Identity Management – Without Context – is Incomplete

April 13, 2017

by Lorena Crowley

RES has always considered identity to be multi-dimensional. While traditional IT security tools rely heavily on roles to define and enforce access policies, RES has long made a case for the need to look more broadly at people – both their individual needs and behaviors – to truly deliver on the productivity and security needs of the enterprise. And it turns out, Forrester agrees. In a recent report, they highlight the trend of identity intelligence being strengthened through new threat signals and intel. Here is a quick excerpt of that report: 

“Vendors are … aggregating DNS-based intelligence, and device intelligence into the identity management and governance (IMG) and access control processes. While today it sounds largely futuristic, Forrester expects that contextual identity intelligence will play a key role in: 1) revoking and managing privileges for users and devices; 2) becoming the authoritative identity data and risk assessment provider for zero trust network security, data protection, and collaboration frameworks; and 3) being able to intercept and stop risky user activity. (Vendors include Centrify, RES Software, and others.)”*

*'The Top IAM Trends from The RSA Conference 2017', by Andras Cser and Merritt Maxim, Forrester Research, March 24, 2017.

The trends listed in this report stem from rumblings at February’s RSA Conference 2017, the world’s largest event dedicated to security technology. And they certainly reflect the rising tide of RES customers who are buying or further applying our technology to resolve especially thorny security challenges in a new way: insider threats, blacklisting & whitelisting, privilege management, and automated onboarding & offboarding.

What Forrester calls “contextual identity intelligence” (we’ve been calling it “context awareness”) has been a defining capability of RES since our software launched. And most of the 2,500 companies using our products have deployed this capability for some use case. It’s a technology that links a person’s individual access capabilities and entitlements, based on basic identity, with their physical context. What device am I using now? Company issued or personal? What network am I connecting through? Is it a company network or a public Wi-Fi? Where am I physically located? In a patient-care area, a public cafeteria? Is my workspace physical, virtual or cloud-based?

Context is a key indicator of potential risk and dictates different access requirements and entitlements. An individual’s access – especially to sensitive financial, medical or otherwise confidential data – should be governed by their context, not by identity or role alone. And an identity and access solution should be smart enough to monitor that person’s context and make changes (provision or de-provision access) as soon as the context changes. It’s about using business rules to govern access, rather than restricting those rules to the limits of technology systems that aren’t able to recognize context changes. Without considering context, a person’s identity is arguably incomplete.

We at RES, and our customers, think this is a very cool capability that rounds out identity management. To learn more, read up about the next generation of people-centric security on our website, or check out Forrester’s coverage of the top trends at the RSA event here.