Conference Chair's Opening Address
Dr Gilad L. Rosner, Founder: IoT Privacy Forum; Expert in Public Policy of IoT & Identity Management; Privacy and Technology Policy Researcher
The Identity and Access Management transformation: from an IT to a Business-driven Approach
Bertrand Hanappe, Global Head of Identity & Access Management, Euroclear
Jérôme Desbonnet, Head of Security Technologies & Operations, Euroclear
Over the last few years, with the evolution of the risk landscape, the Cyber Security framework has had to be reviewed and its fundamentals redesigned. Indeed, this has not only triggered major roadmap projects but also forced the majority of us to review our Identity and Access Governance.
In this presentation, we will share with you our key learning outcomes in implementing this new framework and the key concepts you need to keep in mind if you were to jump into this transformation.
• Risks evolution
• Pitfalls in IAM project-like delivery
• Client and end-user centricity
• Lessons learned
From Traditional IAM to Next-Gen Identity Governance Using Best-Practices
Dr. Alfons Jakoby, Business Advisory, Omada
Most organizations today are operating in a hybrid IT environment of on-premises and cloud-based applications, which makes it difficult to get transparency on who has access to which IT systems and applications in an organization and why. But in a world where rules and regulations are proliferating, when it comes to managing IT users and their access, being compliant is seen as a basic license to operate. So how do you enable your company to continue to grow and adapt while still handling identity governance and administration (IGA) challenges? And how do you do this without repeating history and starting yet another protracted IT project with no ROI?
IGA has become the cornerstone of solid IT security and compliance, allowing organizations to implement processes for controlling, managing, and auditing access to data, an important prerequisite for reducing security risk. In this presentation you will get an insight into best-practice processes that are based on almost two decades of experience in implementing IGA solutions in complex enterprises worldwide.
• Why do best-practice processes work for IGA?
• What does the best-practice IGA process framework cover?
• How can you use the argument for best-practices to move standards and alignment in your own company?
“works with” won’t help you – how to reliably crash any IAM project
Stefan Bosnjakovic, IAM and Corporate IT-Security Architect, Deutsche Kredit Bank
Embarking on and completing an Identity and Access Management project can be a tricky task that has to juggle differing business needs, technological constraints and a complexity arising from IAM systems which have to span the entirety of a global enterprise’s IT infrastructure.
In this presentation, we examine the ways you can approach IAM project management to ensure success through:
- How to read between the lines of product brochures
- How to set up a sensible Proof-of-Concept
- How to avoid becoming a vendor’s guinea pig during the project implementation phase
Back from the Future
Ben Bulpett, EMEA Identity Platform Director, SailPoint
How the next generation of Identity Platforms will have to deal with the challenges of 2020 and beyond… Are you ready to go back to the future?
Moving on from 1980’s X.509 certificate
Henk Birkholz, Standards Expert, Fraunhofer Institute for Secure Information Technology
Up to this day, X.509 certificates provide the general basis for authentication and privilege management in order to authorize access to particular resources. Today’s usage of X.509 certificates, though, has extended well beyond that initial scope, leaving relying parties with the challenge of providing functional and secure ASN.1 decoders that can handle these additional “flavours” of X.509 certificates. Over time, the versatility of the X.509 framework became a curse, as “general decoders” that can always decode the corresponding BER representations correctly, and also map the resulting output to application semantics securely, practically do not exist.
This presentation illustrates a new way forward, using an alternative binary representation suitable for constrained-node networks (CBOR), addressing the current scope, intent and audience of today’s X.509 “flavours”, utilizing a simpler way to create signed bundles of assertions (CWT), while also allowing for more secure decoding.
The vision of identity brokering for the International Federation of Red Cross and Red Crescent Societies
Amol Sawarkar, Enterprise Architecture, Global IT Planning and Project Management Unit, IFRC
IFRC is one of the largest International humanitarian non-profit organisations in the world. IFRC works with 190 national Red Cross – Red Crescent Societies in response to natural or health crises. This involves thousands of RCRC staff and over 1 million volunteers assisting many millions of vulnerable people worldwide.
As digitalisation continues to move ahead from bare Excel files and web pages to interactive/live systems, the digital identity of everyone involved in the entire movement is itself a challenge. The digitisation of identities may be useful for administrative support for staff/volunteers or for volunteers receiving benefits. At IFRC, we are trying to solve this challenge by establishing a single movement-wide system with the help of available technologies without having to generate duplicate data and access control mechanisms.
This session is to summarise IFRC’s Digitalisation state, discussing challenges and a high-level roadmap.
Questions to The Panel Of Speakers
Morning Networking and Refreshments Served in the Exhibition Area
Getting the IAM basics right
David Doret, IAM & Data Protection Manager, BNP Paribas
The IAM industry is innovating at a steady pace and we all feel excited about fancy buzzwords and new products reaching the market with great promises.
Meanwhile, we – CISOs / IAM managers – must confront a tough reality. That reality is made of elusive and fragmented information systems, workforce and business processes. Still, as each day goes by, we protect our companies with our IAM processes and deliver productivity, compliance and security.
How do we accomplish that?
First and foremost, by getting the IAM basics right. Again, again, and again.
In this talk, we will review what the IAM basics are and the foundational principles on which they are based.
• Key principles
• Key processes
• Key practices
Smart and GDPR Compliant Management of Employee and Partner Identities and Access!
