What Do Identity Security and an Edible Rock Have in Common? Quite a Bit, It Turns Out

Chances are, you’ve never had a meal without salt. Maybe salt was called for in the recipe. Maybe the chef added it in the kitchen. Maybe you added it yourself at the dinner table. Or maybe it’s in the ketchup, soy sauce, or any one of a hundred other condiments you might be using. Salt is literally everywhere. And yet, if someone asked you what you wanted for dinner, your answer probably wouldn’t be “salt.” Salt isn’t a centerpiece—it’s a secret agent. It works behind the scenes without drawing attention to itself, making everything it touches better and more flavorful. People don’t want to eat salt—they want to eat what’s been salted.

Identity security needs to be like salt. It needs to play a background role that brings users joy by enabling them to do their jobs better…without ever drawing too much attention to itself. A good identity management solution is always there, always working, and always streamlining access without sacrificing security. In fact, examining the role salt plays in enhancing the culinary experience—from recipe to kitchen preparation to dining room table—can tell us a lot about the future of identity. There are significant parallels both in how identity functions and in the critical, behind-the-scenes way it makes the solutions around it work more effectively.

Striking the Right Balance

First, let’s talk about measuring spoons and following recipes. We use measuring spoons when we need an exact, precise amount of an ingredient. If you’re baking a cake and it calls for a teaspoon of salt, you want to be pretty darn sure you don’t add any more than that. The right amount of salt can bring out all kinds of flavor…but too much salt can overwhelm the palate or render a sweet treat inedible. If you’re experimenting with a new recipe, getting the salt content right is important—and when you nail it, you write it down. You log it in your recipe book, and it enters your regular rotation, your family traditions. It becomes, essentially, a policy for how to make that particular dish.

Identities need to be considered in essentially the same way. It’s important to think in terms of a recipe—or a policy. A policy that decides what access privileges a certain identity will receive based on static attributes, dynamic attributes, past activities of the user, and other factors. Oversalt the dish by granting too much access, and you put the business at risk. Undersalt the dish by keeping access restricted, and you risk impeding productivity. The goal is to determine how to give users easy, appropriate access to the systems and data they need while also keeping the business secure. Before provisioning that access, it’s important to be able to communicate the relevant policy to any interested party so that they can understand why access is being granted or denied.

Communication Is Essential

Specific measurements are only a part of the equation, though. Yes, you can make a meal “recipe perfect” if you want, but that’s not always the goal. At that point, we put down the measuring spoons and pick up something that allows for more variance—for example, a salt cellar. When you cook a meal in your kitchen, you’re creating an experience for a specific time, a specific place, or even a specific diner. Maybe you want to add a local ingredient and a little extra salt will bring out the flavor. If you’re cooking for someone with high blood pressure, you might even remove some salt. Within the framework of a recipe, you can adjust for a wide variety of factors. And there’s a surprising amount of communication that goes into this: for instance, if the asparagus is very salty, it’s a good idea to let the meat station know that the meat may not need quite as much. It’s important to view the meal in a holistic manner and build a balanced, cohesive dish.

Identity works similarly. Once a policy has been communicated throughout the organization, it can be enforced in a manner appropriate for specific situations. Access decisions can be based on factors like an identity’s previous activity, the device or application being used, the user’s location, and more, adding important context under the broader policy umbrella. In essence, the overall policy provides security for the business, but it can be adjusted when it makes sense to do so. But communication is critical if this is going to work: if an exception or adjustment is made, it’s important to communicate why. Likewise, if an identity exhibits risky or suspicious behavior such as attempting to access data from an unfamiliar device or location, that information needs to be disseminated so that the identity security solution has the information it needs to make informed, accurate, and timely decisions.

Identity’s Personal Touch

Finally, the dish arrives at the dinner table. How many times have you taken a few bites of a dish only to realize, hmm, this is a little bland. So, what do you do? You add salt from that small container that is always nearby. By placing a salt shaker on the table, the diner is being invited to participate in the creation of the meal. They play a critical role in creating their own ideal experience. Today, identity security is on the cusp of achieving something similar: allowing people to bring their own verified identities.

A new standard called “verifiable credentials” is gaining momentum in Europe (and, to a lesser extent, the US) thanks in part to the eIDAS 2 program—and by 2026 most European citizens are expected to have a verifiable digital identity. This means that instead of passive users, organizations will have employees, vendors, and customers bringing their own proven identities with their own preestablished attributes. As these programs become more widely adopted, they will also become more integrated with identity management solutions, allowing users to provide their own data that the organization can then use to express its access policies. It also gives those same users more agency when it comes to their own data privacy and risk tolerance. Like a salt shaker on the dinner table, they can play a role in shaping their own experience.

The Interconnected Nature of Identity

One final thing to remember: these elements are not siloed. They are deeply interconnected. If diners at a restaurant are regularly adding large amounts of salt to a dish, word should get back to the kitchen so the chef can adjust the recipe in the future. The same thing happens with family recipes. Tastes change. New people are added to the family. Adjustments are inevitable.

Identity is the same. It needs to be a living, breathing team sport. It needs to evolve over time as the needs of the organization change. Emerging standards such as the Shared Signals Framework from the OpenID Foundation seek to provide the conduit for identity context to flow between components, allowing identity, its usage, and its governing policy to evolve along with the environment.

So, the next time you’re out to dinner and you reach for the salt shaker, take a moment to reflect on the important role salt has played throughout the entire dining experience. Then think about the similar role identity plays throughout your business, and how it will impact you as you move into the future. The point of identity is not just administrative—when done correctly, it can build a more positive (and productive) experience for every employee. And, the next time we find ourselves sharing a meal, please pass the salt.