Event Recording

Continuous ZeroTrust as a Way To Know Your User

Speaker
Mateusz Chrobok
VP of Innovation
Revelock
I am following the data as a VP of Innovation in Revelock (formerly buguroo). Behavioural biometrics, ethical data processing and continuous authentication are my current focus. I am a security geek with a strong belief that changing the world to make it better is possible. I have...
Playlist
European Identity and Cloud Conference 2021
Event Recording
Panel | A First-Person Account of Third-Party Identity Risk Management
Sep 15, 2021

In a 2018 study by Opus & Ponemon on data risk in the third-party ecosystem, more than 75% of companies surveyed said they believe third-party cybersecurity incidents are increasing. Those companies were right to believe that.

As our world becomes more digitized, and thus more interconnected, it becomes increasingly difficult to safeguard organizations from cybercrime. Add to that challenge a global pandemic that all but forced organizations to become “perimeter-less,” if they weren’t already, and the potential access points for bad actors through third-party access increase exponentially.

The problem is two-fold.

The landscape of third-party users is vast and continues to grow. From third-party non-employees such as vendors, contractors and affiliates to non-human third parties such as IoT devices, service accounts and bots, more organizations are engaging third parties to assist with their business operations and help them innovate, grow faster, improve profitability, and ultimately create greater customer value – faster. On average, companies share confidential and sensitive information with more than 580 third parties, and in many cases an organization's third-party workers can actually outnumber its regular, full-time workforce.

Yet, despite the increased use of third-party workers in business, most organizations lack the proper third-party risk culture, processes, and technologies to protect themselves against the long list of third parties with access to their sensitive data and systems. Organizations have such systems in place to manage their full-time employees but lack the same level of rigor for managing these higher-risk third parties. As a result, many third-party users are granted more access than their roles require, and, most disturbingly, that access is frequently not terminated when the third party no longer needs it.

Without the right third-party identity lifecycle management procedures in place, businesses unwittingly expand their attack surface, unnecessarily put sensitive information at risk, and create additional access points for hackers.

Event Recording
Security Automation in the Financial Sector: Research Findings, Best Practices, and Lessons Learned
Sep 15, 2021

This presentation combines the findings of a doctoral study into security automation in the financial sector with real-world experiences in implementing security automation. The research focused on strategies financial institutions need to reduce the gap between the attacker's time to compromise and the defender's time to detect and respond. Learn from the experiences of companies that have implemented or are implementing security automation. This session will look at what to expect from security automation (and what not to expect), how to decide what to automate, strategies to help ensure a successful security automation program, and lessons learned from success and failure.

Dr. Donnie Wendt, Principal Security Researcher, MasterCard
Event Recording
Introducing The Global Assured Identity Network (GAIN)
Sep 13, 2021
100 experts propose an interoperable scheme to create a virtual IDP.
Event Recording
Mission Possible or How to Implement Automated Identity Lifecycle in a 200 years old Enterprise
Sep 15, 2021

The Identity Lifecycle automation project at Swedbank lasted for 4 years. During all those years I fulfilled the business analyst role in the IAM area. I collected requirements, drew process models, and did detailed analysis. I also defined the minimum viable scope of the project and drove the team to reach the goal. Finally, I did acceptance testing. I can share the key activities for a business analyst throughout the different phases of the project.
Analysis
* Get descriptions of (or describe yourself) the HR processes that are related to the identity area.
* Get descriptions/explanations of the data feeds from HR systems.
* Describe your needs (such as future employment changes, deputies, etc.) to the HR-system development team in advance.
* Trust but verify: ask for example files/data. Perform data analysis to make sure that the previous descriptions and processes are valid.
* Just acknowledge that the “roll-out” of new processes is not a one-day activity; it can last for multiple months and must be treated and described as a separate process.

Development
* Help developers by clarifying tiny details with stakeholders
* Document the details
* Control the scope and drive the team to do correct prioritization
* Discuss alternative solutions to implement the same business need

Testing
* Rehearse migration
* Rehearse roll-out
* If testing resources are limited, verify the major business cases. Prolong the pilot period to see rare business cases in production.

Roll-out
* Define different scopes and roll out in smaller scopes (to keep the incident queue manageable)
* Start the roll-out with the process that has the smallest impact on current employees (in our case we decided to start the roll-out with leavers)
* Set up regular meetings with major stakeholders to inform them about changes in the processes. It is good if you manage to agree on convenient communication channels (such as a chat in Teams) between operational teams so that incidents can be resolved quickly.

Pilot
* Verify not only concrete cases, but also analyze the data.
* Agree on a convenient way of communicating issues/bugs/questions to developers.
* Resolve incidents and fix bugs as quickly as possible, so that operating units don’t feel left alone with software/data issues.

