Don’t miss IDPro member presentations!
Due to travel restrictions and in the best interests of attendees, Identiverse 2020 is being held virtually as a series of webinars timed to accommodate a global audience. All previous presentations are available on-demand (watch sessions from the previous two weeks here).
View the full Identiverse agenda here and register to attend. Join the conversation with other IDPro members in IDPro’s Slack workspace in the #Identiverse channel. Also, Identiverse has a separate Slack workspace for support help, to discuss hot topics, and network with digital identity professionals. If you need an invite, or if you’re not receiving the email list messages, contact membership@idpro.org.
Follow IDPro and Identiverse on Twitter for updates. Don’t miss this year’s Identiverse presentations!
Following are IDPro members presentations for the remainder of the Identiverse 2020 virtual event:
Week 3: June 29 – July 3
Monday, June 29, 10:30 – 10:55: A Crew as Nuts as You Are: Building a Local IAM User Group
The ability for identity practitioners to network with their peers at a local/regional level on a periodic basis is incredibly valuable, especially for those who do not have the means to travel to other events where such professionals gather. These groups provide a forum for sharing technical presentations and real-world experiences that help not only the practitioner, but their employer as well. Ocean’s Eleven, meanwhile, is the classic heist movie where a small group of people with a plan — and a killer soundtrack — craft something extraordinary. Steve “Hutch” Hutchinson and Mike Kiser have both started IAM user groups in their city and, with a little help from Clooney & Pitt, will provide you with a blueprint for something no less ambitious than ripping off three casinos: starting your own identity focused meetup. So join us and we’ll show you how to pull off the meeting, plus maybe even a Boesky, a Jim Brown, a Miss Daisy, two Jethros and a Leon Spinks, not to mention the biggest Ella Fitzgerald, ever. – Speaker/s: Stephen Hutchinson, Mike Kiser
Monday, June 29, 12:00 – 12:25: Distributed Open Identity: Self-Sovereign OpenID: a Status Report
Self-sovereign Identity is a philosophy. Distributed Identifier (DID) and Verifiable Credentials are aspirational implementations of it. However, a completely new protocol may face formidable adoption challenges as it will easily get into a chicken-and-egg situation of user adoption and service adoption. From this point of view, minimizing the wire-protocol differences to the current mainstream protocols have large advantages as it would be easier at least to persuade service providers to adopt it. After all, most users use its online identity to get services from those service providers and not for the sake of using the identity. In November 2019, OpenID Connect WG decided to separate out Chapter 7 of OpenID Connect Core to make it an independent specification to close the gap between “Self-issued OpenID Provider” and “Self-sovereign Identity”. This session will provide an overview of the development since then and brings the audience up-to-speed on what is happening in the space including Demo of such implementations. It is a follow up of the Identiverse 2019 session “SSO: Self-sovereign OpenID Connect – a ToDo list”. – Speaker/s: Preeti Rastogi, Nat Sakimura
Tuesday, June 30, 10:30 – 10:55: Mission: Impossible – Identity Mythos
If there’s one thing that we can rely on the Mission: Impossible movies to deliver, besides awesome shots of Tom Cruise running like only Tom Cruise can, it’s the use of technology as a core part of the Impossible Mission Force’s plan. These plans often involve bypassing security systems or fooling opsec in a way that plays with identity. Your mission, should you choose to accept it, is to join me as I show how the M:I series has some pretty interesting lessons on how to do identity-based security right (or wrong). There are misconceptions about identity technologies that many security and even identity professionals have today, that the (non IDPro) writers of the series have figured out, and have used to great effect in creating the thrills of the M:I movies. Looking past the action, there are same great lessons we can all take away that can make our security programs better, help our organizations avoid some common (and costly) mistakes, and keep any potential Ethan Hunt’s out of your business. And unlike those coded messages, these lessons won’t self-destruct in 5 seconds. – Speaker/s: Nishant Kaushik
Tuesday, June 30, 11:00 – 11:25: SailPoint Presents: LogMeIn’s Identity Governance Vision Uses the Power of AI & Machine Learning
