Diary day 2 of an EIC22 passenger
The second day of KuppingerColes European Identity and Cloud Conference started with a number of presentation from EIC sponsors. Glad to report that these presentations are not run of the mill commercial talks, there is some real substance. Explaining why these companies are in Identity, or how they see their added value. Good to see that there are unique selling points and unique views. Makes it more relevant for ‘end user’ companies to investigate what they really need for support.
What struck me most was something completely different. A very small detail of some commercial talk: Classification. One of the keynote presentations was classified as ‘confidential’. Makes you wonder: Are we witnessing a security breach? Or have the visitors to the conference been leveled-up in clearance level? From a regular audience to an audience that can be informed about secrets or at the very least about company confidential information? Or have we, as a security community, last all value of the conceot of classification? Did we forget about the concept of classification? That security controls should be put in place in order to mitigate the risks connected to the risklevel connected to the level of classification?
I will not investigate this issue, just dropping the question, that’s all ;)
Two prominent topics in the keynote sessions (and later in the tracks) were about Zero Trust (it keeps getting back) and Identity Proofing. How can we verify that you are indeed the rightful user of a digital identity? How did you get it and how do you use it? What is the level of assurance (LOA as we call it…)?
The German CIDAAS company showed a practical implementation of an online Identity verification service and afterwards, in track 3, Henk Marsman of Rabobank (Netherlands) showed a concrete implementation of identity proofing, in a real world scenario. Proving that it’s not just a theoretical concept.
Following the keynotes, several tracks started, each with their own topic. Varying from ‘Identity Fabric’ to multi-cloud and Zero Trust to Identity. Since I think that Zero Trust is well known by know ;D, I decided to follow the Identity Fabric track. Identity Fabric is the KuppingerCole concepot of a holistic approach of IAM. Looking at IAM as a whole, Privileged Access Management, Workforce IAM, and CIEM (previously called B2B and CIAM access). It encompasses architecturem, processes and tools, so it’s a broad view on the world of IAM.
Interesting about Martin’s talk is some concepts that we at SonicBee really understand:
- API first – IGA will be around for a while, but access to API’s is nearing fast!
- Flexibility – connecting to Martin’s composable enterprise (see yesterday)
- Policy Management – a concept we fully agree with, Policy Based Access Control is the way to go (although: don’t forget concept 1, in my opinion legacy (like IGA) will be around for at least 15-20 years… I predicted that RBAC is end-of-life, but I made that prediction around 2008…).
- Dynamic access control – roles are static and we need dynamics in the new world.
- Decentralization – central IAM systems will loose their appeal, federation and decentralization will develop fast (although, see my RBAC prediction…)
Then, a great interview with Carsten Fisher, CISO from Deutsche Bank by Berthold Kerl from KC. A few no-brainer security controls:
MFA is definitely the one solution to compensate the risk of lacking controls in the end-user space. No matter the level of security awareness in an organization, people will click. MFA is the easiest way to restrict the risk. Perhaps inconvenience is the price to pay. Implement to secure access to infrastructure and components. No-brainer, ever better, a quick win. It doesn’t make you any money, but is limits risk!
PAM, privileged access management is definitely the one solution to implement to secure access to infrastructure and components. A no-brainer, ever better, a quick win. It doesn’t make you any money, but is limits risk!
An interesting example of a previous hype control: User Behavior Analasys (UBA) hasn’t proven effective. It’s okay when behavior hardly changes, but when in a paradigm shift, like a lockdown with people suddenly working from home, a UBA component results in a magnitude of false positives.
Next presentation was by Matthias Reinhardt from KuppingerCole, describing the difference in the IGA market space for Large and Small companies. Biggest difference: The functional requirements are similar, but teh non-functional differ. Great lesson for anyone interested in that space. There seems to be ample room in the market for SME IGA vendors…
Last presentation I caught was the presentation from my old friend Henk Marsman. And that was special, because some of the fellow members of IDPro decided to have an unconference at the Hofbrauhaus.
And yes, you can work there and have a Weizen when it is 27 degrees.
It was great having this conversation with peers from different countries, discussing IAM, sharing knowledge and enjoying the company.
Tomorrow more in depth sessions. Curious to see what’s in store for us!
An aditional personal note to keep updated
At this spot I should explain why I changed my social media way of working today: Yesterday I posted all updates to my own, personal, misskey instance. Misskey is an open source, distributed and federated social media server. And what’s special, is that all updates are federated to other socialmedia servers that speak the same #activitypub protocol. Most well known network using activitypub is Mastodon. So I posted on my own personal Misskey. That would then be federated via activitypub to, amongst others, my mastodon account. And the I would reboost that message, causing a bridge component to post the same message to Twitter. Almost the same message, it would add some metadate to the tweet, making readability lower. Causing less views… Yeahhh, I don’t care much about views, but still, I don’t my knowledge to be ignored completely ;).
So from now on, I will post to Twitter, get the bridge to crosspost to mastodon and re-note on my Misskey.
You can find me on Twitter: @meneer
On Mastodon: @meneer@mastodon.social
On Misskey: @andre@misskey.myfed.space