The increased importance of a frictionless user experience as a digital business success factor on the one side, and a big wave of ransomware and similar attacks with user credentials as a main entry point are forcing us to rethink authentication and finally get rid of the password. Interview guests of this session will be KC Analyst Martin Kuppinger, Paul Fisher and Jochen Koehler from HYPR.
It is the same set of drivers, first and foremost remote workforce requirements and seamless customer interaction, that make our infrastructure and services even more complex than they used to be, with multiple public and private clouds and on-site IT, each with its own identity silos. In this session, KuppingerCole's Analysts Martin Kuppinger and Paul Fisher will talk with André Priebe from iC Consult on how to leave silos behind and take advantage of global identity proofing networks, whether decentralized (DID/SSI) or chain-agnostic (GAIN etc.), and on how CIEM/DREAM can help reduce complexity.
The pandemic has dramatically accelerated the shift to online transactions in most industries, with the financial industry, as an example of a heavily regulated sector, at the forefront of a movement to establish a global standard that brings the assurance level of online identity vetting (the onboarding process of a digital identity) in line with traditional face-to-face methods. In this session, KuppingerCole Analysts Martin Kuppinger and Paul Fisher, together with ForgeRock's Eve Maler, will discuss the relevance of identity proofing for your enterprise and why it will be one of the key topics of 2022.
Website www.forgerock.com, email eve.maler@forgerock.com, LinkedIn https://www.linkedin.com/in/evemaler/
Workflows, integration, automation, low & no code: whatever reduces complexity and manual workload will be an even hotter topic in 2022. KuppingerCole Analysts Martin Kuppinger and Paul Fisher will discuss with Clear Skye's Jackson Shaw the new era of platform services and how they will help automate Identity & Access Management.
Zero Trust will continue to play a crucial role in cybersecurity and identity management. In this session, KuppingerCole Analysts Martin Kuppinger and Paul Fisher will discuss with Sergej Epp from Palo Alto Networks on how to apply Zero Trust thinking to converge IAM, UEM, MDM, XDR, SIEM, SOAR to a seamless and holistic cybersecurity infrastructure.
Paul Fisher and Matthias present their very subjective summary of a truly special and, in particular, especially challenging past year, 2021. They cannot avoid the word 'pandemic' after all, but they also try to draw a first perspective on the year 2022 from the past 12 months.
The announcement of the GAIN initiative for the secure distribution of verified and assured identity data has been made at EIC in September. While the core concepts of this initiative have been discussed in earlier episodes, Martin and Anni sit down with Matthias to do a deeper dive into further aspects of GAIN, including the use beyond customer-related IAM and the challenge of privacy in such a hyper-connected network for PII.
Raj Hegde is joined by Sebastian Manhart - Technical Advisor on Digital Identity for the German Chancellery to explore governmental reform and understand stakeholder expectations behind the rollout of digital identity projects in the post-COVID era.
Tune in to this episode to learn how governments can transition from risk-averse waterfall approaches, improve human factors in public services and navigate through the government-private sector nexus to promote citizen access to essential services.
Senior Analyst Graham Williamson joins Matthias from down under to talk about edge computing. Starting from the definition and relevant use cases, they focus on where the edge brings value. They discuss what the key criteria for a successful deployment are and what needs to be looked at to do edge computing while preserving security and privacy.
Knowing who you are doing business with online has been and still is a major challenge. But why do you really need to know, and what are the pitfalls? The presentation will look at some of the important challenges of identifying, validating and authenticating people online.
Inconvenient and weak digital identity affects our digital economy. Adding more band-aids to the legacy knowledge-based digital identity infrastructure isn’t effective anymore.
The FIDO Alliance introduced standards for possession backed authentication which are now supported by all major platforms. Additionally, the Alliance is developing new standards for document based ID verification and passwordless device onboarding.
With standardized approaches supported by the ecosystem, we have all ingredients for a wholesale upgrade to the “fabric of identity” in our hands. It is on us to use them.
The presentation will give context on the EU Commission's announcement of European Digital Wallets and explain what eIDAS 2.0 defines for member states when it comes to digital identities. SSI can be a potential solution, but currently does not fully meet the eIDAS 2.0 regulation. We will explain why and give an idea of how to evolve SSI and create an ecosystem that is compliant with eIDAS 2.0.
It is no surprise that decentralization is a key player in blockchain's role in disrupting every industry requiring trust. But how do we create trust around decentralised solutions? Creating 'Decentralised Trust' is how we solve this. Through Decentralised Name Systems, Decentralised Certificates, Decentralised Bots and more, we can enable decentralised trust around decentralised solutions. Such solutions are key in embracing a truly digital society where this 'trustlessness' is key to the greater security, efficiency and trust of the public sector and all industries requiring trust.
Cybercrime, often driven by fraud, continues to plague organizations leading to data breaches and loss of revenue. Account takeovers and account opening fraud contribute to this. But as organizations transition to heavier dependence on digital identities, how do we deal with the rising and changing stakes?
In this session, Anne Bailey will discuss the intersection of digital identity and fraud prevention: identity verification. Listen in to hear how identity verification can be integrated into digital identity management as a preventative measure against fraud.
Lead analyst Alexei Balaganski joins Matthias for an episode on Data-Centric Security. Starting with a definition behind that term, they look at relevant technologies and market segments and discuss adequate ways of adding Data-Centric Security to an organization's cybersecurity strategy.
From November 9th to 11th, the Cybersecurity Leadership Summit 2021 took place in Berlin and virtually online. The Monday after, Martin Kuppinger and Matthias sat together to talk about some first impressions and insights from this event.
The recordings and slide decks are available for participants and those interested.
The Right Reporting Line is the One that Works. Period.
Emerging privacy-preserving frameworks for biometrics and identity limit the need to store personal data while still ensuring digital security.
Dream - Policy-Driven Management of Security, Identity and Access for All IT
The Future of Work is coming. And it’s borderless, lightning-fast, highly creative.
API Management & Security Market: Challenges, Solutions, Future Trends
Ransomware attacks have become the biggest single cyber risk for enterprises of any size and industry. Current surveys and KuppingerCole's own research indicate a steep rise not only in the number of attacks, but also in the average damage per incident. The dark side of digital is industrializing itself, turning ransomware into big business. The question is no longer if and when your organization will be attacked, but whether and how successful the attackers will be. "Sophisticated recent ransomware attacks are fully aware of standard backup strategies and corrupt or destroy your one and only option to recover without paying the ransom," says KuppingerCole's Cybersecurity Lead Christopher Schütze. "The complexity of today's multicloud environments requires more than traditional backup & restore approaches," he continues.
In this workshop, we will provide you with an overview of the pillars of a proactively resilient IT infrastructure. Starting with an individual ransomware resilience assessment, each participant will (individually and anonymously) benchmark the resilience of her organization against ransomware attacks, relative to the average value of the whole group that conducted the assessment. The key topics of this workshop will be:
In the past, servers and applications were rather static, and entitlements too were static. But this has changed. Organizations must deal with a multi-cloud, multi-hybrid IT. Entitlements and access in today’s cloud environments are dynamic, just like workloads. Martin Kuppinger joins Martin to explore the area of Dynamic Resource Entitlement and Access Management (DREAM). Together they look at policies and automation as one key building block for managing today's volatile IT.
No big celebration, but at least a mention: this is the 100th episode of the KuppingerCole analyst chat. Martin Kuppinger joins Matthias to discuss the increasingly important topic of "everything as code" and how to define proper strategies for approaching this, especially in the context of the BASIS concept. For more on this, both recommend revisiting Martin's opening keynote from this year's EIC.
Industry 4.0 is all about connected industries. However, more connectivity also brings more cyber-physical threats, in particular in relation to constrained IoT devices. Distributed Ledger Technologies (aka blockchain) and decentralized identities can help to re-establish trust, improve security and develop new business models. This talk will discuss the role of IOTA DLTs in securing connected industries and present some of the solutions and use cases currently being developed.
Internet of Things (IoT) devices, also known as connected devices, like smart speakers or smart thermostats, have become more common features of modern digital life. As IoT devices become more ubiquitous, the concerns about the security and privacy of the data they capture become more pressing. This session will explore the following:
In his talk, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will look at security challenges in Industry 4.0 and how established technologies from IAM and cybersecurity might be utilized for improving security. His talk will also cover the wide range of themes to look at from a security perspective in Industry 4.0, including Edge Computing and SASE.
