Authenticate 2024 took place in Carlsbad, CA in mid-October. The weather was beautiful and the attendance was high. Hosted by the FIDO Alliance, Authenticate focuses on user authentication and brings together CISOs, business leaders, product managers, and identity architects.

Keynote and session highlights:

IDPro member Chris Anderson, Product CTO at Cisco discussed the challenges that exist today with compromised identity credentials, which contribute to over 80% of data breaches, a seemingly undented figure year over year. Chris noted there are gaps in protection as there is no phishing-resistant MFA available for many areas from unmanaged devices to remote access, to Linux systems, to contractors and vendors, and others.

IDPro member Tina Srivastava, PhD, Badge Co-founder and MIT Lecturer, and Bill Wright, former executive director at USAA bank and FIDO board member, presented on the importance of strong attestation for #passkeys and the approaches financial institutions are taking to solve this on their passwordless journeys. Relatedly, Pedro Martinez from Thales presented why synced passkeys do not work for banking, including that “they are exported and stored in the Cloud of the user’s device OS” and “synced passkeys may not meet stringent MFA requirements from Financial regulators in some countries/regions.”

The industry has been seeking phishing-resistant technologies to address the problem of breaches caused by the compromise of identity credentials. Challenges exist with passkeys, such as with account recovery, provenance, and portability. Many approaches still maintain a password or KBA as a fallback for account recovery, enabling ATOs prone to attack from social engineering. 

Google’s keynote by John Gronberg noted “Cross device still a challenge” and “Users are anxious about losing their devices.” In his key learnings about passkeys, he shared, “Raising the security bar comes later” and that passkeys are for “re-authentication,” account takeover playbooks already include passkeys, and credential managers storing passkeys are becoming targets. He noted that the new device bootstrap scenario is critical and unsolved. Amazon’s keynote by Abhinav Mehta similarly noted “Cross-Platform Challenges” and that “Passkeys don’t transfer across platforms.”

On the future of digital payments, Mastercard executives Jonathan Grossar, VP, product management, and Fred Tyler, VP, emerging digital products for North America, introduced the concept of the payment passkey, bound to a user’s device. They shared that in situations of higher security, enterprises are leaning towards device-bound passkeys. Generally, enterprises are not adopting synced passkeys as stand-alone MFA. This is the approach many companies seem to be taking, including Mastercard.

Sushma K. and Ritesh Kumar from Microsoft shared the challenges with migrating a passkey across devices. They demonstrated a set up that is required once per device that requires scanning QR codes with a phone or tablet. The accessibility and usability issues of scanning QR codes were raised.

Amazon and Microsoft presented their passkey implementations, including the importance of using prompts like “Skip for now” instead of “Not now” or “No thanks.”

Partnership Announcements and Expo highlights:

Qualcomm and Daon are working toward IoT-connected cars using biometrics and passkeys with key drivers including personalization and payments. 

Cisco and Thales announced major partnerships with Badge, the award-winning privacy company enabling identity without secrets. The companies demonstrated their joint integrations with customers. Cisco demonstrated the Hardwareless MFA experience. Thales showcased Passwordless authentication without secrets.

Social highlights:

An identity-themed family feud-style game show captured the attention of attendees, resulting in laughter and applause from the Authenticate audience. A big surprise was that for the question “What trend are you most tired of in the identity and access management space?” the answer “FIDO/Passkeys” was #2. IDPro member Jeff Steadman, of the Identity at the Center podcast, quickly noted to his FIDO hosts that he did not generate these and was just the host! The Gliterati team was seen taking shots on stage at a fun-filled comedic break.

Karaoke was a hit at the Passwordless Party. Pictured below, singing their hearts out to Katy Perry’s “Firework”: Christiaan Brand from Google, IDPro member Tim Cappalli from Okta, Matt Miller from Cisco, IDPro member Christine Owen from 1Kosmos, Jamie Danker from Venable LLP, and IDPro member Tina Srivastava, PhD from Badge (left to right).

