December 6, 2007 2:18 PM PST

Cisco adds a pinch of identity to the network

by Jon Oltsik

This week, Cisco did something it is extremely good at: it announced yet another marketing-focused initiative called the Cisco Trusted Security, or TrustSec. The company describes TrustSec as "a new architecture that integrates identity and role-based security measures for scaled implementation across enterprise networks."

Hey, great idea! If I knew who was on my network and what they were doing, I could certainly get a better handle on security, business process management, workflow, and regulatory compliance controls. That said, we've been talking about this for a long time. I would also argue that a number of vendors including Extreme, Hewlett-Packard, and Nortel are already pretty far along with products that support an identity-based networking and security model. Nevertheless, there is only one Cisco and if John Chambers and Co. can promote this model, everyone may win.

So what are the implications of identity and/or role-based security on the network? Here are a few of my thoughts:

1. Isn't this just a superset of Network Access Control (NAC)? If we use NAC and the 802.1X protocol, we can identify a device, check its health status, and then apply certain networking rules based upon parameters like device type (e.g., laptop or mobile device), network location, time of day, etc. I think what Cisco is suggesting is that we marry device and user identity and then come up with an additional set of policies, controls, and reports. Sounds good, but it sounds like user-centric NAC to me.

2. The underappreciated workhorse in Cisco's model is good old RADIUS. Cisco will release its latest RADIUS offering, ACS 5.0, in 2008. When it does, TrustSec and Cisco NAC become much more real. Large organizations thinking about this type of network security model should start by assessing the state of their RADIUS architecture. You may find that it is a mismatch for the scale and availability requirements you will need. I'm sure Cisco ACS 5.0 will be a vast improvement over its current RADIUS server, but Identity Engines and Juniper/Funk are pretty good alternatives.

3. Network-based identity and security is Act 1. Act 2 is marrying network identity with application identity. Imagine if I could look at users' network traffic patterns and what they actually did in loads of different applications. There are two ramifications for Cisco: No. 1, other than RADIUS, Cisco doesn't play much in the identity space yet, but it recently purchased Securent for this very purpose. Don't be surprised if Cisco decides that it needs additional "up-the-stack" tools in areas such as multi-factor authentication, public key infrastructure, and single sign-on. No. 2, Cisco may have its eyes on user auditing, which may also mean log management. Sounds like a good partnering opportunity for focused vendors like LogLogic and LogRhythm.
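To make the "user-centric NAC" distinction in point 1 concrete, here is an added toy policy evaluator (not Cisco's or the author's code) that contrasts a device-only NAC decision with one that layers user role, location and time of day on top of the same device checks; the group, role and VLAN names, and the sample requests, are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str          # identity established by 802.1X (EAP) authentication
    group: str         # directory group the user belongs to (hypothetical names)
    device_type: str   # "laptop", "mobile", ...
    posture_ok: bool   # health check passed (patched, AV current)
    location: str      # where the device attached, e.g. "hq-wired", "hq-wifi"
    now: time          # time of day at the access attempt

BUSINESS_HOURS = (time(8, 0), time(18, 0))

def in_business_hours(t: time) -> bool:
    start, end = BUSINESS_HOURS
    return start <= t < end

def device_centric_policy(req: AccessRequest) -> str:
    """Classic NAC: decide from device posture and device type alone."""
    if not req.posture_ok:
        return "quarantine-vlan"
    if req.device_type == "mobile":
        return "mobile-vlan"
    return "employee-vlan"

def user_centric_policy(req: AccessRequest) -> Tuple[str, str]:
    """User-centric NAC: same device gate, then a role derived from the user.
    Returns (assigned role, reason) so every decision is auditable per user."""
    if not req.posture_ok:  # device health is still the first gate
        return "quarantine-vlan", f"{req.user}: posture check failed"
    if req.group == "contractors":  # restricted role, business hours only
        if not in_business_hours(req.now):
            return "guest-vlan", f"{req.user}: contractor outside business hours"
        return "contractor-vlan", f"{req.user}: contractor in business hours"
    if req.group == "finance":  # finance role only from a laptop on the wired HQ LAN
        if req.device_type == "laptop" and req.location == "hq-wired":
            return "finance-vlan", f"{req.user}: finance from laptop at HQ"
        return "employee-vlan", f"{req.user}: finance user on untrusted device/location"
    return "employee-vlan", f"{req.user}: default employee role"

# Constructed sample requests; the same device can land in different roles
# once the user's identity is part of the decision.
SAMPLES = {
    "finance_laptop_hq": AccessRequest("alice", "finance", "laptop", True, "hq-wired", time(10, 30)),
    "finance_mobile": AccessRequest("alice", "finance", "mobile", True, "hq-wifi", time(10, 30)),
    "contractor_late": AccessRequest("bob", "contractors", "laptop", True, "hq-wired", time(22, 0)),
    "unpatched": AccessRequest("carol", "finance", "laptop", False, "hq-wired", time(9, 0)),
}
```

The contractor's healthy laptop is indistinguishable from an employee's under the device-only policy, while the user-centric policy demotes it to the guest role outside business hours.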

Cisco isn't always the first vendor to embrace a new model, but it can really move the market when it does. As Cisco adds identity-based networking and security to its equipment, everyone else will be forced to ramp up their own efforts. Ultimately this will improve the security, flexibility, and service levels of all networks.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
App piece is missing
by MichelleMcLean December 6, 2007 9:01 PM PST
Hey Jon,

Your third point is especially strong - what if you could combine identity and application info. That is the ultimate combo for applying policy. Good to see the vision from Cisco on using identity, but the missing app piece is a big hole. It's easy to see why - existing switches can easily read a client-based or 802.1X-based tag to learn identity - but doing the deep packet inspection to learn application, at Layer 7, just can't be done in Cisco's switches. That takes more horsepower, plus it needs to be done in an adaptable format like a CPU or FPGAs to keep up with changing applications.

Yours is the only coverage I've seen to date noting the application hole in this strategy. Thanks for the insights,
--Michelle

Michelle McLean
ConSentry Networks
mmclean-at-consentry-dot-com