Hey identity geeks, if you have been in the identity industry for a while like I have – yikes, 19 years – then you may remember one of the renowned industry analyst firms for Identity and Access Management (IAM), The Burton Group.
Back in the day, The Burton Group Catalyst conference was the place to be for all the identity thought leaders and movers and shakers. Gartner acquired Burton Group in 2010 and has done some great things to further the discussion about identity, but the Catalyst Conference is no longer the community of identity geeks that it used to be.
It turns out that some of the Burton Group originals have gotten the band back together and have re-emerged as TechVision Research. I was invited to attend and speak at their recent inaugural Chrysalis Conference in San Diego, CA.
First, congratulations to Gary Rowe and the entire team at TechVision for pulling off a successful initial event, and for bringing back together many of the industry elite for a few days to share their insights. You can see the agenda and list of excellent speakers (many of whom you may recognize) here, and the presentations from the conference are publicly available for your viewing pleasure here.
Second, it was a pleasure serving on the Zero Trust panel chaired by Sorell Slaymaker, and the Privileged Access Management (PAM) panel with Doug Simmons. Some of my favorite sessions were the Identity Legends Panels. Many of our industry luminaries were there, including Jamie Lewis, Bob Blakley, Ian Glazer, Doug Simmons, Eve Maler, Malcolm Harkins, Dr. Fred Cohen, Dan Blum, Nick Nikols, Kurt Lieber, Jackson Shaw, and Pam Dingle, just to name a few.
Three Takeaways from TechVision Research’s Chrysalis Conference
Today’s IAM Challenges
There have been many great successes in the last 10 years of IAM, but there are some age-old issues we are still struggling with, and some new challenges:
- Authorization – we have made huge strides as an industry with authentication, but authorization is typically handled by the application. Role-based Access Control (RBAC) is still the standard. Attribute-based Access Control (ABAC) never quite took off. No real standards have emerged successfully, so authorization is still a challenge.
- How do we END trust? – when should we be closing or ending sessions? Should we always be using temporary tokens? Does this issue go away with stateless apps?
- The next authentication will be recognition – especially for B2C. Will authentication be necessary anymore or are there enough attributes out there that we can accurately “recognize” a particular identity?
- Decentralized identity – will identity blockchains become a “thing?” At the Chrysalis Conference, Bob Blakley of Citigroup said he believes this will happen for machine identities, but not humans.
- Abstract identity from the application – will this ever take place? Microservices architectures may help.
Celebrate Our IAM Successes
As much as there is always more work to be done and things move more slowly than we like, there have been some really big wins for IAM in the last 10 years…
- SAML – now a readily accepted standard for federation, SAML has achieved its designed intent of making users’ lives easier while at the same time increasing security.
- FIDO – maybe a bit early to call this a success, but adoption of the FIDO standard has started quickly and fills a great need in multi-factor authentication (MFA).
- SCIM – for sure too early to call this one a win, but adoption is growing with the second generation of the standard. It feels like good things to come.
For an identity conference, there was quite a bit of discussion about DevOps and the changing application development architecture. Just as Ops and QA are moving “left” closer to development, so is security.
Identity needs to “move left” too. Identity controls and processes should be core application development capabilities and not an afterthought that takes a backseat to application features. We need to make IAM more API-centric, and push more standards. The more we can make it EASY for developers, the more identity will be embraced and incorporated early. Identity must “move left.”