As the buzz around Artificial Intelligence has increased, so have the issues around trust. There is an increasing polarisation in the discourse around AI, ADS and automation. So what can you do as a tech leader or employee in a company utilising tech, to build trust? Or much more to the point, what can you do to become trustworthy?
An important step is to communicate honestly with your customers and stakeholders about the technology you use. However, too often organisations fall at the first hurdle due to the damaging visual misrepresentations of AI that accompany their written communications, promotional material or media coverage. This session investigates the way that organisations and the media represent AI through images, and what this says about what they and customers expect and understand about the benefits of technology. We look at how this exposes the broader implications of anthropomorphising technology, and how to deal with describing the role of humans and human agency in your solutions.
As well as exploring how public perceptions of AI will shape the risks and opportunities faced by your organisation, you will leave this session with some practical suggestions on earning and building trust in your AI solutions, and helping to imagine a more positive AI future.
John Tolbert joins Matthias and shares insights about the results from the recently published Leadership Compass CIAM. They talk about the overall maturing of the market and the areas of innovation in products, standards and integration scenarios.
Annie joins Matthias to talk about the topic of Verified Digital Identity. They explore what these are, why they are becoming increasingly important and where they add new aspects to the concept of digital identity. A special focus is put on existing and emerging use cases, where verified digital identities can be beneficial to all types of real life entities in their day by day interaction.
Congratulations. Your AI business case is crisp; you already have a data strategy in place; your proof-of-concept looks and feels great; you have the right talent to build the AI product or service which will push your organisation directly into the digital age. Sounds familiar? It is at this stage where most organisations give up on the AI initiatives due to lack of value creation. Why is that, one might ask? The business case was already locked, among other aspects, where's the problem at? One word: Production. AI products and services are notoriously different in terms of production than any other SW, and traditional workflows do not work anymore. This is what we are going to talk about. I will share my vision, blueprint and personal stories across telecom, manufacturing and automotive industries, including both corporate and start-up experiences. I will tell you how to go from a shiny proof-of-concept to AI production systems, what challenges we faced, and the best practices to avoid the pitfalls.
Key takeaways:
1) Vision and strategy to create value out of AI - The last mile
2) How to go from a shiny proof-of-concept to AI production systems
3) AI production challenges and pitfalls
4) Multi-industry use cases across corporate and start-up ecosystems
Over the last year, an unprecedented scale of digital transformation has resulted in exponential growth of organisational data, which could impact decision making. Using machine learning approaches to mine and reason through masses of data is ineffective. In this session you will learn that while the first wave of AI involved many narrow applications, the next wave will help generate a dynamic understanding of relationships and patterns in a corpus of information. This understanding primarily happens through explainable AI. It will become a key part of enterprise digital transformation initiatives that fundamentally change how organizations make sense of real-world information.
So far, AI relies totally on human intelligence, in the form of human-written programs in classical AI or the human-provided sample data of deep learning. The pursuit of AI over the last five decades has been caught within a fixed conceptual framework. Given the current level of tremendous attention, investment, technological infrastructure and application potential, maybe we are just a simple fundamental change in perspective away from a tremendous technological explosion.
Cybernetix is not a new discipline. However, it appears to be more important than ever before. It is ubiquitous when it comes to AI (Artificial Intelligence). And when AI meets industrial IoT (Internet of Things) and OT (Operational Technology), it is about the cybernetic model. In contrast to past times, it is about hundreds of signals per second per thing, device, and machine, which need to be processed and used for optimization. There is no way of doing so without AI.
When looking at public infrastructures such as the ones making connected vehicles drive without (too many, too severe) accidents, when it comes to smart services (cities, utilities,…), it all is about immense amounts of signals that need to be delivered (5G) and stored (blockchains and beyond, e.g. IOTA), and processed (AI again).
All with security in mind, in the context of users and their settings, their consent, their preferences.
Fast and efficient, without too much latency.
Cybernetix brings together all these technical evolutions that are discussed today.
In his talk, Martin Kuppinger will look at how all this is connected and why we need to take a broader perspective, beyond single innovations, towards what makes the modern world move: Cybernetix.
This podcast has already looked at the Zero Trust concept as a challenging architectural paradigm for security and an important component of modern and future-oriented security architectures from various angles. This time Christopher and Matthias focus on a phased project approach towards implementing Zero Trust in a well-paced, phased, "one-bite-at-a-time" manner.
The Zero Trust concept comes with the promise to adequately secure our modern, hybrid IT world at any time and any place. Manufacturers, consultants and even analysts agree, as they rarely do, that this changed architectural paradigm is an important component of modern and future-oriented security architectures. Alexei and Matthias address the question of why in practice only a few powerful zero trust architectures deliver on this promise. They try to answer the question of what organizations need to consider in order to get off to a good start.
Martin Kuppinger talks about the challenges of IAM in the age of digital transformation and the changing requirements, which today go far beyond "employee IAM". He shows how IAM can be made fit for the new challenges, from the operating model for serving hybrid target systems to supporting all user groups such as partners, consumers and employees, as well as other identities such as those of things, software robots (Robotic Process Automation) or devices. At the same time, he explains how a step-by-step, self-directed transition can be achieved that quickly delivers benefits for the business.
Markus Malewski, Head of SOC / SIEM at thyssenkrupp, gives an insight into how thyssenkrupp re-formed the Security division after the Winnti attack in 2016, why the company is so well prepared for current and future challenges and how the solutions of Elastic help to achieve those. Jörg Hesske, AVP CEMEA at Elastic, shows how Elastic Security helps SecOps teams to protect their company against threats quickly and precisely with an integrative security approach.
In his keynote, Jochen Werne examines from a historical perspective why power of disposal over assets, but also over information, has always been an instrument of political and economic power. He shows how easily we have given up sovereignty and power of disposal over our data, independently of the COVID context. Using best-practice examples, he gives an overview of the new concepts we will have to deal with in a world that is networked and permeated by AI technologies.
In our practice-oriented workshop, the first part focuses on integration into our customers' existing infrastructures. With a focus on SIEM integration, we show how investing in a PAM solution significantly increases your IT security.
In the second part, we specifically address our customers' requirements. We prepare a test setup and show the great added value that investments already made in IT security gain from the implementation of a PAM solution.
Brought to you by Prisma™ Cloud, our Cloud Native Security Camp is a three-hour virtual workshop for professionals focused on learning more about how to help their organizations develop the people, processes and tools necessary to secure their cloud-native deployments. Attend to learn:
You’ll have the chance to network with peers to get insights into securing a cloud-native environment for your organization, get hands-on to see how Prisma Cloud addresses security risks throughout the development lifecycle, and enjoy some spirited competition.
Working from home and remote collaboration are encouraged by a wide and attractive range of cloud-based collaboration tools. The current Covid-19 pandemic situation has led to a widespread suspension of in-person collaboration. A not inconsiderable share of digital collaboration takes place, from an access management point of view, in a moderately to poorly organised way. How do you get such collaboration scenarios (back) under control? What about ad-hoc scenarios? The talk takes a critical look at cloud collaboration and presents some helpful, field-tested solution approaches and patterns in the IAM environment.
* Remote teamwork and digital collaboration
* Typical situations: ad hoc, working from home, shareholdings and partners
* Typical cloud tool landscape
* Patterns and anti-patterns for access management and collaboration
95% of IT leaders see the use of passwords as a risk. Thanks to enterprise identity and access management, companies can increase security while giving employees easier access. In this talk, Gerald Beuchelt, CISO at LogMeIn, addresses the current situation of securing remote workplaces and the future vision of passwordless working.
As computing services become cheaper, malicious actors are able to carry out bot-based attacks to access user accounts more cheaply and easily than ever before. This means that the threats are not limited to banks or "high-value" targets. Rather, everyday consumer services are being attacked at scale, creating security problems for retail, travel, food and media companies. What do these attacks look like? How can they be identified? How do you protect your customers and your company from compromised accounts and the loss of digital assets? In this session we will discuss the shape and prevalence of modern bot threats such as brute-force attacks and credential-stuffing attacks, and discuss what you can do about them.
Distributed IT environments, the use of a large number of SaaS applications, hybrid IT and multi-cloud strategies: all of this leads to an unmanageable number of distributed identities in the underlying systems. An IT landscape that has grown beyond the perimeter in this way offers new attack surface for cyberattacks and carries security risks. Zero Trust is the answer. But how do you build the necessary trust in a Zero Trust world?
