What will 2024 hold for the authorization industry?
Welcome to the “Authorize” clipping service, a precursor to an upcoming “Authorize” conference. This service is provided by volunteer authorization nerds who want more people to know about all the cool stuff that’s going on in the authorization world! Here’s all the news you need to know:
Round-up of 2024 prediction articles that touch on AuthZ issues
Cloud CISO Perspectives: Our 2024 Cybersecurity Forecast report | Google Cloud
2024 Cybersecurity Predictions from Industry Experts | Solutions Review
“Just Implement MFA Already!”
Conference News
Call for Participation! CAEP Interoperability Event at the Gartner IAM Summit, UK
Demonstrate the interoperability of your CAEP / SSF implementations at the Gartner IAM Summit in the UK, which will be held on March 4-5, 2024.
The next ACM Conference on Computer and Communications Security takes place in Salt Lake City in October 2024, with its first submission deadline coming up on January 24, 2024.
The buffet extravaganza that is RSAC 2024’s early-bird deadline is January 12, 2024.
The self-curated moveable feast that is IIW 38, April 16-18, 2024, also has its early-bird deadline on January 12, 2024.
Interesting Headlines
IAM enhancements to make Databricks readily accessible to your users [Dec 20, 2023]
Authentication improvements on AWS for Databricks users, integrations with PowerBI & Tableau, and authorizing robot or service accounts as principals.
Also recaps their best practices for managing access at their conference from July 2023.
Four cybersecurity startup dilemmas | Venture in Security by Ross Haleliuk [Dec 20, 2023]
Ross has an incisive hypothesis about why cybersecurity startups aren’t offering simple, easy-to-use, security solutions for the “rest of us.”
Founders come from sophisticated businesses and are most familiar with enterprise-scale problems; solving those with cutting-edge innovations takes time and money, so they can’t be bootstrapped; building trust with big customers requires even more capital; and rising valuations can rule out exits for cheaper products that would serve small and medium businesses.
FOSDEM’24 published its IAM track [Dec 19, 2023]
Hacker News was abuzz about the hundreds of talks at the immense open-source bash in Brussels on February 3-4, 2024. Some of the most relevant tools for our community appear on the IAM track, including SpiceDB, FusionIAM, FreeIPA+Keycloak, and MidPoint IGA.
2024 Cyber60 Report | Fortune and Lightspeed Venture Partners [Dec 15, 2023]
Inaugural effort spotlights IAM as the #1 opportunity to improve policy automation, identity lifecycle, privileged access, and natural language interfaces. Startups in the spotlight included Cerby, ConductorOne, Descope, Grip, Opal, P0 Security, Semperis, StrongDM, and Veza. (PDF)
A Cheat Sheet to Database Access Control: MySQL | The New Stack [Dec 18, 2023]
Startup Apono.io published its first installment in a forthcoming series highlighting their just-in-time authorization platform for dozens of databases. It’s not enough to block access to buckets or backups, you have to manage access to tables, too…
Boosting faith in the authenticity of open source software | MIT News [Dec 11, 2023]
MIT researchers led by Prof. Karen Sollins and Chainguard published a new way to protect developers’ identities by integrating OpenID Connect into Sigstore using zero-knowledge proofs.
Speranza replaces conventional digital signatures that use public email addresses with “Identity Co-commitments” that can still establish continuity across releases over time.
Accenture takes an industrialized approach to safeguarding its cloud controls | CSO Online [Dec 11, 2023]
Applying the “Toyota Way” to developing and deploying new security policies centrally actually improved developer velocity.
Accenture CISO Kris Burkhardt said “we knew we needed to manufacture, if you will, these controls at scale,” using Prisma Cloud to integrate every stage from research to deployment and compliance auditing.
How to build a comprehensive testing pipeline for authorization code
Policy as code is a relatively new phenomenon and we’re at a loss for best practices. When’s the right time to validate syntax? Where should you test authorization logic? How can you incorporate a shared authorization service into an integration test suite without creating contention? In this series, we’ll tackle these questions and show you how to build a comprehensive testing pipeline for authorization code.
OpenID Community Representative and Corporate Board Member Elections: The OpenID Foundation invites all members to vote for two community representatives to the OpenID Board, and invites all corporate members to vote for two corporate board member representatives. The corporate board member election is conducted by email.
Why I Chose Google Bard to Help Write Security Policies
We tell people how to protect themselves in plain English — so why not tell computers to “Do What I Mean” too?
Android game dev’s Google Drive misconfig highlights cloud security risks
A million here, a million there, pretty soon we might be talking about real breaches of trust?
Will Japan’s Personal Information Protection Commission consider authorization policies as broad as “Anyone with the link” obscure enough to be secure?
23andMe tells victims it’s their fault that their data was breached
The podcast “Authorization in Software” from Auth0 is very insightful!
How OpenID Connect works (illustrated) sparked discussion on HN with gems like:
“it feels like nobody has actually managed to make this easy for developers yet.”
“I hand-wrote the largest OIDC deployment in the world […] It is awful.”
______________________________
If you’re an authorization nerd and an IDPro member, join our discussions in the IDPro Slack #authorization channel! Want to help write this newsletter and organize the conference? Find Sarah Cecchetti on LinkedIn and ask for an invite.