Event Recording

Lessons Learned from More Than 6 years of CIAM in a Media Company

Speaker
Tom Bruggeman
IT Area Manager
DPG Media
Tom is working as an IT Area Manager for DPG Media. As part of his role he manages a number of development teams, one of which is the Identity team, responsible for the development and rollout of DPG's custom-built identity platform for millions of users spread across 2 countries.
Playlist
European Identity and Cloud Conference 2023
Event Recording
Automated Serverless Security Testing: Delivering Secure Apps Continuously
May 10, 2023

Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.

How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.

Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionles

Event Recording
Verifiable Credentials for the Modern Identity Practitioner
May 10, 2023

You heard about Verifiable Credentials and decided to learn more. You found some stuff online, but despite knowing your way through identity, you still can't really tell how they work in practice (wallets? presentations?) or how the boldest claims (no more centralized DBs! Apps cannot save PII!) will play out. This session will dive into VCs and separate the hype from their true, remarkable potential.

Event Recording
Reflections & Predictions on the Future Use (and Mis-Use) of Generative AI in the Enterprise and Beyond
May 12, 2023

Generative artificial intelligence (AI) has the potential to revolutionize a wide range of industries and applications, from creating realistic images and videos to generating natural language responses. This Future Enterprise Use of Generative AI Deep Dive session will explore the current state and future trends of Generative AI technologies. Attendees will gain a comprehensive understanding of Generative AI technology and its current and future applications in various industries.

Over the last years, Generative AI has presented significant advancements in industries such as software development, finance, insurance, education, healthcare, government, manufacturing, etc. It is expected that in the coming years Generative AI will enable businesses and organizations to create more personalized and engaging experiences for customers, optimize operations, and make more accurate decisions.

However, with great progress comes great responsibility. The growing sophistication of these algorithms also raises concerns about their impact on society, such as the potential for misuse, bias, and the displacement of human jobs. Generative AI poses significant challenges as well as opportunities. It is therefore essential to balance the development of Generative AI with responsible research and ethical considerations to ensure that its advantages can be harnessed while minimizing its potential disadvantages.

Event Recording
Navigating the Complexities of User and Group-Focused Authorization in Modern Applications
May 10, 2023

Authorization in modern applications is becoming increasingly complex, particularly when it comes to managing access to resources at the individual user and group levels. OAuth has become a widely-used standard for granting access to resources on behalf of a user, but it is not well-suited for these more nuanced use cases. In this talk, we will explore the confusion surrounding the use of OAuth for user and group-focused authorization in applications. We will discuss the standard meaning of authorization in OAuth, which is to grant access for an application to call APIs on behalf of the user, and how misusing OAuth for this purpose can lead to bad architecture and bloated JWT tokens. We will also introduce alternative standards like UMA (User-Managed Access) and GNAP (Group-Based Nested Access Protocol) as potential solutions for user and group-controlled resource delegation. These standards provide a more fine-grained and dynamic approach to access control and can be integrated with policies created by a PBAC (Policy-Based Access Control) server for a more comprehensive solution. Attendees will leave with a better understanding of the limitations of OAuth for user and group-focused authorization, and with a clear understanding of the potential of UMA and GNAP as solutions for these use cases.

Event Recording
EUDI Wallet - Critical Success factors for Digital Single Market and Private Sector Use
May 10, 2023

Why is the private sector the major milestone for the European Identity Wallet to succeed? Let's discuss:
• Will the current EUDI wallet enable or hamper, e.g., the banking sector in future (in relation to KYC, Strong Customer Authentication, Payments, ….)?
• Which standards are the right ones to enable, e.g., the travel / mobility sector (mdoc, ICAO, verifiable credentials)? Which give the most added value?
• How will current private sector wallets at large (like those used in e-commerce) interact with the EUDI wallet whilst ensuring citizen privacy-by-design?
• Which technologies are at hand to keep our wallets secure and combat identity theft/fraud/threats when Europe has no control over those mobile devices?

