Takeaway Points:

• IAM has become the critical fulcrum for business strategy

  • empowers B2E productivity and compliance

  • generates B2C revenue

  • is foundational for security

  • critical for privacy

• It is also THE major attack vector for internal and external adversarial activity

• To that end we have seen the evolution of identity security

• Whilst we see specific controls within the core pillars of IAM (MFA, IGA, PAM, PxP) we also see two overlay models

• Identity Data Risk Management (aka ISPM/IVIP)

• Identity Runtime Risk Management (aka ITDR, behaviour, intent)

• To measure we need to consider covering ALL identity types

• We also need to consider the end to end life cycle taxonomy of the identity

  • from IDV, credential management, authn, authz, storage, monitoring and so on

• From a security point of view as also need to take a end to end approach and consider several different pillars so we can assess, analyse, recommend and iterate on the identity security layers

• What to measure?

  • Visibility - do you know where your identities are located? Who uses them? What systems do they access?

  • Threat analysis - Can you perform continuous risk and threat analysis of your IAM components?

  • Detection - Can you detect runtime behaviour issues or mis-configuration within your identity data?

  • Protection - Are you applying core IAM controls such as MFA, ZSP, JIT and credential rotation?

  • Response - Breaches happen – can you respond effectively and efficiently – incorporating the right systems and teams?

  • Hygiene - Are you removing redundant identities, permissions and policies?

  • Operations - Do you have buy in and strategic direction?

• Take a look at the The Cyber Hut’s Identity Security Scorecard for more information

Introduction

Simon Moffatt's "Consumer Identity & Access Management: Design Fundamentals" explains the essential concepts of CIAM (Consumer Identity and Access Management), highlighting its differences from IAM (Identity and Access Management). It explores the evolution of identity management, discussing the shift from employee-centric systems to a consumer-focused approach.

The text also delves into key CIAM requirements, emphasizing the importance of user experience, security, privacy, and compliance. It provides a detailed overview of the CIAM lifecycle, including onboarding, proofing, secure login, device binding, contextual and adaptive access, profile management, consent management, data management, and account removal.

Furthermore, the document presents a technical toolbox for CIAM implementers, outlining key cryptographic concepts, standards, and libraries, such as OAuth2, REST, and FIDO2. It concludes with considerations for vendor selection, KPI (Key Performance Indicator) development, and metrics related to data breach prevention, stressing the importance of aligning CIAM initiatives with business objectives.

Audiocast Interview

The following is a NotebookLM generated conversation discussing the book and the role of B2C identity.

Read more