eIDAS 2.0 and EUDI Wallet - State of Play

Learn how Raiffeisen Bank International heads toward decentralized identity to empower their customers across Europe and set the gold standard for privacy protection.

The increased mobility of users and their demand for personalized, unified omnichannel access experiences has stretched federated IAM beyond its limits. Meanwhile, the need for organizations to collaborate more to compete, and build communities of trust and value for those same users affordably and securely, cannot be met by existing federated IAM solutions. Learn how Raiffeisen Bank International (RBI) will embrace the new paradigm of decentralized identity to improve existing experiences and create the opportunity for new, valuable user experiences and increased levels of engagement and collaboration withbusiness partners across multiple jurisdictions, without the need to replace their infrastructure. Simultaneously, understand why starting their journey now, enables RBI to future-proof their ecosystem to rapidly support the EU Digital Wallet and official digital credentials that will become available. Get a glimpse into the solution architecture being deployed at RBI and an understanding of the benefits and how they can be communicated to executive leadership and business partners. Yes, decentralized identity may be great for web3 someday; however, learn from RBI how it can also solve today’sproblems in a practical way and work in harmony with existing IAM systems enhancing existing federationplatforms.

As organizations shift to agile development methodologies and the use of cloud-based platforms, they have the opportunity to leverage the cloud to improve their security practices. By adopting a DevSecOps approach, organizations can integrate security into the development lifecycle and take advantage of the scalability, flexibility, and automation capabilities of the cloud.

In this session, We will explore the benefits of leveraging the cloud for security in DevOps, and discuss the key principles of DevSecOps architecture, including collaboration, automation, and continuous integration and delivery. We will also examine the role of security tools and technologies, such as static code analysis, dynamic testing, and vulnerability management, in the DevSecOps process, and discuss how these tools can be effectively deployed in a cloud environment.

In addition, I will provide practical guidance and strategies on how organizations can implement the latest DevSecOps strategies in their cloud environments. This will include a discussion of best practices for integrating security into the development process, such as setting up security gates, implementing security testing early in the development process, and automating security checks.

Overall, this session will highlight the benefits of leveraging the cloud for improved security in DevOps, and provide practical guidance with the latest cloud technologies on how to implement DevSecOps effectively in a cloud environment.

IAM and security leaders end up certifying far more access than necessary, owing to a failure to classify business resources. Furthermore, business users pay the price because they must spend an inordinate amount of time filling out these lengthy surveys. Benoit will show how to reduce certification fatigue through robust role management, which helps business users achieve better results while taking less time out of their day.

Identity Governance and Administration (IGA)is a core component of Identity and Access Management (IAM) infrastructure and refers to integrated solutions that combine Identity Lifecycle Management (ILM) and Access Governance. IGA helps to cut costs, increase security, improve compliance, and give users access to the IT resources they need.

Depending on maturity in terms of IAM, some organizations may need to bolster their capabilities in ILM while others need to focus on Access Governance. But most organizations are looking for a comprehensive IGA solution, that combines traditional User Access Provisioning (UAP) and Identity and Access Governance (IAG).

Cross device flows lets a user initiate an action on one device (e.g. a SmartTV) and authenticate or authorize that action on a trusted personal device (e.g. a mobile phone). Examples includes authorizing a smart TV to access streaming content, or authenticating to a service by scanning a QR code with a mobile phone and completing the authentication on the mobile phone. This process of authorizing an action on a separate (but trusted) device from the one on which an action is initiated is an increasingly common flow, whether used for devices with limited input capabilities, multi-factor authentication or credential presentation. A number of standards have adopted this pattern including Device Authorization Grant (formerly Device Code Flow), Client Initiated Backchannel Authentication (CIBA) and Self Issued OpenID Provider (SIOP). These flows solve important business problems, but is vulnerable to attacks where the user is tricked into granting consent to an attacker. The IETF OAuth working group has recognised this challenge and is creating new guidance that leverages zero-trust principles to defend against these "illicit consent grant" attacks. This session will discuss the attacks and how the new guidance can mitigate these threats against cross device flows.

This presentation will provide an overview of the terminology and basics of AI and ML in the context of Identity and Access Management (IAM) and Identity Governance and Administration (IGA). It will explore a number of current use cases for leveraging ML in IAM, demonstrating the benefits of automation and enhanced security that ML can bring to identity management. The presentation will conclude with strategic considerations for using ML in IAM, highlighting the importance of considering business value, available data, and existing technologies when implementing ML-based solutions for identity management.

As organizations undergo digital transformation to zero-trust architectures, identity-driven security becomes a critical aspect. Beyond new authentication technologies, organizations must have strong authorization controls. Today, if and when an identity is compromised, the attacker can make lateral movements with very few restrictions and access a wide range of critical systems and information. Much of this over-permissive environment can be attributed to manual permissions management processes that are hard to maintain over time. Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC), which underlie these manual processes, provide a good baseline for access security. However, their complexity grows over time and the management overhead they place oftentimes subvert the very goals of security and compliance they are deployed for. Just-In-Time Access Management (JITAM) represents a new robust and secure authorization strategy that can reduce the need for periodic access certifications and manual role administration, while providing auditability. Learn how the authorization space is rapidly changing from RBAC and ABAC to JITAM, and how it could benefit your organization.

Today’s IT leaders are challenged to secure their complex multi-Cloud hybrid organizations while dealing with a severe cybersecurity skills gap and record levels of burnout and dissatisfaction from existing team members. The only way to overcome this challenge is more intelligent and pervasive automation to enforce policies governing access and behavior. IGA traditionally focuses on positive policies to grant access where appropriate, while Risk Management, as the other side of the coin, defines the negative; access, behaviors, and configurations to be prevented or at least identified and mitigated. In this talk, we’ll review how policies for granting and preventing access are complementary and form a balanced Yin and Yang for automation toward a Zero trust model.

Identity governance and administration (IGA) is a mission-critical part of every business as it relates to security, compliance, and operations. For large, global enterprises like ABB, finding the right identity solution is especially important—and especially complex. With operations in over 100 countries, 180,000 employees and contractors, 13,000 servers, 6,500 applications, more than 100 HR systems, and a complex Active Directory implementation, this was a challenging undertaking. 

In this session, attendees will learn how ABB leveraged its existing IT Service Management (ITSM) provider, ServiceNow, and Clear Skye, an identity governance and security solution built natively on the platform, to overcome the business complexities of implementing IGA. By aligning once locally managed systems across the business in one platform, ABB saves time, money, and frustration often associated with new tech integrations and onboarding processes. Stefan Lindner, Global Identity and Access Manager, will discuss how a strategic, platform-first approach to identity enables ABB to: 

• Maximize its current tech investment in ServiceNow 
• Eliminate the use of multiple, siloed tools, applications, and processes 
• Deliver an easy, familiar user experience for employees

IGA activities in organizations have largely been around defining access policies manually, configuring access request workflows and scheduling periodic access reviews.  Such activities require significant administration as well as continuous involvement by stakeholders.  There are also delays that come with this model that could potentially cause security risk and non-compliance in the organization.  An approach that is more intuitive is to discover policies, review them and apply access changes based on policies. This results in fewer IGA administrative and end-user activities for the organization while ensuring that both excess access and under access are addressed in a timely manner.