Event Recording

Cyber-Defense Strategies to Protect Cloud Resources & Identities

Show description
Speaker
Morey J. Haber
Chief Security Officer
BeyondTrust
Morey J. Haber
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Cloud Attack Vectors, Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group...
View profile
Playlist
European Identity and Cloud Conference 2023
Event Recording
Spicing up Authorization - A Zanzibar inspired approach
May 11, 2023

As a global OEM of highly critical and complex industrial devices, managing access to hundreds of millions of IIoT device resources spread across customer sites all around the globe is already a challenging task.  
Use cases for providing a digital service platform need to address end customers accessing devices owned by themselves as well as priviledged access for in house and third party analytics applications and serice personnel. A combination of requirements for excelent user experience, authorization management and high performance for cross-tenant queries for endless scenarios can become a nightmare.  
The task was to analyze the access requirements, abstract them and then deploy a “Zanzibar” inspired approach to manage access authorizations with a swift and reliable backend architecture, able to handle millions of information assets to be protected against unauthorized access.  
Creating a mere access model does not do the full trick - it has to be cleverly designed into data storage structures and queries to achive the required performance goals!  
The talk quickly introduces the problem set and then dives deeper into how to implement data storage optimization magic to get quick response times and swift adjustments of authorizations.

Event Recording
FIDO à la Carte
May 12, 2023

Finding the right passwordless solution can be a daunting task. Searching the web for a passwordless authentication solution will present many options for various use cases. With so many options, how do you choose the solution that best meets your requirements?

This presentation will help guide you through the different FIDO standards, Passkeys and provide real-world examples of how they are being used today. We'll explore the benefits of FIDO, including increased security and improved user experience, and discuss the challenges and limitations.

If you're ready to say goodbye to passwords and embrace the future of passwordless authentication, join us and learn how to find the right FIDO solution for your passwordless needs.

Event Recording
IAM Across Hybrid On-Premises and Cloud Resources
May 10, 2023

We will be discussing an identity fabric model that allow for growth, ease of integration, and a way to future proof your organization.

Event Recording
Decentralized Identity Ecosystem for Southeast Asia: A journey from MVP to Production
May 12, 2023

Decentralized identity has made its waves in the EU with European Blockchain Services Infrastructure (EBSI) and in the US with various funded projects. A vast market in south-east Asia stays untapped. We have enabled our partner organization ZADA to build a decentralized identity ecosystem that connects various southeast Asian countries with numerous cases like 'Decentralized Vaccination TravelPass', 'Employment IDs', and 'Government issued Educational Credentials'. The journey of a decentralized identity platform from ideation to MVP and to a scalable production system can bring tremendous insights. We were able to successfully enable the public sector in Myanmar to engage with self-sovereign identity and bring value to its citizens by issuing over more than a quarter million digital credentials. Monetization of these credentials was an essential factor for us. These self-sovereign identity credentials varied in use cases and were verified by Singapore immigration, Public sector hospitals, the Education Ministry of Myanmar, the Health Ministry of Myanmar, and various other private sector vendors. Our journey covers various use cases in EdTech, HealthTech, IAM, and KYC. Explored right, these cases can help us dive into how enterprises can engage with the southeast Asian identity market.

Event Recording
The Future role of PAM: Securing any Privileged Workload & Access
May 11, 2023

PAM (Privileged Access Management) is one of the established core disciplines within IAM. PAM also is the IAM discipline that is changing most from what it has been in the past.

On one hand, there is the impact of CIEM & DREAM, Cloud Infrastructure Entitlement Management or Dynamic Resource Entitlement & Access Management. This is about the expansion of PAM beyond humans accessing servers and selected applications towards any type of human and non-human (silicon) identity accessing any type of workload, from servers to dynamic cloud resources. This also implies an expansion from serving static data center infrastructures to dynamic workloads in today’s agile IT. PAM is changing, with more parties involved – a “PAMocracy”, as KuppingerCole Analyst Paul Fisher recently named it.

These changes also require expansions in integration to other IT services. There needs to be a dynamic governance approach, where IGA comes into play. It requires rethinking whether PAM tools really should care for authentication. There is no need for authentication point solutions in an age where most organizations have a strong Access Management solution with MFA, passwordless authentication and adaptive, risk- and context-based access in place. Finally, this new PAM must integrate with the DevOps tools chain for permanent updates about new code and the resources used as well as with IT Asset Management for an always up-to-date insight into the ever-changing, dynamic IT landscape that needs to be protected.

Also worth to think about is integration with further security solutions, beyond the standard SIEM/SOAR integration. AI-powered security solutions are one aspect. Integration to Cloud Security Posture Management is another example.

In this panel, the state and requirements on the future PAM will be discussed.

Event Recording
Managing Your Enterprise Security Posture to Avoid Web3 and Smart Contract Breaches. Practices & Lessons for Enterprises with Case Studies
May 11, 2023

Web3 is a revolutionary changing aspect of technology in the current era but protecting Web3 will be a challenge considering how smart contracts are challenging. New businesses utilizing blockchain technology are more focused on business while their different assets need eyes, such as the most vulnerable DApps and Web3 services.

Decentralized applications, commonly referred to as dApps, are not controlled by a single point of authority. Instead, they run on a blockchain or a P2P network, making them more complex and riskier than traditional applications.

In this talk, we'll discuss how hackers are utilizing their techniques to attack web3 and smart contracts and what are best practices for enterprises to prepare for the challenge.

