I’ve been absent from my normal blogging routine during the month of November attending various Gartner conferences and onsite visits with clients. With travel slowing down for the holidays, there are a few posts that I’ve been meaning to get around to that I’ll tackle.
Back in late August/September, I saw that yet another network access control (NAC) vendor, Consentry, had gone under. However, Consentry had evolved its messaging beyond NAC and into identity-aware networking with their intelligent switches. Therein lies the rub: identity-awareness should be a feature of all network- and host-based security policy enforcement mechanisms, not a separate product.
As I talked about in this post, as we move to virtualize and secure our next-generation data center infrastructure, security policies can’t be tied to physical attributes. Security policies must be tied to logical attributes, including virtual machine identities, application identities, and user and group identities. All security policy enforcement points (firewalls, IPSs, web security gateways, and so on) should become identity-aware.
I’ll take it further:
- Identities can’t be just about people. Virtual machines, applications, URLs, files, services … all of these entities will require identities that can be associated with policy. Call it “entity-awareness” if you feel strongly that identity-awareness only applies to users. When I say “identity-aware”, I mean the broader notion of what an identity is.
- Identity-awareness is only the beginning. All security policy enforcement points must become context-aware – where the most critical component of context is the entity’s identity, but also includes other real-time environmental information such as the time of day, the location of the entity, the trust of the entity, the transaction or content being accessed, the strength of the authentication credential provided, and so on.
Security policies and enforcement points based on static, physical attributes will become obsolete.
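To make the two points above concrete, here is an added example (not code from the post, from Gartner, or from any vendor mentioned) of what a context-aware enforcement point looks like when policy is keyed on an entity's identity first and then on the surrounding context. The identities, groups, locations, trust levels and credential strengths are all constructed for illustration; the point is that the same user or VM hitting the same resource gets a different decision as the context changes, and that a VM is an identity in exactly the same way a user is.

```python
"""Context-aware policy evaluation: identity first, then environmental context.
Added example; every identity, group and context value below is constructed."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Identity:
    """Any entity that can carry policy: a user, a VM, an application, a service."""
    kind: str                     # "user", "vm", "application", "service"
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Context:
    """Real-time environment the request arrives with (constructed scale values)."""
    time_of_day: time
    location: str                 # "corp-lan", "vpn", "dc-segment-a", ...
    trust_level: int              # 0 = unknown device, 3 = attested/managed
    auth_strength: int            # 1 = password, 2 = password+OTP, 3 = hardware key
    transaction: str              # "read", "modify", "transfer", ...


Condition = Callable[[Identity, Identity, Context], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                   # "allow" or "deny"
    condition: Condition


class PolicyEnforcementPoint:
    """First matching rule wins; a request that matches nothing is denied."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)

    def evaluate(self, subject: Identity, resource: Identity, ctx: Context) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.condition(subject, resource, ctx):
                return rule.effect, rule.name
        return "deny", "default-deny"


def business_hours(t: time) -> bool:
    return time(8, 0) <= t < time(18, 0)


# Ordered rules: the device-trust check sits first so no allow rule can bypass it.
RULES = [
    Rule("untrusted-device", "deny",
         lambda s, r, c: c.trust_level < 1),
    Rule("payroll-onsite", "allow",
         lambda s, r, c: s.kind == "user" and "finance" in s.groups
         and r.name == "payroll" and c.location == "corp-lan"
         and business_hours(c.time_of_day) and c.auth_strength >= 1),
    Rule("payroll-remote-readonly", "allow",
         lambda s, r, c: s.kind == "user" and "finance" in s.groups
         and r.name == "payroll" and c.location == "vpn"
         and c.auth_strength >= 2 and c.transaction == "read"),
    Rule("web-tier-to-orders-db", "allow",        # a VM identity, not an IP address
         lambda s, r, c: s.kind == "vm" and "web-tier" in s.groups
         and r.kind == "service" and r.name == "orders-db"
         and c.location == "dc-segment-a" and c.trust_level >= 2),
]

PEP = PolicyEnforcementPoint(RULES)

# Constructed entities.
ALICE = Identity("user", "alice", frozenset({"finance"}))
PAYROLL = Identity("application", "payroll")
WEB_VM = Identity("vm", "web-01", frozenset({"web-tier"}))
ORDERS_DB = Identity("service", "orders-db")


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Same identities, different context -> different decisions."""
    return {
        "alice-office-day": PEP.evaluate(
            ALICE, PAYROLL, Context(time(10, 0), "corp-lan", 2, 1, "transfer")),
        "alice-vpn-otp-read": PEP.evaluate(
            ALICE, PAYROLL, Context(time(22, 0), "vpn", 2, 2, "read")),
        "alice-vpn-otp-transfer": PEP.evaluate(
            ALICE, PAYROLL, Context(time(22, 0), "vpn", 2, 2, "transfer")),
        "alice-vpn-password-only": PEP.evaluate(
            ALICE, PAYROLL, Context(time(10, 0), "vpn", 2, 1, "read")),
        "alice-unknown-device": PEP.evaluate(
            ALICE, PAYROLL, Context(time(10, 0), "corp-lan", 0, 3, "read")),
        "web-vm-attested": PEP.evaluate(
            WEB_VM, ORDERS_DB, Context(time(3, 0), "dc-segment-a", 3, 0, "read")),
        "web-vm-moved-segment": PEP.evaluate(
            WEB_VM, ORDERS_DB, Context(time(3, 0), "dc-segment-b", 3, 0, "read")),
    }


if __name__ == "__main__":
    for name, (effect, rule) in run_scenarios().items():
        print(f"{name:26} {effect:5} ({rule})")
```

Nothing in the rule set mentions a MAC address, a switch port or a VLAN: the VM is authorized because of what it is and how trusted its host is, and Alice's remote access narrows from full access to read-only, then to nothing, purely on credential strength and transaction type. The deny-by-default fallthrough and the ordering of the trust check ahead of every allow rule are the two properties worth keeping when a real engine replaces these lambdas.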