With February behind us, the cybersecurity industry is about to experience a push toward the annual RSA Security Conference — being held April 16-20 in San Francisco. I expect around 50,000 people to attend this year; it ought to be crowded, loud, and extremely passionate.

Now, normally, identity and access management (IAM) is sort of a niche player at RSA. Oh, sure, there are plenty of biometrics, smart card, and security token vendors present, but IAM discussions are muted by a cacophony of noise around things like next-generation endpoint security, behavioral analytics, and cloud access security brokers (CASB).

I can see why this was the case 10 years ago, but watering down IAM makes no sense today. Why? Allow me to relay the rationale from a CISO friend of mine. He often describes the fact that IT is becoming more and more distributed — with mobile devices on one side and public cloud services on the other. In other words, IT and security teams own and control less and less of the underlying IT infrastructure these days.

Now, when his organization was losing control of its IT infrastructure, this CISO decided it was worthwhile to bolster control in other areas. So, in an IT world of mobility and public cloud computing, my CISO buddy firmly believes that there are now two primary security perimeters: data security and identity.

Thus, the impetus to ramp up our IAM (and data security) discussions at RSA.

IAM initiatives to watch for at RSA

My colleague Mark Bowker owns IAM coverage at ESG, and he’ll be joining me at RSA this year. Given this emphasis on identity as a security perimeter, Mark and I plan to comb the halls of the Moscone Center, focusing our RSA attention on IAM initiatives like:

Password elimination.
While we welcome technical advances such as artificial intelligence into cybersecurity, it’s worth remembering that we still log onto networks using the same method used for accessing timesharing IBM 360 mainframes back in the 1960s. Since we all walk around with unique cell phones (and phone numbers) and these devices are instrumented with biometrics, isn’t it time to make passwords history? Mark believes this is the case, so he and I will be looking to speak with organizations that have ongoing projects to (finally) eliminate passwords once and for all.

Software-defined perimeter (SDP) use cases. As I’ve said before, few organizations have an SDP budget, but just about every organization has an SDP requirement. This is especially true with mobility and cloud where organizations want to provide secure/trusted access to users and devices directly to cloud-based applications and services. Typical SDP use cases include providing secure application access to business partners, eliminating VPNs, and single sign-on for heterogeneous hybrid cloud environments. We’ll be chatting about this with enterprise organizations, as well as SDP vendors such as Cyxtera, Google, ScaleFT, Vidder, and Zscaler.

Establishing a single source of truth. One of the biggest issues organizations face is that identity data resides everywhere — in authentication systems, VPNs, applications, social networks, etc. Now, this isn’t a new problem; we’ve tried to solve it for years with directories, meta-directories, and federated directories, but nothing has worked. Once again, we haven’t made much progress. Heck, Active Directory has been around 20 years! Mark believes a new wave of cloud-scale directories and identity standards may finally address these issues to create a federated source of identity truth.
We’ll be looking to RSA meetings to see which organizations and vendors are proceeding toward this vision.

Moving toward security “ownership” of identity. Everyone (security, IT operations, developers, etc.) has a little piece of identity management, but no one owns identity management, and that creates problems with security and operations. With identity as a new security perimeter, it’s time to build an identity abstraction layer for authentication, authorization, and auditing (AAA). Security teams should lead this effort. Several vendors, such as Amazon, Citrix, Google, Microsoft, and VMware, have their sights on a cloud-based model, but this type of identity service must also interoperate with the legacy identity mess — and even offer a sensible migration path. Mark and I will be looking for leadership here.

It is also worth noting that identity management initiatives are tightly coupled with an increased enterprise focus on data privacy. Security teams play an essential role here as organizations seek to operationalize privacy policies. Hmm, seems like a good time to discuss identity management at the very least.

More soon on our plans for RSA — only six weeks to go!