Event Recording

Legacy Enterprise IAM/IAG Transformation

Show description
Speakers
Krishna Balan Kannappan
Solution Design Owner - IAM
KONE
Krishna Balan Kannappan
16+ years of experience in Information Technology and worked on various technology frameworks and domains. Have extensive experience in Identity Access management domain. Having worked with many international organizations, specialized in SailPoint Identity IQ and PRIVX SSH tools, CyberArk....
View profile
Thorsten Niebuhr
CEO
WedaCon
Thorsten Niebuhr
With nearly 30 years experience in IT and in the fields of Directory Technologies, Identity Management and Data Privacy, Thorsten is a recognized expert in our industry. As a technical trainer, consultant and developer he co-developed one of the first Identity Management Solutions which was...
View profile
Martin Sandren
IAM Product Lead
IKEA
Martin Sandren
Martin Sandren is a security architect and delivery lead with over eighteen years of experience of various information security related roles. Primarily focused on security architecture and digital identity including global scale customer, privileged and internal IAM systems using...
View profile
Patrick Shirazi
Enterprise Security Architect
Swedbank
Patrick Shirazi
Patrick is an accomplished Security Advisor at Swedbank, where he spearheads the design of cutting-edge solutions in Cybersecurity, and enabling the organization with developing guidelines and advisory services. His work is instrumental in safeguarding the financial sector and ensuring the...
View profile
Playlist
European Identity and Cloud Conference 2023
Event Recording
eIDAS 2.0 and EUDI Wallet - State of Play
May 12, 2023

While eIDAS 2.0 is still under legislative process, closing to the end, the European Commission prepares the framework for the EUDI Wallet reference implementation, and standardization bodies are working on developing new technical standards.
There is a real need for updated information on all efforts around eIDAS 2.0, as the implementing deadlines are very tight.
The session will shed light on latest developments and impact on the market.

Event Recording
Fallacy of Decentralisation
May 10, 2023

Common Web3 narratives go like this: Web1 was decentralised. Web2 is centralised and dominated by GAFAM/BigTechs. Web3 will be decentralised.

Is this real?

Let us look back. Web1 was about publishing web pages that were linked to other pages. The publishing sites were decentralised all over and were connected by links. Schematics resembled spider webs. Thus, the name “web”. 

Web2 was the read-write web. In other words, API Economy. Was it a centralised architecture? Definitely not. What we imagined as Web 2.0 back in 2004 was that instead of monolithic systems, each site provides a function as REST API, and new services quickly emerge by combining these APIs like LEGO. APIs were decentralised and distributed all over the internet. API calling relationships connected those sites; the schematics resembled a spider web. Thus, the name Web 2.0.

Note, in 2004, none of Google, Amazon, Facebook/Meta, or Apple resembled what we have now.
Google just acquired Double Click, but it still had the banner word “Do not do evil.” The size of the company was 1/10 of Hitachi. Amazon still was an internet merchant. Facebook was just founded, but it still was primarily confined to Harvard and other American university students. Apple was an iPod and Mac company. Were they BigTechs? No! Big guys were IBM, Hitachi, etc., and Google, Facebook etc. were carrying the liberation torch!

Then, how come we end up here, despite the fact that the architecture was completely decentralised?

It was the combination of free market competition and technology that exhibited increasing returns. Any IT technology has decreasing cost/increasing return on investment. Under the circumstances, it will end up in Cournot equilibrium in a fashionable vocabulary - in a common word; winner takes all - monopoly/oligopoly. That’s how we ended up.

What about web3 and decentralised identity? Would the decentralisation dream finally come true?

Well, they still are IT. They still exhibit increasing return necessarily. Then, how can you believe that it will not be dominated by large players just like it happened to Web 2.0? If you let the free market play, it will certainly be. Unlike in the case of Web 2.0 where there still were 100s of thousands of IdPs, we may end up with two Wallets where the wallet provider can come in and decide to delete your verified credentials or ban your account. How decentralised!

