Building the systems that decide who gets access to what — and proving they can be trusted.
My love for cybersecurity began during idle and harmless teenage years, at a time when the Internet was starting to come into its own. What a delight it was to use simple parlor tricks to show my friends that I could “guess” their passwords.
The turning point was the Mars Pathfinder mission in 1997. I still remember the scratchy tones of the modem running through the night as I downloaded pictures from Mars. That, I think, is when I fell in love with technology.
My first job was at an enterprising startup that developed a novel way to solve access-control problems. Our success came not just from the quality of what we shipped, but from the close friendships that let us rely on each other and perform. In time we were acquired, and I found myself at Sun Microsystems — one of the best things that ever happened to me.
After Sun and Oracle, a few of us took a chance: we missed working with customers, so we joined a small team out to grow its identity business in Europe. I founded its international arms and spent those years on the road, building country by country until we’d become the largest identity-services shop around. A private equity acquisition followed, I made the leap into product, and then one day Google came knocking.
Google has been the longest and most defining chapter of my career — the one that shaped me most as a product leader. Working across Cloud, Ads, and the frameworks now shaping how AI is built, alongside some of the sharpest minds in the field: engineers, architects, and product leaders who’ve stretched my thinking and shared their vision for identity.
I try to pass some of it along here, sprinkled with my own opinions.
I believe in the Feynman technique — to learn by teaching others.
From the cryptographic plumbing of access control to the product strategy of identity at planet scale.
Core IAM architecture — authentication, authorization, lifecycle, and governance across the enterprise.
Least-privilege at cloud scale, including Google Cloud IAM recommendations and policy intelligence.
The machine-learning models that turn access logs into actionable, risk-aware recommendations.
Securing elevated accounts and the unique challenges they pose beyond traditional IAM.
The evolution of IDaaS — from hosting to full-service, orchestrated, managed identity.
Identity proofing, assurance levels, and the trust frameworks that make federation work.
Customer engagement and innovation in consumer identity — including blockchain identity.
Access intelligence and governance as a standard feature, not an afterthought.
I love public speaking — conferences, panels, and user groups across the identity community.
Articles published here and on Google Cloud, Oracle and beyond — collected in one place.
IAM Recommender helps security professionals enforce the principle of least privilege by identifying and removing unwanted access to Google Cloud Platform resources. A look under the hood at the security analytics — and the machine-learning models — that make those recommendations possible.
As cloud adoption grows, we're seeing exponential growth in cloud resources — and in the permissions granted to humans and workloads to access them. That introduces real risk. Here's how IAM Recommender helps you reach least privilege without the manual grind.
Unlike many recommendation engines that rely on policy-based rules, some Google Cloud recommenders use machine learning. This piece explores the models behind the Cloud IAM Recommender and how they help fine-tune your environment.
OneWorld Identity's Cameron D'Ambrosi sat down with Shawn Keve and me to discuss the unique challenges of Privileged Identity Management compared to traditional IAM — aired on the August edition of his “The State of Identity” podcast.
The third and final post in a series on the five growing expectations driving transformation in the Identity-as-a-Service industry — what I’ve called “next-generation IDaaS” — and how vendors are rising to meet them.
The “Service” in Identity as a Service means very different things to different companies. To us it means full service — a stark contrast to firms where “Service” only means they host and maintain the identity platform for you.
Perimeters are dissolving. As the old “wall” around the enterprise gives way, identity becomes the new control plane — and the future of cybersecurity is increasingly a story about who, not where.
The first in a series unpacking what “Service” really should mean in Identity as a Service — and why the distinction matters for organizations choosing how to run identity.
A technical white paper published via Oracle examining a modern, wave-based approach to access control. Opens the original PDF.