Podcast 101 | AWS Cognito & CIDPRO with Sarah Cecchetti


Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.

Do you know who has access to what?

 



Protiviti Podcast Transcript
Jeff Steadman

You’re listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let’s get started. 

Welcome to the Identity at the Center podcast. I’m Jeff, and that’s Jim. 

Our guest is Sarah Cecchetti. She is the principal product manager for AWS Identity. She’s also the cofounder, a board member and president of IDPro, which has a lot of different things going on. Welcome to the show, Sarah. 

Sarah Cecchetti

Thanks very much, Jeff.

Jeff Steadman

I’m excited to have you on here for a couple of reasons. IDPro, I’ve been a member since inception. I know you founded it a couple of years ago — 2017, I believe.

Sarah Cecchetti

Correct. 

Jeff Steadman

So, I’ve been there since the beginning. Little bit of a fly on the wall, but I have served on a couple of boards: one for the board selection committee — sorry, I’m butchering the name on that one — then, most recently, on the IDPro certification, or CIDPRO, which we’ll talk about later.

Before we get too far along, what I’d like to understand, though, is from your perspective, how did you get into the identity space? Is it something that you chose, or did it choose you? 

Sarah Cecchetti

I sort of fell into it sideways, which I think happens more or less to everyone. My undergraduate degree is in physics. I was really excited about being a rocket scientist when I was in my early 20s. Then, I got my undergraduate in physics and realized one undergraduate degree is not enough to go be a rocket scientist — that you need a lot more school — and I was not up for a lot more school at that point in my life. 

So, I didn’t know what I wanted to do. I went out and got a secretary job at a nonprofit, and their website was god-awful. So, I took it upon myself to make the website better, and they were using a content management system — they had Python, so I taught myself Python. Then they moved their headquarters from Seattle, where I’m based, to New York, and I said, “Well, moving to New York on a secretary’s salary just really doesn’t seem like a good life plan. So, I’m going to stay in Seattle and take the severance package, but while I’m doing that, can you change my title to a technology services something-something?” And they said, “Sure, that’s the least we can do. We feel super bad for laying you off.” And so they changed my title — I became a technology services something-something. 

Eventually, I got recruited by an identity team that basically said, “We know identity really well.” This is at the University of Washington — they’ve actually built a lot of the identity tools that other universities use and open source them. They said, “You don’t need to know identity. We can teach you, and you have a year to ask all the stupid questions.” And that was awesome. I had just gotten out of grad school at the time, and so the first thing they said was, “Hey, you should go and read all the new specifications and summarize them and tell us about them.” So, I went and read FIDO, I went and read UMA, and I went and read OAuth and everything that was going on at the time. 

Then I started going to conferences, and I met the people who had written the standards, which was amazing. So, I got to ask them, “Why is it this way? Why did you put this in there? Why are there only bearer tokens? Why aren’t there other kinds of tokens?” Normally, when you go to technology conferences, people do not have time. They do not want to answer your questions, they will not sit and explain things to you — they get very impatient with that. Identity people are not that way at all. Identity people are super nice, super generous with their time, and they’re so happy that someone has read their standard and that anyone cares, and they will happily sit in the bar for two hours and explain why bearer tokens are bearer tokens. So, I got to learn the identity field really well.

Eventually, people said, “Oh, wow, you’ve read all these standards, and you understood them. Can we hire you? Will you work evenings and weekends? Will you come to our office and explain these to us, because we don’t have time to read all of them.” And so, I said, “Sure.” And I started moonlighting, in addition to my university job, as a contractor. Eventually, I was working 20 hours a week as a contractor in addition to my 40-hour-a-week job, but I was making twice as much money contracting. So I was able to jump ship, and I quit my full-time job and became a contractor, and my company was called Engage Identity, and that’s roughly when I founded IDPro. 

