Session one – IAM as a Business Enabler
Through cross-sector case studies and industry perspectives, we chart key IAM imperatives including accountability, transparency, user experience and managing trust, privileges and entitlements. The early morning session will also explore:
- Identity governance and data access controls
- Privileged Access Management and user authentication methods
- Innovation and future-proofing your IAM programme
- IAM security architecture
- Digital transformation and your IAM platforms
- How to utilise IAM to achieve business goals and empower digital business
- Operationalising identity intelligence for risk mitigation
- Future trends in the IAM space
Conference Chair’s Opening Address
Ruth Puente, Director of Kantara Europe, Kantara Initiative
Implementing a Full Lifecycle Incident Management Solution
Manoj Kumar, Global Director – Identity and Access Management, Philip Morris International
The IT Ecosystem is becoming increasingly complex to manage and secure. We explore the intricacies of a robust incident management system, discussing:
- Cyber Attack Lifecycle Steps
- Automation and detection of unusual behaviours
- A how-to guide for reducing your team’s Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
- A toolkit – disaster recovery post-security breach
IDAAS: WHAT CAN IT DO FOR YOUR ENTERPRISE?
It has been predicted that by 2021, IDaaS will become the dominant delivery model for new IGA deployments. By 2020, 40% of global large and midsize enterprises will use IDaaS capabilities to fulfil most of their IAM needs. IDaaS will be the chosen delivery model for more than 80% of new access management solution purchases.
While only cloud-native companies can quickly adopt IDaaS, migrating to the cloud is a big concern for most companies.
This session will explore:
- Is a hybrid system the answer for your enterprise?
- What are the benefits of using IDaaS to give you the speed and agility while deploying on-premise IAM to deliver flexibility?
- Comparing challenges and concerns of cloud migration versus hybrid identity systems
Business Roles and Least Privilege: (Re-)Balancing Risks and Efficiency
Oliver Briese, IAM Project Lead & Head of SoD, Deutsche Kreditbank AG (DKB)
Markus Duda, External Project Manager, Deutsche Kreditbank AG (DKB)
In today’s advanced and distributed IT landscapes, business roles (BRs) are the means to cope with the size and complexity of user access rights. Building BRs means a constant struggle to reconcile conflicting interests such as least privilege, need to know, segregation of duty and reducing building and provisioning efforts. Of late, auditors have also been stressing the importance of least privilege.
We will therefore present a risk-oriented approach to harmonising these conflicting goals.
IAM IN THE CLOUD
What is the biggest concern when it comes to securing the cloud? Most people would say data loss, malicious outsiders or careless insiders, but what about implementing adequate IAM practices? This does not seem to be a top concern when, paradoxically, IAM practices can help mitigate both insider and outsider cyber risks.
- How we can increase the awareness of the benefits of implementing a robust IAM programme, especially a
- Discussing the state-of-the-art technologies to tackle IAM/PAM cyberattacks
- Options to meet the standards of PAM cloud security
How to convince your organisation that effective IAM is its top priority
Ian Evans, IAM Expert, Hargreaves Lansdown
You know that effective IAM is crucial for your organisation’s survival. But how do you convince others? Ian draws on his dual experience of client-side IAM and influencing/presenting/negotiating to propose approaches that could prove useful:
- Structuring an IAM proposal
- Real-world examples of good and bad IAM outcomes
- The benefits and costs of IAM – and the alternatives
- Likely questions and objections to an IAM proposal
WHY JUNIOR ROLES IN IAM ARE IMPERATIVE TO YOUR STRUCTURE
Joe Matthewson, Senior IAM Manager, Sky Betting and Gaming
Presentation on my journey and why I think it is so important to bring young individuals into the IAM world and help mould them into IAM specialists.
Discuss topics such as:
- New ideas
- A fresh outlook on access control
- Simplicity is key
- Building bridges
Questions To The Panel Of Speakers
Refreshment Break Served in the Exhibition Area
Case study – GDPR and Compliance Practices within IAM
Norbert Eschle, Enterprise Data Architect, Direct Line Group
The GDPR is a crucial driver within the IAM landscape. Enterprises are required to maintain high levels of compliance and data governance practices, transforming IAM into a critical aspect of their data and cybersecurity strategies.
- The impact of GDPR and new compliance practices on global business strategies
- Moving to the cloud, GDPR territorial scope and data sovereignty
- Enforcing compliance based on the business need for data
Case Study – Leveraging Third-Party IAM
Granting full or even partial access to third-party subcontractors can pose a severe risk to corporate cybersecurity, increasing the need to strictly control or monitor third-party vendor access, especially in the cloud.
