KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
With digital transformation continuing to change the way customers interact with businesses, organizations need to provide a personalized, seamless and friction free experience to their customers to increase engagement and retain subscribers. All of this amidst a rapidly increasing threat landscape and a growing awareness of data privacy and ownership. Join James Lapalme from Entrust, to learn about the evolution of CIAM to meet the customer expectations of today, while looking ahead as to what the future of Identity holds.
With digital transformation continuing to change the way customers interact with businesses, organizations need to provide a personalized, seamless and friction free experience to their customers to increase engagement and retain subscribers. All of this amidst a rapidly increasing threat landscape and a growing awareness of data privacy and ownership. Join James Lapalme from Entrust, to learn about the evolution of CIAM to meet the customer expectations of today, while looking ahead as to what the future of Identity holds.
Decentralized identity has long been seen as a solution to the interconnected problems of verification, privacy, and security online, but now that it is being deployed in the marketplace, how does it manage the complex information flows and rules required by enterprises and governments? Much theoretical discussion has focused on what should happen, but in this conversation, we’ll discuss what actually happens when a customer implements a decentralized identity solution. We’ll explain why decentralized ecosystem governance is preferred to centralized trust registries, the importance of portable trust, automation, updating, and offline functionality, and why customers need to be able to choose between hierarchical and distributed governance.
You often think service providers should build identity and API security infrastructure by themselves to have full control and flexibility so that it can fit into their business and technology stack. But it tends to be time consuming and costly due to lack of expertise to do so. Buying a heavy-weight solution is another considerable option, but it reluctantly leads dependency on the particular vendor of the solution, which may have redundant features and may not accommodate to customize in a cost-effective and timely manner. In this session, we will discuss a third option to “buy and build” that can combine the best of both worlds and give you control by building from scratch, as well as minimize the time and resource by leveraging “Identity Components as a Service.”
This workshop will feature the innovative and strategic initiatives underway at the Kantara Initiative. Where do you fit in and how can you benefit from all that Kantara has to offer? Key takeaways:
Do you know during the peak holiday season, 75% of the traffic on your site can be malicious or bot?
In 2022, there has been an 85% increase in Account takeover and it results in not only monetary losses but also losing consumer trust.
To address these, the right authentication strategy is a combination of active authentication (SMS, Push Notification, WebAuthn, passkeys) and passive authentication that includes IP reputation, device fingerprinting, and user behavior analysis. This enables a frictionless experience for “good users” without lowering the defenses for “bad users.”
In this session, we’ll explore Dark Web techniques, open-source tools, and services that fraudsters use for credential stuffing, fake account creation, and account takeovers. In addition, we’ll share a practitioner's viewpoint on rolling out various active and passive authentication solutions and how the convergence of identity and fraud can help you build the right passwordless strategy.
Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.
How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.
Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionles
In this session, I will first talk about the design considerations and challenges when applying SSI to IoT, followed by the description of an initiative for creating an embedded SDK for SSI. Finally, I will discuss new opportunities for building decentralized identity and access management solutions for IoT.
The cornerstone of the digital world is trust and key to that experience is a secure and verifiable digital identity. More than one billion people worldwide lack a basic verifiable identity. Without recognizable and consistent proof of identity there can be no financial, health, citizen, or digital inclusion. Women in Identity is a not-for-profit organization championing diversity and inclusion in the identity sector. Women in Identity enables change through awareness from our research projects (such as the code of conduct) and through our sponsors and members. In this keynote the chair and vice chair of the Board will share insights on the impact of identity exclusion and provide practical and pragmatic ways organizations and individuals can help drive Identity inclusion.
Italy has two National Digital Identity schemes, namely: SPID and CieID (leveraging the national ID card). Both of them are based on SAML2 and are on their way to supporting OpenID Connect. The reasons for this decision are numerous, and they are primarily related to OpenID Connect Core features such as flexibility, ease of implementation, better support for mobile applications, and widespread adoption, particularly in the private sector. To manage this transition, we considered several documents by the OAuth working group describing security best Current Practices and the OpenID Foundation specifying a profile for iGov and a framework for federation. In particular, the latter defines a hierarchical federation model with high security, interoperability, scalability, and transparency based on dynamic delegation mechanisms; Italy is an enthusiastic early adopter.
In this talk, we introduce the Italian OpenID Connect profile based on the iGov and federation profiles and explain the main security measures that we considered within our design from the aforementioned standards and available best current practices. We also discuss how the Italian OpenID Connect profile contributes to the iGov and OpenID Connect Federation documents. We conclude the presentation with a brief discussion of eIDAS 2.0 and some of the ongoing preliminary works in the context of the Italian digital identity ecosystem to move toward an SSI-based solution using the Italian OpenID Connect profile as a starting point.
None of us in this industry work with bricks and mortar or other tangible, real objects. Everything we do (in IT, not just Identity and Access) is instead a digital representation, an abstraction, of something that might exist in the real world.
Identity and Access is the glue for many of those digital representations, and this concept of representation may be the most important thing to understand when considering the different possible meanings of words.
People new to Identity and Access quickly find that many of the words they encounter have different meanings than they first thought. Most frequently encountered are probably “user” and “identity” - do they represent the same type of entity or is a difference intended? Do they refer to the physical, real life person or do they refer to a virtual, digital object somewhere within the IT systems? Or both at the same time? And since people are often reluctant to show weakness in front of perceived experts, questions are too often not being asked when unsure.
In any industry, a typical consequence of miscommunication is that the end product or project will have lower quality or take longer to get delivered. This presentation highlight how this problem of misunderstanding may be larger in our industry of Identity and Access than in others, discuss why that is, and what might be done to counter it.
The presentation offers examples of where terms are ambiguous (where definitions seem to vary across the industry) and it discusses ways to perhaps improve the situation.
The presentation is based on a corresponding article in the IDPro Body of Knowledge.
AML-compliant customer identification in the finance and banking sector (KYC) in Germany is subject to the requirements of BaFin (the regulatory authority) and the Money Laundering Act. This involves the use of both on-site and online identification procedures, which are often provided by external service providers as “critical outsourcing" and as data order processing. In the age of ID wallets, this KYC process needs to be redeveloped from a regulatory, data protection and technical perspective - especially because the regulatory framework currently does not (yet) explicitly provide for the case of an ID wallet. The presentation describes the challenges for ID wallets and ID issuers in the AML context and shows an exemplary implementation.
This session will share how the concept of a Global Assured Identity Network (GAIN) has evolved since 155 identity experts proposed it in 2021. It summarizes a recent paper by the non-profits that guide the GAIN vision.
GAIN remains a call for collaboration toward globally interoperable identity assurance at-scale - a purpose that underpins the goals of governments, intergovernmental agencies, and private industry. It has inspired multiple working groups and continues to unite six non-profits - even (and especially) as the technical and policy landscape evolves to include emerging standards (e.g. MDLs, DIDs, VCs) and regulation (e.g. eIDAS 2.0).
This talk reflects on GAIN's relevance in today’s landscape and shares progress. It includes a deep dive into the technical community group at the OpenID Foundation, which has built a prototype that demonstrates cross-network trust and high-assurance identity data exchange. It now turns its attention to digital wallets, verifiable credentials, legal entity identifiers, and government-issued IDs.
It also reviews forward-thinking policy work by the Open Identity Exchange, which paves the way for Smart Digital IDs. Their Global Policy Metadata Framework proposes the standard publication of policy characteristics. In this world, policy metadata is shared between each trust framework through trusted wallets.