John Tolbert sits down with Matthias and shares his insights into current approaches for protecting and defending essential enterprise systems beyond traditional, often office-focused cybersecurity. Safeguarding Operational Technology (OT), Industrial Control Systems (ICS), and the Industrial Internet of Things (IIoT) is getting increasingly important. John explains that modern approaches like Network Detection and Response (NDR) and especially Distributed Deception Platforms (DDP) can be valuable building blocks in an overall strategy for defending, for example, the factory floor or critical clinical systems.
A short status review of Blockchain: The development so far and operational challenges
• The race of application solutions
○ Blockchain without tokenization
○ Blockchain with tokenization
• Hurdles of the future
Blockchain is a revolutionary technology, but before it redefines the organization as we know it today, it will revolutionize the way we transact in small ways first. This presentation will discuss the use cases where blockchain is moving beyond PoC to enterprise implementation.
The explanation will enable CEOs and CFOs of any business to understand how this technology will impact their business.
Covid19 has laid bare just how far behind most governments are in digitising public administration and services for citizens. As countries around the world scramble to catch up, digital identity has emerged as one of the key building blocks. The approach, however, varies greatly. Most governments fall back on a default pattern characterised by centralised approaches and a narrow focus on the public sector only. Other countries, especially in Europe and most notably Germany, are taking a different strategy and implementing user-centric, decentralised, self-sovereign digital identity with the goal of providing a holistic identity solution citizens can use everywhere and across borders. Join this talk with Sebastian Manhart, Advisor on Digital Identity to the German Chancellery (Angela Merkel's Office), who will share what is happening in Germany and Europe, and why this could set the stage for digital identity globally.
Annie Bailey and Matthias take a deeper look at the emerging concept of the Global Assured Identities Network (GAIN) and also seek a broader perspective on the benefits and challenges of reusable identities in general.
The idea of low-code/no-code (LC/NC) application development is for end users to create their own custom applications, perhaps using a graphical design tool, selecting from a library of existing building blocks, or perhaps even with the assistance of artificial intelligence. Alexei Balaganski explains the concepts behind this new development, takes a look at the current market and, finally, highlights the challenges and security issues that may be hidden behind the use of such application development.
In this episode, Raj Hegde sits down with Dr. Michele Nati, Head of Telco and Infrastructure Development at the IOTA Foundation, to understand how decentralization offers a fresh perspective on marketplace transactions.
Tune in to this episode to explore how an international initiative comprising banks, universities and telco providers comes together to safeguard the e-commerce ecosystem.
While moderating and speaking at KuppingerCole's flagship EIC 2021 event in Munich, Matthias also took the opportunity to sit down one-on-one with his fellow analysts in the conference studio for some EIC special analyst chat episodes. In the third and final special episode, Martin Kuppinger and Matthias look at how current technologies and concepts complement each other to improve security and convenience for users of modern technologies at the same time.
KuppingerCole's flagship event EIC 2021 took place very successfully in Munich and online in September. Of course, Matthias took the opportunity to sit down with his fellow analysts in person for some EIC Special Analyst Chat episodes. Building on the themes of his Opening Keynote, Martin Kuppinger explains the concepts behind "Deconstructing the User Journey".
EIC 2021 finally took place in Munich in a hybrid format between on-site and online. Of course, Matthias took the opportunity to sit down with his analyst colleagues in person for some EIC special analyst chat episodes. In the first of three specials, Christopher Schütze talks to him about the findings from his pre-conference workshop on defending against ransomware, and they also turn their attention to a promising new approach to creating globally secured identities.
Leading service providers have started developing their software in-house to achieve competitive business advantages.
Denmark is among the most digitalized countries in the world, and as the digitalization strategy moves forward, it is necessary to improve and enhance the nation's overall cyberprotection. In 2019, the Government appointed a new 20-member national Cybersecurity Council for a period of two years. The council's role is to advise the government on new initiatives that can support both the private and public sectors through improved resilience and better cyberprotection; to contribute to knowledge sharing, advisories and guidance on the strategic level; and to look into the need for cyber security competences and suggest measures to further develop these, both among private citizens and employees, as well as within education and research.
In this session, you will get a view into the midway status of the work of the Council, and will learn which initiatives work and which need more effort. The Council has been advising the healthcare authorities on the Danish COVID-19 app, and has been discussing the SolarWinds hack and the upcoming vaccination passport.
Back in November 2013 the U.S. Congress enacted the Drug Supply Chain Security Act (DSCSA). Part of the regulation is that actors within the U.S. pharmaceutical industry must verify the U.S. state license status (the license being issued by the U.S. Drug Enforcement Administration, DEA), and thus the authenticity, of every trading partner within their supply chain. And this does not stop at the direct trading partners a pharmaceutical supply chain actor might have: the regulation states that the U.S. state license status of indirect trading partners must be verified as well.
The Accountable Digital Identity (ADI) Association is a nonprofit organization dedicated to advancing an open framework for digital identity that focuses on accountability, privacy, and interoperability. The Association is a global coalition of private and public organizations spanning finance, government, healthcare, and technology parties.
Explore the:
- Landscape of digital identity in Germany
- Success factors
- Future Outlook
Enterprise hiring in the time of Covid is putting greater emphasis on supporting remote onboarding of new employees. This creates new challenges for the IAM team, as it is no longer self-evident that new contractors and employees will show up at a physical helpdesk, provide ID and pick up their new accounts. How do you organize remote onboarding, and are there technologies and approaches used in digital customer onboarding and KYC processes that can be leveraged to also handle employee onboarding?
How do you support remote onboarding at scale?
The FIDO Alliance was launched in 2013 with an audacious goal: to change the very nature of authentication, moving the entire world away from usernames, passwords and traditional multi-factor authentication with an open and free web standard that makes authentication simpler and stronger. It's 2021, so why are passwords still persisting? The session will answer that question and detail the progress that has been made towards standardizing strong authentication and the opportunity for companies to start on a journey past passwords.
Key Takeaways:
- Attendees will understand how a global pandemic affected companies' digital transformation plans, including strong authentication projects
What if we took the traditional way of thinking of Identity Governance and reversed it completely? Putting together a successful IGA program has commonly been a long haul,
Decentralized Identity is seeing a proliferation of activity -- so much that even experts struggle to make sense of it all. Even the names of the emerging specs have gotten wacky (or, technically, WACI...)
We will look at the OAuth protocol and its misuse for authorization purposes. What is the difference between client and user authorization, and at which stage should each happen? We will revisit what Identity is at its core and what should or should not be part of it. And what about Group Membership? We offer 'domain-driven' advice on how to triage roles between Identity and Authorization. All these best practices are backed by real-life experience.
- OAuth and its misuse as an authorization protocol
The reason to use biometrics as a form of identity is because they are unique, unchanging and are the one direct and unequivocal link to an individual. But what if these identifiers are compromised? This is not a hypothetical scenario as the U.S. Office of Personnel Management breach sadly taught us several years ago. For years, this has been a conundrum in the world of biometrics - to store the data in a centralized system that has to be protected or choose device-based biometrics that are not linked to a vetted physical identity. In this never-ending loop of having to choose between privacy and security, we as a society have ended up with neither. This is about to change.
There are multiple forces now converging, that are driving serious attention and urgency to solve this problem as never before - continued, massive data breaches, skyrocketing use of biometrics and the emergence of far-reaching privacy and data protection laws that put the onus on protecting personal data on the private sector.
Owning personal data, and especially biometrics, has become a hot potato. No one wants to hold it, but it is necessary for doing business. Consumers, on the other hand, are asking for more control. As a result, we are seeing new frameworks emerge, frameworks that go beyond blockchain and take into account the need for holistic, decentralized identity management that binds a rooted identity to a trusted authentication key that cannot be stolen, lost or circumvented by fraudsters operating under assumed identities with stolen PII.
Join us as we take you through a journey of what these new frameworks look like and the new possibilities that emerge when there is no binary choice to be made between privacy and security. It will finally be possible to have both.
2020 will be eternally known as “The Year of COVID.” It will also be known as the year remote digital onboarding was near instantaneously transformed from a strategic, forward-thinking business development objective to an urgent, mission critical business priority. This has accelerated the adoption of biometric face recognition and liveness detection to create secure, trusted, and frictionless onboarding experiences.
The market landscape is being shaped by a range of innovators. From biometric face recognition and liveness technology providers to targeted digital onboarding and identity verification platforms, to the identity BIG THREE: IDEMIA, NEC, and Thales; everyone wants in. The market is heating up as the stakes couldn't be higher.
Using Acuity’s proprietary Constellation market landscape model as context, the current state of play will be evaluated in terms of the key market sectors, drivers, challenges, and opportunities for real world problem solving and disruptive innovation.
One crucial component to SSI is end-users being able to interact with verifiers directly, without relying on a third-party provider or having to operate their own hosted infrastructure.
