Excellent, thank you. So my name is Kaka. I'm from Severity and at Severity. So we are a market leader in applying decentralized identity for compliance use cases and for cybersecurity use cases. So in simple terms, we work with identity trust chains for provenance and authorization chains in regulated industries. And with me is and Matthias and yeah, short introduction from your side.
Well, in fact I did not present myself in the previous explanation. So I am a lawyer, very particular lawyer with a PhD on the EIF as one. But I've been 25 years working on identity and true services standardization. I'm in fact founding member of at CT C E S I. The last four years I've been working for Epsy and promoting a standardization activities in ISO and ISO TC 3 0 7 and TC 2 24 and other places.
Excellent. Matthias,
I come from a totally different angle. I'm an engineer and data space architect as well. Cloud solution architect implemented these zero trust approaches in in different clouds in AWS and and Microsoft Azure. So I also give this perspective
Super. And what do we do? First we do a framing. What does zero trust mean for us? For us three, after we have done the framing, we look a little bit in zero trust architecture in inter-organization, cross organization use cases, the challenges are, and then we do a deep dive in attributes based access, control and trust trends and trust domain, how credentials and identity can enable the abac and what, what kind of other tools such as reasoning we need maybe materials you give kind of a framing. So what does zero trust mean for us? Short framing, Matthias,
This is as you can see, a holistic approach. And as you can see here, we have six different areas we are focusing. That's identity as cast mentioned already. That's endpoints. And as you can know today, you bring your own device. So that means there's also corporate personal endpoints on, on your device. You need to protect both. You have to protect your data, you need to classify your data, you to, you have to know what you have and you label that you need to encrypt that you have applications and here we ha you have adaptive access for your software as a service applications, but also on-premise applications. And then you have a wide range of infrastructure as a service here you need runtime control. And here that comes in place, this role-based access control and we discussed this earlier, we have some struggle with this role based access control and you mentioned the next big thing is attribute based access control.
Excellent, thank you. And we, we have heard a lot of presentations today in terms of applying zero trust architecture within an organization and what the challenges are. And now if we think beyond even the original white paper from nist, they're talking about one organization and micro segmentation and identity governance and one organization. But the two challenges in today, today's world. So when we have dynamically defined value chains, cyber physical systems where everyone interacts with everyone else is really go beyond the enterprise cost organization cost, government cost entity. So natural what, what are the challenges from your perspective moving zero trust beyond the organizational boundaries? Well
In fact, this is something I was referring to before in my presentation. So when I look at this kind of diagram and I fe I think in a real use case for instance, I, I can see much in a hospital, my hospital for instance, right in in Spain that needs to give access to a German doctor to my medical records because I have have, I'm injured here and need to be to re to receive healthcare. When I look at this, I, I see that it won't work. And mainly the major issue is because the, the German hospital will or German doctor will need to be authenticated into my hospital back in Catalonia. And then to design, they will need to set up a trust agreement. They will need to federate their identity systems because otherwise the German doctor won't have access. So when we look at digital trust architectures, we don't look only effectively to internal organizations but to the fact that we will need to engage in relationships with people that we don't know beforehand. Therefore we need new trust approaches to be able to perform policy calculations automatically and make informed decisions. In this sense we have a challenge which is that we cannot anymore rely on organizational air back. We need to move into cross organizational aback.
Yeah, that's good insight. So big change moving beyond from airbag to ABAG cross organization and Matthias, you have done as an engineer and architect a lot of work in terms of Gaia and data spaces. So can you give us some examples about what role plays the ABAG and credentials and decent identity in your data space works that you're doing at the moment?
Data spaces for example are like in the automotive business, Katina Xs, they're handling more identities, non-human identities. But we also have different data spaces like education, health, we have human identities, so we need consent management in that we need strong authentication but for both identity types, you know,
And yeah, this is the examples I have. Yeah. Excellent. And Nacho, you mentioned you have the abec and the trust train and the root of trust and the, how does this all fit together and what do you think are the emerging next steps to bring the technologies together in a legal fulfilling legal requirements to deploy systems to production?
