connectivity depending on the user’s identity and system profile, and makes private data unreachable for users who lack the appropriate identity. If a user only has permission to access e-mail, he or she won’t be able to retrieve, or even know about, sensitive data on the wider network;
5. IBAC can incorporate Network Access Control (NAC). This means it can compare the user’s computer to the network’s security policies to make sure that there is up-to-date virus protection.
How it works: IBAC implementations in government
So, how does Identity-based Access Control help satisfy FISMA and HSPD-12? It provides meaningful security parameters that dictate who gets access to government networks.
Here’s how it works.
When a government agency deploys IBAC, a multi-layered authorization process (for instance, username, password and RSA 2-factor) authenticates the employee’s identity according to access policies set up by the agency, such as in Windows Active Directory. When the authentication is successful, the IBAC solution checks that the computer has the most current security protection available. Next, it adds the user’s identity, as a digital fingerprint, into packets destined for private resources, and enforces access based on the policies set for the network.
This process works the same whether users are accessing the network from their offices, from a remote location, or as visiting agents joining the network via wireless guest access.
With an IBAC networking solution, the agency controls network admission by enforcing policies for all onsite and remote users, protecting its vital assets from tampering or prying eyes. It also ensures that every user’s computer meets security standards.
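The admission sequence described above (directory-backed authentication with a second factor, an endpoint posture check, an identity stamp placed on packets bound for private resources, and policy enforcement at the resource) can be modelled end to end in a few dozen lines. The following Python is an added illustration, not code from the article or from AEP Networks; the directory entries, the resource-to-role policy, the signature-date rule and the stamp key are all constructed for the demo, and the HMAC tag is one simple way to bind an identity to a packet so that an enforcement point can verify it was issued by the admission point.

```python
"""Toy identity-based access control (IBAC) pipeline, added as an illustration.

Four layers, mirroring the article: directory-backed authentication with a
second factor, an endpoint posture (NAC) check, an identity stamp bound to
each packet, and policy enforcement at the resource. All data is constructed.
"""
from datetime import date
import hashlib
import hmac


def _pw_hash(password: str) -> str:
    # Demo-only password hashing; a real directory uses a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for an LDAP / Active Directory user store.
DIRECTORY = {
    "alice": {"pw_hash": _pw_hash("correct horse"), "otp": "246810",
              "roles": {"email", "case-files"}},
    "bob":   {"pw_hash": _pw_hash("hunter2"),       "otp": "135791",
              "roles": {"email"}},
}

# Constructed access policy: the role each private resource requires.
RESOURCE_POLICY = {
    "mail.agency.example":      "email",
    "casefiles.agency.example": "case-files",
}

# Constructed NAC rule: antivirus must be on and signatures no older than this.
OLDEST_ACCEPTABLE_SIGNATURES = date(2008, 1, 1)

# Constructed endpoint profiles used by the demo run and the checks.
GOOD_HOST = {"av_enabled": True, "av_signatures": date(2008, 3, 1)}
STALE_HOST = {"av_enabled": True, "av_signatures": date(2007, 6, 1)}
NO_AV_HOST = {"av_enabled": False}

# Key shared by the admission point (which stamps) and the enforcement point
# (which verifies). Constructed for the demo; a real deployment provisions it.
STAMP_KEY = b"constructed-demo-key"


def authenticate(user: str, password: str, otp: str):
    """Layer 1: username, password and a second factor, checked against the directory."""
    rec = DIRECTORY.get(user)
    if rec is None:
        return None
    ok_pw = hmac.compare_digest(rec["pw_hash"].encode(), _pw_hash(password).encode())
    ok_otp = hmac.compare_digest(rec["otp"].encode(), otp.encode())
    return user if (ok_pw and ok_otp) else None


def posture_ok(host: dict) -> bool:
    """Layer 2 (NAC): the connecting machine must carry current virus protection."""
    if not host.get("av_enabled"):
        return False
    sigs = host.get("av_signatures")
    return sigs is not None and sigs >= OLDEST_ACCEPTABLE_SIGNATURES


def stamp(user: str, payload: str) -> dict:
    """Layer 3: attach an identity tag, bound by HMAC, to a packet for private resources."""
    tag = hmac.new(STAMP_KEY, f"{user}|{payload}".encode(), hashlib.sha256).hexdigest()
    return {"user": user, "payload": payload, "tag": tag}


def enforce(packet: dict, resource: str):
    """Layer 4: verify the stamp, then apply the resource's policy. Returns (verdict, reason)."""
    expected = hmac.new(STAMP_KEY, f"{packet['user']}|{packet['payload']}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(packet["tag"].encode(), expected.encode()):
        return ("DENY", "identity stamp does not verify")
    needed = RESOURCE_POLICY.get(resource)
    roles = DIRECTORY.get(packet["user"], {}).get("roles", set())
    # Unknown and unauthorised resources get the same answer, so a user who
    # lacks the role cannot even learn that the resource exists.
    if needed is None or needed not in roles:
        return ("DENY", "no such resource")
    return ("ALLOW", f"{packet['user']} holds role {needed}")


def visible_resources(user: str) -> set:
    """The private resources the network will advertise to this identity at all."""
    roles = DIRECTORY.get(user, {}).get("roles", set())
    return {res for res, role in RESOURCE_POLICY.items() if role in roles}


def admit_and_access(user, password, otp, host, resource, payload="GET /"):
    """Run the whole admission pipeline for one request and return (verdict, reason)."""
    who = authenticate(user, password, otp)
    if who is None:
        return ("DENY", "authentication failed")
    if not posture_ok(host):
        return ("DENY", "endpoint fails posture check")
    return enforce(stamp(who, payload), resource)


if __name__ == "__main__":
    print(admit_and_access("alice", "correct horse", "246810", GOOD_HOST, "casefiles.agency.example"))
    print(admit_and_access("bob", "hunter2", "135791", GOOD_HOST, "casefiles.agency.example"))
    print(admit_and_access("alice", "correct horse", "246810", STALE_HOST, "mail.agency.example"))
    print(sorted(visible_resources("bob")))
```

The point of the stamp is visible in the last step: a packet whose identity field is rewritten after admission fails the HMAC check and is dropped before any policy lookup, and an e-mail-only user asking for the case-file server receives the same "no such resource" answer as a request for a host that does not exist.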
Identity-based Access Control in the real world
Theoretically, IBAC sounds great, but does it work in the real world?
At the 2005 world leaders’ G8 Summit held in Scotland, delegates and staff needed to access sensitive data and applications securely from a variety of locations.
The summit IT group used a Secure Sockets Layer VPN for the job because it automatically manages policy-defined access and identity-enforced authentication. The easy installation of an SSL VPN simplified the process of putting best practices into place. Only users who were authorized at initial authentication were permitted to view and access private information.
Network security technologies continue to evolve and improve, but many government organizations still lag behind. The IBAC approach offers a way for government agencies still rushing to meet FISMA requirements to secure their networks with an unprecedented level of control.
Reginald P. Best is the chief operating officer at AEP Networks. He can be reached at: