The Analyst Brief

This week Simon and David discuss the recent acquisition of Oort by Cisco, which finds them discussing the entire ITDR space - who is the buying persona and what problems will it solve? As always technology isn't always the answer and we mustn't forget the human element. They answer an audience question focused on Microsoft - and will they start to dominate the IAM space? They also remember the passing of hacking pioneer Kevin Mitnick.

This week there is a special guest on the podcast. Eric Olden CEO at Strata joins Simon for a discussion. They cover a broad and meandering set of topics focused on Eric's journey to being a multi-company founder (his first startup was at age 23..), contributing to the SAML specification and how he is now focused on identity orchestration at Strata. What is orchestration? Why is it needed and how the rise of the hybrid cloud landscape is here to stay. They deep dive into IDQL, identity integration recipes and how the rise of the AI co-pilot may save us all.

This week Simon and David took a meandering look at the last weeks most eye catching events in the world of identity. They had a quick recap of Infosec 2023 held at the eXcel in London, where the topic of data level encryption, data origin authentication and integrity caught Simon's eye. They discussed a recent vulnerability found in deployments on OIDC in the Microsoft world as uncovered by Descope called NOAuth - which essentially was caused by poor verificaiton of OIDC id token claims. They finished off by discussing the world of generative AI and how that is impacting the world of fraud, content, biometrics, misinformation and more...

This episode, sees The Week in Identity have another specialist guest: Bojan Simic, Co founder and CEO of passwordless specialists HYPR. Simon and Bojan delve into Bojan's story from being a computer science graduate to entering the security world pen-testing in New York and working with some of the world's largest financial services institutions. From there the inspiration to rid the world of passwords started to take hold...and ten years later, seeing HYPR as a leading passwordless authentication provider. The topic covers a range of fascinating subjects, from the perfect storm of FIDO, mobile biometrics and secure hardware storage, through to how to create strategies for mass passwordless adoption based on nudge-theory, gamification and stakeholder buy-in. They also cover success criteria, AI and what the future may hold for IAM...

This week Simon and David discuss the recent Identiverse conference as well the Gartner Security Risk Management summit that happened shortly afterwards. They delve into the world of passkeys (again), verifiable credentials and modern architectures and how we're moving to an industry education maturity model, where organisations are going beyond knowing what a technology is, to how to get started and derive value. They also discuss the concept of "minimum effectiveness" as it pertains to technology, expertise, friction and insights and that essentially having too much identity and access management "stuff" is often a precursor to complexity and failure.

This week Simon and David review the recent Heliview IAM Conference that took place in the Netherlands. The main topic for the day was the rise of the identity fabric (or mesh) and how this can enable the modern organisation with a range of agile IAM components that supports both business and security use cases. Simon presented a keynote on the future of IAM - using some research from The Cyber Hut focusing on where IAM may look like in 2028 and beyond... They also discussed the need for people, process and technology integration, in order to map the existing IAM landscape to future investment and metrics. They finish off by discussing the rise in cyber threat reports that have emerged in the past month that all have a very strong reliance on IAM - and why ITDR is a process not a product. Cyber Threat Reports: Joint Cyber Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection CISA Advisory: Hunting Russian Intelligence “Snake” Malware Permiso Security: Unmasking GUI-Vil - Financially Motivated Cloud Threat Actor

This week Simon and David review the recent RSA Conference that occurred at the end of April over in San Francisco. From the generic meta-patterns at the conference covering themes such as collaboration, standards, multi-cloud and technology integration, through to more IAM focused conversations covering MFA, passkeys and authentication attacks. Are passkeys now here to stay? What will help adoption? Will attacks on passkeys start to increase along with usage rates? Will attacks against existing MFA forms including SIM swap, MFA fatigue and social engineering be a compelling event to improve adoption?

This week Simon and David tackle a range of news items including: Radiant Logic completing the acquisition of IGA vendor Brainwave; Authorization vendor Styra getting a new CEO and Auth0 (by Okta) releasing v1.0 of a new open source authorization project called OpenFGA. They also tackle the question of whether we need to see Chief Identity Officers in the board room and how zero trust is essentially driving the demand for authorization platforms.

In this week's episode, Simon and David are joined by Alex Bovee the CEO of https://www.conductorone.com/ - a next generation identity security and IGA provider. They cover a range of topics including the adoption of cloud services and the impact on security, the cloud shared security model, the left shifting of identity risk from being detection focused to preventative, reducing access reviews to focus on exceptions only, how the security world is taking on more IAM capabilities and knowledge and the introduction of a new open source project called Baton - to extract and manage identity data.

In this episode Simon and David review the recent Gartner IAM conference held in Grapevine Texas. Is Identity Orchestration on the rise and how will that impact the complex identity infrastructure of the modern enterprise? What role does security now play within IAM and how will that impact metrics, persona and integration? Is this the year of Identity Threat Detection and Response? And what is becoming of Zero Trust and how it relates to identity?