Convener: Sarah Squire, Engage Identity
Notes-taker(s): Dedra Chamberlin, Cirrus Identity
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Judith Bush - OCLC
Jake Pszonowsky - KPMG
Jonathan Hard - Netflix
Ken Klingenstein - Internet2
Colin Walls - Kantara
Brad Hill - Facebook
Robert Burgess - Gigya
Jim Fenton - Independent Internet Technologist
Sarah reviewed current state:
The ID Pro group is forming, with a goal of professionalizing the field of identity management, establishing a shared body of knowledge, and hopefully making it easier to recruit and train qualified people in identity management (so that it's easier for employers to hire good people and/or train the people they hire to learn IAM).
Currently forming a non-profit membership org, a 501(c)(6)
Seeking founding members (corporations) to sponsor initial foundational work.
Seeking individual members to help build the body of knowledge and provide input on the effort - looking for people who have been doing identity for a long time
One of the first goals is to create a body of knowledge.
For more info, see:
Sarah asks - What do we think of the concept, what kind of services should ID Pro provide?
Consensus that it's very hard to find qualified identity management staff, and when you do hire someone who knows identity management, they usually know only a single identity product (OIM, Sailpoint, Ping, etc). We need more IAM professionals that have a conceptual, non-product specific understanding of identity.
Body of knowledge needs to have different areas of focus (streams/tracks):
Suggestion: ID Pro should identify clear career paths in the identity field - make it appealing for someone looking for a new career path.
In terms of credentialing, Sarah reported that the plan is to outsource any actual testing for certification since there are plenty of companies already that do this well.
With regard to credentialing, many in the group expressed a concern that any credentialing process not turn into a gatekeeping function. Some pointed to the (bad) example of the CISSP certification. It has become something of a requirement in some fields, yet the content of the certification program is not current with the technical realities of the market, and people who are technically savvy actually hold the certification in disdain.
Examples were shared of situations where really qualified people didn't apply for critical security roles because they lacked the CISSP certification, while mediocre people who were certified got the job.
Request from the group: let's not have a certification program that repels the people who are most qualified. OWASP has been much more successful: a useful body of knowledge that people can leverage regardless of certification (e.g., the OWASP Top 10 vulnerabilities list).
It was noted that there are important subsets of IAM knowledge where it is critical to know about how they are different from standard enterprise identity - Higher Ed and Healthcare for example
We talked a bit about the domain of information security and how it historically hasn't included or embraced identity management explicitly, and that we should try to change that. Lots of people at security conferences don't seem to know much about IAM, even if they talk a lot about access control. Black Hat, DEF CON: where are the IAM folks?
Though Brad mentioned he gave a presentation at an RSA conference on the history of authN systems and it was well-received. There is an audience.
Maybe we should look at bug bounty services and make it easier to find identity-related exploits
In terms of the body of knowledge:
- focus on use case descriptions as teaching vehicles for identity concepts. Don't just give people a glossary of terms and conceptual/functional definitions. Describe real world scenarios of challenging identity integrations/problems and different approaches to solving them. That's how most people end up learning identity management in the field.
- Recognize that many organizations deal with lots of legacy tools and heterogeneous environments and in many situations, existing tools are not open source and the best future solutions are not always open source.
- Needs to be useful to decision-makers (budget authorities) and technical implementers. Be sure to include info on how investment in identity returns value to the organization.
How to get more people involved?
- Radiant Logic is sponsoring regional meet ups
- Judith had taken ID Pro flyer to regional meetings
- More recruiting will happen at CIS
- Should the ID Pro organization offer publications for members? Sure, but make sure it doesn't become Gartner-like. Should not be a corporate mouthpiece.
- Would people like a newsletter for members? Consensus was "yes"