Today, sharing data among infrastructure systems, and between the infrastructure and applications, typically requires custom, point-to-point integration using SNMP, syslog, proprietary APIs and custom scripts. The resulting systems are complex, brittle and difficult to maintain. As a result, much of the data available in IT systems today remains locked in isolated silos. This leaves many organizations without visibility into their infrastructure or assets, which compromises security, increases costs and slows the ability to respond to changing conditions and business needs.
Consider the challenges in network security: today's business and regulatory requirements demand that organizations provide appropriate levels of network and application access for a constantly changing mix of employees, contractors, partners and devices in data centers and remote locations. Implementing effective policies requires information about a user's employment status, role, and privileges. In some organizations, it is even necessary to restrict a PC's access to the network if its user leaves a secure location or if the PC exhibits anomalous network behavior, such as worm traffic.
The first version of the Interface to Metadata Access Point (IF-MAP) standard was published by the Trusted Computing Group in 2008, as part of the Trusted Network Connect (TNC) protocol suite that provides an open standard for network access control. The IF-MAP specification defines a standard client-server protocol that aggregates, correlates, and distributes information to and from different systems in real time.
IF-MAP clients, which can range from security sensors like intrusion detection systems, to policy engines, authentication servers, security management systems, asset management systems, network location systems and many more, can publish metadata to the MAP server, search for data, and, via subscriptions, receive automatic, immediate updates when data of interest changes, such as when an employee or contractor is terminated or their privileges change. The IF-MAP service is extremely flexible and can aggregate both standardized and user-defined data, including user role and capabilities, device characteristics and availability, authentication and authorization status, physical location, conformance with policy, recent behavior, configuration, and more. A number of vendors, including Juniper Networks, currently support the IF-MAP standard and are deploying powerful, multi-vendor network access control solutions based on it.
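The in-memory model below is an added example (not from the article, the TCG specification, or any vendor's code): it reduces IF-MAP's publish, search and subscribe operations to a graph of identifiers carrying metadata, so the termination scenario described above can be traced step by step. The identifier types, metadata names and the "alice"/"10.0.0.5" scenario are constructed, and the real protocol's SOAP/XML transport and session handling are left out.

```python
from collections import defaultdict

def link(a, b):
    return frozenset((a, b))  # a link is an unordered pair of identifiers

class MapServer:
    def __init__(self):
        self.meta = defaultdict(list)  # identifier or link -> [(type, attrs), ...]
        self.links = defaultdict(set)  # identifier -> identifiers linked to it
        self.subs = {}                 # name -> (start identifier, max_depth, callback)
    def publish_update(self, target, mtype, **attrs):
        if isinstance(target, frozenset):          # publishing on a link creates it
            a, b = tuple(target)
            self.links[a].add(b); self.links[b].add(a)
        self.meta[target].append((mtype, attrs))
        self._notify(target)
    def publish_delete(self, target, mtype):
        self.meta[target] = [m for m in self.meta[target] if m[0] != mtype]
        self._notify(target)
    def search(self, start, max_depth=1):
        """Metadata on every identifier and link within max_depth hops of start."""
        result, seen, frontier = {}, {start}, [(start, 0)]
        while frontier:
            ident, depth = frontier.pop()
            result[ident] = list(self.meta[ident])
            for nxt in (self.links[ident] if depth < max_depth else ()):
                result[link(ident, nxt)] = list(self.meta[link(ident, nxt)])
                if nxt not in seen:
                    seen.add(nxt); frontier.append((nxt, depth + 1))
        return result

    def subscribe(self, name, start, max_depth, callback):
        self.subs[name] = (start, max_depth, callback)
    def _notify(self, target):
        # Re-run every subscription; deliver its result if the change lies inside it.
        for name, (start, depth, cb) in self.subs.items():
            res = self.search(start, depth)
            if target in res:
                cb(name, res)

def demo():
    """Constructed scenario: a policy engine watches one hop around identity 'alice'."""
    srv, received = MapServer(), []
    alice, pc = ("identity", "alice"), ("ip-address", "10.0.0.5")
    srv.subscribe("alice-watch", alice, 1, lambda name, res: received.append(res))
    srv.publish_update(link(alice, pc), "authenticated-as")  # from the auth server
    srv.publish_update(alice, "role", name="contractor")     # from the HR system
    srv.publish_delete(alice, "role")   # contract ends; the engine is told at once
    return received
```

Each element of the list returned by `demo()` is the subscriber's view of the graph right after one publish, which is what a policy engine would act on to revoke or adjust access.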