Ian Glazer, who runs identity for Salesforce, and I were — I think we were at a bar at RSA, and we were bemoaning the fact that security gets so much attention and privacy gets so much attention. They have C-suite positions. Identity is the third leg of this stool that’s critical to both of them, and it gets no respect, no attention — we don’t even have a professional organization that identity nerds can join to learn more about their own field, and isn’t that a travesty? Then, we looked at each other, and we were like, “Shit. We’re going to have to do all this work ourselves, aren’t we? We’re going to have to found this thing. We’re going to have to move forward.” And so, we did that. We founded IDPro — that was in 2017. Then, after that, I spent a year at Ping, and then I came to AWS, and I have loved AWS. I’m a fish in water here — it is totally my culture and my jam, and I will probably be here for a long, long time.

Jeff Steadman

It’s a fascinating story. I especially like the part where you sat at the bar and were thinking, “How are we going to solve this issue of awareness around identity?” Because I feel the same thing. It’s always been tucked under infosec or maybe audit, and some earlier stages and things like that, but it really is foundational. Any security component has to have identity in it. If you don’t have that addressed, you’re going to have a bad time. You’re probably going to be in the news for all the wrong reasons. So, I’m glad that you started it. I’m glad it started at a bar — that’s even better. We’ve had Ian on the show as well. I think he kicked off our first episode for 2021 — he’s a good dude. Definitely we’ll echo what you said, too, about the identity industry being so welcoming. I think it’s one of the industries — at least that I’ve been part of — where everyone really is willing to share their knowledge. It’s not an arms race when it comes to trying to be better or worse. 

I understand there’s probably some of that when it comes to product. For sure, people are trying to have the best product out there, but all the people who are in the industry are very willing to share information. We have them at this show, and we talk to them at conferences. We’re going to all kinds of different things, and people are very gracious with their time. I would certainly encourage folks who are looking to get into identity, or if they’ve only been in identity for a short time, or if they’ve been identity for a long time, to reach out and talk to somebody. I think you’ll find most people are pretty open. They are certainly receptive to having their work read and commented on. Otherwise, it dies somewhere in a LinkedIn post somewhere where maybe not a lot of people might see it, so I echo that. 

Sarah Cecchetti

Yes, and a lot of the work that we do in identity has to do with interoperability. So, we are unlike other technologies, in that we have to work together. The way to make our customers have better experiences is for us to talk about it with each other and make sure all the attributes we have are coming across, and that they’re coming across correctly in the way customers expect. So, identity is an unusual field to work in, in that you have to work with your competitors. We have these teams of rivals all the time where we have to build standards together. We all know each other — we can all share knowledge. That’s really the only way to learn this field. There is no accredited undergraduate degree for identity and access management. You can’t get one. You have to learn it on the job — it’s the only way.

Jeff Steadman

So, I’ve got to imagine that not everyone always agrees when you’re sitting in these rooms and you’re trying to come up with something that is interoperable between different products. What is something that people might argue about when it comes to integration? I’m not looking for dirt or anything, but I’m curious as someone who’s not taking part of these conversations: What are some of the things you guys are trying to figure out, and maybe one organization or one person thinks it should be done this way, and another person another way? How do you come to consensus around that? 

Sarah Cecchetti

I was one of the coauthors of the NIST Digital Identity Guidelines, which were rewritten in 2018. One of the contentious things was that we wanted to deprecate SMS MFA, because when you send a multifactor authentication code as a text message, that text message can be intercepted with off-the-shelf hardware and software — we know that. So, it’s not very secure. There’s SIM-jacking. There are lots of ways for an attacker to get to that message. SMS as an infrastructure was never intended to be secure.

So, the telco companies obviously took issue with us publicly saying, “This is insecure, and we need to deprecate it” and said, “Look, we have ways to detect SIM-jacking. We have ways to time limit these codes so that they can’t be used for very long. This is an OK way to do multifactor authentication.” And it’s better than just a password, and there’s no question about that. It’s really easy to deploy. It doesn’t require anyone to install an app. So, there are a lot of benefits to it, there are a lot of drawbacks to it, and the same sort of discussion is happening right now with using email for multifactor authentication. 

For a long time, we said, “That doesn’t even count as multifactor authentication, because it’s supposed to be something you know, something you have and something you are. If you just have a password and email, then that’s something that’s protected by a password, and something else that’s protected by a password, so you’re not protecting against different kinds of attacks.” But if you’re in a corporate environment where you can put multifactor on the email, maybe that is a valid form of MFA, because you know that that person has had another factor checked via another channel. So, a lot of companies are having this struggle with, “What counts as MFA? What doesn’t count as MFA? Does it have to be just more secure than just a password, or is there a higher bar for security that we want to talk about?” 

