Cisco TrustSec Hops on Role-Based Access Train

With its new Trusted Security architecture, Cisco is linking role- and identity-based access control.

Cisco Systems' plan to tie together role- and identity-based access management has the company looking to make its own unique footprint on a tried and true path.

Called Cisco Trusted Security—or TrustSec—the architecture leverages Cisco's collection of routers, switches and Unified Wireless Network controllers to lay a foundation for authenticating users, assigning roles, enforcing access policies and ensuring data integrity and confidentiality in network traffic. Access to the network is granted based on an employee's role in the company—for example, human resources employees would have access to data they need based on their role as human resources, while being excluded from other data.

The role-aware network envisioned by Cisco helps enforce identity-based security policies across the network regardless of the network access method or device, whether it's wired, wireless or mobile, or a laptop or printer. With it, Cisco is taking a step down something of a beaten path, as several other companies push role-based access control models of their own, including Hewlett-Packard, Enterasys and Nortel Networks.

"[Cisco is] introducing something that other Ethernet switching companies have done for a while," said Jon Oltsik, an analyst with Enterprise Strategy Group.

However, in terms of ingress and egress filtering and label switching, Cisco stands alone in its approach, Forrester Research analyst Robert Whiteley said.

The approach has a number of benefits for enterprises—role-based control can be much more scalable across an enterprise than a totally identity-based approach, which can be difficult to administer.

"Everyone wants sort of the nirvana state of identity-based access control, but it's really a policy nightmare to do that in that you have to worry about creating either unique policy or … unique access requirements based on however many users or unique identities you have," Whiteley said. "What you find, though, is that most companies have a pretty good handle on the roles within their organization … so it's much easier to group into roles, which is something that group policy and active directory is well-established to do."

The Dec. 5 announcement comes roughly a month after Cisco stated its intention to acquire Securent, which specializes in auditing, administering and enforcing access policies, and at a time when enterprises are challenged by industry- and country-specific compliance requirements, Cisco officials said.

"The roots of [TrustSec] lie in making the network a very valuable tool in meeting the challenge of regulatory compliance," said Cecil Christie, director of product management for Cisco's Internet Systems Business Unit. "While the switch network has many embedded features that can provide benefit, it's the coupling of those features to a centralized, role- and policy-driven infrastructure that creates great additional value to the enterprise."

Cisco officials said they're also working with Intel in the name of interoperability, as both Cisco's TrustSec capable switches and Intel's Ethernet controllers support the IEEE 802.1AE standard. Ixia, a provider of Internet Protocol performance test systems, will also support IEEE 802.1AE encrypted line cards in their Ixia test equipment so that customers can test with Cisco TrustSec capable switches.

The TrustSec functionality is scheduled to be available across the Cisco switching platforms throughout the next 18 months, starting in the first quarter of 2008.

"Finally, Cisco comes to its senses," said Eric Ogren, an analyst with The Ogren Group. "Returning to identity and role-based access makes perfect sense—customers can understand it, it integrates with IBM Tivoli and Microsoft Active Directory infrastructures, and organizations don't need a fleet of forklifts to upgrade. It's nice to see them get away from NAC. Access to a network and its applications is an identity function first and foremost."

However, one of the challenges is the people who determine what policies will apply to each user group are not necessarily part of the network team, Whiteley said. Understanding just who needs access to what data and why is vital part of network security and establishing a sound access control policy.

"You need to have good role-based administration … so that I know what it means to only have HR go to HR," Whiteley said.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.