I was in Las Vegas this week for Gartner’s IAM Summit, hosted at Caesars Palace. Vegas isn’t really my cup of tea but one goes where the conferences are. Pro tip: The desert is really freaking cold in December. I mean, not Canada cold, but way colder than a desert should be. Bring layers.
- Deploy MFA everywhere,
- You must have people on your team who are intimately familiar with OAuth and OIDC,
- If you haven’t already, start working on Identity Governance,
- Continuous identity proofing was by far the most interesting and compelling subject for me.
Identity Governance & Administration (IGA)
Just last week I was doing manual extracts of user data and hand producing CSV files for audit stuff. Stop doing that! Investigate IGA options.
Continuous Identity Proofing
Proving the identity of customers, elevating the level of trust in a given identity, and continuously re-validating existing identities: email address validation, phone number validation, credit bureau checks, RSA-type adaptive risk callouts, expiry and re-validation of elevated trust, and so on. Automate all of it.
Build an identity proofing API! The API can be called at any time by any app (or other API) to validate, revalidate, or improve the validation of an identity. The API would be modular, with each module handling one method of proofing, so a new proofing method is a new module rather than a change to every caller.
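The shape of such an API, as an added example that is not code from this post or from any vendor product: one class per proofing method (email and phone one-time codes here; credit bureau or adaptive-risk modules would plug in the same way), each recording a timestamped proof with its own time-to-live, and an API layer that reports the current trust level from unexpired proofs only and lists what has lapsed and needs re-validation. Module names, trust weights, TTLs and the simulated code delivery are assumptions for the example.

```python
"""Modular identity-proofing API: added illustration, not the post author's
code or any vendor product. Module names, trust weights and TTLs are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Proof:
    method: str
    verified_at: datetime
    expires_at: datetime


@dataclass
class Identity:
    subject: str
    proofs: dict = field(default_factory=dict)   # method name -> Proof


class ProofingModule:
    """One module handles exactly one proofing method."""
    name = ""
    weight = 0              # trust contributed while the proof is fresh (assumed)
    ttl = timedelta(0)      # how long until the proof must be re-validated (assumed)

    def verify(self, identity, evidence):
        raise NotImplementedError


class ChallengeModule(ProofingModule):
    """Out-of-band one-time code (email or SMS). Delivery is simulated: issue()
    returns the code instead of sending it so the example runs offline. Each
    code is single use, whether or not the attempt succeeds."""

    def __init__(self):
        self._pending = {}  # subject -> outstanding code

    def issue(self, identity):
        code = secrets.token_hex(3)
        self._pending[identity.subject] = code
        return code

    def verify(self, identity, evidence):
        expected = self._pending.pop(identity.subject, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, str(evidence.get("code", "")))


class EmailModule(ChallengeModule):
    name, weight, ttl = "email", 1, timedelta(days=365)


class PhoneModule(ChallengeModule):
    name, weight, ttl = "phone", 2, timedelta(days=30)


class ProofingAPI:
    """Callable by any app or API to validate, re-validate or elevate an identity."""

    def __init__(self, modules):
        self.modules = {m.name: m for m in modules}

    def prove(self, identity, method, evidence, now):
        """Run one method; on success record a timestamped, expiring proof."""
        module = self.modules[method]
        if not module.verify(identity, evidence):
            return False
        identity.proofs[method] = Proof(method, now, now + module.ttl)
        return True

    def trust_level(self, identity, now):
        """Sum of the weights of proofs that have not expired."""
        return sum(self.modules[p.method].weight
                   for p in identity.proofs.values() if p.expires_at > now)

    def needs_revalidation(self, identity, now):
        """Methods whose proof has lapsed; callers re-run prove() for these."""
        return sorted(m for m, p in identity.proofs.items() if p.expires_at <= now)


def walkthrough():
    """Constructed scenario: prove email and phone, then let the phone proof lapse."""
    t0 = datetime(2018, 12, 10, tzinfo=timezone.utc)
    api = ProofingAPI([EmailModule(), PhoneModule()])
    alice = Identity("alice")
    email, phone = api.modules["email"], api.modules["phone"]

    email.issue(alice)
    wrong = api.prove(alice, "email", {"code": "no-such-code"}, t0)  # False, code burned
    code = email.issue(alice)
    email_ok = api.prove(alice, "email", {"code": code}, t0)        # True
    level_after_email = api.trust_level(alice, t0)                  # 1

    code = phone.issue(alice)
    api.prove(alice, "phone", {"code": code}, t0)
    level_after_phone = api.trust_level(alice, t0)                  # 3

    later = t0 + timedelta(days=31)                                 # phone proof lapsed
    return (wrong, email_ok, level_after_email, level_after_phone,
            api.trust_level(alice, later), api.needs_revalidation(alice, later))
```

The design point is that trust is never a flag that gets set once: every proof carries an expiry chosen by its module, so the same `trust_level()` call made months later quietly drops what has gone stale, and `needs_revalidation()` tells the calling app exactly which step to repeat.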
Best Practices for OAuth 2.0 and OIDC
- OAuth 2.0 and OIDC are evolving rapidly. Have one or more people on staff to stay on top of current standards and best practices,
- OAuth & OIDC mailing lists,
- Documentation: https://oauth.net/2/, https://openid.net/connect/,
- JWT standards & best practices: https://jwt.io,
- Least privilege: minimize the number of claims in a JWT,
- Coarse-grained authorization in the middle layer (API gateway, security proxy),
- Implement a permissions API for anything more complicated than a simple list of roles,
- Permissions API answers the question “What is this identity allowed to do?” on behalf of other apps and APIs.
- Fine-grained authorization in the app / API, either directly in the app / API or via the permissions API,
- Token revocation is a challenge: valid tokens are self-contained and remain valid until they expire, no matter what happens to the session behind them. Keep those JWT lifetimes short,
- AppAuth pattern (authorization code flow with PKCE) good,
- Implicit flow bad (no real trust here, but also no alternative?)
- (alternative is to stop building SPAs until better solutions are developed)
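Two of the bullets above, "minimize the number of claims" and "keep those JWT timeouts short", in working form. This is an added example, not code from the post; it uses only the standard library (HS256 via `hmac`), and the issuer, audience, key and five-minute lifetime policy are assumed values. The verifier pins the algorithm, checks issuer and audience, enforces the validity window, and refuses any token whose own `exp - iat` exceeds the policy. The `jti` denylist is an added caveat the post does not cover: it is the usual partial answer to the revocation problem, and it only works because lifetimes are short enough that the denylist stays small.

```python
"""Short-lived, minimal-claim JWTs: added illustration, not code from the post.
Uses only the standard library (HS256 via hmac). Issuer, audience, key and the
5-minute lifetime policy are assumed values."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://issuer.example"      # assumed
AUDIENCE = "https://api.example"       # assumed
MAX_LIFETIME = 300                     # assumed policy: 5 minutes


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key, signing_input):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def mint(key, subject, scope, now, lifetime=MAX_LIFETIME):
    """Issue a token carrying only what the resource server needs: identity,
    audience, validity window, a jti for revocation and the granted scope."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + lifetime,
              "jti": secrets.token_urlsafe(8), "scope": scope}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(_sign(key, signing_input.encode("ascii")))


def verify(token, key, now, revoked=frozenset()):
    """Return the claims, or raise ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":      # pin the algorithm; never trust "none"
        raise ValueError("unexpected alg")
    expected = _sign(key, f"{h_b64}.{c_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("expired or not yet valid")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("lifetime exceeds policy")   # long-lived token: refuse it
    if claims.get("jti") in revoked:
        raise ValueError("revoked")
    return claims


def outcome(token, key, now, revoked=frozenset()):
    """Verification result as a string, convenient for checking failure reasons."""
    try:
        verify(token, key, now, revoked)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Note what is deliberately absent from the claims: no display name, no email, no role list copied out of the directory. Anything a downstream API needs beyond `sub` and `scope` is a question for the permissions API, not a payload to carry around in every token.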
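The "AppAuth good, implicit bad" pair above comes down to one mechanism: the authorization code flow with PKCE (RFC 7636), which is what AppAuth implements for native apps and which has since become the recommended replacement for the implicit flow in browser-based apps as well. Below is an added example, not code from the post or the AppAuth project, that runs both sides of the exchange in-process: the client creates a verifier and sends only its SHA-256 challenge, the server binds the issued code to that challenge, and a code on its own (intercepted, or replayed after use) cannot be redeemed. Endpoint URL, client_id and redirect_uri are assumed values.

```python
"""Authorization code flow with PKCE (the AppAuth pattern): added illustration,
not code from the post or the AppAuth project. Both sides of the exchange are
simulated in-process; endpoint URL, client_id and redirect_uri are assumed."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://idp.example/authorize"   # assumed
CLIENT_ID = "spa-client"                           # assumed public client
REDIRECT_URI = "https://app.example/callback"      # assumed


def make_code_verifier():
    return secrets.token_urlsafe(32)   # 43 unreserved chars, within RFC 7636's 43..128


def make_code_challenge(verifier):
    """S256: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(state, challenge, scope="openid profile"):
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)


class AuthorizationServer:
    """Toy server: binds each issued code to the challenge it was requested with."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url):
        """User has authenticated; issue a single-use code and echo the state."""
        q = parse_qs(urlparse(url).query)
        if q.get("response_type") != ["code"] or q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only code + S256 is accepted")   # no implicit flow here
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["client_id"][0], q["redirect_uri"][0], q["code_challenge"][0])
        return code, q["state"][0]

    def token(self, code, client_id, redirect_uri, verifier):
        """Redeem a code. The code is burned on any attempt, good or bad."""
        entry = self._codes.pop(code, None)
        if entry is None:
            raise ValueError("unknown or already used code")
        bound_client, bound_redirect, challenge = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            raise ValueError("client or redirect_uri mismatch")
        if not hmac.compare_digest(make_code_challenge(verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_flow(server, verifier=None):
    """Client side: create verifier, send its challenge, redeem the returned code."""
    verifier = verifier or make_code_verifier()
    state = secrets.token_urlsafe(8)
    url = build_authorization_url(state, make_code_challenge(verifier))
    code, echoed_state = server.authorize(url)
    if not hmac.compare_digest(echoed_state, state):
        raise ValueError("state mismatch (CSRF?)")
    return code, server.token(code, CLIENT_ID, REDIRECT_URI, verifier)


def outcome(fn, *args):
    """'ok' or the error message; used to show the failure cases."""
    try:
        fn(*args)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The verifier never leaves the client until the token request, and that request goes directly to the token endpoint rather than through the browser redirect, so whoever sees the authorization response (a redirect log, a malicious app registered for the same custom scheme) holds a code they cannot turn into a token.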
Gartner Conference ProTips
Install the Gartner app on your phone well in advance of your conference.
Some sessions are limited access and require you to register. This includes Roundtable and Ask the Analyst sessions. I did not get any indication from Gartner when sign-up for these sessions was available, and they were all full by the time I found out. If full, you can go to the room for one of these sessions 15 minutes before the start and put your name on a wait list. Lots of people just sign up for everything and then don’t show up.
There are also 1-on-1 sessions available. You tell the Gartner folks what you want to discuss and they will match you up with an appropriate Gartner analyst.
Obviously use the networking events when you can, especially those targeted at specific groups. I went to the Financial Industry networking breakfast and made a few contacts there, and our country rep set up a dinner for all the Canadians, which proved to be fruitful.
I changed my travel plans to go down a day early, because there were “tutorials” being offered the day before the event officially started. I have no idea why Gartner calls these tutorials. They were no different from any other presentation-style session. Someone from Gartner standing there talking and flipping slides. Which is fine, but they were not “tutorials” in any usual sense.
I still recommend going a day early (the day before the day before the event starts). You can register early (no morning rush on the first day) and there was an orientation and networking session that evening.