OneLogin case study presented by Lars-Thorsten Sudmann, Founder & Managing Director, bloola
Today companies are dealing with the challenges of centrally managing business partner and customer identities, giving both groups, as well as internal employees, access to specific applications and portals. Nowadays higher demands must be placed on making sure that sensitive data, applications and business insights are protected by a second factor to ensure a high level of security.
Having a centralized location for the digital identity of partners and customers is a key factor for being compliant with GDPR regulations.
This session aggregates the challenges and topics, shows possible concepts and provides concrete solutions in a customer example of a 16.000-employee company including more than 10.000 partners.
Daniel Friman, DevOps Chapter Lead for Information Security and PKI, ING
Automation comes into play in an increasing number of aspects in our organizations and it is gradually becoming the normal way of managing IT.
In this presentation, we will dive into the automated management of infrastructure, systems, and applications. We will start with a brief orientation of automation terminology and then discuss benefits and drawbacks. There is a lot to consider with automated testing, provisioning, deployment, self-service, and operations. Do you have overlooked opportunities?
Questions to the Panel of Speakers
Delegate movement to the Seminar Rooms
Networking Lunch Served in the Exhibition Area
Conference Chair's Afternoon Address
Build vs Buy: Why Apiture Chose a Ready-to-Use Authorization Solution
Apiture case study presented by Gal Helemski, Cofounder & Chief Innovation & Product Officer (CIPO), PlainID
Many companies find themselves facing the question of whether they should use internal IT resources to build technology that meets an internal need or purchase a vendor solution. In this customer-focused session, we will discuss how Apiture went through this decision-making process for their need for an authorization solution.
We’ll focus on:
• The business challenge Apiture wanted to solve
• The important capabilities you should be looking at in an authorization solution
• Why ‘buy’ won over ‘build’ for Apiture
Cloud Security and Access Management: Meeting the Challenges
Thomas Günther, Principal Architect, IAM & GRC, Steel Industry
Cloud assets are increasingly becoming a favoured target for nefarious actors. In this presentation, we tackle some of the key challenges associated with cloud security and IAM, looking at:
- Meeting identity provisioning challenges
- Ensuring system resources are allocated in a sustainable way
- Managing privileged cloud users through strong authentication, conditional access and administrative overview
- Frameworks to support tracking user access
Strategies to Secure and Manage Privileged Accounts
Mohsin Choudhury, UK Head of Cyber Security, Information & Data Office of the Chief Operating Officer, Bank of Ireland UK
Privileged accounts are an attacker’s most sought-after prize, capable of inflicting tremendous damage across your organisation as they evade access controls.
We explore how businesses can secure access pathways to their network through the deployment of techniques and analytics solutions that mitigate risk, look at the ‘right’ data – not all the data – and meet high-stakes compliance requirements.
Questions to the Panel of Speakers
Afternoon Networking and Refreshments served in the Exhibition Area
Securing Big Data with Identity Management
Robin Jose, Chief Data and Analytics Officer, wefox
Statistics and data are the lifeblood of any organisation looking to drive evidence-based decision making. Integral to this is the ability to allow data and insights to be shared across different sectors so that the benefits of data collection can improve all areas of business.
But as data sets are merged, shared, snipped and in some cases released to the public, the question of who is responsible for data and who it can be shared with can become infinitely complex. Strict rules on data protection mean this is not just a philosophical concern: the unplanned sharing of personal data can result in heavy fines and regulatory punishment.
We deep dive into the ways identity and access management can be utilised to secure production environments and data sets in large organisations.
Securing APIs in a Cloud Native Environment Using OAuth
Thought Leadership session presented by Travis Spencer, CEO, Curity
In this talk, Travis will explore the world beyond microservices and illustrate how to securely distribute identity information in a world of lambda functions and worldwide geographical distribution. He will also show how to scalably verify tokens, revoke tokens and distribute keys and trust when the concept of data center no longer matters.
The OpenID Self-Certification Program
Hans Zandbelt, IAM Architect, OpenID Foundation
The OpenID Foundation has created a test and self-certification program for OpenID Connect protocol implementations to stimulate interoperability, deployment and robustness of these implementations. The certification suite can be used to certify both Relying Party and Provider implementations against the OpenID Connect protocol specifications. This presentation provides an introduction to the certification program and will cover the following topics:
• Why OpenID Connect certification is important
• How self-certification addresses the goals of the program
• What the certification program consists of, and how certification can be achieved by implementations
Closing Keynote: The Future of Digital Identity
Aisling Connolly, Cryptography and Privacy Researcher, Information Security, Ecole Normale Superieure
In communities, forums, workspaces and every conceivable online corner, people are already able to hold numerous, ephemeral digital identities that transform depending on their environment and usage.
As technologies like AI, virtual reality and biometrics seep deeper into the way we perceive the world and interact with others, digital and real identity will also adapt and change.
In this closing keynote, we explore the ways digital identity may change, and how we as practitioners can meet the challenges and demands this will bring.
• Responsibility – Developing technologies mount pressure to augment our strategies to be increasingly societally responsible.
• Diversity – Emerging methods of authentication mandate that we develop future technologies with a global view of identity.
• Emerging Technologies – data minimisation, pseudonymisation, unlinkability, transparency, and privacy.
Questions to the Panel of Speakers
Conference Chair's Closing Address
Conference Closes and Delegates Depart
Whitehall Media reserve the right to change the programme without prior notice.