My opinions are my own and do not reflect the views of others at my employer, the Federal Reserve System. Now that my authorization filter is in place, let’s follow Alice down the rabbit hole and let your imagination run wild for the next 5 minutes.
Identity is jumping the fence
Identity is the new security perimeter, or so we’ve been told.
Do we need someone to draw a box so you can picture yourself trapped inside? The Little Prince asked for one, after all… Are you a sheep?
Be honest – did you let Identity roam free again this year? Do you feel like you are Peter Pan trying to re-attach his shadow before going back to Neverland? Keep trying to secure this personal information that has leaked… again. Third time’s a charm. If not, a bit of fairy dust will go a long way to make DNA erase itself from the dark web (thank you 23andMe).
Identity can be undercooked, well-done or roasted
Let’s deconstruct this. Which material did you use for your identity wall? But more importantly, which one of the three little pigs are you?
Are you careless and used straw to build your wall? Let’s reuse this password again, my friend.
Did you use sticks? Stick it together. Let’s add a thin layer of MFA with SMS and call it a day.
Did you use bricks? This is the way! Phishing-resistant authentication and mutual TLS. Hasta la vista, Big Bad Wolf!
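Why do the bricks hold where the sticks do not? The difference is origin binding, and it is worth seeing in code. The example below is added here and is not code from the original post: a toy relying party on a hypothetical origin (bank.example), a look-alike phishing origin (bank-login.example), a browser that fills in clientData itself, and an authenticator whose credential is scoped to an rpId. An HMAC over a per-credential secret stands in for the authenticator’s real asymmetric signature so the block runs on the standard library alone; the checks the relying party performs are the ones that matter. Next to it, an SMS code relayed through the phishing page sails straight through.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy world for this example (hypothetical names, not real sites).
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"   # attacker's look-alike page


def host_of(origin):
    return origin.split("://", 1)[1]


class Authenticator:
    """Toy authenticator. A real one signs with a per-RP private key; here an
    HMAC over a per-credential secret stands in for that signature. The
    credential is scoped to an rpId and the signed data covers the
    browser-supplied clientData, which is what phishing resistance rests on."""

    def __init__(self):
        self.credentials = {}  # rp_id -> credential secret

    def register(self, rp_id):
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]  # stands in for the public key the RP stores

    def get_assertion(self, rp_id, client_data_json):
        secret = self.credentials[rp_id]  # KeyError if no credential for this rpId
        authenticator_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = authenticator_data + hashlib.sha256(client_data_json).digest()
        return authenticator_data, client_data_json, hmac.new(secret, signed, hashlib.sha256).digest()


def browser_webauthn_get(origin, rp_id, challenge, authenticator):
    """The browser, not the user or the page, builds clientData and refuses an
    rpId that is not the page's host or a registrable suffix of it."""
    host = host_of(origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} not valid for origin {origin!r}")
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return authenticator.get_assertion(rp_id, json.dumps(client_data).encode())


def rp_verify_assertion(stored_key, challenge, assertion):
    """RP checks: fresh challenge, expected origin, expected rpIdHash, then the
    signature over authenticatorData || sha256(clientDataJSON)."""
    authenticator_data, client_data_json, signature = assertion
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != challenge:
        return False
    if client_data.get("origin") != RP_ORIGIN:  # origin binding: the phishing page fails here
        return False
    if authenticator_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(stored_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def setup():
    authenticator = Authenticator()
    return authenticator, authenticator.register(RP_ID)  # registered on the real origin


def legitimate_login():
    authenticator, stored_key = setup()
    challenge = secrets.token_hex(16)
    assertion = browser_webauthn_get(RP_ORIGIN, RP_ID, challenge, authenticator)
    return rp_verify_assertion(stored_key, challenge, assertion)


def phished_login():
    """Adversary-in-the-middle relays the RP's challenge to the victim's browser,
    which sits on the look-alike origin. Whatever rpId the page asks for, no
    assertion the real RP accepts comes back."""
    authenticator, stored_key = setup()
    challenge = secrets.token_hex(16)
    for rp_id in (RP_ID, host_of(PHISH_ORIGIN)):
        try:
            assertion = browser_webauthn_get(PHISH_ORIGIN, rp_id, challenge, authenticator)
        except (PermissionError, KeyError):
            continue  # browser refused the rpId, or no credential is scoped to the phishing host
        if rp_verify_assertion(stored_key, challenge, assertion):
            return True
    return False


def sms_otp_relay():
    """The sticks wall: an SMS code is a plain string the victim types wherever
    they are asked. Nothing binds it to the origin, so relaying it works."""
    otp = f"{secrets.randbelow(10**6):06d}"   # RP texts this to the victim
    typed_into_phishing_page = otp
    forwarded_by_attacker = typed_into_phishing_page
    return hmac.compare_digest(forwarded_by_attacker, otp)  # RP accepts


if __name__ == "__main__":
    print("legitimate passkey login accepted:", legitimate_login())  # True
    print("phished passkey login accepted:", phished_login())        # False
    print("relayed SMS OTP accepted:", sms_otp_relay())               # True
```

The same idea carries over to mutual TLS: the client certificate proves possession of a key to the server that terminated the TLS session, so a relay in the middle cannot reuse it against the real host.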
Hopefully, the Wolf was not part of the construction crew. Let’s put a layer of ITDR during inspections. Remember that the construction code has changed this year; we need to spend more on that house!
If none of these protections are enough, we do know that everything is good in the pig… so lucky Wolf.
Are my thoughts not Kosher enough? My Grandma is probably still cursing me in Yiddish from where she is… Sorry Grandma.
Identity strikes back – everyone to the exhaust port!
There must be a door somewhere in this identity perimeter, so what happens when you don’t have your keys?
Do you still have this red hammer in your outdoor shed? (you all know this mind trick… right?)
Well, it will for sure prove itself useful when someone asks you about the secret passphrase to get back in. Those security questions are hard (to remember… not to break), but luckily with my red hammer, I nailed every answer. If only the helpdesk wasn’t trying to be “that” helpful… I don’t think I need to use Gen AI to impersonate the CEO this year.
Now as the Big Bad Wolf, I could also have tried the back door. I learned that trick from a Nigerian prince, and I can guarantee Phish for dinner (No winner, winner, chicken dinner tonight, I need to have a balanced diet).
Identity is at the door. My dog is barking
“Knock, knock”. Someone is at the door and my door is locked; I can’t trust anyone these days: Zero Trust.
Before I let that person in, let’s re-establish trust. We don’t trust the network so let’s work with what we have, the identity network and the stuff around, like shared signals (Wait… what? Did I say network – again? Okay let’s call that identity graph). Don’t worry, the Wolf is still huffing and puffing so that’s not him. He likes doing DDoS attacks to get in – he doesn’t knock.
“Hey I’m the utility guy, I won’t be long, I just need to come inside to check the meter, I was not able to read it remotely.”
He looks nice enough, and he wears the uniform. Okay, I will only allow him inside for a few minutes.
Context has changed: we just realized we both play Bingo at the country club on Sundays. He can stay longer, and I will bring him biscuits. After all, we are all separated by at most six degrees of separation so what could go wrong? We’re practically family. I won’t ask for his badge this time.
Here you go… I was able to sneak in some continuous authentication (let’s not call that authorization anymore – we all know that we can’t get authentication right, so let’s rename authorization “authentication” so we can lower everyone’s expectations).
Before leaving, the utility guy left that little device so he doesn’t have to come back. Luckily enough, it is always connected to a foreign country to assure higher availability and make sure my data lives forever. I’m grateful for the IoT redundancy, I won’t rely on my robot vacuum anymore to protect my privacy with its camera array. Maybe next year I will think about protecting these API and non-human identity flows.
Ring around the Rosie. Ashes, Ashes… Identity is falling down
What about the roof? If there is a perimeter and a door, there must be a roof, no?
It is important that the roof does not leak because when the storm hits the clouds, we want to anchor down on-premises and drink some hot cocoa. Traditions, Traditions! Like the Fiddler on the roof would say.
Identity is messy, so I packed it
I don’t know about you, but I’m a bit of a hoarder. My identity house is filled with resource rooms. There, I have a bunch of RBAC boxes. My wife says I act like I’m entitled. You put things in boxes and you forget what they are and what they do. Can’t tell what’s valuable anymore and should be in my vault. Not sure I will ever get to cleaning that up and identifying what’s valuable but I will repaint the walls in ABAC, PBAC, or ReBAC next year. Help me choose the color. I will put two layers of PEP this time to get this finer grain.
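To help pick the color, here is what the three paints actually look like on the same request. This is an added example, not code from the original post, and everything in it is constructed: hypothetical users (alice, bob, eve), two documents, a folder, and one policy decision point per model. RBAC grants an action on a resource type through roles; ABAC evaluates a rule over subject, resource and request attributes (here, whether the session passed MFA); ReBAC answers by walking Zanzibar-style relationship tuples, so a viewer of the parent folder can read the document without a per-document grant. A deny-overrides PEP at the end is the “two layers of PEP” idea: every configured decision point has to allow.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    context: dict = field(default_factory=dict)


# Constructed sample data for this example (hypothetical users and documents).
USERS = {"alice": {"dept": "finance"}, "bob": {"dept": "finance"}, "eve": {"dept": "marketing"}}
RESOURCES = {
    "doc:q3-forecast": {"type": "doc", "dept": "finance", "classification": "confidential"},
    "doc:lunch-menu": {"type": "doc", "dept": "marketing", "classification": "public"},
}

# RBAC: the boxes. A role grants an action on a whole resource *type*, so the
# label on the box says nothing about which document is inside.
USER_ROLES = {"alice": {"doc-reader"}, "bob": {"doc-admin"}, "eve": {"doc-reader"}}
ROLE_GRANTS = {"doc-reader": {("read", "doc")}, "doc-admin": {("read", "doc"), ("write", "doc")}}


def rbac_decide(req):
    rtype = RESOURCES[req.resource]["type"]
    return any((req.action, rtype) in ROLE_GRANTS[role] for role in USER_ROLES.get(req.subject, ()))


# ABAC: a rule over subject, resource and request attributes. Context (here
# whether the session passed MFA) is re-evaluated on every request.
def abac_decide(req):
    subject, resource = USERS[req.subject], RESOURCES[req.resource]
    if subject["dept"] != resource["dept"]:
        return False
    if resource["classification"] == "confidential" and not req.context.get("mfa", False):
        return False
    return req.action in ("read", "write")


# ReBAC: Zanzibar-style tuples (object, relation, subject) plus rewrite rules.
# A permission is a walk over the graph; "parent->read" means "whoever can
# read the parent object can read this one".
TUPLES = {
    ("doc:q3-forecast", "owner", "alice"),
    ("doc:q3-forecast", "parent", "folder:finance"),
    ("folder:finance", "viewer", "bob"),
}
PERMISSION_RULES = {"read": ["owner", "viewer", "parent->read"], "write": ["owner"]}


def has_permission(obj, perm, user, depth=0):
    if depth > 8:  # guard against cyclic parent relations
        return False
    for rule in PERMISSION_RULES[perm]:
        if rule.startswith("parent->"):
            inherited = rule.split("->", 1)[1]
            parents = [s for (o, r, s) in TUPLES if o == obj and r == "parent"]
            if any(has_permission(p, inherited, user, depth + 1) for p in parents):
                return True
        elif (obj, rule, user) in TUPLES:
            return True
    return False


def rebac_decide(req):
    return has_permission(req.resource, req.action, req.subject)


PDPS = {"rbac": rbac_decide, "abac": abac_decide, "rebac": rebac_decide}


def compare(subject, action, resource, mfa=False):
    """What each policy model says about the same request."""
    req = Request(subject, action, resource, {"mfa": mfa})
    return {name: pdp(req) for name, pdp in PDPS.items()}


def pep_enforce(req, layers=("abac", "rebac")):
    """Policy enforcement point with deny-overrides: every chosen decision point
    must allow, or the request is refused before the resource is handed over."""
    denied = [name for name in layers if not PDPS[name](req)]
    if denied:
        raise PermissionError(f"{req.subject} {req.action} {req.resource}: denied by {denied}")
    return RESOURCES[req.resource]


if __name__ == "__main__":
    # eve holds doc-reader, so RBAC lets her read finance's confidential forecast;
    # the attribute rule and the relationship graph both say no.
    print(compare("eve", "read", "doc:q3-forecast"))
    # bob reaches the forecast through the folder he can view, once MFA is present.
    print(compare("bob", "read", "doc:q3-forecast", mfa=True))
    # alice owns the document, which no role captures but the graph does.
    print(compare("alice", "write", "doc:q3-forecast", mfa=True))
```

Note that the box problem shows up immediately: the doc-reader role has no idea which documents it opens, so eve reads a confidential finance forecast under RBAC while both finer-grained models refuse her.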
Identity is wandering outside, alone in the dark
Now that we’ve explored the perimeter of our little identity house, let’s wander in the forest, aka the Internet (not your AD forest, that one is evaporating to the clouds turning Azure color – thank you Global Warming!).
Do you see yourself more like the Little Red Riding Hood or Hansel & Gretel when you get lost? We were told not to go far from the identity perimeter, but something good is cooking for sure. I can smell it coming from that house over there. Now, going back to the decision you have to make, I will help you: the Wolf probably didn’t use an oven to bake stuff. It is wild out there.
The network perimeter was porous. Solution: The Identity Sponge!
I feel like the sponge is filling itself up and getting really heavy by now. No wonder: I have to clean up all the mess left by these cookies. The good news is that someone out there is constantly tracking my every move (and mood) so there is no need to waste breadcrumbs to find my way out… if only I could escape the web.
Identity is coming to town
Here comes Decentralized Identity or Self-Sovereign Identity (SSI): so, the Identity Kingdom was becoming really big after all these federated trusts, but we didn’t have a good way to verify that this visiting knight from a faraway land really killed that dragon. Thanks to Merlin’s magic, we decentralized trust on the blockchain (yeah everything is made in blocks nowadays – Minecraft is a “thing”) and the crypto bros were able to verify his DID. This knight was indeed knighted, killed the dragon… but failed to save the princess, explaining why he is on the run again.
Didn’t even need to force the knight out of the armor or send a messenger to the faraway land! The knight just presented claims from his verifiable credentials. Then, we made sure to store as many attributes as we could about him in our Kingdom registry for the next time he is in town (we can’t always rely on Merlin and our core mission is still to protect the crown jewels). I will keep the story of Zero Knowledge Proof (ZKP) for when we get our hands on a witch: I don’t feel like wasting wood or killing a duck.
Tired of this Identity Journey – need some rest
My identity journey has been long enough so I won’t waste time on CIAM. Which social identity provider did I use again? When in doubt I will click on all the options I see, starting with password reset. Love playing Whac-A-Mole. Maybe I’ll add an entry in my password manager or switch to passkeys. My dog loves Fido.
Identity is us – we are its Foundation
Voila! I hope you had a good laugh and you are ready to tell the Identity tale in 2024. Yes, sometimes it feels like Identity security or cybersecurity is a house of cards and this year was definitely full of emotions. We lost friends and made new ones. Things didn’t always go as we wanted in our personal lives, at work, or in the World in general. Thus, we shouldn’t lose track of our North Star, who we are, and our core values; in short: of our Identity. Talking about core values: let’s not forget to be kind to each other and to ourselves.
The glass is not half empty or half full. Remember that it doesn’t matter anymore after the third glass. Cheers to 2024!
Yes, there are indeed plenty of challenges in Identity ahead of us but who doesn’t like a good challenge? Also, never forget to question things, learn… and when you have learned, share the knowledge. Identity is our jam, let’s spread it!
I do love the community we are building at IDPro. I’ve enjoyed becoming a member and participating in the discussions on Slack. Tell others! Don’t keep it to yourself. Encourage diversity and bring new faces to our group next year.
Author: Elie Azérad
Elie is Lead IAM Architect at the Federal Reserve and a member of IDPro. He has 20+ years of experience in IT working in roles ranging from Software Development, Customer Support, Consulting and Pre-Sales to Solution Architecture in France and the US. He started his career in Business Rules and switched to IAM in 2010.
Since then, he has been having fun solving Identity problems, big and small… and he calls that work.
In his free time, he bakes, raises his kids, and walks his Golden Retriever.
His opinions are his own.