Event Recording

Access Management Trends in a Connect Anywhere World

Show description
Alejandro Leal
Research Analyst
Alejandro Leal
Alejandro joined KuppingerCole as a Research Analyst in December 2021. His main areas of expertise include digital transformation in the public and private sector, managing business in today’s geopolitical context, and governance in artificial intelligence and cyberspace. Background...
View profile
European Identity and Cloud Conference 2023
Event Recording
Decentralized Identity: The Way Forward
May 10, 2023

Decentralized Identity is enabling individuals and organizations to have control over their own personal data, providing self-sovereignty, privacy and security. But, is a relatively new concept with high development and standardization dynamics. In this session we will look into what we should do today to take full advantage of this promising concept.

Event Recording
How to Get Your Cyber Insurance, Bring Down the Premium and Up the Coverage
May 12, 2023

More and more it becomes difficult to Insure yourself against a Cyber attack. Understanding all the different vectors of your risk posture, the flood of different tools and checklists that need to be taken into account and the way to consolidate this risk into an overarching risk dashboard is an immense challenge for CISO's, Risk Managers and their senior leadership. Because of this major challenge and a non-standard way of calculating the risk; more and more Insurance companies are putting a high demand on the information provided in order to get a proposal for a Cyber Insurance and then, if and when a Cyber Insurance is offered, the premiums and coverage become another big challenge and financial burden on companies.

The presentation will highlight these challenges and will provide hints and tips on how to deal with this problem, ensuring to get Cyber Insurance at the lowest possible premium and with the highest coverage.

Event Recording
When SSI Meets IoT: Challenges and Opportunities
May 11, 2023

In this session, I will first talk about the design considerations and challenges when applying SSI to IoT, followed by the description of an initiative for creating an embedded SDK for SSI. Finally, I will discuss new opportunities for building decentralized identity and access management solutions for IoT.

Event Recording
The AML-Compliant ID-Wallet
May 10, 2023

AML-compliant customer identification in the finance and banking sector (KYC) in Germany is subject to the requirements of BaFin (the regulatory authority) and the Money Laundering Act. This involves the use of both on-site and online identification procedures, which are often provided by external service providers as “critical outsourcing" and as data order processing. In the age of ID wallets, this KYC process needs to be redeveloped from a regulatory, data protection and technical perspective - especially because the regulatory framework currently does not (yet) explicitly provide for the case of an ID wallet. The presentation describes the challenges for ID wallets and ID issuers in the AML context and shows an exemplary implementation.

Event Recording
Identity in the C-Suite? The Role of the Chief Identity Officer
May 11, 2023

Whereas our Privacy and Security peers have top executive-level access and presence as well as often Board-level access, Identity typically does not.

Should that continue to be the case? Are the conditions right for the establishment of a Chief Identity Office… and is that even a good idea?

In this panel, Drs. Jacoba Sieders, Denny Prvu, and Ian Glazer will debate the pros and cons of the notion of a Chief Identity Officer role. Topics will include:

  • What would the value of such a role be? And how is such a role measured?
  • What would the responsibilities of said Officer be and what is the role’s remit? What are its boundaries?
  • What questions should the Board and C-Suite be asking? What should they know about identity that they don’t today?
  • How would such an Officer quantify the value of the identity infrastructure to the business?
  • Does the need for the role differ based on industry sector and geography?
  • How would this role fit with the Chief Digital Officer, Information Security Officer, and Privacy / Data Protection Officer?
  • And how would this make things better for the digital identity practitioner and the industry as a whole?
Event Recording
Building reputation for blockchain wallets: Soulbound NFTs as on-chain verifiable credentials
May 11, 2023

There has been a heated discussion between how (not) to use verifiable credentials, decentralized identifier and soulbound tokens for building better digital identities. We believe there is room for both or even a merge of on- and off-chain technology.

