An Interview With Hannah Sutor
Hiya,
This is another in my series of interviews with experts in the space about the future of CIAM.
Hannah Sutor is passionate about all things digital identity and security. She currently works as a Principal Product Manager at GitLab, focusing on authentication and authorization in a DevSecOps context.
Hannah has spoken at various conferences on digital identity, privacy, cybersecurity, and devops workflows. She is passionate about balancing security and usability, and building secure software. She is a participant in OpenSSF working groups and serves on the board of IDPro. She lives outside of Denver, Colorado, USA, and decompresses with nature and vigorous workouts.
I am thrilled to have her share her views on CIAM.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Hannah: GitLab is the place where our customers store their intellectual property - so protecting it is very important, but so is making access as frictionless as possible. We have a very technical user base who are very aware of the latest innovations in CIAM, and they expect to be able to use them.
Improving the authentication experience from the command line is really interesting to me. Often, users are just kicked to a browser window to authenticate. Is there a way we can still provide secure authentication, but allow the developer to stay where they are most comfortable?
CIAM really helps our enterprise customers scale admin overhead in GitLab. With automated user lifecycle management and SSO facilitated by the identity provider, combined with our enhanced user management tooling, which we call Enterprise Users, I'd like to think that we are constantly improving user management at scale.
Many customers have both internal developers and external contractors, and the groups should be treated differently in our system. So that's a use case we try to provide tooling for, too.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc.)?
Hannah: Lack of visibility into credentials.
Usernames and passwords are one thing, but we now have many different credential types: tokens, service to service authentication, keys, OAuth access, etc.
The username and password landscape has been mostly solved, but with these other credential types, a lot of the old paradigms no longer fit. We can't enforce MFA on a token that is being used in an automated process, or else it will break.
How can an administrator of a system take inventory of all of the different ways of authenticating, and make sure that there are appropriate security/usability tradeoffs for each mechanism?
Dan: What excites you about the future of CIAM? Any predictions?
Hannah: In the past, security and usability have always been at odds with each other. I've seen CIAM innovations that are more secure, and easier to use, instead of more difficult.
I'm really excited to see the "up and to the right" trend of technologies that can do both. I also have to think that authorization may come upstream at some point.
Managing roles and permissions in downstream applications, and "just" being able to segregate by group at the identity provider into the downstream systems, doesn't seem like enough.
I'm hopeful that a more centralized management experience for authorization is in our future.
Thanks again to Hannah, and thanks to you for reading!
Dan