Identity and Access Management

by Mike Schwartz

Today, a supply problem is one of the factors contributing to a less secure Internet. There aren’t enough people who understand Identity and Access Management (IAM).  Failure to properly authenticate a person, or to control what digital resources that person is allowed to access, is the root cause of the vast majority of security breaches. IAM is a critically important field if we want to make the Internet a safer place.  Consequently, we need more IAM engineers.

It was this belief, in 2009, that lead me and the Gluu team to open source the Gluu Server, which is a platform for IAM.  If engineers can’t download and use the software, they’ll never learn it. Most of the IAM solutions at that time were expensive enterprise software products. It was hard to obtain the software and to gain experience using it. However, we soon realized that providing the software was not enough.  We needed to improve the documentation for the Gluu Server. Without documentation, it was almost impossible to deploy and configure it. And documentation was only a piece of the puzzle - the documents only focused on the specifics of the Gluu Server implementation. Without a solid foundation in the theory, they lacked context. I realized that when the community asked for more documentation, what they frequently wanted was more examples.

What was needed was a book. While there are a lot of resources on the Internet, they are not organized in a systematic way to present the theory, nor do they provide examples of how to deploy the software (this is not just true of the Gluu Server, but of other additional open source tools that comprise the totality of an open source IAM platform.) I was almost ready to give up on the idea when I ran into Apress at SXSW in 2016. At that point, things were busier than ever at Gluu. But a book was a missing piece to the puzzle, and it aligned with Gluu’s mission to grow the community.

Along the way, I realized that I needed some help to get to the finish line. Maciej Machulak, who is one of the leaders in the OAuth community, and who originally volunteered to be a technical editor, decided to step up his role and contribute quite a bit of content. I also got some help from the contributors to several open source security and identity projects.

The book is organized into ten chapters. In each chapter, the goal was to devote half the content to theory, and half to examples. Although it’s pretty long, each chapter is actually a summary treatment of the topic. For example, OAuth is one chapter, but entire books have been written about OAuth. You can think of the book as a launching point into each of these areas of interest.

If you want to get started in the industry, I hope this book serves as an entry gate into the domain. To learn more about IAM, you have to get your hands dirty! Deploy the software. Look for entry level work in the field. Just get out there! The world needs you.

About the Author

Mike Schwartz is a domain expert on digital authentication and centralized application security policy management. Since starting an ISP in 1995, he has been directly involved in network and application security. In 2009, he founded Gluu Inc, a security software development company that has created an IAM distribution based on free open source components. In addition to his participation in several identity standards, Mike is the co-chair of the OTTO working group at the Kantara Initiative, which is developing new standards for identity federation. Mike has worked with organizations in many sectors, including finance, government, education, and enterprise. A graduate of Washington University in St. Louis, he currently resides with his family in Austin, TX.

Maciej Machulak is an expert in security, privacy and trust in the Cloud. He works on digital identity and security at HSBC. In the past, Maciej worked for various companies in the identity and access management space. He also founded and became the CEO of Cloud Identity Limited (acquired by Synergetics), a company that developed innovative security software based on proprietary and open source components. Maciej serves as the Vice-Chair of the User-Managed Access (UMA) Work Group at Kantara Initiative and is one of the authors of the award-winning UMA protocol and of two OAuth-related specifications used in Open Banking. In June 2015, Maciej was awarded the prestigious MIT Technology Review Innovators Under 35 Poland award for his work on privacy and security. Maciej is a PhD graduate from Newcastle University. Outside of work, he enjoys various outdoor activities and sports with his family.

This article was contributed by Mike Schwartz, author of Securing the Perimeter.