Identity nerds love to argue, and we’re very bad at agreeing on things, but we’re good at moving forward. We do build new technologies fairly quickly — the identity field moves forward really fast. 

Jim McDonald

Yes, I think even phishable forms of MFA are better than no MFA at all. It’s funny, because I was listening to your how-you-got-into-IAM story, and you’re talking about all these standards, and people are like, “You understand these?” And you’re like, “Yes.” They have to remember that you wanted to be a rocket scientist, and you have a degree in physics, so it all adds up to me anyway. The other part — the endpoint of your journey, or where you currently are — AWS, putting together, or being responsible for, the AWS Cognito project is fascinating. I work with clients all the time, and when we’re working on customer IAM projects and strategies, the question asked is always, “What about Amazon? What about Amazon’s customer IAM capabilities?” And that’s AWS Cognito. Maybe you can tell us a little bit about what it is, who’s it for and all those great things. 

Sarah Cecchetti

Yes. So, the way that AWS thinks about identity is, we divide it between workforce and consumer, and it’s absolutely huge here. Between the two of those, we do over 500 million authentication and authorization calls per second. So, the scale you work at at AWS is just bonkers.

Jeff Steadman

Wait — you said 500 million per second?

Sarah Cecchetti

Yes.

Jeff Steadman

That’s ridiculous.

Sarah Cecchetti

It is completely ridiculous.

Jeff Steadman

Only slightly less than what Bezos makes per hour — but anyway, keep going.

Sarah Cecchetti

The part that I’m excited about and that I’m diving a lot of my energy into is the Amazon Cognito product, which is our consumer-facing product. The reason I’m really excited about it is because I don’t think that any company is really delivering a great consumer-identity product right now as a service. Consumer identity is a friction point at the beginning of every app, at the beginning of everything you want to do. And there’s no great way to have an end user remember a password or have to enter an MFA code. That’s always a pain. So, we’re researching new ways: “How can we make this easier? How can we make it less friction? How can we make it harder for attackers to get in and easier for good guys to get in?” And that’s a really interesting problem for me.

Amazon Cognito is a lot of fun because it’s a Swiss Army knife — or, I like to say, it’s like a box of identity Legos; you can build a whole bunch of stuff with it: It’s got a native directory, it does OIDC, it does SAML, we just added token revocation — there’s a whole bunch of stuff you can build just with Cognito. Our customers do all sorts of really neat things with the product that we never expected them to do. We can talk to them about, “Hey, what are you building? Oh, you’re building a castle? Cool. That guy over there is building a car. If we built a wheel, will that help both of you somehow?” We’re building new stuff all the time and talking to people about how they’re using the product, and it’s a lot of fun.

Jeff Steadman

I won’t claim to be an expert on Cognito. So, for the folks who aren’t as familiar with it, you mentioned workforce and customer IAM. Is it the same product for both? Cognito is both, and it’s just a matter of configuration, or is there something more to it that people should be thinking about when they’re talking about either constituency?

Sarah Cecchetti

Cognito is the consumer-identity piece, and then Workforce is handled by a product called AWS SSO.

Jeff Steadman

We have SSO, and we have Cognito. Then, on the Cognito side, who’s taking advantage of Cognito? Is it app developers who are already building on AWS services? Do you see an uptick from people who are using other platforms like Azure or Google Cloud, but then they come in and use Cognito for some reason? Can you help me understand? What does it look like from a development perspective if I’m trying to layer on IAM on top of my product?

Sarah Cecchetti

We do. We see multicloud use cases, and we see AWS native use cases, and we see, “Hey, I’m hosting an app on Rackspace” or whatever — DreamHost, or whatever my developer is — “and I just want to add some identity on top of it.” We get customers from all over the place using Amazon Cognito, but it’s mainly app developers. It’s people who are building something new, and they need an easy way to log people in. We call that undifferentiated heavy lifting. They don’t want to do all of that heavy lifting. It’s not going to make their company a better company to build a whole login system from scratch and try to do it in a secure way, but they know that at Amazon, security is job zero. If Amazon is holding all the passwords, and no passwords ever go through my system, I feel better about that than I do about trying to build all of this myself to a standard that would be considered best-of-breed.

