I always enjoy participating in conferences. The number of ideas shared through presentations, demos, and conversations is overwhelming. Additionally, having the option to discuss your ideas with intelligent people from the industry is priceless. The 2023 European Identity & Cloud Conference was no exception, as I gathered many inputs and had various discussions with the people there. In this blog post, I will share my impressions and thoughts on how the most recent trends in identity affect midPoint.
The conference covered the entire spectrum related to digital identities. The Identity Fabrics topic by KuppingerCole was thoroughly explained in the presentation, which described all areas relevant to working with digital identities in a comprehensive system that can easily be used for evaluating any solution. Even though it didn’t bring anything new, the precision with which the whole scope was divided into smaller sections, and the potential of using this analytical framework, was astonishing.
I’m naturally inclined towards identity management and identity governance, so I was curious about the news in this area. I was surprised that there was not a single significant new trend or idea. Still, I had several exciting talks that reassured me about my approach and knowledge in this area, which was also valuable. Ultimately, most people work hard to improve existing products just to achieve what has already been known for some time. It might appear that Evolveum is no exception; however, we hit it big with the Simulation feature presented by Katarina and demonstrated at our booth by Viliam and myself. Even though the idea is not particularly revolutionary, the options available in midPoint were a pleasant surprise for many.
To mention at least some of the trends from the IdM and IGA areas, I must first refer to the Zero Trust principles. This topic has been discussed heavily in the past, but I don’t think it brings any new principles. Instead, it exposes flaws in the architectures that many had been building and relying upon. IAM experts have known for a long time that proper authentication, authorization, and account management are a must for all systems. Relying on shortcuts, such as implicitly trusting access that comes from the local network or a VPN, is a serious pitfall. The second notable topic is, of course, AI and big data. There is enormous potential for it in the IAM and IGA areas: from the well-known concept of role mining, through intelligent assistants that help you with various tasks within the system, to improving security by spotting high-risk configurations, and so on. I enjoy seeing people refine all these ideas and, by doing so, preparing the whole field to move forward in this direction. Frankly, I’m curious to see some demos and case studies of its use in practice.
An inseparable complement to IdM and IGA is Access Management. In this area, several topics caught my attention. The obvious one is distributed identities and related subjects, such as micro-credentials, self-sovereign IDs, verifiable credentials, and European identity represented by eIDAS 2.0. All of this is gaining significant traction, and rightly so. This innovative approach has the potential to transform how we work with identities today. There are still many open issues; however, many people are working on them, and support from the European Union, industry, and academia will help speed up adoption. Even though this is mostly discussed from the authentication and attribute release point of view, I wonder how it will fit into the IdM area. The first part is to learn how to use it as another user identity, which can simplify the onboarding process and be a source of highly assured attributes for standard IdM processes. The second part is to use data in IdM to release (and later revoke) attributes and micro-credentials into the distributed identities ecosystem. This offers many options worth exploring, but let’s leave that for another blog post.
Another heavily discussed Access Management topic is Policy-Based Access Control (PBAC). The idea is to use dynamic policies for authorization, rather than static roles or attributes alone. This is a handy idea because, in the modern world, we need more comprehensive options to not only formalize and govern access properly, but also to evaluate possible risks in real time in order to counter the growing number of cybersecurity attacks. To provide an authorization decision with PBAC, we can formulate policies covering user attributes, parameters of the current session, the environment, and potentially other relevant factors. Personally, I would like to see this combined with traditional role-based access driven by IGA principles. IGA gives us excellent visibility and auditability that users can understand and govern by themselves. I would like to keep this layer and take additional, dynamic policies from PBAC, such as evaluation of the environment and other session parameters. This leads to a system where users can understand (and view at any time) what they are authorized to do, thanks to IGA, while PBAC still applies the additional rules during authorization, delivering extra security without confusing users.
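To make the layering concrete, here is a small Python sketch of the combination described above. It is an added example written for this post, not midPoint code or any midPoint API: the IGA layer is a static map from roles to entitlements that a user could review at any time, and the PBAC layer is a list of policies over session and environment data that can only narrow, never widen, what the roles grant. The role names, resources, policy rules and the risk score field are all hypothetical.

```python
"""Static IGA entitlements plus dynamic PBAC policies (added example, not midPoint code).

The IGA layer answers "what is this user entitled to?" from role assignments alone,
so it can be shown in a UI and audited.  The PBAC layer then evaluates the live
session and environment and may deny, but never grant, beyond that static set.
All roles, resources and policy thresholds below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# IGA layer: role -> entitlements as (resource, action) pairs.  Hypothetical roles.
ROLE_ENTITLEMENTS: dict[str, set[tuple[str, str]]] = {
    "finance-analyst": {("ledger", "read")},
    "finance-manager": {("ledger", "read"), ("ledger", "approve")},
}


@dataclass
class Session:
    """Runtime context the PBAC layer sees; static role data lives in IGA."""
    user: str
    roles: set[str]
    mfa: bool                 # did this session complete strong authentication?
    source_ip: str            # recorded for audit; deliberately NOT used as a grant shortcut
    risk_score: int           # 0..100 from a hypothetical risk engine
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def entitlements_for(roles: set[str]) -> set[tuple[str, str]]:
    """The IGA view: the upper bound of what a user with these roles can ever do."""
    result: set[tuple[str, str]] = set()
    for role in roles:
        result |= ROLE_ENTITLEMENTS.get(role, set())
    return result


# PBAC layer: a policy returns a denial reason, or None when it is satisfied.
Policy = Callable[[Session, str, str], Optional[str]]


def require_mfa_for_approvals(s: Session, resource: str, action: str) -> Optional[str]:
    return "approve requires MFA" if action == "approve" and not s.mfa else None


def deny_high_risk(s: Session, resource: str, action: str) -> Optional[str]:
    return f"session risk {s.risk_score} exceeds threshold 70" if s.risk_score >= 70 else None


def approvals_in_business_hours(s: Session, resource: str, action: str) -> Optional[str]:
    if action == "approve" and not 8 <= s.now.hour < 18:
        return "approve outside business hours (08:00-18:00 UTC)"
    return None


POLICIES: list[Policy] = [require_mfa_for_approvals, deny_high_risk, approvals_in_business_hours]


def authorize(s: Session, resource: str, action: str, policies: list[Policy] = POLICIES) -> Decision:
    """Step 1: static IGA entitlement.  Step 2: every dynamic policy must be satisfied."""
    if (resource, action) not in entitlements_for(s.roles):
        return Decision(False, ["no assigned role grants this entitlement"])
    reasons = [r for r in (p(s, resource, action) for p in policies) if r]
    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["granted by role assignment; all policies satisfied"])


def _demo() -> None:
    ts = datetime(2023, 5, 10, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    manager = Session("alice", {"finance-manager"}, mfa=False, source_ip="10.0.0.5",
                      risk_score=10, now=ts)
    print(sorted(entitlements_for(manager.roles)))          # what IGA shows the user
    print(authorize(manager, "ledger", "approve"))           # denied: no MFA
    manager.mfa = True
    print(authorize(manager, "ledger", "approve"))           # allowed


if __name__ == "__main__":
    _demo()
```

The important property is that `entitlements_for` is computed purely from role assignments, so the IGA view never over-promises: anything it lists is reachable under the right session conditions, and nothing outside it is ever granted by a policy. The `source_ip` is kept on the session only for audit; no policy turns a "trusted" network into an access grant, which is exactly the shortcut the Zero Trust discussion warns against.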
To sum up, I enjoyed the conference, and I look forward to taking some of the ideas I have just described and applying them in midPoint. I’m confident that this will help the midPoint community move their solutions forward by taking advantage of these modern trends.