Towards the end of 2019, I was invited to deliver a keynote at the OpenID Foundation Summit in Japan. At a very personal level, the January 2020 Summit was an opportunity to spend time with dear friends from around the world. It would be the last time I saw Kim Cameron in person. It would include a dinner with the late Vittorio Bertocci. And it was my last “big” trip before the COVID lock down.
I was talking to a long time competitor/colleague/client/friend this week about identity governance and a variety of other identity topics. We were commenting that in some regards access certification and access policies have been stuck in bubble of amber: not a lot of innovation save the addition of some cluster analysis (marketed as AI.) In the course of the conversation I remember that a long time ago I had written a piece on the use of negative policy spaces for access governance. My buddy thought it would be fun to dig it up a repost it. So of I went to find this…
Some on the next 10-ish years in identity management.
[This was originally written in December 2019: pre-pandemic, pre-US presidential election, pre-George Floyd. Truly, it was written in the “Before Times.” I thought about updating this before posting but that felt wrong - somehow dishonest. So here is the lightly touched up text of my talk which was given first in Tokyo at the OpenID Foundation Summit and then again as part of the all-virtual Identiverse. If you want to skip the text and go straight to the video, you can!
[What follows are some thoughts on usernames and identifiers. This was an extremely fun talk to put together. Many thanks as always to everyone who helped improve this talk including Chuck Mortimore and George Fletcher. – IG Sept 3 2019. If you don’t feel like reading everything, you check me out giving this talk at Identiverse in June of 2019.]
Usernames. They are the most forgotten, the most overlooked thing in our industry. They are, as we would say in the US, the “Gen X” of identity management. They show up; they do their job; they don’t get any credit. In fact, they do not get the same attention that their big brother “Password” and their little sister “Password-less” get. Instead, usernames do their job without thanks or recognition. But failing to pay attention to usernames can have major negative impacts to both B2B and B2C scenarios.
A few months ago, I had the honor and pleasure to sit down with one of the most awesome people in Privacy, Michelle Dennedy, Chief Privacy Officer at Cisco, and record one of her Privacy Sigma Riders podcasts. We were in Austin. We were pumped to finally get together. We were heavily caffeinated. And we didn’t actually record anything… save for the last 25 secs of what was a 45 minute conversation. Fail… fail… fail!
(Thanks to Kim Cameron for prompting me to write this down. Special thanks to Chuck Mortimore for his insight and probing questions and who helped me improve this.) In the identity industry, there’s been a lot hype these days around self-sovereign identity. The latest permutation in the quest for user-centric identity, self-sovereign revisits the laudable goal of enabling people to be in better control of how information about them passes to enterprises and organizations (but now with added blockchain.) To be clear, increased individual control is an important goal and one that incredibly sharp people have been working on for 15+ years, going back to InfoCard and Higgins. Before I discuss why self-sovereign has a real chance at widespread adoption, it’s important to understand why identity technologies and approaches get adopted in the first place. At least, three things are required:
In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems, use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model as well as the disciplines needed to implement the Maturity Model. In this post, I’ll discuss each of the 5 levels of the Maturity Model and controls you should put in place to achieve those levels.
This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it helps make compliance with things like GDPR easier but it is in no way a “cure all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:
In the first part of this series, I discussed different kinds of attackers and why they attack our identity systems. I also discussed how they can weaponize our identity systems, turning what is meant to deliver services and do good into something that can be used to cause harm. In this part I’ll talk about the goals of the model, the disciplines needed to do this work, and the levels of maturity.
It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing. And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.” Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.
Apologies for not getting this out sooner. After having a great time at #CISNOLA I recovered a bit. In that time I got a lot of feedback on my micro-keynote on professionalizing the identity management industry. Lots of of very encouraging feedback. There was a common theme to these conversation - I signed the pledge; so now what happens? From a long term perspective, I simply don’t know. On a shorter timeline, here’s what I do know. Kantara is going to leave the pledge page open for a few more weeks. Around July or August, Kantara will convert the pledge list to a working group. This discussion group will explore what a professional organization for our industry should look like. I have recommended that that working group spend the rest of the year identifying what the organization ought to look like, what it should do, what it should not do, etc. My hope is that around the beginning of 2017 the organization gets going in earnest. Well that seems like a long time to wait you might say. True. But we’ve gone 30 years without a professional organization - 180 more days isn’t going to kill anyone. Having gone through the creation of one organization already, I am in no rush and I think the Kantara leadership is of a similar mindset. In the meantime, what can you do? Send your colleagues to the Kantara pledge page. Talk with your peers about what you want to see in a professional organization for our industry. Find similar organizations that are doing interesting things and brings those things to the working group when it starts.