Key takeaways:
* Everything is possible, but
* Define the viable minimum
* The management team must be involved and work for your project. Your project must be a priority for all stakeholders / involved parties
* Start the roll-out from the end
* Find a way to analyze your data to make sure that everything is OK

Ekaterina Silina, Business Analyst, Digital Identity team, Swedbank
Event Recording
How to Stay Relevant in the Age of Conversational Banking
Sep 14, 2021

The age of conversational banking represents a transformation of how and when banks interact with their users.

Şebnem Elif Kocaoğlu-Ulbrich, Founder, Contextual Solutions
Event Recording
Securing the Privacy of Non-logged in Devices
Sep 14, 2021

Many services across the web today allow users to consume the service without explicitly signing up. They generally identify users by a cookie containing a unique browser-id and store user data against it.

George Fletcher, Identity Standards Architect, Verizon Media Group
Deepak Nayak, Privacy platforms Architect, Verizon Media
Event Recording
The human factor in Cyber Security - Creating a cyber aware culture
Sep 14, 2021
Alex Weishaupt, Practice Lead Cyber Security, Morgan Philips
Event Recording
Why We Need Guardianship in the Digital World, and How We Might Approach Delivering Guardianship Using Verifiable Credentials
Sep 14, 2021
Guardianship is a condition of life in human societies. When we are young we may be looked after by parents until we become adults. When we are adults we on occasions need others to look after us, and sometimes we may need increasing levels of care as we age.
In our physical world, we may recognise a guardianship role between parents and children and within families, and we may have more or less sophisticated laws to recognise instances where someone needs to take care of another for medical, financial or other needs.
While the concept of Guardianship is reasonably well developed and understood in our physical lives, it is scarcely considered in our digital lives. Very few (if any) considerations are made for the possibility that someone may need another to look after their affairs online. Without this consideration, we resort to poor approaches such as where a Guardian needs to "log in" as the dependent, without the visibility of the service provider, or has to prove their Guardianship status to a service provider who is physically remote and often in a different legal jurisdiction.
In late 2019, the Sovrin Task Force on Guardianship wrote a white paper on Guardianship considering these issues against two specific use cases: a child refugee and an adult living with dementia. A Working Group was established at the beginning of 2020 to develop these ideas further within the context of Trust over IP and has produced two key documents: an Implementation Guide to Guardianship using Verifiable Credentials, and a Technical Requirements document for Guardianship using Verifiable Credentials.
I would like to present these new pieces of work and, hopefully, engage in a discussion on guardianship in the digital world.
**Please note that this work was created by a team working with the not-for-profit Sovrin Organisation and is provided on a Creative Commons BY SA 4.0 Licence**

John Phillips, Partner, 460degrees
Event Recording
Closing Keynote & Announcement of EIC 2021 Gamification Winners
Sep 15, 2021
Event Recording
Implementing Identity Management on AWS
Sep 15, 2021

Identity on AWS may be well trodden ground, but that doesn’t necessarily make it any more inviting for enterprise practitioners who may not have had occasion to yet dive into the topic when tasked with an implementation.

Jon Lehtinen, Director, Okta
Event Recording
Panel | Futureproofing Pharmaceutical Supply Chain Security
Sep 14, 2021
Bob Celeste, Founder, Center for Supply Chain Studies
Jeffery Denton, Vice President, Global Secure Supply Chain, AmerisourceBergen
Georg Jürgens, Manager Industry Solutions, Spherity
David Kessler, President, Legisym
David Mason, Supply Chain Compliance and Serialization Lead, Novartis
Gena Morgan, Strategic Consultant, GS1 US
Dr. Oliver Nürnberg, Chief Product Owner, SAP Life Sciences
Event Recording
Identity Management as a Service - What it is and How to Build One
Sep 14, 2021

I considered myself quite an experienced programmer with some expertise in Identity management when I was hired by Swedbank to work as a full-time Identity engineer. Besides projects, I had an assignment from my manager to describe an architecture for IAM as a service. Honestly, I had no clue how to envision it. I tried to assemble standards and squeeze something out of practices and papers. But these were not really all my ideas and I did not feel very confident. But something started to happen in the last few years when we had a very hard time implementing our IAM project (believe it or not, it was successful). We had to answer the questions "why", "what" and "how" a hundred times. And finally the blueprint of the architecture of IAM as a service appeared from the mist. It is not the one and only, because the same size does not fit all. Still, I do not agree that there is an indefinite number of possible solutions. I think similar enterprises and engineers may find this presentation useful for drawing their own blueprints.

IAM projects usually start with implementing the baseline IAM processes - joiners, leavers, movers - because this is what is usually most needed. But then you will get asked for more - identity data, events, other services. This is what makes up IAM as a service.

Neeme Vool, Software Engineer, Swedbank