Hardware and identity management
The identity of people, services and applications on a network is as important as the identity of devices
Security Identity Management Alert
By Dave Kearns, Network World, 05/29/2009
Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Those of you who know me know that I rarely get excited about hardware. And while I'll be telling you about two hardware companies
in this newsletter, it isn't the hardware I want to talk about, but what these companies do with it.
Switches, routers, firewall devices and network access control (NAC) have been with us for quite some time. But some companies
are beginning to realize that the term "identity" when used in conjunction with these devices means more than an IP or MAC
address.
<aside>We shouldn't lose sight of the identity of the devices on our networks -- that's very important. But it needs to be
balanced with the identity of the people, services and applications that are on that same network.</aside>
Not surprisingly, both ConSentry Networks and Avenda Systems are headed by ex-Cisco people: Krishna Prabhakar (Avenda CEO) was a Cisco director of engineering, while ConSentry's Joe Golden
is a former Cisco vice president. Both companies are well staffed by Cisco (and other router/switch company) veterans. That
assures me that the switching/routing part will be done well. But that's not what drew me to these organizations.
ConSentry hooked me with the phrase "context-driven switching" while Avenda offers what they call an "identity-based network
access platform."
You can learn more about ConSentry's approach from my colleague Tim Greene's newsletter ("ConSentry's new correlation features help spot trouble"), while Linda Musthaler offers a good look at Avenda in her newsletter ("Wedded bliss: NAC and identity management").
These are both good tools, with a slightly different focus, to implement end-to-end identity-as-security. Well, almost end-to-end.
Neither can get inside the application or service the way, say, an entitlement management product can. But the ability to
join either to an entitlement management product is right there for the taking and the first organization to put them together
is going to have one heck of a marketing story to tell.
It starts with the health check of the remote endpoint device that any decent NAC tool can do, then the gathering of context
data to present to the authentication event. With these switching devices, the end user (or end service) can be properly routed
over the optimal network path, with the requisite bandwidth, to whatever resource they've been granted access to by means
of their role and context. Once that's been passed to the rules engine (and the enforcement point), the endpoints (user/service
on one side, application/service/device on the other) can be securely and optimally connected.
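To make the flow above concrete, here is an added example (my own sketch, not ConSentry's or Avenda's code) that models the pipeline as a small rules engine: an endpoint posture check, a context record carrying identity and location, a role-based entitlement table, and a decision the enforcement point could act on. All class names, the policy table and the sample values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    # Constructed posture attributes a NAC health check would report
    patched: bool
    av_running: bool
    disk_encrypted: bool

@dataclass
class Context:
    # Identity plus context gathered before the authentication event
    user: str
    role: str
    location: str        # "corporate" or "remote"
    endpoint: Endpoint

@dataclass
class Decision:
    # What the enforcement point receives from the rules engine
    allow: bool
    resources: tuple = ()
    bandwidth_class: str = "none"
    reason: str = ""

# Hypothetical entitlement table: role -> resources the role may reach
ROLE_ENTITLEMENTS = {
    "finance": ("erp", "intranet"),
    "engineer": ("git", "intranet"),
    "guest": ("internet",),
}

def posture_ok(ep: Endpoint) -> bool:
    """Endpoint health check, done before identity is even considered."""
    return ep.patched and ep.av_running

def decide(ctx: Context) -> Decision:
    """Rules engine: combine posture, role and context into one decision."""
    if not posture_ok(ctx.endpoint):
        # Unhealthy device: quarantine to a remediation network only
        return Decision(False, ("remediation",), "low", "failed posture check")
    resources = ROLE_ENTITLEMENTS.get(ctx.role, ())
    if not resources:
        return Decision(False, (), "none", "unknown role")
    if ctx.location == "remote":
        # Context rule: unencrypted remote devices lose the sensitive apps
        if not ctx.endpoint.disk_encrypted:
            resources = tuple(r for r in resources if r in ("intranet", "internet"))
        return Decision(True, resources, "standard", "remote, role-scoped")
    return Decision(True, resources, "high", "on-site, role-scoped")
```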
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.