While 2024 was my first time attending Identiverse, I’ve been attending to the architecture of Las Vegas since at least 1984. Only later did I realize that all the bright lights and bravura fakery of the facades along the Strip had already been put into perspective by two powerhouses of postmodernist architecture in Learning from Las Vegas. What Denise Scott Brown and Robert Venturi learned alongside their students in 1972 influenced iconic buildings for decades to come, into the 1980s and 1990s.
While I hope it won’t take that long for developers to deploy policies and permissions, it will still take me many more issues to evaluate everything I learned in Las Vegas about AuthZ architecture. In the meantime, the Caesars Palace-worthy bacchanal has already bounced to Berlin at the Kaiser’s Platz for the European Identity Conference this week. So let’s dive right into all the news that’s authorized to clip…
Is Identiverse already an AuthZ affair?
Authorization was all over Identiverse this year, right from an awesome AuthZ happy hour before the show started, straight through to the crescendo of a closing conference keynote on The Future of Authorization. There were some slots where several simultaneous AuthZ gatherings were going on at once!
Instead of audio or video recordings to sample what was missed, this year the organizers offered an au courant option of AI-generated summaries of each session. Like lots of other AI experiences, I found them only approximately accurate for the talks I actually attended — yet still think they’re handy for all those I couldn’t cross-check. So please take these all with many, many grains of salt:
AI Summary [1] of The Authorization Conversation with David Brossard (Axiomatics), Atul Tulshibagwale (SGNL), Alexandre Babeanu (3 Edges), David Warner (Union Pacific), Omri Gazitt (Aserto), and Eve Maler (Venn Factory)
AI Summary [2] of The Future of Authorization with Sarah Cecchetti (Amazon), Pieter Kasselman (Microsoft) and George Roberts (McDonald’s)
AI Summary of Architectural Patterns for Distributed Authorization by Tim Hinrichs (Styra)
AI Summary of Externalizing Authorization is More than a Technology Problem… by Sarah Cecchetti (Amazon) and Pieter Kasselman (Microsoft)
AI Summary of A Year of NO: Building Organizational IAM Guardrail Policies That Work by Noam Dahan (Tenable)
AI Summary of The State of Authorization 5 Years From Now by Chris Hendrix (Styra)
AI Summary [3] of IAM and OWASP in the Cybersecurity Landscape by David Brossard (Axiomatics)
[No summary yet] of Read Out from the AuthZEN Interop Event with David Brossard (Axiomatics), Omri Gazitt (Aserto), Allan Foster, and Gerry Gebel (Strata Identity)
AI Summary of ACR: The Missing Security Control by Pamela Dingle (Microsoft)
AI Summary of Embracing Zero Standing Privilege by Sean O’Dell (Walt Disney)
AI Summary of Identity Security with CAEP, the Hype is Real! with Sean O'Dell (Walt Disney), Shayne Miel (Cisco), Atul Tulshibagwale (SGNL), Tim Cappalli (Okta), and Jeff Steadman (Identity at the Center Podcast)
AI Summary of Don’t Ask for Forgiveness, Ask for Permission! by David Brossard (Axiomatics)
I hope to dive deeper into some of these once we have slides and speaker notes in the weeks ahead, so don’t hesitate to share your own impressions and suggestions with authorize@googlegroups.com.
Lessons from Las Vegas
From the Cyber Risk Alliance’s own 2024 Identiverse trends report (SC Media), one of the key findings on page 5 was:
“It’s equally interesting to note that Authorization & Access Control is a close second. During Identiverse 2023 we spoke about the need for the industry to turn its attention back to access control — an opinion also reflected in the IDPro Survey — and the industry is responding.”
One takeaway from the booths on the show floor, from how speakers described what’s different since last year, and from how familiar audiences were with AuthZ buzzwords, was that a trickle of promises to pay attention to AuthZ turned into a torrent of innovation this year.
