I didn’t get to go to Cloud Identity Summit again this year. At least, not physically. I was there at a distance, attending via the very full twitter feed on #CISmcc. My experience was choppy. There were few slides. Ideas were filtered through the varied perspectives of the people tweeting. Then something odd happened in the middle of the whole experience. It changed the way I assimilated the ideas. Since attending at a distance also cuts off the nightlife, I spent the evening between the two major days of presentations knocking off a long-standing item from my Netflix list. I watched a documentary based on conversations with Noam Chomsky called “Is the Man Who Is Tall Happy?” As always, listening to Chomsky talk linguistics and philosophy is a bit mind-blowing. Then all these cascading connections began to form between the philosophical ideas and the identity ideas. That’s where the fun began. What struck me was a deep sense of irony. There is a stark contrast between the way ideas are progressing in identity and the advice contained in those ideas.
Walking into CIS, many were already primed with notions swarming around IRM (identity relationship management). That noise reached its pitch with Ian Glazer’s thoughts and the reaction to those thoughts (the links are only examples, there’s a ton more out there). Both implicitly and explicitly it felt like this debate was very present. Thoughts were flying by fast, but I sensed a tension that felt familiar. The notion that focus on relationship was paramount versus a focus on identities (or users) had a dynamic I recognized. It was only watching Chomsky that shook loose where I had felt that before.
At one point, the documentary talks about cognitive science. It treats the subject briefly. But I’ve studied it pretty deeply. That’s where the link is. There are schools of thought that focus on a homunculus based approach to mind, looking at the entities that make up thought mechanisms (e.g. brain cells, ideas). There are other schools of thought that focus on the connections (e.g. networks of neurons, or constellations of notions). I should say here that I know I’m slaughtering the heart of both of these schools of thought for the sake of brevity. Feel free to make me pay for it in the comments. But don’t think that will stop me now – in for a penny, in for a pound. This homunculus versus connectionism dynamic suddenly became very like the identity notions of user/identity centered versus relationship centered. The reasons I rejected the dichotomy of these cognitive science ideas began to seem relevant. The battle line between focus on the points versus focus on the lines that connect the points seems to be too artificial to me. In my mind, you only get realism with all of it included.
Imagine the difference between Abbott and Costello discussing the Middle East versus Mahmoud Abbas and John Kerry discussing the Middle East, or, if you prefer, the difference between Abbott and Costello doing “Who’s on first?” versus Mahmoud Abbas and John Kerry doing “Who’s on First?” Clearly, the people and their relationships both matter when you want a full understanding of how you should react to something. We can’t have a full understanding of how identity should react (in authentication, in authorization, in entitlement management) without understanding both the identity and the relationships in which that identity is currently involved. Both the current state of being and the current state of relationship of Abbas/Abbott and Kerry/Costello are informed – even formed – by the past states of being and the history of their relationships. To imagine understanding either the men or their relationships in some idealized, ahistorical setting is ridiculous. To me, it’s the same with identities and their relationships. It’s all or nothing. You need it all to answer the basic questions. Who’s on first? Exactly*.
I said there was a deep irony here. We need to go a level deeper to root it out.
That artificial division of concepts, the burst and stop twitter feed, these discontinuities underlined another idea Chomsky brought into the discussion in the documentary: continuity. Continuity was discussed in many ways, but the basic idea was encapsulated in a children’s story. Sylvester the donkey becomes a rock, and then is turned back into a donkey later. Chomsky uses this to show how children don’t bind words and concepts tightly. If you ask a child if Sylvester is still a donkey, even when he’s been turned into a rock, they will say yes. The identity of Sylvester transcends his physical form. Chomsky calls this continuity. In the child’s mind, and I bet in most of ours, Sylvester is a being that is a donkey and having been turned into a rock doesn’t change that. The story’s dramatic tension is the contrast of form and identity. We’re happy when things are all right: Sylvester is again a donkey in form and identity.
