Event Recording

When SSI Meets IoT: Challenges and Opportunities

Show description
Speaker
Dr. Xinxin Fan
Head of Cryptography
IoTeX
Dr. Xinxin Fan
Dr. Xinxin Fan is the Head of Cryptography at IoTeX, a Silicon Valley-based technology platform that empowers the emerging machine economy with innovative combination of blockchain and IoT. He is responsible for directing the company’s strategy and product roadmaps as well as developing...
View profile
Playlist
European Identity and Cloud Conference 2023
Event Recording
Three Years is a Long Time in Identity
May 10, 2023

Landing in a new organisation with a declared objective to transform the way customer identity was done but no mandate was daunting. Being able to look back three years later and tick of an infrastructure consolidation, the deployment of a central authorisation solution, being on the precipice of participating in a Digital ID scheme, and having the Chief Digital Officer shouting from the rooftops about a universal login is priceless. Come along to hear me talk about some critical success factors, calculated risks, fortunate circumstances, and the incredible support of some incredible people helped make this happen. I’ll also touch on my personal journey from an engineering role to a product person to illustrate the increasing maturity levels we went through.

Event Recording
Cloud-Powered Technologies and Strategies for Secured DevOps Environments
May 10, 2023

As organizations shift to agile development methodologies and the use of cloud-based platforms, they have the opportunity to leverage the cloud to improve their security practices. By adopting a DevSecOps approach, organizations can integrate security into the development lifecycle and take advantage of the scalability, flexibility, and automation capabilities of the cloud.

In this session, We will explore the benefits of leveraging the cloud for security in DevOps, and discuss the key principles of DevSecOps architecture, including collaboration, automation, and continuous integration and delivery. We will also examine the role of security tools and technologies, such as static code analysis, dynamic testing, and vulnerability management, in the DevSecOps process, and discuss how these tools can be effectively deployed in a cloud environment.

In addition, I will provide practical guidance and strategies on how organizations can implement the latest DevSecOps strategies in their cloud environments. This will include a discussion of best practices for integrating security into the development process, such as setting up security gates, implementing security testing early in the development process, and automating security checks.

Overall, this session will highlight the benefits of leveraging the cloud for improved security in DevOps, and provide practical guidance with the latest cloud technologies on how to implement DevSecOps effectively in a cloud environment.

Event Recording
Reducing Complexity – Introducing a Practical Model for Security Classifications
May 11, 2023

Practical Cyber Security Architecture: Reducing complexity – Introducing a practical model for security classifications. Building and running cyber security in both worlds modern cloud security in combination with legacy on premises introduces extra complexity.  Some of the well-known security patterns and models are not applicable in cloud systems while the modern security models like zero trust barely  fit in legacy systems. Based on a model for security classification we will explore some practical methods for reducing complexity in modern cyber security.

Event Recording
Automated Serverless Security Testing: Delivering Secure Apps Continuously
May 10, 2023

Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.

How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.

Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionles

Event Recording
Zero Trust with Zero Buzz
May 11, 2023

The objective of the talk is to:

  1. (10%) Clear out the noise around Zero Trust: why Zero Trust has became a buzzword
  2. (20%) Define Zero Trust
  3. (60%) Set the journey:
    • how can we implement Zero Trust?
    • where to start? how to do it?
    • what are the building blocks?
    • building blocks stages and maturity?
  4. (10%) How can Zero Trust protect us against today's threats.
Event Recording
Passwordless For the Masses
May 10, 2023
Event Recording
All the IAMs - Modern Convergence of Digital Identity for Different Populations
May 09, 2023
Event Recording
AI Governance & Regulation - How to Prepare for the Inevitable
May 12, 2023

For many years public concern about technological risk has focused on the misuse of personal data, with GDPR, most hated and loved at the same time as one of the results. With the huge success of LLMs and generative AIs such as ChatGPT,  artificial intelligence soon will be omnipresent  in products and processes, which will shift regulator´s attention to the potential for bad or biased decisions by algorithms. Just imagine the consequences of a false medical diagnose, or of a correct diagnose created by an AI and then not accepted by the doctor. Not to mention all the other fields where bad AI can be harmful, such as autonomous cars or algorithms deciding on your future credibility. Inevitably, many governments will feel regulation is essential to protect consumers from that risk.

In this panel discussion we will try to jointly create a list of those risks that we need to regulate the sooner the better and try to create an idea on how this future regulation will impact the way we use AI in our bsuiness and private lives.

Event Recording
High-security & interoperable OAuth 2: What's the latest?
May 10, 2023

OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has been historically difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last five years working to improve the state of the art and will present the latest developments in the field.

There are challenges when trying to achieve high security and interoperability with OAuth 2: Many potential threats need to be addressed, some not part of the original OAuth threat model. To seamless authorizations, optionality must be minimized OAuth itself and also in any extensions
used.

Six years ago, the IETF OAuth working group started work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.

We will introduce these specifications and help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and high security through the use of techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS. We highlight the benefits for implementers and the role of conformance testing tools.

Event Recording
Ethics in Security Design - For Digital Identity
May 11, 2023

Digital Identity and Security solutions impact our environment, typically in a positive and securing manner. However research shows that increasingly digitization of identity services, for digital identity, also exclude and harm individuals.
In this presentation Henk will detail his research into the impact of digital identity solutions on nation state level and how to start involving ethics in the design and implementation of these solutions.
The findings also apply to designing and implementing security solutions for other purposes than digital identity.
The approach to engage with ethical conversations during design will be explained theoretically, linking to the background of Value Sensistive Design (https://en.wikipedia.org/wiki/Value_sensitive_design) and made practical by case studies of Ethics in Security Design.
Henk has been researching the ethics of digital identity at Leiden University, NL, in 2022.

Event Recording
3 Dimensions of Digital Sovereignty
May 09, 2023

Digital sovereignty has become an important topic for individuals as well as a strategic issue for countries and businesses, allowing them to operate in an environment that they trust and can control. This necessitates technology that is not overly reliant on third parties, where there is a risk of misuse of trust or non-compliance.

In this session, we will explore 3 dimensions of digital sovereignty related to identity:

  • Sovereignty of the Individual: The need to protect the individual has triggered privacy laws around the world, like GDPR. Providing end users with more control is now taken one step further with the adoption of the so-called "Self-Sovereign identity (SSI)" and "identity wallets." With SSI, users are in powerful control of their personal data, resulting in a privacy-first user experience.
  • Geopolitical Sovereignty: According to geopolitical sovereignty, data about citizens is subject to the laws and governance of the nation or state to which they belong. As data and the behavior of people become more valuable for countries, the transfer of data is regulated by laws like the US Cloud Act and GDPR. Compliance with cross-border data transfers is becoming more important than ever. 
  • Organisational Sovereignty: Organizations want to protect the interests of their employees, gig workers, customers, and business ecosystem. They also have to comply with multiple data sovereignty laws in various countries (for example, Schrems II, CCPA, LGPD, and so on). This leads to questions like, "Where is my data?" "Who has access?" and "Who holds the keys?" The more global organizations are, the more complex this process is due to the numerous local regulations they have to follow.
Event Recording
Three Pillars of Secure Development - Why Nobody Cares and How to Fix That
May 11, 2023

Speed to market, extensive use of so-called standards and the quest for low cost: Successful product development is using lopsided metrics. That comes with a big penalty - from physical product safety and cyber security, companies around the world spend big money on fixes that often come too late. Learn about three often overlooked pillars of successful, resilient product lifecycles and what leverage unexpected skills like penetration testing can apply.