KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Enterprise IDM/IAG and gardening do have much in common. Usually, if the general architecture and setup of the garden is done and completed, only minor changes and adjustments will be done over the years. But still: The yard will look different after a few years, not only because the trees and plants have grown, but also because of replacements, adjustments and optimizations over the years.
Sometimes, calling a bulldozer for a more complete ‚redesign‘ and restart from scratch is considered, but still limited by the boundaries of the property (and the budget of the landlord).
Whether you plan to bulldoze your legacy IAM/IAG Program, or replace a few elements just as you would replace plants, trees and flowers because of their age or cost: In this panel we will discuss the options, do‘s and dont‘s, stories from failed ‚gardening projects‘ and many more related to modernizing your legacy IDM/IAG set of tools.
Enterprise IDM/IAG and gardening do have much in common. Usually, if the general architecture and setup of the garden is done and completed, only minor changes and adjustments will be done over the years. But still: The yard will look different after a few years, not only because the trees and plants have grown, but also because of replacements, adjustments and optimizations over the years.
Sometimes, calling a bulldozer for a more complete ‚redesign‘ and restart from scratch is considered, but still limited by the boundaries of the property (and the budget of the landlord).
Whether you plan to bulldoze your legacy IAM/IAG Program, or replace a few elements just as you would replace plants, trees and flowers because of their age or cost: In this panel we will discuss the options, do‘s and dont‘s, stories from failed ‚gardening projects‘ and many more related to modernizing your legacy IDM/IAG set of tools.
While eIDAS 2.0 is still under legislative process, closing to the end, the European Commission prepares the framework for the EUDI Wallet reference implementation, and standardization bodies are working on developing new technical standards.
There is a real need for updated information on all efforts around eIDAS 2.0, as the implementing deadlines are very tight.
The session will shed light on latest developments and impact on the market.
Common Web3 narratives go like this: Web1 was decentralised. Web2 is centralised and dominated by GAFAM/BigTechs. Web3 will be decentralised.
Is this real?
Let us look back. Web1 was about publishing web pages that were linked to other pages. The publishing sites were decentralised all over and were connected by links. Schematics resembled spider webs. Thus, the name “web”.
Web2 was the read-write web. In other words, API Economy. Was it a centralised architecture? Definitely not. What we imagined as Web 2.0 back in 2004 was that instead of monolithic systems, each site provides a function as REST API, and new services quickly emerge by combining these APIs like LEGO. APIs were decentralised and distributed all over the internet. API calling relationships connected those sites; the schematics resembled a spider web. Thus, the name Web 2.0.
Note, in 2004, none of Google, Amazon, Facebook/Meta, or Apple resembled what we have now.
Google just acquired Double Click, but it still had the banner word “Do not do evil.” The size of the company was 1/10 of Hitachi. Amazon still was an internet merchant. Facebook was just founded, but it still was primarily confined to Harvard and other American university students. Apple was an iPod and Mac company. Were they BigTechs? No! Big guys were IBM, Hitachi, etc., and Google, Facebook etc. were carrying the liberation torch!
Then, how come we end up here, despite the fact that the architecture was completely decentralised?
It was the combination of free market competition and technology that exhibited increasing returns. Any IT technology has decreasing cost/increasing return on investment. Under the circumstances, it will end up in Cournot equilibrium in a fashionable vocabulary - in a common word; winner takes all - monopoly/oligopoly. That’s how we ended up.
What about web3 and decentralised identity? Would the decentralisation dream finally come true?
Well, they still are IT. They still exhibit increasing return necessarily. Then, how can you believe that it will not be dominated by large players just like it happened to Web 2.0? If you let the free market play, it will certainly be. Unlike in the case of Web 2.0 where there still were 100s of thousands of IdPs, we may end up with two Wallets where the wallet provider can come in and decide to delete your verified credentials or ban your account. How decentralised!
Wait, there is more.
How can you believe that code that runs on your phone adheres to what it says?
The data stored on your wallet that runs on your phone may be extracting your data and sending it to criminals. We have seen many times that the initially benign code turns malicious with an update.
According to the Devil's Dictionary of Linguistic Dark Patterns compiled at IIW 2022b, “Decentralised” means “We run our code on your machine at your own risk”. Yes, at your own risk. If it is completely “decentralised” and there is no “provider”, then there is nobody to go after from the point of view of a regulator. Having a “centralised” provider is much better from a consumer protection point of view in this respect.
Is there no light? Are we going to live in the darkness of decentralisation?
Let us briefly think about what web3 was supposed to be. Forget about something that is found between A and Z. I am not talking about that. I am talking about cypher-punks' idealistic dreams.
Many people believe that blockchain is just an immutable ledger. No, it is not! That’s not the innovation of blockchain. Chained immutable records were there long before Satoshi’s invention. It is called Hysteresis signature and was invented in 1999.
Then, what was the innovation? it was the committing of the code into the it to make it immutable and executing it by multiple machines to exclude the result from changed code. In other words, it was the establishment of trust in the running code.
The light could be diminishingly small, but it still is light. That’s the light that I see in web3 that’s not between A and Z.
Digital Identity and Security solutions impact our environment, typically in a positive and securing manner. However research shows that increasingly digitization of identity services, for digital identity, also exclude and harm individuals.
In this presentation Henk will detail his research into the impact of digital identity solutions on nation state level and how to start involving ethics in the design and implementation of these solutions.
