The 61st Edition of the Identity Jedi Newsletter

Zero trust = identity first, the case for authorization, QOTW

Hey Jedi, welcome to the 61st edition of the Identity Jedi Newsletter! “It’s the most wonderful tiiiiimmmmee of the yeaaarr!” Sorry, couldn’t help it. The leaves are changing color, a chill is in the air, and we are getting close to the holiday season. Make sure you make time for your loved ones this year!

We keep climbing towards our goal of 1k subscribers. Steady growth month over month, and we are inching towards 800. To all the new subscribers: welcome! Share the love, let’s get this thing to 1k!

Let’s Get to the Good Stuff!

  • Can’t spell Zero trust without identity

  • Authorization to the rescue

  • Question of the Week


Zero trust = identity first

OK, so are we over the Zero Trust buzzword yet? I think we are, because we are actually starting to talk about what it means to make this a reality. Organizations are starting to take a hard look at what it means to build an identity-centric program.

News flash: It’s more than just one product.

Not great for your budget, but it’s the truth. I often remind people to go back to the nexus of this whole Zero Trust movement: the BeyondCorp whitepaper by Google.

The premise is this: There is no trusted network, no trusted identity, so we will verify everything. (I’m paraphrasing, but you get the point.)

A simple and small statement, but a BIG fundamental change to how we architect and implement systems. AND how we operate as a business.

Here’s my favorite quote from the article:

To start, there are cultural challenges. The granular approach required by an identity-first strategy is drastically different than the way security has traditionally devised access management.

Henrique Teixeira

I couldn’t agree more. Identity-centric, identity-first, zero trust, whatever you want to call it, is a shift in how we operate. A shift in what tools we use. Better said, it’s change. So we have to become agents of change, and that means understanding what’s currently there and providing support for getting to where we want to go. It’s more than just buying XYZ vendor.

Change is hard. Yes. Change is necessary. Yes. But it’s also fun and rewarding. So…let’s go make some changes.

The Case for Authorization

I’ve had several insightful conversations over the last two weeks that have led me to spend several hours thinking and writing about where we are as an industry and what’s next.

Externalized authorization has been a monster that we have tried to slay several times now, and it turns out, much like Atheon in the original Vault of Glass, it’s a tough one to bring down.

But I’m encouraged that there are some really smart people taking a crack at solving this problem. At the core of truly making identity a first-class citizen in security architectures, we have to be able to grant and enforce authorization at a granular level. And not just once, but multiple times, because context changes everything. But we can’t do that if authorization logic is trapped in the application and subject to a production update. We need to be able to make decisions in real time based on the information that’s available to us and have the right to progressively change our minds.

I don’t think we can accomplish this without some standards. When we look at what OIDC and OAuth did for authentication, we can have a similar impact on authorization.
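To make the externalized-authorization idea above concrete, here is an added sketch (not code from this newsletter or from any product): the application only enforces, the decision comes from a policy held as data, and every request is re-evaluated against current context. The policy format, the PolicyDecisionPoint class and the risk_score / managed_device context fields are all assumptions made up for illustration.

```python
import json

# Constructed policy document: lives outside the application and can be
# replaced at runtime without redeploying the app (hypothetical format).
POLICY_V1 = json.loads("""
{"rules": [
  {"action": "read",  "resource": "payroll", "roles": ["hr"], "max_risk": 70},
  {"action": "write", "resource": "payroll", "roles": ["hr"], "max_risk": 30,
   "require_managed_device": true}
]}
""")

class PolicyDecisionPoint:
    """Evaluates every request against the currently loaded policy."""
    def __init__(self, policy):
        self._policy = policy

    def load(self, policy):
        self._policy = policy  # policy change, no application change

    def decide(self, subject, action, resource, context):
        for rule in self._policy["rules"]:
            if (rule["action"], rule["resource"]) != (action, resource):
                continue
            if not set(rule["roles"]) & set(subject["roles"]):
                continue
            if context["risk_score"] > rule["max_risk"]:
                return ("deny", "risk score above policy limit")
            if rule.get("require_managed_device") and not context["managed_device"]:
                return ("deny", "unmanaged device")
            return ("permit", "matched rule")
        return ("deny", "no matching rule")  # default deny

def update_payroll(pdp, subject, context):
    """Enforcement point: the app asks on every call and holds no rules itself."""
    decision, reason = pdp.decide(subject, "write", "payroll", context)
    return "200 updated" if decision == "permit" else f"403 {reason}"

def demo():
    pdp = PolicyDecisionPoint(POLICY_V1)
    alice = {"id": "alice", "roles": ["hr"]}
    ctx = {"risk_score": 10, "managed_device": True}
    results = [update_payroll(pdp, alice, ctx)]      # normal session
    ctx["risk_score"] = 55                           # context changes mid-session
    results.append(update_payroll(pdp, alice, ctx))
    ctx["risk_score"] = 10
    pdp.load({"rules": [r for r in POLICY_V1["rules"] if r["action"] == "read"]})
    results.append(update_payroll(pdp, alice, ctx))  # policy tightened, same app code
    return results

if __name__ == "__main__":
    print(demo())
```

The same user and the same application code get three different answers as context and policy change, which is the "progressively change our minds" property the paragraph asks for.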

It’s a wide-open field where we could use innovative thoughts and behind.

Shout out to Sarah Cecchetti for launching a Substack all about authorization. You can check it out here.

Question of the Week

Do entry-level IAM positions actually exist? If they do, what do they look like? What does an entry-level IAM person do?

Identity Jedi Show Podcast

The Last Word

A couple of updates: The LinkedIn course I did on identity is coming soon. (Couple of weeks!!)

The podcast is back and rolling. We are dropping an episode every two weeks, so hit the links above to subscribe.

What does it mean to do something with intent? I had a fantastic conversation this past week about intent and how it changes the output when you do things with intent. (You’ll get that conversation soon, as it was a podcast we recorded.) This got me thinking about many things we’ve done in the identity and tech industries.

We created software to remediate problems.

Yet, somewhere along the way, we figured out that fixing problems isn’t as profitable. Repeat business, monthly recurring revenue, became top of mind, and we started to build solutions that didn’t fix things but just kinda made them better, but you still needed more.

We stopped fixing problems.

Not out of maliciousness (I don’t think); we just kind of went with the flow. We accepted the norm. And arguments can be made for good reason: disruptors don’t always succeed. But if we don’t disrupt, where will we be?

So I’m going to leave you with this. Ask yourself some questions about whatever task you’ve got in front of you this upcoming week. Why am I doing this? What’s the outcome that is expected to come from this? Really sit with those for a while; you might be surprised at what you find.

Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi
