Controls Intelligence in the Greater Whole

I was talking to a long time competitor/colleague/client/friend this week about identity governance and a variety of other identity topics. We were commenting that in some regards access certification and access policies have been stuck in bubble of amber: not a lot of innovation save the addition of some cluster analysis (marketed as AI.) In the course of the conversation I remember that a long time ago I had written a piece on the use of negative policy spaces for access governance. My buddy thought it would be fun to dig it up a repost it. So of I went to find this…

What’s funny (at least to me) is that what follows is a writing sample I used as part of the interview process to get my first analyst job at Burton Group. And that brought back a lot of memories…

So without further adieu, straight out of 2008, I bring you:

Controls Intelligence in the Greater Whole – Using Negative Authorizations to satisfy Audit Requirements and strengthen Positive Authorization Policies

Executive Summary

Whether conscious of it or not, no enterprise embarks on a controls exercise, be it controls definition, management, monitoring, or rationalization, unless that exercise addresses audit requirements.   Auditors and regulators have defined the backdrop against which a variety of corporate stakeholders must perform an ever-changing array of maneuvers to prove compliance.  Within this context, controls intelligence platforms and processes have developed to directly satisfy audit requirements.  In contrast, identity management technologies and other “compliance” tools are not truly aware of the constraints and requirements that auditors inflict upon organizations and are fundamentally not designed to meet those needs.  This piece will contrast the difference between controls intelligence platforms and their associated negative authorization policies against identity management technologies and their positive authorization policies, illustrating the appropriate use of both in the eyes of the auditors as well as the enterprise.

The Auditors rise to Power

It sometimes seems as if there were no audit regulations before Sarbanes-Oxley, but of course there were.  Various industries had their own set of regulations and subsequent audit requirements to meet.  SOX, however, does not discriminate among industries and with its introduction all manner of enterprise turned to their auditors for guidance.  The power and importance of the external auditor grew significantly; on one side, their clients were asking for guidance and on the other government and regulators were looking for results.  This put auditors in control and control they did; they defined stringent audit requirements and testing procedures.  They design the obstacle course that their clients have had to maneuver year after year.

Being Negative Never Seemed So Good

Simply put, auditors are interested in what people cannot do.  They want to verify that people who can execute out one task cannot execute another task that is in opposition to the first.  For example, an auditor will examine business systems to validate that the collection of capabilities granted to an inventory clerk does not enable the clerk to see the pay grades of her coworkers, as well as authorize payment for goods she ordered.  Auditors require that the analysis of these collections of capabilities must be executed at the lowest level of the audited system, ensuring that no convoluted permutation of capability components result in conflicts that cannot be detected at higher levels and thus cannot be mitigated.  This analysis of complex systems and processes is expressed using negative authorizations – explicit statements about which capability components are in conflict with others.

Compliance to audit requirements is evidence that the organization has not allowed to transpire what, according to auditors, should not be allowed to happen.  This holds true for both automatable processes and manual ones.  The lack of evidence that the organization required all of its managers to attend sexual harassment training, and thus educated managers appropriately, can be sufficient to run afoul of audit and/or regulatory requirements.  Similarly, evidence that a business system allows the inventory clerk to see her coworkers’ pay grades as well as authorize payment for goods she ordered can be sufficient to violate an audit requirement.  Controls intelligence and controls documentation platforms are designed to discover the existence of such potential violations before the auditor discovers them.  These tools, from a testing and monitoring perspective, utilize negative authorizations to discover, on an on-going as well as episodic basis, potential violations in both manual and automatable processes.

The Downside of being Positive

Identity Management technologies deal with entitlement: what are people of a certain type allowed to, and subsequently enabled, to do.  This holds true for a variety of identity management technologies including user provisioning, bottom-up and top-down role management, as well as entitlement management.  All of these technologies use a form of an entitlement which groups people together and grants them a collection of capabilities.  The explicit granting nature of these entitlements is a form of positive authorizations.

The primary goal of entitlement-based identity management systems is to realize operational efficiencies by granting and managing people’s granted abilities faster with more automated control and finesse.  A secondary goal is the self-service enablement of users in order to reduce cost.  These tools are invaluable to IT and help reduce the overall cost of supporting the enterprise’s user population.  That being said these tools cannot truly meet the needs of auditors on their own.

Auditors are not ignorant to positive authorization-based systems.  They are well aware these systems help provide access to business systems and at the same time these systems can pollute critical business systems with audit exceptions.  One of the inherent reasons that these positive authorization systems can so easily generate problems is that these systems concern themselves with collections of capabilities at the highest level.  This allows entitlements to be built and managed quickly, helping to realize operational efficiencies, but does not allow for the detailed analysis that auditors require and that negative authorization platforms provide.

