Jet lag and other issues caught up with me the next day (Tuesday) and I didn't attend any sessions :(
One thing I love is that most presentations, including keynotes, are only 20 min long, so even when we get a terrible one -- we know it will be over soon. But most of the sessions were good and some were great!
My first Wednesday session was listening to Sebastian Goodrick of SUVA and Dr. Jacek Jonczy discussing how agile methodologies did and didn't work well with replacing their existing Identity Management system with another one. Hire an agile coach! Recognize that replacing an existing system is often big bang and so you won't really be pushing out to production, but you can still do sprints.
Martin Kuppinger covered whether it is best to buy best of breed or a suite. The answer -- it depends! But Martin laid out a good model to help us evaluate the suites.
Matthias Reinwarth covered Privilege Management and Access Governance and how they can work together. One snag I see, though, is that for access governance you need to have mature policies about who can access what, and many organizations are still in adolescence or infancy. Still, it was really interesting to remember that integrating them is a good idea so that when people no longer need to be privileged we remove their privilege.
My favorite of the day was by Joseph Carson who talked about how a light bulb almost allowed pirates to ruin Christmas, in his talk "The Anatomy of a Privileged Account Hack."
Then we had a 20 min panel on How to Establish Governance. Some interesting tidbits. Matthias determined that 20 min panels are hard to run, but I don't mind it because it forces the panel to be prepared with two or three prepared responses to questions.
After the break, we returned with three sessions on lessons learned, starting with mine on Top Lessons from Disasters in Identity Management. Martin Kuppinger introduced me and wanted to know why I ended up doing the Top 13 lessons instead of Top 10 like I proposed. I told him that 13 is luckier than 10. The reality of it was just based on my stories. As I told my war stories I got some good laughs and lots of great comments. After, three people including Martin shared their stories. Another attendee even emailed me his story.
Following my presentation, Nishant opened our eyes to the importance of user experience. Finally, Andrea revealed something that in hindsight should be obvious: separation of duties (SOD) needs to be applied based on the effective permissions rather than roles. It is too easy for us to later modify roles in ways that could violate SOD if our SOD check is merely to ensure that someone isn't in the two roles.
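To make the SOD point concrete, here is an added Python example (not from the talk or from the original post; all role, permission and user names are constructed). It compares a check on conflicting role pairs with a check on effective permissions, before and after someone edits a role:

```python
# Constructed sample data: role, permission and user names are hypothetical.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice.create", "vendor.view"},
    "ap_approver": {"invoice.approve", "vendor.view"},
    "vendor_admin": {"vendor.create", "vendor.view"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "vendor_admin"},
}
# The same SOD rule expressed two ways.
CONFLICTING_ROLES = [("ap_clerk", "ap_approver")]
CONFLICTING_PERMISSIONS = [("invoice.create", "invoice.approve")]


def effective_permissions(user, user_roles, role_permissions):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def role_based_violations(user_roles, conflicts):
    """Flag users who hold both roles of a conflicting pair."""
    return sorted(
        (user, a, b)
        for user, roles in user_roles.items()
        for a, b in conflicts
        if a in roles and b in roles
    )


def permission_based_violations(user_roles, role_permissions, conflicts):
    """Flag users whose effective permissions contain a conflicting pair."""
    found = []
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        found += [(user, a, b) for a, b in conflicts if a in perms and b in perms]
    return sorted(found)


def drifted_roles():
    """The role catalogue after a later edit gives ap_clerk invoice.approve."""
    changed = {role: set(perms) for role, perms in ROLE_PERMISSIONS.items()}
    changed["ap_clerk"].add("invoice.approve")
    return changed
```

After the role edit nobody's role membership has changed, so the role-pair check stays clean while the effective-permission check flags every holder of the edited role.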
Then we had the evening Keynotes. Of the three, Ian Glazer's merits mentioning. It was very insightful as he presented how to evaluate our skills on competence and reputation. I really enjoyed it.