Report Card: 2007 Incite #8 - Identity Everywhere

Submitted by Mike Rothman on Wed, 2007-12-26 08:31.

Let's keep plugging along. This Incite deals with Identity. Not just from the standpoint of who you are and what you are supposed to have access to, but also how identity information is increasingly being integrated into the fabric of our computing infrastructures.

Incite #8 - Identity Everywhere

Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-8-identity-everywhere
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-12-2007

Final grade: C

Let’s start off with the positive. Cisco TrustSec. ‘Nuf said.

OK, it’s probably not enough, but it should be. Cisco finally jumped on the identity-aware bandwagon in December with its TrustSec architecture, which is basically just validating everything that everyone else has been saying for a long time. You can’t really separate out who you are from what you are allowed to get to. Moreover, you need to enforce that as close to the network fabric as you can.

But the rest of the Incite was a bust. Mutual authentication is not really happening because the banks have no incentive to make it happen. Sure, some of them are making a half-assed attempt to train their users about little marks or SiteKeys or something else, but these have had precious little impact on fraud.

The extent of directory store integration with the network is for the devices to suck information from an LDAP data store and then use it to set policy. It’s not like they are externalizing any of their policy or storing that policy in the directory store – now are they?

Finally, the idea of an “identity network” has been a real bust. You can get your little token from PayPal, but then what? Again, I was a bit optimistic here because I know it’s something that should happen – but I forgot the importance of a profit motive.

The reality is there just isn’t a real compelling need. It would be convenient for me as a customer to be able to use the same set of credentials in a lot of different places, but I’m not going to stop buying stuff from Amazon because they don’t play nice. So I’ll put this one in the “swing and a miss” bucket and look forward to getting closer in 2008.

Check out the other posts in the Report Card series.