Cloud ID Summit Sharpens Focus on Future of IAM Standards

June 18, 2015 4 minute read

One common theme across the talks at last week’s Cloud Identity Summit (CIS) revealed a desire to simplify and unify existing identity and access management (IAM) technologies and standards to build a pragmatic approach to modern identity.

For years, authentication, authorization, single sign-on (SSO), federation, governance, risk, compliance, standards, etc., etc. have all been pointing toward their own identity-based and secured Nirvana. With each one sporting a unique and clearly articulated picture of a future void of complexity and inadequacies. (Oh, if we could only move to that address yesterday.)

But here’s what I heard last week in San Diego.

More than at any previous time, the intersections of these discrete technologies and standards are now closer, clearer, and capable of a scale that is significant to enterprises and consumers. These intersections are beginning to define the possibilities of a common identity and access management stack that can potentially address a large number of use cases while simplifying the number of edge cases.

Is it around the corner? Nope. Are we in the last mile? Perhaps. Does it have promise? Absolutely.

Let me start from a Yubico perspective, the multi-factor authentication and single sign-on integration unveiled last week between Yubico and Ping Identity highlights advantages when authentication hardware is paired with software-based federation and SSO. This combination moves security and convenience closer to being on the same side of the ledger.

And there are other pieces arriving at intersections.

Standards such as OAuth, OpenID Connect (OIDC), Security Assertion Markup Language (SAML), System for Cross-Domain Identity Management (SCIM), Fast Identity Online (FIDO), and User Managed Access (UMA) provide a view into managing modern identity users, authentication, applications, and services. Emerging standards for authentication and SSO (to mobile devices and applications) are evolving within FIDO (Bluetooth and NFC support) and the OpenID Foundation (Native Application SSO).

The result could add up to an infrastructure that begins to define security, levels of assurance, and user control across enterprise and consumer services accessed from desktops, laptops, and mobile devices.

Organizations like the Open Identity Exchange and the Kantara Initiative are adding trust models and certifications. The vetting of IAM systems will eventually look at the whole infrastructure and not the piece parts, which should come to the table already validated.

Add to the mix efforts underway in global governments including the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the United Kingdom’s Office of the Cabinet. These programs are already proving out models that incorporate technologies constructed with the building blocks displayed at CIS.

The qualifier, however, is that integration of identity and security on such a scale does not handle weakness well. Mastering these integrations initially won’t be for the faint of heart. Failures could be epic fireballs.

Vendors will have to partner and defer to customer needs rather than push their checkbox implementations of their competitors’ strengths. Standards in many ways will deflect some of that conflict.

Major vendors at CIS lined up and vowed to work together and push the adoption of standards. Alex Simons, director of program management for Active Directory at Microsoft, said he now has 1,000 engineers in the security and identity business, and “we are here to be your partner.” Google’s Eric Sachs, product management director for Identity, said in his keynote, “We’ve blocked almost all password access to our APIs by default. You have to use OAuth.” And Ian Glazer, senior director of Identity at Salesforce, laid down the gauntlet, saying companies that continue to manage user names and passwords are “toxic waste farmers.”

Color this analysis optimistic. Argue over timelines. Wrestle with cynicism. But don’t underestimate progress made over the past years regardless of the amount of hope crushed along the way. There is a better identity and access management model. It’s more attainable perhaps than ever before, and with better pieces that reduce complexity and improve usability.

It’s time to jump on and follow this arc of progress.

Photo credit: Brian Campbell

Share this article:

Recommended content


Ping Identity and Yubico

Ping Identity and Yubico—stronger together Strong, phishing-resistant authentication for every role Together, YubiKey and PingID enable organizations to easily define authentication policies and layer strong protection for everyone across the enterprise. Each user is protected from phishing and account takeovers, preventing hackers from compromising vulnerable targets as a way to accessing critical systems and data. ...


Okta and Yubico

Okta Adaptive MFA and YubiKey deliver the right authentication for every situation, when you need it and where you need it Create intelligent policies that adapt the level of identity assurance all the way up to hardware-based authentication for stronger levels of protection. No matter the device, user or login context, Okta Adaptive MFA and ...


Duo Security and Yubico

Duo and YubiKey deliver strong authentication that’s highly secure and easy for users Every user needs strong authentication to access vital applications, services, and data. Duo and YubiKey combine centralized, intelligent security policies, broad compatibility and easy integration with a consistent authentication flow users will appreciate. Together Duo and Yubikey share a focus on the ...


Identity Access Management is more secure with YubiKey

Integrating YubiKey with IAM solutions delivers the most secure level of authentication for all users Organizations looking to enhance their security posture can integrate their Identity Access Management platform with a YubiKey to provide hardware-based multi-factor authentication to all their users. This will not only provide the highest level of protection against phishing, but it ...