Live from Identiverse 2018, the Digital Identity Conference, in Boston, MA! (Monday)


7:57 Good morning! Solutions Review is reporting live from Identiverse 2018 (formerly the Cloud Identity Summit) located in the heart of Boston, MA! We’ll be reporting live throughout the day, so keep an eye on this post as we update throughout the conference!

7:59 We’re currently in the Ballroom of the Hynes Convention Center awaiting the first Keynote of the Day “Identity’s Cambrian Moment: The State of Identity in 2018” presented by Andre Durand, Founder and CEO Ping Identity. He is also the chair of Identiverse.

8:09 Andre Durand begins his Keynote speech!

8:10 Andre Durand says digital identity is stronger than ever, comparing it to the Cambrian explosion of life.

8:13 Andre Durand says that digital identity is poised to overtake and subsume all other categories of digital security and/or cybersecurity. He also notes an explosion in investment in identity (if not seen so much in the security budgets).

8:15 Andre Durand notes the power and risk of biometrics in digital identity. He also speaks to the market size of digital identity and how cloud and mobile are changing that market size.

8:19 Andre Durand introduces Andrew McAfee, the next Keynote Speaker!

8:20 Andrew McAfee begins his Keynote Speech “Business Advice We Shouldn’t Believe in Any More.” He begins with the premise: technology re-writes the business playbook.

8:21 Andrew McAfee says the Industrial Age play in the current context would be to let the machines handle the routine work and let people make the judgement calls.

8:23 Andrew McAfee talks about Hippo decision making; that is to say decision making by the highest-paid person on the team. It seems he does not approve.

8:25 Andrew McAfee contrasts the Hippo with the Geek, the individual who uses both their intuition and logical, scientific exploration of the evidence. Mr. McAfee presents a study in which nearly half the time Hippo decision makers weren’t contributing to better decisions or were actively causing damage.

8:28 Andrew McAfee argues that we need to make Hippo decision-making endangered in favor of Geek. He compares the two to a game of Go.

8:30 Mr. McAfee discusses the victory of Go-playing AI as a sea change.

8:32 Mr. McAfee discusses the optimal opening moves of Go, and how certain moves indicate levels of competence and personalities.

8:34 The Go Playing AI made moves that seemed sub-optimal, and yet won handily. Technology is not only changing the playbook, it is demonstrating better judgement in fields humans have studied for thousands of years.

8:37 Andrew McAfee talks about the power of the crowd–the legions of people available online to lend their collective wisdom and knowledge.

8:40 Mr. McAfee discusses the power of the crowd to develop better solutions, faster and more accurate than ever.

8:42 Crowd energy is going in unexpected directions, like building drones.

8:44 Crowd-generated sources are generating better results, and opening up opportunities. The crowd is surprisingly wise.

8:46 Andrew McAfee, presenting at Identiverse 2018, speaks about the old wisdom that stated that industrial structures determined success. He also notes that there are far more buyers than sellers in plenty of industries. He notes that Steve Jobs, in the first year and a half of the iPhone, wouldn’t allow users to download apps not developed by Apple. While that makes sense from a certain perspective, it threatened to stall Apple’s success.

8:50 When a platform to bring buyers and sellers together is built, then sellers and buyers tend to be closer to equal in numbers. Smartphone manufacturing is a rough market, with Apple carrying 103% of the profits.

8:52 Andrew McAfee begins discussing industrial transportation: Uber, Lyft, bike-sharing, etc. all made possible by information-sharing devices.

8:54 In his Identiverse 2018 Keynote, Andrew McAfee notes that he didn’t think at first that group exercise would be affected by digital technology. He then discusses ClassPass, which tries to replace the brick-and-mortar gym by connecting teachers and students of kickboxing, yoga, etc. Studio owners can fill their empty spaces by giving them to ClassPass members. It demonstrates network effects and demand side economies of scale. It also demonstrates, according to Mr. McAfee, control of user interface and user experience.

8:59 The advantages of a platform also include crowd-based discovery, control of the ecosystem, and data and algorithms for matching, pricing, personalization, and trust. Platforms can make ideas that seem untenable on the surface profitable, like AirBnB.

9:02 Andrew McAfee begins his wrap-up of his Identiverse 2018 Keynote speech by providing his new business playbook: the division of labor between minds and machines is shifting rapidly, and the crowd is (usually?) more capable than the core.

9:04 Ping Identity Chief Marketing Officer Brian Bell formally welcomes conference-goers to Identiverse 2018.

9:12 Identity as a business process seems to be the underlying theme of the first few Keynote speeches here at Identiverse 2018. Perhaps this isn’t much of a surprise. Identity management does mean better personalization, UI experiences, and facilitated transactional processes, especially from a CIAM perspective.

