Debriefing after my first talk at Identiverse

Yesterday I spoke for the first time in a tech conference. I did it because I wanted to attend Identiverse, one of the biggest global conferences dedicated to Identity, Security and Privacy professionals, vendor agnostic and community oriented, which I wanted to experience for a long time.

To my surprise the room was packed despite that many attendees were wrapping up their participation in this annual event that gathered people from different parts of the globe. Although the conference ends today, the expo closed yesterday, attendees were carrying their suitcases to head back to their homes and I noticed many sessions were half-full despite the great content offered by the speakers (to be honest, I was very disappointed, because preparing each presentation required months of effort from the speakers and the content panel and they deserved to be heard as well).

The night before to my presentation I couldn’t sleep much and during the day I went multiple times to the bathroom as my irritable bowel syndrome was at its peak, but I realized that attending other people’s talks calmed me down as learning from them and engaging asking questions distracted me from my own challenging task ahead.

During the presentation I owned the stage and I showed my best self. I was so grateful for the opportunity and the support of the people who showed up, that I just grabbed the clicker, got me started and kept it going… until I suddenly noticed the time: 19 minutes flew like nothing and I only had 6 minutes to cover more than half of the content. So, I rushed through my slides knowing that they’re going to be shared after the presentation, and I went straight to the message I wanted to leave to my audience: the lessons we learned on these 2 years of implementing our workforce identity strategy.

Now that the presentation is over and my nervousness and anxiety are gone, the adrenaline is still pumping and my brain keeps reviewing what I would have done differently to share everything I prepared and still have time for the questions from the audience. I wasn’t able too sleep much again and I started a “debriefing comment” on the LinkedIn post I published yesterday a few hours before my talk. However, I ran out of characters and I had to move this to a real blog post as I had too much to share from this experience.

First I wanted to reiterate the lessons learned that I shared in my presentation:

1. Have a strategy sponsored by your leadership and make sure they acknowledge this is a multi-year complex effort.

2. Build and empower a strong dedicated engineering team. I’m so lucky to having crossed paths with other 12 smart, curious and diverse individuals that joined me under different circumstances and have helped me to endure and pivot multiple times to get were we are today.

3. Create a safe space for INNOVATION. If your engineers are afraid to fail they’ll paralyze and will always wait until you validate them before experimenting. Instead, offer a playground to explore, help them to recover when they break something and encourage collaboration between peers instead of imposing your own solutions.

4. Don’t rely 100% on your vendors. They’re not going to tailor their product to your needs and they’ll try to shift the blame on you if something goes wrong and they didn’t catch it before it became a problem. They may promise to look into it, to add your feedback to their roadmap, but especially SaaS providers have to prioritize their own needs and balance yours with what other customers need, so if they ever come with a solution for your problems it will be late for your business. Instead rely on your internal team, get advice from consultants, ask questions to the community and create your own workarounds.

5. Validate and exchange your ideas with others in the field. Attend events such as Identiverse, user groups, meetups, webinars and other forums to learn what others are doing and whether you are on the right direction or need to pivot again.

Takeaways from my talk:

1. Prepare the draft presentation before you submit your proposal so you can estimate whether your content fits in a short session or a master class.

2. Create a compelling story, but skip the details. The audience can get a deeper view in your PPT when the organization releases the materials.

3. Engage your audience and watch them while you speak. I lost my lines several times but I moved on and relied on telling my story because I noticed they were sill nodding their heads and expressing emotions as I speak.

The questions from people that approached after my session made me realize other things as well:

1. You won’t have everyone happy in such diverse audiences. There were leaders, new professionals and architects. Some were just starting their IGA implementation, others were in the middle of a mess and were looking to find solutions to their problems and others already lived through the same experience and wanted to hear from others and validate their approach.

2. The implementation that worked for us may not apply to you. I intentionally left vendor names out of my presentation and didn’t want to go into the details of our solution because each organization is different and your approach needs to adapt to your systems and processes.

If you’re still curious about what was our solution to implement a dynamic lifecycle:

1. Stop the pre-provision of Identity objects when employees are onboarded in the HR system. Instead, identify the system that all users will touch on their first day (usually the collaboration suite) and trigger provisioning events “just in time” when they use the systems they’re trying to access based on preconfigured policies that grant some initial birthrights that open the door to other systems as their role and needs evolve.

2. In our case, our SSO federates with our parent company’s IdP and as our IGA rollout we connected it to SSO for authentication, so when users got to the IGA to request something for the first time, their “Identity” is created “just in time” and that profile is enriched with the data still imported from the HR system as a secondary source. In our case our parent’s IdP doesn’t come with manager info, nor start/end date, and other important fields for our lifecycle, so we take them from the HR feed.

3. Prioritize downstream systems your users need the most and connect them to your IGA (and if possible to SSO).

4. We're collaborating with managers in your organization to define who are their team members and use access information from systems connected to IGA and SSO, to build roles for their teams.

5. If you don’t have consistent HR data to assign those roles using ABAC, make roles “requestable” and empower team managers to be responsible for approvals and reviews on who receives those roles.

6. Collect activity data in downstream systems and implement policies to deactivate accounts based last time the system was used. If the user comes back, the just in time and established roles described above will take care of the restoration of the account.

7. We still rely on the end date synced from HR to trigger Leavers events that deactivate accounts in all connected systems with IGA.

8. Keep learning from your systems data and adjust as you go.

After Identiverse, we’ll continue exploring new standards (AuthZen, CAEP, event SCIM and others) to go deeper developing this dynamic lifecycle using an event and data driven approach to enforce Least Privilege and Zero Trust while still providing a seamless and secure user experience.

Thanks again to everyone who made this possible and supported me to go through this challenge.

My colleague and I hope we can come back next year to get the motivation and inspiration experienced throughout this event.

We’re bringing back too many ideas to improve our program and we’re fully energized to endure whatever comes next.

I hope we can continue this conversation with the many contacts we made this week and we’ll see you again soon!