Cloud computing has become commonplace in recent years, it is almost inevitable for small to medium sized companies to leverage cloud services largely if not fully. However, it is not easy to run cloud enablement project in bigger and yet most importantly traditional companies, where there are hundreds of legacy applications, which expect data to be closer to the computing units, and which are dependent on bandwidth and reliable network availability. In this presentation, I am going to address cloud migration requirements, usual challenges, and lessons learnt and best practices from project management, security and service management point of view.
As a byproduct of the current activity across industry, government, and regulatory sectors, digital identity leaders face unprecedented opportunities and challenges.
Covid has accelerated the global imperative to establish a strong and safe global digital economy that is enabled by a secure, interoperable, digital identity ecosystem. One of the most daunting challenges is how, where and when to start.
The reality is that the target global ecosystem will be years in the making despite the widely held view that better identity is crucial to achieving a trusted digital-first marketplace. The fact is that the target state is the quintessential “it takes a village” challenge. It is this speaker’s strongly held view that the leaders who move the market now will be best positioned to substantively shape the government, regulatory and legal frameworks that might otherwise hamper ecosystem growth.
The focus of this session is to speak to the market movers in the audience and provide food-for-thought in devising a strategy to move forward. The ‘right’ strategy will attract global relying parties, identity service providers and the digitally-enabled consumer audience writ large (‘the village.’) The global ecosystem will take time to evolve but the time to build the foundation is now.
Cloud capabilities are driving automation approaches that will upend traditional, linear templates for Identity Governance service delivery. This extends to everything from application/service on-boarding, provisioning and user lifecycle management workflows. In this session, Manoj will share his experience of working on automation approaches for cloud workloads and discuss what this means for the future of IGA in the era of continuous integration and delivery.
In this session Thomas Müller-Martin, Global Technical Lead at Omada will share his insights about the evolving IGA market and why companies today choose an enterprise IGA SAAS platform over an on-premise solution. Learn in this session how to transform your legacy or home-grown solution to a modern IGA solution without the hassle of long and cumbersome implementation and high maintenance costs. Based on best practices, we will demonstrate to you how organizations today can deliver fast value to their business to mitigate risk and increase efficiency. Join this interesting speech by Omada, a global market leader in Identity Governance and Administration (IGA).
Most of the companies today are handling all external users with HR processes using HR systems, which can cause friction and inefficiency when managing external users' lifecycle.
Most enterprise infrastructure and software are in the later stages of cloud transformation. However, Identity Management and Governance has lagged behind. First-generation monolithic IAM solutions and providers do not provide agility into entitlements and risks in a cloud-first world. The complexity of diverse infrastructure, security policies, and development velocity makes it virtually impossible to provision, analyze and remediate at scale.
The Identity Lifecycle automation project at Swedbank lasted for 4 years. During all those years I fulfilled the business analyst role in the IAM area. I collected requirements, drew process models, and did detailed analysis. I also defined the minimum viable scope of the project and drove the team to reach the goal. Finally, I did acceptance testing. I can share key activities for a business analyst throughout the different phases of the project.
Key takeaways:
* Everything is possible but
Do you want to launch or expand your identity-related business in the Asia-Pacific region but don’t know where to start?
Non-human identities are crucial for managing access risk with IGA, especially for non-standard accounts that provide the most access risk for organizations.
As organizations expand their cloud footprint to accelerate innovation and digital transformation, increased security risks pose an imminent and elevated threat to their growing cloud presence. The market is overwhelmed with numerous security technologies, approaches and frameworks for securing an organization's cloud adoption journey, but security leaders and architects must meticulously assess the security risks associated with their cloud usage, migration patterns and digital interactions with customers, employees and partners to suit their business requirements and cloud security priorities.
Identity and Access Management (IAM) remains one of the key security disciplines to support digital transformation and cloud adoption objectives, by not only providing a secure identity and access foundation for the user, device and cloud-service types but also by offering additional cloud-specific security provisions that include cloud access management, cloud entitlement management, cloud privileged access and cloud access governance to its evolving technology portfolio.
In this session, we will discuss the important security tenets of an organization's cloud adoption program and how effective IAM architecture and planning can help navigate CISOs and security leaders through their cloud adoption journey.
This presentation combines the findings of a doctoral study into security automation in the financial sector with real-world experiences in implementing security automation. The research focused on strategies financial institutions need to reduce the gap between the attacker's time to compromise and the defender's time to detect and respond. Learn from the experiences of companies that have implemented or are implementing security automation. This session will look at what to expect from security automation (and what not to expect), how to decide what to automate, strategies to help ensure a successful security automation program, and lessons learned from success and failure.
The harm that the misuse of AI/ML can have is obvious, from the ProPublica Recidivism piece from 2016 to the latest discovery of bias in facial recognition classifiers by Joy Buolamwini.
The need for tools to use AI/ML ethically is concentrated in two particular areas: transparency and fairness. Transparency involves knowing why an ML system came to the conclusion that it did, something that is essential if we are to identify bias. In some forms of ML, this is difficult. We'll cover two tools to assist with transparency: LIME and SHAP. We'll highlight where each of these tools performs well and poorly, and provide recommendations for utilizing them in unison where appropriate.
Once transparency is established, we’ll pause to evaluate potential sources of bias that would affect the fairness of a particular algorithm. Here the number of tools available is far-reaching. We’ll start with an explanation of bias metrics, explaining the roles that true/false positives and true/false negatives play in calculating various accuracy metrics. The basics of fairness established, then we will explore various tools used against a few, publicly available sample ML implementations. Tools in this review will include: Aequitas, AIF360, Audit-AI, FairML, Fairness Comparison, Fairness Measures, FairTest, Themis™, and Themis-ML. We’ll compare these tools, providing recommendations on their usage and profiling their strengths and weaknesses.
The Ethical Part of AI Governance – my personal learning journey
This talk is about my personal learning journey in AI and AI Ethics together with Bosch. I want to share what brought me to AI and AI Ethics personally and professionally and what instrument is used at Bosch to bring AI Ethics to life.
CIEM (Cloud Infrastructure Entitlement Management) is a SAAS delivered, converged approach to next generation, ideally AI driven multi-cloud security, managing access and privileges in the cloud. It is playing across the disciplines Identity Management & Governance, Access, Privilege Management and Authentication, addressing the complexity of multi-cloud adoption with privilege & access management working differently for each provider.
Cloud services have enabled organizations to exploit leading edge technologies without the need for large capital expenditure. In addition, to survive the COVID pandemic, organizations have had to accelerate their use of these services. The market for these services is forecast to grow significantly as organizations complete their digital transformation and move, migrate, or modernize their IT systems. However, according to some estimates only around 4% of enterprise workloads have currently been moved to the public cloud. The factors limiting this growth are the challenges faced by organizations of managing the security and compliance of this new complex hybrid IT environment. This presentation will describe how we expect the market for cloud services to evolve and the key changes needed to help organizations to manage these challenges.
Artificial Intelligence is a little bit like sex: Everyone talks about it, very few people actually do it and if you don't do it safely, the consequences can be devastating. This session will give you a basic understanding of what you (yes, you!) can do to implement "ethical" AI systems in your organization and enjoy the promising opportunities this new tool offers while being aware of its limitations and risks.
During the last couple of years, hybrid and multi-cloud solutions have become very popular. With the emerging cloud options, modern enterprises increasingly rely on hybrid cloud solutions to meet their computational demands by dynamically acquiring additional resources from public clouds as needed.
The debate on Customer External Digital Identity has reached fever pitch. This session takes a step back and looks at how Customer External Digital Identity can enable Trust between individuals and organisations in many sectors, what that allows organisations and individuals to do and also looks at the different roles that you might choose for your organisation.
Hybrid IT environments are full of secrets, like tokens, passwords, certificates and encryption keys that open access to mission-critical information. The emergence of concepts like Zero Trust authentication, Just-in-Time access and Zero Standing Privileges suggests that these access secrets don’t need to be permanent. Instead they can be created on the fly and made to expire automatically, paving the way for a future where secrets or passwords no longer need to be managed and vaulted at all.
SSH.COM's CTO, Miikka Sainio, explores how reducing the number of permanent secrets enterprises manage in dynamic environments improves security, operational velocity and cost-efficiency. He also discusses why managing and vaulting secrets is still a necessary phase in many cases when companies adopt modern and future-proof methods.
Miikka Sainio, CTO, SSH
Our approach to security across all aspects of our lives has changed considerably over the last 20 years. From firewalls to the cloud, Max Faun explores how security technology has evolved since the start of the millennium.