Jim McDonald

Sarah, what are the use cases that Cognito supports today? Is it the authentication? Do you have a directory? Do you have a registration widget? Talk to us about what’s there today and about what we can expect to see in the future. 

Sarah Cecchetti

Today, it’s a native directory, it’s a federation service, it is authentication, and we have a service called Hosted UI, where we will host your login page, your account recovery page, your MFA page, anything that has to do with user credentials or creating the account, recovering the account. Those, you can host on AWS servers, but they will still look like they’re on your domain. There won’t be a change in the URL, but it will be hosted by AWS, so that credentials never go on your server. You never have to touch any of that. The liability of having to deal with passwords and usernames and all of that is taken away from you, which our customers really like. We’re going to continue building. As I said, we want to make this an easier experience with less friction and more security. Those are the types of things you’ll see us releasing in Cognito in the future. 

Jim McDonald

I believe I’ve heard somewhere that you have taken a low-code, no-code approach, is that correct? And whether it is or isn’t, is there a certain developer skill set or language that people need to be familiar with in order to have success with Cognito, or is it something where you guys support pretty much whatever — bring your own language?

Sarah Cecchetti

We go in the direction of, if you want to do a bunch of custom code, we have APIs you can call, and you can use Cognito for that, and that is totally fine, but we also recognize that a lot of people don’t want to do that. They want a low-code, no-code option, and so we’re building out more and more functionality in the AWS console that is just like, “Do you want MFA, yes or no? Click a radio button. Click Save, and you’re done.” You don’t have to write all that code, and we will even host the page for you. You can have a Cognito instance up and running with zero code, which is really cool. That’s something that when I started in identity, that was not an option from any vendor. We’re hoping to get more and more people into identity just as administrators who know the security implications of the decisions that they’re making but don’t necessarily have coding skills. 

Jeff Steadman

I always struggle with organizations that are looking to build something that already exists as a product somewhere else, and I think what you hit on earlier was something that I always agree with: “Who’s spending more on security? Is it going to be an organization that’s doing 500 billion authentications per second, or is it going to be an organization that builds transmissions?” I’m going to go with the company that’s actually spending money on the actual security part of it, because chances are they’re probably going to be successful with it, and it’s not a core competency or really core to the product or mission for another organization, so it makes a lot of sense to be able to take advantage of those types of solutions. I definitely see the low-code, no-code approach.

I love the Lego brick analogy. I think that’s something that I’ve seen elsewhere. We see it a lot in ITSM tools — things like ServiceNow and Pega and other things like that, where it’s becoming more business-friendly to configure identity services, but all that does is really mask the hard work that takes place behind the scenes to make sure that stuff works, and interoperability and things like that. 

That leads me to the next conversation topic that I want to bring up, which is around IDPro itself, because it takes an army of really smart people to come up with these types of standards and having the conversations to allow companies to interact in a safe way through their identity mechanisms. Why don’t we talk a little about IDPro? I know that, just for a starting topic, let’s say, you recently were at Identiverse and announced the new CIDPRO certification. I know that is something that has been near and dear to a lot of people’s hearts within IDPro itself, and figuring out, how do you prove you can do IAM work? Are you qualified? Why don’t we start with that. What is this CIDPRO? Who is it for? 

Sarah Cecchetti

This goes back to the conversation Ian and I had when we founded IDPro. Identity is critical to the success of security and privacy, but security has CISSP. And privacy has certifications as well, but there’s nothing for identity. There’s no vendor-neutral way to prove, “Yes, I know general identity skills. I can do critical thinking about security issues.” Until now. We decided, “Hey, we’re going to build one.” 

