What I learned about identity management at Identiverse 2019

There’s still a lot of work to do to bring mobility and identity together for conditional access.

I spent the last week of June at Identiverse 2019, an industry-wide identity management conference hosted by Ping Identity.

In the mobility, VDI, and EUC space, we’ve been paying more attention to identity over the last few years, but Identiverse represents the identity industry through its own lens. This means that as a mobility and EUC person, I was in the minority here. This is a good thing, as it gave me the opportunity to not only learn a lot, but to also see the EUC space and the issues we’re tackling from a different perspective. With that, here are some of my notes and thoughts from the show.

Standards for federation and authentication

It really is a good time for identity standards. We’re finally at the point where most of us in the EUC space are familiar with SAML, which is often used to federate enterprise SaaS apps. But, we really need to add OAuth2 and OpenID Connect to our working knowledge, as many apps and vendors like Microsoft are making it a big part of their strategy. There’s always more work to do, and the refrain from several speakers was that ISVs should adhere to standards whenever possible, and that customers should begin demanding support as part of their requirements.

Without a doubt, the biggest buzz in identity today is FIDO2 and WebAuthn, the phishing-resistant authentication standards. They’ve made a lot of progress in the last year with many more certified implementations, and I don’t think a single conference session failed to mention how big of a deal they are.

So, it would seem like FIDO-certified authentication methods like biometrics and security keys are on the verge of becoming mainstream, but as you’d expect, another big topic of conversation was that changing authentication techniques is like turning around an ocean liner.

Speakers spent a lot of time on things like identity verification and proofing, different types of authentication, the role of SMS and email verification, and how to actually get to truly password-free authentication. (It’s possible, but it has to be done carefully.) This is all great, but there was also acknowledgement that, overall, adoption rates of multi-factor authentication are still low, and doing anything at all—yes, including SMS one-time passcodes—is way better than doing nothing at all.

Identity and endpoints not yet fully aligned

As I mentioned, as a mobility person, I was in the minority at Identiverse. There was a comprehensive mobile identity intro session on the first day of the show, but otherwise, I learned that the distance between the endpoint management / EUC space (for example VMware, Citrix, MobileIron, etc.) and the pure identity space may be slightly greater than I thought.

There’s widespread agreement that identity is the next control plane, and that conditional access that takes device posture into account is a key component of identity and access management going forward. However, there were a few times where I felt the differences between the two areas.

One example is with iOS 13 and macOS Catalina. Sign In with Apple, the new consumer-oriented framework, got a decent amount of attention, but the new enterprise-oriented identity features didn’t really come up. As we covered in June, new features like User Enrollment, SSO Extensions, and Extensible SSO MDM profiles could have a big effect.

To be fair, Identiverse also covers customer-facing identity, so it’s not all about enterprise users, and WWDC was only three weeks before the show. So for now, I’ll just say that I’m hungry for more industry conversations about these new Apple frameworks.

The second example relates to an issue that I brought up a few weeks ago in an article called When you have both IDaaS and UEM, where do you build your conditional access policies?

Everybody acknowledges that conditional access systems will need to pull in more data sources. We’re actually off to a decent start—just look at all the one-off integrations between UEMs, IDaaS vendors, and third-party security products, as well as branded programs like the VMware Workspace ONE Intelligence Trust Network, or the Google Cloud BeyondCorp Alliance. But so far, many of the conversations and sessions that I heard at Identiverse treated device posture in a simpler way, for example as a binary check that’s delegated over to MDM.
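As an added illustration (my own sketch, not code from the article or from any vendor or alliance named above), here is a small Python policy evaluator that contrasts the binary "is it MDM-compliant?" check with one that combines UEM posture, a threat-feed device risk score and the IdP's sign-in risk, including the case where posture is missing or stale; every signal name, threshold and sample record is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed evaluation time and signal shapes; none of these names or
# thresholds come from the article or from any product it mentions.
NOW = datetime(2019, 7, 1, 12, 0, tzinfo=timezone.utc)

@dataclass
class AccessContext:
    uem_compliant: Optional[bool]            # None: UEM has never seen this device
    posture_reported_at: Optional[datetime]  # when the UEM last reported posture
    device_risk: float                       # 0.0 clean .. 1.0 compromised (threat feed)
    signin_risk: str                         # IdP sign-in risk: "low" | "medium" | "high"

def binary_policy(ctx: AccessContext) -> str:
    """The simpler model: a single compliance bit delegated to the UEM/MDM."""
    return "allow" if ctx.uem_compliant else "deny"

def contextual_policy(ctx: AccessContext, now: datetime = NOW,
                      max_age: timedelta = timedelta(hours=4)) -> str:
    """Combine UEM posture, threat-feed device risk and IdP sign-in risk.
    Returns "allow", "step_up" (demand a phishing-resistant factor) or "deny"."""
    # Failure mode: missing or stale posture is "unknown", never silently "compliant".
    if ctx.uem_compliant is None or ctx.posture_reported_at is None:
        posture = "unknown"
    elif now - ctx.posture_reported_at > max_age:
        posture = "stale"
    else:
        posture = "ok" if ctx.uem_compliant else "noncompliant"

    if posture == "noncompliant" or ctx.device_risk >= 0.8 or ctx.signin_risk == "high":
        return "deny"
    if posture != "ok" or ctx.device_risk >= 0.4 or ctx.signin_risk == "medium":
        return "step_up"
    return "allow"

# Constructed sample devices showing where the two policies diverge.
SAMPLES = {
    "healthy":  AccessContext(True, NOW - timedelta(hours=1), 0.0, "low"),
    "stale":    AccessContext(True, NOW - timedelta(days=2),  0.0, "low"),
    "flagged":  AccessContext(True, NOW - timedelta(hours=1), 0.9, "low"),
    "unknown":  AccessContext(None, None,                     0.0, "low"),
    "risky_ip": AccessContext(True, NOW - timedelta(hours=1), 0.1, "medium"),
}

def evaluate_all() -> dict:
    """Map each sample device to (binary decision, contextual decision)."""
    return {name: (binary_policy(c), contextual_policy(c)) for name, c in SAMPLES.items()}
```

The "stale" and "flagged" rows are the interesting ones: the compliance bit alone says allow, while the richer policy steps up or denies.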

Along these lines, at Identiverse I learned about the Identity Defined Security Alliance (IDSA). This started out as an effort inside Ping Identity a few years ago, but has since become independent. The IDSA defines “controls,” which outline in a general way how different types of integrations and policies could work, along with blueprints and best practices. Their work is on my reading list now.

Overall, this challenge of integrating endpoint management, identity management, threat feeds, and other context is going to be a big one. I believe that this is how we create an awesome and secure end user experience, but there’s a lot of work to be done. I’ll be watching the partnership and integration landscape carefully.

Other interesting identity trends from Identiverse

Self-sovereign identity (which I first learned about two years ago at the very same conference) was a big topic, but it still seems like it’s a few years away, especially for the enterprise. Perhaps the first place that the enterprise deals with it will be in B2B or contractor and gig worker use cases. But for someone that’s currently working on modernizing a corporate end user experience, this probably isn’t something to worry about yet (though it’s good to know about, of course).

Machine learning and artificial intelligence came up often. The IT industry is just getting started with adopting them, but now that we’ve had a few years to get our minds around the concepts, they’re starting to feel like business as usual. In other words, it’s less interesting that a product is using machine learning and AI, and more important what it does.

It was great to hear about a new organization called IDPro, which is working to address the shortage of knowledge and talent in the identity space (another common theme at the show). They’re just getting started, but the eventual goal is to have a whole body of knowledge to train people on the industry. Having followed the early days of the EMM space, I can really appreciate this need, and I hope the effort succeeds.

Final thoughts

At Identiverse, there was no shortage of fascinating sessions, like a whole session on usernames (not passwords!), or the session on the really well-thought-out and well-intentioned Project Verify, an effort by U.S. carriers to build a mobile phone-based authentication framework. (Seriously, I know the carriers don’t have the best reputation right now, but I saw a whole room full of identity management pros express their approval and interest in the project.)

Today’s article is just scratching the surface of the show—there’s a lot more to cover.

Overall, the event had a really great community feeling that reminded me of BriForum. This was a show full of people tackling problems that are difficult and idiosyncratic (just like desktop virtualization pros), and everywhere you turned, you could find people that worked on important standards, from a broad cross section of vendors. I hope to see more crossover between the identity space and the EUC/mobility/VDI space in the future.

Identiverse also featured a great band made up of identity industry leaders (I’m a walking testament to the fact that there are a lot of musicians in the IT space). They also had some interesting guests, like Steve Wozniak (he’s quite a character) and Bill Foster (a member of the U.S. House of Representatives who actually has a science background and some important ideas about identity).