Event Recording
Navigating B2B2X Complexity with Identity-Centric Personas and Policy-based Access controls
May 10, 2023

As ecosystems of customers, workforce, partners and suppliers become increasingly intertwined, companies face the challenge of managing access consistently. Companies often install different access systems for different populations, with different types of accounts and different lifecycle management.

This session presents an approach whereby different populations can be managed with a single system and a single user profile. Key in this approach is that the user profile indicates to which population (or more than one population) the user belongs. The approach also enables delegated administration and temporary accounts in a very intuitive way.

Event Recording
Oh, How the Identity Industry Has Changed!
May 12, 2023

Since IDPro began its skills survey in 2018, we have seen technologies rise and fall and how IAM practitioners continue to struggle to feel proficient in their field. From the decline in directories to the power of personal identity, the IAM field is certainly not boring!

In this session, we’ll take a look at the trends over the last several years as seen from the IAM practitioners’ perspectives on the state of the industry, their professional goals, and their alignment with their employers. We’ll also consider what has changed – and what hasn’t – when it comes to our demographics and the diversity of the field. We will also offer some teasers of the results of the most recent IDPro Skills, Programs, & Diversity Survey, which closed in March 2023.

Attendees will leave the session with a better understanding not only of the state of the industry but what skills they might want to consider adding to their repertoire for the coming year.

Event Recording
From A (ACLs) to Z (Zanzibar): Standardizing Access Policies with IDQL/Hexa
May 10, 2023

The adoption of multiple clouds is accelerating across all industries. While multi-cloud brings many benefits, it also results in new challenges. Organizations must manage platform-specific access policies in the bespoke policy syntax of each cloud.
Security and risk gaps arise between cloud identity systems due to the increased policy fragmentation and technical complexity that can obscure visibility and make it difficult to determine who has access to what.
These challenges grow exponentially when you consider the various access policies (and system languages) associated with each data, network, and platform layer (and vendor) in an organization’s tech stack.
This session will describe an open-source solution to multi-cloud access policy fragmentation: Identity Query Language (IDQL) and Hexa Orchestration. IDQL and Hexa are two sides of the same coin that together perform policy orchestration across incompatible cloud platforms.
IDQL is the universal declarative policy language that can be translated into a target system's proprietary or bespoke access policy format. Hexa is the open-source reference software that brings IDQL to life and makes it operational in the real world by connecting to target systems and performing the three main functions of discovery, translation, and orchestration.
Hexa Policy Orchestration was recently accepted as a Cloud Native Computing Foundation (CNCF) sandbox project. The session will include a technical review of Hexa plus a demonstration of current capabilities.

Event Recording
Hack a Cloud and Kubernetes
May 10, 2023

People are under the impression that when you spin up the latest and greatest AKS, EKS, OpenShift or GKE instance, that you're secure. However with K8S, now more than ever the workload underneath matters. One privileged, neglected, container can compromise an entire setup. Rather than just talking about the risks or best practices, this talk is all about showing how easy it is to do.

The talk will first discuss possible attack paths in the Kubernetes cluster, and what differences exist in the attack techniques compared to classic infrastructures. For this purpose, a web application in a container will be compromised, then the Kubernetes cluster and the cloud account. Subsequently, 2 open-source tools will be discussed how such vulnerabilities and misconfigurations can be detected in the different infrastructure layers.

Event Recording
Fallacy of Decentralisation
May 10, 2023

Common Web3 narratives go like this: Web1 was decentralised. Web2 is centralised and dominated by GAFAM/BigTechs. Web3 will be decentralised.

Is this real?

Let us look back. Web1 was about publishing web pages that were linked to other pages. The publishing sites were decentralised all over and were connected by links. Schematics resembled spider webs. Thus, the name “web”. 

Web2 was the read-write web. In other words, API Economy. Was it a centralised architecture? Definitely not. What we imagined as Web 2.0 back in 2004 was that instead of monolithic systems, each site provides a function as REST API, and new services quickly emerge by combining these APIs like LEGO. APIs were decentralised and distributed all over the internet. API calling relationships connected those sites; the schematics resembled a spider web. Thus, the name Web 2.0.

