Identiverse Authorization Talks – Identiverse Agenda

We’re only a few months away from Identiverse 2024, the leading IAM conference this side of the Atlantic. Like last year, authorization will be one of the hot topics. Not only will there be an interop, but the agenda counts no less than twenty authorization-related talks from vendors, customers, and industry experts alike. Here’s an overview of the talks.

Tuesday, May 28th

The halls of the Aria will be abuzz with authorization chitchat well before the conference starts. Members of the OpenID AuthZEN Working Group will gather from 10 am to noon to work on an authorization interop exercise. The likes of Aserto, 3Edges, Cerbos, SGNL, and Axiomatics will be testing their implementations against the draft specification. For more details, check out the interop page.

At 2 p.m., head over to Mariposa 8 for what promises to be a lively panel on authorization: details are yet to be announced for The Authorization Conversation, but expect to hear more on the different authorization paradigms (admin-time, runtime, and event-time) as well as the various approaches (graph, ACLs, and policy).

Wednesday, May 29th

On Wednesday, we’ll start the day with an overview of OWASP and how it applies to IAM (or vice versa). This will be an expanded and revised version of the blog posts I published on IDPro’s website and on this site. I also touched on the topic in my Nordic APIs presentation at the Austin 2024 Summit. See below.

We will continue with a fascinating talk on CAEP (pronounced "cape"). CAEP is a novel way to tackle ever-changing conditions and move toward more runtime authorization. With CAEP and shared signals, you can signal to SPs that a user’s token needs to be updated. My peers from the OpenID Foundation, Atul Tulshibagwale and Tim Cappalli, will bring us the latest. Check out the OpenID Working Group as well.

Wednesday is a busy day as I’ll take to the stage again to talk about runtime authorization. There is a growing consensus around the definition of 3 types of authorization: admin-time, runtime, and event-time. Admin-time (think entitlements-based, role-based, defined by the IdP) is not dynamic enough and not real-time; it fails “zero trust”. My talk on runtime authorization based on policies and attributes will cover the specifics of policy-based access control and explore whether recertification can be reframed as we move forward with these policies, which are already key to the future of IAM & cybersecurity.

From the world of sessions and identity tokens, ruled by OAuth and OpenID Connect, comes a new(ish) profile called OAuth 2.0 Rich Authorization Requests (or RFC 9396 for friends & family). This specification introduces a new parameter, authorization_details, that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures. David Hyland and peers will present a real-world application of RAR in the banking industry.
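As an added illustration (not code from the talk or from this page), here is how an authorization server might validate an RFC 9396 authorization_details value, and how a resource server might then check a request against the granted details; the supported type names, the sample value and the strictness choices are assumptions made for the example.

```python
import json

# RFC 9396 common fields that, when present, must be arrays of strings.
ARRAY_FIELDS = ("locations", "actions", "datatypes", "privileges")
# Types this hypothetical server understands (assumption for the example).
KNOWN_TYPES = {"account_information", "payment_initiation"}

# Constructed sample: what a client might send in the authorization request.
SAMPLE_DETAILS = json.dumps([{
    "type": "account_information",
    "locations": ["https://example.com/accounts"],
    "actions": ["list_accounts", "read_balances"],
}])

def parse_authorization_details(raw: str) -> list[dict]:
    """Validate the shape; raise ValueError where an AS would answer invalid_authorization_details."""
    try:
        details = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"authorization_details is not JSON: {exc}") from exc
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")
    for entry in details:
        if not isinstance(entry, dict) or not isinstance(entry.get("type"), str):
            raise ValueError("each entry must be an object with a string 'type'")
        if entry["type"] not in KNOWN_TYPES:
            # RFC 9396 requires the AS to refuse unknown types rather than ignore them.
            raise ValueError(f"unsupported authorization details type {entry['type']!r}")
        for field in ARRAY_FIELDS:
            value = entry.get(field)
            if value is not None and not (
                isinstance(value, list) and all(isinstance(v, str) for v in value)
            ):
                raise ValueError(f"'{field}' must be an array of strings")
    return details

def is_permitted(details: list[dict], type_: str, location: str, action: str) -> bool:
    """Resource-server check: does any granted entry cover this type, location and action?"""
    # A missing 'locations' list is treated as covering nothing (conservative choice).
    return any(
        entry["type"] == type_
        and location in entry.get("locations", [])
        and action in entry.get("actions", [])
        for entry in details
    )
```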

If you’re interested in RAR and want to use a standard authorization protocol, stay tuned as the AuthZEN WG is working on a new OAuth profile to address that.

My friend Travis Spencer (CEO, Curity) will walk us through the changes we can expect when we move from a centralized identity paradigm to a decentralized identity model. Travis will explain how access decisions change when identities are decentralized, and how we can ensure our APIs still make the right decisions about access.

Thursday, May 30th

The future starts today… And it is definitely true for authorization. Well, it probably started 12 months ago when we all got together at Identiverse to found AuthZEN. Sarah Cecchetti, PM at AWS, Pieter Kasselman, architect at Microsoft, and George Roberts from McDonald’s will discuss evolutions in the authorization realm including of course AWS’s Cedar Policy Language. In the meantime, check out the authorization substack we’ve been running for the past few months.

This is not an authorization talk per se, though you could easily get Ian Glazer to talk about it. My former manager at Salesforce, and a friend I can nag about IAM and SPML, will talk about counselors in the digital era. And if the idea of a dank, musty, and small broom closet office behind your high school gym comes to mind, you’re a bit off-target. In Ian’s mind, software agents act on one’s behalf to make introductions of the individual to a service and vice versa; they perform recognition of these services and associated credentials and prevent, or at least inhibit, risky behavior such as dodgy data sharing.

If you want to see Ian in action, check out these other fantastic talks:

Sarah and Pieter are back, as a duo this time, to talk about… authorization. Sarah brings her insights from building AWS’s very own language, Cedar Policy, while Pieter is focused on machine-to-machine identity. He’s currently deeply involved in IETF’s latest working group, WIMSE (Workload Identity in Multi System Environments). This talk will cover the three pillars externalized authorization needs in order to be successful: value for all stakeholders from engineers to customers, robust business processes, and technology to support these.

The folks behind Open Policy Agent, one of the most successful forays in the world of authorization, will give us a peek into the future of authorization. Torin Sandall (incidentally my neighbor) predicts that soon, authorization will move from an annoying gatekeeper to an innovation enabler. And I can see that: rather than having to walk to a doctor’s office, we’ll be able to browse our medical records online – assuming the right level of authorization checks. Authorization is not about lock-down, it’s about opening up, safely.

My peer in the AuthZEN WG, Atul, is back to talk about ZSP (zero-standing privilege). His ideas are definitely music to my ears: moving away from statically assigned permissions at user creation time and toward a dynamic policy-based approach, just like SGNL and Axiomatics advocate. If you want to see SGNL in action, Aldo Pietropaolo gave a live demo at the Nordic APIs Austin Summit last March.

Friday, May 31st

And here we are, in the last mile of this identity marathon. To wrap up in style, we’ve got no less than 2 fantastic talks.

Alex Babeanu (friend, mentor, musician, fellow cyclist, and neighbor), the CTO at 3Edges and deeply enamored with graphs and NGAC, will delve into the Zero-Trust reference architecture outlined by NIST, revealing that authorization sits at its very core. Building on this foundation, Alex will showcase how harnessing the organizational power of graphs can effectively streamline the complexity of ZT initiatives.

(Alex, if you read this, I’m still in 💘 with XACML, sorry)

A list of authz talks wouldn’t be complete without at least one presentation on governance. IGA is massively impacted by the rise of “dynamic authorization” and in particular by the development of policy-driven authorization. The world has become more complex as well (more users, data, services), and that increases the critical role a governance framework needs to play. My peer at IDPro, Jim Montgomery, will talk about new ways to think about identity and governance problems in the context of the business benefits of an ideal end-game. What are we all shooting for with IGA, and where do we go from there?

Last, but not least, Tim Hinrichs, co-creator of Open Policy Agent (OPA), will take us on a tour of distributed authorization architectures. You’ll get an overview of common challenges like data distribution, latency budgets, centralized management, and distributed enforcement, along with potential solutions and best practices.

This talk is bound to be interesting as 15 years ago, most of us were hard-core believers in “One PDP to rule them all”, centralized, with a single enterprise policy. OPA and the rise of microservices have proven this equation wrong. Today, we realize that it’s more about flexibility: decide anywhere with micro-PDPs; enforce close to what you care about with ingress gateways; and manage policies locally alongside your app code all the while retaining some degree of control and governance enterprise-wide.

Curated List of Authorization (& Identity) Talks

Here’s my curated list, including a few more talks not mentioned above. Identiverse ’24 is bound to be enlightening.

Did I miss a talk? Let me know in the comments.

Session Title | Date | Time | Location
--- | --- | --- | ---
The Authorization Conversation | 5/28 | 2:00 PM | Mariposa 8
Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape | 5/29 | 11:05 AM | Joshua 8
Identity Security with CAEP, the hype is real! | 5/29 | 11:40 AM | Joshua 10
iC Consult presents: To Identity and Beyond: Exploring Tomorrow Together | 5/29 | 1:40 PM | Tech Theater 1 (Bristlecone)
Don’t Ask for Forgiveness, Ask for Permission! | 5/29 | 2:00 PM | Joshua 1
Five Challenges to Building Your Own Identity Platform …and How to be Successful Anyway | 5/29 | 3:10 PM | Joshua 10
Rich Authorization Requests – Solving for Flexibility and Performance | 5/29 | 3:10 PM | Joshua 1
The Paradigm Shift: From Centralized to Decentralized Identity | 5/29 | 4:35 PM | Joshua 1
The Future of Authorization | 5/30 | 9:30 AM | Juniper Ballroom
Counselors in the Modern Era: Advancing Identity Management | 5/30 | 2:00 PM | Joshua 10
Embracing Zero Standing Privilege: A New Era of Authorization | 5/30 | 2:00 PM | Mariposa 8
PlainID Presents: Mitigate Identity-Related Breaches in the Era of Identity-Centric Security | 5/30 | 4:35 PM | Joshua 6
Externalizing Authorization is More than a Technology Problem…. | 5/30 | 5:10 PM | Joshua 10
Veza Presents: The Trend Toward Intelligent Universal Access Policy | 5/30 | 5:10 PM | Joshua 3
Styra Presents: The State of Authorization 5 Years From Now | 5/30 | 5:10 PM | Mariposa 3
SGNL Presents: Shrinking Blast Radius With Zero-Standing Access | 5/30 | 5:10 PM | Joshua 6
Graph-Based Harmony: Simplifying ZTA in the Age of Data Breaches | 5/31 | 8:30 AM | Joshua 10
IGA Paradigm Shift: Permission Life Cycle | 5/31 | 8:30 AM | Joshua 6
Architectural Patterns for Distributed Authorization | 5/31 | 9:05 AM | Joshua 10
From Keynote to Action: Building Workload Identity Foundations with Standards | 5/31 | 9:40 AM | Joshua 10
Healthcare Identity Engines: The Driving Force Behind Digital Patient Engagement | 5/31 | 9:40 AM | Joshua 1
List of authorization talks at Identiverse 2024