2007 DOI: Day 8 - Identity Everywhere
Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.
Read the rest of the 2007 Incites here.
Identity is one of those words that security professionals hate. It can mean everything to everyone, or nothing to no one. Most folks think Identity just refers to single sign-on and provisioning, which remains a pretty big business. But I’m pulling back on my direct coverage for IdM topics, because it’s big, ugly and pretty much every vendor sounds the same.
Which makes it a lot different than the rest of the security disciplines I follow. NOT!
But back to the topic. Identity is increasingly being used as differentiation and leverage for network security gear. What does that mean? It means that some brain surgeon finally figured out that it’s a big pain in the ass to use IP address as the way to implement policies on users.
As I roam around and connect into the network from all sorts of places, my IP address is pretty much useless. What I need is a way to map the IP address to my identity and provide a location-aware enforcement capability so that “Mike Rothman” can only get to the resources that I’m supposed to, depending on where I am.
Thus there is a big rush to integrate all security equipment with LDAP and Active Directory. But here’s the rub. Whenever every vendor is doing exactly the same thing, it’s not novel. And even if a vendor has to totally re-architect their offering to make it identity-aware, which won’t happen for 2 or 3 quarters, they’ll still announce that they are all over “identity.”
So customers are confused for a change. Being the Pragmatic type of guy that I am, I say we get back to focusing on problems, as opposed to paying attention to marketing hype and other fabrications. Don't worry about "Identity NAC" unless you have a real, defined (and budgeted) project to implement NAC (either pre- or post-connect).
Worry about the problems you know you have. How about authentication, especially if you are a bank? Got that one licked? Yes? Then you are probably lying, even if FFIEC says you need to be done. Address those issues. Work on mutual authentication projects to make sure it’s harder to phish you. Think about other, less token-centric authentication technologies. Watch as keystroke dynamics improves and starts to make an impact in 2007.
There is also a movement to build “identity networks” that will allow stronger authentication credentials to be used across web sites. To use my own business as an example, I use PayPal as my credit card processor. I could get an authentication token from them for free, but at this point, I’d only be able to use it for PayPal, and that’s not interesting.
Will it happen in 2007? Nope. But as more and more consumer brands look to differentiate on security, there is a clear opportunity for an “identity network” to emerge providing interoperability. There are lots of hurdles, but given the compelling value to customers, it’ll happen by 2009.