The Week in Identity

This week hosts Simon and David review a range of topical news events in the global identity and access management space. First up BeyondTrust have a definitive agreement with Entitle to combine up PAM and IGA. Cisco appear twice..once regarding a breach on Duo MFA service and another regarding their new solution launch - the Hypershield. A discussion on definitions before a quick comment on the new CEO at SecureAuth.

This week Simon and David tackle several topics in the governance space - how NIST Cyber Security Framework got a rev to v2.0, with the addition of a governance stage, are Privileged Access Management and Identity Governance & Administration convergence and a review of some CISO spending habits by investment firm Nightdragon.

This week Simon and David focus on a new raft of pending acquisitions. They discuss the impact of SecureAuth and Cloudentity joining forces as well as news that Entrust are in talks to buy OnFido. They also cover the announcement that Cisco has launched a new Identity Intelligence offering hot on the back of acquiring ITDR vendor Oort in 2023. They finish up by taking a look at an emerging technology trends report released by Mastercard. Is Data security the next big IAM integration story?

This week Simon and David take a look at the recent announcement that Okta are laying off 400 staff globally. Is this part of a broader tech slow down? They discuss some of the trends from 2023 with respect to staff attrition and the impact that has had. With funding still high for IAM and cyber what does 2024 have in store?

This week Simon and David review the 40 page Global Cybersecurity Outlook 2024 report released by the World Economic Forum.

This report covered 49 countries with over 200 respondents from a range of organisations. The report covered cyber resilience, inequity, emerging technologies such as generative AI, the role of cyber regulations, how to engage strategic leaders with respect to cyber risk and strategy and the role of changing geopolitical tensions and the impact on private sector cyber risk.

Cisco's 2023 purchase of Oort;

Okta's acquisition of Spera Security;

Delinea's acquisition of Authomize.

What do those acquisitions have in common? Will there be more? Is cyber and IAM now becoming one thing? Other predictions include consolidation within passwordless authentication, the rise of workload identity.

This week Simon and David review the recent Blackhat EMEA 2023 event that was held in London. They discuss the recent CEO change at Imprivata - and what means for their plans going forward. With respect to Blackhat they discuss the role of the CISO - is it becoming difficult to hire and be successful? Other Blackhat topics included a keynote by the UK's NCSC CTO discussing the asymmetric adversarial threat, password managers on mobile and how they "Autospill" credentials, the tampering of patient records and is data integrity now more important than confidentiality?

The Cyber Hut Blackhat review is here.

This week Simon and David return to Okta - to uncover more about details on their recent breach. They also discuss their recent Q3 results and are Microsoft their only competitor? They also discuss a recent complex attack involving customers of Booking.com - and cover push payment fraud, ATO, complex supply chains and protecting trust boundaries.

After a couple of weeks off, Simon and David return for an hour long special. They review the recent Security and Risk Management event in Washington DC hosted by Forrester where the topic of identity and cyber convergence appeared. They comment on the recent Okta breach and what that means for the world of complex software supply chain attacks and the rise of identity security, ITDR and identit security posture management. They also review the London version of the Ping Identity Youniverse series of events.

This week Simon and David were in sunny Carlsbad, San Diego for the latest Authenticate conference hosted by the FIDO Alliance. In this episode they review the main topics of the event, taking a look at passkey deployment maturity, KPIs, biometrics, threat models, adoption patterns as well as orthogonal topics such as machine identity, crypto agility, IDV + converged identity assurance.

This week Simon and David take a deep dive look at a recent cyber security advisory that was released by the NSA and CISA recently. This top 10 list covers a range of issues from default credentials, excessive permissions, a lack of networking monitoring and segmentation as well a lack of MFA and poor credential management. Simon and David apply their identity lens to the top 10 and what it may mean for your organisation.

This week Simon and David return to discuss a recent cyber attack against the hospitality chain MGM resorts - that leveraged social engineering, credential theft and more. Are attacks against complex digital entities now standard practice? They also return for part II of the ForgeRock and Ping Identity integration and discuss a recent article by David and a market choice poll by The Cyber Hut.

