Identiverse is an exciting conference for those of us who work in the identity industry. Not only is it an occasion to meet with peers, it often provides insightful sessions that can bring fresh perspectives. This year, like in other years, there are a large number of really interesting sessions. Shortening it to a list of 10 requires cruelly harsh cuts, for which I employed my personal perspective as a filter. In coming up with this list, I focused on the areas I’m most interested in, namely authorization / access management, real-world experiences of identity practitioners and identity standards.
Not surprisingly, the authorization area seems to have taken center stage. From CAEP and Shared Signals to externalized / centralized access management, a great number of authorization related sessions make it clear how important this area has become in the world of identity.
They say that the best laid plans can be undermined by the strangest of obstacles. If you’ve listened to real world experiences, you might be surprised how something that we software developers don’t always give importance to, becomes a stumbling block for implementers, and how they overcome such blocks by their innovative approaches. I look forward to these in the real-world sessions I’ve listed below.
Finally, although parts of the identity world are maturing, there are tremendous growth areas where important standards need to be developed in order to achieve secure outcomes.
I’m looking forward to these ten sessions, which include the three I’ll be speaking at:
10. Unmasking Fraud: Understanding the Operational Dynamics of Identity Deception
I’m intrigued and would like to understand the evolving tactics of attackers, especially with the strong influence of Generative AI and sophisticated social engineering. The speaker seems well positioned to provide a broad view of what attacks various companies are seeing in their businesses.
9. Fireside Chat: Login.gov Lessons Learned and Paths Ahead
Although this session lacks any details on the Identiverse website as of the moment when I’m writing the blog, it should be an interesting real-world experience of deploying identities across a large number of government agencies and user constituencies.
8. The Authorization Conversation
A panel featuring members of the OpenID AuthZEN working group
In the last few months, a new working group - AuthZEN has taken shape in the OpenID Foundation. Aside from demonstrating interoperability between different implementations that use the same OpenID spec, this panel will provide a quick history of different authorization models, and debate aspects of the externalized and centralized authorization model that a number of companies are now promoting. I’m happy to be a part of this panel with amazing co-panelists and moderators.
7. ACR: The Missing Security Control
I’m particularly excited about a talk of proposing a new standard in this one area where we’ve had a blind spot collectively as an industry. As we transition to strong authentication, it is important to convey how a user has been authenticated to relying parties in a federated environment. We’ve defined “Authentication Context Class Reference” and “Authentication Methods” a while back, but its use in OpenID Connect (OIDC) is optional, and even though there’s an almost ubiquitous adoption of OIDC, the assurance of authentication methods or “context class” is still very nebulous. Pam is one of the leading and most respected persons in the identity standards area, and this is a unique opportunity to see an important standard take shape.
6. Notes from the Trenches of Identity Governance Implementation
Seems interesting as a relatively new tech company discovers the reality of implementing a somewhat mature identity technology: Identity Governance
5. Externalizing Authorization is More than a Technology Problem
Because this talk is being presented by two identity veterans - Amazon’s Sarah Cecchetti of the Cedar open source policy language fame, and Microsoft’s Pieter Kasselman, my co-author on the Transaction Tokens draft spec - I feel this will be a great talk that covers a broad spectrum of real-world dynamics of implementing externalized authorization.
4. One McDonald’s Way: The Global Identity & Access Journey at McDonald’s
This seems like an interesting case study of consolidating a large number of (>100) independent IAM systems into one global IAM. It’s something I’ve seen a number of companies express interest in, so it’ll be great to learn from someone who has gone through that journey.
3. CAEP Panel
CAEP and Shared Signals have come a long way and it’s time to discuss how well it is solving real-world problems, and where it goes from here! I’ll be sharing the stage with fellow co-chairs of the SSWG: Sean O’Dell of Disney, Tim Cappalli of Okta, and Shayne Miel of Cisco.
2. Embracing Zero Standing Privileges
This will be a great session to understand how a seasoned identity practitioner at Disney views the shift from static privileges to the new dynamic, zero-standing privileges model. I’m most excited to learn about real-world situations and solutions that can help.
1. Shrinking the Blast Radius with Zero Standing Access
I’m most excited about this talk, since I get to present the practical learnings and results of many years of effort for our SGNL team. Zero Standing Access is a great way to ensure organizations’ access security. I will share the stage with Disney Executive Director - Mark Neiswinger to present how it can be implemented practically and while coexisting with existing technology investments.
Closing Thoughts
If you didn’t get to attend Identiverse this time, I’ll be sure to provide an update after the conference ends, so watch out for that blog post. But if you do get a chance, you will find many themes that could interest you, such as passkeys, verifiable credentials / wallets, customer identity management, new standards developments and other such areas that I’ve not been able to do justice to in this blog post. While at the conference, it’s great to have casual conversations with our peers, but it’s also important to make sure you don’t miss the opportunity to learn about topics that are important to you, but you haven’t had a chance to sit down and get educated.