9:21 We’re waiting now for the first break out sessions to begin.

9:23 The first break-out session we’ll be attending is “Going from Strategy to Execution in your Enterprise Identity Transformation” presented by Jon Lehtinen.

9:30 Jon Lehtinen begins his Identiverse 2018 breakout session. Opinions he expresses are his own. Identity offers a security perimeter, enabling zero-trust, improved customer experiences, and a competitive advantage for B2B via identity control retention.

9:32 Identity strategy is easy, but the execution is the challenge. This applies for new services, new support, architecture, operations, integration, and legacy support. Additionally, it can be hard to tell when you are “done” when it comes to identity execution.

9:34 Lehtinen first says you must define the baseline IAM service. You can’t transform unless you “muck the proverbial stable.” Who offers the services at your organization? Who are your customers? Who are your partner vendors or 3rd parties?

9:37 Next, document your present state. How are you delivering these services now, and how are they being consumed?

9:39 Add new high quality services. Part of that is consistent execution.

9:40 Design your services to be self-service or automated, as it will reduce friction and lower costs for identity management platforms. Ask yourself: what is the effort baseline? How much effort will it be to build up new services and to maintain them? What could the future effort be?

9:43 The old manual processes are clunky, unwieldy, and outdated. The self-service option is much smoother and can be a minimal process to achieve parity of features.

9:46 Automation can’t solve everything; there can still be issues with onboarding, offboarding, new client identities, etc. Governance is a huge consideration.

9:47 Containment is not Decommission. Containment means the old ways will stop being acceptable for new requests. Use levers the business understands to drive adoption. 

9:50 Collapse the Old Stuff. Lehtinen points out that enterprises are reluctant to do so, but without true decommission you shoot your transformation in the foot, limiting new solutions’ effectiveness.

9:50 The final step is to start iterating. Iterate service improvements through product management. Run your IAM as a product, manage communities in your enterprise, have a Q&A, etc. This will help you determine the most important assets and features, not just the noisiest ones. The most impactful features will be the ones requested by your “customers” and you should think of them as customers in this regard. 

9:53 Form a true identity partnership within your business. Identity enables new business capabilities, including security. Keep going until time, budget, or executive attention run out. But if you have done your identity transformation right, you don’t need the same budget or attention as you once did, according to Jon Lehtinen at Identiverse 2018.

10:02 Sitting down to hear Mary Ruddy, Research VP at Gartner, at her break-out session “Choosing the Right Consumer IAM Solution”.  

10:03 What is CIAM? Mediating digital relations with your customers, via connection (SSO), collection (collecting data for personalization, and determining bots from people), and protecting that information through governmental compliance and from theft.

10:05 You need to be architecting for scale, and elastically respond to issues. Response times need to be low. You also need to be able to collect new data at any time. CIAM also needs to provide a smooth user experience to avoid driving customers away.

10:06 CIAM also hinges on the fact that you don’t know your prospects, yet you can’t ask everything you want to know about a customer upfront since that will alienate them. Ask the right questions at the right times.

10:07 What initiatives are driving CIAM innovations? The need to unify the user experience, to replace homegrown systems, to streamline operations, to facilitate new digital business initiatives, and to obtain a 360-view of customers.

10:09 IAM is sensitive to compliance initiatives more than any other cybersecurity solution. GDPR is the big one, but there are other initiatives in Canada and China.

10:11 Omni-channel customer experience. The call center needs to know about customer issues before the call comes through. Mobile device experiences need to be optimized. Can’t just enable access, but how that access will fit into your current channels.

10:12 Consider layered experiences for digital assistance.

10:13 Integration with customer data sources (including CRM) is an essential feature of CIAM solutions. It must also provide Consent and Preference Management. According to Mary Ruddy of Gartner, security is becoming more challenging. Static authentication isn’t going to keep information safe from the high-tech hackers. We need to move to more dynamic identity corroboration. Transactional knowledge can be much more secure.

10:17 Mary Ruddy of Gartner presents a Venn diagram of CIAM vendors and their pedigrees.

10:20 Mary Ruddy of Gartner presents CIAM Vendor Deployment Approaches.

10:28 Mary Ruddy of Gartner wraps up her break-out session at Identiverse 2018 on CIAM.  With these assets, the question becomes: is a CIAM Magic Quadrant forthcoming? CIAM is a consideration in the Access Management MQ report, but will it break out into its own category?

10:34 Getting ready for the next break-out session here at Identiverse 2018. This time it is “IoT and Identity Standards: Advanced Identity for IoT” presented by David Waite of Ping Identity.

10:45 David Waite of Ping Identity begins his break-out session on IoT and Identity Standards. IoT Architecture, proposals for bringing more identity into IoT, the standards for that, and future technology approaches are all on the table. David Waite is the Principal Technical Architect in the CTO office of Ping Identity.

