Event Recording

3 Dimensions of Digital Sovereignty

Name: 3 Dimensions of Digital Sovereignty
Uploaded: 2023-05-09T12:00:00+02:00
Duration: 19 min 34 s

Posted on May 09, 2023

Digital sovereignty has become an important topic for individuals as well as a strategic issue for countries and businesses, allowing them to operate in an environment that they trust and can control. This necessitates technology that is not overly reliant on third parties, where there is a risk of misuse of trust or non-compliance.

In this session, we will explore 3 dimensions of digital sovereignty related to identity:

Sovereignty of the Individual: The need to protect the individual has triggered privacy laws around the world, like GDPR. Providing end users with more control is now taken one step further with the adoption of the so-called "Self-Sovereign identity (SSI)" and "identity wallets." With SSI, users are in powerful control of their personal data, resulting in a privacy-first user experience.
Geopolitical Sovereignty: According to geopolitical sovereignty, data about citizens is subject to the laws and governance of the nation or state to which they belong. As data and the behavior of people become more valuable for countries, the transfer of data is regulated by laws like the US Cloud Act and GDPR. Compliance with cross-border data transfers is becoming more important than ever.
Organisational Sovereignty: Organizations want to protect the interests of their employees, gig workers, customers, and business ecosystem. They also have to comply with multiple data sovereignty laws in various countries (for example, Schrems II, CCPA, LGPD, and so on). This leads to questions like, "Where is my data?" "Who has access?" and "Who holds the keys?" The more global organizations are, the more complex this process is due to the numerous local regulations they have to follow.

Show description

In this session, we will explore 3 dimensions of digital sovereignty related to identity:

Sovereignty of the Individual: The need to protect the individual has triggered privacy laws around the world, like GDPR. Providing end users with more control is now taken one step further with the adoption of the so-called "Self-Sovereign identity (SSI)" and "identity wallets." With SSI, users are in powerful control of their personal data, resulting in a privacy-first user experience.
Geopolitical Sovereignty: According to geopolitical sovereignty, data about citizens is subject to the laws and governance of the nation or state to which they belong. As data and the behavior of people become more valuable for countries, the transfer of data is regulated by laws like the US Cloud Act and GDPR. Compliance with cross-border data transfers is becoming more important than ever.
Organisational Sovereignty: Organizations want to protect the interests of their employees, gig workers, customers, and business ecosystem. They also have to comply with multiple data sovereignty laws in various countries (for example, Schrems II, CCPA, LGPD, and so on). This leads to questions like, "Where is my data?" "Who has access?" and "Who holds the keys?" The more global organizations are, the more complex this process is due to the numerous local regulations they have to follow.

Speakers

CTO of Thales Digital Identity & Security
Thales Digital Identity & Security

Benoît Jouffrey

Benoît is actually the CTO of Thales Digital Identity & Security. He is in charge of the worldwide technical and innovation strategic plan and overall engineering coordination. His ambition is notably to identify and implement new technologies that can improve...

View profile

VP Global Enablement IAM
Thales Digital Identity and Security

Maarten Stultjens

Maarten is VP Global Enablement IAM at Thales Digital Identity and Security. He has a passion for identity and access management (IAM) and information security. On a daily basis he is in close contact with customers, IT-industry analysts, technology partners and deployment partners...