Wait, there is more.

How can you believe that code that runs on your phone adheres to what it says?
The data stored on your wallet that runs on your phone may be extracting your data and sending it to criminals. We have seen many times that the initially benign code turns malicious with an update.

According to the Devil's Dictionary of Linguistic Dark Patterns compiled at IIW 2022b, “Decentralised” means “We run our code on your machine at your own risk”. Yes, at your own risk. If it is completely “decentralised” and there is no “provider”, then there is nobody to go after from the point of view of a regulator. Having a “centralised” provider is much better from a consumer protection point of view in this respect.

Is there no light? Are we going to live in the darkness of decentralisation?

Let us briefly think about what web3 was supposed to be. Forget about something that is found between A and Z. I am not talking about that. I am talking about cypher-punks' idealistic dreams.
Many people believe that blockchain is just an immutable ledger. No, it is not! That’s not the innovation of blockchain. Chained immutable records were there long before Satoshi’s invention. It is called Hysteresis signature and was invented in 1999.
Then, what was the innovation? it was the committing of the code into the it to make it immutable and executing it by multiple machines to exclude the result from changed code. In other words, it was the establishment of trust in the running code.
The light could be diminishingly small, but it still is light. That’s the light that I see in web3 that’s not between A and Z.

Event Recording
Ethics in Security Design - For Digital Identity
May 11, 2023

Digital Identity and Security solutions impact our environment, typically in a positive and securing manner. However research shows that increasingly digitization of identity services, for digital identity, also exclude and harm individuals.
In this presentation Henk will detail his research into the impact of digital identity solutions on nation state level and how to start involving ethics in the design and implementation of these solutions.
The findings also apply to designing and implementing security solutions for other purposes than digital identity.
The approach to engage with ethical conversations during design will be explained theoretically, linking to the background of Value Sensistive Design (https://en.wikipedia.org/wiki/Value_sensitive_design) and made practical by case studies of Ethics in Security Design.
Henk has been researching the ethics of digital identity at Leiden University, NL, in 2022.

Event Recording
Spicing up Authorization - A Zanzibar inspired approach
May 11, 2023

As a global OEM of highly critical and complex industrial devices, managing access to hundreds of millions of IIoT device resources spread across customer sites all around the globe is already a challenging task.  
Use cases for providing a digital service platform need to address end customers accessing devices owned by themselves as well as priviledged access for in house and third party analytics applications and serice personnel. A combination of requirements for excelent user experience, authorization management and high performance for cross-tenant queries for endless scenarios can become a nightmare.  
The task was to analyze the access requirements, abstract them and then deploy a “Zanzibar” inspired approach to manage access authorizations with a swift and reliable backend architecture, able to handle millions of information assets to be protected against unauthorized access.  
Creating a mere access model does not do the full trick - it has to be cleverly designed into data storage structures and queries to achive the required performance goals!  
The talk quickly introduces the problem set and then dives deeper into how to implement data storage optimization magic to get quick response times and swift adjustments of authorizations.

Event Recording
Identity Inclusion – Why it Matters
May 09, 2023

The cornerstone of the digital world is trust and key to that experience is a secure and verifiable digital identity. More than one billion people worldwide lack a basic verifiable identity. Without recognizable and consistent proof of identity there can be no financial, health, citizen, or digital inclusion. Women in Identity is a not-for-profit organization championing diversity and inclusion in the identity sector.  Women in Identity enables change through awareness from our research projects (such as the code of conduct) and through our sponsors and members.  In this keynote the chair and vice chair of the Board will share insights on the impact of identity exclusion and provide practical and pragmatic ways organizations and individuals can help drive Identity inclusion. 

