Prime Discount
expires in
Register Now


Practical IAM & CIAM

Practical IAM & CIAM

Combined Session
Thursday, June 06, 2024 11:00—12:00

Securing Workload Identities: Best Practices for Tokenizing Third-Party API Keys and Access Tokens

Stolen secrets and credentials are one of the most common ways for attackers to move laterally and maintain persistence in cloud environments.

Modern cloud deployments employ secrets management systems such as KMS to protect key materials at rest and avoid leaking keys or credentials in source code or other build artifacts. However, secrets are unprotected at runtime, so any vulnerability or compromise of a service could lead to credential theft.

This talk will propose an architecture that, in conjunction with a secret manager, tokenizes secrets and rewrites requests at runtime. Through this approach, application code never directly interacts with key material. Additionally, it enforces stringent access control rules based on Open Policy Agent (OPA) policies for accessing secrets, significantly reducing the blast radius in the event of a security breach.

Vincenzo Iozzo
CEO and Co-founder of SlashID. Previously, Founder & CEO of IperLane (acquired by Crowdstrike). Vincenzo is a Committee Member of the Black Hat Conference Board and was an Associate Researcher...
Facilitating Ownership in External Authorization

In a world where authorization is externalised, ownership often still relies with decentralised application teams to allow for organisational scalability. Autonomy of these teams is important so that they can move fast. Zalando has 2000+ inhouse applications owned by 100s of engineering teams who will use externalised authorization. Each of these teams will write their own authorization policies as code using Open Policy Agent.

This talk will share insights into how we started treating authorization artefacts similar to other application development artefacts. The focus will be on building blocks and safeguards that enable engineering teams to take authorization policies through the development life cycle.

Pushpalanka Mankotte Kankanamalage
Senior Software Engineer IAM
Pushpalanka is a software engineer with over a decade of experience in identity and access management. At WSO2, she worked on the Identity Server product and contributed to various customer...
Torsten Wunderlich
Principal Engineer
Zalando SE
Torsten is a principal engineer at Zalando focussing on fine-grained authorization and developer experience. With more than 15 years of experience as a software engineer and more than 8 years...
Appropriate Level of Assurance - A Foundation for Proper CIAM

There is no good or bad Level of Assurance to root any CIAM upon. It all depends on the business and the risks. A unique mix of business, legal, IT security, technical, and CX skills is required to discover, define, and communicate requirements for customer authentication methods. The correct balance between these factors brings peace of mind and enablement to the business. Hear some highlights of If P&C Insurance's journey of defining and enforcing a Level of Assurance aligned with realities of insurance enterprise.

Mihails Galuška
IAM Global Product Manager
If P&C Insurance
Since 2021 managing the portfolio of customer and partner identity related services across If P&C Insurance - the largest insurance group in Nordic countries with operations also in Baltics....
Secure your ticket
Be quick before the Prime Discount expires in
00d 00h 00m 00 s
Get a ticket
Almost Ready to Join EIC 2024?
Reach out to our team with any remaining questions
Get in touch