Recent thoughts and media appearances

  • The Least Privilege Fallacy or How I Learned to Stop Worrying and Love Zero Standing Privilege

    An admission: I have become a bit of an identity governance and administration (IGA) nihilist. This, for those of you who know my background, is a big admission. I grew up a user provisioning person in this industry. I wrote extensively about access certification. I studied role management. 

    And, in a lot of ways, I have come to believe that IGA has failed. It works great for birthright access assignment but role management and access certification have missed the mark. This is not for lack of heroic efforts on the part of earnest practitioners nor for lack of massive investment in products and tools. 

  • Counselors in the Modern Era: Advancing Identity Management

    Towards the end of 2019, I was invited to deliver a keynote at the OpenID Foundation Summit in Japan. At a very personal level, the January 2020 Summit was an opportunity to spend time with dear friends from around the world. It would be the last time I saw Kim Cameron in person. It would include a dinner with the late Vittorio Bertocci. And it was my last “big” trip before the COVID lockdown.

  • An introduction to customer identity and access management

    When I started at Salesforce nearly a decade ago, I was intrigued by the potential of combining customer engagement data and services with identity. Back then customer identity and access management (CIAM) was newish. The amount I didn’t know was staggering and frankly I still have a lot to learn.

    But I have over the years learned a few things. Some things I learned through my product customers. Some I learned through my internal customers who used my technology (and engineering teams) to run a CIAM for Salesforce. Taking those lessons, combining them with what I have learned from people like Vittorio Bertocci, Michiel Stoop, and Andrew Cameron, I am thrilled to write this Introduction to Customer Identity and Access Management.

  • What it takes to give a keynote

    From time to time, people ask me about my presentation techniques. More often than not, they aren’t actually asking me about how I grow ideas for presentations, build decks, or rehearse. (No one, btw, wants to hear about the rehearsals.) What these people are really asking is, “What do I need to do to keynote at a conference?” Instead of pointing them to the article I wrote a while ago, I need to show them this picture.

  • Identity Week DC with Identity at the Center #237

    Not only did I have the pleasure of being back on the Identity at the Center podcast, but I got to co-host AND Steve “Hutch” Hutchison was the guest. Hutch is an old friend/colleague/client. He’s the Director of Security Architecture at the Mitsubishi Bank of Tokyo and is absolutely one of the smartest people in identity - not just from a 1s and 0s perspective but from a practical application perspective. We talk about everything from what does an identity architect do to Microsoft Entra to Dungeons & Dragons! Check it out for yourself!