Note, in 2004, none of Google, Amazon, Facebook/Meta, or Apple resembled what we have now.
Google just acquired Double Click, but it still had the banner word “Do not do evil.” The size of the company was 1/10 of Hitachi. Amazon still was an internet merchant. Facebook was just founded, but it still was primarily confined to Harvard and other American university students. Apple was an iPod and Mac company. Were they BigTechs? No! Big guys were IBM, Hitachi, etc., and Google, Facebook etc. were carrying the liberation torch!

Then, how come we end up here, despite the fact that the architecture was completely decentralised?

It was the combination of free market competition and technology that exhibited increasing returns. Any IT technology has decreasing cost/increasing return on investment. Under the circumstances, it will end up in Cournot equilibrium in a fashionable vocabulary - in a common word; winner takes all - monopoly/oligopoly. That’s how we ended up.

What about web3 and decentralised identity? Would the decentralisation dream finally come true?

Well, they still are IT. They still exhibit increasing return necessarily. Then, how can you believe that it will not be dominated by large players just like it happened to Web 2.0? If you let the free market play, it will certainly be. Unlike in the case of Web 2.0 where there still were 100s of thousands of IdPs, we may end up with two Wallets where the wallet provider can come in and decide to delete your verified credentials or ban your account. How decentralised!

Wait, there is more.

How can you believe that code that runs on your phone adheres to what it says?
The data stored on your wallet that runs on your phone may be extracting your data and sending it to criminals. We have seen many times that the initially benign code turns malicious with an update.

According to the Devil's Dictionary of Linguistic Dark Patterns compiled at IIW 2022b, “Decentralised” means “We run our code on your machine at your own risk”. Yes, at your own risk. If it is completely “decentralised” and there is no “provider”, then there is nobody to go after from the point of view of a regulator. Having a “centralised” provider is much better from a consumer protection point of view in this respect.

Is there no light? Are we going to live in the darkness of decentralisation?

Let us briefly think about what web3 was supposed to be. Forget about something that is found between A and Z. I am not talking about that. I am talking about cypher-punks' idealistic dreams.
Many people believe that blockchain is just an immutable ledger. No, it is not! That’s not the innovation of blockchain. Chained immutable records were there long before Satoshi’s invention. It is called Hysteresis signature and was invented in 1999.
Then, what was the innovation? it was the committing of the code into the it to make it immutable and executing it by multiple machines to exclude the result from changed code. In other words, it was the establishment of trust in the running code.
The light could be diminishingly small, but it still is light. That’s the light that I see in web3 that’s not between A and Z.

Event Recording
Decentralized Identity Ecosystem for Southeast Asia: A journey from MVP to Production
May 12, 2023

Decentralized identity has made its waves in the EU with European Blockchain Services Infrastructure (EBSI) and in the US with various funded projects. A vast market in south-east Asia stays untapped. We have enabled our partner organization ZADA to build a decentralized identity ecosystem that connects various southeast Asian countries with numerous cases like 'Decentralized Vaccination TravelPass', 'Employment IDs', and 'Government issued Educational Credentials'. The journey of a decentralized identity platform from ideation to MVP and to a scalable production system can bring tremendous insights. We were able to successfully enable the public sector in Myanmar to engage with self-sovereign identity and bring value to its citizens by issuing over more than a quarter million digital credentials. Monetization of these credentials was an essential factor for us. These self-sovereign identity credentials varied in use cases and were verified by Singapore immigration, Public sector hospitals, the Education Ministry of Myanmar, the Health Ministry of Myanmar, and various other private sector vendors. Our journey covers various use cases in EdTech, HealthTech, IAM, and KYC. Explored right, these cases can help us dive into how enterprises can engage with the southeast Asian identity market.