One size no longer fits all but everything does come down to trust, or lack of it! Is Zero Trust the way forward for an identity-centric secure future? Max looks at four pillars that businesses and individuals can apply to gain trust back and reap the benefits.
Identity on AWS may be well trodden ground, but that doesn’t necessarily make it any more inviting for enterprise practitioners who may not have had occasion to yet dive into the topic when tasked with an implementation.
When we traditionally think of vaults, we expect them to be in the close vicinity of a user. In our rapidly digitising world, the nature of such vaults has transformed as well. Data *(or Password, whichever word you think is correct)* vaults which were expected to be located on premises are now digital, making ownership of these vaults and access to them critical functions for an organisation. The Cloud hosts a lot of secrets, and this journey of vaults becoming digital and part of Cloud Environments is nothing but fascinating.
Picos (persistent compute objects) are an actor-model programming system with long-term persistent state. Each pico also has persistent identity and availability for a cloud-native developer experience. Picos are DIDComm-enabled agents supporting SSI. Consequently, picos are capable of running specialized application protocols for any given workflow in a secure, cryptographic environment. The architecture of picos makes them independent of the runtime they execute on, holding out hope of a decentralized SSI agency. This talk introduces picos, demonstrates their DIDComm capabilities, and presents a roadmap for building a decentralized SSI agency, independent of any particular organization.
A look at the digital transformation in the industries and the relevance Blockchain / DLT will have.
Access Management is a crucial capability in the IT infrastructure of any Enterprise. But it is even more crucial when the whole application landscape is integrated, i.e., more than 1,800 applications used by millions of users. Back in 2017 we modernized the existing access infrastructure and set up ForgeRock as its successor on-premises in our data center. With rising demands regarding availability, scalability, and support for market-specific customizations, as well as more products and applications moving to the cloud, it became increasingly clear that the project would have to cloudify its infrastructure and application stack. The future setup should follow modern paradigms like GitOps, Everything as Code and making use of highly automated processes based on Service Layers, all whilst keeping the integrated applications up and running and migrating the product stack to the AWS (Amazon Web Services) cloud. Key Takeaways:
- What a target architecture looks like
A lot of innovation around physical products is created by connectivity, allowing them to become part of the consumer's larger digital ecosystem and that of the providing enterprise. Gartner says in its megatrends for the next decade: "Anything costing more than a few USD will be intelligent and networked." Examples are electronic wall boxes to charge cars or remote control for dishwashers, cars, etc. Key Takeaways:
- What are the essential protocols to bring identity and IoT together
The trend toward adopting multiple cloud providers means identity is now distributed, rendering traditional, centralized access policies and perimeters obsolete. As a result, the way we think about identity and access management (IAM) has to change. This session will present Identity Query Language (IDQL), a new standard for identity and access policy orchestration across distributed and multi-cloud environments.
To date, Digital Identity Trust Frameworks have generally been light touch regarding the specification of fraud controls, relying on the theoretical protection a Digital ID offers through more robust authentication. It is true that improvements in authentication methods, such as soft tokens and biometrics, mean the ID theft vector of phishing for a user’s password may be removed. However, ID fraudsters will continue to use stolen ID information to create an ID in the victim’s name. They will continue to create synthetic IDs. They will also continue to try and take over victim’s accounts, using online account recovery and voice helpdesk channels to replace a strong authentication method with one that the fraudster controls.
In recognition of this ongoing threat from fraudsters, the Open Identity Exchange (OIX) has produced a comprehensive Guide to Fraud Controls for Digital ID Ecosystems.
The guide covers the processes and channels that need to be considered from a fraud risk point of view. It identifies the different types of fraud controls that should be applied in each channel, including ecosystem wide syndicated fraud controls, such as shared signals. The process of dealing with a suspected fraud is examined: how should these be prioritised, what investigation process should be followed, and how should victims be informed. Finally, it covers legal considerations when implementing fraud controls, in particular when sharing information and collaborating across the ecosystem to act as a joined-up defence against fraud attack.
This presentation / panel session will discuss these topics and how the guide can help those implementing Digital ID, and give the audience a chance to speak with the authors about their own fraud challenges and how the recommendations in the guide might be applied to help.
The presentation explains how institutions can establish relationships with clients and manage their data. Adrian Doerk, Business Development Manager, Main Incubator GmbH
In a 2018 study by Opus & Ponemon on data risk in the third-party ecosystem, more than 75% of companies surveyed said they believe third-party cybersecurity incidents are increasing. Those companies were right to believe that.
As our world becomes more digitized, and thus more interconnected, it becomes increasingly more difficult to safeguard organizations from cybercrime. Tack on to that challenge a global pandemic that all but forced organizations to become “perimeter-less,” if they weren’t already, and the potential access points for bad actors through third-party access increases exponentially.
The problem is two-fold.
The landscape of third-party users is vast and continues to grow. From third-party non-employees like vendors, contractors and affiliates to non-human third parties like IoT devices, service accounts and bots, more organizations are engaging third parties to assist with their business operations and help them to innovate, grow faster, improve profitability, and ultimately create greater customer value – faster. On average, companies share confidential and sensitive information with more than 580 third parties and in many cases, an organization's third-party workers can actually outnumber their regular, full-time workforce.
Yet, despite the increased use of third-party workers in business, most organizations lack the proper third-party risk culture, processes, and technologies to protect themselves against the long list of third parties with access to their sensitive data and systems. Organizations have these systems in place to manage their full-time employees but lack the same level of rigor to manage these higher-risk third parties. As a result, many third-party users are provided with more access than needed for their roles, and most disturbingly, that access is frequently not terminated when the third party no longer needs it.
Without the right third-party identity lifecycle management procedures in place, businesses unwittingly expand their attack surface, unnecessarily put sensitive information at risk, and create additional access points for hackers.
Recent years have seen significant Artificial Intelligence (AI) development across all domains of business and society. This panel aims to bring attention to societal impacts of AI – benefits and challenges, by bringing thought leaders and practitioners from different parts of the world to leverage diverse viewpoints around AI governance that continue to drive AI development across borders.
Identity is a fundamental element in the traditional world for associating information with the same individual. As we leave more and more digital footprints on the Internet, this information is giving birth to our digital profiles, raising issues of privacy protection, monetization of data, identity theft and more. In this presentation, we revisit the manifestation and formation of identity in the incoming world of Web 3.0, and discover how the native citizens of Web 3.0 are forming their own identities and reputations with native behavior data that are distributed, interoperable, and self-sovereign.
How to future proof a national eID scheme where 13 registered commercial IdPs, 1 government IdP and several brokers operate?
As processing power becomes cheaper, smaller, and more accessible, the issues of Identity in this automated space become increasingly relevant. We will discuss how machine learning (ML) can perform many traditional governance tasks previously the responsibility of managers – from ensuring appropriate access controls to automating the processing of access requests. We will also examine how intelligent devices are acting as agents for other identities and the challenges this brings to traditional identity management. Real-world examples will be presented of ML identifying security concerns and other vulnerabilities.
Disclaimer: The speaker at this session has not been involved either directly or indirectly in the work in the aftermath of any of the Ransomware attacks described in this session. All of the information from the cases is based solely on data that is in public domain.
As more and more organizations go multi-cloud, the question arises how to integrate existing and compliance-proven enterprise IAM processes with the upcoming requirements of managing identity in the clouds.
- The dynamic nature of cloud environments requires a frictionless user experience when it comes to providing and retrieving access
- There is no one size fits all: the best solution for your organization depends on your positioning within a large spectrum between agility and control
- Implementing a declarative approach for your multi-cloud IAM is essential when aiming for continuous compliance
I considered myself quite an experienced programmer with some expertise in Identity Management when I was hired by Swedbank to work as a full-time Identity engineer. Besides projects, I had an assignment from my manager to describe an architecture for IAM as a service. Honestly, I had no clue about how to envision it. I tried to assemble standards and squeeze something out of practices and papers. But these were not really all my ideas and I did not feel very confident. But something started to happen in the last few years when we had a very hard time implementing our IAM project (believe it or not, it was successful). We had to answer the questions "why", "what" and "how" a hundred times. And finally the blueprint of the architecture of IAM as a service appeared from the mist. It is not the one and only, because the same size does not fit all. Still, I do not agree that there is an indefinite number of possible solutions. I think similar enterprises and engineers may find this presentation useful to draw their own blueprints.
IAM projects usually start with implementing baseline IAM processes: joiners, leavers, movers. Because this is what is usually most needed. But then you will get asked for more: identity data, events, other services. This is what makes up IAM as a service. Neeme Vool, Software Engineer, Swedbank
In this lecture I present a reference architecture covering CIAM, API and PAM, thinking about closing the main attack possibilities in modern contexts.