10:46 The hierarchical architecture of IoT deployment is discussed. IoT devices typically don’t talk to each other, and may have power and connectivity issues. Also discussed: the edge environment, which may be part of the local environment. Data processing volumes may be beyond internet feasibility. Yet the Edge may still talk with the Cloud, creating a central point of administration.

10:50 David Waite discusses the hypothetical deployments of IoT devices from the Cloud, with the most likely scenario being that each device has its own structure and cloud connection separate from the other IoT devices. Communication between the devices is unlikely if not improbable. Integration can result in new compromises and new deployment issues.   

10:53 Mesh Networking is discussed. Messages in this network must be encrypted, authenticated, and each IoT device needs to be able to authenticate messages to decide whether to send them on. This is where we first see the need for each thing to have an identity that all others recognize.

10:56 David Waite discusses peer-to-peer networking, where a thing may interact directly with another thing without going to the edge. It too requires understanding a message sender’s identity and authorization.

10:58 Other potential requirements include non-repudiation of messages–the need to know sensor data wasn’t modified or omitted later.

10:59 David Waite begins discussing the standards of IoT identity. Mentioned are proof of possession tokens, security events, JSON web tokens, and more.

11:02 The focus of standards seems to be tokens and tokenization for authentication protocols. The tokens can be static or flexible depending on the kinds of access needed. Of interest are security event tokens, which leverage JWT to create self-contained, secured messages. They are meant for interoperability across enterprises and vendors.

11:10 David Waite concludes his presentation on IoT and Identity.

11:18 Should identity professionals own security? Experts such as Heidi Wachs, VP of Stroz Friedberg (an Aon company) say the answer might be no during a panel on this very question at Identiverse 2018!

11:20 The panel discusses the information secured by users. That information has become a first-class resource that needs to be protected. CISOs and Identity Professionals can and do butt heads on approaches. The struggle between the two may have come to a head, but it is long-standing. Security may be a broader topic than just identity, even though identity must be a (or the) key component of it. But the misuse of identity in a security context is very possible.

11:23 Should identity professionals be subsumed by the security professionals or vice versa? The panel discusses the ethical links between identity, privacy, and security. Identity professionals might need to widen their scope on how identities are used. 

11:29 Much like bad laundry, GDPR returns to the front of the conversation. Legal needs to be part of the conversation if the question comes to industrial espionage and the anonymization of medical data.

11:34 Josh Alexander of Salesforce asks if there are best practices the panel experts recommend. Of note in the answers: prepare for and expect a breach. Have an incident response plan before a breach occurs, says Heidi Wachs. Ask yourself what is identity data, what gets stored, who makes those decisions? Make the answers you find formal–make it a part of the incident response plan.  The incident response plan can be simple, but it needs to exist.

11:41 The panel is wrapping up, and the attendees of Identiverse 2018 are going to lunch. We’ll report on any meaningful interactions we have before the afternoon keynotes!

12:05 The Solutions Review Team is at the Simeio booth on the Identiverse Floor. Currently, we’re listening to their presentation on the Benefits of RPA. The benefits include reduced human errors, improved compliance, improved customer experiences, and higher engagement (40%-60%) reduction in average handling.

12:13 We spoke with Tim Jester of Simeio:

SR: What are the common concerns and interests you are seeing from the attendees at Identiverse 2018?

TJ: One of the common points is the shift to microservices, primarily. We’re focusing on RPA but we haven’t seen the engagement on that yet.

SR: I spoke with some of the other members of your booth, and it seems that some of the attendees aren’t reaching out to learn the distinctions between the different IAM vendors?

TJ: Yes, that speaks to a recurring question in identity: Is identity still an IT tech problem or is it a business problem? The ownership of identity is still up in the air.

SR: That’s interesting. I just came from a panel that said identity professionals shouldn’t take ownership of security.

TJ: I agree with that. Identity professionals should be solving business problems, and security is a business process. Security is a byproduct of efficiency. Focusing on just one aspect at a time results in competing technologies.

SR: Thanks, Tim Jester of Simeio!

12:15 We spoke with Naynesh Patel on RPA and how it can reduce human error:

NP: Think about a help desk. You need to get new access, so you take a ticket at the desk, and request the same privileges as Shawn. Well, the help desk doesn’t know Shawn, so they have to research him. Maybe they get the wrong Shawn, or maybe Shawn’s access isn’t quite what you need. There is a lot of data to sync. With RPA you can make data-driven decisions that forgo human error–no misspelling errors with the machines.

