OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has been historically difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last five years working to improve the state of the art and will present the latest developments in the field.
There are challenges when trying to achieve high security and interoperability with OAuth 2: many potential threats need to be addressed, some of which were not part of the original OAuth threat model. To achieve seamless authorizations, optionality must be minimized, both in OAuth itself and in any extensions used.
Six years ago, the IETF OAuth working group started work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.
We will introduce these specifications and help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and high security through the use of techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS. We highlight the benefits for implementers and the role of conformance testing tools.
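The sender-constraining the abstract mentions, worked through as an added example in Go that is not part of the talk or of any KuppingerCole material: a client builds a DPoP proof (RFC 9449) for one HTTP request and a server verifies it, including the binding of the proof to the access token's cnf.jkt thumbprint (RFC 7638). Endpoint URLs, the access-token string and the jti values are constructed placeholders; a real authorization server issues the token, and the iat acceptance window is a deployment choice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Parsed proof parts; encoding/json matches names case-insensitively on unmarshal, so "kty" fills Kty.
type ecJWK struct{ Kty, Crv, X, Y string }
type proofHeader struct{ Typ, Alg string; JWK ecJWK }
type proofClaims struct{ JTI, HTM, HTU, ATH string; IAT int64 }

func sha256b64(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }

// thumbprint is the RFC 7638 JWK thumbprint (required members, lexicographic order, no whitespace).
// The authorization server puts it in the access token's cnf.jkt claim; that claim is the sender-constraint.
func thumbprint(k ecJWK) string {
	return sha256b64(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k.Crv, k.Kty, k.X, k.Y))
}

// makeProof is the client side: one fresh ES256-signed proof JWT per HTTP request.
// accessToken is "" for the token request and the token value for resource requests.
func makeProof(priv *ecdsa.PrivateKey, htm, htu, accessToken, jti string, now time.Time) (string, error) {
	x, y := priv.X.FillBytes(make([]byte, 32)), priv.Y.FillBytes(make([]byte, 32)) // P-256 coordinates are 32 bytes
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
	hb, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk})
	claims := map[string]interface{}{"jti": jti, "htm": htm, "htu": htu, "iat": now.Unix()}
	if accessToken != "" {
		claims["ath"] = sha256b64(accessToken) // ties this proof to the token it accompanies
	}
	cb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256 is raw R||S
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyProof is the server side. expectedJKT is the cnf.jkt claim of the presented access token ("" at the
// token endpoint, where nothing is bound yet); seen is the jti replay cache. It returns the proof key on success.
func verifyProof(proof, htm, htu, accessToken, expectedJKT string, now time.Time, seen map[string]bool) (ecJWK, error) {
	hdr, c, p := proofHeader{}, proofClaims{}, strings.Split(proof, ".")
	if len(p) != 3 {
		return ecJWK{}, fmt.Errorf("malformed proof")
	}
	hb, e1 := b64.DecodeString(p[0])
	cb, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &c) != nil {
		return ecJWK{}, fmt.Errorf("undecodable proof")
	}
	// Pin typ, alg and key type: the header must never get to choose the algorithm.
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return ecJWK{}, fmt.Errorf("unsupported typ, alg or key")
	}
	xb, e4 := b64.DecodeString(hdr.JWK.X)
	yb, e5 := b64.DecodeString(hdr.JWK.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if e4 != nil || e5 != nil || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return ecJWK{}, fmt.Errorf("bad jwk or invalid signature")
	}
	// Bind the proof to this exact request: method and URL, freshness (window is a deployment choice), single use.
	if d := now.Unix() - c.IAT; c.HTM != htm || c.HTU != htu || d < -60 || d > 300 || c.JTI == "" || seen[c.JTI] {
		return ecJWK{}, fmt.Errorf("proof not bound to this request (htm/htu, iat window or jti replay)")
	}
	// Bind the proof to the presented token, and the token's cnf.jkt to the key that signed the proof.
	if accessToken != "" && (c.ATH != sha256b64(accessToken) || thumbprint(hdr.JWK) != expectedJKT) {
		return ecJWK{}, fmt.Errorf("proof does not match the access token or its cnf.jkt")
	}
	seen[c.JTI] = true
	return hdr.JWK, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, seen, as, rs := time.Now(), map[string]bool{}, "https://as.example/token", "https://rs.example/accounts"
	p1, _ := makeProof(priv, "POST", as, "", "jti-1", now)
	jwk, err1 := verifyProof(p1, "POST", as, "", "", now, seen) // AS would now issue a token with cnf.jkt = thumbprint(jwk)
	token := "constructed-access-token"                          // stand-in for that token
	p2, _ := makeProof(priv, "GET", rs, token, "jti-2", now)
	_, err2 := verifyProof(p2, "GET", rs, token, thumbprint(jwk), now, seen)
	_, err3 := verifyProof(p2, "GET", rs, token, thumbprint(jwk), now, seen) // same proof presented again
	fmt.Println("token endpoint:", err1, "| resource:", err2, "| replay:", err3)
}
```

The point of the exercise is the last two checks in verifyProof: a stolen access token is useless without the private key whose thumbprint sits in cnf.jkt, and a captured proof cannot be reused because of the htm/htu, iat and jti binding. The MTLS variant (RFC 8705) binds the token to the client certificate hash in cnf.x5t#S256 instead of a JWK thumbprint, and a production DPoP verifier additionally supports the server-provided DPoP-Nonce and keeps the jti cache shared across instances.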
As long as passwords exist, enterprises are vulnerable to account takeover attacks, yet organizations looking to eliminate passwords may not know where to begin their passwordless journey. While passwordless authentication methods, especially those based on FIDO2, are widely available, they are not yet universally supported or adopted. This lack of a universal approach can cause confusion, complacency, or both. Attend this session to learn why (and how) organizations should move away from passwords and legacy MFA and adopt a secure passwordless strategy centered on phishing-resistant MFA in 2023.
This panel discussion addresses what is currently happening to make the travel and tourism ecosystem ready for a digital identity with a level of assurance sufficient to cross an international border, board a flight and check in to a hotel. The travel ecosystem still revolves around a physical passport, ID card or driver's licence, and this is about to see incremental but pivotal changes. The digital wallet will also change the way we get ready to travel, adding verifiable credentials that travellers can share in advance of their trip.
Samuel Devasahayam will discuss the past decade of identity insights through Microsoft's lens, demonstrating that security in a digital age remains valuable, and detailing what these insights imply for the next decade of building customer trust and resilient infrastructures.
Autonomous networking aims at the appropriate handling of the growing number of devices, machines, sensors and components for which authentication and authorization must be ensured, i.e., identities must exist. The initial provisioning of such identities, but also the handover and onboarding into the respective operational environment (WiFi, smart home, factory floor), require scalable, automated, end-to-end secured procedures and concepts to facilitate trusted communication, but also, e.g., the provision of made-to-measure updates.
Making IoT/OT/IIoT identities and networks secure by design is essential. ACP (Autonomic Control Plane, RFC 8994) and BRSKI (Bootstrapping Remote Secure Key Infrastructure, RFC 8995) lay one foundation for achieving this.
Phishing, hacking, fraud, and malicious online behavior of all types share a common root: verification, or the lack of it. In this session we'll go beyond identity and explain how decentralized identity and verifiable credentials can provide a complete, secure system for exchanging different types of information between multiple parties. Learn how Trusted Data Ecosystems can connect people, machines, companies or any two entities to multiple businesses and jurisdictions without sharing private information. In this conversation, long-time Hyperledger community contributor, Decentralized Identity Foundation working group leader, and Indicio Senior Engineer Sam Curren will share more about digital trust and describe the critical importance of digital verification to decentralized healthcare, finance, the metaverse, and to the interaction of digital and non-digital objects in the spatial web, the "Internet of Everything."
The ICAO DTC Type 1 and the mDL standard are currently being used, or prepared for use, in several pilots. What are the lessons learned, and what impact do the panellists see or expect? The EU Digital Wallet will also have an important role in these developments. The travel ecosystem connects public and private parties around a traveller. Using a digital identity in an ecosystem that crosses international borders and legal systems is complex, for passengers and stakeholders alike, and requires international standards for technology, data privacy and trust frameworks.
The shift to multi-cloud introduces a wide range of cloud security risks that remain unaddressed due to the siloed approach and limited focus of existing cloud security tools. Most cloud security tools offer highly focused solutions that are limited in scope and capabilities to address the growing spectrum of multi-cloud security risks. The convergence of IAM and multi-cloud security tools (CSPM, CWP and CIEM) offers a cloud security platform that takes an integrated approach to securely managing identities and their access entitlements to cloud resources for cloud-native application development, deployment and operations in the cloud. In this session, we will discuss:
For more than two decades, Microsoft Active Directory (AD) has been the de facto method organizations use to authenticate and authorize users for access to computers, devices, and applications within a company's network. Most companies still rely on it and have further extended its reach into the cloud by synchronizing their on-prem AD with Azure AD to provide their users with SSO to cloud applications. AD is celebrated for its extensive compatibility with various applications and Windows editions, but that compatibility comes with security downsides.
Compromises of Active Directory can occur as an entry point leading to a further attack or can arise at various other points along the kill-chain following an initial compromise via some other mechanism. Even in cases where a compromise is gained following an attack on applications or infrastructure directly, it is frequently infeasible for an attacker to progress further without elevating privileges, making Active Directory a primary target in an overall breach strategy.
It is therefore important that Active Directory defense tools are paired with a wider Zero Trust and XDR approach to provide full visibility over organizational infrastructure, enabling security teams to accurately identify the point of origin of an attack, and to perform the containment and remediation actions required to neutralize and prevent reoccurrence of an attack.
Join Principal Technologist, Guido Grillenmeier, to discuss AD access points used in recent cyberattacks, security risks to watch for in managing AD with Azure AD, how to look for warning signs that AD has been compromised and steps to take in the event of an attack.
Germany's healthcare sector will introduce its own ID wallet, called the "Sectoral IDP", for all statutorily insured persons on 1 January 2024. The issuers of the wallet are the health insurance companies, and approval will be granted in accordance with the extensive specifications of gematik (the regulatory authority). The ID attributes are issued by two issuers: the PID and the health insurer. The sectoral IDP is based on the OpenID Connect (Core and Federation), OAuth 2.0 and JSON Web Token (JWT) standards. The presentation will describe the specific gematik requirements for the product and operation of the ID wallet as well as their possible implementation. Although eHealth (the Telematics Infrastructure) is a closed system by definition, bridges to ID wallet developments outside the sector, such as the EU wallet, AML and eIDAS, will be shown.
OAuth 2.0 is a widely adopted standard for authorization, but it can be complex to implement correctly. It's not uncommon for developers to have difficulty understanding the nuances of the OAuth 2.0 flow and instead rely on simpler approaches such as using API keys in "god mode."
It is becoming more and more difficult to insure yourself against a cyber attack. Understanding all the different vectors of your risk posture, the flood of different tools and checklists that need to be taken into account, and the way to consolidate this risk into an overarching risk dashboard is an immense challenge for CISOs, risk managers and their senior leadership. Because of this major challenge, and because there is no standard way of calculating the risk, more and more insurance companies are placing high demands on the information that must be provided before they will even make a proposal for a cyber insurance policy; and if and when a policy is offered, its premiums and coverage become another big challenge and financial burden for companies.
The presentation will highlight these challenges and provide hints and tips on how to deal with this problem, so as to obtain cyber insurance at the lowest possible premium and with the highest coverage.