Specifically, both WIMSE (harmonizing human and non-human identities) and AuthZEN (common interfaces to policy engines) are standardization efforts that came together out of hallway conversations at conferences in 2023 and earned their spotlights in 2024. I wonder what we’ll see in 2025!
A Moveable Feast: European Identity Conference
A prime mover behind this week’s doppelgänger of an event, Martin Kuppinger, echoed some of the same sentiments in his own EIC 2024: Don’t Miss These Highlight Sessions:
“As many know, I’m an advocate of policy-based access control (PBAC), authorization, and just-in-time access. In the panel Why Authorization Standardization is Imperative, Allan Foster, David Brossard, and Gerry Gebel will talk about standardization for authorization and how to finally deliver on the promise that XACML once held.”
So for those about to rock in Berlin, we salute you for trying to take in this surfeit of sessions as well:
Panel: Why Authorization Standardization is Imperative
Dynamic Authorisation: The Key to Unlocking Open Banking
Graph-Based Harmony: Simplifying Zero Trust Authorization
Micro-Authorizations: Unlocking the Potential of Zero Trust in PAM by Justin McCarthy (StrongDM)
Build Your Own Authorization Server by Ali Adnan (Authlete)
Facilitating Ownership in External Authorization from Zalando
Non-Human Identities (NHI):
Enabling Fine Grained Authorization for Microservices with Standards by Pieter Kasselman (Microsoft)
Securing Workload Identities: Best Practices by Vincenzo Iozzo (SlashID)
Improving Zero-Trust in a Multi-Workload Environment by George Fletcher (Capital One)
Protecting Service Accounts and Other Identity Security ‘Blind Spots’ by Hed Kovetz (Silverfort)
Philosophy & Ethics:
Consent Is Dead by Eve Maler (Venn Factory)
Reframing (Digital) Identity Systems as Institutional Memory by Kaliya Young and Decentralized Federation by Lucy Yang (both Identity Woman in Business)
Resolving the Conflicts between Ethics and Human-Centered Design by Nishant Kaushik (Uniken)
AI Cloning & The Future of Digital Identities by Heather Flanagan (Spherical Cow)
Recovering Boléro and the Death of Authenticity by Mike Kiser (Sailpoint)
Least-Privilege & Cloud Security:
Is Least Privileged Even Possible? by Hans-Robert Vermeulen (SailPoint)
Myths of Least Privilege Management by Ashish Shah (Andromeda Security)
Automating Security Checks on AWS - A Deep Dive into Preventing Privilege Escalations by Manuel Benz (CodeShield)
Identity as Profession:
IDPro’s Body of Knowledge and Future Forward: Shaping Identity with Diversity & Expertise
Digital Identity Advancement Foundation introduced in Standing on the Shoulders of Giants by Allan Foster & Ian Glazer
AI Security:
Navigating the New IGA Frontier: Harnessing LLM AI Agents with Dynamic Authorization by Patrick Parker (EmpowerID)
Generative AI in Cybersecurity – It's a Matter of Trust from KuppingerCole’s blog
Coming Attractions…
What, you thought we’d keep focusing on film studies while Leaving Las Vegas, with flashy Flying Elvi paradropping in from Honeymoon in Vegas? (And those are only the Nicolas Cage references!)
Maybe next week, which you can prepare for with a count-up to Eins, Zwei, Drei (“One, Two, Three”), a slapstick Billy Wilder comedy about a Coca-Cola Communist stuck at Checkpoint Charlie! At least it’s an icon in the architecture of access control [4] in both senses of the term :)
[1] Hallucinated ABAC as “ABAP”!
[2] Hallucinated Cedar as “CeDR”!
[3] Hallucinated XACML as “ZACML”!
[4] Ironically, though, the Berlin Wall went up right after filming, scuttling its US release. Without the Wall, the shenanigans at Checkpoint Charlie to deport the Coke heiress’ East German boyfriend back as a Russki, then smuggle him back across as a top-hat-and-tails capitalist, are rather more comical than deadly.