Addressing Industry Security Needs at the IdentityFirst Summit

I had the privilege of attending and speaking at the inaugural summit of IdentityFirst.org last week. IdentityFirst is an organization that is building a community of IT professionals to discuss the changing landscape of identity management in the world of cloud applications. It promotes the practices and enables the infrastructure required to make everyone a good "security citizen."

Companies represented at the summit were a good cross section of the entire cloud applications landscape - from large, well recognized consumer companies to smaller service provider startups. It was very clear that small and large companies alike are struggling with this topic of strengthening security, while reducing the costs of identity management and increasing employee productivity. Their user bases are large and geographically dispersed, and they use different end points, such as mobile devices. Making sure that the employee lifecycle is upheld across all critical stages, in terms of access privileges and controlling this from a central, easy-to-manage system, is one of the highest priorities of IT departments.

There were some strong opinions from seasoned IT leaders about what works in their environments, including Active Directory vs. LDAP and discussions over which features different Identity Providers should support. Everyone agreed that there needs to be a single source of truth and how that information gets federated to other systems was a topic that was actively debated.

Numerous companies proposed very creative solutions to this problem, which highlighted how strong leadership can make a positive impact in breaking deadlocks caused by issues that arise from legacy applications. There was widespread agreement that with the strong shift into cloud-based applications and the increasing use of mobile devices in the workplace, topics including managing identity in the cloud, central directory integration and mobile device management are becoming more critical and need to be addressed earlier in a company’s growth.

We reviewed many use cases that different companies showcased to make a point about identity management and security in general. It was clear that while each case was unique, there were some core concepts that needed to be addressed by everyone. There was also an extended discussion on the different compliance requirements that a cloud service provider must achieve in order to gain trust and build confidence in the entire ecosystem of cloud apps. It was apparent that there is a long road ahead and a huge opportunity for members of this initiative to be able to make a lasting impact on open questions that are being actively debated in this field, including a standards-based design for mobile SSO and other similar topics.

Overall, I felt encouraged to see a groundswell of support for addressing this key security issue of identity management for the enterprise as it adopts the cloud. Thanks to the organizers for putting on such a great event.