I see continuity echoed in so many of the themes from CIS – and the wider identity threads with which we all weave our thoughts. My friend Nishant (if one can call a man who depicts you as a bizarre mix of Jedi and nun in front of large crowds a friend) raised the ever-present specter of killing IAM, making the ultimate break in continuity. Bob Blakley (who gets a halo, not a habit, from Nishant) again pointed us to a future of continuous authentication. The heart of a dichotomy like IdM versus IRM suggests a lack of continuity. Make no mistake, the breaks in continuity also fit the trend. Chomsky brings up continuity specifically because so many people wish to set up a dualistic relationship between ideas labeled by words that map intimately to “real” objects in the “real” world. But, if Sylvester the “donkey” is still a “donkey” when he is a rock, that sort of dualism doesn’t fly. The map is in the mind and it’s drawn using the continuity we all sense. When we want to label things neatly, as we so often do in technical circles, we try to break the messy continuities that come naturally in a messy world. Identity is a messy business. Anything that attempts to sum identity up neatly must betray its core features. Sylvester is always a donkey because being a donkey is part of his identity. I am always Sander regardless of my company, my relationships to other people at given times, or the avatars with which I present myself to the world (habits and Jedi robes notwithstanding). We get so frustrated with these messy threads and the knots they tie us into that we want to burn the whole thing, kill IAM off in favor of a new shiny thing that will fix all the problems. Identity is an attempt to bind a narrative that spans a lifetime to a single concept. That means we will have to deal with messy continuity, and all the things we killed trying to neaten up our ideas will rise up like zombies to join us again.
Continuity is a core feature of identity. The attributes, the relationships, the actions, the entitlements, the policies, the authentications have all been about something that has been a continuous thread. You can choose to describe it through the lens of its kinetic relationships and actions; you can choose to describe it through the lens of its associated attributes. The thing you describe remains the same. It’s the continuity of that thing which binds all those other concepts. This is where the irony sets in. As we try to capture this continuity over time, we try to break the threads, disrupt the stories. We worry about picking one of the two lenses, when we need both to correct our collective vision. We want to destroy what we’ve built to rid ourselves of the messy parts we didn’t like, but those are the parts that likely came closest to the essence of what we wanted to capture. “Things that let you do anything make it hard to do anything” said Ian from the stage. And I agree. Does that mean we look for a simple solution? What if we need to get close to that level of fluidity, that ability to do anything, to truly capture the kind of continuity that can let a rock be a donkey that’s physically a rock at the moment? If that sort of extreme continuity is a core feature of identity, then our identity management teapot needs to be strong enough to hold a tempest that strange. We can’t run away from the hard bits of our approaches to identity. Those may be the bits that are the best reflection of how hard it is.
This is not meant to be a Luddite’s cry. Bring on new standards. Bring on new ideas. Bring on new technologies. It is a word of caution. If our new ideas are simply about banishing the bits we didn’t like in the old ones, if we forego dealing with the messy continuity in identity or the complicated wisdom that may be buried in our old ideas, then we’re simply falling in love with novelty. We are hopping from one engineer’s honeymoon to the next. Here we find the deepest irony. It is ironic that we would take identity, which attempts to bind with continuity a myriad of disparate things, and attempt to break it up into neat pieces. The advice we scream at those building new systems is not to simply pick up the easy, familiar identity bits they know or fall in love with the novelty of a shiny new library. We tell them to consider the larger, likely messier whole. Use the standards even if that’s a bit harder for you right now. Take from the complicated (in appearance) fabric of identity that already exists in your organization or the wider web. Do it for the sake of continuity so you can reap the benefits later. It’s advice we should all keep in mind.
If you’ve read this far, then congratulations for navigating the deep waters of my odd mind! It’s taken over a week to get this out. If you think this was complex, you should ask for some of the notes.
This is linked to from above. It’s an entertaining side note from writing this I had to share. When I quoted “Who’s on first?” as saying “Who’s on first? Exactly.” I didn’t realize I was mixing up the actual script of “Who’s on first?”, where “exactly” never appears, with the lines from Purple Rain where they mimic “Who’s on First?” The funny synchronicity is that in Purple Rain the theme they use to mimic the routine is about remembering a password! Identity really is everywhere…