Cloud ID Summit Sharpens Focus on Future of IAM Standards

One common theme across the talks at last week’s Cloud Identity Summit (CIS) was a desire to simplify and unify existing identity and access management (IAM) technologies and standards to build a pragmatic approach to modern identity.

For years, authentication, authorization, single sign-on (SSO), federation, governance, risk, compliance, standards, etc., etc. have all been pointing toward their own identity-based and secured Nirvana, with each one sporting a unique and clearly articulated picture of a future devoid of complexity and inadequacies. (Oh, if we could only move to that address yesterday.)

But here’s what I heard last week in San Diego.

More than at any previous time, the intersections of these discrete technologies and standards are now closer, clearer, and capable of a scale that is significant to enterprises and consumers. These intersections are beginning to define the possibilities of a common identity and access management stack that can potentially address a large number of use cases while simplifying the number of edge cases.

Is it around the corner? Nope. Are we in the last mile? Perhaps. Does it have promise? Absolutely.

Let me start from a Yubico perspective. The multi-factor authentication and single sign-on integration unveiled last week between Yubico and Ping Identity highlights the advantages of pairing authentication hardware with software-based federation and SSO. This combination moves security and convenience closer to being on the same side of the ledger.

And there are other pieces arriving at intersections.

Standards such as OAuth, OpenID Connect (OIDC), Security Assertion Markup Language (SAML), System for Cross-Domain Identity Management (SCIM), Fast Identity Online (FIDO), and User Managed Access (UMA) provide a view into managing modern identity users, authentication, applications, and services. Emerging standards for authentication and SSO (to mobile devices and applications) are evolving within FIDO (Bluetooth and NFC support) and the OpenID Foundation (Native Application SSO).

The result could add up to an infrastructure that begins to define security, levels of assurance, and user control across enterprise and consumer services accessed from desktops, laptops, and mobile devices.

Organizations like the Open Identity Exchange and the Kantara Initiative are adding trust models and certifications. The vetting of IAM systems will eventually look at the whole infrastructure and not the piece parts, which should come to the table already validated.

Add to the mix efforts underway in global governments including the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the United Kingdom’s Office of the Cabinet. These programs are already proving out models that incorporate technologies constructed with the building blocks displayed at CIS.

The qualifier, however, is that integration of identity and security on such a scale does not handle weakness well. Mastering these integrations initially won’t be for the faint of heart. Failures could be epic fireballs.

Vendors will have to partner and defer to customer needs rather than push their checkbox implementations of their competitors’ strengths. Standards in many ways will deflect some of that conflict.

Major vendors at CIS lined up and vowed to work together and push the adoption of standards. Alex Simons, director of program management for Active Directory at Microsoft, said he now has 1,000 engineers in the security and identity business, and “we are here to be your partner.” Google’s Eric Sachs, product management director for Identity, said in his keynote, “We’ve blocked almost all password access to our APIs by default. You have to use OAuth.” And Ian Glazer, senior director of Identity at Salesforce, laid down the gauntlet, saying companies that continue to manage user names and passwords are “toxic waste farmers.”

Color this analysis optimistic. Argue over timelines. Wrestle with cynicism. But don’t underestimate progress made over the past years regardless of the amount of hope crushed along the way. There is a better identity and access management model. It’s more attainable perhaps than ever before, and with better pieces that reduce complexity and improve usability.

It’s time to jump on and follow this arc of progress.

Photo credit: Brian Campbell