We started building a body of knowledge last year, where IDPro members who have been in the industry for decades are writing scholarly, journal-level articles about identity and access management topics, and we said, “Oh, we can certify against that.” So, you, Jeff, and a lot of other identity professionals all got together and wrote questions that said, “Hey, our target candidate is someone who has two years of experience either as a developer or an administrator with an identity system.” So, these are questions that are aimed at someone who’s been in the field for two years, and, “Hey, this is what you should know by the time you’ve been in the field for two years. This is what you should be up to speed on.” And someone with two years of experience should be able to take the test and pass it without studying it. That’s our goal.

Jeff Steadman

It hits a good target audience. I like it because it’s still relatively entry-level but does require some experience in the industry to be able to come up with the stuff, or at least be able to read the body of knowledge on the IDPro.org website, which is a great read. If people are looking for good identity content, go there, and I say that not just because we’re on the list as a podcast, but also because there’s a wealth of information out there, and I do like the fact that if you’re looking toward the certification process through IDPro, essentially, that’s the page you can go to study. Most of the questions have sources that come from that area to make it — I won’t say easy, because you still need to have the knowledge to demonstrate it, but easy from the fact that you’re not having to scour the web, eight different websites, a bunch of YouTube channels. However, for people who are studying for Security+ and CISSPs and things like that — I think it’s a good place to start. 

You mentioned that the certification focuses on more the technical, the administrator, side of identity. I think there’s a large constituency of people who are maybe not as technical. They might be more a business analyst, or process-oriented when it comes to identity. What are your thoughts around how we include those people as part of that? Is this test for them, as well, or do you see a different path to demonstrate IAM-as-a-process knowledge, and maybe less so on the technical side of things? 

Sarah Cecchetti

A couple of things: One is that it is intended for them. We intentionally crafted the questions so that they’re not gotcha questions. There’s nothing that requires rote memorization of the FIDO standard, where “you must know exactly what string this API returns.” That’s not the kind of thing we’re testing against.

The questions are things like, “A developer is making an identity system, and he’s getting a token from a federation situation, and he decides not to check the signature on the token because his system works fine without checking that signature, and he’s got stuff to do. So, he just pushes to production and leaves the office.” If you are an identity person who doesn’t know you should be checking signatures on tokens to make sure that they actually came from where they said they were coming from — you should fail this test. So, if you don’t know those sorts of things that require critical thinking, and understanding of this system and why we trust the system, those are the types of things we’re testing for, not specific gotcha questions. 

However, people have expressed interest in future certifications and going deeper. We’ve had people say, “I want to do a whole certification about governance and how you govern an identity system and how the business processes work — how do you make sure all of these mechanisms are in place to keep the system healthy?” and “I want to do a whole legal certification about the legal restrictions and requirements and enablements around identity, and can I prove that I know those things?” 

For future certifications, we can go in that direction, where we’re going deep into one specific role in identity, or we can go by industry and say, “Hey, finserv identity has its own special requirements, and healthcare identity has its own special requirements, and hospitality identity has its own special requirements.” We could go in a horizontal direction as well. There are a few ways to slice it, and if all of you listening out there have opinions, please join IDPro, please join the certification committee, because these decisions are decisions that are being made now, and they’re going to affect identity professionals in the future. 

Jim McDonald

Yes, I think this is such important work, and it’s really providing some credibility, or if somebody needs to have some kind of certification to advance in their career or at least prove some baseline level of knowledge, I think that’s where certification can be really handy. It’s interesting, Sarah, because in the beginning of the episode, where you were describing your background of whether you chose IAM or IAM chose you, you said, “Of course, IAM chose me.” Folks who have been in this industry a long time, that’s how 99% of us got into IAM — it chose us. We lucked our way into this very cool industry. 

I think in the future, that’s going to change. Maybe somebody will have their entry into IAM via a project, but others might choose, like, “Hey, that’s an industry that I know somebody who’s in the industry. I want to get into that industry.” And they start by getting certified, and what the certification really means to me is, when you’re talking about the signing tokens, that is some baseline knowledge — if you have that, you understand what’s going on when it comes to IAM. So, I think it’s very important what you’re doing. It helps that next generation of IAM practitioners get into the space, which is important for all of us to do — handing this industry down and making sure that the next round of qualified people don’t have to kill themselves to figure it out. We’re passing our knowledge on. 

I want to get into some of the tactical components: Now, if somebody wanted to take this exam, do they need to be an IDPro member? Where would they go to sign up, and how much does it cost to take the certification exam?