Dr. Tina P. Srivastava is an entrepreneur, author, inventor of more than 15 patents, and an MIT-trained rocket scientist. She served as Chief Engineer of electronic warfare programs at Raytheon before founding a cybersecurity startup that was acquired by a public company and global leader in network security. She is an FAA-certified pilot and is a Lecturer at MIT in Aeronautics and Astronautics.

When her identity was stolen in a data breach in 2015, Dr. Srivastava teamed up with a group of MIT cryptography PhDs to crack the code on one of the most common reasons for modern data breaches: stored credentials. Together, they solved a decades-old cryptography problem to remove PII, biometrics and other stored credentials from the authentication equation, eliminating highly vulnerable storage systems as points of attack for hackers. Badge Inc. is the award-winning privacy company enabling Identity without Secrets.

The post Highlights from Authenticate 2024 by FIDO Alliance  appeared first on IDPro.

But my observation from chatting with people in conference hallways and social media channels is that professionals in our industry are still grappling with this shift in expectations. There are new skills we need to polish (or learn outright) that may not have been on our radar. Let’s talk about that. 

The Evolution of IAM: From the Shadows to Center Stage

I’m going ahead and asserting that IAM was often treated as a necessary but secondary concern. Many organizations didn’t see it as integral to their operations, leaving it to be managed by HR or, at best, as part of broader cybersecurity efforts. IAM was reactive, a tool to be deployed after other systems were in place. And no one was actually trained before they got sucked into the vortex of IAM. 

COVID was eye-opening to lots of people in the Gen X and Boomer crowd when it came to recognizing the importance of IAM. I’m willing to guess, however, that Millenials and Gen Z already had the expectations in place that their digital identity and the whole identity experience online was a Really Big Deal. 

Modern businesses cannot function securely or efficiently without a robust IAM infrastructure. It’s not just about keeping the wrong people out; it’s about enabling the right people to access the resources they need when they need them. And SO MANY resources are now online. Little wonder that companies demand more from identity professionals than ever before.

The New Reality: IAM as a Core Business Function

Today, IAM is less an afterthought and more a core business function. The stakes are higher, the demands are greater, and the need for skilled identity professionals has never been more urgent. IAM is foundational to every aspect of a business’s operations—from securing sensitive data to ensuring compliance with regulatory requirements, to supporting seamless user experiences.

But with this shift comes a new set of expectations. Identity professionals must now act with the same level of urgency and importance as their counterparts in HR, Engineering, and Sales. This means not only managing identities but also understanding the broader business implications of their work. It means being able to prepare reports for our executives and present our projects and findings across teams. We are more visibly responsible for balancing security with usability, ensuring that IAM solutions support business goals while protecting critical assets.

Stepping Up: What It Means to Be an IAM Professional Today

Of course, there is the need to stay on top of the technological changes in our space. Establishing yourself with a baseline of IAM knowledge is a great idea (had to do a CIDPRO^® promo in there). But there are a few other areas I think you’ll want to focus on, too:

1. Strategic Thinking: Identity professionals must move beyond the technical aspects of IAM and start thinking strategically. How does IAM align with the company’s business objectives? How can IAM drive efficiency, innovation, and competitive advantage?
2. Collaboration: IAM is no longer siloed; it’s a function that touches every part of the organization. Identity professionals must collaborate closely with other departments, from IT to HR to Legal, to ensure that IAM solutions are aligned with business needs.
3. Leadership: As IAM becomes more critical, identity professionals need to take on leadership roles within their organizations. This means having the skills to advocate for IAM at the executive level, ensuring that it receives the attention and resources it deserves.
4. Continuous Learning: The IAM landscape is constantly changing, with new technologies, threats, and regulations emerging all the time. Identity professionals must commit to continuous learning to stay ahead of the curve and keep their organizations secure.

The Future of IAM: Becoming Indispensable

The evolution of IAM from a part-time function in the Information Security or HR departments to a core business function is still ongoing, but in no world can I imagine that function will do anything but grow. Those who build up more than just technological awareness will be the ones who shape the future of IAM—and ensure that their organizations can thrive in a complex, digital world.