Supporting and securing remote workers has never been more critical than now, and identity needs to be the lynchpin of that strategy. Companies are facing significant changes in their programs as AI and machine learning technologies redefine how businesses do identity. The future of identity is here. Now, organizations of all sizes are starting to use AI & Machine Learning (ML) to build identity programs efficiently. Kayla Williams, Director of GRC at LogMeIn (makers of LastPass) and Po Wang, Sr. Manager, CIO Portfolio Manager, will share their identity journey on how AI/ML technologies are integral to their strategy, how the integration of systems and process changes was significant in their process, and the efficiencies they’ll gain with a cloud-first identity program. – Speaker/s: Po Wang, Kayla Williams
Wednesday, July 01, 10:00 – 10:50: Identity Standards: What’s Up, What’s New, What’s Next
Alex will share his thoughts on the importance of Open Standards, and some areas of amazing recent progress. Additionally he will discuss a few emerging areas and the opportunity they present for enhancing user security and providing breakthrough personal privacy. – Speaker/s: Alex Simons
Wednesday, July 01, 11:00 – 11:25: Microsoft Presents: A Zero Trust Approach for Today’s World
Organizations have traditionally invested in network as a perimeter. In current times with the shift to remote workforce, organizations had to quickly adapt to the new reality and enable secure access to corporate resources. End users are working from home and VPN isn’t always a viable option. A Zero Trust approach to securing your data is more important than ever. In this session, we will demystify Zero Trust and dive into steps to start your zero trust journey. – Speaker/s: Nitika Gupta
Wednesday, July 01, 12:00 – 12:50: Scaling Strong Authentication
Join our expert panel for an in-depth discussion of the challenges and pitfalls of handling strong authentication at large scale – and an exploration of possible solutions. – Speaker/s: Lorrayne Auld, John Fontana, Blake Hall
Thursday, July 02, 12:00 – 12:50: A Balancing Act: Identity, Privacy, and Security in a Data Sharing Economy
As the value of enterprise data increases, so too do the risks to the enterprise, to the individual, and to the industry. Do you as an identity, privacy, or security professional know how to recognize those risks, let alone mitigate them? If we do this right, everyone recognizes meaningful value. If we do this wrong, everyone loses. As professionals in these areas, you need to consider information governance, regulatory compliance constraints, and data provenance. Join this panel of experts as they discuss recognizing and overcoming the risks, maximizing data use and sharing opportunities, as well as impart practical techniques for implementation. – Speaker/s: Pamela Dingle, Heidi Wachs, Alice Wang
Week 4: July 6 – 10
Tuesday, July 07, 11:00 – 11:25: Ping Identity Presents: Passwordless: Transform Customer Experiences in the New Digital Era
By 2022 Gartner expects that 60% of large and global enterprises, and 90% of midsize enterprises, will deploy passwordless verification. With most businesses delivering friction-free sign-on to their customers that doesn’t require passwords, you will have to keep up to stay competitive and retain market share. No matter where you are on your journey to get rid of passwords there are important considerations you have to make. What is the most secure password substitute? Should I allow passwordless access for all apps? Which authentication factors will my customers actually use? How many passwordless authentication factors do I need to offer? In this session, we’ll tackle these questions and more in order to help you navigate the critical decisions you’ll need to make as you embark on your passwordless journey. – Speaker/s: Rob Otto
Tuesday, July 07, 12:00 – 12:25: Enabling Scalable Multi-Lateral Federations with OpenID Connect
Numerous large-scale multi-lateral identity federations are in production use today, primarily in the Research and Education sector. These include national federations, such as SUNET in Sweden, regional federations such as NORDUnet in the Nordic countries, international federations with thousands of sites, such as InCommon, and even inter-federations among dozens of federations, such as eduGAIN. Yet these existing federations are based on SAML 2 and require the federation operator to poll the participants for their metadata, concatenating it into a huge file that is distributed to all federation participants nightly – a brittle process with significant scalability problems. Responding to demand from the Research and Education community to migrate from SAML 2 to the simpler OpenID Connect protocol, the OpenID Connect working group has created the OpenID Connect Federation specification to enable this. The new approach incorporates lessons learned from existing SAML 2 federations – especially using a new, scalable approach to federation metadata, in which organizations host their own signed metadata and federation operators in turn sign statements about the organizations that are participants in the federation. As Shibboleth author Scott Cantor publicly said at a federation conference, “Given all my experience, if I were to redo the metadata handling today, I would do it along the lines in the OpenID Connect Federation specification”. This presentation will describe progress implementing and deploying OpenID Connect Federation, upcoming interop events and results, and next steps to complete the specification and foster production deployments. The resulting feedback from Identiverse participants on the approach will be highly valuable. – Speaker/s: Michael Jones
