Event Recording

Hybrid. It’s Never Only One Thing

Show description
Eve Maler
Eve Maler
Eve Maler is ForgeRock’s CTO. She is a globally recognized strategist, innovator, and communicator on digital identity, security, privacy, and consent, with a passion for fostering successful ecosystems and individual empowerment. She has 20 years of experience innovating and leading...
View profile
European Identity and Cloud Conference 2021
Event Recording
Browser Features vs. Identity Protocols: An Arms Race?
Sep 14, 2021

In an attempt to protect users from excessive tracking and surveillance, the last couple of years have witnessed major browser vendors introducing increasingly restrictive anti-tracking measures. Identity protocols and features got caught in the crossfire, however, forcing identity software vendors and developers to hastily introduce changes to restore functionality that browser changes broke. Is this the new normal? What will we do when a change will break an identity feature beyond repair?

This session will review the main browser changes that have affected identity over the last few years – Chrome’s SameSite and Safari’s ITP2 in particular, interpreting them as part of a larger trend and attempting to predict what the future will look like for identity customers and practitioners.

Vittorio Bertocci, Principal Architect, Auth0
Event Recording
Identity Management as a Service - What it is and How to Build One
Sep 14, 2021

I considered myself quite an experienced programmer and having some expertise in Identity management when I was hired by Swedbank to work as full time Identity engineer. Besides projects, I had assignment to describe an architecture of the IAM as a service from my manager. Honestly, I had no clue about how to envision it. I tried to assemble standards and squeeze something out from practices and papers. But these were not really all my ideas and I did not feel much confident. But something started to happen in few last years when we had a very hard time implementing our IAM project (believe or not, it was successful). We had to answer hundred times to questions "why", "what" and "how". And finally the blueprint of the architecture of IAM as a service appeared from the mist. It is not one and only, because same size does not fit for all. Still, I do not agree that there are indefinite number of possible solutions. I think similar enterprises and engineers may find this presentation useful to draw their own blueprints.

IAM projects start usually from implementing baseline IAM processes - joiners, leavers, movers. Because this is what is usually most needed. But then you will get asked for more - identity data, events, other services. This is what makes up IAM as a service.

Neeme Vool, Software Engineer, Swedbank
Event Recording
From top-down ecosystems to collaborative ones
Sep 14, 2021
Traditional identity and access management solutions built so far on the trust for selected identity providers and their adoption from an ecosystem of identity owners and identity verifiers. The decentralized identity paradigm is disrupting these ecosystems and required more democratic collaboration and competition among a number of identity and credential issuers, identity owners, and verifiers selecting and using them. This requires not only to design and implement new technologies but also to identify new business opportunities and business models. Collaboration, experimentation, and evaluation are the road to adoption, and the EU collaborative H2020 research and innovation framework offers the opportunity to de-risk such collaborations, in favor of innovation.
This talk will present the activities and lessons from three EU collaborations, CityExhcange, ENSURESEC and ORCHRESTRA, generating innovation with the adoption of decentralized identities for individuals, things, and organizations among complex stakeholders ecosystems in the smart energy, e-commerce, and smart transport domains.


Dr. Michele Nati, Head of Telco and Infrastructure Development, IOTA Foundation
Event Recording
Panel | Identity vs Authorization - Where to Draw the Line
Sep 15, 2021

We will look at OAuth protocol and its misusage for authorization purposes. What is the difference between client and user authorization and at which stage should each happen? We will revise what Identity is at its core and what should or should not be part of it. And what about Group Membership – a ‘domain-driven’ advise how to triage roles between Identity and Authorization. All these best practices are backed by real-life experience.

- OAuth and its misusage as an authorization protocol
- Essence of Identity
- Difference between client authorization and user authorization in the context of OAuth
- Group Membership – where do roles belong?
- Theory backed by practice

Hristomir Hristov, Solutions Architect, KPMG
Martin Manov, Software Architect, Cobuilder International
Fabian Süß, Project Manager, KuppingerCole
Event Recording
Panel | Is Traditional MFA the Right Solution in a Post-COVID World?
Sep 14, 2021

The hybrid mix of remote and office work combined with digital transformation initiatives is driving the rapid adoption of cloud. This trend is also prompting organizations to rethink requirements for authenticating employees and other members of an organization supply chain. Companies are now exploring how to significantly improve both security and the end user experience. Unfortunately traditional multi-factor authentication is lacking in both areas. 

Joni Brennan, President, Digital ID & Authentication Council of Canada
Martin Kuppinger, Principal Analyst, KuppingerCole
Patrick McBride, Chief Marketing Officer, Beyond Identity
Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance


Discussion topics include:

  • How is the post COVID era changing the security and identity / access management landscape?
  • Should traditional MFA still be the “go to”?
  • What new requirements have emerged and why?
  • What approaches are advanced customers adopting?
  • What is the difference between Traditional MFA and newer options?
  • Is device trust important?  Why or why not?
  • What is the role of continuous, risk-based authentication?
Event Recording
Meeting Expectations – 5 pillars for IoT project success
Sep 14, 2021

Deployment of IoT installations are accelerating as organisations seek to expand their business by adding IoT functionality to their products/service, or reduce their costs by automating processes. Unfortunately, in many cases these initiatives are not adequately executed and, as a result, do not meet expectations.

