Recently another analyst company gave a presentation titled "The future of Information Security is context- and identity-aware". Yes - but that is not so new. I remember that we had context-based approaches as a key trend at our second European Identity Conference, back in 2008 (thus the upcoming EIC 2011 is IMHO the best place to learn about the new trends and the best practices for today around IAM, Cloud Security, GRC, and related topics).

I personally think that there are some important aspects to consider when looking at the overall topic of Information Security:

  1. First of all: It is about the I in IT, not the T. It is Information Security, not Technology Security. That is, it is information-centric.
  2. You need to have the organizational structure, the processes, and the policies in place before you look at technology.
  3. You need standards around information security for your entire application environment to reduce grassroots security approaches and isolated islands.
  4. Context is an important thing. Context defines the criteria for understanding the risk of interactions and transactions.
  5. Given that, it is mainly about risk. Context helps you deal better with risks, but the core thing is risk.
  6. Regarding identity-aware, I'm a little reluctant. It is correct in the sense that there is little value in just looking at information or systems but not at the identity. Look at DLP: simply not allowing information to be transferred is wrong - it is about allowing only the right people to transfer the right information. In that sense, identity-aware is important. Have a look here (not that new...) where I have put DLP into context. But you should be careful - it is not necessarily about a 1:1 mapping of person to identity. There are situations (think about identity federation) where it might be a role, or a group of people.
  7. Versatility is important as well - the flexibility to authenticate people in different ways, which is a prerequisite for supporting all types of potential users, internal as well as external.

Information security is a key topic for every organization (and not only for the IT department). Following the principles above should help you to better understand the value of technical approaches. Technology which doesn't support these principles and is not "backed" by the organizational structure, processes, and so on will only have limited value in achieving your targets around information security.