If you’ve read this far, you rock AND you’re in the right place to engage with other professionals to grow all your skills, from collaboration and leadership to hard-core tech knowledge. IAM is critical to the success and security of modern businesses. You can do more with strategic thinking, collaboration, leadership, and continuous learning and ensure that you’re not just keeping up with the demands of the business world, but driving it forward.

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author (as an individual contributor)

Heather Flanagan, Principal at Spherical Cow Consulting, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organizations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards or discussions around the future of digital identity, she is interested in engaging in that work. You can learn more about her on LinkedIn or reach out to her on the IDPro Slack channel.

The post IAM: From Afterthought to Core Business Function—Why Identity Professionals Must Step Up appeared first on IDPro.

How Each Organization Wants Us To “See” Zero Trust

The NSA defines each “pillar” of zero trust as separate capabilities, each with a clear purpose and demarcation. While not entirely independent of each other (for instance, some aspects of the device pillar may intertwine with the user pillar, and so on) there are clear capabilities that each pillar has all its own. Under this visual model, we still need each capability to do the job of zero trust, and it is implied that each pillar is required for the model to function.

Figure 1: NSA’s Zero Trust Pillars from the NSA CSI series on Zero Trust

The DoD defines each “pillar” as being in service of protecting data. Data is, per the DoD’s understanding, part of all other resources. In this sense data is a pillar, but because everything else utilizes data and the goal is to protect data, the boundary of what is in the data pillar and what is data in service of another pillar gets blurry – for instance, contextual information around a user that guides authorization decisions could absolutely be considered data, and it comes down to the purview of the person looking at the model to make that distinction. The model is further blurred by noting that a given capability may be the purview of multiple pillars and that some capabilities (such as continuous multifactor authentication) span all pillars.

Figure 2: DoD’s Zero Trust Pillars from the DoD ZTRA

What The NSA Reports Offer

At a high level, the NSA Cybersecurity Information Sheets (CSIs) on Zero Trust (available in totality on the NSA website) generally speak to the capabilities inside a given pillar, how the NSA defines these capabilities, and then the path from preparation into maturity with a given capability. For instance, the NSA speaks to five specific capabilities it feels are within the User pillar. Here we replicate their statements on these capabilities:

• Identity Management: technical systems, policies, and processes that create, define, govern, and synchronize the ownership, utilization, and safeguarding of identity information to associate digital identities to an individual or logical entity.
• Credential Management: technical systems, policies, and processes that establish and maintain a binding of an identity to an individual, physical, or logical entity, to include establishing the need for a credential, enrolling an entity, establishing and issuing the credential, and maintaining the credential throughout its life cycle.
• Access Management: management and control of the mechanisms used to grant or deny entities access to resources, including assurances that entities are properly validated, that entities are authorized to access the resources, that resources are protected from unauthorized creation, modification, or deletion, and that authorized entities are accountable for their activity.
• Federation: interoperability of ICAM with mission partners. This CSI only discusses the general complexity of identity federation. 
• Governance: continuous improvement of systems and processes to assess and reduce risk associated with ICAM capabilities. This CSI addresses improvements for this category by defining maturity levels for each of the ICAM categories rather than discussing maturity of identity governance in general.

These statements are fairly broad, and rightfully so. Each capability is discussed in further detail within the CSI, specifically around what an increasingly mature organization might have in terms of capabilities. For instance, if we look at identity management it speaks to a set of capabilities that becomes increasingly complex and based around the mitigation of risk.

Indeed, across the User pillar the NSA makes it clear that they see the mitigation of risk through the utilization of dynamic assessment and recording of risk to push decisions as close to the application and as close to real-time as possible as an “advanced” capability. If we perform a similar analysis of the NSA’s work on the other zero trust pillars, we see a similar building upon prior capabilities to meet a common end goal. For instance, if we look at the automation and orchestration pillar, we see a series of capabilities whose ultimate goal is to support the automation of workflows and to facilitate responses that are dynamic and risk-based. This framing across the NSA CSIs is consistent – drive decisions through each pillar that are dynamic, adjusted for risk, and as close to the application or workload as possible.

As a final note, the NSA CSIs also offer a “why all of this matters” for each separate paper. For instance, the user pillar CSI discusses several real-life scenarios that came about due to ICAM immaturity at a federal level and what the results of those failures were to emphasize each pillar’s importance.