We discuss how to achieve full visibility of subcontractors’ actions, granular access management for different groups of vendors, and vendor monitoring to avoid misuse of granted privileges.
We also discuss how to federate your third-party IAM to coordinate your own authentication with the authentication efforts of your partners, allowing you to ensure your own security by utilising the protection tools of others.
Questions to the Panel of Speakers and Delegates move to the Seminar Rooms
Networking Lunch Served in the Exhibition Area
Session two – Technology, Threats and Security
- Machine identity capabilities
- User managed access
- Enterprise application integration
- Adaptive authentication analysis in behavioural patterns
- Risk-based authentication
- CIAM landscape
- IAM and PAM integration
Conference Chair’s Afternoon Address
Identity data types for access management: transforming identity management at the BBC
Ros Smith – Executive Product Manager – Identity & Access Management, BBC
Carlos Trigoso – Lead Architect – Identity & Access Management, BBC
The BBC has a relatively advanced Identity and Access Management programme covering all user types within the corporation’s business ecosystem.
Carlos Trigoso and Ros Smith will present a compact history of this programme and then will focus on the results obtained in the past three years.
The presentation highlights the close correlation and interdependence between Identity Management and Organisational Transformation.
Details will include:
- The Four-layer model
- The BBC ecosystem
- An outline of the current BBC Enterprise IAM
Blockchain and Self-Sovereign Digital Identity
As our dependence on social media and APIs increases, so does the user information they store, which makes managing our digital identity a big issue. With users’ personal details, behaviours and likes spread all over the Internet, self-sovereignty seems like a distant dream. However, blockchain may bring us closer to that desired utopian situation where we are in control of our digital identity.
- The problems associated with self-sovereign identity. Do users manage their own keys? Will they recover their own identity?
- Governance and compliance issues
- Real-world cases of early applications with public blockchains (e.g. Civil and Po.et)
Privileged Access Management & Cyber Security Baseline
Martin Ofori-Atta Williams, Privileged Access Management Subject Matter Expert, AP Moller Maersk
A lack of visibility and control over privileged accounts, users and assets could lead to critical data being compromised and organisations’ networks being hacked.
- Why provisioning and de-provisioning of accounts must be a top priority for all organisations
- Reviewing the PAM processes to ensure that the high risk of malicious use of data by employees, contractors and suppliers is minimised
Questions to the Panel of Speakers
Afternoon Networking and Refreshments served in the Exhibition Area
IAM Delivery with DevOps
Vilma Blomberg, IAM Solution Design Owner, KONE
IAM programmes are traditionally slow and expensive multi-year investments for organizations. Today organizations must be able to adapt fast to changes in the IAM environment and implement IAM solutions faster with lower cost.
Organizations could accelerate and automate the delivery of value from IAM by using DevOps principles and mechanisms… but how?
A solution to this challenge will be presented by using a case study on how to adopt DevOps in IDM (SailPoint IIQ) delivery in a large corporation.
- IAM is a business-critical area of IT that is heavily driven by security risk management
- An IDM system must be highly configured and customized to meet organizations’ requirements and to become an IAM solution that brings value to the organization
- Today organizations must deliver these solutions faster and cheaper than ever to meet business, security and regulatory requirements
- An automated DevOps pipeline can be built to automate IAM deployments, shorten release cycles and speed up incident resolution time
MULTIFACTOR AUTHENTICATION VS SINGLE-SIGN-ON – OR BOTH?
Security officers often have to choose between SSO and MFA. While MFA provides high-quality IAM solutions, SSO provides a user-friendly strategy. Combining the best of both worlds seems the best solution to provide users with safe authentication systems without compromising user experience – if you can afford it. In turn, this combined system may offer fewer password resets and fewer help-desk calls.
It all comes down to a question of whether the time and money allocated are worth it and whether the outcome outweighs the investment. This session looks at the benefits of a combined system and how to go about implementing it.
Putting the Sec in DevOps
Andrew Hardie, Dev Ops Strategy Architect, Metropolitan Police
DevOps, for sure, has taken the IT world by storm. Accelerating application development and managing the infrastructure into which those applications will be deployed has turned the SDLC from “compile and package” into the entire pipeline from code commit to running in production. Speed via automation is the dominant principle of DevOps, but that speed can deploy bad things just as fast as good things.
In this presentation, Andrew will examine the risks and discuss mitigations to help turn DevOps into DevSecOps.
Questions to the Panel of Speakers
Closing Remarks from the Conference Chair
Whitehall Media reserve the right to change the programme without prior notice.