Gartner Blog Network

Identity-Awareness Should be a Feature, not a Product

by Neil MacDonald  |  December 16, 2009  |  3 Comments

I’ve been absent from my normal blogging routine during the month of November attending various Gartner conferences and onsite visits with clients. With travel slowing down for the holidays, there are a few posts that I’ve been meaning to get around to that I’ll tackle.

Back in late August/September, I saw that yet another network access control (NAC) vendor, Consentry, had gone under. However, Consentry had evolved its messaging beyond NAC and into identity-aware networking with their intelligent switches. Therein lies the rub: identity-awareness should be a feature of all network- and host-based security policy enforcement mechanisms, not a separate product.

As I talked about in this post, as we move to virtualize and secure our next-generation data center infrastructure, security policies can’t be tied to physical attributes. Security policies must be tied to logical attributes, including virtual machine identities, application identities, and user and group identities. All security policy enforcement points (firewalls, IPSs, web security gateways, and so on) should become identity-aware.

I’ll take it further:

  • Identities can’t be just about people. Virtual machines, applications, URLs, files, services … all of these entities will require identities that can be associated with policy. Call it “entity-awareness” if you feel strongly that identity-awareness only applies to users. When I say “identity-aware”, I mean the broader notion of what an identity is.
  • Identity-awareness is only the beginning. All security policy enforcement points must become context-aware. The most critical component of context is the entity’s identity, but context also includes other real-time environmental information such as the time of day, the location of the entity, the trust of the entity, the transaction or content being accessed, the strength of the authentication credential provided, and so on.

Security policies and enforcement points based on static, physical attributes will become obsolete.
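To make the contrast concrete, here is an added example (not code from the post or from Gartner) of a small policy engine in Python. It evaluates the same access requests twice: once against a static rule keyed on a physical attribute (the source IP subnet), and once against rules keyed on the entity’s identity plus context (location, hour of day, authentication strength, trust score). All entity names, group names, resource names, the location labels, the 1–3 authentication-strength scale and the 0.0–1.0 trust scale are constructed for this example. It generalizes the post’s point slightly by treating a VM and a user as the same kind of principal, so one engine serves both.

```python
"""Identity- and context-aware policy evaluation (added example; not from the post)."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Entity:
    """Any principal that can carry an identity: a user, a VM, an application, a service."""
    kind: str                  # "user", "vm", "application", "service"
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Context:
    """Real-time attributes evaluated alongside the entity's identity."""
    subject: Entity
    resource: str
    action: str
    hour: int            # local hour of day, 0-23
    location: str        # constructed labels: "corp-lan", "vpn", "internet"
    auth_strength: int   # constructed scale: 1 password, 2 MFA, 3 hardware-backed
    trust: float         # constructed scale 0.0-1.0, e.g. from device posture
    source_ip: str = ""  # kept only to show what the static policy keys on


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str          # "allow" or "deny"
    matches: Callable[[Context], bool]


def evaluate(rules, ctx):
    """Deny-overrides: any matching deny wins, else the first matching allow, else deny."""
    matched = [r for r in rules if r.matches(ctx)]
    for r in matched:
        if r.effect == "deny":
            return "deny", r.name
    for r in matched:
        if r.effect == "allow":
            return "allow", r.name
    return "deny", "default-deny"


# Static, physical-attribute policy: keyed on the subnet the request came from.
STATIC_RULES = [
    Rule("allow-db-subnet", "allow",
         lambda c: c.resource == "customer-db" and c.source_ip.startswith("10.1.20.")),
]

# Identity- and context-aware policy: keyed on who/what the entity is and the situation.
CONTEXT_RULES = [
    Rule("deny-low-trust", "deny", lambda c: c.trust < 0.5),
    Rule("deny-offsite-weak-auth", "deny",
         lambda c: c.location == "internet" and c.auth_strength < 2),
    Rule("deny-after-hours-db-write", "deny",
         lambda c: c.resource == "customer-db" and c.action == "write"
         and not 8 <= c.hour < 18),
    Rule("allow-billing-app-db", "allow",
         lambda c: c.subject.kind == "vm" and "billing-tier" in c.subject.groups
         and c.resource == "customer-db"),
    Rule("allow-dba-db", "allow",
         lambda c: c.subject.kind == "user" and "dba" in c.subject.groups
         and c.resource == "customer-db"),
]

# Constructed principals: a VM identity and a user identity, handled identically.
BILLING_VM = Entity("vm", "billing-01", frozenset({"billing-tier"}))
DBA = Entity("user", "alice", frozenset({"dba"}))


def demo():
    """Constructed scenarios; returns (decision, rule) keyed by scenario name."""
    # Same VM before and after a live migration that changed its IP address.
    before = Context(BILLING_VM, "customer-db", "read", 10, "corp-lan", 3, 0.9, "10.1.20.7")
    migrated = Context(BILLING_VM, "customer-db", "read", 10, "corp-lan", 3, 0.9, "10.1.31.7")
    # A DBA writing at 02:00 over VPN with MFA, and reading from the internet with only a password.
    dba_night = Context(DBA, "customer-db", "write", 2, "vpn", 2, 0.8, "10.1.20.9")
    dba_remote = Context(DBA, "customer-db", "read", 11, "internet", 1, 0.8, "203.0.113.5")
    return {
        "static-before-migration": evaluate(STATIC_RULES, before),
        "static-after-migration": evaluate(STATIC_RULES, migrated),
        "context-after-migration": evaluate(CONTEXT_RULES, migrated),
        "context-dba-after-hours-write": evaluate(CONTEXT_RULES, dba_night),
        "context-dba-remote-password-only": evaluate(CONTEXT_RULES, dba_remote),
    }


if __name__ == "__main__":
    for name, (decision, rule) in demo().items():
        print(f"{name:36} {decision:5} ({rule})")
```

The static rule allows the billing VM before migration and silently denies it afterwards, because the attribute it keyed on (the subnet) changed while the workload did not. The identity-aware rules reach the same allow decision on both sides of the migration, and the context rules refuse the DBA’s after-hours write and the password-only access from the internet even though the user’s identity would otherwise be sufficient. Deny-overrides ordering is a design choice: it keeps a context rule such as low device trust from being bypassed by a broad identity-based allow.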


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Identity-Awareness Should be a Feature, not a Product

  1. Ian Bruce says:

    Great post. The idea that identity and security policies need to be tied to logical attributes, and that identity must be context-aware, is a powerful insight.

    The move to virtualization and cloud-based computing promises greater efficiencies and economies, but requires a robust identity and security management infrastructure. It needs to support IT workloads that are portable and mobile – the workload itself needs to be identity-aware. There’s an emerging market here for intelligent workload management.

    We might agree with the headline of the post – Identity-awareness is a feature, not a product – but this doesn’t dilute the great significance of identity in the next-generation data center.

  2. Neil MacDonald says:

    Yes, that’s exactly my point.

    Identity-awareness is a critical foundation to next-generation data center security policy enforcement.

    1) that identities are not just people
    2) that identity is just one (but likely the most critical) part of context awareness which also must be improved
    3) that this vision MUST extend to include management policy as well – it’s not just a security policy thing