Privilege Access Management (PAM) should be a key element of your security strategy. You therefore need to make sure that the solution you choose can be easily integrated into your business processes and operations. First, the solution must be quick to implement in your environment and cause as little friction as possible in day-to-day business operations. In addition, it must integrate seamlessly with other business operations such as IGA, DevOps, robotic process automation and Active Directory to provide just-in-time privileges that enable Zero Trust. Behavioural analytics must also be used to remediate risks in real time. Before you take further steps with your current PAM project, attend this session to see how One Identity's next-generation PAM portfolio provides the protection, visibility and scope you need to achieve the fastest time to value and the lowest total cost of ownership.
The presentation shows how a large, internationally active telecommunications company builds a modern IAM system on the basis of an extensive, historically grown system landscape and implements it in practice in a cross-country system harmonisation project. The focus is on the necessary organisational changes, the development of a company-wide role concept, the establishment of compliance and SoD controls, and user-friendly employee recertifications.
In the transition from a decentralised, data-centre-based IT infrastructure to the cloud, IAM often becomes an additional hurdle. The cloud necessarily requires central, consistently operated IAM structures that were not required in the legacy infrastructure. Using case studies, Alpha Barry shows how cloud transformation can be significantly simplified through the use of modern IAM technologies, and what contribution IAM can make to securing the cloud infrastructure.
By presenting concrete business cases, the talk emphasises the enormous importance of access controls for companies' IT security strategy. It describes which risks and vulnerabilities are specifically addressed by them. You will also learn how a security concept based on secure access management should be designed in concrete terms, and what added value the integration of an access management solution into an existing IT infrastructure generates.
Many organisations face the challenge of implementing policies for working from home in order, among other things, to support a steadily growing number of remote and hybrid employees. While a hybrid working model is an interesting and exciting development, many organisations were not prepared for this rapid initial shift of the work structure to hybrid or remote models. Using a Privileged Access Management solution can play a leading role in minimising the security impact of this growing remote and hybrid workforce. The talk shows how these new working models can be securely supported and further expanded, and sets out the role a holistic Privileged Access Management approach plays in this.
The talk also covers:
At Cisco Duo Security, the path to Zero Trust begins with multi-factor authentication (MFA). Today, companies have to secure a mobile workforce that uses company devices, but also their personal devices, to access company applications. Duo provides "Zero Trust" for the workforce through MFA, tools for adaptive access policies, and device trust.
In this keynote you will learn whether the "Zero Trust" approach is suitable for your IT security and how you can begin this journey.
You will learn the following:
Why is Zero Trust important, and how do I proceed programmatically?
What lessons have we learned from earlier experience?
What are the first steps for implementing Zero Trust?
What possible challenges and obstacles will I face?
Learn how the latest security capabilities in the Elastic Stack enable interactive exploration, incident management and automated analysis, as well as unsupervised machine learning to reduce false positives and spot anomalies — all at the speed and scale your security practitioners need to defend your organization. Additionally, we'll be talking about the new protection and detection capabilities of the free Elastic Endpoint, now also part of Elastic Security, as well as EQL - the event query language, which brings new query and detection capabilities to Elastic Security.
The PAM market continues to evolve and many organizations are adopting the DevOps paradigm where critical access and sensitive accounts are required in fast moving and agile environments. Paul Fisher meets Matthias for this episode and shares his research on PAM for DevOps. They talk about the challenges of this area of application, but also about the differences and similarities with "classic" PAM. And about the opportunities on a path towards a hybrid approach to PAM in today's organizations, in the midst of the Digital Transformation.
In his keynote, Bryan will talk on how automating Identity and Access Management can evolve your operational maturity and strengthen your security programs.
Cyberattacks have rapidly evolved since the advent of online transacting almost 25 years ago, with attackers continually escalating and refining their evasion techniques. While organisations and individuals continue to mobilise in an attempt to mitigate the global disruptions taking place around them, cybercriminals have wasted no time in exploiting the COVID-19 pandemic. Today, attackers and fraudsters call upon a sophisticated suite of tools, including human-powered click farms, social engineering, and malware – all designed to defeat traditional defenses such as WAFs & CAPTCHAs.
This session will dive deeper into how organisations can keep pace with this precipitate shift and adjust their security postures accordingly, to more accurately reflect the realities of an ever-evolving threat landscape.
In her keynote, Hila Meller will explain how the new normal impacted by the Covid-19 global pandemic is reflected in the Cyber Security Space.
She will explain the changing threats in this new reality as well as the steps and strategies used by BT to globally adapt to the new ways of working, combined with a wider global view based on inputs and collaboration with large multi-national organizations.
Technological advances and new trends provide great opportunities to the economy and society as a whole. The high reliance on digital technologies especially during the COVID-19 crisis increases at the same time the potential attack surface for malicious actors. The paradigm of security is shifting. The EU is undertaking several actions for its citizens and companies, in order to enhance the resilience of critical infrastructure, support supply chain security (5G) and research, create a European cybersecurity certification and a new, modern cybersecurity strategy for Europe.
Applications of artificial intelligence (AI) for cybersecurity tasks are attracting greater attention from the private and the public sectors. Estimates indicate that the market for AI in cybersecurity will grow from US$1 billion in 2016 to a US$34.8 billion net worth by 2025. The latest national cybersecurity and defence strategies of several governments explicitly mention AI capabilities. At the same time, initiatives to define new standards and certification procedures to elicit users’ trust in AI are emerging on a global scale. However, trust in AI (both machine learning and neural networks) to deliver cybersecurity tasks is a double-edged sword: it can improve substantially cybersecurity practices, but can also facilitate new forms of attacks to the AI applications themselves, which may pose severe security threats. We argue that trust in AI for cybersecurity is unwarranted and that, to reduce security risks, some form of control to ensure the deployment of ‘reliable AI’ for cybersecurity is necessary. To this end, we offer three recommendations focusing on the design, development and deployment of AI for cybersecurity.
In this talk, you will learn about the results of the recent KuppingerCole Survey on top Cybersecurity Topics for 2021.
This talk aims to share the experience gained during Q-Secure Net, a 2020 project co-financed by the European Institute of Technology (EIT) and Italtel, Cefriel, Politecnico di Milano, CNR, UPM and Telefonica. Q-Secure Net will provide a cost-effective and flexible network solution for unconditionally secure communication services based on Quantum Key Distribution (QKD), intended for fiber-optic networks.
The talk will also present an application of Blockchain Atomic Swaps for the exchange of securities and cryptocurrencies, developed in the project and based on QKD. Atomic Swaps have great potential for financial scenarios regarding securities, crypto exchanges and cryptocurrencies but have specific security threats.
The QKD market is expected to grow over $980 million by 2024. In the long term, QKD will be strategic for the design of new architectures in many sectors like telco, defence and transports and 5G sectors. QKD's infrastructural security and its ability to mitigate cyber-risks also allow a whole new class of approaches and applications for Decentralised Finance.
- QKD Features
- Capabilities for Fintech applications
- Atomic Swap and Crypto Exchanges
- How QKD can mitigate risk in applications like smart contracts for Decentralised Finance Scenarios (for example in the Atomic SWAP use case)
Security is Culture – and culture starts with people (not technology!) The complex topic of SAP-security is a massive challenge for the almost 500.000 companies worldwide using SAP. The challenges are the same for everyone, and it is the combined corporate responsibility of the C-Level and all employees to protect the enterprise from threats. These core applications can be secured by focusing on the 3 main attack vectors: People, Processes, and Technology. Within this keynote, Jochen Fischer shares what needs to be done to define clear ownership and responsibilities for SAP-security. Enabling people to understand the risk in SAP is fundamental to design a sustainable strategy that is based on the individual risk profile of each individual company. It is time to stop the monkey business when it comes to mission-critical topics like security. As an independent expert, Jochen Fischer provides state-of-the-art methodologies to give the right people the suitable skills required to protect SAP without burning money on tools that have no or limited effect on corporate cyber resilience.
When navigating a big ship, it is crucial to know your position and the course you set. In this case, the ship is a symbol for a company planning its investment in cyber security. In practice, the overall strategic view is often obscured or missing. An assessment of the cyber maturity level will give a better understanding of the position as well as the direction, considering the specific risks. A risk-based approach allows investments in cybersecurity to have the greatest possible, measurable impact.