After the summer recess, Simon and David return for another Week in Identity catch-up. This week...heavily influenced by some recent acquisition activity...they discuss Tenable buying CNAPP/CIEM provider Ermetic, a rewind to Cisco buying ITDR vendor Oort and a detailed discussion on the uncertainties surrounding Thoma Bravo adding ForgeRock to their stable. They also discuss the further rise of Identity Security and a recent release by Okta's Defensive Cyber Operations team on a recent attack.

This week the US Security and Exchanges Commission announced rules requiring organisations to handle cyber breach notifications, risk management and expert cyber personnel in a different way. Simon and David delve into the implications of this. Why have organisations been reluctant to notify on breaches historically? A lack of detection? A lack of incident response playbooks? A lack of expert personnel? What is the end goal of such regulation? What will success look like in the short and long terms? Clearly a move towards a more risk based approach is the ideal outcome but why has the market failed for cyber security? What are the three V's of threats?

This week Simon and David discuss the recent acquisition of Oort by Cisco, which finds them discussing the entire ITDR space - who is the buying persona and what problems will it solve? As always technology isn't always the answer and we mustn't forget the human element. They answer an audience question focused on Microsoft - and will they start to dominate the IAM space? They also remember the passing of hacking pioneer Kevin Mitnick.

This week there is a special guest on the podcast. Eric Olden CEO at Strata joins Simon for a discussion. They cover a broad and meandering set of topics focused on Eric's journey to being a multi-company founder (his first startup was at age 23..), contributing to the SAML specification and how he is now focused on identity orchestration at Strata. What is orchestration? Why is it needed and how the rise of the hybrid cloud landscape is here to stay. They deep dive into IDQL, identity integration recipes and how the rise of the AI co-pilot may save us all.

This week Simon and David took a meandering look at the last weeks most eye catching events in the world of identity. They had a quick recap of Infosec 2023 held at the eXcel in London, where the topic of data level encryption, data origin authentication and integrity caught Simon's eye. They discussed a recent vulnerability found in deployments on OIDC in the Microsoft world as uncovered by Descope called NOAuth - which essentially was caused by poor verificaiton of OIDC id token claims. They finished off by discussing the world of generative AI and how that is impacting the world of fraud, content, biometrics, misinformation and more...

This episode, sees The Week in Identity have another specialist guest: Bojan Simic, Co founder and CEO of passwordless specialists HYPR. Simon and Bojan delve into Bojan's story from being a computer science graduate to entering the security world pen-testing in New York and working with some of the world's largest financial services institutions. From there the inspiration to rid the world of passwords started to take hold...and ten years later, seeing HYPR as a leading passwordless authentication provider. The topic covers a range of fascinating subjects, from the perfect storm of FIDO, mobile biometrics and secure hardware storage, through to how to create strategies for mass passwordless adoption based on nudge-theory, gamification and stakeholder buy-in. They also cover success criteria, AI and what the future may hold for IAM...

This week Simon and David discuss the recent Identiverse conference as well the Gartner Security Risk Management summit that happened shortly afterwards. They delve into the world of passkeys (again), verifiable credentials and modern architectures and how we're moving to an industry education maturity model, where organisations are going beyond knowing what a technology is, to how to get started and derive value. They also discuss the concept of "minimum effectiveness" as it pertains to technology, expertise, friction and insights and that essentially having too much identity and access management "stuff" is often a precursor to complexity and failure.

This week Simon and David review the recent Heliview IAM Conference that took place in the Netherlands. The main topic for the day was the rise of the identity fabric (or mesh) and how this can enable the modern organisation with a range of agile IAM components that supports both business and security use cases. Simon presented a keynote on the future of IAM - using some research from The Cyber Hut focusing on where IAM may look like in 2028 and beyond...

They also discussed the need for people, process and technology integration, in order to map the existing IAM landscape to future investment and metrics.

They finish off by discussing the rise in cyber threat reports that have emerged in the past month that all have a very strong reliance on IAM - and why ITDR is a process not a product.

