Recent thoughts and media appearances

  • A Maturity Model for De-Weaponizing Identity Systems - Part 3

    In Part 1 of this series, I discussed the types of attackers who can weaponize your identity systems and use them to cause harm. In Part 2, I introduced the design goals of the Maturity Model as well as the disciplines needed to implement it. In this post, I’ll discuss each of the 5 levels of the Maturity Model and the controls you should put in place to achieve those levels.

    Level 1 - Managed

    This level is table stakes. It optimizes your organization’s existing security controls for identity systems. I believe it helps make compliance with things like GDPR easier, but it is in no way a “cure all” for regulatory burdens. To achieve Level 1, you’ll need a combination of access control, data protection, and audit:

    Read more
  • A Maturity Model for De-Weaponizing Identity Systems - Part 2

    In the first part of this series, I discussed different kinds of attackers and why they attack our identity systems. I also discussed how they can weaponize our identity systems, turning what is meant to deliver services and do good into something that can be used to cause harm. In this part, I’ll talk about the goals of the model, the disciplines needed to do this work, and the levels of maturity.

    Read more
  • A Maturity Model for De-Weaponizing Identity Systems - Part 1

    It’s no secret that we, as identity professionals, are the custodians of some of the most crucial information in our enterprises. We hold information about employees and customers in our identity systems in order to deliver them services that range from productivity to entertainment to personal health and wellbeing. And as professionals, none of us want to build systems that can harm other people. Certainly, none of us want to build systems that can be used to harm ourselves. At the core of our professional code of ethics is the spirit of “do no harm.” Now it is true that if our identity systems are of value to us and to our employers, then they are of value to attackers.

    Read more
  • Changing Face/Fate of Identity

    In looking for my most recent talk at RSA, I stumbled across one from the vault. Back in 2017, I had the opportunity to speak at the Conference. Leaving aside the horrible-sounding audio in the beginning (trust me, it gets better), this talk is a fun one. As I, apparently, wrote in the abstract:

    You had one source for all identities and life was easy. But today you have a handful of sources of employee identities, dozens of sources of partner identities, and billions of sources of consumer identities, and that’s just the humans—you have APIs, connected devices, and third-party systems to deal with too. Come learn how to manage all of this in spite of the changing face/fate of identity.

    Read more
  • Professionalizing Identity: What happens next?

    Apologies for not getting this out sooner. After having a great time at #CISNOLA, I recovered a bit. In that time I got a lot of feedback on my micro-keynote on professionalizing the identity management industry. Lots of very encouraging feedback. There was a common theme to these conversations: I signed the pledge; so now what happens? From a long-term perspective, I simply don’t know. On a shorter timeline, here’s what I do know. Kantara is going to leave the pledge page open for a few more weeks. Around July or August, Kantara will convert the pledge list to a working group. This discussion group will explore what a professional organization for our industry should look like. I have recommended that the working group spend the rest of the year identifying what the organization ought to look like, what it should do, what it should not do, etc. My hope is that around the beginning of 2017 the organization gets going in earnest. Well, that seems like a long time to wait, you might say. True. But we’ve gone 30 years without a professional organization; 180 more days isn’t going to kill anyone. Having gone through the creation of one organization already, I am in no rush, and I think the Kantara leadership is of a similar mindset. In the meantime, what can you do? Send your colleagues to the Kantara pledge page. Talk with your peers about what you want to see in a professional organization for our industry. Find similar organizations that are doing interesting things and bring those things to the working group when it starts.