Event Recording

Lessons Learned from IAM Transformation in Banking

Speaker
Patrick Shirazi
Enterprise Security Architect
Swedbank
Patrick is an accomplished Security Advisor at Swedbank, where he spearheads the design of cutting-edge solutions in Cybersecurity, and enabling the organization with developing guidelines and advisory services. His work is instrumental in safeguarding the financial sector and ensuring the...
Playlist
European Identity and Cloud Conference 2023
Event Recording
Market Overview: Secure Access Service Edge (SASE)
May 11, 2023

The term secure access service edge (SASE) has become popular in recent months and has been adopted by numerous vendors. SASE stands for a concept that integrates a range of cloud-native security services including cloud access security brokers (CASB), firewall as a service (FWaaS), secure web gateways (SWG), and zero-trust network access (ZTNA), with wide-area network (WAN) capabilities for delivering both directly to any edge computing location. In this session, KuppingerCole's John Tolbert will give an overview of the market for SASE solutions and provide a compass to help buyers find the product that best meets their needs. KuppingerCole examines the market segment, vendor capabilities, relative market share, and innovative approaches to providing SASE solutions.

Event Recording
The Decentralized Identity Journey has Begun in Financial Services
May 11, 2023

Learn how Raiffeisen Bank International heads toward decentralized identity to empower their customers across Europe and set the gold standard for privacy protection.

The increased mobility of users and their demand for personalized, unified omnichannel access experiences has stretched federated IAM beyond its limits. Meanwhile, the need for organizations to collaborate more to compete, and build communities of trust and value for those same users affordably and securely, cannot be met by existing federated IAM solutions. Learn how Raiffeisen Bank International (RBI) will embrace the new paradigm of decentralized identity to improve existing experiences and create the opportunity for new, valuable user experiences and increased levels of engagement and collaboration with business partners across multiple jurisdictions, without the need to replace their infrastructure. Simultaneously, understand why starting their journey now enables RBI to future-proof their ecosystem to rapidly support the EU Digital Wallet and official digital credentials that will become available. Get a glimpse into the solution architecture being deployed at RBI and an understanding of the benefits and how they can be communicated to executive leadership and business partners. Yes, decentralized identity may be great for web3 someday; however, learn from RBI how it can also solve today's problems in a practical way and work in harmony with existing IAM systems, enhancing existing federation platforms.

Event Recording
From Security & Compliance to Business Enablement
May 10, 2023

Event Recording
Automated Serverless Security Testing: Delivering Secure Apps Continuously
May 10, 2023

Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.

How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.

Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionles

Event Recording
Verifiable Credentials for the Modern Identity Practitioner
May 10, 2023

You heard about Verifiable Credentials and decided to learn more. You found some stuff online, but despite knowing your way thru identity, you still can't really tell how they work in practice (wallets? presentations?) or how the boldest claims (no more centralized DBs! Apps cannot save PII!) will play out. This session will dive into VCs and separate the hype from their true, remarkable potential.

Event Recording
Use AI to Make Account Takeover a Frustrating Experience... For the Attacker
May 11, 2023

Sure, MFA goes a long way in preventing account takeover, but it is only one layer. Using AI to look at identity data to evaluate risk can add additional layers – not only to prevent takeover but to mitigate the impact once a takeover has happened.

Event Recording
Shut The Front Door - A Risk-based Case for Zero Trust Authentication
May 10, 2023

Authentication is broken, and longer, stronger passwords combined with first-generation MFA will not save the day. Hopefully, this is no longer controversial. We have over a decade's worth of data showing how most successful breaches involve stolen credentials. Now we are witnessing a rapidly rising number of breaches bypassing existing MFA. It is beyond time to address this problem head-on, but what are the key requirements for MFA that is up to the task? While the situation is dire, this will be a very hopeful view of the path forward. Help IS on the way!

Event Recording
Modern Authorization: The Next IAM Frontier
May 10, 2023

Identity and access have always been joined at the hip. In the age of LDAP, authenticated users were granted permissions based on group membership. But this mechanism hasn’t transferred into the federated identity landscape.