A flexible architecture is an absolute must in order to keep pace with new challenges within a constantly evolving landscape. Christopher Schütze, Cybersecurity Practice Director and Lead Analyst at KuppingerCole, will look at methodologies that help to structure, reorganize, and extend the existing Cybersecurity landscape within your organization. He will examine current topics such as “Information is the new oil” and “Trust only with verification – Zero Trust” and how you can integrate this into your strategy. Information security and ensuring a high level of trust must be a fundamental part of Cybersecurity strategies in the years to come. This will help you to make the right choices and improve overall security, and learn how to be safer with security.
In the crisis created by Covid-19 it is even more obvious how C-level are reacting and in cases not reacting properly to new cybersecurity situations resulting from rapid and enforced digitalisation. Can or should they be given more time to adapt? Can they build up the proper cybersecurity decision making skillset? Is it worth the effort? The speaker explains how that is possible, what new digital roles should be created within an organisation and how to meet challenges posed by the transforming digital ecosystem.
The next generation of Smart IoT Systems needs to manage the closed loop from sensing to actuation with safe operational boundaries and needs to be distributed across IoT, Edge and cloud infrastructures with complex and heterogeneous systems, connectivity and failures, as well as being able to operate in an unpredictable physical world facing situations that have not been fully understood or anticipated in the software development process.
In this context, it is necessary to support the continuous delivery of trustworthy Smart IoT Systems, to support their agile operation, to support the continuous quality assurance strengthening their trustworthiness, and to leverage the capabilities of existing IoT platforms and fully legacy, proprietary and off-the-shelf software components and devices. In this talk, it will be explained how to facilitate the development, operation and quality assurance of trustworthy and resilient Smart IoT systems.
Experts define Operational Technology (OT) as «hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events.»
OT differs from IT in terms of functionalities, the culture of operators and threats. In recent months, we have witnessed an increasing convergence of IT and OT systems. This area is a novel and rapidly expanding one for both cybercrime and industry. IBM’s recent 2020 X-Force Threat Intelligence Index summarizes that attacks targeting operational technology (OT) infrastructure increased by over 2000 per cent in 2019 compared to the previous year. The COVID-19 pandemic accelerated these trends: it is the digital accelerant of the decade and accelerated companies’ digital transformations by a global average of approximately 6 years.
For example, one of the impacts of COVID-19 –at least until a vaccine is discovered– is the reduction of on-site staff. In the case of OT systems, this put a strain on the already limited resources and required an increase in external connectivity. The result is the numerous industrial plants exposed to, for example, ransomware attacks.
From a bird's-eye point of view, IT and OT are still missing a holistic approach that includes cybersecurity, physical security and cyber-physical security, an integrated cyber-risk estimation and governance models able to span across IT and OT domains. Overall the primary need concentrates around a reconciliation of IT Security (typically built on the Confidentiality-Integrity-Availability paradigm) with OT Cybersecurity (whose fundamental properties are instead Safety-Reliability-Productivity).
- Status of IT and OT security
- Long-term impacts of the pandemic on the digital transformation agenda of industry
- Main challenges and trends for the IT and OT security
- Some possible solutions
You don’t have to go far these days to find security professionals complaining about skills shortages, and countless media outlets relaying their views. But there are at least two sides to this argument and the situation requires a more balanced approach. The security industry needs to rebuild its narrative to attract more raw talent at all levels.
The machine learning deployment, integration, and release pipeline is unique and unlike any typical software, application or detection life cycle. A SOC has a blend of infrastructure, team dynamics, disparate logs and data sets, a SIEM, ticketing systems and a need for analytics to better serve and improve their defenses, cyber security posture and incident response. Proper implementation of machine learning for cyber security defenses can be done with both team and engineering integrations. This talk will walk through an example of machine learning implementation for the SOC in an enterprise environment with lessons learned and best practices.
Within the Corona Crisis, IT and digitisation have proven their essential role for state administration, economy, as well as society. These techniques are not only the backbone for our highly-industrialized countries, but now also recommended as such.
The keynote will reflect the first months of the Corona Crisis with a focus on digital administration and IT as backbone. In this context, aspects of project management, management culture, and risk tolerance will be addressed. Last, but not least the keynote will present theses on experiences and future do’s and don’ts, especially focussing on cybersecurity and data protection in digital project management.
Cyber resilience, a term often heard but never fully understood, has made headlines for many years. Nonetheless, we are still confronted with ransomware attacks that lead to the standstill of organizations, as evidenced in the 2017 Maersk attack or the declared state of emergency by the mayor of the city of New Orleans in December 2019 after the city was hit by a cyberattack.
Many organizations perceive cyber resilience as yet another regulatory topic to be addressed by the IT department or the IT security teams, ignoring the regulatory requirements deriving from stakeholders such as the European Central Bank, or the need to interlink cyber preparedness with business continuity efforts and the much-needed support not only by the business departments but also the C-suite.
All this stems from an incomplete understanding of cyber resilience and what added value it can offer to an organization. The presentation aims to close this knowledge gap by highlighting key regulatory requirements, and how these can be addressed in coordination with key decision-makers. It will also provide insights into future regulatory developments with a specific view on the EU legislation. The presentation will also talk about testing approaches for cyber resilience, such as the TIBER-EU (Threat Intelligence-Based Ethical Red Teaming for the European Union) framework.
1) After completing this session, the participant will be able to refer to relevant CR regulations and put them into context and everyday use and to understand expectations from the FS regulators.
2) After completing this session, the participant will have knowledge about how CR is applied in other FS organizations, and what tools and methods exist to assess CR readiness.
3) After completing this session, the participant will be able to discuss key CR topics with senior management to promote the importance of CR, and to make a business case for it.
4) After completing this session, the participant will be able to refer to available resources on the internet to deepen his/her knowledge of CR.
In 2020 organizations have been forced to accelerate their digital transformation plans to meet the needs of a more digitally engaged end user. From remote workforces to shifts to online commerce, nearly every industry has had to adapt to this new reality. This has resulted in rapid cloud service adoption and a need for integration of existing on-premises investments with them. But today's Hybrid Cloud reality needs a comprehensive security policy that encompasses newly acquired cloud technologies all the way down to legacy on-premises applications which provide business-critical capabilities. In this presentation, we will discuss the characteristics needed in an Identity and Access Management platform that will allow organizations to quickly address new security issues while allowing for a smooth digital transformation at their own pace.
Is your cybersecurity as fast as your business? Finding the right strategy to secure the growing speed and diversity of DevOps driven application development and dynamic infrastructures is hard. To master this journey, organisations have not only to adapt new security controls but in most cases to redefine their cybersecurity strategy and traditional approaches such as Defence-in-Depth and Zero Trust Architectures from scratch.
In this session, you will learn the FIRST PRINCIPLES of how to align the pace of your cybersecurity to your business speed from both perspectives: a cybersecurity expert and a former developer.
The way people are working has changed fundamentally. Cybersecurity is even more essential than before. Martin Kuppinger, Principal Analyst at KuppingerCole, will look at the factors that drive the relevance of cybersecurity, but also change the way cybersecurity is done right. He then will look at the trends in cybersecurity and how new technologies and methods help in mitigating cyber risks and improving cyber attack resilience. This includes looking at the impact of Work from Home, changing attack vectors, or the impact of AI on cybersecurity, and discussing what new technologies such as SOAR and Cyber Ranges can provide for getting better in cybersecurity. He also will look at the need for doing a thorough cybersecurity portfolio assessment, to optimize spending and getting a grip on the zoo of cybersecurity tools most businesses already have to pay for and to manage.
Cybersecurity technologies to identify, protect, detect, respond and recover are extremely important, but not sufficient. A HumanOS upgrade is required to safely use the Internet, and it is not only about training and awareness. It is about the way users must behave online, and the IT community must openly acknowledge system vulnerabilities. Humans are the weakest and strongest links in Cybersecurity.
How do you prepare for the increasing regulatory challenges in a time of ongoing cloud migrations with global service providers? The invalidation of the EU-US privacy shield and the enforcement of the NDAA Section 889 will require a thorough review of existing controls and a swift management of stakeholder interests. This keynote will provide practical experiences and guidance to ensure you meet your compliance goals.
John Tolbert has just taken a close look at the market for SOAR tools (Security Orchestration, Automation and Response) to prepare a Leadership Compass. This has just been published and this gives John and Matthias the opportunity to take a closer look at this market segment of security infrastructures.
In this keynote we are looking at practically moving existing infrastructures towards the Decentralized Identity world – widely known as Self-Sovereign Identity (SSI). Leveraging the Credential-based Access Control (CrBAC) paradigm, implementing SSI in an enterprise is easier than most people think. We will learn why and how SSI is such a bright way out of the complex and interwoven IAM world still predominant today, more than 11 years after “Dos and Dont´s when Introducing a Compliance Management Tool” in a Role-based Access Control (RBAC) context at EIC 2009.