Event Recording
Solving a Logistical Nightmare: Imagining a Decentralized Identity Future at DB Schenker
May 10, 2023

IAM is hard enough without the additional complexities that logistics companies face. Warehouses need to be secure, but it's difficult to find an identity solution that's suitable for short-term staff who don't have or can't use computers, mobile devices, or biometrics in their work environment. Until recently Decentralized Identity has been the stuff of dreams, but that is rapidly changing, and the lines between identity and authentication are blurring even more. In this session, we'll explore how a future powered by Decentralized Identity is offering logistics giant DB Schenker a path to stronger security while maintaining productivity in its warehouses, providing a fast, flexible and interoperable way for workers to verify their identity.

Event Recording
Managing Your Enterprise Security Posture to Avoid Web3 and Smart Contract Breaches. Practices & Lessons for Enterprises with Case Studies
May 11, 2023

Web3 is a revolutionary shift in technology in the current era, but protecting Web3 will be a challenge given how hard smart contracts are to secure. New businesses utilizing blockchain technology are focused on the business itself, while their various assets, such as the most vulnerable DApps and Web3 services, need attention.

Decentralized applications, commonly referred to as dApps, are not controlled by a single point of authority. Instead, they run on a blockchain or a P2P network, making them more complex and riskier than traditional applications.

In this talk, we'll discuss how hackers are utilizing their techniques to attack web3 and smart contracts and what are best practices for enterprises to prepare for the challenge.

Event Recording
Best and Worst Practices of Digital Wallets User Experience
May 10, 2023

Digital identity wallets are central components for Decentralized and Self-Sovereign Identity (SSI) approaches. They are the interface for users to manage their identities and gain access to services. Hence, the usability and user experience of these wallets is pivotal for the adoption of those popular and privacy-friendly identity management concepts. This talk will summarize research findings into naming some of the Best and Worst Practices to be considered in the further development of the user experience of Digital Wallets.

This talk would highlight multiple studies, publications, and projects that I have done on this topic. However, if you would prefer another topic, I could propose another talk idea that would be related to other identity topics in either Digital Wallets, mGov/eGov Services, or Trust Management.

Event Recording
Pros & Cons of Anonymity and ZKP - Do we Know Them?
May 12, 2023

Within the digital identity wallet movement (and especially SSI), there is a lot of focus on proving something about yourself without revealing anything else, also known as ZKP (Zero-Knowledge Proof). It is important to realize that if we build this into the future identity systems, we will also grant any criminal the right to full anonymity.
While there are some marginal use cases (buying beer and adult materials) where we might want this, using ZKP also excludes accountability, unless there is a way to reveal the identity behind the proof. This would then be pseudonymity, and the challenge here is who is authorized to reveal this, and how to prevent misuse.

Event Recording
Use AI to Make Account Takeover a Frustrating Experience... For the Attacker
May 11, 2023

Sure, MFA goes a long way in preventing account takeover, but it is only one layer. Using AI to look at identity data to evaluate risk can add additional layers, not only to prevent takeover but to mitigate the impact once a takeover has happened.

Event Recording
Orchestrating Zero Trust - "Detect, Decide, Direct"
May 10, 2023

The Zero Trust paradigm, the approach of eliminating inherent trust in an IT architecture and always verifying, has been discussed for over a decade. It is well known that Zero Trust is a team sport, with Identity in the center. The many components, from IGA to Device Management, network segmentation to contextual awareness and beyond, can be fulfilled by as many vendors, raising the question of how to integrate these for a secure and convenient user experience. While there may be integrations available for some components, they will most likely be disjointed and/or require custom development, making it a challenge to be agile and innovative.

An alternative to the described problem would be Orchestrating Zero Trust, applying the approach of "Detect, Decide, Direct". Through Orchestration, the task of gathering all signals and relevant information (Detect) for an appropriate authorization decision (Decide), and continuing with the proper next step(s) (Direct), can be fulfilled in a flexible manner, facilitating customization in a future-proof way.

In this session we will describe the "Detect, Decide, Direct" approach and see how Orchestration can be a key enabler of Zero Trust.

Event Recording
Building Identity Bridges: Where Digital Identity and People's Expectations Meet.
May 11, 2023

This presentation will bring together and report on experiences in developing identity and privacy standards that are technically feasible but that also address the lived experience of people trying to negotiate a complicated digital identity space.

This will include an update on the Kantara Initiative Privacy Enhancing Mobile Credentials Work Group, as well as identity considerations in some recent virtual care and electronic health records standards. It will also consider the impact of self-sovereign identity on the possibilities for reclaiming individual autonomy.