Session One – Building An Effective and Resilient IAM Infrastructure
- EU Regulations and pan-European IAM initiatives and projects
- CIAM and Excellent User Experiences that drive innovation and change
- Implementing complex IAM projects across large enterprise organisations
- Technical challenges, methods of Access Control, and Identity Provider implementation
- Creating IAM infrastructure that is robust and resilient to attack
- Improving access security across your organisation
- Operationalising identity intelligence for risk mitigation
- Using IAM to achieve business goals and empower digital business
- Developing DISP strategies that support innovation
- Decentralising Identity Management using a Blockchain approach
The Conference Chair's Opening Remarks
Dr Gilad L. Rosner, Founder: IoT Privacy Forum; Expert in Public Policy of IoT & Identity Management; Privacy and Technology Policy Researcher
The Identity and Access Management transformation: from an IT to a Business-driven Approach
Bertrand Hanappe, Global Head of Identity & Access Management, Euroclear
Jérôme Desbonnet, Head of Security Technologies & Operations, Euroclear
Over the last few years, with the evolution of the risk landscape, the Cyber Security framework has had to be reviewed and its fundamentals redesigned. Indeed, this has not only triggered major roadmap projects but also forced the majority of us to review our Identity and Access Governance.
In this presentation, we will share with you our key learning outcomes in implementing this new framework and the key concepts you need to keep in mind if you were to jump into this transformation.
• Risks evolution
• Pitfalls in IAM project like delivery
• Client and end-user centricity
• Lessons learned
User Experience as a Central Pillar of CIAM
Customer expectations have never been higher when it comes to online services. Meeting the basic requirements of online access is no longer adequate as users are increasingly deterred by obtuse interfaces, difficult to navigate systems and other barriers to ease of use.
In this environment, user experience needs to be the central pillar of any CIAM system, and IAM architects have to utilise the newest technologies and techniques to create systems that are user-friendly and allow easy interaction across multiple login portals.
In this session, we explore:
• What can be done to create better interfaces that offer customers a great IAM experience
• Flexible access and SSO
• Removing impediments to the customer journey, without reducing security
• Scalability challenges – creating systems that are able to manage exponential increases in demand, without impacting performance
“works with” won’t help you – how to reliably crash any IAM project
Stefan Bosnjakovic, IAM and Corporate IT-Security Architect, Deutsche Kredit Bank
Embarking on and completing an Identity and Access Management project can be a tricky task that has to juggle differing business needs, technological constraints and a complexity arising from IAM systems which have to span the entirety of a global enterprise’s IT infrastructure.
In this presentation, we examine the ways you can approach IAM project management to ensure success through:
- How to read between the lines of product brochures
- How to set up a sensible Proof-of-Concept instead of becoming a vendor’s guinea pig during the project implementation phase
Do You Need Federated Identity Management for Single Sign-on?
When starting on an IAM implementation, it’s good to first start with user needs and match accordingly. In the case of SSO, it’s all about making multiple services easier to access for users and customers while maintaining a robust level of security. Complexity comes in when deciding if you need Federated Identity Management (FID) to achieve this goal.
• The advantages and disadvantages of having an identity provider
• Cost benefits depending on organisational needs
• Protecting critical assets, incorporating MFA, and other security concerns
Moving on from 1980’s X.509 certificate
Henk Birkholz, Standards Expert, Fraunhofer Institute for Secure Information Technology
Up to this day, X.509 certificates provide the general basis for authentication and privilege management in order to authorize access to particular resources. Today’s usage of X.509 certificates, though, has extended way beyond that initial scope, leaving relying parties with the challenge of providing functional and secure ASN.1 decoders that can handle these additional “flavours” of X.509 certificates. Over time, the versatility of the X.509 framework became a curse, as “general decoders” that can always decode the corresponding BER representations correctly, and also map the resulting output to application semantics securely, practically do not exist.
This presentation illustrates a new way forward, using an alternative binary representation suitable for constrained-node networks (CBOR), addressing the current scope, intent and audience of today’s X.509 “flavours”, utilizing a simpler way to create signed bundles of assertions (CWT), while also allowing for more secure decoding.
The vision of identity brokering for the International Federation of Red Cross and Red Crescent Societies
Amol Sawarkar, Enterprise Architecture, Global IT Planning and Project Management Unit, IFRC
IFRC is one of the largest International humanitarian non-profit organisations in the world. IFRC works with 190 national Red Cross – Red Crescent Societies in response to natural or health crises. This involves thousands of RCRC staff and over 1 million volunteers assisting many millions of vulnerable people worldwide.
As digitalisation continues to move ahead from bare Excel files and web pages to interactive/live systems, the digital identity of each person involved in the entire movement is itself a challenge. The digitisation of identities may be useful for administrative support for staff/volunteers or receiving benefits for the volunteers. At IFRC, we are trying to solve this challenge by establishing a single movement-wide system with the help of available technologies without having to generate duplicate data and access control mechanisms.
This session is to summarise IFRC’s Digitalisation state, discussing challenges and a high-level roadmap.
Questions to The Panel Of Speakers
Morning Networking and Refreshments Served in the Exhibition Area
Getting the IAM basics right
David Doret, IAM & Data Protection Manager, BNP Paribas
The IAM industry is innovating at a steady pace and we all feel excited about fancy buzzwords and new products reaching the market with great promises.