Cyber Threat Reports:

• Joint Cyber Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
• CISA Advisory: Hunting Russian Intelligence “Snake” Malware
• Permiso Security: Unmasking GUI-Vil - Financially Motivated Cloud Threat Actor

This week Simon and David tackle a range of news items including: Radiant Logic completing the acquisition of IGA vendor Brainwave; Authorization vendor Styra getting a new CEO and Auth0 (by Okta) releasing v1.0 of a new open source authorization project called OpenFGA. They also tackle the question of whether we need to see Chief Identity Officers in the board room and how zero trust is essentially driving the demand for authorization platforms.

In this week's episode, Simon and David are joined by Alex Bovee the CEO of https://www.conductorone.com/ - a next generation identity security and IGA provider. They cover a range of topics including the adoption of cloud services and the impact on security, the cloud shared security model, the left shifting of identity risk from being detection focused to preventative, reducing access reviews to focus on exceptions only, how the security world is taking on more IAM capabilities and knowledge and the introduction of a new open source project called Baton - to extract and manage identity data.

This week we hear from a special guest as Simon has a great conversation with 1Kosmos CEO Hemen Vimadalal.  They start off at the beginning...going back to 2003/4 when Hemen helped setup identity certification and role management startup Vaau - which later became Sun Role Manager, then Oracle Identity Analytics.  From there Hemen continued on the entrepreneurial journey to setup Simeio Solutions - a 1000 strong identity advisory and managed services player, before moving on to setup 1Kosmos - a software vendor aiming to tackle the usability and security dilemma by linking identity proofing to passwordless authentication.  An insightful discussion that covered identity governance and administration, trust boundaries, the rise of different identity personas, data breaches, privacy and identity based authentication.

This week Simon and David review the recent eCrime summit that happened in London, where the topic of ChatGPT was discussed.  Is it just for the bad guys?  Can the good guys benefit too?  Where is that heading? Identity Threat Detection and Response vendor Authomize released a new project called OpenITDR - what is it and what is the benefit?  Identity visibility seems to be in vogue this month too..with both Radiant Logic and Ermetic making product releases that focus on joining up data in the identity ecosystem.

This week Simon and David review some interesting moves in the identity governance and administration space.  First up Saviynt raised $205 million (along with founding CEO Sachin Nayyar returning as CEO after a stint at Securonix) to bolster their Enterprise Identity Cloud offering.  Next up they discuss Radiant Logic entering into a definitive agreement to acquire French IGA specialist Brainwave GRC.  What does this tell us about the global IAM and IGA space?  Where will they head to?  Will more funding and acquisitions happen in 2023?  They also review SiberX CISO Forum in Canada and the Future of Cyber conference held in the UK.

This week Simon and David discuss a $26 million series B round for identity orchestration vendor Strata.io. What is identity orchestration, why is it a problem today and how can it be handled within the enterprise?  What is IDQL and what are recipes?  A discussion on a recent consent breach at Home Depot in Canada saw the Canadian Privacy Commissioner got involved. They also review a recent poll covering our favourite biometric, which spawned a discussion around identity based authentication (see 1Kosmos and keyless.io for more on that).  They also delved into the world of IAM maturity assessments...

Welcome to the first episode of 2023! After a short festive break, Simon and David are back to bring you the latest industry analyst views on a range of different identity and access management topics.  This week, they have a special guest: Kristian Alsing - a Senior Cyber Security and Business Resilience Executive - with 20 years experience working for the likes of Accenture and Deloitte.  Kristian recently wrote a great guest article for The Cyber Hut on NIS-2. In this episode the guys cover a range of topics relating to regulation and the role of IAM - covering critical infrastructure, the ever increasing supply chain and the rise of destructive attacks in waiting!

This week Simon and David bring you another dose of analyst insight and opinion on the world of identity and access management.  This week they discuss how HYPR received a $25 million funding round to rid the world of passwords; a discussion around how identity is now foundational for zero trust - and how the US DoD released a reference architecture for zero trust and what that means for identity - and an interesting poll result, on the question "Would you pay for privacy?".

