This week saw the FIDO Authenticate conference take place in Seatle. I attended via the virtual remote route, going through the vast majority of the sessions from the comfort of the office. A few items that stood out for me.
Our latest LinkedIn poll on September 27th was focused on understanding the role and impact of artificial intelligence and machine learning (AI/ML) technology on the general identity and access management industry.
In the last 3 years or so, we have seen huge interest in the need to improve authentication techniques, that deliver a passwordless MFA experience. What is stopping adoption?
Expert independent industry opinion.What you need, when you need it. CISO Briefing Inquiry services provide an expert voice for a range of projects. Whether you are a looking to engage a vendor and design an RFP, perform a maturity assessment for an existing identity and access management investment or enable a team on market technologies, the CISO […]
Security starts when authentication ends. It's a line I have used a few times over the years as it is one I actually quite believe in. In an era where firewalls are derided as being pretty toothless in the fight against omnipresent complex cyber attacks - and the concept of trusted networks quite rightly become obsolete in the world of "zero trust" - it always seemed odd to me, to put such a large emphasis on stringent authentication services. Clearly authentication is hugely important don't misunderstand, but my point really was that authentication (even with a strong MFA component) becomes less relevant if a) it is not continuous and b) not part of a more holistic approach focused on the access control of services, data and APIs.
Trust within the identity world is a huge priority. Trust regarding the on-boarding and registration of external users via proofing (think assurance levels using identity validation and verification techniques) right through to creating trust labels for employees in order to monitor for malicious activity - that is either driven by external threat actors, insider threat or just unintentional bad user behaviour.

When on briefings and inquiry workshops there are often emerging themes that start to spring up repeatedly. Perhaps every few months, perhaps under different projects, using different terms and stories and perhaps from unexpected people or teams.

There has been one theme over the past 12 months or so that is difficult to ignore: not only how identity based security has left-shifted into the thinking of information leaders to being a first-class citizen in the technology arsenal, but how identity is moving into a new territory. The territory of autonomy.

A long read post investigating the evolution of decoupled authorization platforms - including use case and capability analysis and brief vendor review including Axiomatics, PlainID, Styra and Scaled Access.
An introduction to authorization startup Aserto.
What is driving the demand for new authorization models, software vendors and emerging authorization design patterns? This discusses previous failures of RBAC and XACML as well as modern architecture patterns such as identity centricity and the business mesh.