The Week in Identity

This week Simon and David review the recent Heliview IAM Conference that took place in the Netherlands. The main topic for the day was the rise of the identity fabric (or mesh) and how this can enable the modern organisation with a range of agile IAM components that supports both business and security use cases. Simon presented a keynote on the future of IAM - using some research from The Cyber Hut focusing on where IAM may look like in 2028 and beyond...

They also discussed the need for people, process and technology integration, in order to map the existing IAM landscape to future investment and metrics.

They finish off by discussing the rise in cyber threat reports that have emerged in the past month that all have a very strong reliance on IAM - and why ITDR is a process not a product.

Cyber Threat Reports:

This week Simon and David tackle a range of news items including: Radiant Logic completing the acquisition of IGA vendor Brainwave; Authorization vendor Styra getting a new CEO and Auth0 (by Okta) releasing v1.0 of a new open source authorization project called OpenFGA. They also tackle the question of whether we need to see Chief Identity Officers in the board room and how zero trust is essentially driving the demand for authorization platforms.

In this week's episode, Simon and David are joined by Alex Bovee the CEO of https://www.conductorone.com/ - a next generation identity security and IGA provider. They cover a range of topics including the adoption of cloud services and the impact on security, the cloud shared security model, the left shifting of identity risk from being detection focused to preventative, reducing access reviews to focus on exceptions only, how the security world is taking on more IAM capabilities and knowledge and the introduction of a new open source project called Baton - to extract and manage identity data.

This week we hear from a special guest as Simon has a great conversation with 1Kosmos CEO Hemen Vimadalal.  They start off at the beginning...going back to 2003/4 when Hemen helped setup identity certification and role management startup Vaau - which later became Sun Role Manager, then Oracle Identity Analytics.  From there Hemen continued on the entrepreneurial journey to setup Simeio Solutions - a 1000 strong identity advisory and managed services player, before moving on to setup 1Kosmos - a software vendor aiming to tackle the usability and security dilemma by linking identity proofing to passwordless authentication.  An insightful discussion that covered identity governance and administration, trust boundaries, the rise of different identity personas, data breaches, privacy and identity based authentication.

This week Simon and David review the recent eCrime summit that happened in London, where the topic of ChatGPT was discussed.  Is it just for the bad guys?  Can the good guys benefit too?  Where is that heading? Identity Threat Detection and Response vendor Authomize released a new project called OpenITDR - what is it and what is the benefit?  Identity visibility seems to be in vogue this month too..with both Radiant Logic and Ermetic making product releases that focus on joining up data in the identity ecosystem.

This week Simon and David review some interesting moves in the identity governance and administration space.  First up Saviynt raised $205 million (along with founding CEO Sachin Nayyar returning as CEO after a stint at Securonix) to bolster their Enterprise Identity Cloud offering.  Next up they discuss Radiant Logic entering into a definitive agreement to acquire French IGA specialist Brainwave GRC.  What does this tell us about the global IAM and IGA space?  Where will they head to?  Will more funding and acquisitions happen in 2023?  They also review SiberX CISO Forum in Canada and the Future of Cyber conference held in the UK.

This week Simon and David discuss a $26 million series B round for identity orchestration vendor Strata.io. What is identity orchestration, why is it a problem today and how can it be handled within the enterprise?  What is IDQL and what are recipes?  A discussion on a recent consent breach at Home Depot in Canada saw the Canadian Privacy Commissioner got involved. They also review a recent poll covering our favourite biometric, which spawned a discussion around identity based authentication (see 1Kosmos and keyless.io for more on that).  They also delved into the world of IAM maturity assessments...

Welcome to the first episode of 2023! After a short festive break, Simon and David are back to bring you the latest industry analyst views on a range of different identity and access management topics.  This week, they have a special guest: Kristian Alsing - a Senior Cyber Security and Business Resilience Executive - with 20 years experience working for the likes of Accenture and Deloitte.  Kristian recently wrote a great guest article for The Cyber Hut on NIS-2. In this episode the guys cover a range of topics relating to regulation and the role of IAM - covering critical infrastructure, the ever increasing supply chain and the rise of destructive attacks in waiting!

