Event Recording

The Evolution of CIAM and What’s in Store for the Future of Identities

Show description
Speaker
James Lapalme
VP & GM Identity
Entrust
James Lapalme
James Lapalme is the VP/GM of Entrust. Before that, he was the CRO/SVP of Leonovus Inc. Prior to that, he was the Vice President of Business Development at WinMagic.
View profile
Playlist
European Identity and Cloud Conference 2023
Event Recording
Make Decentralized Identity work in the real world with Decentralized Ecosystem Governance
May 11, 2023

Decentralized identity has long been seen as a solution to the interconnected problems of verification, privacy, and security online, but now that it is being deployed in the marketplace, how does it manage the complex information flows and rules required by enterprises and governments? Much theoretical discussion has focused on what should happen, but in this conversation, we’ll discuss what actually happens when a customer implements a decentralized identity solution. We’ll explain why decentralized ecosystem governance is preferred to centralized trust registries, the importance of portable trust, automation, updating, and offline functionality, and why customers need to be able to choose between hierarchical and distributed governance.

Event Recording
The Killer Credential - Spotting Verifiable Credentials That are Absolute Must-Haves for Every Party in an Ecosystem
May 10, 2023
Event Recording
Security Offered as Components Empowering Enterprises to Gain Control
May 10, 2023

You often think service providers should build identity and API security infrastructure by themselves to have full control and flexibility so that it can fit into their business and technology stack. But it tends to be time consuming and costly due to lack of expertise to do so. Buying a heavy-weight solution is another considerable option, but it reluctantly leads dependency on the particular vendor of the solution, which may have redundant features and may not accommodate to customize in a cost-effective and timely manner. In this session, we will discuss a third option to “buy and build” that can combine the best of both worlds and give you control by building from scratch, as well as minimize the time and resource by leveraging “Identity Components as a Service.”

Event Recording
Kantara Initiative Meet-Up - The Identity Place To Be
May 09, 2023

This workshop will feature the innovative and strategic initiatives underway at the Kantara Initiative. Where do you fit in and how can you benefit from all that Kantara has to offer? Key takeaways:

  • Kantara leads the way in US certifications for compliance with NIST Digital Identity Guidelines, 800-63. With all the major US identity verification companies entering their assurance program to obtain trust marks against the NIST 800-63 standards, earning IA2, AAL2, and FAL2 certifications. Learn how to become part of this elite group of service providers.
  • Version 4 of NIST 800-63 is out and Kantara is defining the requirements in the Identity Assurance Framework. Learn about future updates that will enable you to participate in real-world innovation that allows service providers and relying parties to gain meaningful return on their investment on the cutting edge of digital identity founded on standards.
  • Get the latest reports, white papers, and releases from the Kantara Work Groups, some of which will also be featured during the conference, including the Identity Assurance Work Group (IAWG), Privacy Enhancing Mobile Credentials WG (PEMC), Advanced Notice & Consent Receipt WG (ANCR), User Managed Access (UMA) WG, and Resilient Identifiers for Underserved Populations (RIUP) WG.
  • Equity and inclusion is a key priority for Kantara, learn about recent efforts and ways to use DEIA strategies to raise your bottom line and increase your return on investment by building DEIA into your business case.
Event Recording
Breaking the Good User / Bad User Silos to Create a Better Passwordless Experience
May 11, 2023

Do you know during the peak holiday season, 75% of the traffic on your site can be malicious or bot?

In 2022, there has been an 85% increase in Account takeover and it results in not only monetary losses but also losing consumer trust.

To address these, the right authentication strategy is a combination of active authentication (SMS, Push Notification, WebAuthn, passkeys) and passive authentication that includes IP reputation, device fingerprinting, and user behavior analysis. This enables a frictionless experience for “good users” without lowering the defenses for “bad users.”
In this session, we’ll explore Dark Web techniques, open-source tools, and services that fraudsters use for credential stuffing, fake account creation, and account takeovers. In addition, we’ll share a practitioner's viewpoint on rolling out various active and passive authentication solutions and how the convergence of identity and fraud can help you build the right passwordless strategy.

Event Recording
Automated Serverless Security Testing: Delivering Secure Apps Continuously
May 10, 2023

Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.

How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.

Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionles

Event Recording
When SSI Meets IoT: Challenges and Opportunities
May 11, 2023

In this session, I will first talk about the design considerations and challenges when applying SSI to IoT, followed by the description of an initiative for creating an embedded SDK for SSI. Finally, I will discuss new opportunities for building decentralized identity and access management solutions for IoT.

