KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
You are shifting through RFIs for a new mobile app based multi-factor authentication solution for your company. The vendors claim that their products are 100% secure and we all know that there's no such thing as a 100% secure solution, but it's marketing and you know how marketing sometimes goes overboard. How do you determine if the solution is actually fit for your appetite for risk? Can you be sure development time dev credentials have been cleaned up? Is the rooting detection any good? Does the app store plaintext credentials? Is it vulnerable or can someone build a scalable attack against the product you are about to acquire to protect your crown jewels? Let's take a look at different options out there and talk a little bit about what you can request from the vendors.
You are shifting through RFIs for a new mobile app based multi-factor authentication solution for your company. The vendors claim that their products are 100% secure and we all know that there's no such thing as a 100% secure solution, but it's marketing and you know how marketing sometimes goes overboard. How do you determine if the solution is actually fit for your appetite for risk? Can you be sure development time dev credentials have been cleaned up? Is the rooting detection any good? Does the app store plaintext credentials? Is it vulnerable or can someone build a scalable attack against the product you are about to acquire to protect your crown jewels? Let's take a look at different options out there and talk a little bit about what you can request from the vendors.
This session will provide an overview of the market for Passwordless Authentication products and services and will present a compass to help you to find the Passwordless Authentication product or service that best meets your customers, partners, or workforce needs. KuppingerCole´s Alejandro Leal recently published a Leadership Compass for Passwordless Authentication and examined the market segment, vendor product and service functionality, relative market share, and innovative approaches to providing Passwordless Authentication solutions.
Regulatory bodies, government agencies, and CIOs are mandating Zero Trust as a cyber security framework. What does Zero Trust mean for your security strategy? With a Zero Trust security model, nobody is trusted automatically, even when they’ve cleared the perimeter. Instead, all identities are verified, minimum access is granted based on context, and activities are monitored to make sure controls are working as expected. The Zero Trust model requires multiple security controls throughout an IT environment to protect and manage identities, devices, networks, applications, and data. This session will take you through the reality check of where Zero Trust started, how it has evolved over the years and what does it really mean for your organization today.
One of the fundamental problems of identity and access governance lies in very unclear relationships between real business needs, access policies and decision making about allowing certain action on the assets. For years we are trying to develop access policies which at the same time corresponds to business expectations, digital security rules and regulations, and people-centric to minimize deviations.
In this session, we will discuss human factor in IGA program and how to provide human factor analytics in access governance using new three-dimensional model called NPR (need, policy and resolution). We will show how NPR reports will help the organization to determine necessary adjustments of the policies and their implementation in Identity Governance workflows and processes to improve maturity, decrease risk of breaches, policy deviations by users and cost of managing and enforcing policies also known as Costidity. We will also show the sample reports based on data from higher education customer.
Decentralized Identity is enabling individuals and organizations to have control over their own personal data, providing self-sovereignty, privacy and security. But, is a relatively new concept with high development and standardization dynamics. In this session we will look into what we should do today to take full advantage of this promising concept.
2022 brought a lot of activity in web3/crypto identity solutions: Soul Bound Tokens, Verifiable Credentials, and even web5?! In this year-in-review we'll examine the varying approaches, the problems they were trying to solve, and discuss how this can inform all of our user-centric identity efforts.
IGA activities in organizations have largely been around defining access policies manually, configuring access request workflows and scheduling periodic access reviews. Such activities require significant administration as well as continuous involvement by stakeholders. There are also delays that come with this model that could potentially cause security risk and non-compliance in the organization. An approach that is more intuitive is to discover policies, review them and apply access changes based on policies. This results in fewer IGA administrative and end-user activities for the organization while ensuring that both excess access and under access are addressed in a timely manner.
Decentralized Identity protection is important in data collaboration because it helps to protect the privacy and security of individuals and organizations involved in the supply chain. By ensuring that only authorized individuals have access to sensitive information, identity protection helps to prevent data breaches and other security incidents. A chain of trust establishes a series of checks and verifications that ensure that the data being shared is accurate and trustworthy. This is critical in the context of supply chain regulations, where inaccurate or incomplete information can have serious consequences for compliance and risk management.
In the second part of the talk, we will explore the concept of adaptive protection for identities in Microsoft Purview. By using a combination of machine learning, behavioral analysis, and risk-based decision making, we can create a dynamic system that adapts to new threats in real time. This approach offers a more proactive and effective way to safeguard identities, and can be applied across a range of industries and contexts. Together, we can work to develop a more robust and resilient digital identity ecosystem that protects individuals and organizations alike.
In 1994, Italian physicist Cesare Marchetti discovered something: cities expand as a function of transportation speed. In short, “transportation is the lifeblood of a city.” Innovation in transportation has driven the expansion of cities—from small, walkable areas to the sprawling, car-based metropolises, presenting a challenge for urban planners.
Identity in the modern organization faces a similar challenge: if transportation is the lifeblood of cities, then identity is the lifeblood of organizations. And our organizations are not ancient, walkable Rome, but modern, sprawling Atlanta—with identities and resources widely strewn around the globe.
Like urban planners, we face a nearly-intractable challenge: how can we provide access to resources and data easily while still meeting the stringent demands of security and compliance?
Thankfully, there appears to be a solution for both urban planning *and* identity, albeit from an unexpected source: Ordinary slime mold. Aka, “The Blob.”
We’ll learn from this simple organism, describe how its simple actions create complex systems that solve these sorts of “unsolvable” problems, and see how the Blob might “think” about identity.
OpenID Foundation leaders and contributors will brief the EIC community on the latest progress and outlook for the OpenID Foundation. As part of this workshop we will cover:
Please join us early to be part of the conversation. Workshop presenters include Nat Sakimura, Gail Hodges, Kristina Yasuda, Torsten Lodderstedt, Tim Cappalli and others.
The Common Ground movement of the Dutch municipalities is developing innovative solutions for greater interoperability. An important part of this is the data landscape, where functionality is accessed through microservice API’s. In the analysis of this architecture, one aspect is barely touched upon: The Access Control aspect in API’s is not appropriately co-developed.
The Municipality of The Hague has performed a Proof Of Architecture (the POA) to demonstrate that it is possible to unlock an existing API in which access is not explicitly modeled, or that still uses traditional Role Based Access Control methods internally, restricting interoperability across contexts.
The POA is done in an effective and efficient way through innovative 'zero trust architecture' concepts, such as Policy Based Access Control. Security and privacy are thus demonstrably realized in accordance with legal requirements. The POA proves that it is technically feasible to add input-filtering of access requests to ignore the restricting RBAC method and thereby open doors for municipalities for interoperability in an autonomous and secure way.
During the presentation the working principles of API access from a perspective of Identity & Access Management are explained, but also how these principles can be applied in practice in an existing application landscape.
The presentation will be a joint presentation between the lead architect of the City of The Hague, Jan Verbeek, and access strategist André Koot.
The term secure access service edge (SASE) has become popular in recent months and has been adopted by numerous vendors. SASE stands for a concept that integrates a range of cloud-native security services including cloud access security brokers (CASB), firewall as a service (FWaaS), secure web gateways (SWG), and zero-trust network access (ZTNA), with wide-area network (WAN) capabilities for delivering both directly to any edge computing location. In this session, KuppingerCole´s John Tolbert will give an overview of the market for SASE solutions and provide a compass to help buyers find the product that best meets their needs. KuppingerCole examines the market segment, vendor capabilities, relative market share, and innovative approaches to providing SASE solutions.