Wednesday, July 08, 11:00 – 11:25: Auth0 Presents: A Centralized Identity Strategy Using Standards Helps Minimize Threats
Modern architectures continue to become more distributed and fractured. How can developers continue to develop and build what they understand without having to become identity experts? How can they do that and ensure that their applications remain secure? A centralized, standards based identity management system can provide a system that is easy to interact with without requiring expertise or a reduced security footprint. – Speaker/s: Carlos Mostek
Thursday, July 09, 10:30 – 10:55: Ethics in Data Privacy: Is User-Owned Data the Future of Data Privacy?
As the movement towards data privacy grows, there are a number of concepts for how users can regain control over their data – data ‘dividends’, person blockchains, cash-for-data exchanges, but all have both upsides and downsides. This session explores a few different schools of thought around the pros and cons of user-owned data and alternatives for the future of ethical data privacy. – Speaker/s: Marla Hay
Thursday, July 09, 12:00 – 12:50: Dev, Sec, or Ops: The Future is Hybrid and Automated
Many enterprise practitioners are struggling to adopt infrastructure-as-code, let alone containers, and automated pipelines. Not all of the challenges are technical, and many are rooted in leadership not being comfortable with the culture change that comes with automating processes and trusting code over people. Our panel will talk about some of the real-world struggles their organizations have faced moving to a DevOps culture both from a technical and cultural perspective. The panel’s viewpoints will cut across both industries (healthcare, financial services, government) and business relationships (vendor, integrator, and customer) to show different perspectives on how the problems are being solved. – Speaker/s: Matt Topper
Friday, July 10, 10:00 – 10:50: Demo 2020 of the Kantara Personal Data Consent Receipt!
You will hear lots of talk about the Business-Legal-Technical sandwich** at identity and security conferences. Come hear about what a BLT looks like with real companies and regulators working out how the Kantara Consent Receipt can work in the real world for consumer data protection. Our presenters will share their insights about how the BLT works, concerns and hurdles, and what improvements are still needed. It’s been a busy year since Kantara members demonstrated 6 real implementations of Consent Receipts at Identiverse 2019. And the pace has just kept increasing! In this Masterclass/Demo session we’ll dig into: •the consent receipt specification and, how you can use our new data receipt framework to build your own personal data receipt customized to your scenario, •how our member companies have implemented receipts in innovative ways, •how our partners at FDX have made it part of their Open Banking API work, •the conversion of the Kantara specification into an ISO International Standard, and •what a state consumer protection regulator is doing to give their constituents data protection tools. If you’ve ever wondered why people are not given a receipt when asked to give up their data, this is the session for you! ** No actual sandwiches were harmed during the preparation of this session – but they certainly were delicious. – Speaker/s: Andrew Hughes
Week 5: July 13 – 17
Monday, July 13, 10:30 – 10:55: Beyond 2.0: OAuth, TXAuth, XYZ, and Growing New Standards
The OAuth 2.0 protocol has been wildly successful across the internet, but it has many shortcomings that come to light in today’s world. We’ve learned a lot about what works and what doesn’t in practice, and the time has come to build on those lessons. Come learn how we are building the next generation identity and security protocols that could lay the groundwork for the next decade of internet security. – Speaker/s: Justin Richer
Tuesday, July 14, 10:00 – 10:50: Next-Gen Authorization Throwdown: It’s Not Your Grandfather’s OAuth
OAuth has seen several iterations over the last decade as the expert community has worked to solve difficult security, authorization, delegation, and consent challenges on behalf of both enterprises and end-users. We’re now in “interesting times” as OAuth 2.0 is being stretched – some might argue to a breaking point – to cover new use cases. How should we enable fine-grained authorization? How similar should our handling of consent and authorization be? Can enterprise authorization and cross-domain authorization use the same model efficiently? Where do authentication inputs end and authorization decisions begin? And what about Alice? Join our panel of experts to hear their differing perspectives on OAuth innovation and how its next wave(s) of iteration must proceed for success. – Speaker/s: Daniel Fett, George Fletcher, Eve Maler, Justin Richer