This week Simon and David discuss a funding round for secrets management startup Akeyless who this week announced a $65 million funding round.  The need for secrets, machine identities and service credential management is on the rise and Akeyless are aiming to securely automate this area.  IAM platform player ForgeRock also announced this week, they were launching a cloud based identity governance and administration (IGA) service.  The world of IGA has been dominated by on-prem solutions.  Can ForgeRock make a difference?  They round out this weeks chat, with a review of the Future Identity two day festival that happened in London this week.  Simon hosted a panel on mobile authentication - launching a riff on biometrics, privacy, identity based authentication and more...

This week Simon and David met up face to face at the Whitehall IDM Conference in London.  This one day event covered a host of topics, case studies and vendor pitches.  Simon and David pick out the best and most interesting aspects focused on the rise of AI+ML in authentication and IGA - asking the question is identity becoming a big data problem?  They discuss the emergence of machine and service identities - what it is, who will own it and how it works.  They cover cyber insurance the ever growing need to articulate the business case for IAM and how identity for zero trust architectures is for small and large organisations alike.

This week Simon and David continue the conversation around identity and access management deployment patterns.  Identity is broad and can be deployed in many different ways - yet buy side decision makers and vendors alike often misunderstand the nuances seen in the difference between SaaS, PaaS, IaaS, Managed Services and the classic on-premises.  The Cyber Hut released a free open source article this week outlining the definitions.  Identity Threat Detection and Response startup Oort received a $15M round this week - Simon and David weigh in on identity funding and the rise of ITDR in general.  And finally German based identity consultancy IC-Consult acquired fellow specialists Kapstone to make an 800 strong private consultancy practice.

This week Simon and David discussed the ever growing question around identity and access management deployment models that arose from Simon's recent trip to the Identit.eu consumer identity event in Belguim.  What are the options?  How do practitioners decide between the vast array of choices from private cloud and on-prem through to SaaS.  Do they really just need a managed service if a SaaS offering becomes too hard to customize or perhaps can't connect to on-premises data? They also check in at the mid-point of the latest The Cyber Hut poll that is running - seeing where AI/ML will have the biggest benefit in the IAM industry...

This week Simon and David do a deep dive riff on that old age chestnut...authentication!  Uber has recently been in the news regarding a data breach...one seemingly executed by using an MFA Bombing attack technique.  Could it have been stopped?  What options are available?  They then discuss a recent LinkedIn poll run by The Cyber Hut asking why are we not using passwordless authentication....tune into hear the midweek poll results.

This week Simon and David take a look at three large recent data breaches - that had some interesting meta-characteristics.  Firstly...all are key suppliers of technology to organisations outsourcing key components of their business infrastructure.  Is it that hackers are getting more bang-for-their-buck by attacking suppliers?  Secondly the attack characteristics all focused on identity - with phishing based attacks based on SMS and Push MFA the main entry point.  Details of the breaches discussed on the podcast can be found here: Twilio, Cloudflare and Cisco.

This week Simon and David briefly discuss the emergence of the legal profession into the world of cyber and identity and how privacy is making advertising waves by the likes of Samsung and Apple.  They also review the latest acquisition of Ping Identity by Thoma Bravo and what that may mean to both Ping (and Sailpoint!) and perhaps the rest of the IAM market.

This week Simon and David discuss the recent acquisition of European identity and access management for B2E and B2C OneWelcome by French giants Thales.  This week also saw an interesting partnership between passwordless authentication startup Transmit Security and global heavy weights Microsoft - with Transmit bolting into their Azure AD B2C offering.

This week Simon (David's on holiday!) took a quick peek at some interesting blog entries that appeared.  Ubisecure provided some insight into hybrid cloud deployments, 1Kosmos told us more about "Identity Based Authentication" as a pillar of zero trust and Trulioo discussed how risk assessment should be a part of identity onboarding.  In other news Ping Identity announced a partnership with Microsoft and Workday to work on a profile for verifiable credentials and JWT and identity based access control startup Cyolo.io announced a $60 million series B round.  Finally an April article by Palo Alto's Unit 42 on cloud based threats also caught Simon's eye.