View profile

Show Transcript

Thank you Yako. We, we could do Dutch today together. Okay, well good to see you everybody. Indeed. We have in a moment. Well, we already have Ben, we there. Ben WAIS is in France. He couldn't make it to come here. This is my, well, I missed one European identity conference and during the coffee break, a lot of people say How? How come? Why do I heard about one Welcome. Well one, welcome. I welcome. I've been in Siam for 10 years. We were, well that was our claim, at least European Siam provider. We cared a lot about user experience but also a lot about sovereignty, about protecting the data, about consent management and so forth. And October last year we got acquired by Tais Talls Digital Identity and Security and that is a large organization in digital identity, about 15,000 people with all kinds of technologies.
Technologies for, well we are close by pass keys, but also like wallets, pki, HSMs. So a lot of related technologies and the topic that we would like to talk about today is following up on Mark Schrems about sovereignty and then especially what kind of technologies we can deliver to provide the, the sovereignty. And we will take that from a few directions. We will look at it from a user's perspective. So how can we protect the sovereignty of the individual, the user? How can we provide sovereignty for our customers? So customers have to control their data. They need to comply to the rules that of the regulations that we just heard. And last but not least, how can we live in a geopolitical area? So here we live in Europe, but there are other geopolitical areas that also want to protect their data and have regional rules here. Think about New Zealand and Australia. So combining all of this, we thought that it would be good to not only focus at pure IM, but take that a bit broader and that is exactly why I invited UA to present to you the broader perspective on sovereignty from all these three angles as well as from what we tend to call the edge and the core. So the user device and where the data resides. So with that, I would like to give the word to
. Hello. So, so having said that, the picture you have is not me. Okay. You see, I'm not, not a lion. And the second point is that it's not because you know, I spent several years in Bavarian, so I have the, no, you know, of the Bavarian lion. It's just, you know, to illustrate the topic we are going to to cover in this presentation, which is about sovereignty, Martin, if we go to the next slide, the way, I mean we can define this, sovereignty is at three different levels. The first part is obviously at individual level. I want to be able in control of the data that I present. This is coming with all the notions that you all know around, you know, the cells identity. The second element, the second level is at level you are an enterprise and you want for sure as an enterprise, as a company, as an entity to master, you know, the way I mean your data is, is being shared, is being protected.
And there is as well, you know, this third notion, which is the most abuse one, which is at regional level, it was a bit, you know, covered in the precedent presentation. You know, the fact that you want your data to reside in a dedicated region for instance, which can be a good discretion of the sovereignty concept as introduc by by Martin. The way we see that is not only at these three levels, individual, organizational and regional that we cover. We have for instance, couple of agreements that we signed, you know, to provide data security with the hips. But it's really, you know, at this edge and core side. So meaning both, you know, in the way we can secure the data in the device that is in the hands of the individual and the way we can for sure, as I just mentioned, I mean protect the data when it's residing on the core, meaning on the cloud side.
To illustrate that, I would like that we think, you know, together that we review together six topics which are a bit seen as challenges, you know, in this adoption of this I would say digital sovereign or if we are a bit more precise, the adoption of this self-sovereign identity or even more precise, you know, we can take one example, which is the EU ID wallet. You know, what are these challenges? The first two that you have on the left part of the slide, security and convenience came first in a survey that we run within seven countries in Europe. We had, you know, around thousand 800, you know, people that were interviews. So in these, in these seven countries, and we were asking, you know, what are the main, you know, blockers or challenges that you're seeing as an end user when deploying this EU ID wallet?
And the two points that came first is the security. So we have to take this notion of security in the broad sense of the term, including, you know, the privacy elements that were covered in the precedent presentation. But it's interesting to see that 60, 66% of the respondents, you know, highlighted this as being the main criteria. The second one is the convenience. And I have to say we don't have to undermine, I mean this one because depending on the edge, for instance, the, the younger, I mean the people were the more, you know, they were taking care about this convenience topic. So those who are really, you know, the two main pillars to ensure that people would feel at ease when deploying the EU ID wallet. I will not detail now all the topics which are there because I will cover a bit more into details.
