conferences Archives - IDPro
https://idpro.org/tag/conferences/

Strolling Through RSAC 2022
https://idpro.org/strolling-through-rsac-2022/
Fri, 17 Jun 2022

The post Strolling Through RSAC 2022 appeared first on IDPro.

By Vittorio Bertocci

After having attended in person one Identiverse, two EICs, one AuthenticateCon, one IETF, one OSW and one IIW, I thought I had definitely left behind the woes of the Lockdown Winter that forced our favorite events to take place in the netherspace that is Zoom or its proprietary eponymous equivalents. Boy, was I wrong. None of those events prepared me for a conference that takes over entire blocks, where the expo alone is large enough (700+ exhibitors!) to have its own weather system, if not its own zip code. Above all, I wasn’t prepared for an event where you no longer have a direct line of sight to your tribe, and the majority of the badge-clad people are perfect strangers.

The very distrustful conference site (it asked for my username/password every couple of hours; is this what continuous authentication means?) offered a staggering 612 sessions. One first-time attendee asked me, “how do you choose what to attend at RSA?” My answer: use the search feature to tease out what’s relevant to your interests. That is also what I did; as a result, expect this report to be a very partial and personal account of the event. If you want to broaden your perspective, you can chat with other IDPros who were there; you’ll find them in #RSAConference on our IDPro Slack.

Content highlights

Despite all the rhetoric about identity being the new perimeter and other platitudes, and some shoutouts to OIDC and FIDO from the keynote, RSAC 2022 had very little content on our favorite topic. The Identity track had 44 sessions, 13 of them vendor-sponsored and 7 of them duplicates (overflow rooms).

While zero trust was still one of the dominating buzzwords, I was surprised to see that a search for “blockchain” only returned 5 sessions, “web3” exactly zero, and “decentralized” only one track session, from IDPro’s very own George Fletcher.

George’s session, “Managing De-Centralized Identities: A Relying Party Perspective”, was one of the highlights of the conference for me. The first time I saw George present on this topic was at an IIW in 2019. In a nutshell, the session takes the tools and principles of Self-Sovereign Identity (SSI)/decentralized identity and tries to apply them when developing a realistic relying party. In so doing, he uncovers discrepancies, opportunities and impedance mismatches that are both a powerful tool for understanding SSI’s value proposition and an honest litmus test of the maturity of those new technologies. TL;DR: things have improved since that first 2019 session, but much still needs to be figured out for those technologies to be viable in real-world use.

After the session, a bunch of IDPros and identirati congregated right outside, engaging in an incredibly satisfying 30-minute-long discussion on VCs, passkeys and their potential impact on society. Those 30 minutes alone were worth the trip; what a JOY to be among one’s people!

Passkeys were the centerpiece of the other awesome event-in-the-event I had the chance to attend, the half-day FIDO Alliance seminar on, surprise, surprise, passwordless and passkeys in particular. The Apple WWDC announcements about passkeys created huge interest in the topic, and the seminar was the perfect opportunity to demystify the technology and get a glimpse of the enormous potential it has to finally deliver a substantial blow to passwords in consumer authentication. Our very own IDPro member Tim Cappalli delivered key parts of the event, from the very first live cross-device/cross-vendor passkey demo to a very lively panel.

Remaining in IDPro territory, mighty board member and acclaimed book author Jon Lehtinen presented a session on “Demystifying the Identity Capabilities of AWS for Enterprise Practitioners”: no one will be surprised to learn that it was well received.

Just because it’s RSA, and the RSA experience needs some “pure security” to be complete, I decided to attend “Bypassing Windows Hello for Business and Pleasure”, and I wasn’t disappointed. The lengths to which the researcher had to go in order to defeat Windows Hello were substantial, and he presented his journey with flair and competence. If you have access to the on-demand content, I recommend this session.

In Summary

Is RSA still worth the very hefty admission price? From the content perspective, I am honestly not sure. I got lucky with George and passkeys, but the dearth of identity content is concerning, though I suspect part of the fault falls on us: I personally had some submission fatigue and didn’t propose anything. Perhaps we should resolve to submit in bigger numbers and see whether we move the needle. From the experience perspective… I’d say it’s a resounding YES. True, we identirati have other opportunities to see each other, but with its sheer size, parties (rrrisky) and general vibe, RSA remains an important milestone in the conference calendar, and I am glad it’s back!

About the Author

Vittorio Bertocci is a Principal Architect for Auth0|OKTA. A veteran of the identity industry, in his 20-year career Vittorio has helped create, shape and steer key identity products, technologies, and practices. Vittorio is currently serving on the OpenID Foundation board of directors, and is the host of the Identity, Unlocked podcast. An active member of the identity community, Vittorio is a well-known speaker, educator, and published author.


Celebrating Identity Management Day 2022 with Nine IAM Best Practices from IDPro® Members
https://idpro.org/celebrating-identity-management-day-2022-with-nine-iam-best-practices-from-idpro-members/
Tue, 12 Apr 2022

The post Celebrating Identity Management Day 2022 with Nine IAM Best Practices from IDPro® Members appeared first on IDPro.

Welcome to Identity Management Day 2022!

Identity management is the term that describes how organizations maintain effective security to prevent unauthorized users from obtaining access to secure systems. Good identity management keeps systems and people secure, enhances privacy, and enables efficient digital experiences for both businesses and individuals.

Identity Management Day was first hosted on April 12, 2021 by the Identity Defined Security Alliance and the National Cybersecurity Alliance to spread awareness about the importance of proper identity management and the dangers of improperly managing digital identities. 

We asked our members to share their best IAM practices for protecting digital identity. Learn from the best by following these 9 tips:

  1. Only collect the data you absolutely need to provide your product or service. The more data you hold, the more attractive you become to attackers, and the more risk you take on.
  2. Bad data quality will kill every IAM approach. For example: people suddenly without managers, required data missing, or data disappearing from a source overnight. Plan to keep bad data out, and when it creeps in (because it will), make sure you have tested the unhappy path before you accidentally fire the CEO.
  3. Follow the principle of least privilege: don’t assign privileges to those who don’t need them; assign only what is needed to do the job.
  4. Prune and clean your account list and remove your “leavers”. It should be a no-brainer, but it is an often-neglected control.
  5. Any MFA (multi-factor authentication) is better than no MFA (see #6).
  6. If you’re using MFA, use adaptive MFA. Don’t carpet-bomb every transaction with laborious authentication requirements, because other parts of your business could suffer (e.g., signup funnels). Have clear policies for when you require stronger authentication and only present those prompts when necessary.
  7. Encrypt personally identifiable information (PII) and personal data (PD) at rest and in transit. Things like email addresses and phone numbers should never be stored or sent in cleartext.
  8. Block the use of known breached passwords and credentials.
  9. Adopt SSO (single sign-on) as a default practice. Friends don’t let friends wire applications directly to LDAP, or to local user ID/password pairs, for sign-on; they adopt SSO. You don’t know who wrote and tested a given application, much less what its code actually does or how it is patched, and it does NOT need to handle a cleartext user ID and password. Local accounts risk credentials being orphaned, compromised, or handled without the duty of care that good security hygiene requires. When it is time to revoke access, SSO is vastly more helpful than trying to remember every place a local credential touches.
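
Tip 8 is usually implemented with a k-anonymity range lookup, the scheme the Pwned Passwords range API uses: the client SHA-1 hashes the candidate password, sends only the first five hex characters of the digest, receives every known suffix that shares that prefix, and does the match locally, so the full hash never leaves the client. The block below is an added example written for this post, not code from IDPro or from any service; `SAMPLE_RANGE_RESPONSES`, its suffixes and counts are constructed so it runs offline, and `offline_lookup` stands in for the HTTPS GET you would make in production.

```python
import hashlib
from typing import Callable

# Constructed excerpt of a k-anonymity "range" response for SHA-1 prefix 5BAA6,
# the prefix of SHA-1("password"). Format is SUFFIX:COUNT per line, as the
# Pwned Passwords range API returns it; the suffixes and counts here are invented.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:4\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0\n"  # padding entry: count 0 is not a breach
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:120000\n"
    ),
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for an HTTPS GET of /range/{prefix}. Only a 5-hex-char prefix may ever leave the client."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("refusing to send anything but a 5-hex-char prefix")
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def split_sha1(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict; malformed lines are skipped rather than trusted."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup: Callable[[str], str] = offline_lookup) -> int:
    """How many times the password appears in the breach corpus (0 if never, or if the range is empty)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def is_blocked(password: str, lookup: Callable[[str], str] = offline_lookup, min_count: int = 1) -> bool:
    """Policy: reject any password seen at least min_count times. Count 0 (padding) never blocks."""
    return breach_count(password, lookup) >= min_count


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "BLOCKED" if is_blocked(candidate) else "ok", breach_count(candidate))
```

The prefix check in `offline_lookup` is the part worth keeping when you swap in a real client: a bug that sends the whole digest defeats the point of the scheme. Treat a zero count as "not breached" so that padding entries, which some services add to hide the true size of a range, never lock a user out, and fail closed or open deliberately (a policy decision) if the lookup is unavailable.
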

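Tips 2 and 4 pull in opposite directions: you want leavers disabled promptly, but a leaver computed from a broken HR feed is how you "accidentally fire the CEO". The block below is an added example written for this post, not IDPro's or any product's code; the feed layout, status vocabulary, `REQUIRED_FIELDS`, the 10% threshold and the twenty sample employees are all constructed assumptions. It treats an account as a leaver only when it was known last run and is now absent or inactive, refuses to act if any record fails validation (a missing manager is legal only for the top of the reporting tree), and halts outright if more than a set fraction of known accounts would be disabled in one run.

```python
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("employee_id", "email", "status")
ACTIVE_STATUSES = {"active", "on_leave"}  # status vocabulary assumed for the constructed feed


@dataclass
class Plan:
    disable: list[str] = field(default_factory=list)  # accounts safe to disable this run
    halted: bool = False                                # True => do nothing and page a human
    reasons: list[str] = field(default_factory=list)


def validate(feed: list[dict], top_of_tree: str) -> tuple[dict[str, dict], list[tuple]]:
    """Split the HR feed into valid records (keyed by id) and problems.
    Only the top of the reporting tree may legitimately have no manager."""
    valid, problems = {}, []
    for rec in feed:
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if not rec.get("manager_id") and rec.get("employee_id") != top_of_tree:
            missing.append("manager_id")
        if missing:
            problems.append((rec.get("employee_id"), missing))
        else:
            valid[rec["employee_id"]] = rec
    return valid, problems


def plan_leavers(previous_ids: set[str], feed: list[dict], top_of_tree: str,
                 max_leaver_ratio: float = 0.10) -> Plan:
    """Compute who to disable, but halt if the feed looks broken: any record fails
    validation, or more than max_leaver_ratio of known accounts would go at once."""
    plan = Plan()
    valid, problems = validate(feed, top_of_tree)
    if problems:
        plan.halted = True
        plan.reasons.append(f"{len(problems)} record(s) failed validation, e.g. {problems[:3]}")
    # A leaver is an account we knew last run that is now absent or no longer active.
    leavers = sorted(i for i in previous_ids
                     if i not in valid or valid[i]["status"] not in ACTIVE_STATUSES)
    ratio = len(leavers) / max(len(previous_ids), 1)
    if ratio > max_leaver_ratio:
        plan.halted = True
        plan.reasons.append(f"{len(leavers)}/{len(previous_ids)} accounts ({ratio:.0%}) would be disabled in one run")
    if not plan.halted:
        plan.disable = leavers
    return plan


# --- constructed sample data: 20 known accounts, E001 is the CEO (top of tree) ---
def _rec(i: int, status: str = "active", manager: str = "E001") -> dict:
    eid = f"E{i:03d}"
    return {"employee_id": eid, "email": f"{eid.lower()}@example.com",
            "manager_id": manager, "status": status}


PREVIOUS_IDS = {f"E{i:03d}" for i in range(1, 21)}
FEED_NORMAL = ([_rec(1, manager="")] + [_rec(i) for i in range(2, 17)]
               + [_rec(17, status="terminated")] + [_rec(i) for i in range(18, 21)])
FEED_TRUNCATED = FEED_NORMAL[10:]  # overnight export dropped the first ten rows, CEO included
FEED_NO_MANAGER = [dict(r, manager_id="") if r["employee_id"] == "E005" else r
                   for r in FEED_NORMAL]

if __name__ == "__main__":
    for name, feed in (("normal", FEED_NORMAL), ("truncated", FEED_TRUNCATED), ("no manager", FEED_NO_MANAGER)):
        print(name, "->", plan_leavers(PREVIOUS_IDS, feed, "E001"))
```

With the normal feed the only change is E017 moving to "terminated", so the plan disables exactly that account. The truncated feed would disable eleven of twenty accounts, and the feed that lost E005's manager fails validation; both come back halted with an empty disable list, which is the behaviour you want to have rehearsed before it happens with live data.

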
Now it’s YOUR turn to participate!

Identity practitioners are encouraged to share their best security practices during the 2022 Identity Management Day Virtual Conference, inspiring others to employ effective strategies for securing their digital identities and helping leadership understand the importance of a strong identity management team. 
Want to learn more? Check out this 2022 RSAConference presentation by IDPro members – Vittorio Bertocci and Sarah Cecchetti – Securing Your Direct to Consumer Identity Strategy.


Identiverse Preview: Deployments & Leading Practices
https://idpro.org/identiverse-preview-deployments-leading-practices/
Mon, 21 Mar 2022

The post Identiverse Preview: Deployments & Leading Practices appeared first on IDPro.

by Greg Smith

Only three months to go! Identiverse is IDPro’s home event, and it will be taking place in Denver as an in-person conference on June 21-24, 2022. The content committee has been busy reviewing and selecting proposals. It’s shaping up to be another excellent agenda. Together with fellow IDPro member Lorrayne Auld at MITRE, I’m excited to be co-leading the Deployments and Leading Practices (D&LP) topic once again. In this blog, I’d like to share some of the upcoming highlights for our track.

D&LP is the place where you can come to learn how some of our larger enterprises deal with identity at scale, how they manage large rollouts, and the challenges they face. These could be workforce identity implementations, CIAM programs, or any combination thereof. In short, expect some war stories from the real world, and some great advice for avoiding some of the pitfalls of large IAM programs.

Our speakers in this track will be coming from a healthy mix of global enterprise identity practitioners, international government agencies, consulting companies, financial institutions, and identity solution vendors. And more than a few of our fellow IDPro members!

This year’s theme is “Trust”, which offers plenty of latitude for our topics. You’ll hear from companies like Target and J&J about their trust journeys with FIDO2 adoption and managing Single Sign-On at scale. We’ll hear from PayPal about the frameworks they developed for Connected Identity across the PayPal ecosystem. HSBC will be talking about building trusted identity frameworks using open-source software. The Norwegian Labour and Welfare Administration will explain why agility should be considered when evaluating identity products for your organization.

Our Trust theme wouldn’t be complete without a session on Zero Trust. We have at least four, from Uberether, ProofID, Ping Identity, and Easy Dynamics. And two of those are real-world deployments for the US federal government and the US Department of Agriculture. The ProofID session will dive into customer experience from an omni-channel perspective, which can be immensely challenging. Nok Nok will be sharing five real-world deployment stories for passwordless authentication, and our speaker from Gluu will remind us that the password isn’t quite dead yet. Microsoft will share advice on getting to strong authentication on your passwordless journey while showing a positive ROI to your senior leadership. Customer experience is trending and gaining attention, not only within the Federal Government, but also here in our track where the FIDO Alliance will provide an update on optimizing the user experience for FIDO security keys.

We’ll learn more about verifiable credentials from Avast. Curity’s speaker will explain how applying OIDC profiles for Open Banking can benefit the financial services industry as well as the rest of us. We’ll hear from Authlete about real-world examples of configuring OAuth and OIDC correctly to avoid data breaches. Last, but certainly not least, Wavestone will provide invaluable advice on how not to fail at your IAM project.

Over the next couple of months, our speakers have a lot of work to do to turn those topics into full-fledged sessions. I am really looking forward to seeing what they come up with, and then sharing it with all of you at Identiverse in Denver! If you haven’t already registered to attend, what are you waiting for?

Stay tuned for more Identiverse updates in the weeks to come.

Greg Smith

Chair, IDPro Editorial

Radiant Logic

Greg Smith is a Solutions Architect with Radiant Logic. He has been implementing Identity & Access Management solutions for over 35 years. He holds BSEG and MSBA degrees from Bucknell University, where he also began his professional career before moving into the Pharmaceutical industry in 1996. After a 25 year career there, he recently retired from Johnson & Johnson, where he led the engineering team for J&J’s single sign-on, risk based authentication, multi-factor authentication, access governance, directory synchronization and virtualization, provisioning automation, and PKI services. He has spoken at Identiverse® and other industry events on numerous occasions. He was recently CIDPRO™ certified and is also a founding member of IDPro, where he currently chairs the editorial committee.

