I’ve been absent from my normal blogging routine during the month of November attending various Gartner conferences and onsite visits with clients. With travel slowing down for the holidays, there are a few posts that I’ve been meaning to get around to that I’ll tackle.
Back in late August/September, I saw that yet another network access control (NAC) vendor, Consentry, had gone under. However, Consentry had evolved its messaging beyond NAC and into identity-aware networking with their intelligent switches. Therein lies the rub: identity-awareness should be a feature of all network- and host-based security policy enforcement mechanisms, not a separate product.
As I talked about in this post, as we move to virtualize and secure our next-generation data center infrastructure, security policies can’t be tied to physical attributes such as an IP address, a switch port or a VLAN. Security policies must be tied to logical attributes including virtual machine identities, application identities, as well as user and group identities. All security policy enforcement points (firewalls, IPSs, web security gateways, and so on) should become identity-aware.
I’ll take it further:
- Identities can’t be just about people. Virtual machines, applications, URLs, files, services … all of these entities will require identities that can be associated with policy. Call it “entity-awareness” if you feel strongly that identity-awareness only applies to users. When I say “identity-aware”, I mean the broader notion of what an identity is.
- Identity-awareness is only the beginning. All security policy enforcement points must become context-aware – where the most critical component of context is the entity’s identity, but also includes other real-time environmental information such as the time of day, the location of the entity, the trust of the entity, the transaction or content being accessed, the strength of the authentication credential provided, and so on.
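To make the two points above concrete, here is a small policy evaluator written for this post as an added example; it is not code from any product mentioned here. Entities (users, VMs, applications) carry an identity, group membership and a trust score, and every rule is written over that identity plus real-time context (time of day, location, authentication strength, the resource and action). The source IP is carried only for logging and is deliberately never consulted by a rule, so moving an entity to a different address does not change the decision. The entity names, groups, resource labels and trust thresholds are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal context-aware
policy evaluator. Decisions depend on entity identity plus context,
never on physical attributes such as a source IP or switch port."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Entity:
    kind: str                 # "user", "vm", "application", "service"
    identity: str             # principal name, VM UUID, app name ...
    groups: frozenset = frozenset()
    trust: int = 0            # 0-100, e.g. from attestation/posture (assumed scale)


@dataclass(frozen=True)
class Context:
    resource: str             # e.g. "db:prod/customers" (constructed label)
    action: str               # "read", "write", "join" ...
    now: time                 # wall-clock time of the request
    location: str             # "corp", "vpn", "internet" (constructed)
    auth_strength: int        # 1=password, 2=OTP, 3=hardware key (assumed)
    source_ip: str = ""       # logged only; no rule may reference it


@dataclass
class Rule:
    name: str
    effect: str               # "allow" or "deny"
    when: Callable[[Entity, Context], bool]


def in_window(now: time, start: time, end: time) -> bool:
    return start <= now <= end


# Constructed sample policy. Deny rules are checked first (deny-overrides),
# then the first matching allow wins; no match at all means deny.
POLICY: List[Rule] = [
    Rule("deny-untrusted-vm", "deny",
         lambda e, c: e.kind == "vm" and e.trust < 70),
    Rule("deny-weak-auth-off-network", "deny",
         lambda e, c: e.kind == "user" and c.location != "corp"
         and c.auth_strength < 2),
    Rule("dba-prod-db-business-hours", "allow",
         lambda e, c: e.kind == "user" and "dba" in e.groups
         and c.resource.startswith("db:prod/")
         and c.auth_strength >= 2
         and in_window(c.now, time(8, 0), time(18, 0))),
    Rule("billing-app-to-billing-db", "allow",
         lambda e, c: e.kind == "application" and e.identity == "billing-svc"
         and c.resource == "db:prod/billing" and c.action == "read"),
    Rule("attested-vm-join-cluster", "allow",
         lambda e, c: e.kind == "vm" and "web-tier" in e.groups
         and c.resource == "svc:cluster-join"),
]


def evaluate(entity: Entity, ctx: Context,
             policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (decision, rule_name); decision is 'allow' or 'deny'."""
    for rule in policy:
        if rule.effect == "deny" and rule.when(entity, ctx):
            return ("deny", rule.name)
    for rule in policy:
        if rule.effect == "allow" and rule.when(entity, ctx):
            return ("allow", rule.name)
    return ("deny", "default-deny")


# Constructed sample entities for a stand-alone run.
ALICE = Entity("user", "alice", frozenset({"dba"}))
BILLING = Entity("application", "billing-svc")
WEB_VM = Entity("vm", "vm-7f3a", frozenset({"web-tier"}), trust=90)

if __name__ == "__main__":
    requests = [
        (ALICE, Context("db:prod/customers", "read", time(10, 0), "corp", 2, "10.1.2.3")),
        (ALICE, Context("db:prod/customers", "read", time(23, 0), "corp", 2, "10.1.2.3")),
        (ALICE, Context("db:prod/customers", "read", time(10, 0), "vpn", 1, "203.0.113.9")),
        (BILLING, Context("db:prod/billing", "write", time(12, 0), "corp", 3)),
        (WEB_VM, Context("svc:cluster-join", "join", time(3, 0), "corp", 3, "10.9.9.9")),
    ]
    for ent, ctx in requests:
        decision, rule = evaluate(ent, ctx)
        print(f"{ent.kind}:{ent.identity} {ctx.action} {ctx.resource} "
              f"from {ctx.source_ip or '-'} -> {decision} ({rule})")
```

The same DBA request is allowed at 10:00 over MFA and denied at 23:00, and denied from the VPN with only a password, without any rule mentioning where the packets came from; a VM whose trust score drops below the threshold is refused cluster membership even though its identity and address are unchanged.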
Security policies and enforcement points based on static, physical attributes will become obsolete.
Category: Next-generation Data Center, Next-generation Security Infrastructure, Virtualization Security. Tags: Adaptive Security Infrastructure, Next-generation Data Center, Next-generation Security Infrastructure, Virtualization Security