So, here’s my quick roundup of the wonderful Authenticate 2024 conference that recently concluded in Carlsbad, CA.
Notable Sessions:
- Four Components of Modern Identity: There were some truly amazing presentations at Authenticate 2024. The first one that comes to mind is this one from Ian Glazer, where he made a compelling case for “Policy, Orchestration, Execution and Data” to be considered the pillars of modern identity. He also showed how augmentation instead of replacement can quickly upgrade your identity security posture. He has covered this second part in his recent blog post too. The slide content, precision of delivery and perfect timing of his presentation were next level.
- CISA’s Perspective on Cloud Security: Grant Dasher of CISA (which he stressed is pronounced like “Ciza” and not “Ceessa”) made an excellent case about how automobiles have become much safer in the US (falling and now low death rates, despite huge increases in population and miles driven), whereas cybersecurity breaches keep getting worse. He described how the lack of investigative inquiry into prominent hacks (unlike, say, the collapse of the deep-water submersible) and indifference to significant cyber attacks remain a problem. He outlined concrete steps that individuals and organizations can take to make cloud services more secure.
- Authentication Events, not Factors!: Microsoft’s Pam Dingle and Beyond Identity’s Dean Saxe, both renowned contributors and speakers in the identity standards space, offered an enlightening perspective on the industry’s obsession with “authentication factors” (without ever precisely defining the term). In the presentation they described seven properties of credentials, such as their boundary, enrollment, recovery, etc. They are in the process of drafting open specifications regarding all this and are looking for collaborators.
- GM’s Perspective: Andrew Cameron, a well-respected identity thought leader, presented the case for building confidence in identity security. Andrew introduced the “Identity First Security Model”, which relies on three aspects: Context, Consistency, and Continuous, and showed how this model can lead to zero trust success. Andrew also provided an amazing explanation of ITDR in his talk.
- AuthZEN: I presented in a total of four sessions, three of which were related to the OpenID AuthZEN working group! This is a relatively new working group in the OpenID Foundation, focused on authorization. Authorization is a complex space, but people mostly agree on the NIST architecture, which introduces the terms “Policy Enforcement Point” (PEP), “Policy Decision Point” (PDP), “Policy Information Point” (PIP), and “Policy Administration Point” (PAP). The part of authorization that deals with the communication between the PEP and the PDP can be standardized without having to take a position on how to determine access. This is something that we at SGNL identified early and proposed as an initial draft to the AuthZEN working group. Through the vigorous efforts of the co-chairs and members of the AuthZEN working group, a much refined version of this draft is now under consideration as an implementer’s draft, and a follow-on spec was already interoperability tested at the Authenticate 2024 conference!
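To make the PEP/PDP split concrete, here is an added example (an editorial illustration, not code from the AuthZEN working group or from SGNL): a PEP that sends a request in the subject/resource/action/context shape the AuthZEN evaluation API draft uses, and two interchangeable PDPs behind the same wire format, one role-based and one ownership-based. The PEP does not change when the decision logic does, which is the whole point of standardizing only the PEP-to-PDP leg. The in-process `wire()` function is an assumed stand-in for an HTTP POST to the evaluation endpoint, the `ROLES` and `OWNERS` tables are constructed sample data standing in for a PIP, and the PEP treats anything other than an explicit boolean `true` as a deny.

```python
import json
from typing import Callable, Optional

# Constructed sample data standing in for a Policy Information Point (PIP).
ROLES = {"alice": {"editor"}, "bob": {"viewer"}}
OWNERS = {("document", "42"): ("user", "alice")}


def evaluation_request(subject_id: str, resource_id: str, action: str,
                       context: Optional[dict] = None) -> dict:
    """Build the PEP -> PDP request body. The subject/resource/action/context
    layout follows the AuthZEN Authorization API draft; the "user"/"document"
    types and the identifiers are constructed for this example."""
    return {
        "subject": {"type": "user", "id": subject_id},
        "resource": {"type": "document", "id": resource_id},
        "action": {"name": action},
        "context": context or {},
    }


def role_pdp(req: dict) -> dict:
    """One way to decide: by role. Anyone with a role may read; editors may
    also write and delete. Returns the response body ({"decision": bool})."""
    roles = ROLES.get(req["subject"]["id"], set())
    action = req["action"]["name"]
    allowed = (action == "read" and bool(roles)) or \
              (action in ("write", "delete") and "editor" in roles)
    return {"decision": allowed}


def ownership_pdp(req: dict) -> dict:
    """A different way to decide: only the owner may do anything. Same
    request and response shape, so the PEP needs no change."""
    resource = (req["resource"]["type"], req["resource"]["id"])
    subject = (req["subject"]["type"], req["subject"]["id"])
    return {"decision": OWNERS.get(resource) == subject}


def wire(pdp: Callable[[dict], dict]) -> Callable[[bytes], bytes]:
    """Expose a PDP as a bytes-in/bytes-out endpoint, an assumed stand-in for
    an HTTP POST to the evaluation endpoint. A malformed request yields a deny."""
    def handle(body: bytes) -> bytes:
        try:
            resp = pdp(json.loads(body))
        except (ValueError, KeyError, TypeError):
            resp = {"decision": False}
        return json.dumps(resp).encode()
    return handle


class PEP:
    """Policy Enforcement Point: knows the wire format, not the policy."""

    def __init__(self, endpoint: Callable[[bytes], bytes]) -> None:
        self.endpoint = endpoint

    def is_allowed(self, subject_id: str, resource_id: str, action: str,
                   context: Optional[dict] = None) -> bool:
        body = json.dumps(evaluation_request(subject_id, resource_id,
                                             action, context)).encode()
        try:
            resp = json.loads(self.endpoint(body))
        except (ValueError, TypeError):
            return False  # unreadable answer: fail closed
        # Only an explicit JSON true is a permit; "true", 1, or a missing
        # field all mean deny, so a broken or tampered PDP cannot grant access.
        return isinstance(resp, dict) and resp.get("decision") is True


if __name__ == "__main__":
    for name, pdp in (("role", role_pdp), ("ownership", ownership_pdp)):
        pep = PEP(wire(pdp))
        for subject in ("alice", "bob"):
            for action in ("read", "delete"):
                print(f"{name:9s} {subject}:{action} -> "
                      f"{pep.is_allowed(subject, '42', action)}")
```

Swapping `role_pdp` for `ownership_pdp` (or for a real PDP reached over HTTP) changes nothing on the PEP side; the fail-closed check in `is_allowed` is the caveat worth carrying into a real deployment, since a PDP outage or a non-boolean `decision` must never read as a permit.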
Preventing Catastrophe when Authentication Fails
This was the topic of my solo session, which focused on how “zero standing privilege” is the right strategy to prevent identity breaches from being effective. Identity breaches constitute the vast majority of cyber breaches now. The discussion obviously led to CAEP and Shared Signals, but what I proposed (and believe in) is embodied entirely in the SGNL product.
Other Conversations
Much of the excitement about conferences is in the discussions in the hallways and over meals. This one stood out: At a dinner with bankers and fellow technologists, the conversation turned rather dramatically to the future of the CISO role. On the one hand, the role is made harder by recent regulations that could put the CISO in jail; on the other hand, CISOs do not have sufficient visibility or influence at the board level. And their budgets are getting squeezed in favor of shiny new toys like AI. Add to this misery the reality that companies that suffered major cyber breaches haven’t really suffered in terms of their stock price. The popular perspective at the table was that the CISO role is probably going to get eliminated. But I hold the counter position that CISOs are going to become more prominent as we wake up to repeated attacks and bring in more forceful regulation that makes companies act. To bring in Grant Dasher’s analogy: automobiles are now safer because the NHTSA requires safety in every automobile, and although I’m fearful of overregulation, we might need something like this in cyber security.