[Note: Eric is having trouble posting, so I posted this article for him - Phil]
Phil and I have been speaking a lot recently about the changing security models in the enterprise. The three basic models actually seem to represent a learning curve that both enterprises and the vendors are evolving through. The three models lay out as follows:
The Security of Exclusion: The security of exclusion is a defensive model based around locking things up and protecting them. Under this model, authorization is the primary characteristic (not who you are, but are you authorized to come in), and identity is largely inferred via IP or MAC addresses. The security of exclusion is now largely about building small, defensible perimeters -- thinking almost solely in a location and domain-based sense.
The Security of Inclusion: The security of inclusion is the evolution to a truly identity-based model. Under this model, the primary characteristic is providing the correct access to designated resources. Notice that the shift from authorization to access shifts identity from something that is inferred (exclusion and authorization) to something that is the fundamental quality that must be known (inclusion and access). The security of inclusion is now very advanced at the application layer (where traditional identity management products live), and is growing very quickly at the network layer (as traditional firewall and NAC products evolve from exclusion to inclusion).
The Security of Accountability: The security of accountability is what a fully realized identity solution is trying to offer. It begins from the premise that the networking of the enterprise "flipped the game" with regard to security. No longer is security the fundamental concept from which the benefit of identity falls. Now identity is the fundamental foundation upon which benefits like security can be built. The goal of the security of accountability is to provide *transparency* and *visibility* into the networked model. It seeks to always know who did what with what and whom when -- and to enforce policies around given parameters in real time. The evolution to the security model of accountability is what is driving the red hot areas of provisioning, identity-based compliance solutions, and some of the very bleeding-edge NAC product categories.
Taken as a spectrum of evolution, the models of exclusion, inclusion and accountability give us a lens through which to evaluate both enterprise projects (and their mindset) and the thinking of the vendors that are selling into the space.
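To make the three models concrete, here is an added example (not from the original post) that runs the same constructed traffic through an exclusion check, an inclusion check, and an accountability layer. The perimeter, the access table, the users and the "three actions per five minutes" policy are all assumptions chosen to show where each model stops seeing: exclusion cannot tell two people behind one address apart, inclusion can, and accountability additionally keeps the who/what/with-what/from-where/when record and enforces a policy over it in real time.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]  # None when the caller presents no identity at all
    resource: str
    action: str
    when: datetime

# Exclusion: identity is only inferred from location; the question is "are you inside?"
TRUSTED_NETS = ("10.0.0.",)  # constructed sample perimeter

def exclusion_decide(req: Request) -> bool:
    return req.src_ip.startswith(TRUSTED_NETS)

# Inclusion: identity must be known and is mapped to the access it is entitled to.
ACCESS = {"alice": {"payroll": {"read"}}, "bob": {"wiki": {"read", "write"}}}  # constructed

def inclusion_decide(req: Request) -> bool:
    if req.user is None:  # no known identity means no access decision is possible
        return False
    return req.action in ACCESS.get(req.user, {}).get(req.resource, set())

# Accountability: the inclusion decision plus a record of who did what with what,
# from where and when, with a policy enforced in real time over that record.
@dataclass
class Accountability:
    log: list = field(default_factory=list)
    window: timedelta = timedelta(minutes=5)
    max_per_window: int = 3  # constructed policy: at most 3 granted actions per user per window

    def decide(self, req: Request) -> bool:
        allowed = inclusion_decide(req)
        if allowed:
            recent = [e for e in self.log if e["who"] == req.user and e["allowed"]
                      and req.when - e["when"] <= self.window]
            allowed = len(recent) < self.max_per_window
        self.log.append({"who": req.user, "what": req.action, "with": req.resource,
                         "from": req.src_ip, "when": req.when, "allowed": allowed})
        return allowed

def compare_models() -> dict:
    """Run the same constructed traffic through each model and return the decisions."""
    t0 = datetime(2024, 1, 1, 9, 0)
    traffic = [Request("10.0.0.7", "alice", "payroll", "read", t0 + timedelta(minutes=i))
               for i in range(4)]
    traffic.append(Request("10.0.0.7", "bob", "payroll", "read", t0))  # same address, other person
    acct = Accountability()
    return {"exclusion": [exclusion_decide(r) for r in traffic],
            "inclusion": [inclusion_decide(r) for r in traffic],
            "accountability": [acct.decide(r) for r in traffic],
            "audit_entries": len(acct.log)}
```

Every request in the sample comes from inside the perimeter, so the exclusion model admits all five; only the identity-based models deny bob, and only the accountability layer denies alice's fourth read while still recording it.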