The recently concluded Cloud Identity Summit isn't the largest security event out there, but is one of the most important. Constellation Research VP and principal analyst Steve Wilson was in attendance, and we recently took some time to discuss his views on the event and why anyone with security matters on their docket should consider attending. The following is an edited transcript of our conversation.
CRInsights: Let's cut to the chase. Why is this show so important?
Wilson: In the last couple of years it has turned out to be the most important international conference on identity. About 1,000 delegates attended and only a small part of it is a trade show. The big security conferences are dominated by trade show activity. Cloud Identity Summit is really all about content. It’s an amazing spectrum of content. Very senior government thinkers and policy people are there. There are a lot of people who work at the intersection of privacy and ID, which is critical for myself and Constellation's research agenda.
CRInsights: Usually when I attend a tech conference, one bit of content or provocative rhetoric stands out as most memorable. What was the defining moment of CIS 2016 for you?
Wilson: I've gone four years in a row and every year there’s something like that. Last year, there was a lot of talk about ambient authentication—how to make authentication ubiquitous.
This year it was about blockchain [Ed: Go here for more of Wilson's coverage on blockchain, as well as a link to an excerpt of his major new report on the topic]. The real business of blockchain is "consensus"—algorithms for reaching agreement on the state of selected data. Blockchain was all about consensus on the movement of cryptocurrency (Bitcoin at first or a newer one called Ether).
In his CIS keynote last year, the CTO of Ping Identity, Patrick Harding, mentioned blockchain for the first time. Since then it turns out Ping has been working hard and quietly. They've invested in a company called Swirlds. This year they announced they were going to create the 'kill switch for SSO' and described a new algorithm called hashgraph. [Go here for more details of Ping's announcement.]
With SSO, the big problem is if you need to stop the sessions, say if you’re going on holiday or about to jump on a plane. Or maybe your telephone’s been compromised. Maybe it’s a work ID and you’ve changed jobs. It’s been a problem for 10 years in SSO. Security people the world over have been struggling with how you do web single sign-OFF.
Hashgraph is philosophically a derivative of blockchain but it's entirely different math. Blockchain is like the Wright Brothers flyer: It proved you could do flight, but everything else moving forward was new technology.
There’s what’s called the "Identerati." They have not bought off on blockchain. Many blockchain startups are not solving real identity problems.
CRInsights: What forward-looking thoughts did this year's event provoke in you? How will it influence your research agenda going ahead?
Wilson: How do you do R&D properly? How do you have the rigor to solve real problems and bring people along on that journey? This is bleeding-edge stuff. If you’re going to be there you need to know what you’re doing and have no sort of religious attachment to blockchain.
The other thing is there’s this push to drive the UX of ID underneath the covers. The pain point for identity is that every time you go to a new site, you’re typing in your username and password all the time. There are a bunch of new standards making that disappear, such as FIDO. These things are plumbing. You don’t need to tell anyone about it. They allow ID info to be shared across different apps and your phone. Your phone is really the fulcrum of identity. The phone knows you, it knows your biometrics. It knows where you are. The Identerati are kind of making ID disappear. It's kind of paradoxical but this is the story of technology.
I'm working on a new report about the consumerization of identity and it should be out within a month. The next step here is IoT (Internet of Things). We've got a huge ID headache about to start up with things like Amazon Echo and intelligent buttons. All of these things are agents tied to devices and tied to your life. If the industry doesn't do a good job with IoT identity, we're going to have a privacy nightmare.