Over the past decade significant advancements have been made towards decentralised, self-sovereign and tokenised identity. Now that we can tokenise a unique value what is the new value we can enable?
In an attempt to protect users from excessive tracking and surveillance, the last couple of years have witnessed major browser vendors introducing increasingly restrictive anti-tracking measures. Identity protocols and features got caught in the crossfire, however, forcing identity software vendors and developers to hastily introduce changes to restore functionality that browser changes broke. Is this the new normal? What will we do when a change breaks an identity feature beyond repair?
This session will review the main browser changes that have affected identity over the last few years – Chrome’s SameSite and Safari’s ITP2 in particular, interpreting them as part of a larger trend and attempting to predict what the future will look like for identity customers and practitioners.
For most companies, privileged access management is associated with creating borders or limitations. Often organizations are forced to implement PAM due to the legal regulations and do not see it as an investment but rather consider cybersecurity as a cost center. Moreover, most employees think of it as another layer of control and make an assumption that the company does not trust them.
Research from 2020 has shown phenomenal growth in the access management market.
The pandemic, for all its impact, has enabled organisations to re-evaluate their working strategies and practices. But at what cost? Cybercrime on corporate applications has risen exponentially from the dispersed workforce and rapid cloud adoption has left organisations vulnerable to ransomware, malicious activity and internal subterfuge.
Danna Bethlehem, Director Product Marketing Authentication at Thales discusses how organisations can accelerate their business with the right approach to their IAM strategy. For 2021 and beyond, enterprises need to leave survival mode behind and adopt a drive to thrive.
Drawing on recently released research into the EMEA IAM market, she will highlight:
Artificial Intelligence (AI) has been boosting innovation and creating a whole new wave of business models. With its rapid expansion into most use cases in many industries, a new threat landscape is evolving and as such presenting tough challenges to cybersecurity teams. With its huge impact on the way we interact with technology, the need for good practices and high standards in securing AI infrastructures is becoming a priority. In this panel session, we will
Organisations perceive their users through data. In a world with fewer and fewer opportunities for physical contact, identity verification is going all remote. All online service providers need to model the risks related to user impersonation and user manipulation attacks.
Static data can be easily spoofed. Dynamic data analysis (mainly in a time series manner) is the way to go.
Identity Management environments have always belonged to the ‘more complex’ solution stacks in the world of IT. As a central component and the ‘spider in the web’, an IDM system must adapt to any evolutionary change made in connected applications and systems. Furthermore, new or modified business requirements or procedures drive constant changes to IDM systems themselves.
Depending on traditional, agile or ‘mixed’ service delivery and maintenance approaches in conjunction with multi-tier environments for development, staging, pre-production and production (or even more), it becomes quite challenging to appropriately integrate new functionality with the expected level of quantity and quality. Most likely, it is not only code and configuration which needs to be staged between the different system tiers, but also digital identities and entitlement information.
In this talk, we will investigate different approaches to release and change management techniques specifically for IDM systems and the benefits of integrated multi-tier environments. We discuss good-practice approaches from several Identity Management projects of the past two decades, do’s and don’ts, and how to deal with pseudonymization in staging environments which can be used by any team for their ‘real-world’ acceptance tests, demo or lab work.
Key takeaways
• Get an overview of common multi-tier staging environments in IDM/IAM landscapes
• Learn about good-practice approaches to establish staging functionalities
• Anonymization and pseudo-anonymization for entity staging
There is a common theme for many of the mega breaches of recent years: a neglect of basic cybersecurity hygiene that has resulted in a backlog of unpatched apps, misapplied configurations and overlooked tasks. This debt compounds over time and, as with financial debt, can snowball to a point where it becomes insurmountable. As organizations become increasingly cloud first, the risk profile from security debt further increases.
Many companies from diverse industries increasingly rely on AI for strengthening their efficiency by automating jobs. Many of these advanced automation tools, however, are now becoming standard applications. Consequently, an isolated use of these tools will not enable companies to gain a competitive advantage. This presentation builds on an intelligence-based view of firm performance and the ‘Integrated Intelligence’ approach, which highlights the need to integrate AI with specific human expertise to outperform competitors and to transform a firm’s intelligence architecture. It further discusses the leadership implications for general managers and offers a systematic framework for generating growth and innovation beyond automation and efficiency. The ‘I3 – Integrated Intelligence Incubator’ provides executives with a toolset for developing appropriate strategic initiatives for intelligence-based future competition.
The majority of crimes in our industry are initiated with cyber-attacks on people; however, our people can also be our most valuable assets. This presentation starts with a walkthrough of multiple "bank robbery" scenarios to focus on a real event from 2016, when, in one of the largest cyber heists ever, $1 billion was at stake of being stolen from a bank. And how human vigilance (as well as human mistakes by the criminals) finally prevented the worst.
During this presentation, I'll show what effects malware using a PDF file can bring about inside a cloud environment if it is exploitable, explaining how each section works within a binary, what techniques are used, such as packers, obfuscation with JavaScript (PDF) and more, also explaining some anti-disassembly techniques, demonstrating how these malware samples act and where it would be possible to "include" malicious code.
Join Peter Dulay, Symantec Identity Management Adoption Advisor, Broadcom, as he introduces One PAM, which brings together traditional proxy-based (credential vaulting) with agent-based (granular access controls) capabilities into one consolidated solution and approach, and how One PAM is better positioned to help customers shift to a Zero Trust model.
The hybrid mix of remote and office work combined with digital transformation initiatives is driving the rapid adoption of cloud. This trend is also prompting organizations to rethink requirements for authenticating employees and other members of an organization's supply chain. Companies are now exploring how to significantly improve both security and the end user experience. Unfortunately, traditional multi-factor authentication is lacking in both areas.
Discussion topics include:
As a leader in innovative aerospace manufacturing with locations across the world, Airbus recognized the need to fortify its third-party identity management processes to better meet the operational efficiency and security needs of its evolving business and supply chain. Specifically, Airbus wanted to upgrade its identity management capabilities around lifecycle management, data quality, and obsolescence management for its third-party, non-employee users.
In today's digital world (post EU DMA, DSA and DGA regulation proposals, now tabled in the EU Parliament for legislative approval by 2023, the birth of GAIA-X in Europe and the adoption of new ePrivacy regulations), the hard line separating personal and non-personal data is blurring, and companies have yet to understand what this means for them. While they thought that only personal data needed to be consented to, now it is all the data that needs a consent log proof for each digital identity it gets associated to. Europeans have also created a new "notion" of cloud (GAIA-X): a cloud where data can circulate freely, can be shared and mutualised (upon consent). This will have implications. Huge implications, as GAIA-X carries the option to "import/acquire" data also originating from other entities (including from outside Europe). The transfer mechanism will only be possible upon the user's express and voluntary consent. Users will need to be incentivised to agree to share. Since transfer can only be performed by users, and with consent, this will in fact open up a secondary data market which sees the consent log representing a "transaction event". Hence privacy will exit the framework of compliance to enter the framework of "strategy and business development". The contextual "data" hunt can begin (vs. the big data paradigm, which fades away). The de-monopolisation of consumer data, too.
Insights into how the new European digital policy opens up new (data-driven) business opportunities; Isabella de Michelis di Slonghello, CEO and founder, ErnieApp
Guardianship is a condition of life in human societies. When we are young we may be looked after by parents until we become adults. When we are adults we on occasions need others to look after us, and sometimes we may need increasing levels of care as we age.
Disciples of decentralized identity have preached for years that DIDs are the only true path to giving users control over their identity, AKA self sovereign identity. The lack of widespread adoption is evidence that a more pragmatic approach is needed.
As organisations continue to adopt and embrace new technology platforms, this also brings with it the requirement to reassess how these new environments are secured. The Assume Breach mindset, a key aspect of Zero Trust, shifts the risk posture to one of applying defense on the assumption that the perimeter has already been breached.
In this session, we run through the Tactics, Techniques, and Procedures used in recent breaches and highlight the commonality across them: identity compromise and privilege elevation. This analysis will highlight the importance of taking an assume breach mindset to defense and that Identity becomes central to this strategy. Further, we will then position recommendations on how to protect against Credential Theft, Lateral Movement, and Privilege Escalation across hybrid and cloud environments.
Identity and privileged access management have existed in silos for decades. But cloud adoption and the rise in remote workers have introduced new vulnerabilities, and cybercriminals have noticed. As ransomware, breaches, and credential theft continue to make headlines, one thing is clear: We need to treat all access as privileged access and understand the context — and risk — of that access.