Tuesday, July 14, 11:00 – 11:25: Radiant Logic Presents: Battling Repetition & Inefficiency: How Colorado Consolidated Identities
The State of Colorado Office of IT works to empower the state with flexible technology that will drive sustainable and intelligent business decisions. However, with 17 different state agencies acting as independent IT shops, there was a lot of product repetition, process inefficiency, and difficulties in collaboration across agencies. Working together required extensive firewall and infrastructure maneuvering. In 2008, the Governor issued a mandate requiring a consolidation of the state’s agencies into one overarching IT department. One of the goals for the newly created agency was creating a unified directory from all of the independent directories. This session will talk about how a federated identity and directory service was used to meet this requirement. As a result of doing this, all of the CO state agencies are able to collaborate cohesively together as one, which in turn decreased redundant tasks, increased productivity, strengthened overall security and created efficiencies all around so that now synergies are actually realized. –
Tuesday, July 14, 12:00 – 12:25: Identity Kill Chain: A Hacker’s Eye View of How your Systems Get Pwned
A kill chain is the set of steps an attacker takes to achieve their objective. Come walk the Identity kill-chain from an attacker’s perspective: What does an attacker see as they are taking over your domain? What are the tools, and how do attackers apply them, and how do they move from one guessed password to total domain take-over? In this nerve-wracking session, through live demos of current attack methods you’ll gain a deeper understanding of the criminals’ “tools of the trade,” where the weakest links in identity systems are, and how best to break the kill-chain for each step, walking away with a deeper understanding of attack mechanics and a greater confidence in your ability to defend your organization. – Speaker/s: Alexander Weinert
Wednesday, July 15, 10:00 – 10:50: Keynote Panel: Identity at Scale
The ways and frequency with which we use our identity data are increasing at an almost unimaginable rate. Dealing with Identity at scale is a challenge we will have to face. In this panel, hear how some of the largest providers and users of identity services are addressing those challenges today, and discover approaches and techniques that you will be able to use in the future. – Speaker/s: Richard Bird, Sue Bohn, Sam Srinivas
Wednesday, July 15, 12:30 – 12:55: Vectors of Identity: A Model for Better User Experience
In many identity flows today, the user experience is the same regardless of the operation the user is trying to perform. This often means that from the user’s perspective, they have a binary experience; either they are already logged in and are NOT challenged, or they are not logged in and are challenged. These concepts go beyond “adaptive authentication” in that “authentication strength” is only one of the vectors being considered. This talk will define a set of identity “vectors” that can be used to provide better user experiences across the full life-cycle of user identity and service interactions. – Speaker/s: George Fletcher
Thursday, July 16, 10:30 – 10:55: The Password Mess: Your Security Policies Are Destroying Your Users
We all use passwords to secure things, and rarely do people actually like them from either a security or usability perspective. This is especially true with the arcane composition and rotation rules that we all face. But do these rules help our security, and are we even using passwords correctly to begin with? In this fast-paced talk, NIST Digital Identity Guidelines co-author Justin Richer will walk through how we got into this password mess and what we can do it about it. – Speaker/s: Justin Richer
Friday, July 17, 10:00 – 10:50: Modern Identity for Developers 101
Modern identity promises to solve some of the thorniest problems that historically plagued handling authentication and access control in applications. That sounds great in theory, but how do thinks really look like when the rubber hits the road – what does it take to incorporate modern identity in your applications development practice? Come to this session to learn the basis of modern identity development and be better equipped to understand and participate to more advanced developer themed sessions, at Identiverse and beyond. – Speaker/s: Vittorio Bertocci
Friday, July 17, 10:00 – 10:50: The Burden of Proof