The findings also apply to designing and implementing security solutions for other purposes than digital identity.
The approach to engage with ethical conversations during design will be explained theoretically, linking to the background of Value Sensistive Design (https://en.wikipedia.org/wiki/Value_sensitive_design) and made practical by case studies of Ethics in Security Design.
Henk has been researching the ethics of digital identity at Leiden University, NL, in 2022.
As a global OEM of highly critical and complex industrial devices, managing access to hundreds of millions of IIoT device resources spread across customer sites all around the globe is already a challenging task.
Use cases for providing a digital service platform need to address end customers accessing devices owned by themselves as well as priviledged access for in house and third party analytics applications and serice personnel. A combination of requirements for excelent user experience, authorization management and high performance for cross-tenant queries for endless scenarios can become a nightmare.
The task was to analyze the access requirements, abstract them and then deploy a “Zanzibar” inspired approach to manage access authorizations with a swift and reliable backend architecture, able to handle millions of information assets to be protected against unauthorized access.
Creating a mere access model does not do the full trick - it has to be cleverly designed into data storage structures and queries to achive the required performance goals!
The talk quickly introduces the problem set and then dives deeper into how to implement data storage optimization magic to get quick response times and swift adjustments of authorizations.
The cornerstone of the digital world is trust and key to that experience is a secure and verifiable digital identity. More than one billion people worldwide lack a basic verifiable identity. Without recognizable and consistent proof of identity there can be no financial, health, citizen, or digital inclusion. Women in Identity is a not-for-profit organization championing diversity and inclusion in the identity sector. Women in Identity enables change through awareness from our research projects (such as the code of conduct) and through our sponsors and members. In this keynote the chair and vice chair of the Board will share insights on the impact of identity exclusion and provide practical and pragmatic ways organizations and individuals can help drive Identity inclusion.
You often think service providers should build identity and API security infrastructure by themselves to have full control and flexibility so that it can fit into their business and technology stack. But it tends to be time consuming and costly due to lack of expertise to do so. Buying a heavy-weight solution is another considerable option, but it reluctantly leads dependency on the particular vendor of the solution, which may have redundant features and may not accommodate to customize in a cost-effective and timely manner. In this session, we will discuss a third option to “buy and build” that can combine the best of both worlds and give you control by building from scratch, as well as minimize the time and resource by leveraging “Identity Components as a Service.”
Companies are facing increasingly complex security threats. Many are struggling to assess their own security risks due to an inability to address potential issues as they arise, due to the breakneck pace at which issues are disclosed, and teams' ability to address said issues as they accumulate and because the huge number of security tools in use create diagnostic fatigue.
Vulnerability management programs rarely ever match the overall scale of the organization, boosting the number of potential points of exposure. What's more, besides vulnerabilities, attackers are increasingly leveraging exposures such as misconfigurations and stolen credentials to gain access to companies' core business. Because of this, attack paths to critical assets are often overlooked or identified too late.
Instead of looking at vast numbers of isolated issues, XM Cyber aggregates them into an attack graph to proactively identify hidden attack paths and weaknesses in both the cloud and on-premises. XM Cyber helps organizations efficiently address the issues that can have the greatest impact on organizational risk. Then teams can eliminate attack paths at critical junctures, i.e., choke points, in order to achieve ultra-efficient risk remediation.
OpenID for Verifiable Credentials (OID4VC) is a set of protocols that enables issuance and presentation of verifiable credentials expressed in any format including but not limited to W3C vc-data-model and ISO/IEC 18013-5 mDL. The power of the protocols lies in its demonstrated simplicity, security, and the implementer's ability to make choices across the tech stack - not just for credential formats, but also entity identifiers, trust model, crypto suites, revocation mechanism, etc. However, this also means that to be interoperable and enable certain use-cases(s), implementers need to agree on the sets of choices across the tech stack, usually referred to as interoperability profiles.
In this talk, we will share implementation experience of OID4VC specifications, and introduce existing interoperability profiles based on OID4VC. Of course we will also provide updates to OID4VC specifications, how they have evolved from the last year based on an overwhelming amount of implementation feedback.
As ecosystems of customers, workforce, partners and suppliers become increasingly intertwined, companies face the challenge of managing access consistently. Companies often install different access systems for different populations, with different types of accounts and different lifecycle management.
This session presents an approach whereby different populations can be managed with a single system and a single user profile. Key in this approach is that the user profile indicates to which population (or more than one population) the user belongs. The approach also enables delegated administration and temporary accounts in a very intuitive way.
For many years public concern about technological risk has focused on the misuse of personal data, with GDPR, most hated and loved at the same time as one of the results. With the huge success of LLMs and generative AIs such as ChatGPT, artificial intelligence soon will be omnipresent in products and processes, which will shift regulator´s attention to the potential for bad or biased decisions by algorithms. Just imagine the consequences of a false medical diagnose, or of a correct diagnose created by an AI and then not accepted by the doctor. Not to mention all the other fields where bad AI can be harmful, such as autonomous cars or algorithms deciding on your future credibility. Inevitably, many governments will feel regulation is essential to protect consumers from that risk.
In this panel discussion we will try to jointly create a list of those risks that we need to regulate the sooner the better and try to create an idea on how this future regulation will impact the way we use AI in our bsuiness and private lives.