In this session, Chris Owen, Saviynt Director of Product Management, will discuss how identity worlds collide through Saviynt Enterprise Identity Cloud. He will show how this converged platform brings intelligence, visibility, and context together so you can manage the entire identity lifecycle, including governance, privileged access, application access, and third-party access.
Based on our research about critical privacy areas in Social CRM, I could present solutions and discuss further potentials provided by upcoming technologies and the resulting requirements on privacy management systems.
Social CRM is a bit special, as indeed many application and process areas are still in a legally grey area, without established and accepted standards. Users tend to ignore this fact, as many applications and processes provide a value for them and/or are comfortable. Based on this specific setup I could build up the discussion and presentation.
This presentation would be more of a discussion to show potential solutions and not the presentation of a specific solution.
Self-Sovereign Identity – or SSI in brief – is now a major thing. Germany has become one of the world’s key SSI accelerators. Countless people and organizations – small and large – are getting excited and actively involved. Now de facto driving forces are: 1. SSI Pilots by the German Federal Chancellery as first demonstrations of the Digital Identity Ecosystem. 2. IDunion – a solution-oriented research project co-funded by the German Federal Ministry of Economic Affairs and Energy in the cluster of showcases in Secure Digital Identity. This presentation provides a brief SSI introduction and an update on these two major German SSI initiatives.
Mobility-as-a-service is changing the way people move. From mobility based on driving your own car, it is converging towards consuming various services using multiple modes of transportation, ranging from eScooters, bicycles and ride-sharing to car-sharing, ride-hailing and public transport.
The Internet and consequently the Internet of Things were built without a trust layer. Decentralized Digital Identities as basis for Connected Mobility may be one of the needed missing components to implement real data sovereignty and a trusted Economy of Things in future Connected Vehicles scenarios.
Zero trust requires an enterprise to identify and monitor all the network identities used in the enterprise. NIST SP 800-207 refers to a zero trust deployment pattern called “enhanced identity governance”. The National Cybersecurity Center of Excellence (NCCoE) has a project on implementing a zero trust architecture that will include enhanced identity governance. This talk will be an overview of the role of network identities in zero trust and the current status of the NCCoE project.
The pandemic has dramatically changed how we work, shop, meet and learn. Simple username and password credentials can no longer be part of this new world. They have become every user’s and every IT department’s nightmare. Connected IoT things are for the first time outnumbering non-IoT connections such as tablets, phones and PCs, and many emerging business models will drive more revenue through IoT-enabled services than through the products by which they’re delivered. Applying zero trust thinking to all identities, including connected things and not just employees and their PCs, is therefore a concept organisations will need to look into to ensure adequate security measures for their employees and things.
In this session we’ll talk about:
Many services across the web today allow users to consume the service without explicitly signing up. They generally identify users by a cookie containing a unique browser-id and store user data against it.
Do people really care about data privacy?
In an insurance sector not yet impacted by uberisation, AXA is moving toward its digital transformation. To achieve its key targets, including reduced time to market and improved user experience, AXA has launched several major programs: network, datacenter, workspace, ..., and Identity and Access Management. Come discover how AXA leads the IAM program to support its digital transformation through improved agility, automation & business partnership capacity, both external and internal, while maintaining a high level of security.
– Adapt your IAM program to your context
Now more than ever, the world is operating online. Governments and enterprises need a way of securely verifying an individual’s identity whilst providing an inclusive and positive customer experience. iProov is a world leader in cloud-based face biometric authentication technology. Our Genuine Presence Assurance™ technology, powered by flashmark, ensures that the individual is: the right person, a real person, and also confirms that they are authenticating right now.
IAM programs in organizations have a reputation for difficulty and high failure rates. Through education and later through experience, professionals learn that communication is the most critical success factor in all human undertakings. We may have cutting-edge technology, generous budgets, and a competent team and still fail our project miserably. High-quality communication about IAM with our stakeholders is insufficient to succeed, but it is a necessary condition.
And what is the building block of communication? Words and concepts.
Improving the IAM vocabulary's accuracy is the idea behind the TOME (The Open-Measure Encyclopedia) project - an open-source encyclopedia specialized in IAM, authored by volunteer IAM professionals for their peers. Its goal is to become the industry reference dictionary. It is free of charge and licensed under Creative Commons to facilitate its widespread adoption. It is rooted in science with a solid methodology and pervasive references to stand on the shoulders of giants.
In this session, I will present and define a series of IAM concepts, both frequently used and rare but often misunderstood.
After applying an agile way of working for the last three years, the Rabobank Identity & Access Management service has gone through a transformation. The increased autonomy of teams, using backlogs with prioritized epics, applying agile rituals in order to create space for growth in applying agile principles: all of these have affected how IAM services are developed and delivered. Where the arena is uncertain and customers have a somewhat-defined request, the agile, iterative approach works. Yet where the arena is regulatory governed and compliance driven, an agile approach works less well. The impact of incidents in a 24x7 security service immediately reflects itself on the development of the service when a devops team is used. The strain between waterfall project management and this agile approach is not instrumental but conceptual. Aligning expectations with the wider organization is a challenge in itself. This presentation will demonstrate the pros and cons of agile on IAM.
Agile pitfalls. Henk Marsman, Lead Product Manager IAM, Rabobank
Siemens AG drives the comprehensive Zero Trust program enabling most areas of Cyber Security, Enterprise and Product IT. In the presentation we are going to share our architecture vision as well as the implementation road map. We are also going to share some of the lessons we have learned along the way so far.
Companies across the globe are undergoing digital transformation. The main challenge with this approach is the ability to securely manage access for on-premise, cloud and SaaS applications. Entitlement Management across this hybrid landscape requires management of cloud assets, IAM profiles, groups, roles and entitlements in support of Identity Lifecycle Management, Access Management, and Access Governance.
1. Provide visibility over hybrid-cloud assets
Deployments of IoT installations are accelerating as organisations seek to expand their business by adding IoT functionality to their products/services, or to reduce their costs by automating processes. Unfortunately, in many cases these initiatives are not adequately executed and, as a result, do not meet expectations.
In this session we will look at 5 pillars of an IoT deployment: the Device pillar ensures we select the appropriate sensors and actuators, the Control pillar guides our decisions on controller functionality, the Communications pillar ensures we consider which options fit our required functionality and budget, the IT pillar determines the level of integration between our IT and OT environments, and the Security pillar guides our protection strategy.
A holistic approach is a success indicator for our IoT projects.
Applying the principles of self-sovereign identity to financial and social media sourced data points will enable businesses to make better and more informed decisions about retention, acquisition and eligibility, whilst relieving them of most of their obligations under GDPR.
The paradox of simplicity is that making things simpler is hard work. - Bill Jensen
Building strong passwordless authentication from scratch can be very time-consuming. Integrating the necessary infrastructure into a typical password-centric identity code base increases code complexity exponentially. Taking into consideration that well-known user flows have to be changed and enhanced with new authentication options may also pose significant challenges for developers. They have to get it right - and make it as simple as possible for the end user.
In this talk, we highlight possible pitfalls and necessary considerations when implementing the passwordless FIDO and WebAuthn protocols. You will see how a cloud-native approach can simplify the integration of passwordless authentication and ease the requirements for developers and product owners of any online service. You’ll also learn how to gradually migrate existing users to the new authentication methods in a frictionless manner.
Join us to explore three possible abstraction layers we’ve identified to take the complexity away when dealing with FIDO and passwordless multi-factor authentication. These range from utilizing a managed FIDO API and SDKs up to a fully-fledged passwordless-native identity provider that can be integrated with OpenID Connect. We will also share some secrets on useful extensions of the FIDO standards we’ve identified when building our passwordless user experiences.
Felix Magedanz, founder and CEO, Hanko.io
Zero Trust Use Cases: a pragmatic look from well-known use cases to lesser known ones. The focus will be on real-world examples and situations proven in practice rather than on formal compliance. We will also offer some critical thoughts on this topic.
Key Topics:
* What is Zero Trust?
* Some applications of Zero Trust
- Well-known use case: Web shop
- Current use cases: Bring-your-own-device, Bring-your-own-account
- Further use cases: Micro-segmentation, cloudification
* Some critical thoughts on non-deterministic systems
There are various ways that client applications may need to log in when going beyond passwords. With a username and password, client development is easy -- just collect a couple of inputs from the user and match them on the server. When going beyond these though, how can client applications be deployed and maintained in a way that the server still dictates what the client should present and obtain from the user when authenticating them?
The transformation of the IAM landscape of a Multi Service Provider is taking shape.