While the vast majority of deployments utilize bearer tokens, OAuth does have a rich and troubled history with proof-of-possession (PoP) tokens. The popular canon is that PoP was the reason OAuth 1.0 failed and WRAP abandoned it entirely. The original editor of the OAuth 2.0 spec publicly rage quit over lack of PoP support. Various subsequent standards efforts to add proof-of-possession to 2.0 by extension have stalled out (PoP Key Distribution + Signing HTTP Requests) or been effectively killed off by an unnamed huge search company that also makes a browser (Token Binding). A few efforts have seen more success and made it to RFC but are only partial solutions (PoP Key Semantics for JWTs) or are somewhat niche (MTLS). Recent efforts at rebooting the work (DPoP) garnered excitement among some but have also been met with resistance in the standards development community. It turns out that it’s hard. This session, part history class, part existential crisis, part technical examination, part workation photo slideshow, and part personal tragedy, will explore proof-of-possession in OAuth and endeavor to equip you with the knowledge to discern fact from fiction when it comes to cryptographic defenses against the use of stolen OAuth tokens. – Speaker/s: Brian Campbell
Week 6: July 20 – 24
Monday, July 20, 10:30 – 10:55: Transaction Tokens: Solving the External/Internal Authorization Problem
Any system that deals with “external” clients invoking services has to deal with extending the authorization model of the system to the external clients. The internal authorization model (roles, attributes) often does not translate well to authorization mechanisms used by the external clients (e.g. OAuth2 scopes). For example, an OAuth2 scope may not match well with an internal role as the mapping might be 1:n or even n:n. This talk will explore a mechanism that allows for the external authorization model to remain simple for developers while providing a multi-level (coarse-grained to fine-grained) authorization model internally. – Speaker/s: George Fletcher
Monday, July 20, 12:30 – 12:55: America’s Next Role Model: Revolutionary Role and Access Modeling Powered by AI
Managing and provisioning access can be quite a daunting task in mid or large sized organizations. Having a good answer for “Who should have access to what?” is not easy. With a myriad of existing applications, accounts, file systems, etc. experiencing growth with an ever-changing workforce, awarding and maintaining the right access to the right identity can be quite an ordeal. An accurate model of the access structure makes all the difference when it comes to compliance. Identity governance is predicated on the principle that strongly similar identities should be awarded similar access. Identities, their attributes, and associated access patterns can then be analyzed and modeled by a powerful and highly flexible graph data structure where we can easily track, map, and manage the dynamic relationships between these entities as they evolve. Roles can be thought of as insightful labels which summarize clusters of strongly similar access patterns. In this talk, we will give an overview of a novel network-graph approach to role mining and access modeling. This new approach enables automation, scalability, and optimization of resources while providing a complete solution to managing access across the enterprise. – Speaker/s: Mo Badawy, Jostine Ho
Tuesday, July 21, 10:00 – 10:25: User and Thing Identity in the “Zero Trust” Networking Era
Here we are in 2020 and MAC address is still the prominent identifier used for network identity and policy derivation for the millions (likely billions) of “things”, those IoT and consumer devices connected to enterprise networks. Yes, MAC address. That network interface “hardware” identifier that can be changed in software and is often randomized on user-centric devices in an effort to preserve user privacy. The “Zero Trust” model has brought increased attention to transport-agnostic continuous authorization for applications and resources but network identity and policy-based segmentation still play a critical role at the network edge. We’ll look at new technologies and protocols like the Device Provisioning Protocol (DPP) which simplifies provisioning for end-users and enterprise administrators as well as provides a persistent, cryptographically backed device identity to the network. We’ll also look at some older technologies, like Tunneled EAP (TEAP), that have resurfaced to solve new use cases like binding a user and machine identity together on user-centric devices like laptops, tablets and smartphones. – Speaker/s: Tim Cappalli
Tuesday, July 21, 11:00 – 11:25: Auth0 Presents: Credential Stuffing Attacks: What Are They and How to Combat Them
As a central authentication service that processes billions of logins a month, credential stuffing attacks are the most common threat Auth0 observes. On some days, these attacks originate from more than 50,000 IP addresses and may account for as much as half of all login attempts using our platform. These attacks can lead to fraud, loss of reputation, and ultimately, loss of revenue. Learn how credential stuffing attacks work, what effect they can have on your company, and how you can fight back. – Speaker/s: Andrew Akers
