Recent thoughts and media appearances
-
Getting started with Zero Standing Privilege: A Field Guide
Over the last few weeks I’ve had a bunch of conversations about zero standing privilege (ZSP). From my blog exchange with Andi Hindle, to the Identerati Office Hours with Mike and Vlad, to a great chat with Simon and Atul, ZSP has been the topic du jour. And throughout those conversations one question consistently came up: how does one get started with ZSP?
Conduct a census
ZSP, just like automated user provisioning, is not something that you need to apply to 100% of your apps, services, users, and use cases. As you start off, you’ll want to take a far more targeted approach. I’d recommend itemizing the systems/apps/services that, if something were to go wrong, have the greatest blast radius. Talk to your service reliability peers, talk to your friends in finance, talk to your customer support teams. From them you’ll get a list of things that could cause significant outages or damage to the company… like core DNS, network infrastructure, general ledger, your services in the public cloud, etc.
-
Identerati Office Hours: Zero Standing Privilege
I joined Mike Schwartz and Vlad Shapiro to talk about zero standing privilege and much much more - so much fun!
-
Misalignment and the rise of event-time IAM
My good friend, colleague, collaborator, etc. Andi Hindle has started blogging and I for one am thrilled he is adding another venue for him to share his thoughts on the identity space. His latest post speaks to the concept of continuous identity - one in which our systems “have the opportunity to make [access-related] decisions continuously based on a variety of signal inputs, including user-provided input, geolocation, user behavior, third-party fraud and risk signals, and so on.” In some regards this isn’t necessarily a new idea but a lot has changed around our identity systems that makes a more continuous evaluation of assurance needs and associated risks and signals far more viable than in the past.
-
The Least Privilege Fallacy or How I Learned to Stop Worrying and Love Zero Standing Privilege
An admission: I have become a bit of an identity governance and administration (IGA) nihilist. This, for those of you who know my background, is a big admission. I grew up a user provisioning person in this industry. I wrote extensively about access certification. I studied role management.
And, in a lot of ways, I have come to believe that IGA has failed. It works great for birthright access assignment but role management and access certification have missed the mark. This is not for lack of heroic efforts on the part of earnest practitioners nor for lack of massive investment in products and tools.
-
Counselors in the Modern Era
Towards the end of 2019, I was invited to deliver a keynote at the OpenID Foundation Summit in Japan. At a very personal level, the January 2020 Summit was an opportunity to spend time with dear friends from around the world. It would be the last time I saw Kim Cameron in person. It would include a dinner with the late Vittorio Bertocci. And it was my last “big” trip before the COVID lockdown.