The 61st Edition of the Identity Jedi Newslette

Zero trust = identity first, the case for authorization, QOTW

Author

David Lee
November 16, 2023

Hey Jedi welcome to the 61st edition of the Identity Jedi Newsletter! “It’s the most wonderful tiiiiimmmmee of the yeaaarr!” Sorry couldn’t help it, the leaves are changing color, a chill is in the air and we are getting close to the holiday season. Make sure you make time for your loved ones this year!

We keep climbing towards our goal of 1k subscribers. Steady growth month over month and we are inching towards 800. To all the new subscribers. Welcome! Share the love let’s get this thing to 1k!

Let’s Get to the Good Stuff!

  • Can’t spell Zero trust without identity

  • Authorization to the rescue

  • Question of the Week

WHAT’S HAPPENING THIS WEEK

Zero trust = identity first

Ok so are we over the Zero Trust buzzword yet? I think we are, because we are actually starting to talk about what it means to make this a reality. Organizations are starting to take a hard look at what it means to build an identity-centric program.

New flash: It’s more than just one product.

Not great for your budget, but it’s the truth. I often remind people to go back to the nexus of this whole Zero Trust movement. The BeyondCorp whitepaper by Google.

The premise is this: There is not trusted network, not trusted identity, so we will verify everything. ( I’m paraphrasing, but you get the point).

A simple and small statement, but a BIG fundamental change to how we architect and implement systems. AND how we operate as a business.

Here’s my favorite quote from the article

To start, there are cultural challenges. The granular approach required by an identity-first strategy is drastically different than the way security has traditionally devised access management.

Henrique Teixeria

I couldn’t agree more. Identity-centric, identity first, zero trust, whatever you want to call it, is a shift in how we operate. A shift in what tools we use. Better said, it’s changed. So we have to become agents of change and that means understanding what’s currently there, and providing support for getting to where we want to go. It’s more than just buying XYZ vendor.

Change is hard. Yes. Change is necessary. Yes. But it’s also fun and rewarding. So…let’s go make some changes.

As perimeter defenses fall, the identify-first approach steps into the breach

More security chiefs are seeking to make identity a centerpiece of their security programs, but challenges persist.

www.csoonline.com/article/1246076/as-perimeter-defenses-fall-the-identify-first-approach-steps-into-the-breach.html

The Case for Authorization

I’ve had several insightful conversations over the last two weeks that have led me to spend several hours thinking and writing about where we are as an industry and what’s next.

Externalized authorization has been a monster that we have tried to slay several times now, and it turns out much like Atheon in the original Vault of Glass, it’s a tough one to bring down.

But I’m encouraged that they are some really smart people taking a crack at solving this problem. At the core of truly making identity a first-class citizen in security architectures, we have to be able to grant and enforce authorization at a granular level. And not just once, but multiple times, because context changes everything. But we can’t do that if authorization logic is trapped in the application and subject to a production update. We need to be able to make decisions in real-time based on the information that’s available to us and have the right to progressively change our minds.

I don’t think we can accomplish this without some standards. When we look at what OIDC, and OAuth did for authentication, we can have a similar impact on authorization.

It’s a wide-open field where we could use innovative thoughts and behind.

Shout out to Sarah Cecchetti for launching a substack all about authorization. You can check it out here

Question of the Week

Do entry-level IAM positions actually exist? If they do what do they look like? What does an entry-level IAM person do?

CrowdStrike Revolutionizes Security for Small and Medium Businesses

CrowdStrike announced a new release of CrowdStrike Falcon® Go, delivering the cybersecurity protection that small and medium businesses need.

www.crowdstrike.com/press-releases/crowdstrike-revolutionizes-cybersecurity-for-smbs-with-falcon-go-release

Obstacles and Opportunities: The Move to Cloud IAM

A new study shows that organizations can enjoy a range of benefits by migrating — if they can overcome internal challenges In the early days of cloud adoption, organizations were understandably apprehensive. Many of the early adopters were particularly concerned about security, and tested the waters with non-essential apps that were easy to migrate and presented minimal risk. securityboulevard.com/2023/11/obstacles-and-opportunities-the-move-to-cloud-iam

CISA Outlines AI-Related Cybersecurity Efforts

CISA details its efforts to promote the use of AI in cybersecurity and guide critical infrastructure in adopting AI.

www.securityweek.com/cisa-outlines-ai-related-cybersecurity-efforts

#246 - IDAC Mailbag - Halloween 2023 Edition

Listen to this episode from Identity at the Center on Spotify. In this episode of the Identity at the Center Podcast, hosts Jim McDonald and Jeff Steadman dive into the world of Identity and Access Management (IAM) with their mailbag segment. They answer thought-provoking questions from listeners around the globe, discussing topics such as integrating IAM with legacy systems, emerging trends in IAM, the role of artificial intelligence in IAM, user-friendly IAM solutions, inclusive and accessible IAM, and managing machine identities at scale in microservices and containerized environments. Jim and Jeff also share interesting experiences from their week, including showcasing the differences in IAM consulting between them and conducting an IAM workshop for those seeking to learn more about IAM. They also touch on the new AI Beatles song and wrap up the episode with a lighthearted discussion on favorite backyard BBQ party games. Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

open.spotify.com/episode/3ZPW2qHAwLyRPcNBiTfgGB?si=7fdcc8a156bf4c61

Attestation in IAM

Listen to this episode from The Identity Navigator on Spotify. Certifications in IAM are outdated, the advancement in tools also needs the new way of thinking of them. Let’s discuss on how to make them happen.

open.spotify.com/episode/6VSYowinwfh8cOjdj4gugk?si=61734f238ff84ed0

Identity Jedi Show Podcast

The Last Word

A couple of updates: The LinkedIn course I did on identity is coming soon. ( Couple of weeks!!)

The podcast is back and rolling, we are doing an every two week episode drop, so hit the links above to subscribe.

What does it mean to do something with intent? I had a fantastic conversation this past week about intent and how it changes the output when you do things with intent. ( You’ll get that conversation soon as it was a podcast we recorded) This got me thinking about many things we’ve done in the identity and tech industries.

We created software to remediate problems.

Yet, somewhere along the way, we figured out that fixing problems isn’t as profitable. Repeat business, monthly recurring revenue, became top of mind, and we started to build solutions that didn’t fix things but just kinda made them better, but you still needed more.

We stopped fixing problems.

Not out of maliciousness ( I don’ t think) we just kind of went with the flow. We accepted the norm. And arguments can be made for good reason, disruptors don’t always succeed. But if we don’t disrupt, where will we be?

So I’m going to leave you with this. Ask yourself some questions about whatever task you’ve got in front of you this upcoming week. Why am I doing this? What’s the outcome that is expected to come for this? Really sit with those for a while, you might be surprised at what you find.

Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi

What did you think of this weeks newsletter?

Login or Subscribe to participate in polls.

Join the conversation

or to participate.