Three of them, I will speak about security, I will speak about interoperability. I will come back on the regulation point, but let me speak about convenience, I just adjusted it. We have then the device dependency and recoverability. I mean this one is important because this is as well a mean for us to ensure that we have a good level on of inclusion when deploying this digital sovereignty. Meaning if the devices you know, are not compliant or cannot fit, you know, with the expectations or the type of technology we want to deploy to ensure the sovereignty, we have a problem. So we have a huge challenge, I mean behind this one and last one is the, is the business model. The business model is an interesting one, it's an obvious one, but I was a couple of weeks ago in a, in a conference and we're speaking, you know, about, you know, challenges around, I mean these deployments and namely about business model.
And I had one remark coming from someone you know at the api, so European payment initiative. And it was mentioning that when you are in such highly regulated, you know landscape, we have to be very careful about the way you data mine, I mean the business model. Because if you are too strict, you know, given the fact that the regulation could completely change, you know the way the money flows, you know from one you know, entity to the other, you can put at stake your entire business model. So we have, and this is why I put here, you have to keep this flexible and clear business model to ensure the success of the deployment. So let's come now more into details on these three points. I mentioned security first, the security as mentioned, we have to ensure it, I mean from the edge to the core and you know, this is of the points that we particularly have in mind.
You know, at Teles we are present on the two sides of the, of the equation. We are delivering, I mean secure elements. I mean I'm sure you have, you know, in your pocket one of the devices we are providing, you know, and that, and that's, you know, one of these secure element can be a passport, it can be you know, a sim card, it can be a banking card wherever. This is on the other side. I mean you have the, what I call them in the core, which is a bit Porwal of these secure element. We have the hsm, which are basically a sort of replication of the secure element. You know, this is a safe that is sitting on the core part of the, of the equation you have as well, you know, all the kms or the key management solutions that we are providing.
But when we are looking at that, we really want them to take it by the holistic approach. Not considering, you know, just one aspect and the other or the other, but really the entire chain. One message I would have to, I would like to pass here is that we should not try to reinvent them in the wheel. I mean for sure we have, we'll be facing a new problematics, but we have as well fields proven solutions that have been used you know, since quite some time. And we have to benefit from this experiment when this deploying, you know, this digital sovereignty or this, you know, EU I d wallet. Moving to the next slide, you, you know, when you speak about security you could say oi, it's very good, okay, you spoke about, you know, the secure element, et cetera. But there may be cases where actually the device, I mean you want to address has no secure element, et cetera.
And I think it's true and we have to acknowledge that we have, I mean to have, you know, a certain level of flexibility in the way, you know, we want to shape this end-to-end security. But this is, you know, raising a number of challenges like the one, you know, I put here and Emily on the interoperability because if you have, you know, different ways of implementing the security, being sure that one is equivalent to the other, that you're not breaking, you know, the entire security cause the device is a weak point in your encryption. This is a very important point. The second element I would like you know, to highlight here is the vast number of use cases we are addressing. And you could have as well, I mean, you know, there is a huge versatility in terms of use cases. If you look for instance after the document, you know, issued as per, you know, the new regulation, I mean there is a lot of use cases which are mentioned and this is, this can cause, you know, some issues in terms of interoperability.
And the last point is that you could have in other factors and national regulations, which are telling you, okay, fair enough. I mean you define, I mean this has to be implemented this way, but my own constraints, I mean my infrastructure is deployed this way. So it has to be that way. And there is behind that, you know, this interpretability challenge. Let's move to the last one, last one I mentioned is on the regulations. So I put here a number of regulations. So as you can notice, I mean the list is not, you know, complete. I did not put you o GS two, you know, there could be many, many others. There is no quiz. So I will not ask you, you know, to tell me what are, you know, the precise, you know, meaning of each of the acronyms which are there, but you recognize in Digital Market Act, digital services Act, cyber Resilience Act, cybersecurity act and so on and so forth.
What is interesting is that they're all part of the topic we are discussing and the the worry, you know, I have behind that is the consistency between all of them and the time that we have, you know, to implement that. And I think it's very important that we have this capability, you know, to benefit, you know, from this return of experience to be sure that, you know, okay, there is, I mean the consistency that can be expected from, from all of us at the end of the day to solve the two topics I mentioned, you know, the one on interoperability and the one on clarity. I would like to advocate, you know, the, the need for a clear certification scheme. We already have, you know, a lot of ingredients which have been working, worked out, you know, notably by the enza, which by the way has been mandated, you know, to work on this approach in terms of certification for the EU I d wallet.