Meanwhile, we – CISOs / IAM managers – must confront a tough reality. That reality is made of elusive and fragmented information systems, workforce and business processes. Still, as each day goes by, we protect our companies with our IAM processes and deliver productivity, compliance and security.
How do we accomplish that?
First and foremost, by getting the IAM basics right. Again, again, and again.
In this talk, we will review what the IAM basics are and the foundational principles on which they are based.
• Key principles
• Key processes
• Key practices
Daniel Friman, DevOps Chapter Lead for Information Security and PKI, ING
Automation comes into play in an increasing number of aspects in our organizations and it is gradually becoming the normal way of managing IT.
In this presentation, we will dive into the automated management of infrastructure, systems, and applications. We will start with a brief orientation of automation terminology and then discuss benefits and drawbacks. There is a lot to consider with automated testing, provisioning, deployment, self-service, and operations. Do you have overlooked opportunities?
Questions to the Panel of Speakers
Delegate movement to the Seminar Rooms
Networking Lunch Served in the Exhibition Area
Session Two – Security and Innovation
- Cutting-edge techniques and technologies to secure your systems
- Adapting to, and securing, new infrastructure environments
- Managing privileged accounts
- Complying with rigorous data protection legislation
- The future of digital identity
The Conference Chair Opens the Afternoon Session
Machine Learning to Manage Access Risks
This afternoon keynote focuses on how Machine Learning models can be used to provide intelligent, adaptive access rules and privilege management, focusing on:
- The newest techniques to analyse user behaviour, access rights, contextual information and geo-location
- Automating provisioning, authentication and access
- Managing the outliers and calibrating your ML model to suit complex organisational structures
- Implementing ML alongside existing IAM infrastructure
Cloud Security and Access Management: Meeting the Challenges
Thomas Guenther, Principal Architect, IAM & GRC, Steel Industry
Cloud assets are increasingly becoming a favoured target for nefarious actors. In this presentation, we tackle some of the key challenges associated with cloud security and IAM, looking at:
- Meeting identity provisioning challenges
- Ensuring system resources are allocated in a sustainable way
- Managing privileged cloud users through strong authentication, conditional access and administrative overview
- Frameworks to support tracking user access
Strategies to Secure and Manage Privileged Accounts
Mohsin Choudhury, UK Head of Cyber Security, Information & Data Office of the Chief Operating Officer, Bank of Ireland UK
Privileged accounts are an attacker’s most sought-after prize, and are capable of inflicting tremendous damage across your organisation as they evade access controls.
We explore how businesses can secure access pathways to their network through the deployment of techniques and analytics solutions that mitigate risk, look at the ‘right’ data – not all the data, and meet high stakes compliance requirements.
Questions to the Panel of Speakers
Afternoon Networking and Refreshments served in the Exhibition Area
Securing Big Data with Identity Management
Robin Jose, Chief Data and Analytics Officer, wefox
Statistics and data are the lifeblood of any organisation looking to drive evidence-based decision making. Integral to this is the ability to allow data and insights to be shared across different sectors so that the benefits of data collection can improve all areas of business.
But as data sets are merged, shared, snipped and in some cases released to the public, the question of who is responsible for data and who it can be shared with can become infinitely complex. Strict rules on data protection mean this is not just a philosophical concern: the unplanned sharing of personal data can result in heavy fines and regulatory punishment.
We deep dive into the ways identity and access management can be utilised to secure production environments and data sets in large organisations.
A Comparison of Authentication Protocols
Authentication of users and applications with third-party systems can be a challenging task for developers, and depending on use-cases and user needs, the variety of authentication protocols available can be confusing.
In this session, we take a look at the major protocols available such as SAML, LDAP, OAuth and OpenID, examine their strengths and weaknesses and suggest ways which can help you find the perfect protocol for every situation.
How to determine the security of a mobile authentication app
Petteri Ihalainen, Senior Specialist, National Cyber Security Centre, Finland
The market is littered with mobile authentication apps from simple OTP generators to sophisticated PKI & biometrics applications. But they all share the same challenge – how can they prove that they are actually secure?
This presentation takes a look at the unique challenge in evaluating the security of mobile authentication apps in the context of national regulation and eIDAS. We will present a global proposal for proving the security of a mobile authentication app. The proposal can be adopted by e.g. governments, organisations deploying app-based authentication solutions or by app vendors to evaluate their systems on how they can resist the various types of attacks.
Closing Keynote: The Future of Digital Identity
Aisling Connolly, Cryptography and Privacy Researcher, Information Security, Ecole Normale Superieure
In communities, forums, workspaces and every conceivable online corner, people are already able to hold numerous, ephemeral digital identities that transform depending on their environment and usage.
As technologies like AI, virtual reality and biometrics seep deeper into the way we perceive the world and interact with others, digital and real identity will also adapt and change.
In this closing keynote, we explore the ways digital identity may change, and how we as practitioners can meet the challenges and demands this will bring.
• Responsibility – Developing technologies mount pressure to augment our strategies to be increasingly societally responsible
• Diversity – Emerging methods of Authentication mandate that we develop future technologies with a global view of identity.
• Emerging Technologies – data minimisation, pseudonymisation, unlinkability, transparency, and privacy.
Questions to the Panel of Speakers
Closing Remarks from the Conference Chair
Conference Closes, Delegates Depart
Whitehall Media reserve the right to change the programme without prior notice.