Using Negative Authorizations to satisfy Audit Requirements

While the efficiencies gained from positive authorization systems, like user provisioning, are great from a bottom-line perspective, those efficiencies are irrelevant to auditors – they don’t care how quickly an enterprise grants access to business applications.  To satisfy audit requirements, an enterprise must be able to demonstrate how people cannot execute certain tasks, how theirs capabilities are not in conflict and must be able to demonstrate this amongst the tiny pieces that comprise a capability.  To accomplish this, the enterprise must rely on negative authorizations and the depth of analysis that controls intelligence platforms provide.

Unaware of their choice, many enterprises choose to codify and modify negative authorizations through manual efforts.  They employ brute force spreadsheet-based analysis of both manual processes and business systems to demonstrate that they have an enforced, auditable collection of negative authorization policies.  Effective to a point and costly to an extreme, these efforts have been tolerably sufficient in the past but with changes to auditor guidance, such as  AS5, and financial and competitive pressures, enterprises are turning to automated solutions, eschewing these manual efforts.  Enterprises that chose controls intelligence platforms, those who automate controls management and monitoring, find benefits in reduced audit preparation costs, easier more predictable audits, and stronger deployments of their positive authorization systems.

Harmonizing of Negative and Positive Authorizations

As previously mentioned, positive authorization systems, like identity management technologies, provide a conduit along which potential exceptions and audit findings travel straight into business systems.  In order to intercept these potential audit exceptions and, in turn, meet audit requirements, enterprises must examine their positive authorization-based policies through the filter of negative authorizations.

There are two key points at which controls intelligence, negative authorizations, can filter positive authorization-based identity management technologies: runtime and design-time.  At runtime, proposed account changes, generated by user provisioning systems, derived from positive authorization-based entitlements, pass through the filter of a controls intelligence platform.  This negative authorization filter highlights potential exceptions that exist in the proposed account change and does so by using the language that the auditors speak at a level of detail that the auditors expect.  This process, known as compliant provisioning, provides a safety-net for critical business applications, preventing potential audit findings from finding their way into the business applications in the first place.

Although compliant provisioning is a highly effective method of preventing potential exceptions, design-time application of negative authorization filters is a superior long term approach.  This approach not only reduces potential audit exceptions, but also increases the value of enterprise identity management deployments.  Design-time application of negative authorizations works as follows: as entitlements are developed in positive authorization systems, they are passed through the filter of a controls intelligence platform.  The negative authorization analysis of these entitlements, episodically and/or continually, highlight flaws in these entitlements and help organizations prevent these “bad” entitlements from generating fundamentally flawed role definitions, provisioning policies and account changes, and access entitlements.  Further, by relying on the filter of negative authorizations at design-time, organizations can avoid costly and time consuming entitlement exercises in which subject matter experts on critical business systems attempt to translate what they know an auditor wants to see (negative authorizations) into convoluted positive authorizations.

Both the runtime and design-time approaches harmonize positive and negative authorizations.  This harmonizing of satisfies audit requirements for complete, detailed negative authorization analysis and reduces potential audit findings.  It also retains all of the operational benefits of identity management systems, reduces the cost of deploying these systems, and increases their time to value.


To satisfy both internal and external audit requirements, the enterprise must consolidate and rationalize its negative authorization policy stores.  This includes transitioning from manual-effort analysis and disjoint controls documentation to continuous, automated controls testing whose results flow into a consolidated controls documentation platform.  These efforts reduce enterprise risk and audit exposure and serves to directly meet audit requirements.

Meanwhile, the enterprise should continue deploying identity management technologies and their positive authorizations in order to realize operational gains.  That being said, the enterprise should not attempt to make these positive authorizations behave like negative authorization systems as the effort will be time consuming, costly, and fundamentally will not meet audit requirements.  

Finally, the enterprise should tie their negative authorizations to their positive authorization systems.  At the minimum the enterprise should deploy compliant provisioning, passing entitlement generated account changes through the filter of a controls intelligence platform for negative authorization analysis.  Ideally, during creation and on-going maintenance, identity management entitlements, in their various forms, should be examined through negative authorization filters weeding out potential audit findings long before they can find their way into business applications.

By using negative authorizations and thus gaining control intelligence, the enterprise can speak the language of the auditor and rise to the challenge of an ever-changing set of audit requirements.  By using negative and positive authorization in harmony, the enterprise can realize operational efficiencies without an increased risk of potential audit findings.

Lessons on Salesforce’s Road to Complete Customer MFA Adoption

What follows is a take on what I learned as Salesforce moved to require all of its customers to use MFA. There’s plenty more left on the cutting room floor but it will definitely give you a flavor for the experience. If you don’t want to read all this you can check out the version I delivered at Identiverse 2022.


Thank you.

It is an honor and a privilege to be here on the first day of Identiverse. I want to thank Andi and the entire program team for allowing me to speak to you today.