Tuesday, July 21, 12:00 – 12:50: The Skills and Experiences of Identity Practitioners
Knowing what skills you need to become an identity practitioner isn’t obvious. Picking which technical and nontechnical skills you need to strengthen isn’t a straightforward choice. To get clarity you need to hear from other people who’ve been in the same place in their careers. In this panel co-hosted by IDPro and Women in Identity, you will:See the results from the 2019 IDPro Skills and Program Survey revealing the skills that digital identity practitioners rely on for their successHear from professionals from Amazon, Microsoft, Salesforce, and Thomson Reuters on their journey towards becoming a successful identity practitionerKnow what skills you should strengthen and which you can leave alone Learn by asking a panel of practitioners in different stages of their careers for candid insights as to how to become a stronger identity practitioner. – Speaker/s: Pamela Dingle, Ian Glazer
Wednesday, July 22, 10:00 – 10:50: The Consumer Identity Panel
Dealing with identity – authoritative, verified, or just plain account-oriented – at consumer/citizen scale is not easy. Delivering an improved user experience at scale, while still ensuring appropriate security and privacy safeguards, is a major challenge. Our panel of experts shares their experiences, and discusses their aspirations for the future. – Speaker/s: Jeremy Grant, Charles Walton
Wednesday, July 22, 12:30 – 12:55: Are You really You? Identity Proofing with NIST SP 800-63-3
The global emphasis towards identity-centric protection is crucial towards combatting the increasing number of data breaches by unscrupulous individuals. In the worst cases, a hijacked identity belongs to a privileged user, allowing the imposter to gain access to key systems or to create synthetic identities to obtain all types of services or assets. They use what is considered “private” information as the basis for establishing a fraudulent digital identity. It is essential to establish strong identity proofing processes to help combat these fraudulent online identities as well as to establish trust in a digital identity. The government is taking a serious look at improving their identity proofing processes. The newly released OMB M-19-17 specifically discusses how federal employees and contractors are required to be identity proofed and credentialed following NIST SP 800-63-3 digital identity guidelines. This session will explore the processes necessary for organizations to meet the remote identity proofing requirements for Identity Assurance Level (IAL) 2 and IAL3 following NIST SP 800-63-3 guidelines. It will also tackle the challenges most organizations face meeting these requirements. Finally, the session will provide a worked example to help organizations document their identity proofing processes and requirements as prescribed by the NIST standard. – Speaker/s: Lorrayne Auld
Friday, July 24, 10:00 – 10:50: Microsoft Masterclass: Manage and Secure All Your Apps with Identity as the Control Plane
Today, secure application access is a key challenge organizations face when implementing a Zero Trust strategy. Applications can live anywhere – in the cloud, on-premises, as a service, or on a mobile device – and are used from anywhere, at any time by employees and business partners. In this masterclass, we will discuss how identity can be the control plane to manage and secure all applications – from Office 365, popular SaaS apps and traditional on-premises applications to custom-built lines of business applications. Key learnings: -Learn of the core benefits of bringing all applications under one integrated identity platform -Learn about the different integration pathways available to bring all your applications under one IDP -Some of the common best practices to follow and pitfalls to avoid when trying to migrate applications to a single IDP -Learn about new integration capabilities with your existing infrastructure. – Speaker/s: Jeevan Bisht, Jairo Cadena
Week 7: July 27 – 31
Monday, July 27, 12:00 – 12:25: Ping Identity Presents: Best Practices of Identity in an Era of Ever-Shifting Boundaries
In these uncertain times of increased work from home and heightened business demands, your IT organization likely found itself in a sudden stress test of the scale and maturity of your employee identity and access control systems. As you tackle immediate and long-term improvements, you may find it beneficial to compare your checklist against others through the lens of a blueprint for workforce identity security best practices, including initiatives like passwordless authentication, API security, and Zero Trust. This session equips you with clear, best practices for enterprise workforce Identity and Access Controls—plus, a framework for calculating and building a business case in terms of increased productivity, agility, and security, for your evolving workforce needs. – Speaker/s: Baber Amin
Monday, July 27, 12:30 – 12:55: So You Want to Base on Consent?
