Welcome to Cybersecurity Awareness Month | CISA! As we head into the Northern Hemisphere’s Fall conference season, Non-Human Identities (NHI) are the talk of the town. What does that mean for access control and authorization?
Debut volunteer editor Atul Tulshibagwale recapped Q4’s run of AuthZ-related events in Closing the 2024 IAM Conference Season in Style | SGNL:
Authenticate in Carlsbad, CA from Oct 14-16
Oktane in Las Vegas, NV from Oct 15-17
OpenID Foundation in Mountain View, CA on Oct 28
Internet Identity Workshop (IIW) in Mountain View, CA from Oct 29-31
IETF #121 in Dublin, Ireland from Nov 3-8
Gartner IAM Summit in Grapevine, TX from Dec 9-11
Not to mention all the fwd:cloudsec Europe recordings just released and another few hundred events during SF Tech Week, including Security Considerations in the Time of AI | Okta & Auth0 today.
However, the one we hope you’re most excited about is our very own Halloween AuthZ Subscriber Meetup! Our fourth meetup will start right after IIW #39 at the Computer History Museum in Mountain View, CA. We’re looking for volunteers, speakers, and perhaps sponsors for a few rounds at an after-hours social. Please share your own travel plans and coordinate session proposals in the Authorized Meetup & Unauthorized Unconference planning doc.
Why NHIs?
Non-Human Identities are the talk of the town. Perhaps because there are “17 of them for every human identity” according to Veza; or “20,000 NHIs for every 1,000 employees” according to Astrix’s sponsored survey with the Cloud Security Alliance. Both stats are cited in Francis Odum’s definitive deep-dive keynote, The Complete guide to the growing impact of NHIs, and in his newsletter, The Software Analyst:
Non-human identities (NHIs) refer to digital identities associated with applications, services, and machines. They include all the bots, API keys, service accounts, and OAuth tokens — all of which are credentials that allow machines to authenticate, access resources, and communicate with each other.
NHI is also a hot investment area, with Token Security’s “machine-first identity security platform” emerging from stealth with $7 million | CTech on Sep 18.
Or perhaps it’s the rapid rise of interest in autonomous AI agents for the enterprise, as Gartner’s Avivah Litan surveyed in her Sep 23 column, Mitigating security threats in AI agents | Computer Weekly. (We wonder if Artificial Intelligences will also need Artificial Identities, to fit into our outmoded approaches to authorizing access on behalf of humans…? That’s also one of the advanced topics Eve Maler tackles towards the end of her latest Personhood Credentials interview with Identity at the Center.)
ReBAC to the Rescue
NHIs are a fascinating new arena, but most of us are busy solving our existing access management problems. You could build a powerful new tool to help you solve those with Relationship-Based Access Control (ReBAC) using Amazon Verified Permissions and Amazon Neptune | AWS Blog.
Or, if you are into Open Policy Agent (OPA), a new extension for AuthZed’s SpiceDB from Umbrella Associates can turn it into a ReBAC-capable Policy Decision Point (PDP). You may also know their founders from IdentiBeer, which is also kicking off an in-person SF Bay Area meetup in Mountain View, CA on Oct 28.
In other AuthZ software updates, Permit.io released version 0.5.5 on Sep 30 with new ReBAC enhancements, ReBAC frontend support, ABAC support by default, and efficiency improvements in storing policies and creating users.
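To make concrete what a ReBAC-capable PDP actually decides, here is a small relationship-graph checker in the Zanzibar style that SpiceDB, Permit.io and the Verified Permissions + Neptune approach all build on. It is an added illustration for this newsletter, not code from AWS, AuthZed, Umbrella Associates or Permit.io; the schema, the object names and the relationship tuples are constructed sample data. The check walks three kinds of edges a practitioner cares about: direct tuples, relation rewrites (an editor is implicitly a viewer), and inheritance through a parent object, with usersets such as group:eng#member covering both humans and non-human identities. A visited set guards against nested-group cycles, which real tuple stores do acquire.

```python
"""Minimal ReBAC policy decision point (added example, constructed data).

A relationship tuple is (object, relation, subject). A subject is a direct
identity ("user:alice"), a non-human identity ("svc:ci-bot"), or a userset
"object#relation" meaning everyone who holds that relation on that object.
SCHEMA lists, per object type, the rewrite rules that define each relation.
"""
from collections import defaultdict

# Rewrite rules (hypothetical mini-schema, not SpiceDB or Cedar syntax):
#   ("this",)            direct tuples stored on the object
#   ("union", r)         anyone holding relation r on the same object
#   ("parent", p, r)     anyone holding relation r on the object that this
#                        object points to via its own relation p
SCHEMA = {
    "folder": {
        "owner":  [("this",)],
        "editor": [("this",), ("union", "owner")],
        "viewer": [("this",), ("union", "editor")],
    },
    "doc": {
        "owner":  [("this",)],
        "editor": [("this",), ("union", "owner"), ("parent", "parent", "editor")],
        "viewer": [("this",), ("union", "editor"), ("parent", "parent", "viewer")],
    },
    "group": {"member": [("this",)]},
}


class Pdp:
    def __init__(self, tuples):
        # (object, relation) -> set of subjects
        self.rel = defaultdict(set)
        for obj, relation, subject in tuples:
            self.rel[(obj, relation)].add(subject)

    def check(self, obj, relation, subject, _seen=None):
        """Return True if `subject` reaches `relation` on `obj` via the graph."""
        _seen = set() if _seen is None else _seen
        key = (obj, relation)
        if key in _seen:            # already explored or on the current path
            return False            # (cycle guard for mutually nested groups)
        _seen.add(key)
        otype = obj.split(":", 1)[0]
        for rule in SCHEMA.get(otype, {}).get(relation, []):
            if rule[0] == "this":
                for s in self.rel[key]:
                    if s == subject:
                        return True
                    if "#" in s:    # userset: expand group#member etc.
                        sobj, srel = s.split("#", 1)
                        if self.check(sobj, srel, subject, _seen):
                            return True
            elif rule[0] == "union":
                if self.check(obj, rule[1], subject, _seen):
                    return True
            elif rule[0] == "parent":
                for parent in self.rel[(obj, rule[1])]:
                    if self.check(parent, rule[2], subject, _seen):
                        return True
        return False


# Constructed sample tuples: a human, a CI service account, nested groups
# (deliberately cyclic), a folder owner and a document-level editor.
SAMPLE_TUPLES = [
    ("group:eng", "member", "user:alice"),
    ("group:eng", "member", "svc:ci-bot"),
    ("group:all", "member", "group:eng#member"),
    ("group:eng", "member", "group:all#member"),   # cycle on purpose
    ("folder:q4", "viewer", "group:eng#member"),
    ("folder:q4", "owner", "user:bob"),
    ("doc:plan", "parent", "folder:q4"),
    ("doc:plan", "editor", "user:carol"),
]


def decide(obj, relation, subject):
    return Pdp(SAMPLE_TUPLES).check(obj, relation, subject)


if __name__ == "__main__":
    for q in [("doc:plan", "viewer", "svc:ci-bot"),   # via folder -> group
              ("doc:plan", "editor", "svc:ci-bot"),   # viewer only
              ("doc:plan", "editor", "user:bob"),     # folder owner inherits
              ("folder:q4", "viewer", "user:carol"),  # doc editor, not folder
              ("group:all", "member", "user:dave")]:  # cyclic groups, no hit
        print(q, decide(*q))
```

The interesting decisions are the ones the tuples do not state directly: the CI bot can view doc:plan only because doc:plan points at folder:q4, whose viewers include group:eng#member, and the bot is a member there. That is exactly the chain a PDP such as SpiceDB must resolve, and it is why auditing NHI access by reading service-account tuples alone understates what those identities can reach.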
Privileged Access, or Privileged Identities?
SGNL’s co-founder, Erik Gustavson, provided his perspective on The Shift from PAM to PIM on how to modernize access management of your most critical resources:
“PAM is not designed to manage access dynamically” … “Shared credentials are not only difficult to manage but also make it challenging to attribute actions to specific users” … “where identity is the perimeter, managing identities—not passwords—becomes critical”
Apono.io’s $15.5M Series A on Sep 30 was another vote of confidence for replacing PAM with “AI-driven least privilege and anomaly detection, providing organizations with the tools they need to ensure secure, just-in-time, and just-enough access to their critical resources” (with a tip o’ the hat to the Security, Funded #164 newsletter).
Harmonic Security also raised a $17.5M Series A on Oct 1 to “Drive AI innovation without the risk of data exposure”. A recent RSA Innovation Sandbox finalist, they are coining “zero-touch data protection” as their approach to authorizing access for AIs.
Thirty years of Blogs, BSD, and W3C
Rohit had a hard time accepting that his first employer out of college invited him to an alumni gala for W3C’s own 30th birthday! It’s one thing to contemplate the 30th anniversary of Dave Winer’s Scripting News | The Guardian or the founding of FreeBSD, but another to realize how long ago “just yesterday” was, for someone who’s not even 50 yet! Among the few hundred revelers at their 2024 Technical Plenary, he was not only one of Tim Berners-Lee’s very first hires at MIT, he was the first to leave, too… for Vint Cerf’s group at MCI, on his way to graduate school at UC Irvine.
Pride, ego, and indulgence aside, there are still some AuthZ angles to share, from breakouts and hallway chats about content authenticity, consent and permissions, and authorizing AI access to training data. For more, see notes from Trust the Origin, Trust the Content-Originator Profile for a chain of trust from cameras to journalists to readers; User Research on Permissions, which spanned “prompt fatigue,” popup blindness, and the vagueness of 3rd-party OAuth scopes; and the community group to revise robots.txt for AI.
While search and AI companies both crawl the Web, it’s not clear the same authorization mechanism would work for both, so there was a recent IAB Workshop on AI-CONTROL in Washington, DC from Sep 19-20 to explore “practical opt-out mechanisms for AI.” Among the position papers was one citing IETF’s Grant Negotiation and Access Protocol (GNAP) as a path towards a “Delegated Authorization standard for AI access control” to protect private health information. Another, from Creative Commons, argues against reusing copyright licenses as AuthZ, either: “we believe a new suite of tools that complement the CC licenses are required to communicate sharing preferences for AI training.”
Surveying our own Future…
This community isn’t even a year old yet, so it’s going to take a lot more to sustain success into a second year, much less 30! We are planning to send out a subscriber survey through Substack soon to suss out how to increase subscriber satisfaction. Your responses — and showing your support by signing up new supporters! — are critical for getting from 743 to 1,000 as a first step!