Allan Foster thinks the identity and access management industry is an immature industry mostly because it is still thinking in siloes. He will elaborate on this idea in his keynote Access Control – The New Frontier on Thursday, May 12, 2022, 9:10 am at the European Identity and Cloud Conference 2022.
To give you a sneak preview of what to expect, we asked Allan some questions about his presentation.
You have been involved in Identity for many years now. Have we solved all the Identity Problems?
Well, wouldn't that be nice, right? We wouldn't even have to have a conference like this. We've solved everything. Well, yes and no. We have solved a lot of the identity challenges that we've had, right?
There's a lot of people over the last years that have done a lot of hard work at this, and we do. We've understood most of the challenges.
We understand what we have to do. And in general, we're pretty successful at it. However, I'm sort of going to step back a little bit from that and say there's still some big problems that we've got with it.
First of all, it's still siloed.
We're buying an identity solution from a vendor and honestly, I'm familiar with all of the different vendors I'm going to pick on ForgeRock and Okta. It's an example. We're buying a solution from them and they are two different solutions.
They're are two different silos. And what that ends up is giving us multiplied entities.
And I only have to say things like LastPass for every single one of us to roll our eyes, knowing that we've got dozens or hundreds of different identities that we need to keep track of.
The reason we have to do that is that we've got these silos. And so when we start talking about have we solved all of the identity problems, I think it's worthwhile for us to stand back and say: Why? Identity is not why we're doing this. Identity is the “How”. Identity is how we do things.
The "Why" is actually access control, right? And in that space, we're still a very immature industry. Where we're taking our baby steps.
The only reason we need to know who someone is, really is so that we know what they can do. And that's really an access control problem.
And so sort of going back to the question, have we solved all of the problems? No. Have we gone a good way into solving many of them?
Yeah, we've built some great foundations, but there is still an awful lot to do as we start looking at how do we implement access control.
And obviously, I'm going to be talking about that through the different sessions and what we need to look at in access control.
You have said that we are still quite immature as an industry. Why?
The immature industry. Well, the good news about being an immature industry is we've got a long way to go to grow, right? The reason I say that we're immature is that we are still working.
And I'm going to go back to what I just said about silos. We're still working in the ideas of specific products, and I'm sort of going to use an example that many of us are familiar with. USB, right? USB is if we think about it, it's really just a serial protocol that we can plug into the side of our computer. However, I can use a USB thumb drive, write one of these, and I can plug it into my Mac and it just works.
And then I take it and plug it into the PC and it just works and I want to print onto a USB printer and it just works. And the really interesting part about this is that all of those products come from different manufacturers, right?
And the really important piece there is the interoperability and the standards so that it works no matter what we want to do with it. We're not there yet with identity. Sure, we've got some great standards like OAuth2, and OpenId Connect and some of the old gray hair devices may remember things like SAML and things like that. We have some great standards to build on.
But as we start moving up right, I look at it from the idea of my car knows who I am, and so does my Nest thermostat. But they don't know about each other and there's no way these are just two different universes, and there's so much growth that we can have in that and grow.
The challenges of access control, the challenges of me being able to prove my identity no matter what the context that we're dealing with.
And really, when I talk about being an immature industry, we talking about web-based access control, we're talking about browsers.
There's so much more that there's this whole industry is growing into things like smart cars, smart refrigerators, smart thermostats, my personal favorite smart light bulbs, right?
So we have all of these different things that either are skirting around identity or we haven't really been able to integrate them. And I think there's an awful lot of opportunity there.
And that's sort of why I say it's immature. We haven't really addressed these issues and we haven't worked out how they interoperate to provide that access control.
Right. If I've got a smart door lock, how do I give somebody else access to that door lock without doing it specifically in that door lock?
So the good news about being immature is we've got so much more to explore and there's still a lot of growth. So I think that's a really big positive thing.
I noticed you are talking about Access Control, rather than Identity. Why?
Because access control is what we're trying to do. Identity is really just a means to an end. Identity is the way that we find out who we're dealing with, right?
Access control and the bigger the sort of bigger picture of access control is answering the question of what should this person or what should this identity be allowed to do?
What should they be allowed to access?
And so let's go back to my example of the smart door lock. It really doesn't matter to the door lock, who the person is on the other side.
It's going to open the door and let that person in. What matters to the door lock is the person on the other side allowed to come in to my house.
And so really, when we look at that, the who is important because that's how we know whether they're allowed to or not. But allowing them into the house is actually the end goal.
And so sort of the drive that I'm trying to go towards is to move away from the thought of simply thinking about identity and, you know, multi-factor and all of these kinds of things that that we've heard over and over and over again.
Identity is really just there to prove who we're dealing with and to start thinking about the access control side of things. How are we going to make that smooth, ubiquitous and work across multiple platforms, multiple devices, multiple identity sources?
And that's why I'm sort of focusing on the access control side of things.
Identity, we've got a pretty good handle as to what we need to do for it.
What challenges do we still have ahead of us?
Well, this goes back to the immature industry side of things, right?
So in order for us to do this and I'm looking at all of the vendors that we have, and we've got several of them around in the hallways and in the booths and things like that, but as an industry, we need to start thinking less about building the best product out there and more about interoperability.
We need to really look at this idea of having siloed products and say that's not really in the best interest of our users, right? We need to have interoperability.
We need to be able to work with each other's technology, work with each other's identities, protect each other's resources.
And in order to do that, hand-in-hand with interoperability is standards and many of you know, me, I've sort of been a standards geek for years and years and years.
Standards is the way that an industry comes together and decides how we're all going to do something so that we can build a viable ecosystem and I think that's the way that we mature our industry is building that interoperable ecosystem so that we can plug IoT devices or smart cars or smart refrigerators, along with all of the other places where we have to deal with identity.
Identifying ourselves from a health care perspective, from a financial industry perspective and all of these things and bringing them together so that from the end-user experience.
Now I'm sort of focusing a little bit here on the consumer side, but both consumer and in the employee case, the end-user experience should be seamless.
They should be able to say, this is who I am now. Let me do what I'm allowed to do.
And I think that's really where the challenges are. We need to continue to build that into our operability.
We need to start thinking about things like how do we define these access control rules, interoperable policy, interoperable standards, so that agents and security agents can work with each other systems. And I think that's really the exciting part probably of the next decade.
If you were to focus on one thing to take away from EIC, what would it be?
Well, to start with, all of the friends and everybody that's there, because it's always great to come together and meet everybody that's working in this industry.
I think it's a conference I know from my perspective that I love coming to every year.
But if we walk away from it, the, the I'm going to kind of break away from the one thing is to sort of maybe if I put commerce between the two, this all becomes one big thing.
There is still a lot of work for us to do in the identity space. We're not done. So there's still a lot of ideas for us to do and we need to keep our eye on why we're doing it.
What is the reason that we're doing identity or doing access control and that "Why?" has to do with the consumer.
We're trying to make a workable ecosystem for that consumer.
And in order to do that, we need to focus on get involved in standard and interoperability. It's not a problem to work with other vendors that are in the same space, right?
We've got even this nice word co-op petition. There's it's a big industry. We can all make money in this industry and we need to be able to work together and be interoperable with each other so that we can provide that nice, flawless, seamless experience for the end-user. And that's probably the biggest takeaway for me.