KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
As the pace of digitalization gathers momentum, organizations are witnessing a dramatic increase in the number of digital identities. These identities interact with systems and applications relentlessly to perform day-to-day IT tasks. Nevertheless, maintaining the privacy of this data is a daunting task. Enterprise data is hosted in multi-tenant cloud, managed service providers and distributed data center environments. How an organization can maintain data privacy in this evolving IT access control use-cases depends on the level of preparedness to protect and monitor those digital identities. An identity and access management solution provides adequate safeguards to enforce IT practices necessary to maintain data privacy.
Russia’s invasion of Ukraine has tectonic consequences for citizens and businesses across the world. An expectation of normalcy post the pandemic has been replaced with fears of increased gas prices and supply chain disruptions. Attackers are expected to leverage the context to carry out advanced cybercrime intrusions, leaving businesses susceptible to attacks that could have potential second and third-order effects on their operations. A cyber problem immediately becomes a business problem that requires effective business continuity contingency plans built around defensible, risk-informed choices.
In this panel session, you’ll hear from security leaders who will provide a pragmatic assessment of organizational dependencies to improve your odds of identifying and mitigating cyber attacks, while addressing the increasingly challenging risk environment organizations find themselves in.
David will talk aboout a new technology that allows the person owning a public key to prove that they have memorized a passphrase, from which they could at any time easily compute the private key.
One example use is for votexx.org elections, which are conducted remotely without polling places. The ballot-casting in such elections is done by a signature that is publicly verifiable as corresponding to a particular public key posted in advance by the election authority. The voter registration authority would require a proof that the voter knows the corresponding passphrase and hence ensures that the voter has irrevocable access to the private key corresponding to the posted public key. This lets the voter give all of their keys (in an extreme case) to a vote buyer and/or coercer – while the voter is never able to give up knowledge of the passphrase and the ability that it confers to secretly cancel any vote made with the corresponding private key. This is just one example David will feature in his presentation.
Most OAuth deployments today use bearer tokens – tokens that can be used by anyone in possession of a copy of them, with no way to distinguish between legitimate uses of them and those that stole them and used them for nefarious purposes. The solution to this is proof-of-possession tokens, where the legitimate client supplies cryptographic material to the issuer that is bound to the token, enabling it to cryptographically prove that the token belongs to it – something attackers cannot do because they don’t possess the proof-of-possession cryptographic material.
The OAuth DPoP (Demonstration of Proof of Possession) specification defines a simple-to-implement means of applying proof of possession to OAuth access tokens and refresh tokens. We will describe real attacks occurring every day against bearer tokens and how they are mitigated by DPoP, providing defense in depth and making real deployed systems substantially more secure with minimal implementation and complexity costs.
These attacks and mitigations are particularly relevant to high-value enterprise deployments, such as in the financial, manufacturing, critical infrastructure, and government sectors.
The internet was designed without a trusted identity layer to connect physical entities to the digital world. This layer is now emerging in the form of decentralized digital identity systems (aka self-sovereign identity or “SSI”) based on digital wallets and digital credentials. What industry insiders have demanded for long is becoming reality. This is bringing challenges to the forefront including resistance of the identity establishment and major questions about interoperability between emerging and existing identity systems.
The Trust over IP Foundation was founded by a pan-industry group of leading organizations with a mission to provide a robust, common standard and complete architecture for internet-scale digital trust. In this session, leaders in digital identity from the ToIP Steering Committee will outline the impact this missing layer has had on digitization of trusted interactions, why technology alone won’t solve this and how the ToIP stack is designed to tackle both technology and human governance to bring open and interoperable standards at each layer of the trust architecture. This interactive panel will be moderated by ToIP’s Director of Strategic Engagement and will explore the views of its member organizations for a lively and engaging debate on how we finally establish trust in the digital age.
Decentralized identity is an incredibly flexible technology that solves fundamental problems in the way we manage digital communication. But this capacity to do more than one thing at once can be a source of confusion: How do I actually build a decentralized or self-sovereign identity solution today? How do I put all the components together? In this session we use the framework of a Trusted Data Ecosystem to show how you can use decentralized identifiers, software agents, verifiable credentials, and the supporting infrastructure to verify data without having to check in with the source of data. We show how we used Trusted Data Ecosystems to deliver solutions to financial services, healthcare, and travel to global enterprises—and we give you a preview of what the next steps are for these technologies.
After his presentation on Strategic and Tactical approaches for Zero Trust, in this presentation Fabrizio will breakdown the components of a Zero Trust implementation and highlight what a company needs to implement it. Fabrizio will also cover use-cases like legacy or cloud-based applications.