Customer registration, identity verification, and multi-factor authentication are all critical to reduce fraudulent activity and protect your customers’ identity data. However, they don’t offer the same warm welcome as an in-store employee. Join this keynote presentation to learn how to seamlessly convert, engage, and manage millions of customers online—without sacrificing security.
Consumer identity and access management (CIAM) has arrived in the business processes of digital enterprises. Customers, prospects, devices, things and their relationships are becoming increasingly important. At the same time, the innovation cycles for customer-oriented applications are becoming shorter and shorter. And CIAM itself is facing continuously changing challenges.
The service-oriented paradigm of the KuppingerCole Identity Fabric provides the perfect foundation for a steady evolution. This applies both to the CIAM system itself and to CIAM as a building block of a company-wide identity infrastructure.
Thus the KuppingerCole Identity Fabric serves as the umbrella for an entire IAM architecture. It supports distinctive features for CIAM where required, while ensuring efficiency and reuse wherever possible.
With the July 2020 decision of the Court of Justice of the European Union, the framework called “Privacy Shield”, which allowed personal information to be transferred between the EU and the US, was invalidated with immediate effect. The only remaining justification to keep on exchanging such information has been the “Standard Contractual Clauses” (SCC), although they do not fully replace the Privacy Shield. Therefore, the questions now are:
This Keynote session with Dr. Karsten Kinast, LL.M, and KuppingerCole's CEO Berthold Kerl will be a combination of an initial interview and a Q&A part, where you can ask your questions directly.
Consumers are now accessing gated content, customer portals or smart devices in ways and at a scale never seen before. The most successful companies aren’t just focused on providing secure, seamless and painless access for the end-user. They’re also passionate about delivering a customer experience that will help them drive growth. And it starts at the login box.
Consumer identity and access management (CIAM) is the connective technology between consumers and brands. CIAM is an important consideration when navigating routes to market for your products and services. A consumer’s journey navigating solutions to problems is where you can leverage the CIAM building blocks — capture, engage, manage and administration — for more personalized campaigns and direct consumer engagement. Read on to learn the meaning and drivers of these building blocks.
Capture: Every business will need to capture users’ identities and profiles to engage with them in a personal manner.
The KCLive Award honors outstanding projects, standards, or people in the field of Identity Management, Cybersecurity and AI.
AUDI has developed a worldwide digital ecosystem for its customers. In order to participate in the ecosystem and to consume the provided services, a profound CIAM infrastructure has been developed by AUDI.
- CIAM product placement at a premium car manufacturer
Many solutions in CIAM focus on authentication, while others have their strengths in integrating with marketing automation. However, there is an additional angle, relevant both for highly regulated industries and for any other industry. It is the onboarding process, regardless of whether specific KYC (Know Your Customer) requirements must be formally met or not.
Martin Kuppinger will talk about the role and approaches of Identity Verification in the context of CIAM and how this maps to the entire onboarding process as well as recurring authentication. He will look at new technologies such as DID (Decentralized Identity), but also discuss how registration can be simplified if lesser requirements apply – e.g. by rethinking the flow and putting registration and verification to the end (or even further back – think about using the first successful shipping as part of verification).
The challenge is to offer user-friendly login procedures via social media accounts, passwords or biometric devices while securing and respecting personal data at the same time. This combination must be taken seriously to provide a smooth Customer Experience (CX) and to guarantee that every consumer can control the access to his personal information. Join this panel to hear the best-practice advice of experts in the industry.
At the peak of the COVID-19 pandemic, the Province of New Brunswick in Canada needed to enable digital access to COVID-19 test results. Simeio, working with New Brunswick’s Provincial healthcare arm MyHealthNB, delivered a digital identity solution. This enabled secure access which was validated against authoritative data sources to prove identity. This also allowed New Brunswick citizens to stay safe and practice social distancing by obtaining results securely and confidentially.
Healthcare organizations are the most vulnerable from a modernization perspective due to years of lack of investment and focus. The COVID-19 pandemic has put added strain on hospital organizations to modernize and shift their mode of delivery to virtual care. This session will speak about a use-case that highlights challenges a Canadian Province faced and what tools and solutions were developed to deliver expedited access to the COVID-19 test results in 18 days.
Earlier in 2020, the European Union published “A European Strategy for Data” outlining its vision for a connected single digital market where the benefits of the digital economy could enhance the lives of its citizens, residents and trade partners.
However, we now find ourselves at a very real crossroad. A post-pandemic world will be a new type of normal. Amidst the tragic loss of lives there have been breakthroughs in science, new ways of working along with embracing new digital tools.
We are at the beginning of a new design and architectural phase where just because technology can, doesn’t mean it should. Personal data linked to identity, fuelled by AI sits at the centre of these decisions.
Enabling citizens, students, patients, passengers and consumers to more equitably join the value chains fuelled by data will ultimately lead to greater trust and personalisation, resulting in a more prosperous society. However, this will require new commercial models, enforceable regulation and the digital tools to transform our connected society.
This session will focus on the implementation of real-world case studies including standards, commercial models and technology choices.
In this first of two episodes, Annie Bailey and Matthias Reinwarth lay the foundations for the topic "Emerging Technologies in Healthcare". Beyond hype and half-knowledge, they look at the use of AI, machine learning, blockchain, and modern digital identities for the comprehensive improvement of processes and systems in healthcare.
This analyst chat episode is the 50th and therefore a bit different. This time Matthias talks to two experienced analysts, Martin Kuppinger and Alexei Balaganski, about the ECSM, the European Cyber Security Month, which is to provide information and awareness on cyber security in October 2020. The particular aim they pursue is to go beyond awareness to arrive at specific measures that can benefit individuals and organizations alike.
When asked to describe IAM processes, managers tend to think first of traditional lifecycle management processes such as Joiner, Mover and Leaver (JML). While these are clearly essential for identity governance in interplay with authoritative sources, a comprehensive process framework for IAM and beyond encompasses many other areas. Martin Kuppinger and Matthias Reinwarth explore some of these additional areas between convenience and compliance.
Dynamic, risk-based, attribute- and context-related authorizations are becoming increasingly important for many enterprises. Graham Williamson and Matthias Reinwarth take a look at the market sector for dynamic authorization management and policy-based permissions in light of the recent publication of a Market Compass on this topic.
With all of the different IGA approaches available these days, have you ever wondered how global companies have success in centrally and seamlessly managing their mountains of requests while still maintaining critical workflows and compliance standards? Get the strategies you need to navigate and win from Todd Wiedman, Chief Information Security Officer, Landis+Gyr. Todd will be sharing insights and learnings from his successful implementation using the Clear Skye IGA solution natively running on the ServiceNow (NOW) Platform in this ‘not to be missed’ session.
ITSM is going well beyond ITIL and IT ticketing these days: It’s becoming the portal and workflow platform
Not that long ago, ITSM (IT Service Management) was what the name means: A technology used within IT to manage IT services and facing the end user when it comes to IT requests. IT requests led to tickets as the tasks to be performed by workers in IT. And yes, there was and is ITIL (IT Infrastructure Library) describing common IT processes, there were and are Service Catalogs, and there were and are CMDBs (Configuration Management Databases).
However, this is changing. ITSM platforms are shifting from IT solutions to business solutions and becoming strategic tools for organizations, for service delivery (and thus service definition, service management, and so on) across a range of business functions. They have become a widely used interface for users to a wide range of services, and they support the workflows and process automation behind these interfaces.
With IAM providing interfaces and with workflows and processes being a vital part of every IAM, it is obvious that there is a logical link between IAM and ITSM (or the other way round).
Martin Kuppinger, Principal Analyst at KuppingerCole, in his talk will look at the journey of ITSM and where ITSM is heading. He will look at the overlaps and links between IAM and ITSM. And he will take a high-level perspective on where integration is expected to become deeper and where IAM capabilities might shift to ITSM, specifically in the context of IAM evolving from monolithic platforms to modern, microservice-based architectures that can well make use of existing ITSM services, microservices, and APIs.
As ITSM platforms evolve into strategic tools for service delivery across a range of business functions, it is tempting for organizations to build in identity access management, governance, and administration functionality to provide a one-stop-shop for all employee requests and eliminate the cost of a separate IAM/IGA system.