Many people seem to believe that having their customers pressing “Agree” button is good enough to collect their “consent”. That’s actually not the case. Obtaining privacy consent has very high bar partly because that is the exception mechanism that you can resort to only when other lawful bases for the processing of personal data does not work. This session will briefly touch on other lawful bases and what is needed for potentially valid consent, then goes on to explain the requirements for privacy notice and consent process set out in “ISO/IEC 29184 Online privacy notices and consent”. ISO/IEC 29184 is an international standard that has been in making for the last 5 years. Stakeholders involved in the discussion included data protection authorities around the globe, technical community, lawyers, and businesses. It sets out the requirements for 1) What are needed to be in a privacy notice, 2) What are needed to be done in obtaining the consent, 3) What are needed to be done in the maintenance of privacy notices. For any business that wants to respect customer privacy, this document provides excellent guidance on what needs to be followed. – Speaker/s: Nat Sakimura
Tuesday, July 28, 11:00 – 11:25: Microsoft Presents: Identity Governance for All your Users Made Easier Through Analytics
The growing number of users, devices, and apps connected to your network has made it increasingly difficult and time-consuming for organizations to proactively detect and remediate access risk. Historically, identity governance solutions assumed that the organization knew exactly what resources to protect and that they are proactively applying the required controls, which could result in insufficient coverage, particularly for cloud apps. In this session we will cover how analytics and machine learning can be used to automate the governance lifecycle management for both internal and external user access and ensure that users only have the access they need. Come learn how analytics can help you: •drive user productivity through automatically granting access to SaaS applications based on usage patterns •drive better recommendations and automation for reviewers who periodically review access •programmatically remove users who are no longer required. – Speaker/s: Rahul Prakash
Tuesday, July 28, 12:00 – 12:25: Will User Experience Kill Open Banking?
Within five years, Open Banking will be the norm rather than the exception in financial markets worldwide. But for all of the hype, there are some serious issues limiting its promise of data portability with informed consent. While the identity security specifications are generally well designed in each jurisdiction, user experience (authentication, user consent and ongoing authorization) is not as easy or as seamless as it should be. What can we learn from Open Banking experiences in the most mature geographies — the UK, Australia, New Zealand and Europe? How has each jurisdiction designed its user experience? How has this, in turn, impacted user take-up? How have open standards been used (or modified) to fit local Open Banking requirements? How has that made the identity experience more transparent, seamless, or easy — for end users, developers and implementers — or not? This session will detail the important lessons from a user experience perspective, cover the efforts being made to remediate existing problems, and make recommendations for Open Banking’s implementation in emerging markets, like the USA. – Speaker/s: Mark Perry
Wednesday, July 29, 10:00 – 10:50: Better Identity at Two Years: Progress, Problems & Promise
Two years ago, the Better Identity Coalition brought together leading firms from different sectors to publish “Better Identity in America: A Blueprint for Policymakers.” At the time, the United States was still grappling with the aftermath of the Equifax breach and questions that breach raised about the viability of certain aspects of the country’s identity infrastructure. The Blueprint laid out a set of five core recommendations for how the government should help, along with an action plan for Congress, the Executive Branch, and states. Two year later, the Blueprint has gotten good reception from Democrats and Republicans alike. The White House has embraced some of its core policies and Congress is considering legislation that would put many others into law. This panel will discuss where we’ve made progress in digital identity and where we still have problems – and discuss what might happen next in the year ahead. – Speaker/s: Jeremy Grant, Matt Thompson
Thursday, July 30, 12:00 – 12:50: Open Banking APIs Convergence: A Holy Grail or A Reality?
