
Identity-based security tools give customers control of users, not just ports

The need to quickly identify and respond to threats has driven the development of tools that can define not just whether a resource can be used, but how it is used, and by whom.

The need to quickly respond to threats and bandwidth shortages is driving the creation of tools that can protect a company using methods more sophisticated than passwords and virus definitions.

During the next few weeks several vendors, including Symantec Corp. and Microsoft Corp., will introduce identity-based security applications that combine aspects of network security and systems management.

Each vendor uses slightly different language to describe its products or market niche: network access controls (NAC), intrusion detection and prevention systems (IDPs), application-level security.

But all of the products focus on the ability to monitor and apply rules to specific users and applications -- whether that means limiting the types of applications that can run during business hours, or the amount of bandwidth a particular employee can use for a particular purpose.

That level of flexible security is what customers are looking for now, and what security providers have to learn if they're going to keep up with the market, analysts and value-added resellers (VARs) said.


"What we hear again and again is enterprises are struggling with visibility and control," said Robert Whiteley, a senior analyst with Cambridge, Mass.-based Forrester Research. "Visibility before was at the packet level, and control before was at the port level."

That makes identity-based, application-level control a big selling point, said Darren Patoni, president and CTO of The Information Technology Workshop, a Juniper Networks VAR in Tempe, Arizona.

"Being able to look at this at the application level is really big," he said. "A lot of the customers may not know what port to shut down or how to do it. … Rather than have manufacturers handcuff the customers to a proprietary set of standards, customers are demanding them to be customer-centric."

Identity-based software is a better solution to clients' security issues today because "the old mode of networking assumed there was a perimeter," Whiteley said. "The problem is, the perimeter is dead. Either that, or it's Swiss cheese."

As administrators try to keep their networks secure while accommodating users' demands for universal access, "hardware and technology will be less important than creating an umbrella policy," Whiteley said.

Identity-based software like ScreenOS 6.0 and Intrusion Detection and Prevention (IDP) 4.1 -- which Juniper will announce April 30 -- will make that easier by eliminating the need to translate security policies based on business or compliance rules into the language of ports and packets, he added.
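The two passages above describe the same shift: rules written in terms of users, groups, applications, time of day and bandwidth, rather than ports and packets. The following is an added illustration, not code from the article or from any of the vendors it names; the rule set, group names, applications and quota figures are constructed for the example. It evaluates a request against an ordered, first-match policy list and returns the decision plus the rule that produced it, which is the kind of audit trail a compliance reviewer wants.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple, FrozenSet

@dataclass(frozen=True)
class Request:
    """One access attempt, described in business terms rather than ports."""
    user: str
    groups: FrozenSet[str]
    application: str
    when: time            # local time of day of the request
    bytes_today: int      # bandwidth this user has already spent on this application today

@dataclass(frozen=True)
class Rule:
    """A policy line; any condition left as None matches everything."""
    name: str
    action: str                                   # "allow" or "deny"
    applications: Optional[FrozenSet[str]] = None
    groups: Optional[FrozenSet[str]] = None
    window: Optional[Tuple[time, time]] = None    # time-of-day window the rule applies in
    quota_bytes: Optional[int] = None             # rule applies once usage reaches this quota

    def matches(self, r: Request) -> bool:
        if self.applications is not None and r.application not in self.applications:
            return False
        if self.groups is not None and not (self.groups & r.groups):
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= r.when < end):
                return False
        if self.quota_bytes is not None and r.bytes_today < self.quota_bytes:
            return False
        return True

# Constructed policy; first matching rule wins, anything unmatched is denied.
BUSINESS_HOURS = (time(9, 0), time(17, 0))
RULES = [
    Rule("no-p2p-business-hours", "deny", applications=frozenset({"p2p"}), window=BUSINESS_HOURS),
    Rule("p2p-off-hours", "allow", applications=frozenset({"p2p"})),
    Rule("engineering-ssh", "allow", applications=frozenset({"ssh"}), groups=frozenset({"engineering"})),
    Rule("streaming-quota", "deny", applications=frozenset({"streaming"}), quota_bytes=500 * 1024 * 1024),
    Rule("streaming-allowed", "allow", applications=frozenset({"streaming"})),
    Rule("web-for-everyone", "allow", applications=frozenset({"web"})),
]

def evaluate(rules, req: Request, default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches the request."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return default, "default-deny"

def decide(user: str, groups, application: str, hour: int, bytes_today: int = 0) -> Tuple[str, str]:
    """Convenience wrapper that builds a Request and evaluates it against RULES."""
    req = Request(user, frozenset(groups), application, time(hour, 0), bytes_today)
    return evaluate(RULES, req)

if __name__ == "__main__":
    for args in [("alice", {"engineering"}, "ssh", 10),
                 ("bob", {"sales"}, "ssh", 10),
                 ("bob", {"sales"}, "p2p", 10),
                 ("bob", {"sales"}, "p2p", 20),
                 ("carol", {"marketing"}, "streaming", 11, 600 * 1024 * 1024)]:
        print(args, "->", decide(*args))
```

Note that a port-based equivalent cannot express most of these lines: "streaming" and "web" may both arrive on tcp/443, and a port rule has no notion of who the user is, what group they belong to, or how much they have already used today. The policy engine also returns the matched rule name rather than a bare decision, so a denied request can be traced back to the business rule that caused it.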


The Juniper products, which will be available as free downloads to existing customers, are designed to allow IT managers to identify network traffic and control use of the network according to the rights of individual users or applications. The software marks a change in Juniper's focus from port-based filtering to application-based security, company executives said.

A day earlier, systems management vendor LANDesk plans to announce a host-based intrusion prevention system (HIPS) for its security suite. The software is designed to learn what network activity is acceptable by observing different users' machines for about two weeks. Administrators can then use what the system learned to set access rules for different user profiles.
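The learning-mode approach described for the LANDesk product (observe machines for a period, then turn what was seen into per-profile rules) can be sketched in a few dozen lines. This is an added example and not LANDesk's code; the observation records, profile names, process names and the 14-day window are constructed. It goes one step past the article by requiring an activity to appear on at least two distinct days before it enters the baseline, which keeps one-off events out of the proposed rules, and it flags post-learning activity that falls outside a profile's baseline.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry, not real data:
# (day_number, user_profile, process_name, destination_port)
Observation = Tuple[int, str, str, int]
OBSERVATIONS: List[Observation] = [
    (1, "finance", "outlook.exe", 443),
    (2, "finance", "outlook.exe", 443),
    (3, "finance", "outlook.exe", 443),
    (1, "finance", "excel.exe", 445),
    (5, "finance", "excel.exe", 445),
    (9, "finance", "excel.exe", 445),
    (4, "finance", "updater.exe", 8080),     # seen on one day only; treated as noise
    (1, "engineering", "ssh.exe", 22),
    (2, "engineering", "ssh.exe", 22),
    (2, "engineering", "git.exe", 443),
    (3, "engineering", "git.exe", 443),
    (6, "engineering", "git.exe", 443),
    (16, "finance", "unknown.exe", 8443),    # after the learning window closed
]

def learn_baseline(observations: List[Observation], learning_days: int = 14,
                   min_distinct_days: int = 2) -> Dict[str, Set[Tuple[str, int]]]:
    """Build {profile: {(process, port), ...}} from activity seen during the learning window.

    An activity only enters the baseline if it was observed on at least
    min_distinct_days different days, so a single stray event does not
    become an approved rule.
    """
    days_seen: Dict[Tuple[str, str, int], Set[int]] = defaultdict(set)
    for day, profile, process, port in observations:
        if day <= learning_days:
            days_seen[(profile, process, port)].add(day)
    baseline: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for (profile, process, port), days in days_seen.items():
        if len(days) >= min_distinct_days:
            baseline[profile].add((process, port))
    return dict(baseline)

def proposed_rules(baseline: Dict[str, Set[Tuple[str, int]]]) -> Dict[str, List[str]]:
    """Render the learned baseline as human-readable allow rules per profile for review."""
    return {profile: sorted(f"allow {process} -> tcp/{port}" for process, port in pairs)
            for profile, pairs in baseline.items()}

def enforce(baseline: Dict[str, Set[Tuple[str, int]]], observations: List[Observation],
            learning_days: int = 14) -> List[Observation]:
    """Return post-learning events that are not covered by the profile's baseline."""
    return [(day, profile, process, port)
            for day, profile, process, port in observations
            if day > learning_days and (process, port) not in baseline.get(profile, set())]

if __name__ == "__main__":
    base = learn_baseline(OBSERVATIONS)
    for profile, rules in proposed_rules(base).items():
        print(profile, rules)
    print("alerts:", enforce(base, OBSERVATIONS))
```

The review step matters: everything that happens during the learning window, including any unwanted activity already present on the observed machines, is learned as acceptable unless an administrator prunes it from the proposed rules before they are enforced.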

Earlier this week, Microsoft announced it will release a managed security suite, called Forefront Client Security, and an application-level firewall later this spring.

And Symantec is now testing a product, code-named Hamlet, that will offer many of the features of its current Symantec NAC and Critical System Protection products. Kevin Murray, the antivirus vendor's senior director of product marketing for endpoint security, declined to provide any details in an interview this week but said information will be available within "the next couple of months."

The company already offers a NAC product, acquired from Sygate in 2005, and offers application-based security through its Critical System Protection software, acquired from Platform Logic in 2004.

Clients' demands for application-level control assure that even more vendors will make similar offerings in the future, analysts and VARs predict.

"It allows them to considerably reduce the level of effort required" to manage their security, said Christina Stableford, vice president and senior account executive for BizCarta, a LANDesk VAR in Dublin, Ohio.

"Most new security technologies will try to do the same thing," Whiteley said.

In a December 2006 survey by Forrester Research, more than half of large North American companies polled said they planned to purchase NAC software, HIPS and other emerging security technology this year. For small- and medium-sized businesses, 60% said they will buy NAC tools and 58% said they will buy HIPS.

The role of VARs is to keep on top of this trend and offer clients the products that will not only help them now but also in the future, as more areas of IT move to the identity-based, application-level model, Patoni said.

"Even on the small side of businesses, they want to manage their networks," he said.

The trend could also create new partnership opportunities, as both security and systems management vendors introduce products.

"It'll be curious," Whiteley said. "It makes someone like LANDesk be able to enter the market and be fairly influential."

Let us know what you think about this story; email: Colin Steele, Features Writer.