This talk is an unusual one for me. I have had the pleasure and privilege to be here on stage before. But in all the times that i have spoken to you, I have been wearing my IDPro hat. I have never had the opportunity to represent my day job and talk about what my amazing team does. So today I am here to talk to you as a Salesforce employee.

And because of that you’re going to note a different look and feel for this presentation. Very different. I get to use the corporate template and I am leaning in hard to that.

Salesforce is a very different kind of company and that shows in up many different ways. Including the fact that, yes, there’s a squirrel-like thing on this slide. That’s Astro – they are one of our mascots. Let’s just get one thing out of the way up front – yes, they have their own backstories and different pronouns; no, they do not all wear pants. Let’s move on.

So the reason why I am here today is to talk to you about Salesforce’s journey towards complete customer adoption of MFA. There are 2 key words in this: Customer and Journey.

‘Customer’ is a key word here because the journey we are on is to drive our customers’ users to use MFA. This is not going to be a talk about how we enable our workforce to use MFA. Parenthetically we did that a few years ago and got ~95% of all employees enrolled in MFA in under 48 hours. Different talk another time. We are focused on raising the security posture of our customers with their help.

Journey is the other key word here. The reason why I want to focus on the Journey is because I believe there is something for everyone to take away and apply in their own situations. And I want to tell this Journey as a way of sharing the lessons I have learned, my team has learned, to help avoid the mistakes we made along the way.

Continue reading Lessons on Salesforce’s Road to Complete Customer MFA Adoption

Memories of Kim Cameron

Reification. I learned that word from Kim. In the immediate next breath he said from the stage that he was told not everyone knew what reify meant and that he would use a more approachable word: “thingify.” And therein I learned another lesson from Kim about how to present to an audience.

My memories of Kim come in three phases: Kim as Legend, Kim as Colleague, and Kim as Human, and with each phase came new things to learn.

My first memories of Kim were of Kim as Legend. I think the very first was from IIW 1 (or maybe 2 – the one in Berkeley) at which he presented InfoCard. He owned the stage; he owned the subject matter. He continued to own the stage and the subject matter for years…sometimes the subject matter was more concrete, like InfoCard, and sometimes it was more abstract, like the metaverse. But regardless, it was enthralling.

At some point something changed… Kim was no longer an unapproachable Legend. He was someone with whom I could talk, disagree, and more directly question. In this phase of Kim as Colleague, I was lucky enough to have the opportunity to ask him private follow-up questions to his presentation. Leaving aside my “OMG he’s talking to me” feelings, I was blown away by his willingness to go into depth of his thought process with someone who didn’t work with him. He was more than willing to be challenged and to discuss the thorny problems in our world.

Somewhere in the midst of the Kim as Colleague phase something changed yet again and it is in this third phase, Kim as Human, where I have my most precious memories of him. Through meeting some of his family, being welcomed into his home, and sharing meals, I got to know Kim as the warm, curious, eager-to-laugh person that he was. There was seemingly always a glint in his eye indicating his willingness to cause a little trouble. 

The last in-person memory I have of him was just before the pandemic lockdowns in 2020. I happened to be lucky enough to be invited to an OpenID Foundation event at which Kim was speaking. He talked about his vision for the future and identity’s role therein. At the end of his presentation, I and others helped him down the steep stairs off of the stage. I held onto one of his hands as we helped him down. His hand was warm.

The Future of Digital Identity: 2020 – 2030

Some on the next 10-ish years in identity management.

[This was originally written in December 2019: pre-pandemic, pre-US presidential election, pre-George Floyd. Truly, it was written in the “Before Times.” I thought about updating this before posting but that felt wrong – somehow dishonest. So here is the lightly touched up text of my talk which was given first in Tokyo at the OpenID Foundation Summit and then again as part of the all-virtual Identiverse. If you want to skip the text and go straight to the video, you can

My deepest thanks go to Naohiro Fujie and Nat Sakimura for prompting me to write this, Andi Hindle for his feedback. – IG 11/24/2020]

It is my honor to present to you today. Today, it is my privilege to talk to you about my vision of the future of digital identity. When Naohiro-san asked me to speak on this topic, I was both honored and panicked. In my daily role, I focus on a 12 to 18 month time frame. My primary task is to help my stakeholders and, yes I have a multi-year vision, but I primarily focus on how my team can execute in the next few months to help those stakeholders. I don’t, as a matter of my daily routine, think about the future.

So I was a little panicked. I am not a futurist. I am no longer an industry analyst. I am just a practitioner trying to help where I can. How then should I talk about the next ten years of our industry?

I can name 4 ways to think about the future and with your permission I will briefly try all 4.

Looking at the Past to See the Future

One way to talk about the future is to look back at past predictions and see how they fared. I’ll choose 3 predictions:

  • The Need for Password Vaulting
  • SAML is Dead
  • The Year of PKI (Again…Still)
Continue reading The Future of Digital Identity: 2020 – 2030