The Gartner IAM summit has evolved from its raucous early years at the Park Plaza Westminster. For someone like me, who spent the full two days at the conference this year after an absence of almost five years, it was a useful investment. I noticed some differences: the sessions were less individualistic, more coached and orchestrated around the brand, which, as we all know, is not necessarily a bad thing. At £3.5k a pop, though, I did not have the patience to sit through another session that talked about “Identity Fabric” being the holy grail (okay, I know it kind of is). What more than made up for this were the really incisive sessions tucked into the main agenda under ubiquitous headlines throughout.
In keeping with the staid times and the cost of living crisis, the impromptu bars that opened up on the exhibition floor at 6 pm on day one, dried up within 15 minutes. In the halcyon days back in Westminster, those empty beer buckets would be replenished, but not this time around, sadly.
This brings me to what was actually imbibed during the absorbing two days. Here are my five key takeaways:
Identity Fabric: As a professional cynic, I find the phrase “Future Proof” about as oxymoronic as it gets. Other than this minor quibble, I thoroughly enjoyed Felix Gaehtgens’ masterly rendering of the ten components of the Fabric. It is a ready reckoner for IAM Managers (like me!) who should be thinking broader than deploying a bunch of tools and rushing to declare “Mission Accomplished”. For world-weary IAM Managers, it is a handy template for a definition of “done”, if anything like that exists at all. If you haven’t already downloaded this presentation from the Gartner site, do so as early as possible (open only to attendees, of course!).
A(P)BAC + Privileged Access as code: Anyone who has deployed an access model for a PaaS such as AWS, Azure or Snowflake knows the pain: an explosion of roles, a broken developer/user experience and a niggling false comfort of security. Extending time-tested but rigid access control templates into the continuous integration/continuous delivery world has not gone well. Add to this the fact that the resource chain used in PaaS and IaaS is not all proprietary and leverages a whole set of external services, which renders proprietary policy enforcement redundant. Enter OPA, AWS Cedar and policy as code. However, fine-grained access at the tenant/node/resource level is ineffective if it does not capture the organisational and risk context. This is where ABAC or PBAC comes in. The “A” or “P” notwithstanding, the pieces of the puzzle seem to be coming together in the world of Cloud Infrastructure Entitlement Management (CIEM). We should brace ourselves for rapid M&A activity in this area, though!

Machine Identities: The machine identity problem has been termed “unsolvable” for quite some time. Smart IAM Managers, flush with new funding, would never pick the “service account problem” as their metaphorical hill to die on. Besides, who would want to deal with the esoteric world of cryptography, HSMs and Certificate Authorities when there is a burning new Identity Governance platform to deliver? Your Cyber Defence team would beg to differ. With the rest of us hooked up to MFA and strong authentication (well, almost), machine identities tend to be the weakest link. A good barometer of maturity in any discipline is how far its tooling has consolidated, and nowhere is the lack of consolidation more visible than in a space that spans service accounts, certificates, keys, secrets et al. We can throw yet another credential/key vault at this problem, but that, unfortunately, will not solve it!
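To make the policy-as-code point in the A(P)BAC takeaway above concrete, here is an added example; it is not code from this post, from Gartner, or from the OPA or Cedar projects. It is a toy evaluator in plain Python that does what those engines do at a much smaller scale: the policy is data (so it can be diffed, reviewed and unit-tested like code), every decision folds in organisational context (the subject's team) and risk context (risk score, MFA, device posture), and privileged roles exist only as time-boxed, ticket-backed elevations rather than standing grants. The policy, the attribute names (`subject.team`, `context.risk_score`, `context.device_managed`), the `Elevation` type and the sample requests are all constructed assumptions; a real deployment would express the same rules in Rego or Cedar and source the risk and device signals from the identity provider and endpoint management.

```python
"""Toy policy-as-code evaluator (added example; not OPA/Rego or Cedar syntax).
All attribute names, rules and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# A policy is data: an ordered list of rules, each a list of conditions of the
# form (attribute path, operator, value). Paths like "subject.team" resolve
# against the request dict. Deny rules override allow rules; no match -> default.
POLICY = {
    "default": "deny",
    "rules": [
        {   # ordinary users may read data their own team owns, at moderate risk
            "id": "read-own-team-data", "effect": "allow",
            "when": [("action", "eq", "read"),
                     ("resource.owner_team", "eq_attr", "subject.team"),
                     ("context.risk_score", "lte", 70)],
        },
        {   # destructive prod actions need an active JIT role, MFA and low risk
            "id": "prod-change-requires-jit", "effect": "allow",
            "when": [("action", "in", ["write", "delete"]),
                     ("resource.env", "eq", "prod"),
                     ("subject.effective_roles", "contains", "prod-admin"),
                     ("context.mfa", "eq", True),
                     ("context.risk_score", "lte", 40)],
        },
        {   # an explicit deny always wins over any allow
            "id": "block-unmanaged-device", "effect": "deny",
            "when": [("context.device_managed", "eq", False)],
        },
    ],
}

OPERATORS = {
    "eq": lambda actual, value: actual == value,
    "lte": lambda actual, value: actual is not None and actual <= value,
    "in": lambda actual, value: actual in value,
    "contains": lambda actual, value: actual is not None and value in actual,
}


def lookup(request, path):
    """Resolve a dotted attribute path; a missing attribute yields None, never a crash."""
    node = request
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def condition_holds(request, condition):
    path, operator, value = condition
    actual = lookup(request, path)
    if operator == "eq_attr":  # compare two request attributes with each other
        return actual is not None and actual == lookup(request, value)
    return OPERATORS[operator](actual, value)


def evaluate(policy, request):
    """Return (decision, matched rule id). Deny overrides allow; no match -> default."""
    first_allow = None
    for rule in policy["rules"]:
        if all(condition_holds(request, c) for c in rule["when"]):
            if rule["effect"] == "deny":
                return "deny", rule["id"]
            first_allow = first_allow or rule["id"]
    return ("allow", first_allow) if first_allow else (policy["default"], None)


@dataclass(frozen=True)
class Elevation:
    """A just-in-time privileged grant: one role, bounded in time, tied to an approval."""
    role: str
    granted_at: datetime
    ttl: timedelta
    approval_ref: str  # hypothetical change/ticket reference

    def active(self, now):
        return self.granted_at <= now < self.granted_at + self.ttl


def effective_roles(base_roles, elevations, now):
    """Standing roles plus whatever elevations are live right now."""
    return set(base_roles) | {e.role for e in elevations if e.active(now)}


def decide(subject, action, resource, context, elevations=(), now=None):
    now = now or datetime.now(timezone.utc)
    request = {
        "subject": {**subject, "effective_roles": effective_roles(subject.get("roles", ()), elevations, now)},
        "action": action, "resource": resource, "context": context,
    }
    return evaluate(POLICY, request)


# Constructed sample data for the scenarios below.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
ALICE = {"id": "alice", "team": "payments", "roles": ["engineer"]}
PROD_DB = {"id": "pay-db", "env": "prod", "owner_team": "payments"}
JIT = Elevation("prod-admin", T0, timedelta(hours=1), approval_ref="CHG-0001")
LOW_RISK = {"risk_score": 10, "mfa": True, "device_managed": True}


def demo():
    """Run the scenarios and return their (decision, rule) results keyed by name."""
    return {
        "read_own_team": decide(ALICE, "read", PROD_DB, LOW_RISK, now=T0),
        "delete_no_jit": decide(ALICE, "delete", PROD_DB, LOW_RISK, now=T0),
        "delete_with_jit": decide(ALICE, "delete", PROD_DB, LOW_RISK, [JIT], now=T0 + timedelta(minutes=30)),
        "delete_jit_expired": decide(ALICE, "delete", PROD_DB, LOW_RISK, [JIT], now=T0 + timedelta(hours=2)),
        "delete_unmanaged_device": decide(ALICE, "delete", PROD_DB, {**LOW_RISK, "device_managed": False}, [JIT], now=T0),
    }


if __name__ == "__main__":
    for name, (decision, rule) in demo().items():
        print(f"{name:25s} {decision:5s} {rule}")
```

Two design choices do the real work here. Deny-overrides means a single posture signal (an unmanaged device) can veto an otherwise valid privileged action without every allow rule having to repeat the check, which is what keeps the rule count from exploding as context grows. And because `effective_roles` is computed from elevations with an expiry and an approval reference, the same policy produces "deny" once the JIT window closes, so there is no standing prod-admin role for an auditor to find or an attacker to inherit.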
The CAEP Factor: Continuous access evaluation (the Continuous Access Evaluation Profile) finally comes to enterprise use cases. We are moving from policy-driven session management to dynamic authorisation and management of sessions. For IAM managers, the nightmare scenario is an auditor poring over a list of thousands of users, federated third parties and business partners, retaining access that they do not need or use, or worse. With the ability to continuously re-evaluate sessions based on context, and the identity protection signals that Relying Parties can now consume, this is a welcome evolution from the OpenID Foundation.
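The mechanism behind the CAEP takeaway above is worth seeing end to end, so here is an added example of the exchange; it is not code from this post or from the OpenID Foundation. The transmitter (the identity provider) emits a Security Event Token, a JWT with type `secevent+jwt`, carrying a CAEP `session-revoked` event for a subject; the receiver (the relying party) verifies the token, rejects replays and tampering, and tears down every session it holds for that subject. Assumptions: an HS256 shared secret stands in for the asymmetric keys and JWKS a real deployment would use; the issuer, audience, e-mail addresses and session table are constructed test data; the event payload layout (`subject`, `event_timestamp`, `reason_admin`) follows the CAEP specification's examples but is reproduced here from memory, so check it against the current spec before relying on it.

```python
"""Minimal CAEP exchange: transmitter builds a session-revoked SET, relying
party verifies it and revokes sessions. Added example with constructed data;
HS256 shared secret is an assumption standing in for RS256 + JWKS."""
import base64
import hashlib
import hmac
import json
import time

SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
SHARED_SECRET = b"constructed-demo-secret"  # assumption: symmetric key for the demo only
TRANSMITTER, RECEIVER = "https://idp.example.com", "https://app.example.com"  # constructed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(claims: dict, secret: bytes) -> str:
    """Serialise claims as a SET (JWT with typ secevent+jwt) signed with HS256."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


# --- transmitter (identity provider) side ----------------------------------
def build_session_revoked(email: str, jti: str, now: int, reason: str) -> str:
    claims = {
        "iss": TRANSMITTER, "aud": RECEIVER, "iat": now, "jti": jti,
        "events": {
            SESSION_REVOKED: {
                "subject": {"format": "email", "email": email},
                "event_timestamp": now,
                "reason_admin": {"en": reason},
            }
        },
    }
    return sign_set(claims, SHARED_SECRET)


# --- receiver (relying party) side -----------------------------------------
class RelyingParty:
    def __init__(self, secret: bytes, max_age: int = 300):
        self.secret, self.max_age = secret, max_age
        self.seen_jti = set()  # replay protection for SET ids
        # session id -> authenticated user; constructed sample session table
        self.sessions = {"s-1": "alice@example.com", "s-2": "alice@example.com", "s-3": "bob@example.com"}

    def verify(self, token: str, now: int) -> dict:
        """Check signature, token type, issuer, audience, freshness and replay; return claims."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed SET")
        h, p, s = parts
        expected = hmac.new(self.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            raise ValueError("bad signature")
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            raise ValueError("not a SET or unexpected alg")
        if claims.get("iss") != TRANSMITTER or claims.get("aud") != RECEIVER:
            raise ValueError("wrong issuer or audience")
        if not (now - self.max_age <= claims.get("iat", 0) <= now + 60):
            raise ValueError("stale or future-dated SET")
        if claims.get("jti") in self.seen_jti:
            raise ValueError("replayed SET")
        self.seen_jti.add(claims.get("jti"))
        return claims

    def handle(self, token: str, now: int) -> list:
        """Verify the SET and apply each event; return the session ids revoked."""
        claims = self.verify(token, now)
        revoked = []
        for event_type, payload in claims.get("events", {}).items():
            if event_type == SESSION_REVOKED:
                email = payload["subject"]["email"]
                for sid in [s for s, who in self.sessions.items() if who == email]:
                    del self.sessions[sid]
                    revoked.append(sid)
            # other event types (credential-change, token-claims-change, ...) are ignored here
        return revoked


def demo():
    """Happy path, then a replayed token, then a token whose subject was swapped."""
    now = int(time.time())
    rp = RelyingParty(SHARED_SECRET)
    token = build_session_revoked("alice@example.com", "evt-001", now, "credential compromise")
    revoked = rp.handle(token, now)
    try:
        rp.handle(token, now)
        replay = "accepted"
    except ValueError as e:
        replay = str(e)
    h, p, s = token.split(".")  # forge: change the subject but keep the original signature
    claims = json.loads(_unb64(p))
    claims["events"][SESSION_REVOKED]["subject"]["email"] = "bob@example.com"
    forged = f"{h}.{_b64(json.dumps(claims).encode())}.{s}"
    try:
        rp.handle(forged, now)
        tamper = "accepted"
    except ValueError as e:
        tamper = str(e)
    return {"revoked": revoked, "remaining": dict(rp.sessions), "replay": replay, "tamper": tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for an IAM manager is the receiver side: a relying party that already consumes federated logins only needs an endpoint that verifies SETs and a session store it can query by subject to act on the signal within seconds, instead of waiting for the next access review. In production the SETs arrive over the Shared Signals Framework's push (HTTP POST) or poll delivery rather than a function call, the signature is checked against the transmitter's published JWKS, and `jti` values are persisted so replay protection survives a restart.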
Machine Intelligence: Yes, avoiding the loaded “Artificial” or “Generative” is intentional. Identity and Access Management has always had a data problem, but at no time, perhaps, has it been as clear and present as now. Much of the focus has been driven by changes in broader Cyber, regulatory oversight, weighted conversations about risk, and the deals being struck between the C-suite and the Board. If you cannot quantify the data problem, forget solving it; something has got to give. Machine learning can be a way out of the problem, given developments in this field. A smart IAM manager should be thinking about how to embed these use cases and ride on organisational initiatives to solve this data problem. As for any of us dreaming of a world that solves IAM problems through a ChatGPT-like prompt and prompt engineering, I hate to break it to you, but that has to wait until your data models start learning and auto-remediating the malign tendencies that perpetuate bad IAM data. The session delivered by Homan Farahmand was particularly insightful in the way it segmented the various components of the solution landscape in this area.

Disclaimer: 100% of this article, the text, is human-generated. Views expressed are personal.