Keeping up with the changes in our industry is no simple task. The rate of change for identity technologies, their applications, and their roles in the enterprise is simply too great. Since 2018, IDPro has conducted an industry survey to call attention to the skills that identity practitioners possess and employ to be successful. In 2019, the survey was expanded to explore enterprise priorities to highlight which areas of the identity industry were garnering more attention and investment. And in 2021, IDPro expanded the survey again to include questions about diversity and inclusion. Join Ian Glazer, Founder and Vice-President of IDPro, as he explores the results of this year’s survey and the implications for you, your employer, and the industry as a whole.
Distributed Identity (DI) is little known to many, and even less so in connection with the pandemic. The concept that DI delivers is an excellent starting point for creating a digital vaccination record.
Why DI is generally a good idea and what a digital vaccination record based on it can look like, is shown in this lecture. If you want to explain to your family in practical terms what IAM, IGA and PAM do: get vaccinated and (hopefully soon) apply for a digital vaccination certificate!
Four simple steps to the perfect PAM.
Digital life is a replication of the physical world in a digital ecosystem. As a result, people and things have an equal digital representation, which we call a digital double. Your digital double is active and involved in various activities, even when you take a nap. Therefore, securing the digital double is critical.
Well-designed multi-factor authentication technologies, especially when paired with a mobile device or other token, mitigate security risks from single factor username/password authentication while still providing a positive user experience.
The age of conversational banking represents a transformation of how and when banks interact with their users.
The onslaught of account takeover attacks from insecure passwords is driving the rapid adoption of passwordless solutions. While the risk reduction benefits are substantial, eliminating passwords is just the first step on the path to fundamentally strong authentication. In the “new normal” era of work from anywhere, and rapidly increasing cloud adoption, organizations are moving to a new risk-based authentication model. Advanced organizations are validating users and their devices, and inspecting the security posture of the device for each login. Strong and continuous authentication is a fundamental building block of Zero Trust. Learn how you can make it happen without making the user experience miserable.
Discussion topics include:
Takeaways:
Identity management is critical for digital transformation and continues to evolve and gain importance as the business environment changes in today's hyperconnected world, where employees, business partners, devices, and things are all tightly interwoven. Deploying an identity security solution, regardless of your business size or industry, is a fundamental requirement today to facilitate secure communications and reliable transactions.
This panel explores identity security strategies that enable your business to take full advantage of your solution’s capabilities.
Traditional IAM models have focused on users, policies, and roles, which met the needs of web applications in years past, but as application development has evolved to APIs, an innovative approach to identity management is required. It is no longer just users, roles, and permissions. APIs must be integrated into the identity and access management framework to ensure adequate governance and security.
- Why API security requires more than traffic policy management and coarse-grained enforcement.
Balancing usability and security is a well-known challenge in the field of identity. With increasing threats to personal and critical business data posed by nation-states and other bad actors, organizations are moving to a default posture of Zero Trust, with more and more technology vendors and service providers delivering solutions in the form of complex monitoring and policies designed to keep the bad guys out. Knowledge workers, including an increasing population of frontline workers, require and expect seamless collaboration and productivity without barriers that waste time and require technical expertise. And businesses of all sizes are looking for solutions that can be operated by managers and program owners who are not necessarily identity and security experts. At the same time, individuals are drowning in a sea of passwords and clamoring to maintain their privacy and prevent compromise in their personal lives. With more signals potentially come more annoyances, and with more annoyances comes the proliferation of unsafe practices. As vendors and enterprises dedicated to secure and seamless identity, it is our responsibility to invest in a more secure future while remaining dedicated to solutions that guarantee higher security but are even easier and more delightful to use than today's conventional solutions. FIDO2 and the move towards passwordless solutions are getting more adoption, but still carry with them some experience challenges in onboarding and recovery. Innovations like distributed identity show promise in decentralizing ownership of personal data and putting control back in the hands of end-users, but are in very early days. EIC represents the industry and our commitment to creating trustworthy frameworks that protect organizations and people. Join a panel of experts to share their thoughts on how we can continue on a pace of innovation in zero-trust while maintaining trust and usability for everyday people in a digital world.
- Innovation requires investment across security, privacy, and usability
Paul Fisher, Senior Analyst, KuppingerCole
Robin Goldstein, Partner Group Program Manager, Microsoft
Alexander Koch, VP Sales DACH & CEE, Yubico
With the merger of AOL+Yahoo, the newly formed Enterprise Identity team had the challenges of planning to support the cloud-first future of the new company Oath (which would become Verizon Media), building a new Identity ecosystem with Zero-Trust methodologies, and supporting a security-minded culture.
Is your IGA strategy keeping up with modern threats? Novel attack methods are revealed daily, compliance requirements never stop evolving, and how and where we work has forever escaped the traditional office. As a result, organizations require more flexibility than ever to protect what matters most. You shouldn’t have to compromise functionality or security levels because your IT resources and people operate on-premises, in the cloud or in a hybrid environment. The point is that you don’t need to.
Don’t miss this 20-minute keynote address by One Identity’s Rima Pawar, VP of Product Management, as she discusses the secret fears of many CISOs and other senior IT leadership and how an identity-centric security strategy can mitigate modern threats and help IT executives sleep at night. Topics will include best practices to extend security beyond the traditional perimeter; how to take an identity-centric approach to security; and how your peers are pursuing Zero Trust strategies.
"Act quickly; allow me to think less; protect me from risk." These incongruent objectives are being asked of IT departments and their staff. We are living through a great digital transformation that is rewriting our way of working and means of producing goods and services. Underlying and enabling this transformation is an increasingly complex, obscure, and challenging myriad of interwoven software systems spanning organizational and technological boundaries. IT complexity is no longer isolated to back-office nerds conversing in technobabble and pushing us aside to remedy our newb problems. All portions of the workforce are more exposed and dependent on technology to complete their day-to-day duties.
User recognition and authentication is becoming the central element of companies' digitalisation strategy. Not only are user registration and login the first experiences users have; Identity and Access Management will ultimately determine which company recognises and serves the needs of its users best and will be successful in the market.
What you can expect:
Digital ID and Authentication Council of Canada (DIACC) research finds that three-quarters of Canadians feel that it’s important to have a secure, trusted, and privacy-enhancing digital ID to safely and securely make transactions online. As federal governments focus on post-pandemic recovery, investing in digital ID makes strong economic sense, especially for small and medium-sized businesses (SMEs). For SMEs, the impact of digital identity could be used to improve processes that are difficult today.
This is especially true in situations where businesses need to provide proof of identity to another business. Considering SMEs account for approximately 30 percent of Canada’s overall GDP ($450 billion), if we assume that the average SME could be just one percent more efficient with access to trusted digital identity, this results in a potential $4.5 billion of added value to SMEs and reinvestments in the Canadian economy. This presentation will provide a detailed overview of research performed over the course of 2 years to quantify public perception and demand for secure, interoperable, digital identity that works across the whole of the economy.
Join Vadim Lander, Symantec Identity Management Security Chief Architect and CTO, Broadcom, as he discusses the new realities that are driving the evolution of Identity and Access Management (IAM) and how organizations use IAM as a key pillar in the architecture for Zero Trust. Vadim will also highlight the future of Symantec’s IAM suite of solutions and how they will help our customers build their own Identity Fabric.
Everything is famously code today—cars are computers with wheels, appliances have Internet access, smart doors and houses are controlled from mobile phone apps. With all this code around, security is more of a challenge than ever. A central pillar of security is identity management: the technology that protects logins and controls access. This, too, is becoming code to work with all the other code. Libraries for developers are essential, including ID controls in mobile and Web applications for initial sign on, single sign-on, federated sign-on, biometric authentication systems, and controlling access to sensitive data. And code itself is becoming code: automation systems for producing code, deploying code, updating code, configuring resources and access controls. IAM code has to be wherever it’s needed, when it’s needed, and automated, just like any other code. The better we do this, the more secure we all are with our ubiquitous computers.
Blue is the world’s most popular color.
But this was not always the case. Originally, it was little used in art and clothing, and in turn, had little symbolic cultural value. In the course of a few key decades, however, blue overcame obstacles of sourcing and production, and its popularity exploded—rising to represent some of the highest values of society. Subsequently, a wave of innovation democratized the color, placing it in the hands of “normal people” and cementing its cultural legacy.
Identity finds itself on a similar path. After a period of relative obscurity, identity has begun its rise over the past decade—but the journey is just beginning. Like blue, it faces challenges to its ascendancy—both practical and ethical. We’ll extract lessons from the trajectory of the world’s most popular hue and seek to apply them to the arc of identity.
The color of the world is changing once more.