Well again, this is a difficult question but, but maybe we, we can share some insights in fact again from the, the point of view of truss tanko. So at the end of the day, if you are responsible, let's take the example of the, of the health data space that has primary purpose information and secondary use purpose information regarding sharing data, blah, blah blah. So if I am the, the, the responsible for giving access in here, whether and and I need to be give access to people I don't have any relationship with with before people, I don't know somehow it is a kind of bring your or identity approach. It means that I need to rely on that. But the problem is how I do rely on someone if I don't have any previous trust relationship established. This is when d EI does to, in my opinion comes.
So if the medical doctor has a identity wallet with identity attributes which are asserted in this case, it is a human identity. This human identity is bound to a device to achieve high-level assurance and it follows a vocabulary using for instance an ontology which is agreed upon at the European level, then I will be able to onboard automatically this person even if I don't have any, any previous record of that person and give access. In this sense, the most important thing is how can we rely on the authenticity of the information? How do we know that this German doctor is effectively a doctor? And this is where this approach works. My, the credential of the medical doctor had will have been issued by an authority, which I can't rely upon because there is a governance framework at the European level and this credential has been issued to a particular wallet which provides an A level of assurance. The next thing we need to think about then is how we get these attributes and how do we compute to make decisions on these attributes. Therefore we need, as I explained before, specific types of stanko and some a bit of little recognition and then we can promote new kinds of policies.
Excellent. I think you're talking about abic credentials and making decisions. I think it's also important and not much explore in zero trust architecture ecosystem. The newspaper, the original newspaper, they're talking about trust algorithms and you get information from different trust domains and maybe different AB credentials. And if you get the information neighbor credential is not like binary, it's a hundred percent faults or two, there's always probability combined to it. And that's what the trust algorithms take into consideration to make an informed decision about the threshold, a threshold security, do the authorization credentials, do they fulfill a certain threshold? If yes, I proceed. If not, I don't proceed. And I think the idea that data comes with trust and the data kind of related to risk scoring and I need to apply trust algorithm, that's pretty much underexplored yet. But what you are saying natural combining abec credentials, verifiable credentials with trust algorithms, this might be solution for the future. Maybe Matthias some, some of your thoughts. In addition,
Yesterday I had also a session about adaptive protection in data spaces and we struggling to get these policies from the customers because we have to start with something. So we have ODL policies and we asked the customers, Hey, how you want to protect your data with which policies? I said, I don't know because this is like a journey for all of us and if you share information with suppliers and customers, you have also a, a bigger attack vector. So everyone is scared about it. So what we need to establish is this kind of evolutionary process and feedback loop. And as you can see this feedback loop goes, we feed the policy optimization with all these six different areas, identity endpoint, network data, apps, infrastructure, learn from that, optimize our policies. But that's the attacks are very fast. So no human can act so fast. So in this case we need threat protection and with this threat protection they have machine learning behind, they make the risk risk assessment and goes back to the zero trust policy. So
Ken's machine do risk assessment based on ABK credentials. What are your thoughts?
It's, it's very early I would say to do that we wish
If, if I may I want to add something about abac ABAC policy evaluation. Of course all policy languages are typically based on rules. So rules is are are something that we can work with to define what should be the outcome of, of a decision partner with rules. And this happens both with APAC and with apac is that the logic you need to define this language rule is limited. So there is a point where you cannot make a real good decision because you get inconsistencies and you get limitations. In this sense, I truly believe that artificial intelligence has a role to play in here learning what happens, reinforcing, and then making decisions not based on formal logic but but make but on the statistics. So in this sense I think it is a promising technology to compliment this reasoning based in a, but the true point is that when you are going to give access, it is you the verifier who are going to request to the other party which attributes shall be presented. So once you have the attributes and the attributes are wealthy and you have checked that they have a security assurance level and you have your trics, then it is not that important whether the decision is made by a human or by a rules-based system or by an artificial intelligence. So the thing is that the, we should move quickly from Arabic and high rigid identities into the attribute world, otherwise we won't be receiving the information we need. And this should information should be trustworthy.
