Recent thoughts and media appearances

  • 2025: The year we free our IAM data

    For the last 20 years, the digital identity market has been primarily focused on protocols and what’s transiting the wires; it has not been standardizing interfaces to data at rest. We have not thought about data-at-rest and the schema thereof since our LDAP days and inetOrgPerson1

    Over the last year I have been writing about what I think modern IAM looks like and what are the architectures we need to support it. Although I do not fully understand this moment in the market, I feel strongly that the future of IAM includes a robust data tier and near-real time events. 

    Read more

  • How to begin building a modern IAM architecture

    Congratulations Reader, you’ve made it to the last of part of my four part blog series on enterprise patterns for modern IAM! The journey started a few weeks ago in which I discussed principles that inform this approach to modern IAM. We then moved on to exploring ways to optimize controls for different kinds of systems that modern IAM needs to protect and enable. Last week we explored a notional architecture for a modern IAM architecture. And this week we end at the beginning or, more accurately, how to begin one’s journey to building a modern IAM architecture in their own organization.

    Read more

  • Notional architecture for modern IAM: Part 3 of 4

    Welcome back to part 3 of my thoughts on enterprise patterns for modern IAM. Last week I provided a few techniques for thinking about the systems that you need to protect and optimizing controls for them. That included identifying which kind of policy (admin-, run-, or event-time) was most important for which kind of system as well as some thoughts on policy complexity per type of system to be protected.

    This week I want to present what I believe is a conceptual architecture for modern IAM. It feels very different from the kinds of IAM infrastructure architectures you might be familiar with. It is, in some sense, a higher level architecture into which you would place classical components such as IGA or an IDP. But instead of me presenting it here, read on and discover!

    Read more

  • Optimizing controls to enterprise resources: Part 2 of 4

    Last week I published part one of my four part series on “Enterprise Patterns for Modern IAM” in which I discussed the principles that should inform the design of a modern IAM architecture. This week, in part 2, I am offering up a way to think about the kinds of systems your IAM architecture is meant to protect and a means to align controls to that goal.

    Optimizing controls to enterprise resources

    Armed with these principles, and before we get to every architect’s favorite thing—a boxes and arrows diagram—let’s consider a conceptual framework for the kinds of IAM controls that are required and the systems that those controls protect.

    Read more

  • Enterprise Patterns for Modern IAM: Part 1 of 4

    Over the last few months I have been working on ideas about modern IAM architecture, what it contains, and how to think about it. This is the first of four posts that expand on my previous thoughts. This post will examine the principles that should inform a modern IAM architecture. The second post will offer up a way to think about the systems a modern IAM architecture enables and protects along with the controls it provides. The third post will describe a notional architecture that embodies the principles discussed next and allows for the deployment of IAM controls. Lastly, I will talk about how to get started building a modern IAM architecture.

    Read more