Event Recording

How Much Data do You Need to Collect to Really Know Your Customer

Show description
Speaker
Denny Prvu
Director of Architecture - Innovation and Technology
Royal Bank of Canada
Denny Prvu
Denny Prvu has been fortunate enough to work around the world with public and private sector organizations as a strategist, architect, and communicator on identity, security, and privacy topics for over 20 years.  Experience by working on standards and active contributions in areas...
View profile
Playlist
European Identity and Cloud Conference 2023
Event Recording
Rogue on Steam? Risks and Rewards of a Seamless Digital Life in the Metaverse
May 10, 2023
Event Recording
CIAM-as-a-Service for 50 Million Customers at OLX Group Europe
May 12, 2023

Still developing CIAM in-house? Discover the realities of serving 50 million customers using Hosted Customer Identity and Access Management (CIAM) as a service (SaaS) from a vendor.

Customer Identity and Access Management is one of the most critical platform components. How big of a risk would it be for the large enterprise to delegate it to the vendor solution? And how much risk would it be to not do it?

In 2019 our Eastern Europe business was struggling with Accounts Takeovers where botnets of 1 million IPs total size were involved in massive credential stuffing attacks. And we decided to replace all our legacy auth with a vendor solution.

In this session we will go through the key moments of such transition and the key learnings from the past 4 years. We won’t miss the aspect of value proposition, customer experience, real cost and return on such an investment.

Event Recording
Weaving a Standards Framework for Non-Human Identities
May 11, 2023

We entrust workloads and devices with our most sensitive data, giving them access to far more information than the human on whose behalf it operates, if it is even operating on behalf of a human. Yet, managing these non-human identities and applying Zero Trust Policies to them is a Herculean task complicated by a heterogenous technology landscape, amplified by multi-cloud/multi-hybrid environments, exacerbated by critical skills shortages and magnified by exponential growth in workload and device identities.

It's the kind of problem standards excel at solving by creating interoperability layers between heterogenous environments, codifying the wisdom of the crowd to alleviate pressures on rare skills, and creating eco-systems of interoperable solutions that meet a common security bar.

Fortunately there are already several standards efforts that can help us manage non-human identities. But how are all these efforts related and how to we avoid replacing a patchwork of heterogenous solutions with a patchwork of heterogenous standards? Is it possible to craft a standards framework and connect all these efforts in a single identity trust fabric, and is that desirable? If we had such a framework, what would it look like?

In this talk we explore the benefits of weaving a standards framework for non-human identities by bringing together more than 18 standards from at least 7 standards bodies while identifying opportunities to align and connect them all to solve the emerging challenge of managing non-human identities at scale.

Event Recording
The Future role of PAM: Securing any Privileged Workload & Access
May 11, 2023

PAM (Privileged Access Management) is one of the established core disciplines within IAM. PAM also is the IAM discipline that is changing most from what it has been in the past.

On one hand, there is the impact of CIEM & DREAM, Cloud Infrastructure Entitlement Management or Dynamic Resource Entitlement & Access Management. This is about the expansion of PAM beyond humans accessing servers and selected applications towards any type of human and non-human (silicon) identity accessing any type of workload, from servers to dynamic cloud resources. This also implies an expansion from serving static data center infrastructures to dynamic workloads in today’s agile IT. PAM is changing, with more parties involved – a “PAMocracy”, as KuppingerCole Analyst Paul Fisher recently named it.

These changes also require expansions in integration to other IT services. There needs to be a dynamic governance approach, where IGA comes into play. It requires rethinking whether PAM tools really should care for authentication. There is no need for authentication point solutions in an age where most organizations have a strong Access Management solution with MFA, passwordless authentication and adaptive, risk- and context-based access in place. Finally, this new PAM must integrate with the DevOps tools chain for permanent updates about new code and the resources used as well as with IT Asset Management for an always up-to-date insight into the ever-changing, dynamic IT landscape that needs to be protected.

Also worth to think about is integration with further security solutions, beyond the standard SIEM/SOAR integration. AI-powered security solutions are one aspect. Integration to Cloud Security Posture Management is another example.

In this panel, the state and requirements on the future PAM will be discussed.

Event Recording
Best and Worst Practices of Digital Wallets User Experience
May 10, 2023

Digital identity wallets are central components for Decentralized and Self-Sovereign Identity (SSI) approaches. They are the interface for users to manage their identities and gain access to services. Hence, the usability and user experience of these wallets is pivotal for the adoption of those popular and privacy friendly identity management concepts.  This talk will summarize research findings into naming some of the Best and Worst Practices to be considered in the further development of the user experience of Digital Wallets.

This talk would highlight multiple studies, publications, and projects that I have done on this topic.  However, if you would prefer another topic, I could propose another talk idea that would be related to other identity topics in either the Digital Wallets, mGov/eGov Services, or Trust Management.