Warwick Ashford, senior analyst at KuppingerCole will explain why this is a risky strategy and discuss the benefits of and some use cases for aligning ITSM with IAM/IGA systems instead.
This session will compare and contrast characteristics of Identity Access Governance built on traditional platforms with those built on top of ServiceNOW, taken from a field perspective. The session will review implementation costs, common outcomes, and ultimately how to decide which is the most appropriate solution based on business needs.
Why have things like cell phones and automobiles become more advanced, intuitive and cost effective over time while managing Identity, particularly Identity Governance, has remained complex and expensive? The time and resources it takes to implement an identity project hinders the business and slows any hope of digital transformation. The frustration is real and ripping and replacing has not proved to be the answer. So what’s it going to take to truly get IGA right? In this thought-provoking session, Jackson Shaw, an experienced thought leader in IGA will discuss the need to rethink the core of identity and why it’s time for an IDENTITY REVOLUTION.
Central to the ability to identify, authenticate and authorise individuals and allow them access to resources is the validation of the requirements to ensure that someone is who they claim to be, possesses the requisite academic or professional qualifications, work experience, skills, and an understanding of their competency within any given skill. I.e., I may have a driving licence which allows me the right to drive, but if subsequent to a test I have never had the opportunity, my competency will be almost non-existent. And of course ensuring the binding of the identity throughout the lifecycle of an individual to the claimed identity, from onboarding through operation and eventual retirement, along with the credentials I’ve just highlighted.
Warwick Ashford and Matthias Reinwarth talk about business resilience again, focusing on cyber supply chain risk management.
In this session PlainID will discuss how organizations can rethink, redesign and modernize their Identity and Access Management (IAM) architecture by implementing PBAC (Policy Based Access Control). This service should be a central service supporting not only one specific set of applications but rather act as a focal point (or a “brain” if you like) for different IAM technologies. This new architecture pattern has evolved to better support more applications and more advanced use cases.
In this session Mr. Darran Rolls will provide a unique perspective on the emergence, growth and future advancement of IGA technology. In it, he provides an assessment of where we stand today with existing solutions and deployment approaches, and highlights where the industry needs to focus regarding program oversight, cross-system orchestration and integration with cloud and DevOps processes.
While properly defined and tool-supported identity and access governance (IGA) is prevalent in regulated industries to ensure compliance, it is still fairly uncommon in mid-sized or even larger companies in non-regulated industry sectors. This has not been a problem in the past, when classical, data-center based IT infrastructure was dominant. Mr. Barry will point out why a lack of IGA can become a major issue when introducing hybrid or cloud-based IT infrastructure, and will explain why tool-based IGA can even add long term value in automating the administration of a hybrid infrastructure environment.
Alexei Balaganski and Matthias Reinwarth look at the citizen development movement and discuss the potential risks of letting business users create their applications without proper governance and security.
In the early hours of March 18th, 1990, two men entered the Gardner Museum. They left 81 minutes later with 13 artworks, including two Rembrandts, a Vermeer, a Degas, and an ancient Chinese vase. The heist remains unsolved today, with no leads and no suspects — and the museum is offering a $10 million prize for the safe return of the pieces.
Given that background, you might assume that this was another session about zero trust. It’s not.
Recently, a growing emphasis on data privacy has sought to treat identities and their associated data as valuable works of art as well, worthy of protection and compensation for use. Through the lens of the Gardner Theft, we’ll evaluate the current proposals and concepts around user-owned data and explore the benefits and pitfalls of each.
We'll step through the heist, recreate those 81 minutes, and discover how identity data is the new Vermeer. Note: If we somehow crack the case together, we'll split the $10 million between us all.
Technology is evolving quickly and keeping pace requires deep knowledge and experience. Enterprises are also evolving quickly and demand advanced but simple identity solutions to successfully fast track digital transformation, cloud adoption and Zero Trust initiatives. By utilizing “Best of Breed” solutions, organizations can take advantage of the key benefits that only a multi-vendor solution can offer. Join this session to learn about the core principle of best of breed solutions and hear about some examples of what organizations have done to build the right foundation for Enterprise Identity Success.
IAM implementations are not all the same, but for sure there are not as many implementations as there are situations. I have selected 3 major factors which defined our IAM project. Of course, the final result was a consequence of a lot more things.
And yes, we succeeded in implementing the full Identity lifecycle in an enterprise where the starting point is a complex matrix of requirements like multiple legal entities, multiple contracts, kinds of work relationships, several account directories, manual processes.
Just name any situation, we had it. We were on the edge of failure and almost ready to add yet another failed IAM project to the list. But we made it and if I had to do it yet again in another place, in another situation, I would take these 3 with me.
- Correct data is vital for every IT project, IAM is not special. But where exactly to look in the IAM project? Which issues with the data are toxic?
- The analysis of the system drives implementation architecture and design. Thereby the steering must be correct.
- And finally, how to roll it out at enterprise scale if you cannot do a big bang but at the same time you cannot leave anybody behind?
In this presentation Henk will share the journey that Rabobank made from a situation in 2017 with two solutions and infrastructural environments for IAM and two teams, that merged and went on a journey to become one, as well as overcoming the legacy environments that delivered the service. The presentation details especially the management of this journey and how to move from A to B to C to D to Enlightenment. And perhaps we're not even there yet.
The presentation will detail our specific journey, but general key takeaways can be identified that apply to any IAM department and service.
Virtually every cybersecurity breach today involves the exploitation of privileged access. Privileges are initially exploited to infiltrate an IT environment; once compromised by threat actors, privileges are further leveraged to move laterally, access assets, install malware, and inflict damage.
In this session, learn 10 key steps to achieving Universal Privilege Management, and how it is used to secure every user, session, and asset across your IT environment. Covered topics include:
We will also share how the BeyondTrust Privileged Access Management (PAM) platform enables absolute control over every privilege in your environment to drastically reduce your attack surface and windows of exposure, while boosting business productivity.
Warwick Ashford and Matthias Reinwarth discuss the prerequisites and challenges of making a business able to adapt quickly to risks and disruptions.
Anne Bailey and Matthias Reinwarth discuss the findings of the recently published Leadership Compass on Privacy and Consent Management.
Alexei Balaganski and Matthias Reinwarth discuss the concept of ephemeral credentials and its benefits for privilege management, DevOps and beyond.
Why PAM is a must and how you can benefit from it: Many corporations need to comply with regulations which result in extended logging and monitoring of privileged activities. The presentation shows how to start a successful PAM implementation and how to benefit from it.
Paul Fisher will expand on his analysis of how Privileged Access Management platforms will develop support for DevOps and other key users. This will mean that certain PAM functions will be embedded within the technology stack, opening up password-free and secure access paths and enabling rapid task fulfilment.
Often I saw in the planning of PAM projects that the manager “only” plans the implementation of the tool. It was quite a good installation, but the project was not successful. Here are some points I learned to keep the customer happy and bring the project to success:
As enterprises transition to IaaS, cloud security, and specifically IAM strategy and execution, becomes crucial. IAM controls for IaaS/Public Cloud need to identify, secure and monitor privileged assets and at the same time deal with the inherent elasticity, scalability and agility of the Public Cloud. As such, a Privileged Access Management program for cloud, i.e. Cloud PAM, is required to meet the increasingly stringent compliance and audit regulations and keep enterprises secure.
The new normal demands organizations to enable the remote workplace in a rapid and secure way.
The new normal requires privileged asset owners to make intelligent, informed and right decisions even with a fragmented view of risk.
The new normal requires governance to be integrated and inherent with privileged access workflows and not an after-thought.
This session will give insights and best practices to create the least privileged model, minimizing the risks associated with standing privileges, and prepare enterprises to rapidly transform themselves through secure digital transformation.
SSH.COM polled 625 IT and application development professionals across the United States, United Kingdom, France, and Germany to find out more about their working practices. We found that cloud and hybrid access solutions, including privileged access management software, slow down daily work for IT and application development professionals. These hurdles encourage users to take risky shortcuts and workarounds that put corporate IT data at risk.
Join SSH.COM’s David Wishart, VP Global Partnerships, to learn:
John Tolbert and Matthias Reinwarth look at SP 800-207, the NIST special publication on Zero Trust architecture and discuss how it aligns with KuppingerCole's own vision of this topic (spoiler: it does align very well!)
As the adoption of cloud applications and services accelerates, organizations across the globe must understand and manage the challenges posed by privileged access from remote employees, third parties, and contractors. With 77% of cloud breaches due to compromised credentials, making sure your users get easy and secure access to the cloud should be a top priority.