Event Recording
Security Offered as Components Empowering Enterprises to Gain Control
May 10, 2023

You often think service providers should build identity and API security infrastructure by themselves to have full control and flexibility so that it can fit into their business and technology stack. But it tends to be time consuming and costly due to lack of expertise to do so. Buying a heavy-weight solution is another considerable option, but it reluctantly leads dependency on the particular vendor of the solution, which may have redundant features and may not accommodate to customize in a cost-effective and timely manner. In this session, we will discuss a third option to “buy and build” that can combine the best of both worlds and give you control by building from scratch, as well as minimize the time and resource by leveraging “Identity Components as a Service.”

Event Recording
Continuous Exposure Management - Keeping one step ahead of attackers through continuous exposure management
May 12, 2023

Companies are facing increasingly complex security threats. Many are struggling to assess their own security risks due to an inability to address potential issues as they arise, due to the breakneck pace at which issues are disclosed, and teams' ability to address said issues as they accumulate and because the huge number of security tools in use create diagnostic fatigue. 

Vulnerability management programs rarely ever match the overall scale of the organization, boosting the number of potential points of exposure. What's more, besides vulnerabilities, attackers are increasingly leveraging exposures such as misconfigurations and stolen credentials to gain access to companies' core business. Because of this, attack paths to critical assets are often overlooked or identified too late.

Instead of looking at vast numbers of isolated issues, XM Cyber aggregates them into an attack graph to proactively identify hidden attack paths and weaknesses in both the cloud and on-premises. XM Cyber helps organizations efficiently address the issues that can have the greatest impact on organizational risk. Then teams can eliminate attack paths at critical junctures, i.e., choke points, in order to achieve ultra-efficient risk remediation.

Event Recording
How to Build Interoperable Decentralized Identity Systems with OpenID for Verifiable Credentials
May 10, 2023

OpenID for Verifiable Credentials (OID4VC) is a set of protocols that enables issuance and presentation of verifiable credentials expressed in any format including but not limited to W3C vc-data-model and ISO/IEC 18013-5 mDL. The power of the protocols lies in its demonstrated simplicity, security, and the implementer's ability to make choices across the tech stack - not just for credential formats, but also entity identifiers, trust model, crypto suites, revocation mechanism, etc. However, this also means that to be interoperable and enable certain use-cases(s), implementers need to agree on the sets of choices across the tech stack, usually referred to as interoperability profiles.

In this talk, we will share implementation experience of OID4VC specifications, and introduce existing interoperability profiles based on OID4VC. Of course we will also provide updates to OID4VC specifications, how they have evolved from the last year based on an overwhelming amount of implementation feedback.

Event Recording
Navigating B2B2X Complexity with Identity-Centric Personas and Policy-based Access controls
May 10, 2023

As ecosystems of customers, workforce, partners and suppliers become increasingly intertwined, companies face the challenge of managing access consistently. Companies often install different access systems for different populations, with different types of accounts and different lifecycle management.

This session presents an approach whereby different populations can be managed with a single system and a single user profile. Key in this approach is that the user profile indicates to which population (or more than one population) the user belongs. The approach also enables delegated administration and temporary accounts in a very intuitive way.

Event Recording
AI Governance & Regulation - How to Prepare for the Inevitable
May 12, 2023

For many years public concern about technological risk has focused on the misuse of personal data, with GDPR, most hated and loved at the same time as one of the results. With the huge success of LLMs and generative AIs such as ChatGPT,  artificial intelligence soon will be omnipresent  in products and processes, which will shift regulator´s attention to the potential for bad or biased decisions by algorithms. Just imagine the consequences of a false medical diagnose, or of a correct diagnose created by an AI and then not accepted by the doctor. Not to mention all the other fields where bad AI can be harmful, such as autonomous cars or algorithms deciding on your future credibility. Inevitably, many governments will feel regulation is essential to protect consumers from that risk.

In this panel discussion we will try to jointly create a list of those risks that we need to regulate the sooner the better and try to create an idea on how this future regulation will impact the way we use AI in our bsuiness and private lives.

Event Recording
OpenWallet Deepdive
May 10, 2023
Event Recording
The Art of Creating a Framework for Responsible AI
May 11, 2023