Event Recording
The Identity Security Blind Spot: MFA for Legacy Systems and Service Accounts
May 10, 2023

MFA and other identity security controls are very effective in stopping cyber attacks, and are widely used on modern apps, but until now they couldn't be applied to legacy apps, service accounts (non-human identities), command-line interfaces, OT systems and many other critical resources. These 'blind spots' are targeted in almost all data breaches and ransomware attacks, and often prevent compliance with regulations and cyber insurance requirements. Join this session to learn how your existing MFA and modern identity solutions can be extended to all these legacy assets using a new technology.

Event Recording
Centralized eID May be the Target of the Next Nordstream Pipeline Attack
May 11, 2023

With the vast centralization of government digitization in general, and issuance and operation of Digital Identity services in particular, the Nordic countries have made themselves unnecessarily vulnerable to attacks by actors such as those with the resources to blow up the Nordstream pipelines in the Baltic Sea.

With the new Danish digital identity, MitID, as an example, I will discuss

  1. How governments and/or banks centrally attempt to strike a balance between vulnerability and user adoption,
  2. Why compliance and certification may only take you so far, and finally,
  3. How concepts such as wallets and Verifiable Credentials may decentralize the digital identity ecosystem not only for increased privacy but also for more robust and secure infrastructures less prone to attacks by bad actors.
Event Recording
Ditch Siloed IAM: Convergence, a Must For Identity Threat Detection & Response
May 09, 2023

An increase in the types of digital identities, coupled with multi-cloud adoption, has added complexity to managing identities and privileges. How does one get future-ready, to address these new-age challenges? An Identity-centric security strategy centers on effective governance with zero trust, that simplifies and unifies critical aspects of Access Management (AM), Identity Governance Administration (IGA) and Privileged Access Management (PAM). Join us to explore the benefits of a Converged Identity security approach that is outcome-driven, and looks to ditch the silos of key IAM components.

Event Recording
AI & Identity - Perspectives and Use Cases
May 11, 2023
Event Recording
Three Pillars of Secure Development - Why Nobody Cares and How to Fix That
May 11, 2023

Speed to market, extensive use of so-called standards and the quest for low cost: Successful product development is using lopsided metrics. That comes with a big penalty - from physical product safety and cyber security, companies around the world spend big money on fixes that often come too late. Learn about three often overlooked pillars of successful, resilient product lifecycles and what leverage unexpected skills like penetration testing can apply.

Event Recording
Interworking of Verifiable Credential Products
May 10, 2023

The EU funded Next Generation Internet (NGI) Atlantic project "Next Generation SSI Standards" and the Walmart funded Jobs for the Future (JFF) Plugfest, both have the same aim of fostering wide scale adoption of Verifiable Credentials. They are doing this by funding global interworking of Verifiable Credentials products from many different suppliers located in Europe, the USA and Asia. The NGI Atlantic project is committed to using the OpenID for Verifiable Credentials (OIDC4VCs) draft standard specifications, whilst JFF is allowing the 30+ participants to decide amongst themselves which protocols to use. Three protocol suites have been chosen: OIDC4VCs, VC-API with CHAPI, and DIDComm.

This presentation will provide an overview of the two projects, will provide an overview of the 3 protocol suites that have been chosen, and will present the results of the interworking trials.

The NGI Atlantic project will finish in December 2022, and besides interworking trials, will deliver an open source test suite that suppliers can use to test their implementations for conformance to the OIDC4VCs protocol suit for both credential issuing and verification. Some tests are being added to the W3C CCG Traceability test suite (written in POSTMAN) and some are being added to the Open ID Foundation's existing OpenID Connect conformance test suite (written in Java).

The JFF Plugfest will finish in 1Q2023. In November 2022 each VC Issuing software supplier must demonstrate the issuing of a verifiable credential to the wallets of at least two different wallet software providers, whilst each wallet software provider must obtain a verifiable credential from at least two other VC Issuing software providers. In February 2023 VC wallets must demonstrate the presentation of a Verifiable Presentation/Verifiable Credential to at least two different verification software suppliers, and each verifier must demonstrate that it is capable of accepting a VP/VC from at least two different wallets.

The success of these projects should catapult the acceptance of inter-workable verifiable credential products to the market.

Event Recording
Avoiding Accidental Architecture - Implementing Graph-Based IAM & CIAM goes Beyond Better Access Control
May 11, 2023

Graph is having its moment and rightfully so. Regulatory challenges, overly complex authorization scenarios and retrofitting legacy programs to meet new business needs are squeezing businesses. Implementing a graph-based approach can remove these obstacles and reduce risk. 

But for many businesses, this is where graph-based implementations start and stop. 

In this session, we will discuss how to turnidentity data into identity knowledge and what that can deliver. We will dive into data models that drive contextual and real-time decisions - data models which are foundational for enabling complex authorization use cases and beyond. 

Finally, we will explore the benefits of graph-based deployments in your existing environments, including the value of a holistic and visually simplified data model and avoiding the accidental architecture challenge