Lessons From a Passkey Implementation

Everyone’s talking about passkeys, but what does an actual implementation look like? Do any security-UX tradeoffs need to be made? Is it better to build or buy?Listen to this FIDO Alliance webinar where the Branch Insurance CISO shares how passkeys helped them reduce auth-related support ticket volume by 50%.

Watch Now

Goal to 1k

Ok so one change I’m making to this, is I’m just going to start giving you all a snapshot from the dashboard. Because the count I was using last time is real-time..meaning it looks up the number of subscribers at the time you are viewing it.

Current Subscriber Count: 457

Atlas, Risk, AI…oh My!

OOkkkay. Buckle up folks let’s dig into these releases from SailPoint.

CAVEAT: I WAS NOT in attendance at Navigate, so I haven’t seen these live, and I’m going just off of what’s on their website, aaand some background knowledge of their products ( Disclaimer for those that don’t know, I worked at SailPoint for while, back in the day)

Update: There some other announcements that weren’t called out in this specific article I link to. I’ll get to this and move this entire thing into it’s own Community Article as I’ll dig in on the rest of the announcements. Also check out the Podcast from our friends at Identity At the Center as they sat down with Sailpoint’s VP of Product Management

Okay..let’s dig in.

First Up: Dynamic Access Roles

Good feature. I would say one of those “ Should have had this all along” features, but that’s probably just being picky. The gist of this is that it gives organizations flexibility in their Role model to define the situations in which a user gets granted access via role.

Ex: All regional managers get the manager role, with region specific access.

In this case the role is the same. In this case Regional Manager, or even just manager. But the addition of the region, get them assigned to specific entitlements.

Probably going to say this next part a lot: You could do this with IdentityIQ. And the statement is going to ruffle a lot of feathers, but I really think this is the biggest mistake that SailPoint has made over the years. Their inability to reproduce functionality from IdentityIQ to IdentityNow/SecurityCloud/Atlas/what every the hell they call it now has been the Achilles heel, and will continue to haunt them. For the purposes of this post I’m going to refer to it as IdentityX

Overall I’ll give this a C grade feature. For those that are currently on IdentityX and have struggled with this a much needed boost. But docking points because it’s something that should have been there a lot sooner. ( Don’t think I’m making friends with this review..lol)

You can check out the Solution Brief for this here

Next: Access Model Metadata

Ummm……

Ok..so I can see the vision they are planning with this. If you’re going to lean heavily into AI and Automation, you need data. This allows customers to add metadata to their environments, which should lead to more powerful capabilities as SailPoint rolls out more AI features. I could see them basically building a mini LLM type model based off of a specific customers metadata. For now it seems this allows customers to add this data, and enrich areas like access reviews, entitlements, etc.

……..Sigh…..

You could do this with IdentityIQ. And also this is basically just the Entitlement Description problem. ( Quick primer: No one knows what entitlements are, because often they aren’t named for what they do. So you give a text box and tell people to write a description. Great! if you have 50 entitlements, someone MIGHT take the time to create descriptions. 50,000..good luck)

(I’m really not TRYING to be mean)

Again I see the vision…I think….but….really?

Additional info on this here

Giving this one a D

Next up: Data Segmentation

Oooh…I like the title. And appreciate the use case. Basically this comes down to a real life implementation of Least Privilege and Need to Know. This feature allows organizations to create granular levels of control within IdentityX when it comes to what users can and can’t see.

Nice!

I’m probably biased on this one given my background. I started my career in Identity working for the federal government and everything was Need to Know. Again I can see some tie ins to future plans around AI with this. The more contextual data you can collect the better. But this does give a huge advantage to organizations who have very strict requirements around data, and/or are truly down the path of a least privilege approach.

B+ on this one

Sidenote: You could done this with IdentityIQ. ( I told you I was going to say this alot)

Ok last one: AI-driven App onboarding enhancements

This is an update to a feature that’s already out. The ability to rapidly onboard apps is fantastic. The easier we can make this for customers the better. Honestly with cloud apps, or API public apps we should get this to a couple of clicks at some point. But I digress. I would LOVE to see this feature in person as I think it’s the type of innovative features that a company like SailPoint should be focused on, and really helps customers get to showing value.

Giving an A for this one.

All in all…some ok announcements. I know there was something about Privileged Task Automation as well, but this was getting pretty long. So I’ll do an updated version of this in a blog post on the community..in fact I think I’m going to do a series of these and look at different companies…should be fun.

What did you think of the announcements from SailPoint? If you attended Navigate how was it? Let me know!

Because you can’t go a week without talking about AI

I joke, but a solid read about how we look at AI and it’s future in Identity Security.

The State of Multi-Cloud Report

Presented By

Our friends at Strata coming in off the top rope dropping some juicy data nuggets around the state of multi-cloud in the industry.

I got 99 problems and they are all IDP’s

Ok so this Multi Cloud, Multi-IDP thing..it’s real.

Quick story: A not some long time ago in a galaxy not far away, I worked for an organization that was very strict on what we could and couldn’t say. At the time one of the things we couldn’t say was “Multi cloud”. Because it wasn’t real and customers didn’t really use multiple cloud service providers.

……yeah….

Anyway not only is multi cloud a real thing, it’s a real problem for a lot of customers. This latest report by our friends over a Strata drops some good data around how customers are dealing with this.

Some things that jump out:

75% of respondents have 2 or more IDP’s, and 11% had 5 OR MORE…Like 5! I have so many questions around what’s going on there. ( If you’re reading this and you have 5 IDP’s, I’d love to talk to you..I’m genuinely curious).

So it only makes sense that with multiple IDP’s the main thing you would struggle with is complexity around access controls. Not to mention trying to do things like passwordless, or MFA and to get even crazier…governance and user lifecyle. We have to start taking holistic approaches to this. WE CAN NOT continue to think about this in silo’s. Identity has been and will always be connected. A decision you make around your PAM process affects your lifecycle process, and so forth and so on.

The data presented in this report screams one thing to me: We have to create a SINGLE UNIFED VIEW of identity data.

I really don’t see another way. There is so much to manage and monitor, that if you try to piecemeal it…well you get what we’ve done the last decade.

Now let me be clear. Although I believe we need a single united view, that doesn’t mean we have to centralize everything into one monolith. Think centralized, act decentralized.

This was a really good report to read, check it out and let me know what stood out to you!