Definition: Identity Domains

A few years ago, data centers were actually places you would visit, walk around and physically touch servers, storage and networking gear. Not to mention, who doesn’t love seeing a refrigerator-sized (or bigger!) uninterruptible power supply (UPS) sitting proudly and in wait on a raised floor. We remember times when customers gave data center tours, much like a real estate tour at an open house. Security solutions were not complex. Servers resided in racks and were rarely ever physically moved. System administrators knew server locations and the IP addressing scheme, which meant security teams knew where to place firewalls and IDS/IDPS devices. Since servers didn’t move around all that much, firewalling took on a physical dimension as well.

Times have changed and data centers are different. With the advent of cloud computing and virtualization, everything has the ability to be dynamic. A server instance can grow and shrink based on demand, it can reside on several physical machines at once, and it can be dynamically split into multiple parts in geographically disparate locations. Generally, this flexibility is a great thing. But it poses multiple challenges for the security team – where exactly does one place the firewall, and how will policies be kept up to date?

We’re best friends. (We know this, because you like us on Facebook and follow us on Twitter.) We trust you so much that we give you the keys to our house. You can come in, even if we are not home. You can help yourself to the food that’s in the refrigerator, make yourself a tasty sandwich, watch some high definition TV or play the new Zelda game on our Nintendo Wii. Generally, mi casa es su casa, so make yourself at home. As a matter of fact, we’ve given our keys to a lot of other best friends. So, if you see someone else visiting, say hello.

Let’s assume we move to a new house. The new owners at our old place might not take kindly to strangers who can easily come in, eat leftovers, wander freely, and make a mess of the bathroom. The new owners’ solution to this problem is a complete overhaul of all the locks in the house, which is expensive and time-consuming, and they still have to contend with those annoyingly pesky knocks at the door at all hours of the day and night. Not an enviable position to be in. Some people need their beauty sleep.

As you might have guessed, we love exploring and since we like our helpful real estate agent, we move again. We move to another house but now we give you a ‘magic’ key that will only work in the places that we own. No matter how many times we move, or where we move, your ‘magic’ key will only ever work in our locks. As a best friend, we will always give you our new addresses as they change so you are always guaranteed to get access to our HDTV, refrigerator, and Nintendo Wii.

And that is what we consider an “identity domain”.

In the virtual world, computational instances can grow and shrink based on demand, and they may reside simultaneously on different physical machines; moreover, they can move and migrate, changing IP addressing schemes at will. The security mindset of a fixed asset completely fails in this paradigm.

What is needed is a fluid model of access, identity, and trust, and that is the underlying strength of identity-based domains. Your resources, your assets, no matter where they may find themselves, will only ever be accessible to you and your best friends.

Identity-based domains offer a superior alternative to traditional network security. Firewalls and VLANs don’t cope as well in virtualized data centers because of the fluidity of the environment. Identity domains work without network reconfiguration and without regard to the physical location of the assets. User and server identities are used to grant membership in one or more zones, creating a flexible, layered security approach across the network, both physical and virtual.
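To make the contrast concrete, here is an added toy model of the identity-domain idea described above. It is illustrative code written for this page, not BlackRidge’s implementation and not how TAC itself works: zone membership is keyed on an identity carried in an HMAC-signed assertion rather than on a source IP address, so a workload keeps its access after migrating to a new address, while a conventional address-based ACL either breaks or admits whoever inherits the old address. The zone names, identity names, addresses and the shared issuer key are all constructed for the example.

```python
"""Identity-domain access control, toy model (added illustration, not BlackRidge code).

A zone's members are identities, not addresses. A workload proves its identity
with an HMAC-signed assertion, so the policy decision never looks at the IP.
"""
import hashlib
import hmac
import ipaddress

# Constructed demo key shared by the identity issuer and the enforcement point.
# A real deployment would get this from a key management system.
ISSUER_KEY = b"demo-issuer-key-not-for-real-use"

# Identity domain: each zone lists the identities (never addresses) that belong to it.
ZONES = {
    "web-tier": {"svc-web-01", "svc-web-02"},
    "db-tier": {"svc-db-01"},
}

# Zone-to-zone policy: the web tier may reach the db tier, and nothing else.
ZONE_POLICY = {("web-tier", "db-tier")}


def issue_assertion(identity: str, key: bytes = ISSUER_KEY) -> str:
    """Sign an identity and return '<identity>.<hex tag>'."""
    tag = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()
    return f"{identity}.{tag}"


def verify_assertion(assertion: str, key: bytes = ISSUER_KEY):
    """Return the identity if the tag verifies under the issuer key, else None."""
    identity, sep, tag = assertion.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()
    return identity if hmac.compare_digest(expected, tag) else None


def zones_of(identity: str) -> set:
    """All zones the identity is a member of."""
    return {zone for zone, members in ZONES.items() if identity in members}


def identity_decision(assertion: str, target_zone: str) -> bool:
    """Allow only if a verified identity sits in a zone permitted to reach target_zone."""
    identity = verify_assertion(assertion)
    if identity is None:
        return False
    return any((src, target_zone) in ZONE_POLICY for src in zones_of(identity))


# Contrast: the traditional rule set, keyed on the source address of the web servers.
IP_ACL = {ipaddress.ip_address("10.0.1.10"), ipaddress.ip_address("10.0.1.11")}


def ip_decision(source_ip: str) -> bool:
    """Address-based check: trusts whoever currently holds a listed address."""
    return ipaddress.ip_address(source_ip) in IP_ACL


def migration_scenario() -> dict:
    """svc-web-01 migrates from 10.0.1.10 to 10.0.2.50 and a stranger lands on 10.0.1.10."""
    web_token = issue_assertion("svc-web-01")
    # The stranger can claim the name but lacks the issuer key, so the tag is wrong.
    forged_token = issue_assertion("svc-web-01", key=b"not-the-issuer-key")
    return {
        "web_before_move_ip": ip_decision("10.0.1.10"),       # allowed
        "web_after_move_ip": ip_decision("10.0.2.50"),        # IP ACL breaks after migration
        "stranger_on_old_ip": ip_decision("10.0.1.10"),       # IP ACL admits the stranger
        "web_after_move_id": identity_decision(web_token, "db-tier"),  # still allowed
        "stranger_forged_id": identity_decision(forged_token, "db-tier"),  # denied
        "db_to_web_id": identity_decision(issue_assertion("svc-db-01"), "web-tier"),  # no policy
    }


if __name__ == "__main__":
    for check, allowed in migration_scenario().items():
        print(f"{check}: {'ALLOW' if allowed else 'DENY'}")
```

Notice that `identity_decision` takes no address argument at all: the "magic key" from the house analogy is the signed assertion, and membership travels with it. The forged assertion fails `hmac.compare_digest`, which is the part an address-based rule cannot express.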

To the virtualized cloud and beyond, that is the BlackRidge Transport Access Control (TAC) advantage.