I would be remiss if this newsletter didn’t contain a couple of turkeys 🦃 to celebrate Thanksgiving. As my friend & colleague Rohit duly pointed out, we celebrate it in October in Canada 🍁 which I find a bit odd. Someone once told me that the weather is far too cold this late in the season this far North for anyone to be celebrating anything to be thankful about. Yet, in the era of global warming, Montreal has yet to see its first snow while Paris, France (not Texas) has had a generous blanket of the white stuff.
And speaking of Texas, the authorization nerds hiding behind this newsletter will be headed to Grapevine, TX, nestled just north of DFW’s runway 18R (yes, there’s a Venn diagram of AuthZ nerds and Aviation nerds). This year’s North America edition is packed with many authorization-related sessions so, rather than scouring the web for the latest AuthZ news, here’s a curated list of talks worth tuning into. For the full agenda, follow this link. And if you need a discount code, try SAVENOW2024.
But, wait, what about the turkeys? And what do turkeys have to do with access control? Well, two lucky fowls eloped from their rafter/flock/gaggle (yes there are 3 words for a group of turkeys but only one school of fish), hobbled over to Washington, DC, and received a full pardon from the president himself, the AP is proud to report.
Now, on to Texas and the agenda.
Monday
Ask the Expert: IGA Integration With PAM, Access Management and IaaS. In this talk, Gautham Mudra, Sr Director Analyst, Gartner, will cover how identity governance and privileged access management integrate with one another. It’ll be interesting to understand how IGA and PAM cover “access management” and whether finer-grained authorization methods (think ABAC, ReBAC) will impact or even simplify IGA and PAM.
Workshop: How to Develop a Minimum Viable Architecture for IAM. Nathan Harris, Sr Director Analyst, Gartner, will show attendees what a practical IAM architecture looks like. It may sound trivial but it is fundamental for a successful IAM rollout. Just today, a customer reached out and asked what the best approaches for authorization are: the PEP/PDP approach; the provisioning approach; or the token-based approach. Nathan will help bring clarity.
Authorization Trek - The Final Frontier? Ok, shameless plug alert 🚨. My colleague Mark Berg (a jack of many trades) and I will take to the floor and talk about securing USS Enterprise. Is one policy enough to make sure Captain Kirk & crew live to see another day?
Building a Trust Fabric With the OpenID Shared Signals Framework. To talk about trust and shared signals, the stage will offer attendees no fewer than 3 stellar speakers: Felix Gaehtgens and Erik Wahlstrom, both VP Analysts at Gartner, as well as Atul Tulshibagwale, my co-conspirator at AuthZEN. Atul is also the chair of the OpenID Shared Signals and this presentation will be the perfect opportunity to learn the latest about OpenID SSF, CAEP and RISC, open standards that enable instantaneous event-based communication and, with it, real-time ITDR.
Technical Insights: Generative AI and IAM. Homan Farahmand, VP Analyst, Gartner. Homan is not only the host of this year’s conference, he’s also Gartner’s honcho for everything AuthZ. I’m keen to hear from him re. the use of AI for IAM. There are already a few AuthZ companies dabbling in AI: Axiomatics launched their policy companion while both Aserto and Cerbos wrote about applying AuthZ to RAG-based AI systems.
Technical Insights: Guidance for Policy-Based Authorization to Enable Zero Trust. Espen Bago, a new addition to the Gartner team, will dive right into the core of ABAC/PBAC (pick-your-own-acronym). This session will focus on available options and deployment models for mitigating risk through modern architecture patterns.
Tuesday
Guidance for Continuous Adaptive Trust to Enhance Your Identity Fabric. Ant Allan, VP Analyst, Gartner. Two words stick out: continuous and trust. While Ant’s presentation will focus heavily on authentication, I still see authorization playing a major role in establishing better trust and enabling continuous enforcement. Authorization also gives you the means to dynamically enforce access based on authentication types (think amr/acr).
Ant’s session reminded me of Ian Glazer’s session at Authenticate 2024 where he spoke of signals as a means to achieve fine-grained authorization leveraging authentication tokens & sessions. The video will be posted soon on FIDO Alliance’s YouTube channel. This ties nicely with the Shared Signals session on Monday and the following session:
Shared Signals Interop Demos: CAEP and RISC in Action. There are a total of 6 sessions on Shared Signals throughout Tuesday and Wednesday. Come watch live demos by implementers participating in the shared signals interoperability event co-hosted by the OpenID Foundation.
And speaking of interops, Omri Gazitt and I will run a similar event for AuthZEN at Gartner IAM in London (if only to spell authorisation differently, it had to be London).
Wednesday
Demystifying Identity Protocols: The Old, The New and De Facto. Mehmet Yaliman, Director Analyst, Gartner, has his plate full with many new standards in authorization alone: Shared Signals with CAEP and RISC, OpenID AuthZEN for a standard PEP-PDP interface, and the nascent IETF ALFA 2.0 for a policy language. I’m hoping to learn more about the other identity standards (OAuth transaction tokens perhaps) that are percolating up.
Ask the Expert: What Does Policy-Based Authorization Mean for Reducing Access Risk? Espen Bago, Sr Director Analyst, Gartner, will take to the stage again on Wednesday and allow attendees to ask questions about how to translate their access control requirements into policies that will work for them.
AuthZEN: the “OpenID Connect” of Authorization. This is as close as it gets to a closing session for authorization. Omri, Homan, and I will discuss the advancements in authorization standards and in particular OpenID AuthZEN. The session is quite timely as the proposal is on its way to becoming a standard.
Conclusion
Gartner IAM will be packed, just about as busy as your Thanksgiving dinner table. My advice? Save some room for dessert (pumpkin pie is my favorite) and come refreshed to Grapevine. The delightful Eve Maler will be hosting a fantastic BBQ party. Click here to register and get details. No, Peach & Blossom won’t be on the menu.
But speaking of dire news, SC Media recently revealed 1.5M individuals were compromised in a 2023 hack of Set Forth. More than ever, we need access control to mitigate the impact of such breaches.
On that note, I wish our American readers a happy Thanksgiving and the rest of us a wonderful work week.