Event Recording
Identity Inclusion – Why it Matters
May 09, 2023

The cornerstone of the digital world is trust and key to that experience is a secure and verifiable digital identity. More than one billion people worldwide lack a basic verifiable identity. Without recognizable and consistent proof of identity there can be no financial, health, citizen, or digital inclusion. Women in Identity is a not-for-profit organization championing diversity and inclusion in the identity sector.  Women in Identity enables change through awareness from our research projects (such as the code of conduct) and through our sponsors and members.  In this keynote the chair and vice chair of the Board will share insights on the impact of identity exclusion and provide practical and pragmatic ways organizations and individuals can help drive Identity inclusion. 

Event Recording
Past, Present and Future of the Italian Digital Identity Ecosystem
May 11, 2023

Italy has two National Digital Identity schemes, namely: SPID and CieID (leveraging the national ID card). Both of them are based on SAML2 and are on their way to supporting OpenID Connect. The reasons for this decision are numerous, and they are primarily related to OpenID Connect Core features such as flexibility, ease of implementation, better support for mobile applications, and widespread adoption, particularly in the private sector. To manage this transition, we considered several documents by the OAuth working group describing security best Current Practices and the OpenID Foundation specifying a profile for iGov and a framework for federation. In particular, the latter defines a hierarchical federation model with high security, interoperability, scalability, and transparency based on dynamic delegation mechanisms; Italy is an enthusiastic early adopter.
In this talk, we introduce the Italian OpenID Connect profile based on the iGov and federation profiles and explain the main security measures that we considered within our design from the aforementioned standards and available best current practices. We also discuss how the Italian OpenID Connect profile contributes to the iGov and OpenID Connect Federation documents. We conclude the presentation with a brief discussion of eIDAS 2.0 and some of the ongoing preliminary works in the context of the Italian digital identity ecosystem to move toward an SSI-based solution using the Italian OpenID Connect profile as a starting point.

Event Recording
Is it a User? Is it a Person? No, it's an.. Identity?
May 11, 2023

None of us in this industry work with bricks and mortar or other tangible, real objects. Everything we do (in IT, not just Identity and Access) is instead a digital representation, an abstraction, of something that might exist in the real world.

Identity and Access is the glue for many of those digital representations, and this concept of representation may be the most important thing to understand when considering the different possible meanings of words.

People new to Identity and Access quickly find that many of the words they encounter have different meanings than they first thought. Most frequently encountered are probably “user” and “identity” - do they represent the same type of entity or is a difference intended? Do they refer to the physical, real life person or do they refer to a virtual, digital object somewhere within the IT systems? Or both at the same time? And since people are often reluctant to show weakness in front of perceived experts, questions are too often not being asked when unsure.

In any industry, a typical consequence of miscommunication is that the end product or project will have lower quality or take longer to get delivered. This presentation highlight how this problem of misunderstanding may be larger in our industry of Identity and Access than in others, discuss why that is, and what might be done to counter it.

The presentation offers examples of where terms are ambiguous (where definitions seem to vary across the industry) and it discusses ways to perhaps improve the situation.

The presentation is based on a corresponding article in the IDPro Body of Knowledge.

Event Recording
The AML-Compliant ID-Wallet
May 10, 2023

AML-compliant customer identification in the finance and banking sector (KYC) in Germany is subject to the requirements of BaFin (the regulatory authority) and the Money Laundering Act. This involves the use of both on-site and online identification procedures, which are often provided by external service providers as “critical outsourcing" and as data order processing. In the age of ID wallets, this KYC process needs to be redeveloped from a regulatory, data protection and technical perspective - especially because the regulatory framework currently does not (yet) explicitly provide for the case of an ID wallet. The presentation describes the challenges for ID wallets and ID issuers in the AML context and shows an exemplary implementation.

Event Recording
GAIN in 2023 - and Beyond
May 12, 2023

This session will share how the concept of a Global Assured Identity Network (GAIN) has evolved since 155 identity experts proposed it in 2021. It summarizes a recent paper by the non-profits that guide the GAIN vision.

GAIN remains a call for collaboration toward globally interoperable identity assurance at-scale - a purpose that underpins the goals of governments, intergovernmental agencies, and private industry. It has inspired multiple working groups and continues to unite six non-profits - even (and especially) as the technical and policy landscape evolves to include emerging standards (e.g. MDLs, DIDs, VCs) and regulation (e.g. eIDAS 2.0).

This talk reflects on GAIN's relevance in today’s landscape and shares progress. It includes a deep dive into the technical community group at the OpenID Foundation, which has built a prototype that demonstrates cross-network trust and high-assurance identity data exchange. It now turns its attention to digital wallets, verifiable credentials, legal entity identifiers, and government-issued IDs.

It also reviews forward-thinking policy work by the Open Identity Exchange, which paves the way for Smart Digital IDs. Their Global Policy Metadata Framework proposes the standard publication of policy characteristics. In this world, policy metadata is shared between each trust framework through trusted wallets.