12:33 Shawn Keve, Executive Vice President of Marketing at Simeio, spoke to us of a recurring problem: how small teams have to handle 15 solutions at a time in the old-fashioned model, spending 3 months researching and two million dollars in a month on a deployment that may or may not fail. Failure is not an option, so get IAM as a service.

12:58 We’re outside the Ballroom of the Hynes Convention Center in Boston, MA at Identiverse 2018. We’re awaiting the doors to open for the afternoon keynote speakers: Ian Glazer, VP of Product Management at Salesforce and Andrew Hindle, Content Chair of Identiverse 2018.

1:05 Looking at the schedule it appears they will be giving a joint keynote entitled “Our Secret Strengths: The Skills of an Identity Professional.” How intriguing!

1:18 Brian Bell of Ping Identity returns to the stage! He says that at the heart of identity is, of course, the identity professional. But what are the best practices that an identity professional needs to know? What is the body of knowledge they need to have? These questions have not been answered…yet.

1:20 Ian Glazer takes the stage!

1:21 In his Identiverse 2018 Keynote, Ian Glazer says: It takes professionals to make IAM happen, each with their own strengths and skills. Knowing these skills is meant to help foster the strengths of your teams and in yourself. This Keynote is about thinking about skills, and will feature an IDPro survey.

1:23 Humans will downplay skills we do have and inflate skills we don’t have. We need inner honesty and outer voices.

1:25 Ian demonstrates a graph about the different levels of skills and corresponding levels of public awareness, and how they create public understandings of skills.

1:27 Ian outlines the nature of impostor syndrome when it comes to skills, and how it can feel like skating on thin ice.

1:29 We all have skills in all levels and levels of awareness and no one is perfect in all their skills. We may attribute perfection to others by ignoring their issues, but no one has all Attractor skills.

1:32 Ian Glazer speaks about his own impostor syndrome issues, even as he outlines his own strengths and weaknesses on his graph. He admits to being freaked out at being called an expert. What he needed to hear (every time) was: “The last thing you are is a fraud.”

1:35 Talking about skills is really hard, according to Ian Glazer.

1:40 Ian Glazer introduces Andrew Hindle onto the Identiverse 2018 stage!

1:41 Andrew Hindle discusses an IDPro survey he conducted with Ian on IAM professionals. Key takeaways include the differences between the needs of small businesses and large enterprises, the speed of growth in the identity industry, and 27% of professionals said they still don’t feel proficient as an identity professional.

1:45 72% of identity professionals said the top non-technical skill they possess is lateral thinking. 52% said business awareness.

1:46 What would identity professionals have liked to have had? Mentorship and feedback, vendor neutral technical training materials, and networking, among others.

1:47 Ian Glazer returns to talk about finding your own skills. Ian Glazer also discusses IDPro membership for developing skills.

1:50 Andrew Hindle returns to introduce a surprise addition to the schedule: Kaliya Young. Ms. Young is best known as The Identity Woman among industry experts.

1:51 Kaliya Young discusses her research on databases and the Domains of Identity. Domains include user-centric and self-sovereign identities, government registrations, civil society registration, commercial registration, etc.

1:55 One domain of identity that is not covered often is surveillance, which can include cookies and sousveillance (people watching the watchers, if you will).  It can also include employment surveillance.

1:56 The last two domains are the data broker industry, which aggregates and sells data, and the black market. Kaliya Young discusses how you can collaborate with her research.

2:06 Just managed to slip into the break-out presentation “The Cake Is Not a Lie – Using Cloud Services to Improve Your Security Posture” by Laura Hunter.

2:09 Is the default security posture of no really acting in the best interests of the enterprise? Is a no trust, zero-trust environment actually removing identity professionals and InfoSec from the conversation? Tough questions from Laura Hunter at her break-out presentation. 

2:13 Laura Hunter is a Principal Program Manager in Microsoft’s Cloud & Enterprise Security division. She just pointed out that the “hard no” actually keeps new technologies from being brought effectively into security policies and monitoring. It makes you less secure than working to better secure cloud adoption or Dropbox, etc. They will be adopted anyway–employees will seek out easier solutions and will get them even without your consent.

2:18 Laura Hunter quotes Ian Glazer–It is better to be a part of the business conversation rather than apart from it. We need to move away from the draconian approach. The question is how to implement the right controls on the right things at the right times.

2:21 Laura Hunter states a common truth in InfoSec: “Defenders need to be good all the time. Attackers only need to get lucky once.” Laura Hunter adds an asterisk: this only applies if you are going it alone. If you have a cloud services provider on your side, suddenly you are not alone. And the results show that this can have a real, tangible effect. 

This concludes our live coverage of Identiverse 2018 for today. We’ll be back tomorrow for more live coverage of the break out panels, floor booths, and keynote speeches in a separate article. Stay tuned!

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.