Event Recording
Policy Based Authorization Architecture Considerations
May 10, 2023

Policy Based Authorization is becoming the new normal when it comes to identity-centric access controls. However, there is no standard approach to PBAC deployment that fits all use cases. In this session we will look at PBAC requirements for common use cases such as microservices, cloud, API, data & analytics.

Event Recording
What’s Next In Enterprise Authorization
May 11, 2023

As organizations undergo digital transformation to zero-trust architectures, identity-driven security becomes a critical aspect. Beyond new authentication technologies, organizations must have strong authorization controls. Today, if and when an identity is compromised, the attacker can make lateral movements with very few restrictions and access a wide range of critical systems and information. Much of this over-permissive environment can be attributed to manual permissions management processes that are hard to maintain over time. Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC), which underlie these manual processes, provide a good baseline for access security. However, their complexity grows over time and the management overhead they place oftentimes subvert the very goals of security and compliance they are deployed for. Just-In-Time Access Management (JITAM) represents a new robust and secure authorization strategy that can reduce the need for periodic access certifications and manual role administration, while providing auditability. Learn how the authorization space is rapidly changing from RBAC and ABAC to JITAM, and how it could benefit your organization.

Event Recording
Panel: What Happens When Applications Don't Use the Identity Standards We Have Built
May 11, 2023

OAuth 2.0 is a widely adopted standard for authorization, but it can be complex to implement correctly. It's not uncommon for developers to have difficulty understanding the nuances of the OAuth 2.0 flow and instead rely on simpler approaches such as using API keys in "god mode."

OAuth 2.0 can be difficult to set up and configure, especially for developers who are new to the standard. It involves creating an OAuth 2.0 client, setting up redirect URIs, and managing access and refresh tokens, which can be confusing and time-consuming. Additionally, the standard requires developers to handle user authentication and authorization separately, which can be difficult to understand for those who are not familiar with the concepts.

Many developers may not understand the security benefits of OAuth 2.0 over API keys. OAuth 2.0 allows for fine-grained access control, enabling developers to limit access to specific resources and actions. In contrast, API keys provide more open access, allowing all actions on all resources. Developers may be inclined to use API keys instead of OAuth 2.0 because they are simpler and easier to implement, but they don't offer the same level of security.
Developers may find it hard to understand the standards, and may end up using an inconsistent approach.

The panel will discuss these reasons and other potential causes for why developers may not be using OAuth 2.0 correctly, and provide recommendations for how to overcome these challenges. We will highlight the benefits of OAuth 2.0, such as improved security and the ability to provide fine-grained access control, to encourage developers to adopt the standard. Additionally we will give examples of real-world attack scenarios that could have been avoided if the application was using OAuth 2.0.

Event Recording
Decentralized Identity: The Way Forward
May 10, 2023

Decentralized Identity is enabling individuals and organizations to have control over their own personal data, providing self-sovereignty, privacy and security. But, is a relatively new concept with high development and standardization dynamics. In this session we will look into what we should do today to take full advantage of this promising concept.

Event Recording
Identity in the C-Suite? The Role of the Chief Identity Officer
May 11, 2023

Whereas our Privacy and Security peers have top executive-level access and presence as well as often Board-level access, Identity typically does not.

Should that continue to be the case? Are the conditions right for the establishment of a Chief Identity Office… and is that even a good idea?

In this panel, Drs. Jacoba Sieders, Denny Prvu, and Ian Glazer will debate the pros and cons of the notion of a Chief Identity Officer role. Topics will include:

  • What would the value of such a role be? And how is such a role measured?
  • What would the responsibilities of said Officer be and what is the role’s remit? What are its boundaries?
  • What questions should the Board and C-Suite be asking? What should they know about identity that they don’t today?
  • How would such an Officer quantify the value of the identity infrastructure to the business?
  • Does the need for the role differ based on industry sector and geography?
  • How would this role fit with the Chief Digital Officer, Information Security Officer, and Privacy / Data Protection Officer?
  • And how would this make things better for the digital identity practitioner and the industry as a whole?
Event Recording
Why Active Directory is the Prime Cyber attack Target - and what to do about it!
May 10, 2023

For more than two decades, Microsoft Active Directory (AD) has been the de facto method organizations use to authenticate and authorize users for access to computers, devices, and applications within a company’s network. Most companies still rely on it and have further extended its reach into the cloud by synchronizing their on-prem AD with the Microsoft Azure AD to allow proper SSO to cloud-applications by their users. AD is celebrated for its extensive compatibility with various applications and Windows editions, but that compatibility comes with security downsides.

Compromises of Active Directory can occur as an entry point leading to a further attack or can arise at various other points along the kill-chain following an initial compromise via some other mechanism. Even in cases where a compromise is gained following an attack on applications or infrastructure directly, it is frequently infeasible for an attacker to progress further without elevating privileges, making Active Directory a primary target in an overall breach strategy.

It is therefore important that Active Directory defense tools are paired with a wider Zero Trust and XDR approach to provide full visibility over organizational infrastructure, enabling security teams to accurately identify the point of origin of an attack, and to perform the containment and remediation actions required to neutralize and prevent reoccurrence of an attack.

Join Principal Technologist, Guido Grillenmeier, to discuss AD access points used in recent cyberattacks, security risks to watch for in managing AD with Azure AD, how to look for warning signs that AD has been compromised and steps to take in the event of an attack.