Towards the end of 2019, I was invited to deliver a keynote at the OpenID Foundation Summit in Japan. At a very personal level, the January 2020 Summit was an opportunity to spend time with dear friends from around the world. It would be the last time I saw Kim Cameron in person. It would include a dinner with the late Vittorio Bertocci. And it was my last “big” trip before the COVID lockdown.
At the Summit, I was asked to talk about the “Future of Identity.” It was a bit of a daunting topic since I am no real futurist and haven’t been an industry analyst for a long time. So I set about writing what I thought the next 10 years would look like from the view of a practitioner. You can read what I wrote as well as see a version of me presenting this.
A concept I put forward in that talk was one of “counselors”: software agents that act on one’s behalf to make introductions of the individual to a service and vice versa, perform recognition of these services and associated credentials, and prevent or at least inhibit risky behavior, such as dodgy data sharing. I provide an overview of these concepts in my Future of Identity talk at approximately minute 20.
Why even talk about counselors
That’s a reasonable question. I have noticed that there is a tendency in the digital identity space (and I am sure in others too) to marvel at problems. Too many pages spent talking about how something is a fantastically hard problem to solve and why we must do so… with scant pages of follow-up on how we do so. Additionally, there’s another tendency to marvel at very technical products and services that “solve the problem.” Except they don’t. They solve a part of the problem or they are one of many tools needed to solve the problem. The challenges of digital identity management are legion and they manifest themselves in different ways to different industry sectors in different geographies. One can argue that while we have used magnificent tools to solve account management problems, we really haven’t begun to solve identity management ones. Counselors are a way to both humanize online interactions and make meaningful (as in meaningful and valuable to the individual) progress on solving the challenges of digital identity management.
I was talking to a longtime competitor/colleague/client/friend this week about identity governance and a variety of other identity topics. We were commenting that in some regards access certification and access policies have been stuck in a bubble of amber: not a lot of innovation save the addition of some cluster analysis (marketed as AI). In the course of the conversation I remembered that a long time ago I had written a piece on the use of negative policy spaces for access governance. My buddy thought it would be fun to dig it up and repost it. So off I went to find this…
What’s funny (at least to me) is that what follows is a writing sample I used as part of the interview process to get my first analyst job at Burton Group. And that brought back a lot of memories…
So without further ado, straight out of 2008, I bring you:
Controls Intelligence in the Greater Whole – Using Negative Authorizations to satisfy Audit Requirements and strengthen Positive Authorization Policies
Whether conscious of it or not, no enterprise embarks on a controls exercise, be it controls definition, management, monitoring, or rationalization, unless that exercise addresses audit requirements. Auditors and regulators have defined the backdrop against which a variety of corporate stakeholders must perform an ever-changing array of maneuvers to prove compliance. Within this context, controls intelligence platforms and processes have developed to directly satisfy audit requirements. In contrast, identity management technologies and other “compliance” tools are not truly aware of the constraints and requirements that auditors inflict upon organizations and are fundamentally not designed to meet those needs. This piece will contrast the difference between controls intelligence platforms and their associated negative authorization policies against identity management technologies and their positive authorization policies, illustrating the appropriate use of both in the eyes of the auditors as well as the enterprise.
What follows is a take on what I learned as Salesforce moved to require all of its customers to use MFA. There’s plenty more left on the cutting room floor but it will definitely give you a flavor for the experience. If you don’t want to read all this you can check out the version I delivered at Identiverse 2022.
It is an honor and a privilege to be here on the first day of Identiverse. I want to thank Andi and the entire program team for allowing me to speak to you today.
This talk is an unusual one for me. I have had the pleasure and privilege to be here on stage before. But in all the times that I have spoken to you, I have been wearing my IDPro hat. I have never had the opportunity to represent my day job and talk about what my amazing team does. So today I am here to talk to you as a Salesforce employee.
And because of that you’re going to note a different look and feel for this presentation. Very different. I get to use the corporate template and I am leaning in hard to that.
Salesforce is a very different kind of company and that shows up in many different ways. Including the fact that, yes, there’s a squirrel-like thing on this slide. That’s Astro – they are one of our mascots. Let’s just get one thing out of the way up front – yes, they have their own backstories and different pronouns; no, they do not all wear pants. Let’s move on.
So the reason why I am here today is to talk to you about Salesforce’s journey towards complete customer adoption of MFA. There are 2 key words in this: Customer and Journey.
‘Customer’ is a key word here because the journey we are on is to drive our customers’ users to use MFA. This is not going to be a talk about how we enable our workforce to use MFA. Parenthetically we did that a few years ago and got ~95% of all employees enrolled in MFA in under 48 hours. Different talk another time. We are focused on raising the security posture of our customers with their help.
Journey is the other key word here. The reason why I want to focus on the Journey is because I believe there is something for everyone to take away and apply in their own situations. And I want to tell this Journey as a way of sharing the lessons I have learned, my team has learned, to help avoid the mistakes we made along the way.
Reification. I learned that word from Kim. In the immediate next breath he said from the stage that he was told not everyone knew what reify meant and that he would use a more approachable word: “thingify.” And therein I learned another lesson from Kim about how to present to an audience.
My memories of Kim come in three phases: Kim as Legend, Kim as Colleague, and Kim as Human, and with each phase came new things to learn.
My first memories of Kim were of Kim as Legend. I think the very first was from IIW 1 (or maybe 2 – the one in Berkeley) at which he presented InfoCard. He owned the stage; he owned the subject matter. He continued to own the stage and the subject matter for years…sometimes the subject matter was more concrete, like InfoCard, and sometimes it was more abstract, like the metaverse. But regardless, it was enthralling.
At some point something changed… Kim was no longer an unapproachable Legend. He was someone with whom I could talk, disagree, and more directly question. In this phase of Kim as Colleague, I was lucky enough to have the opportunity to ask him private follow-up questions to his presentation. Leaving aside my “OMG he’s talking to me” feelings, I was blown away by his willingness to go into depth of his thought process with someone who didn’t work with him. He was more than willing to be challenged and to discuss the thorny problems in our world.
Somewhere in the midst of the Kim as Colleague phase something changed yet again and it is in this third phase, Kim as Human, where I have my most precious memories of him. Through meeting some of his family, being welcomed into his home, and sharing meals, I got to know Kim as the warm, curious, eager-to-laugh person that he was. There was seemingly always a glint in his eye indicating his willingness to cause a little trouble.
The last in-person memory I have of him was just before the pandemic lockdowns in 2020. I happened to be lucky enough to be invited to an OpenID Foundation event at which Kim was speaking. He talked about his vision for the future and identity’s role therein. At the end of his presentation, I and others helped him down the steep stairs off of the stage. I held onto one of his hands as we helped him down. His hand was warm.