As we emerge from the first wave of digital transformation, most organizations have embraced multi-cloud and hybrid environments. Companies increasingly use digital technologies to transform the actual products and services they sell to their customers, while modern service and app architectures drive adoption of containers and micro-services. These trends pose new challenges and opportunities for security. The number of machine-to-machine interactions is growing, as is the need to establish trust in real time across many distributed systems. In this thought-provoking session, Joy Chik will explore trends that are making identity even more central to modern security.
As organizations are recovering from the pandemic, the need to adapt to rapid technological, organizational and social changes makes many of them embark on a digital transformation at high speed. Investments to drive online business, powered by customer insights and an attractive user experience, yet secure and compliant with rules and regulations, have never been bigger.
Integrating Marketing and Customer Relationship Management (CRM) functions with Customer Identity & Access Management (CIAM), if done well, can help business owners achieve the ROI they are looking for.
Join Gerald Horst, who leads PwC's Digital Identity team in EMEA, as he explains how powerful Customer Identity & Access Management can be when you are transforming your organization to become successful in doing business online. Gerald will share relevant client experiences, demonstrate some key capabilities and give his view on future client demands in this context.
Key takeaways:
In recent years, we have seen quite a few transatlantic policy issues with regards to Cybersecurity and the way how personal information is being treated by private and public organizations. The main areas where we see these differences are data protection/privacy, standards & certification and last but not least private-public information sharing.
New technology is often seen as a total replacement for whatever came before. This is evident in the “Move to Cloud”! However, we are almost never in a greenfield position: we must interoperate with legacy systems and the demands of the business drive towards different and competing solutions for different problems. We will discuss the challenges of a hybrid deployment, addressing multi-cloud as well as on-premises components, and how a hybrid approach to identity is required to competently address these often conflicting requirements. We will use real-world examples of hybrid solutions to demonstrate the solutions.
The first era of SaaS is ending, and we are entering a new era of convergence. This new era will result in new kinds of enterprise platforms that converge discrete functionalities into new systems of delivery. Best of breed solutions will all but disappear. Point solutions will fade away. The identity industry will fundamentally shift. The traditional IAM vendors you know are going to face competition from Salesforce, ServiceNow, Workday and others. You, the customer, are going to be influenced more and more by these players and their new systems of delivery. In this session, I will explore what is driving this trend and how it may shape the future of the identity industry.
IT has changed fundamentally in the past years. Multi-cloud environments mixed with private clouds and on-premises infrastructures (multi-hybrid) are the new normal.
The high pace of transformation, modernization, and innovation required for success in the digital age requires these environments to work smoothly and securely.
In his talk, Martin Kuppinger will discuss where and how IT, IT Security, and IAM need to evolve to make the digital business fly.
Martin Kuppinger and Matthias discuss the high-priority topic of how to achieve automation of management and security across the entire multi-hybrid, multi-cloud IT infrastructure based on well-defined policies.
When thinking about what SSI means for enterprises and providers of services to enterprises, it's easy to forget that SSI is about each of our sovereign selves. This means SSI should give us each a clear sense of independence, agency, and obvious freedom from the old centralized Identity Provider Relying Party model, and the federated one that followed from it. But we aren't there yet. What will it take to get us there—for our sovereign selves, and not just for hot new SSI businesses?
Cybersecurity is one of the areas where virtually every business will need to invest because of ever-growing cyber risks and ever-tightening regulations, and in the post-Covid era, the cybersecurity market continues to evolve and grow, having gained even greater importance. Warwick Ashford joins Matthias to discuss the factors driving the trends in this market and what businesses should be considering when making cybersecurity investments.
Tune in to this episode to explore ways to navigate tradeoffs between privacy and accessibility in decentralized identity and learn about interesting user-centric approaches that can be applied to modern identity protocols.
P.S.: You do not want to miss out on our little surprise at the end of this episode 😉
Christopher Schütze provides the fundamentals for a pivotal topic in cybersecurity, namely how to create processes and systems for comprehensive and continuously improving vulnerability management. Together with Matthias, he provides an overview of elementary aspects that need to be considered.
The market segment of products and services that are designed to manage and secure APIs as essential resources in a multitude of different environments is constantly evolving. On the occasion of the publication of the latest edition of his Leadership Compass "API Management and Security", Alexei Balaganski explains the fundamentals and current developments of these products and services.
Raj Hegde sits down with Peter Busch, DLT Product Owner at Bosch, to discuss how decentralization is enabling a wide range of exciting use cases across industries. Tune in to this episode to explore the concept of machine economy, understand the needs of machines and dive deep into the intersection of decentralized identity and the Internet of Things.
Business Intelligence is the discipline of deriving business insights from raw enterprise data to inform decision making. Although this is a mature market, new trends are stirring up this market sector. Annie Bailey joins Matthias to explain what is changing and what 'Next-generation BI platforms' are.
Graham Williamson, Senior Analyst at KuppingerCole, is to deliver a presentation entitled Meeting Expectations – 5 pillars for IoT project success on Tuesday, September 14 starting at 7:20 pm at EIC 2021.
To give you a sneak preview of what to expect, we asked Graham some questions about his planned presentation.
Paul Fisher has researched the topic of Data Governance Platforms extensively, and he published a Market Compass on this topic at KuppingerCole Analysts just a few weeks ago. In the current episode of Analyst Chat, he explains this market segment to Matthias and provides insight into current developments.
The path toward a Zero Trust architecture to improve cybersecurity for modern enterprises in a hybrid IT landscape often seems overly complex and burdensome. Alexei Balaganski is this week's chat partner for Matthias and he draws attention to an often overlooked benefit of such an infrastructure. One key idea of Zero Trust is to actually reduce complexity and unnecessary effort and instead focus on what really needs to be protected.
In his talk, Martin Kuppinger will deconstruct the term Access Management and look at the various elements and concepts behind it. Access Management is multi-faceted and includes many concepts. On the other hand, many of the areas we should find supported in Access Management are still missing in most implementations. So: What does it take to build a modern, comprehensive Access Management? How will this look different from now? Will we get rid of the burden of annoying authentication procedures or of reviewing static entitlements we don’t understand? Which role should policies play? Could we move forward to just-in-time entitlements? And will we finally get rid of passwords?
Martin Kuppinger will cover trends that are already visible, options you can take today, but also evolutions that are just visible on the horizon and innovations vendors should focus on today.
He will give you a high-level playbook of tactical and strategic steps for evolving what you have in Access Management towards a broader, future-proof solution.
How do you protect secret information from sabotage? You should consider two possible scenarios when answering this question: sabotage can originate from outside as well as from inside. In principle, a potential threat can also come from people within your own company.
An essential step is therefore to make sensitive documents and directories accessible only to employees who really need them for their work, following the need-to-know principle.
In the case of facilities that are vital to life or defense, these employees must also be instructed in how to protect themselves against sabotage.
Consistent checks to ensure that protection instructions have been given are therefore part of the administrator's duties, which in turn requires additional time and organizational capacities.
In this practical presentation, you will learn how automated permission management can relieve IT administrators and at the same time reduce errors caused by manual processes while ensuring compliance with special requirements for the assignment of rights, e.g. through separate data protection instructions.
We're on track towards a world where everything that can be tokenized will be tokenized. Tokenization plays a critical part in enabling more equitable value creation for people, organisations and things, providing the means to issue and store value, trace provenance and, most importantly, achieve consensus so that trust can be established instantly.
However, in order for this tokenized world to emerge we first need the infrastructure for people and their digital twins to participate in equitable and fair ways. This will include digital identity, verifiable credentials and payments.
This session will feature some of the use-cases, practical steps, insights and learning along the way.
This episode concludes the four-part series on hybrid IT. To wrap things up, Mike Small and Matthias focus on the latest developments in hybrid infrastructures, between containers, hyperconverged, edge and cloud in a box.
“Progress is the process by which the miraculous becomes mundane,” says Doc Searls, the next guest on our popular podcast series - Frontier Talk. In this episode, Raj Hegde sits down with one of the most prolific technology thinkers of our generation to understand the problems of the identity status quo and to determine the boundary conditions required to usher in a new era in identity - one that gives individuals independence and better ways to engage with businesses.
Part three of the four-part series on hybrid IT looks at approaches to appropriately manage and evolve hybrid architectures. Mike Small and Matthias put the focus not only on technical management, but also on appropriate governance in particular.
The knowledge and skills gap in the cybersecurity industry is a problem that has been identified and discussed for the past 20 years. However, with the rapid acceleration of technology development, the skills gap seems to worsen as time goes by and may soon become a systemic deficiency. In this presentation, I will talk about the first-ever technical, vendor-neutral credential for cloud auditing. It fills a gap in the industry for vendor-neutral, technical education for competent professionals to help their organizations reap the full benefits of cloud environments.