Counselors in the Modern Era

Towards the end of 2019, I was invited to deliver a keynote at the OpenID Foundation Summit in Japan. At a very personal level, the January 2020 Summit was an opportunity to spend time with dear friends from around the world. It would be the last time I saw Kim Cameron in person. It would include a dinner with the late Vittorio Bertocci. And it was my last “big” trip before the COVID lockdown.

At the Summit, I was asked to talk about the “Future of Identity.” It was a bit of a daunting topic since I am no real futurist and haven’t been an industry analyst for a long time. So I set about writing what I thought the next 10 years would look like from the view of a practitioner. You can read what I wrote as well as see a version of me presenting this. 

A concept I put forward in that talk was one of “counselors”: software agents that act on one’s behalf to make introductions of the individual to a service and vice versa, perform recognition of these services and associated credentials, and prevent or at least inhibit risky behavior, such as dodgy data sharing. I provide an overview of these concepts in my Future of Identity talk at approximately minute 20.

Why even talk about counselors

That’s a reasonable question. I have noticed that there is a tendency in the digital identity space (and I am sure in others too) to marvel at problems. Too many pages spent talking about how something is a fantastically hard problem to solve and why we must do so… with scant pages of follow-up on how we do so. Additionally, there’s another tendency to marvel at very technical products and services that “solve the problem.” Except they don’t. They solve a part of the problem or they are one of many tools needed to solve the problem. The challenges of digital identity management are legion and they manifest themselves in different ways to different industry sectors in different geographies. One can argue that while we have used magnificent tools to solve account management problems, we really haven’t begun to solve identity management ones. Counselors are a way to both humanize online interactions and make meaningful (as in meaningful and valuable to the individual) progress on solving the challenges of digital identity management.


Controls Intelligence in the Greater Whole

I was talking to a longtime competitor/colleague/client/friend this week about identity governance and a variety of other identity topics. We were commenting that in some regards access certification and access policies have been stuck in a bubble of amber: not a lot of innovation save the addition of some cluster analysis (marketed as AI). In the course of the conversation I remembered that a long time ago I had written a piece on the use of negative policy spaces for access governance. My buddy thought it would be fun to dig it up and repost it. So off I went to find this…

What’s funny (at least to me) is that what follows is a writing sample I used as part of the interview process to get my first analyst job at Burton Group. And that brought back a lot of memories…

So without further ado, straight out of 2008, I bring you:

Controls Intelligence in the Greater Whole – Using Negative Authorizations to satisfy Audit Requirements and strengthen Positive Authorization Policies

Executive Summary

Whether conscious of it or not, no enterprise embarks on a controls exercise, be it controls definition, management, monitoring, or rationalization, unless that exercise addresses audit requirements.   Auditors and regulators have defined the backdrop against which a variety of corporate stakeholders must perform an ever-changing array of maneuvers to prove compliance.  Within this context, controls intelligence platforms and processes have developed to directly satisfy audit requirements.  In contrast, identity management technologies and other “compliance” tools are not truly aware of the constraints and requirements that auditors inflict upon organizations and are fundamentally not designed to meet those needs.  This piece will contrast the difference between controls intelligence platforms and their associated negative authorization policies against identity management technologies and their positive authorization policies, illustrating the appropriate use of both in the eyes of the auditors as well as the enterprise.


The Future of Digital Identity: 2020 – 2030

Some thoughts on the next 10-ish years in identity management.

[This was originally written in December 2019: pre-pandemic, pre-US presidential election, pre-George Floyd. Truly, it was written in the “Before Times.” I thought about updating this before posting but that felt wrong – somehow dishonest. So here is the lightly touched up text of my talk which was given first in Tokyo at the OpenID Foundation Summit and then again as part of the all-virtual Identiverse. If you want to skip the text and go straight to the video, you can! 

My deepest thanks go to Naohiro Fujie and Nat Sakimura for prompting me to write this, and Andi Hindle for his feedback. – IG 11/24/2020]

It is my honor to present to you today. Today, it is my privilege to talk to you about my vision of the future of digital identity. When Naohiro-san asked me to speak on this topic, I was both honored and panicked. In my daily role, I focus on a 12 to 18 month time frame. My primary task is to help my stakeholders and, yes I have a multi-year vision, but I primarily focus on how my team can execute in the next few months to help those stakeholders. I don’t, as a matter of my daily routine, think about the future.

So I was a little panicked. I am not a futurist. I am no longer an industry analyst. I am just a practitioner trying to help where I can. How then should I talk about the next ten years of our industry?

I can name 4 ways to think about the future and with your permission I will briefly try all 4.

Looking at the Past to See the Future

One way to talk about the future is to look back at past predictions and see how they fared. I’ll choose 3 predictions:

  • The Need for Password Vaulting
  • SAML is Dead
  • The Year of PKI (Again…Still)

The Most Forgotten Thing In Identity Management

[What follows are some thoughts on usernames and identifiers. This was an extremely fun talk to put together. Many thanks as always to everyone who helped improve this talk including Chuck Mortimore and George Fletcher. – IG Sept 3 2019. If you don’t feel like reading everything, you can check me out giving this talk at Identiverse in June of 2019.]

What I want to talk about

Usernames. They are the most forgotten, the most overlooked thing in our industry. They are, as we would say in the US, the “Gen X” of identity management. They show up; they do their job; they don’t get any credit. In fact, they do not get the same attention that their big brother “Password” and their little sister “Password-less” get. Instead, usernames do their job without thanks or recognition. But failing to pay attention to usernames can have major negative impacts to both B2B and B2C scenarios.

Why this talk?

Having been incredibly wrong about many things when it comes to identity, I have developed a habit: I like to re-examine my beliefs from time to time and make sure they are still valid. I like to root out the assumptions and the implicit principles, hold them up to the light, and see if they are correct.

Customer needs have driven me to think more about usernames. The very large program I am in the midst of at Salesforce has spurred this on as well.

But most of all – usernames are incredibly important, especially given how much use they get every day. And yet we don’t often talk about them.

5 Aspects of Usernames

There are 5 aspects of usernames that I’d like to discuss. These aspects overlap and, in the intersections, there are lessons to be learned.

Usernames:

  • Are not a secret
  • Must be classified as public data
  • Must be memorable
  • Must be unique
  • Must be recoverable