Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…
Identity-Awareness Should be a Feature, not a Product

by Neil MacDonald  |  December 16, 2009  |  3 Comments

I’ve been absent from my normal blogging routine during the month of November attending various Gartner conferences and onsite visits with clients. With travel slowing down for the holidays, there are a few posts that I’ve been meaning to get around to that I’ll tackle.

Back in late August/September, I saw that yet another network access control (NAC) vendor, Consentry, had gone under. However, Consentry had evolved its messaging beyond NAC and into identity-aware networking with their intelligent switches. Therein lies the rub: identity-awareness should be a feature of all network- and host-based security policy enforcement mechanisms, not a separate product.

As I talked about in this post, as we move to virtualize and secure our next-generation data center infrastructure, security policies can’t be tied to physical attributes. Security policies must be tied to logical attributes, including virtual machine identities, application identities, and user and group identities. All security policy enforcement points (firewalls, IPSs, web security gateways, and so on) should become identity-aware.

I’ll take it further:

  • Identities can’t be just about people. Virtual machines, applications, URLs, files, services … all of these entities will require identities that can be associated with policy. Call it “entity-awareness” if you feel strongly that identity-awareness only applies to users. When I say “identity-aware”, I mean the broader notion of what an identity is.
  • Identity-awareness is only the beginning. All security policy enforcement points must become context-aware – where the most critical component of context is the entity’s identity, but also includes other real-time environmental information such as the time of day, the location of the entity, the trust of the entity, the transaction or content being accessed, the strength of the authentication credential provided, and so on.

Security policies and enforcement points based on static, physical attributes will become obsolete.
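To make the contrast concrete, here is an added example (not from the original post) in Python: a legacy rule bound to a source subnet beside a small identity- and context-aware rule set, using a hypothetical Request/Rule schema. The same VM passes the identity-aware check before and after it migrates to a new address, while the subnet check breaks; a user gets payroll access only with a strong credential, during business hours, from an approved location.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """One access attempt: a logical identity plus its real-time context (constructed)."""
    entity_id: str           # e.g. "vm:billing-db-01", "app:payroll", "user:alice"
    entity_type: str         # "vm", "app" or "user"
    resource: str            # what is being accessed
    source_ip: str           # physical attribute; changes when a workload moves
    auth_strength: int = 0   # 0 none, 1 password, 2 MFA or certificate
    hour: int = 12           # local hour of day, 0-23
    location: str = "dc-east"

@dataclass(frozen=True)
class Rule:
    """Identity-first rule with context qualifiers (hypothetical schema)."""
    entity: str                          # exact id, or "<type>:*" for any entity of that type
    resource: str
    min_auth: int = 0                    # minimum credential strength required
    hours: tuple = (0, 24)               # allowed window [start, end) in hours
    locations: frozenset = frozenset()   # empty means any location

    def matches(self, req: Request) -> bool:
        if self.entity not in (req.entity_id, f"{req.entity_type}:*"):
            return False
        if self.resource != req.resource or req.auth_strength < self.min_auth:
            return False
        if not self.hours[0] <= req.hour < self.hours[1]:
            return False
        return not self.locations or req.location in self.locations

def static_policy(req: Request) -> bool:
    """Legacy rule bound to a physical attribute: trust the data-centre subnet."""
    return req.source_ip.startswith("10.1.")

RULES = [
    Rule("vm:billing-db-01", "svc:backup"),                       # this VM, wherever it runs
    Rule("user:*", "svc:payroll", min_auth=2, hours=(7, 19),
         locations=frozenset({"dc-east", "hq"})),                 # people: MFA, business hours
]

def context_policy(req: Request, rules=RULES) -> bool:
    """Allow only when some identity-aware rule matches the entity and its context."""
    return any(r.matches(req) for r in rules)

if __name__ == "__main__":
    before = Request("vm:billing-db-01", "vm", "svc:backup", "10.1.4.20")
    after = Request("vm:billing-db-01", "vm", "svc:backup", "10.9.7.3")  # live-migrated
    print(static_policy(before), static_policy(after))    # True False
    print(context_policy(before), context_policy(after))  # True True
```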


Category: Next-generation Data Center, Next-generation Security Infrastructure, Virtualization Security


  • 1 Ian Bruce   January 6, 2010 at 12:15 pm

    Great post. The idea that identity and security policies need to be tied to logical attributes, and that identity must be context-aware, is a powerful insight.

    The move to virtualization and cloud-based computing promises greater efficiencies and economies, but requires a robust identity and security management infrastructure. It needs to support IT workloads that are portable and mobile – the workload itself needs to be identity-aware. There’s an emerging market here for intelligent workload management.

    We might agree with the headline of the post – Identity-awareness is a feature, not a product – but this doesn’t dilute the great significance of identity in the next-generation data center.

  • 2 Neil MacDonald   January 6, 2010 at 1:01 pm

    Yes, that’s exactly my point.

    Identity-awareness is a critical foundation to next-generation data center security policy enforcement.

    *and*
    1) that identities are not just people
    2) that identity is just one (but likely the most critical) part of context awareness which also must be improved
    3) that this vision MUST extend to include management policy as well – it’s not just a security policy thing

    Neil

  • 3 NOVELL: John Dragoon’s Blog » Blog Archive » Gartner Acquires Burton Group   January 6, 2010 at 7:28 pm

    [...] a recent blog post on identity management by Gartner analyst Neil MacDonald, he [...]