Sarah Cecchetti

You don’t have to be a member. It’s open to the public. You sign up at IDPro.org/cidpro. That’s what we're calling certified identity professionals — CIDPROs, the credential you get. However, if you pass the exam, you get a year of IDPro membership for free, so you can come and hang out with all the IDPro members. We have a Slack where we hang out all day, and lots of people ask random questions of identity professionals: “Hey, you’ve been around for 10 years. How did you handle this problem? How did you do this?” Those sorts of things. The exam is $750. IDPro is a nonprofit — nobody is making money off this. This is what it costs us to develop and deliver the test. We’re hoping to make this a sustainable program where we can deliver more tests on different subsets of identity. 

Jeff Steadman

I think it would be interesting to see identity as a formal education path. There’s a lot of information security, but building out the curriculum for someone to show career progression specifically in identity would be interesting to see, and this is one of those first steps toward that. I will tell you right now that the Slack channel for IDPro is, just alone, worth the price of admission for an IDPro membership, which is $150 a year. That Slack channel alone is well worth it, and then you get everything else.

We’re burying the lead a little bit. That’s where we want people to be, because there are really smart people and really friendly people who are asking questions, answering questions. If you are struggling with an IAM question somewhere, there are forums — I probably date myself, but Stack Overflow, and things like that, where people go to ask questions. It’s a great spot to be able to pick the brains of fellow identity nerds out there to answer things that, chances are, someone might have seen it or solved that already, or can tell you what doesn’t work so you don’t go down a rabbit hole of making mistakes that have been made before, so I think that’s always helpful. I’m a big supporter of IDPro, for sure, and I love the fact that there’s a certification for it. 

I wish I had contributed more — I think I have one question on the test. There are others who are out there who definitely did double digits, like yourself. I know Ian has written a lot of questions. People like Matthew Carter and Chris Phillips have also contributed a lot. It has taken a lot of work to get to the state you’re in right now in a launch release. From start to finish, how long did it take to actually get this into “OK — we’ve got something. Let’s announce it, and let’s start people registering it.” Was it six months, a year, longer than that? 

Sarah Cecchetti

It took almost a year. I took three months of maternity leave in early 2020. I came back in July expecting that the IDPro board would have moved forward on this project, and they had just been super busy, and nothing had happened. So, I had cleared my calendar to take leave, and I was like, “All right. I’m going to take this on. I’m going to do this. We’re going to bring this in. I’m going to launch it at Identiverse this year.” 

Jeff Steadman

So, what happens when you show up at Identiverse, and you have that presentation that you gave to announce it? What was it like to get on that stage and say, “OK, this thing that we’ve been thinking about, here it is — have at it”? What was the reaction to it?

Sarah Cecchetti

It was so amazing, Jeff. I literally did a happy dance on stage. I was so, so happy we could finally open registration for the test. Everyone was stopping me in the hallways and going, “I’m so glad you did this. I’m going to sign up. I’m going to have my whole company sign up. I’m going to have my whole consultancy sign up.” We’re getting a huge amount of traction for it. It’s great to see that the industry was clearly ready for this — this was the right time. 

Jim McDonald

I’m sad that I didn’t get to Identiverse this year. You spoke at Identiverse — you alluded to it, doing the happy dance. I know I’m definitely going next year, God willing, but can you give us a recap and tell us a little bit about what you enjoyed? What was your favorite session? 

Sarah Cecchetti

Sure. The conference this year was a lot smaller because of the pandemic. The people who came were really industry veterans, and they pulled out all the stops. They were so excited to be there that the sessions were extra well done and extra well researched. I think it also helped that they had to record beforehand, because it was a hybrid event where half of it was done online. They couldn’t just put in their slides the night before — they actually had to at least do one dry run to record it for the online audience, but it was really awesome. 