Join Thycotic chief security scientist and author Joseph Carson as he explains a practical approach to help you define and implement privileged access cloud security best practices. He will also share how Thycotic’s new Access Control solutions can safeguard cloud access by both IT and business users.
Alexei Balaganski and Matthias Reinwarth try to make sense of the current state of quantum computing and talk about the risks it poses for information security.
John Tolbert and Matthias Reinwarth discuss benefits and limitations of agentless security solutions.
Christopher Schütze and Matthias Reinwarth discuss Enterprise Risk Management. What is it all about? What large and small companies should be focusing on? What role do IT and cybersecurity play here?
Working with the NHS, we are connecting our verifiable credentials infrastructure to its COVID-19 tests database so that we will be able to issue COVID-19 verifiable credentials to people in real time. Our unique design provides selective disclosure and conformance to GDPR for both the issuer (the NHS) and the verifier (e.g. a restaurant or a care home), without the need for a blockchain, revocation infrastructure or zero knowledge proofs. We will describe the architecture of our system, provide screen shots of the mobile phone interfaces, and describe the user trials we are shortly to carry out with care homes in Kent during the next few months.
Anne Bailey and Matthias Reinwarth discuss how decentralized identities and verifiable credentials help respond to the pandemic by powering contact tracing applications, immunity passports and other important use cases.
Blockchain is a reaction to real security and privacy concerns. Whether or not you choose to adopt any blockchain solution, these concerns do exist and should be addressed in the way you manage enterprise Identity and Access Management. This session is for those who want to know what components to consider when implementing a blockchain ID system, and for those who wouldn’t touch blockchain with a 10-foot stick but still value the insights that come from a different identity paradigm.
Modeled from KuppingerCole’s Blockchain ID Buyer’s Compass, this session identifies the use cases most applicable to Blockchain ID, the functional components to look for in a solution, technical and organizational prerequisites, and key questions to ask a Blockchain ID vendor.
The U.S. Department of Homeland Security (DHS) has supported Self-Sovereign Identity technologies such as Decentralized Identifiers (DIDs) and Verifiable Credentials for several years. Now, a number of companies have been selected to work with DHS on implementing digital versions of identity documents such as the Permanent Resident Card (Green Card). In this use case, the issuer of Verifiable Credentials is USCIS (United States Citizenship and Immigration Services), and the verifier is TSA (Transportation Security Administration).
The overall objective is to make use of SSI technologies in order to increase security and efficiency as well as user control and transparency. Another key parameter of the project is that all technical components must be interoperable and based on standardized interfaces.
An overview of a number of problem-driven use cases for SSI technology, focusing on a number of different domains: healthcare, distributed machine learning and education. A recap of research undertaken at the Blockpass Identity Lab over the last year.
In the future, you will not only decide where your data is stored, but also with whom you want to share your data. If you share data, everything will be logged for you and you will always have an overview of who has received data from you. This is what transparency looks like and this is what SSI promises you.
But what are the challenges when trying to implement SSI paradigms in the real world, and where may we have to change the overall reception of digital identities? Get first-hand insights from our experience on a project to initiate self-sovereign identity in Germany.
Enterprise wants to focus on the value identity can bring beyond verified access.
Whilst reducing identity management compliance risk and storage costs, more organizations are giving customers their identity ownership back. They are using intelligent agents, real-time data updates and new conferred trust verification methods to leverage (consented-for) identity data insights for cross-sell and up-sell - and to better service customers, employees and partners.
Distributed graph technology is enabling this. It guarantees privacy, anonymity and security – ensuring no unauthorized access to any user data. And it solves blockchain scalability, compliance and speed limitations – offering data compliance for both organizations and their stakeholders. A million graph vaults for a million customers – not one database or ledger block holding a million customer records.
We'll explain why intelligence-driven identity verification, sovereign identity ownership and compliant identity security built from the bottom up can offer enterprise the value-add they seek.
Digital privacy is a central concern for pretty much everyone. But what does ‘privacy’ really mean? How do you get it and what does it cost you? The identity community has been hard at work on a new identity model that gives people a path to take control of their online identities and personal information, making privacy convenient for individuals and practical for the organizations they interact with. In this keynote, Joy Chik will share why this identity model is necessary, how it’s becoming real, and what steps will catalyze adoption.
Alexei Balaganski and Matthias Reinwarth discuss the security challenges for enterprises moving to the cloud and explain why security in the cloud is still your responsibility.
Anne Bailey and Matthias Reinwarth talk about the technologies that enable employees working remotely or from home to access sensitive corporate information from personal devices without compromises between productivity and security.
Matthias Reinwarth and Martin Kuppinger discuss the challenges of integrating IT service management with identity governance within an enterprise.
Matthias Reinwarth and John Tolbert discuss the ongoing consolidation of the cybersecurity market and talk about its reasons and potential consequences.
Banking products have become commodities; the only way to stand out from competition is to offer differentiating customer experience. Both retail and corporate clients expect personal, easy, and smart solutions from their banks. Identity & Access Management plays an essential role in this equation – offering high level of security without compromising on customer experience is the main challenge.
In this keynote session, Dinçer Sidar will talk about the changing customer expectations and deep dive into IAM practices and learnings for corporate banking clients.
Hours ago the EU Court ruled that the EU-US data protection agreement called Privacy Shield is invalid, while it considers Standard Contractual Clauses to be valid. Also interesting in this context is the US Cloud Act. This may have some impact on existing and future transcontinental relationships and the usage of US-based services within the EU. In this interview, Annie Bailey and Mike Small will discuss these new developments and implications.
Matthias Reinwarth and Martin Kuppinger talk about governance and security of data across a variety of sources and formats and the need for maintaining data lineage across its complete life cycle.
Consumer Identity Management (CIAM) ensures privacy, consent management, security, personalization and user experience for external users, especially consumers and customers. Although the drawbacks of building yet another data silo are obvious, many organizations still view CIAM as an isolated system. But this ignores significant potential. Matthias Reinwarth talks about the range of opportunities that can be gained by converging CIAM into an overall IAM concept, but also by integrating CIAM into broader cybersecurity and marketing infrastructures.
Christopher Schuetze and Matthias Reinwarth discuss a security architecture blueprint that implements the concept of Security Fabric.
As organizations are quickly advancing into the digital transformation, there is a growing need to secure access to critical infrastructure assets. IT security leaders have identified the need for a Privileged Access Management solution but, as their infrastructures expand and are increasingly subjected to cyber threats, they too often struggle with deployment and operational challenges. This conference will highlight how modern solutions can adapt to the evolving needs that IT leaders have to address by providing scalable deployment, operational simplicity, and reduced total cost of ownership.
The session will be about threat landscape tips from the practitioners.
In this talk, Alpha will discuss the often arduous way from buying and initially implementing a PAM solution to achieving significantly improved security as a program target. He will share lessons learned about necessary changes to IT infrastructure architecture and operational processes to ensure maximum impact of a PAM project. Overcoming organizational resistance to the new processes and tools is equally important. Alpha will explain what to expect, and leave the audience with some best practice ideas to engage and involve stakeholders in IT operations and general management.
The PAM market has never been so dynamic and competitive as it reacts to changes in demands from organizations grappling with the effects of digital transformation on security and compliance. The findings from this year’s KuppingerCole PAM Leadership Compass reflect this dynamism as the vendors innovate across the board and add much needed functionality. Join Paul Fisher, Senior Analyst at KuppingerCole, as he discusses the findings from the report and what they mean for PAM in your own organization.
Graham Williamson and Matthias Reinwarth talk about consent: what does it mean for identity professionals, service providers or lawyers and how to reconcile all those different views in modern IAM environments.
Privileged Access Management (PAM) is essential to every business – just because every business is under attack, and privileged accounts are what (targeted) attacks are focusing on. Thus, there is a need for PAM, with organization, processes, policies, controls, and technology. But PAM must not be an isolated initiative. It is tightly linked to both cybersecurity and IAM initiatives, and there is also an interplay with ITSM. In his talk, Martin Kuppinger will look at how PAM relates to other areas and how to set up a comprehensive initiative that focuses on mitigating risks and improving security, by linking PAM to the rest of IT in a well-thought-out manner.
Warwick Ashford and Matthias Reinwarth discuss the standards, technologies and organizational changes needed to finally get rid of the password-based authentication once and for all.
