A member of the Gartner Blog Network

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…
There is no Such Thing as an Absolute Identity

by Neil MacDonald  |  July 19, 2010  |  2 Comments

Let me clarify what I mean by this.

When most people talk about identities they are really talking about identifiers – such as a username. I explored this insight in 2007 with Kim Cameron of Microsoft in this Gartner Fellows interview.

So getting past the confusion with identifiers, what is an identity? An identity is who the person really is. However, no one (probably including the person themselves) really knows who they are.

We all work with “models” of who we think people are, based on the information we have at the time (context). More intimate relationships have better models, but there is no such thing as a perfect model.

A spouse or a parent should be able to build really good identity models with really intimate information as to who a person really is. But often when something really bad happens – a murder, a robbery, an act of violence, etc – you’ll hear people close to the person say that they “never really knew the person” and that they had no idea the person was capable of whatever happened. Even intimate models aren’t perfect.

Why does all this matter?

Increasingly, we are tearing down the walls of our enterprise and our systems to provide access to people that aren’t employees. I had one client in the pharmaceutical space tell me already they are supporting more external users accessing their internal systems than internal users.

What’s the difference between an employee and a non-employee needing access? Not much, really. It’s mostly a matter of the confidence we have in our model. We have more information about employees (and thus better models of them), so we tend to place higher trust in them. But this is an outdated notion. We never had absolute trust, and we never had absolute identities. If we acknowledge this, then we can have a discussion about how much information we need in order to have a “good enough” model of the identity to engage in the requested transaction.

Instead of perceived absolute trust (which we never really had), we will shift to a paradigm that embraces variable levels of trustability — adaptive and context-aware security policy enforcement mechanisms that help us answer the real question:

“Do I have enough trust in the entities involved to take the requested action at my current level of risk tolerance and given the current context to allow the action to take place?”

That’s a direct quote out of my most recent research note for clients titled The Future of Information Security is Context-Aware and Adaptive.

If all you are doing is registering for a webcast, a valid email address may provide enough information for the model. If you are subscribing to a newsletter, perhaps I’ll ask about more of your interests and preferences. If you are signing up for a bank account, I’ll want your social security number or some other type of government-issued identifier as well. These are all just variations of precision and confidence in the model of the identity of the user requesting the transaction.
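The question quoted above and the webcast / newsletter / bank-account tiers can be expressed as a small risk-based access decision. The following is an added example, written for this post and not code from the author or from Gartner: the evidence weights, the per-transaction thresholds, the context penalties and all names (`Context`, `decide`, the transaction labels) are constructed assumptions for illustration, not values from any product or standard.

```python
"""Adaptive, context-aware access decision.

An identity is treated as a model with a confidence level, never an absolute.
Each transaction states the minimum confidence it needs (risk tolerance), and
the current context can lower the confidence we are willing to assign.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Evidence that strengthens the identity model. Weights are constructed for
# this example; a real deployment would calibrate them against its own data.
EVIDENCE_WEIGHT = {
    "verified_email": 0.20,
    "profile_attributes": 0.15,      # interests / preferences on file
    "government_id_verified": 0.45,  # e.g. SSN or other government identifier
    "mfa_enrolled": 0.20,
}

# Minimum confidence each transaction requires (constructed thresholds).
TRANSACTION_THRESHOLD = {
    "webcast_registration": 0.20,
    "newsletter_subscription": 0.35,
    "open_bank_account": 0.80,
}


@dataclass
class Context:
    """Signals about the request itself, separate from who the user claims to be."""
    known_device: bool = True
    usual_location: bool = True
    anomalous_velocity: bool = False   # e.g. two logins from distant places in minutes


@dataclass
class Decision:
    action: str            # "allow", "step_up" or "deny"
    confidence: float      # effective confidence after context adjustment
    required: float        # threshold the transaction demanded
    reasons: List[str] = field(default_factory=list)


def model_confidence(evidence: Iterable[str]) -> float:
    """Confidence in the identity model from the evidence on file (capped at 1.0).

    Duplicate evidence is counted once; unknown evidence types contribute nothing.
    """
    total = sum(EVIDENCE_WEIGHT.get(e, 0.0) for e in set(evidence))
    return round(min(1.0, total), 4)


def context_penalty(ctx: Context) -> Tuple[float, List[str]]:
    """How much the current context lowers our confidence, and why."""
    penalty, reasons = 0.0, []
    if not ctx.known_device:
        penalty += 0.15
        reasons.append("unknown device")
    if not ctx.usual_location:
        penalty += 0.15
        reasons.append("unusual location")
    if ctx.anomalous_velocity:
        penalty += 0.30
        reasons.append("impossible travel")
    return penalty, reasons


def decide(transaction: str, evidence: Iterable[str], ctx: Context,
           step_up_margin: float = 0.20) -> Decision:
    """Answer: is the model good enough for this transaction in this context?

    If the shortfall is small (within step_up_margin) the user can strengthen
    the model in-session (a challenge, more attributes); otherwise deny.
    """
    required = TRANSACTION_THRESHOLD[transaction]
    penalty, reasons = context_penalty(ctx)
    effective = round(max(0.0, model_confidence(evidence) - penalty), 4)
    gap = round(required - effective, 4)
    if gap <= 0:
        action = "allow"
    elif gap <= step_up_margin:
        action = "step_up"
    else:
        action = "deny"
    return Decision(action, effective, required, reasons)


if __name__ == "__main__":
    # Constructed sample requests matching the three tiers in the post.
    print(decide("webcast_registration", ["verified_email"], Context()))
    print(decide("newsletter_subscription",
                 ["verified_email", "profile_attributes"], Context()))
    print(decide("open_bank_account",
                 ["verified_email", "profile_attributes", "mfa_enrolled"],
                 Context()))
    print(decide("open_bank_account", list(EVIDENCE_WEIGHT),
                 Context(anomalous_velocity=True)))
```

The same evidence that is plenty for a webcast registration is far short of what a bank account requires, and a strong model can still be pushed into a step-up (or a deny) by the context of a single request; that separation of "what we know about the entity" from "what the current situation tells us" is the adaptive, context-aware behaviour the post argues for.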

Identities are adaptive models. Trust is not absolute. Our enterprise authentication and authorization systems must become context-aware and adaptive to support this.

Food for thought.

Category: Information Security, Next-generation Security Infrastructure

2 responses so far

  • 1 Sumner Blount   July 21, 2010 at 8:52 am

    Neil,
    interesting post.

    How do you see the importance of being CONTENT-aware, in relation to being CONTEXT-aware?

    I believe that policy enforcement based on context (as well as other factors) is obviously important, but it’s also a capability that has been available in vendor products for a while. It seems to me that policy enforcement based on content (i.e., actual content analysis to determine its classification) is a newer and more promising area.

    Thoughts?

    regards
    Sumner

  • 2 Neil MacDonald   July 21, 2010 at 11:44 am

    @Sumner,

    Content-awareness is one example of the broader underlying shift to context-awareness.

    This quote comes right from the same research note that I referenced in the post:

    “While a few of the information security vendors have adopted the term “adaptive security infrastructure,” most are using the terms “application awareness,” “identity awareness” and “content awareness” as adaptive and context-aware security capabilities are added. Instead of being separate requirements, we believe these are all examples of an underlying architectural shift to context-aware and adaptive security infrastructure. Each independently describes the need to incorporate higher levels of context into security decisions to improve those decisions.”

    http://www.gartner.com/resId=1369721

    Neil