The Power of the Policy: Journey to Identity-First Security

Tom Ammirati
June 8, 2022

Over the course of the last few weeks, I have been fortunate enough to travel and attend several top Identity and Security conferences. It truly is uplifting to once again connect with former colleagues, partners and industry professionals who over the years have formed our unique IAM community.

Despite the challenges associated with Covid and related travel restrictions, the conferences were buzzing and full of energy as well as new ideas.

Predictably, the market is awash with legacy and new firms attempting to solve the Rubik's Cube of “passwordless” authentication. The recent announcement by Apple, Google and Microsoft committing to expanded support for a FIDO standard for passwordless sign-in is a clear measure of intent.

It also signals another milestone in the continued evolution of security and identity / access management. Authentication shall always remain a vital component in securing digital journeys; however, it is swiftly reaching commoditization, and there is a growing recognition that more needs to be done to ensure secure user journeys.

The convergence of IAM and Security technologies, and the critical relationship between them, is rapidly gaining mindshare from industry practitioners and analysts alike.

Speaking with firms across the globe from various vertical sectors, the feedback was consistent: the demand for advanced access control, and for subsequent visibility and management of access control, was paramount. What was traditionally considered “fine grain” authorization (an exception vs the norm) is now emerging as the next logical step in the never-ending battle to secure and protect digital assets while minimizing friction during a user’s digital journey. In a recent blog post, Accenture's Damon McDougald also wrote about the importance of authorization: "While authorization is essentially a security decision engine that must continuously adapt to the needs of the business, it is also critical in establishing a continuous, adaptive, zero-trust framework." This further establishes the point.

The subsequent impact transcends technology and business pain points, from securing data at key access points such as API Gateways, Applications, Microservices and Data Lakes to ensuring that all users of technology can enjoy the most secure and user-friendly experience possible.

That once-forgotten IAM module, remembered best by IAM practitioners as Authorization, has reemerged out of the shadows to power a new paradigm known as Identity First Security.

In this paradigm, security resiliency and systems hardening are complemented by an identity-centric approach to validating the integrity and access authorization of an identity throughout the digital transaction, in real time.

A highly respected former colleague and IAM thought leader recently asked me if I thought Authorization would / could ever be “cool”? I paused and responded by commenting that the key, in fact the power, is in the policy. Authorization policies, and how they are written, managed, implemented and enforced, are what make Authorization “cool” and, more importantly, effective.

Policy-based access control (PBAC) fuels the simplicity / manageability of authorization policies, and ultimately will assist in driving the adoption of “Identity First Security”.

That is the power of the (authorization) policy, and yes, I do think that is pretty “cool”.

Hope to see you at Gartner Security & Risk Management Summit this week in Maryland.