Comparison to the DoD 

The DoD ZTRA, by comparison, speaks to specific capabilities that should comprise each pillar and then uses cases that drive the need for these capabilities. For instance, if we look at the “Pillars, Resources, and Capability Mapping” figure in the ZTRA, we see a substantial number of terms and capabilities put forward all at once.

Figure 4: The US DoD’s Zero Trust Reference Architecture Pillars, Resources & Capability Mapping (CV-7)

The capabilities outlined here are discussed later within the document – for instance, if we look at the user pillar and its call-out of an Enterprise Identity Service in service of the user pillar, we see the capabilities defined and key functions discussed. Perhaps due to the sheer scale of the mapping done here, we should note the above figure is not exhaustive! We can see this when we look at the use cases. For instance, if we look at the figure representing Use Case 4.14 (Dynamic, Continuous Authentication (OV-1)), we see it fleshes out the capabilities and requirements further.

Figure 5: The US DoD’s example of Dynamic, Continuous Authentication (OV-1)

Differences and Similarities Between the DoD and NSA

It could be said that between the two US Government sources on zero trust thought leadership, the Department of Defense is more focused on speaking to specific capabilities it feels are necessary to eliminate implicit trust across the organization with the ZTRA. The NSA, in its CSIs, is attempting to offer a path by which an organization might eliminate implicit trust. While the DoD does speak on needing a dynamic and risk-adjusted response for each action taken in the environment, it at times loses that messaging over spelling out the capabilities it feels are necessary to get there.

The NSA’s CSIs offer a clear advantage here in that they attempt to educate as opposed to enumerate but at the expense of perhaps missing things that may be considered important to a given pillar. For example, within access management, the NSA CSI on the user pillar discusses privileged access devices generally, which suggests some implicit trust of the workstation itself. The DoD’s model, in the “Zero Trust Authentication and Authorization Capability Taxonomy (CV-2)” figure, instead calls this “Device Hygiene” and calls out specific capabilities that comprise this capability. 

To the NSA’s credit, they discuss these capabilities in further detail within the Device Pillar CSI, and to the NSA’s further credit, they specifically state that pillars are not independent, and many capabilities rely on or mesh with other capabilities in other pillars. All of that said, for an individual or organizational unit looking to understand where they fit into zero trust it can be a lot like grasping at an elephant in the dark if they only read about the pillar that relates to their daily operations. The DoD ZTRA, in comparison, does not have this sort of by-pillar problem due to it presenting all the work in one place.

These differences are largely in the way the information surrounding zero trust is disseminated to its audience, and who its audience is. The DoD ZTRA is very much for stakeholders within the DoD. The NSA CSIs are very much for the larger federal government (both within defense as well as national security). The DoD ZTRA is very much a reference architecture, and it is built to discuss specific use cases that the DoD considers important to solve. The NSA CSIs are built to help organizations understand the path to zero trust, which has unfortunately been used more as a term by security firms to sell products and less as a framework in which to mitigate risk through the elimination of implicit trust.

The commonalities between these works are significant. Both the DoD ZTRA and NSA CSIs on zero trust act as some of the most (if not the most) comprehensive, definitive visions of zero trust available today to the public. Both are very clear about the necessity to eliminate implicit trust and the need to radically shift how organizations think about identity and its associated capabilities. Both are excellent, no-nonsense reads that are vendor-neutral. Both promote a strategy that, as adversarial events become both more frequent and more sophisticated, makes sense to explore and adopt. It would be prudent for any organization looking to mitigate risk to understand what governments are doing to address nation-state level adversaries, and consider what steps they could take to bolster their own internal processes.

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author

Rusty Deaton has been in Identity and Access Management for over a decade. He began in technology as a technical support engineer for a Broker-Dealer and has since worked across many industries, carrying forward a passion for doing right by people. When not solving problems, he loves to tinker with electronics and read. He currently works as Federal Principal Architect for Radiant Logic.

The post Two Tunes Coming Together on Zero Trust – The NSA and the DoD appeared first on IDPro.