Christopher Schuetze and Matthias Reinwarth introduce Security Fabric - a new architectural approach towards cybersecurity with the goal to achieve consistent and fully managed security across the whole corporate IT.
John Tolbert and Matthias Reinwarth talk about network detection and response solutions: what are the threats they are looking for and how they complement endpoint protection tools to ensure consistent protection against advanced attacks.
Paul Fisher and Matthias Reinwarth continue talking about privileged access management, discussing the core capabilities of modern PAM solutions.
Matthias Reinwarth and Alexei Balaganski talk about the reasons many companies are still failing to protect themselves from cyberattacks and data breaches even after spending so much on security tools.
The rapid growth in both scope and market share, combined with the inherent complexity of cloud computing, seem to exceed the capabilities of existing governance and risk management approaches. As users, and the uses of cloud computing evolve, so must the supporting governance models. This includes the transformation and adaptation of governance and risk management programs into the company's culture, and the evolution of the skills and expertise of the IT and Security professionals.
In his Opening Keynote, Martin Kuppinger, Principal Analyst at KuppingerCole, will talk about the practical consequences of having a “cloud first” strategy in place. Declaring such a strategy is simple. Successfully executing it is the bigger beast to tame. Martin Kuppinger will look at the success factors for executing a “cloud first” strategy and identify what it needs in the organization, operations, integration, vendor selection, risk assessment, management, security, and identity. He also will look at the various levels of such cloud first strategies, from full multi-tenant public cloud to basic “lift & shift”, as well as the interoperability with the remaining on-premises infrastructure as well as the role Edge Computing will play in future.
In a follow-up to an earlier episode, Matthias Reinwarth and Anne Bailey discuss practical approaches and recommendations for applying AI governance in your organization.
Join the conversation as we help you explore laying the foundation of identity and security into your cloud-first strategy. If the following questions have crossed your mind, we're happy you found your way to this session.
A. Business-critical apps are constantly being migrated to the cloud to keep up with business. How do I know who is accessing what and if it is appropriate? Can I eliminate persistent accounts and provide JIT access?
B. Native compliance controls are provided from each of my cloud providers making it difficult, inefficient, and costly to obtain overall visibility and proof of continuous compliance monitoring. Am I continuously meeting my compliance controls in the shared responsibility model?
Cloud is the foundation for any digital transformation. Most organizations now have cloud embedded not just in their IT strategy but also in their digital strategy. Cloud creates an opportunity to modernize an organization's application portfolio. While the benefits of migrating to cloud are well known, the journey to cloud comes with its own challenges and risks. If not planned properly, this can cause major headaches on the way. The session covers the benefits of a proper cloud strategy, how to set up a cloud journey and the risks that one must be ready to manage on the way.
Moving to the cloud is a relatively settled concept today. We all knew the benefits, but who thought that someday the same would offer the option to stay and work from home, and that also 100%? This is a short tour to see why IFRC opted to embrace the cloud, the challenges addressed, and the derived benefits, as well as continued efforts in optimizing further.
Cloud computing is a proven and globally accepted enterprise delivery and operational technology model, and as this market segment grows, concerns regarding privacy, security and compliance are also increasing. The rapid growth, combined with the inherent complexity of cloud computing, appears to be straining the capabilities of existing governance and risk management frameworks. In this presentation, I will question the perceived effectiveness of current governance and maturity in the use of risk management frameworks being applied to cloud computing.
All organizations need to consider the risks related to the availability of their business-critical data and take appropriate measures to mitigate these risks. In most cases this will involve investing in backup and disaster recovery products and services. In today’s hybrid IT environment these must cover both on-premises and cloud delivered services in a consistent way. This session will cover KuppingerCole’s research into this area and summarize our Market Compass Cloud Backup and Disaster Recovery.
Cloud Security best practices arise from the shared responsibility model for cloud computing, which states that customers are responsible for the security of data in the cloud. This session will cover the latest trends in cloud security, cloud provider shared security models, and the use of data encryption as a best practice. With cloud encryption key lifecycle management seen by many as a problem yet to be solved, the session will wrap with an overview of CipherTrust Cloud Key Manager from Thales.
A story based on personal experience of leading several companies to smooth cloud migration. We will look at some real-life tips & tricks.
We will discuss how to choose the cloud provider and the cloud setup – single-cloud, multi-cloud, or hybrid cloud.
We will talk about what ‘cloud-readiness’ means and when it is achieved.
Should we start with a Zero Trust Architecture?
What are the possible approaches for cloud migration, and what are their pros and cons?
After all, is a migration a one-off event or a continuous process?
Matthias Reinwarth and John Tolbert talk about profound implications of security products not having their administrative interfaces sufficiently secured with technologies like multi-factor authentication.
Matthias Reinwarth and Anne Bailey talk about Artificial Intelligence and various issues and challenges of its governance and regulation.
Matthias Reinwarth and Christopher Schütze talk about the importance of processes to make your IAM projects successful.
Businesses face various risks when deploying external products and services. Among them is the possibility of cyber intrusion which can pose a major challenge to the company’s infrastructure and require a re-think of cybersecurity strategy. A well thought-out and properly structured management of a supplier base classified as trustworthy is just as much a part of this discipline as the use of standardized certification procedures for such products. In this panel we will discuss the importance of cyber supply chain risk management (C-SCRM) and its effect on resilience of a digital business.
Ensuring business continuity is a challenge during times of crisis such as the pandemic caused by the Covid-19 virus. Companies were and are facing an increasing number of cyber-attacks which can cause damage to their finances, reputation, and growth. Today, most people continue to work from home, hence the attack surface is dramatically increased. In such trying times, effective cybersecurity measures are of utmost importance. It is essential for businesses to understand that cybersecurity has become part of business continuity and that modern, innovative approaches together with a high level of communication with the company are essential to overcome the challenges posed by cyber adversaries.
As the recent widely publicized revelations have shown, the risk of purchasing hard- and software with deliberately or accidentally built-in weaknesses is much higher than we could have estimated – but it is not the only element of Supply Chain Risk. Supply chains can only be as strong as their weakest link. In a world where enterprises must focus on what they can do best and outsource everything else, it is necessary to know these weak spots and to limit the risks occurring from them.
Security teams were already going through a fundamental shift in how they protect the business, even before the acceleration to remote working due to Covid-19. Given that Identity and Access Management (IAM) is now undeniably the first line of defense for organisations worldwide, how can security leaders turn the challenges, both legacy and new, into opportunities to mitigate risk and add value to the business? And all this in a way that will elevate the position, and change the perception, of security at the same time?
Based on a recent study Barry McMahon from LastPass looks at the challenges facing security teams and details five drivers where Identity and Access Management can support the business needs to benefit both the business and security team. There is also some excellent guidance on how best to engage the senior decision makers and speak in a language they understand.
With the introduction of AI, machine learning and UEBA, the SOC objective is to detect abnormal behavior. More than ever Identity is the battleground in this new concept of iSOC.
During this keynote, you will learn how Identity Governance and SOC need to be tight and how to remediate when a threat is detected on a specific Identity with the concept of "Threat Aware Authentication".
While governments and public healthcare specialists are looking into the timing and manner of reopening the economy, it is clear that at some point in the hopefully not-too-distant future restrictions will be eased and businesses will return to normal operations. Returning to recently-vacated offices will certainly signify a return to normality, and for most, that will be a welcome relief after working from home for an extended period. However, just as the shift to working from home required organizations to adapt and act differently, so will the return to the office. In this keynote, we discuss the preparation CISOs should consider making to offset a number of security implications that arise from returning your workforce from home and back to the office.
Matthias Reinwarth and Paul Fisher launch a new series of talks about privileged access management.
The year 2020 will see a transition to a new decade. So will cybersecurity. Gone are the days of networks isolated behind a company firewall and a limited stack of enterprise applications. The current paradigm demands a wide variety of apps, services, and platforms that will all require protection. Defenders will have to view security through many lenses to keep up with and anticipate cybercrime mainstays, game changers, and new players.
Tried-and-tested methods — extortion, obfuscation, phishing — will remain, but new risks will inevitably emerge. The increased migration to the cloud, for instance, will exacerbate human error. The sheer number of connected assets and infrastructures, too, will open doors to threats. Enterprise threats will be no less complex, mixing traditional risks with new technologies, like artificial intelligence (AI) in business frauds.
Security predictions for 2020 reflect experts’ opinions and insights on current and emerging threats and technologies. The report paints a picture of a possible future landscape driven by technological advances and evolved threats to enable enterprises to make informed decisions on their cybersecurity posture in 2020 and beyond. The future looks complex, exposed, and misconfigured, but it is also defensible.
