KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Authentication is broken, and longer, stronger passwords combined with first-generation MFA will not save the day. Hopefully, this is no longer controversial. We have over a decade's worth of data showing how most successful breaches involve stolen credentials. Now we are witnessing a rapidly rising number of breaches bypassing existing MFA. It is beyond time to address this problem head-on, but what are the key requirements for MFA that is up to the task? While the situation is dire, this will be a very hopeful view of the path forward. Help IS on the way!
Authentication is broken, and longer, stronger passwords combined with first-generation MFA will not save the day. Hopefully, this is no longer controversial. We have over a decade's worth of data showing how most successful breaches involve stolen credentials. Now we are witnessing a rapidly rising number of breaches bypassing existing MFA. It is beyond time to address this problem head-on, but what are the key requirements for MFA that is up to the task? While the situation is dire, this will be a very hopeful view of the path forward. Help IS on the way!
In this session, KuppingerCole´s Paul Fisher will give an overview of the market for Privilege Access Management (PAM) platforms and provide a compass to help buyers find the product that best meets their needs. KuppingerCole examines the market segment, vendor capabilities, relative market share, and innovative approaches to providing PAM solutions. He will also explain how the new Pamocracy is affecting the market.
Identity and access have always been joined at the hip. In the age of LDAP, authenticated users were granted permissions based on group membership. But this mechanism hasn’t transferred into the federated identity landscape.
Instead, modern identity systems try to generalize permissions into scopes that are embedded into access tokens. But this doesn’t facilitate fine-grained authorization - a “read:document” scope doesn’t typically mean the user can access every document!
While identity has moved to the cloud, we still don’t have fine-grained, scalable mechanisms for generalizing authorization. So every application builds its own, and IT ends up administering every application differently.
Fixing this is arguably the most pressing challenge for the IAM industry. In this talk, we propose a set of principles, inspired by zero-trust and the latest work in cloud-native authorization, that should underlie the solutions we build:
In many respects, identity programs are inherently vulnerable because they often rely on something that is shareable; something that a person knows or something that they have.
Join iProov to hear how biometrics can improve security for both digital and physical access. Included in this presentation will be guidance on: aligning biometrics to high-risk inflection points in the identity lifecycle; important considerations for inclusivity; and how to mitigate the risk of generative AI in modern attack methodologies.
After several tumultuous years, the cyber insurance safety net is in question as costs rise and coverage contracts. Research conducted with IT security professionals to understand the real-life experiences companies have in obtaining and using cyber insurance.In this session we’ll unpack the survey findings and put them in context. Join the discussion to prepare for your next cyber insurance assessment so you end up with coverage and rates that accurately reflect your organization’s risk profile.
Joe Carson will talk about
And help you find answers to these questions
Securing access to data and applications has become a cornerstone of any modern cybersecurity strategy.
User access governance projects however have a history of incurring multi-year roll-outs and requiring specialized personnel, making many companies shy away and bear excessive cyber risk.
For those companies, approaching user access governance as a data problem can provide the answer. This approach effectively trims down user access governance to its essentials: low-effort data collection, user-friendly risk analytics, access reviews and plugging into the existing ITSM processes. This data-driven approach has the potential to let companies achieve mature access governance in a matter of days, not months.
In this session, Elimity CEO Maarten will give an overview of the essentials of user access governance and will showcase how this approach is successfully applied in practice by industry leaders such as Securitas, the Belgian Railroads and Federale Assurances.
There’s a lot of foundational work happening in the space of Selective Disclosure (SD) right now. Selective Disclosure enables you to have a token with many claims (say, an ISO Mobile Drivers’ License (mDL)), and only release the claims necessary to the interaction – for instance, your birthdate but not your home address. Selective Disclosure enables Minimal Disclosure. This is sometimes realized using Zero Knowledge Proofs (ZKPs) but that’s not always necessary.
In decentralized identity ecosystems, users hold their own credentials to share them with others when needed. One key requirement for these credentials is selective disclosure: instead of sharing the entire credential, users should be able to share only the minimal amount of information necessary for a given use case. This is where SD-JWT comes in.
SD-JWT (Selective Disclosure JWT) is a new format for enabling selective disclosure in JWTs. It is based on the JOSE family of standards for signing and encryption, making it easy to understand and implement.
Developed by the IETF OAuth Working Group, SD-JWT is not limited to verifiable credentials, but can be used universally to provide selective disclosure for any JWT.