This week Simon and David bring you another dose of analyst insight and opinion on the world of identity and access management.  This week they discuss how HYPR received a $25 million funding round to rid the world of passwords; a discussion around how identity is now foundational for zero trust - and how the US DoD released a reference architecture for zero trust and what that means for identity - and an interesting poll result, on the question "Would you pay for privacy?".

This week Simon and David discuss a funding round for secrets management startup Akeyless who this week announced a $65 million funding round.  The need for secrets, machine identities and service credential management is on the rise and Akeyless are aiming to securely automate this area.  IAM platform player ForgeRock also announced this week, they were launching a cloud based identity governance and administration (IGA) service.  The world of IGA has been dominated by on-prem solutions.  Can ForgeRock make a difference?  They round out this weeks chat, with a review of the Future Identity two day festival that happened in London this week.  Simon hosted a panel on mobile authentication - launching a riff on biometrics, privacy, identity based authentication and more...

This week Simon and David met up face to face at the Whitehall IDM Conference in London.  This one day event covered a host of topics, case studies and vendor pitches.  Simon and David pick out the best and most interesting aspects focused on the rise of AI+ML in authentication and IGA - asking the question is identity becoming a big data problem?  They discuss the emergence of machine and service identities - what it is, who will own it and how it works.  They cover cyber insurance the ever growing need to articulate the business case for IAM and how identity for zero trust architectures is for small and large organisations alike.

This week Simon and David continue the conversation around identity and access management deployment patterns.  Identity is broad and can be deployed in many different ways - yet buy side decision makers and vendors alike often misunderstand the nuances seen in the difference between SaaS, PaaS, IaaS, Managed Services and the classic on-premises.  The Cyber Hut released a free open source article this week outlining the definitions.  Identity Threat Detection and Response startup Oort received a $15M round this week - Simon and David weigh in on identity funding and the rise of ITDR in general.  And finally German based identity consultancy IC-Consult acquired fellow specialists Kapstone to make an 800 strong private consultancy practice.

This week Simon and David discussed the ever growing question around identity and access management deployment models that arose from Simon's recent trip to the Identit.eu consumer identity event in Belguim.  What are the options?  How do practitioners decide between the vast array of choices from private cloud and on-prem through to SaaS.  Do they really just need a managed service if a SaaS offering becomes too hard to customize or perhaps can't connect to on-premises data? They also check in at the mid-point of the latest The Cyber Hut poll that is running - seeing where AI/ML will have the biggest benefit in the IAM industry...

This week Simon and David do a deep dive riff on that old age chestnut...authentication!  Uber has recently been in the news regarding a data breach...one seemingly executed by using an MFA Bombing attack technique.  Could it have been stopped?  What options are available?  They then discuss a recent LinkedIn poll run by The Cyber Hut asking why are we not using passwordless authentication....tune into hear the midweek poll results.

This week Simon and David take a look at three large recent data breaches - that had some interesting meta-characteristics.  Firstly...all are key suppliers of technology to organisations outsourcing key components of their business infrastructure.  Is it that hackers are getting more bang-for-their-buck by attacking suppliers?  Secondly the attack characteristics all focused on identity - with phishing based attacks based on SMS and Push MFA the main entry point.  Details of the breaches discussed on the podcast can be found here: Twilio, Cloudflare and Cisco.

This week Simon and David briefly discuss the emergence of the legal profession into the world of cyber and identity and how privacy is making advertising waves by the likes of Samsung and Apple.  They also review the latest acquisition of Ping Identity by Thoma Bravo and what that may mean to both Ping (and Sailpoint!) and perhaps the rest of the IAM market.

This week Simon and David discuss the recent acquisition of European identity and access management for B2E and B2C OneWelcome by French giants Thales.  This week also saw an interesting partnership between passwordless authentication startup Transmit Security and global heavy weights Microsoft - with Transmit bolting into their Azure AD B2C offering.

This week Simon (David's on holiday!) took a quick peek at some interesting blog entries that appeared.  Ubisecure provided some insight into hybrid cloud deployments, 1Kosmos told us more about "Identity Based Authentication" as a pillar of zero trust and Trulioo discussed how risk assessment should be a part of identity onboarding.  In other news Ping Identity announced a partnership with Microsoft and Workday to work on a profile for verifiable credentials and JWT and identity based access control startup Cyolo.io announced a $60 million series B round.  Finally an April article by Palo Alto's Unit 42 on cloud based threats also caught Simon's eye.