But I think it's really important that we have something that is clear with no discrepancy. You know, if in one country it's on the paper, the same certification, but actually it's much more easier. I mean to get it in one country, we'll have a problem at the end of the day we will break, you know, this entire security I was mentioning, and again, if we are weak on the security side, we'll have a weak, you know, success from this digital sovereignty we are seeking for. Let's move to in this slide, what I wanted, so I spoke about, you know, some of the challenges I highlighted, you know, six of them and we went a bit more into details on, on particularly three of them. What I want to mention here is that when we are working on this topic, we should look a bit forward, not just, you know, at what we wanna make to achieve today, okay, the digitalization for instance of an existing, you know, physical document, et cetera, which we look at as well, what is upcoming, you know, and I put here, and you are already conscious of that, you know, the fact that tomorrow, this type of solution we want to implement, if I'm creating a wallet, it could apply tomorrow for the iot market.
And the iot market is very vast, very diverse. Put here the example of the connected cars, but you have as well, I mean very low end devices, which are, you know, causing, I mean the type of issue I was mentioning, you know, in terms of having a constraint, I mean devices that needs to ensure instance the level of assurance high. The second point is on digital ID for virtual world. I mean we've been engaged, you know, with some of our customers on this merge between the web two and the web three and the metaverse. But obviously, you know, this point is we have, I mean to have that in mind what we, we, what we are going, I mean to deliver will not only cover you know, the physical world and going a bit further when you are Francis the, in the metaverse in this virtual world, I mean there is, you know, the willingness, you know, to pay there is this notion of cryptocurrency, okay?
And you could have, you know, there implications of what we deploy in terms of KYC or a m l of or it could be, you know, in one of the use case that is popping up, I mean these days, which is about the c C, so the central bank and digital currents. The last point on the slide is related to a topic I already mentioned. This is, you know, I mentioned, you know, in the long list of regulations that it was the cybersecurity act, the Cyber Resilience Act, which are claiming, you know, the fact that you will be able, you know, to upgrade, you know, your overall security case. I mean there is a bug or there is discovered them in weakness when, good example, you know, that we need all, you know, to take into account when deploying. For instance, the E U ID wallet is on the pqc side, which is there we could say, okay, oi, you are dreaming, okay, we will not have any quantum attacks, you know, in the next, you know, 10 years, you know, on this type of solutions maybe, but what is the time then, you know, to protect what is the time, you know, how will you protect against attack with, you know, stealing and start storing you know, your data and waiting for the time and they can decrypt it, you know, to reveal, I mean your, your secrets.
So this is really something we check seriously into account we are intensively working with. To conclude, I would like to recap what I was mentioning in the in introduction and what I put, you know, on the top of the slides is almost, you know, the Talls logo. I mean this is building a future we can all trust actually what we want here all to achieve is building a future sovereignty. We can address squeezed a bit, you know, the tells Mont, I may say it this way, I mentioned, you know, these six, you know, elements which are of utmost importance, you know, to be successful in this digital sovereignty. I took the example of the E Eid wallet giving you the result as well, you know, of a survey that we were conducting, which are by the way, available on our website. And if you go to our website and you do a search, you know, on this topic, you will get, I mean all the details around this, these surveys. And the last point I wanted to mention is that when working on this at EU level, you know that there have been four large scale pilots being deployed. We are participating to two of them and we are really, you know, using, I mean this experience and this participation to, you know, adjust, you know, the way we will serve this digital sovereign. Thank you very much.
Thank you both for this presentation. We do have one question from the audience. It's, there is a view that HSMs cannot satisfy LOA high requirements. What is your opinion?
I think I would then to the i f so the architecture reference framework, which was edited by the Digi Connect in its second version a couple of days ago. And the highlights, you know, in this edit version, which is by the way, very interesting. I really encourage you, I mean to read it three different ways, you know, of ensuring this uha high. And the first one is what I mentioned can be around the elements, et cetera. And one is precisely the usage of hsf. So I would not pretend that, you know, what is right in Europe is totally wrong. So I would humbly, you know, refer, I mean to the, i f to say that I believe we can obtain, you know, a high level of insurance leveraging on hsa.
Thank you. Thank you Martin. Betel, thank you. Oi, thank you for this very interesting session. There are lots of challenges in front of us. Next time you'll come to us, you need to talk about the next steps.
All right.