And if I understood you correctly. Now another main difference, we have our algorithms and feed them with abic information and now abec information are coming as a verifiable credentials. So we can really kind of put a level of assurance to individual data and that's probably the first time, yeah, that we have abec and we get abic information with level of assurance and this already kind of articles articulates risk. Yeah, trustworthiness of the data feed us in the algorithm. And probably the next step before we close, I would like, because you mentioned trust anchors, I would like to provide an example. Yeah, trust anchors very abstract. Yeah. So I like the example that also Matthias mentioned in terms of enterprise identity. And I as an enterprise can have different, can get different credentials, authorization credentials from different testaments. One can be might issue a legal entity, identify credential to me then have two identifies in resource seven 70,000 1 27 1 credential to me. And then I have maybe GS one and glyph and industry associations. I have a lot of different credentials from different trust domains. And as a closing remark, Naro and Matthias, what do you think in terms of working with different trust domains in the ABIC context and yeah, putting this in terms of verifiable credentials and connecting
From my side verifi credit, remember that VERIFI credentials are specific general purpose containers for trustworthy data. So it it, the fifth first thing we need to do is to be able to use common shared vocabularies for attributes and of course define what are the vocabulary for defining trustworthiness of these, of these attributes. In fact, the previous discussion was about identity proofing. So we have identity assurance levels, blah, blah blah. So the second thing is of course we need to be able to have a governance framework for this. Probably IDAs two will be one of the most important models in the world. And third, we need to be able to ask someone in our supply chain and this is the supply chain of data, of data to be liable to respond whether they have made a mistake. So if you put all of this in a true metrics, then it is relatively easy to go work. We cannot go today with federated identity. This is in my opinion the promise of this model applied to K rationale identity management.
Excellent. I like tougher of verifiable supply chain of data. So a lot of provenance history of data lifecycle data comes with his own, his history story. That's very good. Mathias. Very short closing your mark from your side.
Hmm, good question. So we need a strong authentication. We need multifactor authentication and we need to get rid of the flat networks, corporate flat networks. We communicate over the internet. This is I think the principle in zero trust. And we cannot trust even the trust anchors. We cannot trust because if the trust anchor is compromised, everything is down. So we need more than one trust anchor. So if one trust anchor is down and compromise, we can trust another trust anchor. And this is the idea of decentralization. So
With ZT trust is not going away, it's just somewhere else. Trust put somewhere else. It is the trust domain, the trust anchor technology. I think that's, that's a key takeaway. Yeah, thank you Matthias Natural. And we might have questions from the audience.
Yeah, we do have one question. How do you address zero trust and principle propagation in arrest based ipi chain from front end to backend layers or across the organization? It's quite complex and and technical.
That's complex. Do you want or should I do otherwise? From my perspective? Yeah. So if I have the credentials and have multiple APIs front and back end in terms of different organizational entities, I need a piece of software that's able to verify different abec credentials from different trust domains sitting next to the api. Yeah. Because if I centralize then the software, then I still don't have zero trust architectures pretty much centralized. So a lot of this logic verifying credentials, the supply chain of data up to a trust anchor. I think this needs to be sit next to the api. That's would be my my takeaway.
We once send as architect, software architect, we see a movement from from from infrastructure to managed identities in the cloud to protect the apps, the data. So you have like a placeholder identity for each database. For each application and it's micro segmentation of the network. So every application live in a small network segmentation. So the blast radios, you have to keep as minimum as possible. And if you do that with this micro segmentation, you ha don't have such a big impact after attack. Yeah.
Great. Well thank you. Thanks Carsten, Ignacio and Matthias, it was a great panel today.
Thank you. Thank you.
