One common theme across the talks at last week’s Cloud Identity Summit (CIS) revealed a desire to simplify and unify existing identity and access management (IAM) technologies and standards to build a pragmatic approach to modern identity.
For years, authentication, authorization, single sign-on (SSO), federation, governance, risk, compliance, standards, etc., etc. have all been pointing toward their own identity-based and secured Nirvana. With each one sporting a unique and clearly articulated picture of a future void of complexity and inadequacies. (Oh, if we could only move to that address yesterday.)
But here’s what I heard last week in San Diego.
More than at any previous time, the intersections of these discrete technologies and standards are now closer, clearer, and capable of a scale that is significant to enterprises and consumers. These intersections are beginning to define the possibilities of a common identity and access management stack that can potentially address a large number of use cases while simplifying the number of edge cases.
Is it around the corner? Nope. Are we in the last mile? Perhaps. Does it have promise? Absolutely.
Let me start from a Yubico perspective, the multi-factor authentication and single sign-on integration unveiled last week between Yubico and Ping Identity highlights advantages when authentication hardware is paired with software-based federation and SSO. This combination moves security and convenience closer to being on the same side of the ledger.
And there are other pieces arriving at intersections.
Standards such as OAuth, OpenID Connect (OIDC), Security Assertion Markup Language (SAML), System for Cross-Domain Identity Management (SCIM), Fast Identity Online (FIDO), and User Managed Access (UMA) provide a view into managing modern identity users, authentication, applications, and services. Emerging standards for authentication and SSO (to mobile devices and applications) are evolving within FIDO (Bluetooth and NFC support) and the OpenID Foundation (Native Application SSO).
The result could add up to an infrastructure that begins to define security, levels of assurance, and user control across enterprise and consumer services accessed from desktops, laptops, and mobile devices.
Organizations like the Open Identity Exchange and the Kantara Initiative are adding trust models and certifications. The vetting of IAM systems will eventually look at the whole infrastructure and not the piece parts, which should come to the table already validated.
Add to the mix efforts underway in global governments including the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the United Kingdom’s Office of the Cabinet. These programs are already proving out models that incorporate technologies constructed with the building blocks displayed at CIS.
The qualifier, however, is that integration of identity and security on such a scale does not handle weakness well. Mastering these integrations initially won’t be for the faint of heart. Failures could be epic fireballs.
Vendors will have to partner and defer to customer needs rather than push their checkbox implementations of their competitors’ strengths. Standards in many ways will deflect some of that conflict.
Major vendors at CIS lined up and vowed to work together and push the adoption of standards. Alex Simons, director of program management for Active Directory at Microsoft, said he now has 1,000 engineers in the security and identity business, and “we are here to be your partner.” Google’s Eric Sachs, product management director for Identity, said in his keynote, “We’ve blocked almost all password access to our APIs by default. You have to use OAuth.” And Ian Glazer, senior director of Identity at Salesforce, laid down the gauntlet, saying companies that continue to manage user names and passwords are “toxic waste farmers.”
Color this analysis optimistic. Argue over timelines. Wrestle with cynicism. But don’t underestimate progress made over the past years regardless of the amount of hope crushed along the way. There is a better identity and access management model. It’s more attainable perhaps than ever before, and with better pieces that reduce complexity and improve usability.
It’s time to jump on and follow this arc of progress.
Photo credit: Brian Campbell