Playlist

European Identity and Cloud Conference 2023

Event Recording

Entitlements - Claim vs. Reality

May 10, 2023

The claim or desire for authorizations, permissions and the rights set in practice often have a wide divergence. Typically, more rights are assigned unconsciously than were actually required.

The resulting vulnerabilities can have significant consequences therefore, it is essential to be able to monitor the true permissions at any time, regardless of how the permissions have been set. It is almost impossible to manage monitoring manually, even in small environments. Therefore, independent automatisms that can automatically explore, analyze and report the real settings are becoming a requirement.

In this session we will show you how Cygna Labs can support you in these challenging tasks and thereby ensure and improve security in your company.

Watch

Event Recording

Reduce Certification Fatigue with Effective Role Management

May 10, 2023

IAM and security leaders end up certifying far more access than necessary, owing to a failure to classify business resources. Furthermore, business users pay the price because they must spend an inordinate amount of time filling out these lengthy surveys. Benoit will show how to reduce certification fatigue through robust role management, which helps business users achieve better results while taking less time out of their day.

Watch

Event Recording

Verifiable Credentials for the Modern Identity Practitioner

May 10, 2023

You heard about Verifiable Credentials and decided to learn more. You found some stuff online, but despite knowing your way thru identity, you still can't really tell how they work in practice (wallets? presentations?) or how the boldest claims (no more centralized DBs! Apps cannot save PII!) will play out. This session will dive into VCs and separate the hype from their true, remarkable potential.

Watch

Event Recording

Panel: What Happens When Applications Don't Use the Identity Standards We Have Built

May 11, 2023

OAuth 2.0 is a widely adopted standard for authorization, but it can be complex to implement correctly. It's not uncommon for developers to have difficulty understanding the nuances of the OAuth 2.0 flow and instead rely on simpler approaches such as using API keys in "god mode."

OAuth 2.0 can be difficult to set up and configure, especially for developers who are new to the standard. It involves creating an OAuth 2.0 client, setting up redirect URIs, and managing access and refresh tokens, which can be confusing and time-consuming. Additionally, the standard requires developers to handle user authentication and authorization separately, which can be difficult to understand for those who are not familiar with the concepts.

Many developers may not understand the security benefits of OAuth 2.0 over API keys. OAuth 2.0 allows for fine-grained access control, enabling developers to limit access to specific resources and actions. In contrast, API keys provide more open access, allowing all actions on all resources. Developers may be inclined to use API keys instead of OAuth 2.0 because they are simpler and easier to implement, but they don't offer the same level of security.
Developers may find it hard to understand the standards, and may end up using an inconsistent approach.

The panel will discuss these reasons and other potential causes for why developers may not be using OAuth 2.0 correctly, and provide recommendations for how to overcome these challenges. We will highlight the benefits of OAuth 2.0, such as improved security and the ability to provide fine-grained access control, to encourage developers to adopt the standard. Additionally we will give examples of real-world attack scenarios that could have been avoided if the application was using OAuth 2.0.

Watch

Event Recording

Ahead of the Curve - the Customer Demands it, the Market Demands it, do You?

May 10, 2023

Companies today are being faced with business-critical yet seemingly conflicting topics; how to build trust, loyalty and personalized experiences that fuel growth in a world of fading cookies and GDPR. There has never been more urgency than now to focus on strategy and technology to meet the demands of the privacy-conscious consumer. The collection of data and its management is core to this challenge, but current identity methods are missing the opportunity to solve it with legacy approaches and risk-based thinking. At IndyKite, we believe that facing this mounting challenge requires us to make leaps in both our thinking and technology implementations. Join us as we challenge the current operating state and discuss what the world might look like when we have the tools to power a truly customer-centric ecosystem - one where consumer data ownership and personalized services that fuel growth are no longer at odds.