Open Banking is becoming the front line of the data economy in our era. It is seen as a field that fosters new industry that many governments are requiring the implementation of secure but usable APIs as part of their economic growth policy packages. At the same time, it also is closely related to the data protection and privacy policy point of view: it is the forefront in both user consent management and data portability. Given the situation, different geography has been pushing the envelope in their own ways. However, there also seems to be some desire to converge as creating local standards that are not interoperable would lead to higher long-run costs and is likely to cause more security risks. This panel discusses the recent developments, similarity and differences among open banking APIs from different geography including UK, Germany, France, Australia, India, and Japan. It will also touch on the importance of the common test harness on the interoperability as well as on the potential impact of cross-border eKYC. – Speaker/s: Nat Sakimura
Week 8: August 3 – 7
Tuesday, August 04, 10:00 – 10:25: Making Identity a Viable Perimeter in the Cloud
Papers and presentations routinely reach the conclusion that “Identity is the new Perimeter,” and then call it done. The real work when making identity a viable perimeter for cloud and hybrid applications takes a bit more effort! This session draws on three real-world customer scenarios to demonstrate how to successfully navigate this challenging transition. We’ll see how these cloud deployments leverage standards and technologies – including SAML, OAuth, MFA, PIM/PAM, and strong encryption. Together, these ensure a level of security that meets institutional requirements and equips you with techniques to help convince your security peers that modern identity controls provide the perimeter the cloud demands. – Speaker/s: Jonathan Sander
Tuesday, August 04, 10:30 – 10:55: App2App: Improving the Third-party Authorization User Experience on Mobile
Mobile devices are key parts of our daily lives; how can identity architects leverage existing standards to ensure a smooth mobile-first authentication/authorization flow for third party mobile apps? The first party mobile experience for authentication has come a long way in the last 10 years. The majority of modern mobile devices now have built in secure key stores with biometric protection, and these are used to great effect to create secure native mobile applications with slick authentication. Joseph describes how we can extend this experience to third party native and web apps using standard OAuth2 or OpenID Connect protocols, with a quick journey starting with an example of the user experience we’re aiming for. We show the architecture of a system and the snippets of code third party mobile developers need. We also look at some of the common pitfalls, the pro & cons of alternative mechanisms like CIBA, security implications, anti-patterns and other lessons learned from deploying app2app across the UK OpenBanking ecosystem, along with the wider question of “Does my authorization server need a companion mobile app?”. – Speaker/s: Joseph Heenan
Tuesday, August 04, 11:00 – 11:25: AWS Presents: Intelligent Access Administration
Ensuring that the access permissions associated to cloud resources only provide access as intended is an important enterprise use case. As enterprises scale, managing least privilege can become increasingly challenging. This session dives into how automated reasoning can apply logic and mathematical inference to assist administrators with managing access at scale. – Speaker/s: Andrew Gacek, Ujjwal Pugalia
Wednesday, August 05, 12:00 – 12:50: Microsoft Masterclass: Upgrade your Apps Authentication from AD FS to Azure AD
Microsoft Active Directory Federation Services (AD FS) has proven to help organizations start their digital transformation journey by improving access to their cloud and web apps. However, the rapid evolution of the security landscape calls for a more modern and more scalable solution to increase app security, improve employee productivity, and reduce IT costs. Join this masterclass to learn how you can use Azure Active Directory (AD) as your central identity platform and upgrade from AD FS to secure all your apps directly from the cloud and reduce your dependency on on-premises identity systems. During the session, we’ll walk you through the available Azure AD tools and features to help you discover and reconfigure your AD FS apps as well as some best practices to ensure a smooth migration for all your users. Although, we will be focusing on ADFS, the concept and best practice can be applied to migrations from other IdPs. – Speaker/s: Ramiro Calderon, Luis Leon