Due to its simplicity, SD-JWT has quickly gained traction, with several implementations already available and ongoing adoption as an important building block in both commercial and public projects. In this talk, we will introduce the concepts behind SD-JWT and provide a detailed overview of its capabilities and benefits. We will also discuss the current state of SD-JWT adoption and future directions for its development.
Some of the current work pertinent to Selective Disclosure is:
People are under the impression that when you spin up the latest and greatest AKS, EKS, OpenShift or GKE instance, that you're secure. However with K8S, now more than ever the workload underneath matters. One privileged, neglected, container can compromise an entire setup. Rather than just talking about the risks or best practices, this talk is all about showing how easy it is to do.
The talk will first discuss possible attack paths in the Kubernetes cluster, and what differences exist in the attack techniques compared to classic infrastructures. For this purpose, a web application in a container will be compromised, then the Kubernetes cluster and the cloud account. Subsequently, 2 open-source tools will be discussed how such vulnerabilities and misconfigurations can be detected in the different infrastructure layers.
“Graph-Based Access Control'' (GBAC) is a generic term that refers to the use of graphs and networked data to solve Identity and Access Control problems. You may have seen this before through the disguise of acronyms such as ReBAC (relationship-based), KBAC (knowledge-based), PBAC (policy-based), NGAC (Next-Generation), FGA (fine-grained), and even some implementations of ABAC (attribute-based). All of these terms refer to techniques that use graphs to enforce access-control for any level of coarseness.
In this session you will learn why all the latest Dynamic Authorization offerings on the market use GBAC in a way or another, and how you can successfully adopt the technique yourself. Graphs are becoming ubiquitous - one can just look at the rise of the GraphQL API model to witness their popularity first-hand. Through concrete, real-life examples we will showcase the use of graphs to solve common access problems using the same modern and future-proof techniques that you see in the current authorization market.
As a result, storing all identity data in graphs truly unlocks its full potential. Graphs are data-science and analytics enablers, and have the potential to transform the IAM practice from a cost centre to a true revenue generator. We’ll explore how this can happen for you too…
For many years public concern about technological risk has focused on the misuse of personal data, with GDPR, most hated and loved at the same time as one of the results. With the huge success of LLMs and generative AIs such as ChatGPT, artificial intelligence soon will be omnipresent in products and processes, which will shift regulator´s attention to the potential for bad or biased decisions by algorithms. Just imagine the consequences of a false medical diagnose, or of a correct diagnose created by an AI and then not accepted by the doctor. Not to mention all the other fields where bad AI can be harmful, such as autonomous cars or algorithms deciding on your future credibility. Inevitably, many governments will feel regulation is essential to protect consumers from that risk.
In this panel discussion we will try to jointly create a list of those risks that we need to regulate the sooner the better and try to create an idea on how this future regulation will impact the way we use AI in our bsuiness and private lives.
We must secure our organization’s processes regardless of what tech they run on. Originally, security leaders had leverage. We controlled the horizontal. We controlled the vertical. And if people wanted to work, they needed to follow our rules to access corporate apps and services. But then came Cloud apps, and BYOD, and consumerization, pushing security beyond our outer limits. Security happens where psychology and technology intersect. The everyday decisions of employees increase or decrease an organization’s risk.
Employees don’t need us. And by employee, I mean more than end-users. This is a broader conversation; including software developers, IT engineers, DevOps practitioners, and more. To get people to opt in and follow secure practices, we turn to behavior science. IT security leaders must offer them a compelling experience. In this panel we will discuss how to carefully balance the need for security, compliance, and efficient resource management to ensure that your cloud environment is both secure and effective.
Skills not degrees are what matters in today's job market. Using SSI and OpenBadges standards, people can gain micro-certificates based on skills acquired during their studies, work, or volunteering. We will discuss what it takes for educational institutions and employers to adopt a privacy-friendly, frictionless, and more secure onboarding process for students and employees based on this technology. We will explore the new paradigm for IDaaS, an eIDAS 2.0 compliant process, and how we enable Life Long Learning.
AML-compliant customer identification in the finance and banking sector (KYC) in Germany is subject to the requirements of BaFin (the regulatory authority) and the Money Laundering Act. This involves the use of both on-site and online identification procedures, which are often provided by external service providers as “critical outsourcing" and as data order processing. In the age of ID wallets, this KYC process needs to be redeveloped from a regulatory, data protection and technical perspective - especially because the regulatory framework currently does not (yet) explicitly provide for the case of an ID wallet. The presentation describes the challenges for ID wallets and ID issuers in the AML context and shows an exemplary implementation.