Symantec threw its hat in the identity ring yesterday, when CEO John Thompson told the audience at their annual Vision conference that identity management was a "critical part of the stack" and an "area of great interest to the company." All of this follows Thompson's earlier comments about Symantec not being a "security" company anymore; that "security" was too small of a box to place them in.
At the RSA Security conference in February, James Gosling (of Sun) got on stage with Scott McNealy and started by saying (paraphrasing) that "Security is like Love -- everyone wants it, but no one can define it." I loved that because I think its so true. For years, "security" has been the buzzword; something you could say was a "critical initiative" for corporate IT. What "security" has never been is something easily defined (if at all), or even partially achieved.
The reason, of course, is that security's history began with the "wall and moat" metaphor: build a wall (one made of "fire" ;-) and then separate all of the important stuff on the inside from all of the bad stuff on the outside. The reality is that in a networked world this metaphor simply breaks down. That's why we heard Jim Allchin of Microsoft talking about the "semi-permeable firewall" (huh?) back in 2002. The reality is that in a networked world, you can't "secure" anything without first stepping back and getting your foundational metaphor right -- a foundational metaphor built on identity.
Is security a benefit that comes from good identity management? That's what I'll argue all day long. Intrusion prevention? If I know who people are, I can decide who to let in. Spam and Viruses? If I can trust individual senders, I can stop that problem. "Securing" an enterprise IT environment? Primarily an identity task.
The point isn't to make an "I'm right and you're not" argument -- the point is that it was nearly inevitable that a company that Symantec started by being a "security" company, then decided that was too limiting and now thinks they should be in the identity management business. We've seen similar things happen with Verisign (and their launch of the Verisign Identity Protection, or "VIP" network).
When identity becomes a core concept in networking infrastructure, the benefit of security comes naturally (versus being brute-forced via bigger walls and wider moats). That simple flipping of the equation is why you see companies like Symantec becoming identity companies.
Welcome to the party, guys!