In this session we will look at 5 pillars of an IoT deployment: the Device pillar ensures we select the appropriate sensors and actuators, the Control pillar guides our decisions on controller functionality, the Communications pillar ensures we consider which options fit our required functionality and budget, the IT pillar determines the level of integration between our IT and OT environments, and the Security pillar guides our protection strategy.

A holistic approach is a success-indicator for our IoT projects.

Graham Williamson, Director APAC / Senior Analyst, KuppingerCole
Event Recording
Why must CISOs and security leaders let IAM drive their cloud security adoption?
Sep 15, 2021

As organizations expand their cloud footprint to accelerate innovation and digital transformation, increased security risks pose an imminent and elevated threat to their growing cloud presence. The market is overwhelmed with numerous security technologies, approaches and frameworks for securing an organization’s cloud adoption journey, but security leaders and architects must meticulously assess the security risks associated with their cloud usage, migration patterns and digital interactions with customers, employees and partners to suite their business requirements and cloud security priorities.

Identity and Access Management (IAM) remains one of the key security disciplines to support digital transformation and cloud adoption objectives, by not only providing a secure identity and access foundation for the user, device and cloud-service types but also by offering additional cloud-specific security provisions that include cloud access management, cloud entitlement management, cloud privileged access and cloud access governance to its evolving technology portfolio.

In this session, we will discuss the important security tenets of an organization's cloud adoption program and how effective IAM architecture and planning can help navigate CISOs and security leaders through their cloud adoption journey.

Anmol Singh, Sr. Cloud Security Advisor, Microsoft
Event Recording
User Terms Engineering Layer for IEEE (The Institute of Electrical and Electronics Engineers)
Sep 14, 2021
Doc Searls, Co-founder and board member of Customer Commons, and Director of ProjectVRM, Harvard's Berkman Klein Center for Internet and Society
Event Recording
Identity, Privacy, Security - The European Perspective
Sep 13, 2021

In recent years, we have seen quite a few transatlantic policy issues with regards to Cybersecurity and the way how personal information is being treated by private and public organizations. The main areas where we see these differences are data protection/privacy, standards & certification and last but not least private-public information sharing.

Event Recording
Malware Manipulated in Cloud Environments - Is it Dangerous?
Sep 14, 2021

During this presentation, I'll show how the effects can bring in inside the Cloud environment if was exploitable by Malware using PDF file, explaining how each session works within a binary, what are the techniques used such as packers, obfuscation with JavaScript (PDF) and more, explaining too about some anti-desassembly techniques, demonstrating as a is the action of these malwares and where it would be possible to "include" a malicious code.

Filipi Pires, Security Researcher, THOR - Threat Hunting Offensive Researcher
Event Recording
Fraud Controls for Digital Identity Ecosystems
Sep 15, 2021

To date, Digital Identity Trust Frameworks have generally been light touch regarding the specification of fraud controls, relying on the theoretical protection a Digital ID offers through more robust authentication. It is true that improvements in authentication methods, such as soft tokens and biometrics, mean the ID theft vector of phishing for a user’s password may be removed. However, ID fraudsters will continue to use stolen ID information to create an ID in the victim’s name. They will continue to create synthetic IDs. They will also continue to try and take over victim’s accounts, using online account recovery and voice helpdesk channels to replace a strong authentication method with one that the fraudster controls.

In recognition of this ongoing threat from fraudsters, the Open Identity Exchange (OIX) has produced a comprehensive Guide to Fraud Controls for Digital ID Ecosystems.

The guide covers the processes and channels that need to be considered from a fraud risk point of view. It identifies the different types of fraud controls that should be applied in each channel, including ecosystem wide syndicated fraud controls, such as shared signals. The process of dealing with a suspected fraud is examined: how should these be prioritised, what investigation process should be followed, and how should victims be informed. Finally, it covers legal considerations when implementing fraud controls, in particular when sharing information and collaborating across the ecosystem to act as a joined-up defence against fraud attack.

This presentation / panel session will provide discuss these topics and how the guide can help those implementing Digital ID and provide the audience a chance to speak about their own fraud challenges with the authors and how the recommendations in the guide might be applied to help

Nick Mothershaw, Chief Identity Strategist, The Open Identity Exchange
Event Recording
Using Hypermedia to Adapt Client-side Login to Go Beyond Passwords
Sep 14, 2021

There are various ways that client applications may need to log in when going beyond passwords. With a username and password, client development is easy -- just collect a couple of inputs from the user and match them on the server. When going beyond these though, how can client applications be deployed and maintained in a way that the server still dictates what the client should present and obtain from the user when authenticating them?

Travis Spencer, CEO, Curity