There was a great session by Tori Meyer, who was a first-time Identiverse speaker. She’s a product manager at Ping. She’s talking about why you need product management in your IAM team in order to have a strategy and listen to customers. Not just do product management of Gantt charts and how you get things done, but really make sure you’re doing the right thing and make sure you’re doing the right things for the long term. That’s a really great talk. David Lee of Cloudentity gave a great talk on diversity in the identity industry and how we can do real work there and have real solutions, and not just do thoughts and prayers — “Gee, this is bad. I hope it gets better.” Brian Campbell gave a great talk on the new PAR standard. Jon Lehtinen did a talk that is actually going to be a book. He wrote a book about identity at AWS.

There was a ton of good talks this year. I think the online portal is still open, so people can watch those. Normally, Identiverse puts them up online for free a few months later. They may be coming to the internet soon, but I don’t know for sure on that. 

Jeff Steadman

Yes. I’ll have to keep an eye out for that, because they usually do have them online somewhere to view, and I’m sad, too, I didn’t make it. This is the first one I’ve missed since 2016, at least. I didn’t make it to this one, so definitely next year for sure. It’s a great conference. I think it’s the best identity conference, at least in the U.S., that I’ve been to — not that other ones are bad, but I think this one, being specifically focused on identity, and the fact that it’s hosted by Ping. I think Ping does a good job separating it out that it’s not all about Ping, and it is separate enough where there are certainly competitors there. It really has turned into not just the Ping identity conference — it’s its own thing. They’ve done a really good job of having that level of abstraction, that layer of separation to make it vendor-neutral. Obviously, that’s what we’re trying to do on our show too — not do commercials or anything like that, and talk more substance.

Before we let Sarah go, any final words of wisdom, Sarah, that you want to lay on us and the listening audience for anything that we’ve talked about today?

Sarah Cecchetti

Yes. One of the tenets of the OAuth working group that I’ve also made a tenet of AWS Identity is, “Make the easy things easy, and make the hard things possible.” When you’re doing identity, you want to make it as easy as possible for people to do things they do every day — log in, change their password, things like that. You want to make it possible for them to really dig into this system and write their own code if they want, and make their own custom stuff if they want, and go to new lengths and new heights. That’s one of the tenets that I firmly believe in when architecting identity.

Jeff Steadman

I like that. There are enough hard things in this world — let’s try to make the easy things easy. One of the things I’ve been saying recently is, “I know identity can be overwhelming, but the goal is to make it whelming” — bring it down to a level that’s like, “OK, there are so many things, so many problems to solve or issues or whatever. You can easily get overwhelmed with a list of a hundred thousand things that need to happen. Let’s just take it down to whelmed. Let’s fix the things that you can fix and work them out in order, and that’s how you can eat an elephant one bite at a time.” Jim, how about yourself? Words of wisdom?

Jim McDonald

Any words of wisdom I have are from preparing for this episode. I went onto YouTube and watched some videos on AWS Cognito, so I may have known more about it than I let on with my questions. I’d say, anybody who’s interested, there are a ton of videos out there on YouTube around AWS Cognito, so if you want to start that educational journey, that’s one place to start. I’d turn it over to Sarah, because maybe there’s better than what I found. I found things on YouTube, but where else can people go to learn about it?

Sarah Cecchetti

AWS does a conference every year in Las Vegas called re:Invent, and all of the talks from that conference go up on YouTube. If you search for “re:Invent” and search for “Cognito,” you’ll find some of the best stuff that our solutions architects and our service team have put out there. That’s a great way to get started on learning.

Jeff Steadman

That’s a good spot that we can leave it for this week. Sarah, thank you so much for joining us. I enjoyed the conversation, talking about everything from an AWS Cognito perspective, but also, congratulations on the IDPro success. 

Sarah Cecchetti

Thank you.

Jeff Steadman

Especially on the certification getting out there — CIDPRO. For folks who want to get information about that certification, you can visit IDPro.org/cidpro. It has all the information there. It’s open to the public — you don’t have to be a member, which is fantastic. We encourage people to check it out, and try to pick out the one question that may be mine that made it to the test. 

With that, we’ll leave it for this week. You can connect with Sarah on LinkedIn as well. We’ll have a link to her in our show notes and a link to CIDPRO, and to AWS Cognito for folks who want to learn more about that specifically. With that, we’re going to wrap it up for this week. We appreciate it. Thanks for listening. We’ll talk with you all on the next one. 

Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at Identityatthecenter.com