Watch

Event Recording

Better Safe than Sorry: A Peek into the Future with IGA

May 10, 2023

Engineers across organizations struggle with increased anxiety and stress every time they hit the push button to make complex system changes. One mistake can hinder business as usual, introduce unnecessary risks, and cause non-compliance with policies that can cripple the whole organization.

Simulations could be the answer engineers are looking for. They are used in various fields to study complex systems and help engineers create hypothetical scenarios to see the impact of certain changes before implementing them.

In this presentation, the Evolveum Development Team Leader, Katarina Bolemant, will explain the motivation and common pain points of deploying an IGA solution. She will show you the endless possibilities of using simulations to evaluate the impact of changes and how to identify potential issues and reduce the risks of errors. Using simulations will lift the burden off engineers’ shoulders, increase confidence in their decisions, and build stronger relationships with other stakeholders.

Offer a peek into the future, and both technical personnel and decision makers will appreciate you for providing the possibility to review the simulated results and make necessary adjustments before implementing changes in the production environment.

Watch

Event Recording

An Analysis of Global Decentralized Identifier Data

May 12, 2023

Decentralized Identifiers (DIDs) offer a unique solution for digital identity verification, allowing individuals to have complete control over their own identity and eliminating the need for a centralized registry or authority. In this session, we will explore the insights that can be gained through the analysis of global DID data. At Danube Tech GmbH, we have developed version trackers that monitor various DID methods, such as did:indy, did:ebsi, did:ion and others, collecting and storing data on DID transactions in our database for analysis. During this session, we will present the results of our latest analyses, including trends in DID transactions over time, distributions across different verification methods, and errors found in DIDs and DID documents. This information can be valuable for businesses looking to understand and utilize DIDs in their operations, as well as for individuals seeking to use DIDs for their own digital identity management.

Watch

Event Recording

Lessons Learned from IAM Transformation in Banking

May 11, 2023

Legacy IAM cannot be just "improved". It needs a "Transformation". But how an IAM transformation could be successful in the financial sector, especially banking? In this presentation I would like to share the top lessons learned from such a transformation.

Watch

Event Recording

Verifiable Digital Credentials: Comparison of Characteristics, Capabilities and Standardization of Emerging Formats and Issuance Protocols

May 10, 2023

In 2022, several standards organizations and open source groups made great progress defining protocol specifications and code for the issuance of digital credentials. In this session, learn about and discuss some of the emerging issuance protocols, and compare their features, capabilities and trade offs.

Watch

Event Recording

Designing the New Identity Fabric

May 11, 2023

Modern applications and environments are driving a new Identity Fabric. Are you ready to build yours? Join Vadim Lander, Chief Technology Office and Distinguished Engineer at Broadcom Software, as he discusses the design considerations to evolving your Identity and Access Management solution to build a Zero Trust foundation and bridge the identity gap across your hybrid environment.

Watch

Event Recording

Zero Trust with Zero Buzz

May 11, 2023

The objective of the talk is to:

(10%) Clear out the noise around Zero Trust: why Zero Trust has became a buzzword
(20%) Define Zero Trust
(60%) Set the journey:
- how can we implement Zero Trust?
- where to start? how to do it?
- what are the building blocks?
- building blocks stages and maturity?
(10%) How can Zero Trust protect us against today's threats.

Watch

Event Recording

Validating the Security of Mobile Authentication Apps

May 10, 2023

You are shifting through RFIs for a new mobile app based multi-factor authentication solution for your company. The vendors claim that their products are 100% secure and we all know that there's no such thing as a 100% secure solution, but it's marketing and you know how marketing sometimes goes overboard. How do you determine if the solution is actually fit for your appetite for risk? Can you be sure development time dev credentials have been cleaned up? Is the rooting detection any good? Does the app store plaintext credentials? Is it vulnerable or can someone build a scalable attack against the product you are about to acquire to protect your crown jewels? Let's take a look at different options out there and talk a little bit about what you can request from the vendors.

Watch

Ask an Analyst

3 Dimensions of Digital Sovereignty