Instead, modern identity systems try to generalize permissions into scopes that are embedded into access tokens. But this doesn’t facilitate fine-grained authorization - a “read:document” scope doesn’t typically mean the user can access every document!

While identity has moved to the cloud, we still don’t have fine-grained, scalable mechanisms for generalizing authorization. So every application builds its own, and IT ends up administering every application differently.

Fixing this is arguably the most pressing challenge for the IAM industry. In this talk, we propose a set of principles, inspired by zero-trust and the latest work in cloud-native authorization, that should underlie the solutions we build:

  1. Support for fine-grained authorization (both ABAC and ReBAC), delivering on the principle of least privilege. Google’s Zanzibar provides an important blueprint.
  2. Managing authorization policy-as-code, enabling separation of duties and policy-based access management. Open Policy Agent is a good building block.
  3. Performing real-time access checks for continuous verification. This function should be downstream from authentication.
  4. Collecting fine-grained decision logs, providing the underpinning for comprehensive offline auditing and access analysis.

Event Recording
Convergence Across Identity, Authentication and Open Banking
May 10, 2023

To date, the world has progressed identity, authentication, and open banking as disparate initiatives. While strengthening each of these independently has indisputably contributed to growing trust, bolstering data privacy, and mitigating the security risks that are today inherent in our every digital interaction, this ‘divide-and-conquer’ approach is unlikely to be sufficient to propel us to the best possible economic and user experience outcomes.

Join this panel of experts to understand how some of today's most respected thought leaders suggest convergence across identity, authentication, and open banking can accelerate our journey to a trusted digital marketplace, our collective North Star.

The whole is indeed much larger than the sum of the parts. Join us-

Event Recording
Identity Governance with a Purpose – Deciding and Documenting Why Access is Granted
May 10, 2023

Deciding what constitutes appropriate access to sensitive information is a growing challenge for today's enterprise. Whether it is regarding securing mission-critical enterprise data or protecting the privacy of data gathered about the organization's customers, an often-overlooked element is capturing and documenting the reasons why a given access request or entitlement is necessary and appropriate for the continued operation of the business. Organizations are required to manage the data that they are entrusted with in a secure, purpose-based, and privacy-compliant manner. Identity Governance processes can help the enterprise review the current state of access, make decisions regarding the validity of this access state, and attest to its accuracy. Identity Governance processes are also ideally suited to document the reasons why this access state is appropriate and necessary for business operations.

This session will cover how Identity Governance processes can help enterprises refine their security, make better access control decisions, and provide much clearer accountability around why access is granted – all in better alignment with Zero Trust initiatives.

Event Recording
The AML-Compliant ID-Wallet
May 10, 2023

AML-compliant customer identification in the finance and banking sector (KYC) in Germany is subject to the requirements of BaFin (the regulatory authority) and the Money Laundering Act. This involves the use of both on-site and online identification procedures, which are often provided by external service providers as “critical outsourcing" and as data order processing. In the age of ID wallets, this KYC process needs to be redeveloped from a regulatory, data protection and technical perspective - especially because the regulatory framework currently does not (yet) explicitly provide for the case of an ID wallet. The presentation describes the challenges for ID wallets and ID issuers in the AML context and shows an exemplary implementation.

Event Recording
How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials
May 10, 2023

OpenID for Verifiable Credentials (OID4VC) is a set of protocols that enables issuance and presentation of verifiable credentials expressed in any format, including but not limited to the W3C vc-data-model and ISO/IEC 18013-5 mDL. The power of the protocols lies in their demonstrated simplicity, security, and the implementer's ability to make choices across the tech stack - not just for credential formats, but also entity identifiers, trust model, crypto suites, revocation mechanism, etc. However, this also means that to be interoperable and enable certain use case(s), implementers need to agree on the sets of choices across the tech stack, usually referred to as interoperability profiles.

In this talk, we will share implementation experience of the OID4VC specifications and introduce existing interoperability profiles based on OID4VC. Of course, we will also provide updates on the OID4VC specifications and how they have evolved since last year based on an overwhelming amount of implementation feedback.