What a week!  My first time attending, and being able to speak, at Identity Week was awesome.   I met so many IAM practitioners, visionaries, leaders and vendors in attendance and had a ton of great conversations.  As I sit and get ready for the weekend and work on some presentations and content, I am reflecting on the state of things in IAM and how I see we’re moving into a new era of what IAM is focused on. So, let me reflect a bit on what I learned this week and how things are shifting.

From the vendors, presentations, and conversations, three (3) things are abundantly clear to me in terms of Identity and our direction.

  1. We keep fumbling on the basics, which is leading to challenges with everything else in our environment.
    1. There was a lot of discussion this week on general data cleanliness, which in turn helps with automation, governance, and everything else we need to do as Identity and Security professionals. 
    1. The other foundational item we keep fumbling is authentication, or more appropriately, verifying the identity of users.  Attackers are awesome at bypassing MFA (where applied) because we rely on insecure factors or have yet to fully implement MFA across our environments.
  2. The future is non-interactive.  I heard anywhere from 45:1 to 800:1 in terms of non-human to human identities in the wild right now.  So, for every 1 person we secure, we have 45-800 potentially insecure identities tied to them or processes they consume.  The standards, processes, and capabilities are coming to secure this risk, but it will be interesting to see how interactive MFA and device-bound credentials scale to handle this workload.
    1. As a former (still dabble) PKI nerd, seeing the rebirth of certificates and other crypto authenticators is really awesome.  Anyone that knows PKI, certificate lifecycle, revocation, etc. is going to be busy here soon!
  3. The future is digital.  No more paper / physical IDs and badges.  We have things like eIDAS in Europe and state mDLs in the US quickly being developed and issued.  The future will be largely driven by digital wallets and shareable data, not physical identifications and credentialing.
    1. This is super exciting given we are establishing data ‘authorities’ that everyone can start trusting to verify data and identities, quickly enabling users to share only data they consent to and organizations to be assured it is from a trusted authority.

While not one of the main takeaways from the conference and conversations, one thing I did find interesting as a theme and common thread was trust.  How do we trust users, build trust in the process, and establish trust with our consumers (internal, external, and otherwise)?  With the rash of news on breaches, the shift to AI / agents, and more digital wallets and verified credentials, we need to be able to instill trust in everything we’re doing, and communicate with transparency when it doesn’t work or there are issues.  With the growth of agents and non-human identities, it will be interesting to see how we scale trust across identities that can understand or are forced to trust the process.

With all the above, I’m looking forward to continuing to build some of the new projects I’m starting up and incorporating my takeaways into the final products.
