5 Indicators of Cyber Security Market Failure
The Cyber Hut
by Simon M
4y ago
Let us start with some brief definitions to get us all on the same page. Firstly – what is meant by the term “market failure”? A textbook description would be something that articulated the “inefficient distribution of goods and services in a free market”. But how do we decide whether the distribution is inefficient or not? Perhaps let us look at how "efficient" is described first, then work backwards. An efficient market would probably display a scenario where goods and services are distributed, priced and made in a manner which cannot be improved upon, with the amount of waste minimised ..read more
2H2019 Identity Management Funding Analysis
The Cyber Hut
by Simon M
4y ago
Back in July, I wrote an article taking a brief look at venture capitalist funding patterns within the identity and access management space, for the first half of 2019. I am going to revisit that topic, but for the second half of the year. Key Facts July to December 2017 / 2018 / 2019 Funding increased 309% year on year for the second half of 2019, compared to the same period in 2018. Taking a 3 year look, it seems that perhaps 2018, and not 2019, was the unusual year. The number of organisations receiving funding has reduced every year since 2017. The drop between 2018 and 2019 was ab ..read more
5 Minute Briefing: Designing for Security Outcomes
The Cyber Hut
by Simon M
4y ago
This is the first in a set of blogs focused on high level briefings - typically 5 minute reads, covering design patterns and meta trends relating to security architecture and design. When it comes to cyber security design, there have been numerous ways of attempting to devise the investment profile and allocative efficiency metric. Should we protect a $10 bike with a $6 lock, if the chance of loss is 10% - that sort of stuff. I don’t want to tackle the measurement process per se. I want to focus upon taking the generic business concept of outcomes, alongside some of the uncertainty that is ..read more
Principles of Usable Security
The Cyber Hut
by Simon M
4y ago
I want to talk about the age old trade off between the simplicity of the website or app, versus the level of friction, restriction and inhibition associated with applying security controls. There was always a tendency to split security at the other end of the cool and usable spectrum. If it was secure, it was ugly. If it was easy to use and cool, it was likely full of exploitable vulnerability. Is that still true? In recent years, there have been significant attempts – certainly by vendors – but also designers and architects, to meet somewhere in the middle – and deliver usable yet highly sec ..read more
1H2019 Identity Management Funding Analysis
The Cyber Hut
by Simon M
5y ago
As the first half of 2019 has been and gone, I've taken a quick look at the funding rounds that have taken place so far this year, within the identity and access management space and attempted some coarse grained analysis. The focus is global and the sector definition is quite broad and based on the categories Crunchbase use. Key Facts January to June 2017 / 2018 / 2019 Funding increased 261% year on year for the first half of 2019, compared to the same period in 2018. There were some pretty large, latter stage investments, which look to have skewed the number somewhat. The numb ..read more
Next Generation Distributed Authorization
The Cyber Hut
by Simon M
5y ago
Many of today's security models spend a lot of time focusing upon network segmentation and authentication. Both of these concepts are critical in building out a baseline defensive security posture. However, there is a major area that is often overlooked, or at least simplified to a level of limited use. That of authorization. Working out what a user, service, or thing should be able to do within another service. The permissions. Entitlements. The access control entries. I don't want to give an introduction into the many, sometimes academic acronyms and ideas around authorization (see ..read more
How To Build An Authentication Platform
The Cyber Hut
by Simon M
5y ago
Today's authentication requirements go way beyond hooking into a database or directory and challenging every user and service for an Id and password. Authentication and the login experience is the application entry point and can make or break your security posture and end user experience. Authentication is typically associated with identifying, to a certain degree of assurance, who or what you are interacting with. Authorization is typically identifying and allowing what that person or thing can do. This blog is focused on the former, but I might stray into the latter from time to time ..read more
2019 Digital Identity Progress Report
The Cyber Hut
by Simon Moffatt
5y ago
School's out for summer? Well not quite. Unless you're living on the east coast of Australia, it's looking decidedly bleak weather wise for most of Europe and the American east coast. But I digress. Is it looking bleak for your digital identity driven projects? What's been a success, where are we heading and what should we look out for? Where We Are Today Passwordless - (Report says B-) Over the last 24 months, there have been some pretty big themes that many organisations embarking on digital identity and security related projects have been trying to succeed at. First up, the age old ..read more
Renewable Security: Steps to Save The Cyber Security Planet
The Cyber Hut
by Simon Moffatt
5y ago
Actually, this has nothing to do with being green. Although, that is a passion of mine. This is more to do with a paradigm that is becoming more popular in security architectures: that of being able to re-spin particular services to a known “safe” state after breach, or even as a preventative measure before a breach or vulnerability has been exploited. Triple R's of Security This falls into what is known as the “3 R’s of Security”. A quick Google on that topic will result in a fair few decent explanations of what that can mean. The TL;DR is basically, rotate (credentials), repair (vulnera ..read more
12 Steps to Zero Trust Success
The Cyber Hut
by Simon Moffatt
5y ago
A Google search for “zero trust” returns ~195 million results. Pretty sure some are not necessarily related to access management and cyber security, but a few probably are. Zero Trust was a term coined by analyst group Forrester back in 2010 and has gained popularity since Google started using the concept with their employee management project called BeyondCorp. It was originally focused on network segmentation but has now come to include other aspects of user focused security management. Below is a hybrid set of concepts that tries to cover all the current approaches. Please comment bel ..read more