In his talk, Stefan Würtemberger will discuss the case study of Marabu's cyber-attack. He will address the necessary steps a company has to take after being attacked by cyber-criminals. He recommends calling in external cyber-specialists (expertise & protection of own resources) and filing a complaint with the police. Furthermore, he suggests dividing your forces well, since a working week of > 100 h does not last long. A well-documented infrastructure helps when using external forces.
In this session, you will hear from cyber security thought-leader and Corix Partners founder JC Gaillard. JC will discuss and deconstruct 6 cliches around cybersecurity in small and mid-size firms and why security matters more than ever in the light of the COVID crisis, before answering your questions.
Matthias Reinwarth and John Tolbert discuss the latest "innovations" fraudsters are using during the pandemic crisis and the methods to mitigate them.
Matthias Reinwarth and Alexei Balaganski look at the potential alternatives to VPNs and security gateways.
Matthias Reinwarth and Martin Kuppinger explain how to protect your users from phishing attacks when they're all working from home...
Learn more about how to continue successful business with Senior Analyst Warwick Ashford's Analyst Advice on Business Resilience Management.
Matthias Reinwarth and Alexei Balaganski talk about making the right choice of a database engine to power your next cloud project.
Matthias Reinwarth and Martin Kuppinger dispel a few myths about Zero Trust.
The KuppingerCole Virtual Awards Series 2020 honors outstanding Identity Management and Security projects, standards or people during the upcoming virtual conferences. Today's award category considers Enterprise IAM projects, including Identity Governance & Administration, Identity Federation, Privileged Access Management, and other technologies. These projects may cover all types of identities but should include employee identities and focus on managing hybrid environments. Join the live award ceremony as the KuppingerCole jury announces the Best Enterprise IAM Project winner.
Matthias Reinwarth and Alexei Balaganski discuss the plethora of acronyms for security analytics solutions: from SOC and SIEM to UEBA and SOAR.
Identity Management is changing. It will never be the same again. It is already more than Employee IAM. The segregation between various parts of IAM is blurring. Digital businesses require advanced identity services, well beyond the human identities. Identity Fabrics are the model for your Future IAM. They are about a consistent set of capabilities and services in a modern architecture, supporting your business and IT use cases. They deliver the Identity Services for your new digital services, ready-to-use and supporting the time-to-value in the digital transformation of your business. However, they also provide a path for modernizing and consolidating your legacy IAM into a modern set of IAM services, at your own pace. Thus, Identity Fabrics enable your IAM expansion and transition. Martin Kuppinger will explain the fundamental concepts of Identity Fabrics and explain why these are the cornerstone of forward-looking IAM strategies.
Industrial revolutions share two common properties: 1) a new increasing-return technological paradigm and 2) new funding methods. In the first industrial revolution, these were the steam engine and fiat money creation. The combination allowed the British to create a global empire, capitalizing on the increasing-return nature. The same pattern holds for the 4th industrial revolution as well. This time, it was cyberspace and the money creation system called "Silicon Valley". This time, however, the land grab is not on an existing continent. It is on a newly formed 8th continent, also known as "Cyberspace." For the time being, GAFAM seems to be prevalent there, but the battle is not over yet. To survive the battle, we have to change the way we conduct our business to fit the new technological reality. Retrofitting the new technology to the old way delivers quick results but does not allow us to fully capitalize on the new reality and results in colonization. To avoid this, there is no other way but to transform the business and system to an identity-centric architecture, because otherwise your system will not be increasing-return.
Every business today is faced with a digital transformative imperative. In a digital world, where everyone is connected to everything, secure access is key for employees, partners, customers and even things. Organizations are challenged however by the need for controlling and staying on top of constant change and at the same time allowing continuous innovation of both technology and business models. How do you keep up with the speed of change and the need for security? In his keynote, Tim Barber will discuss the concept of Identity Fabrics - platforms that provide all of the required services with a strong digital identity backend and discuss the essential technologies required to build, deliver and innovate at the speed of business.
The W3C Verifiable Credentials Data Model is being used as the basis for creating standardised COVID-19 certificates of different types: vaccination, test and immunity certificates.
As the W3C Recommendation clearly states, "DIDs are a new type of identifier that are not necessary for verifiable credentials to be useful. Specifically, verifiable credentials do not depend on DIDs and DIDs do not depend on verifiable credentials." So why are most implementers insisting on building COVID-19 certificates with DIDs and blockchains? This talk will provide an answer to this question, and show how COVID-19 certificate eco-systems can be built without recourse to DIDs or blockchains.
About the author: David has been an invited expert to the W3C Verifiable Credentials Working Group since its inception, and is a co-author of the W3C VC Recommendation and its accompanying Implementation Guidelines.
Verifiable Credentials Ltd is a spin-out SME from the University of Kent, formed to exploit the Verifiable Credentials Middleware created by the University in a project sponsored by Innovate UK.
IAM Performance Measurement: In late 2018, a group of seasoned IAM professionals spent an evening discussing IAM challenges in a café. They shared a common frustration: the absence of a standardized Performance Measurement System (PMS) to monitor and compare the performance of IAM programs in organizations. Yet, as the old saying goes, you only get what you measure. They organized a series of workshops throughout 2019, worked hard and here it is: the foundations of a standardized IAM PMS have now been laid out. This not-for-profit project driven by passionate IAM experts is open sourced to facilitate widespread usage within and foster contributions from the community. In this talk, David Doret will share with you the release of the beta version of the IAM Open Measure framework and invite IAM professionals from the audience to join and participate in this venture.
Build or buy? Do we have the staff, talent, & budget to operate a new security service if we decide to build? In this talk, Alyssa Kelber & Jon Lehtinen deconstruct the myth that you need large teams & expensive software to run cloud-native Identity-as-a-Service platforms for your enterprise. They will share their experience building their own at Thomson Reuters using commercial off-the-shelf software, containerization, and native cloud services, as well as the lessons learned, business impact & cost savings over the year since the service’s launch.
Governments are building huge identity systems because they need to plan service delivery, understand demographics and deliver essentials such as healthcare and education whilst building digital economies and addressing financial inclusion. They also have concerns over fraudulent activity, security and border control. These are conflicting issues with very different needs.
Technology always moves faster than laws and government capacity is often behind the curve. Knowing what to implement, when and how is difficult when capacity is low.
Digital economies need digital identity, as does true service transformation. To be able to do this at national or international scale without creating a mechanism for an attack on all of our basic rights we need the crucial building block of digital identity to act for the users and not just for the use cases.
So how do we do this in a world where country after country is moving to implement ever more capable identity systems?
The current healthcare crisis has drastically changed how and where work is done, and the way organizations operate. To get to this point, it was a battle for IT admins that oversee your Active Directory infrastructure.
Then what happens when this crisis is over? How can your organisation quickly and smoothly bounce back from the identity management challenges brought on by all the forced change?
Matthias Reinwarth and Christopher Schütze talk about how to efficiently identify and rate your investments into Cybersecurity.
Christopher Schütze and Matthias Reinwarth explain the importance of having an incident response plan.
Matthias Reinwarth and Martin Kuppinger discuss the measures necessary for securing your favorite online communication platform.
Matthias Reinwarth and Graham Williamson are talking about managing IAM projects properly.
Matthias Reinwarth and Alexei Balaganski discuss the challenges of explosive API growth without proper security controls in place.
Matthias Reinwarth and Graham Williamson are talking about designing an IAM project architecture.
Matthias Reinwarth and John Tolbert explain the meaning behind the term and talk about various factors that help identify fraudulent transactions in different industries.
Matthias Reinwarth and Martin Kuppinger identify the key topics for cybersecurity in the times of crisis.
Matthias Reinwarth and Christopher Schütze are taking a look at five different phases of cyber security.
Matthias Reinwarth and Martin Kuppinger explain what you could be doing wrong with regards to cybersecurity priorities.
Matthias Reinwarth and Alexei Balaganski discuss the history of ransomware and the measures needed to protect yourself against it.
Matthias Reinwarth and Martin Kuppinger are discussing the security challenges enterprises are now facing with the majority of employees working from home.
In the first official episode of the KuppingerCole Analyst Chat podcast, Matthias Reinwarth and John Tolbert are talking about the challenges of data protection in modern times.
Welcome to the pilot issue of the KuppingerCole Analyst Chat - our soon-to-be-regular podcast. Stay tuned for more episodes!