Impressions from European Identity & Cloud Conference 2014

May 22nd, 2014

What are the hot topics this year? What will be declared dead? These are the questions that always accompany KuppingerCole’s European Identity & Cloud Conference, which was held for the 8th time from 13 to 16 May. The conference gathered more than 600 visitors from 35 countries, 150 international expert speakers and 50 exhibitors discussing the Internet of Things and the agile, connected business. After years of consolidation in the IAM industry it seems that this year more software and service vendors populated the floor space in the Dolce Ballhausforum in Munich. Almost half of the exhibitors were new compared to last year, demonstrating that there is still a lot of movement in the market and space for new players and segments; worth mentioning are the application security testing companies exhibiting at EIC this year.

No big surprise that the NSA scandal, Heartbleed and their implications ran like a common thread through many of the presentations, as they deeply affect the awareness of privacy issues in society and in the information security business itself. It clearly demonstrates to the information security industry and its customers that protection from today’s complex threats cannot be accomplished by technical standards alone, combined with trust that those standards are implemented accurately and without outside influence in software and hardware products.

And what was killed? Was it the absence of the most provocative speakers, like the highly esteemed Craig Burton and Fulup ar Foll? This year it was noticeable that the speakers were more reserved and cautious in their statements. Martin Kuppinger said: “If something is declared to be dead, it would be SIEM”, but not without adding in the next sentence that “Real-time Security Intelligence” is the next big thing. Ian Glazer, former Burton/Gartner analyst and now with Salesforce, and one of the shining characters at the conference, killed IDM. Identity management dead? An astonishing announcement at an identity conference. But … he only killed IDM in order to save it. According to him the “new” IDM must a) integrate naturally, b) be part of the business and c) be ready for the real world. IDM must evolve away from using Excel and CSV as its most important tools and away from hierarchical modelling of relationships. Although not directly IDM related, I would declare the iPad dead. To me it was obvious that, compared to past years, most attendees were not using tablets to take notes but their more or less conventional laptops.

Like every year the conference lasted three days, from Tuesday to Thursday, plus an additional workshop day on Friday. As always the agenda was fully packed from 8:30 to around 19:30. With up to 5 parallel tracks it is difficult to decide where to go. The selection of topics described here reflects my personal choice.

From four parallel workshops on the first day I visited the Kantara Initiative Workshop on “Consumer Identity – International Use Cases and Approaches”, moderated by Joni Brennan, and the OpenID Foundation Workshop on “Enterprise Application of OpenID Connect, Mobile Apps SSO, Account Chooser”. The Kantara Workshop described the evolution of today’s identity management requirements from perimeter IAM (the employees) to perimeterless federation and consumerization. The workshop introduced the Kantara certification program, the “Identity Assurance Accreditation and Approval Program”, which provides a trust status listing service, a provider registry and white listing. Maciej Machulak showed a demo of UMA (User-Managed Access). The consent pages look similar to OAuth’s, but UMA does not necessarily require a close coupling between the resource server and the authorization server, and parties other than the resource owner are able to request access to the owner’s personal data. For an overview of use cases visit the Kantara UMA case study page.
The OpenID Foundation Workshop held in parallel centered on the question of the adoption of OpenID Connect. Microsoft Azure Active Directory will support OpenID Connect. Yahoo and Google will support OpenID Connect next year, deprecating OpenID 2.0 as well as the OAuth 2.0 userinfo endpoint and scopes. Watch Google’s migration timetable. Interesting to note: although the OpenID Connect standard was finalized in February 2014, the single logout profiles were not. A discussion around that topic was started in the workshop, gathering the opinions of participants on three approaches, which need to balance cheap and easy implementation against reliability and completeness:

  1. The logout mechanism in the current OpenID Connect spec, with JavaScript at the client listening for session-state changes. A pattern optimized for Ajax applications, but with drawbacks: active JavaScript polling is required, and it does not work if the browser tab is not active.
  2. Use of a logout page with embedded images/iframes linking to the relying parties, the approach Deutsche Telekom is using. The advantage here is the solution’s simplicity, which needs no JavaScript. The downsides are that the IdP has to track active sessions, it does not work when the browser is closed and, last but not least, you need these ugly logout pages.
  3. Notification over the back channel. Probably the most complete approach described here: it works even when the browser is closed. The main disadvantage is that the relying party needs logic to identify sessions by an explicit identifier, which causes scaling issues.

As usual the conference itself started with an afternoon of keynotes. One of the highlights is always Martin Kuppinger’s presentation. He started with a brief history of IT leading to today’s agile, connected business and the Identity of Things, which will be the hot topics of the next years. He came up with his gloomy prognosis “Waiting for the disaster …”. To quote him: “Something will happen: hacking the connected car, running out of water and power and/or revealing your secrets.” Raising awareness that privacy needs security and vice versa. The title of his top trends slide was “The Digital Future Buzzword Bingo”:

  • Application Security Infrastructure
  • Information-Centric Security
  • Domain-Independent Security
  • Secure Information Sharing
  • Layered Security and the next generation Firewalls & AVs
  • Realtime Security Intelligence
  • Software Defined Environment/Computing Infrastructure
  • Secure IoEE (Internet of Everything and Everyone)
  • Future of Authentication & Authorization
  • Cloud IAM
  • Future of eMail Security & Privacy
  • Life Management Platforms

Another highlight of the conference was the presentation by Ladar Levison, the founder of Lavabit, talking about building a system that is secure against an attacker with quasi-unlimited computing power and a pool of cryptographic experts. For more information on the Dark Mail alliance of Silent Circle and Lavabit consult the web site http://darkmail.info. The architecture and protocol specifications are currently under review and will be published by the end of summer. Paraphrasing Ladar: the publishing date depends on how many protocol holes are found in the review, but he hopes he will not get so paranoid that he never releases it. It will be interesting to watch how the technology is adopted in the coming years.

One of my personal highlights on day 2, besides the identity award ceremony, was the presentation by Paul Fremantle, the founder of WSO2, who propagated the Enterprise Identity Bus model as the solution to replace the failed single monolithic identity system. The tasks of the identity bus are to bridge between tokens (SAML, OAuth 1.0/2.0, OpenID, OpenID Connect), claims and claim dialects, and provisioning protocols (SPML, SCIM, Salesforce, Google and other just-in-time variants).

In the evening KuppingerCole presented the winners of “The European Identity & Cloud Awards 2014” for the 7th time, this year in only 6 categories:

  • Best Cloud Security Project: NXP Semiconductors
  • Best Access Governance and Intelligence Project: Banca Intesa Beograd
  • Best IAM Project: UK Ministry of Defence
  • Best Innovation / New Standard: Kantara Initiative, UMA User-Managed Access (OpenID Connect was finalized this year, but it had already received the award in 2012)
  • Special Award: Best Innovation for Security in the API Economy: IETF with JWT/JOSE
  • Lifetime Achievement Award: Ann Cavoukian for Privacy by Design

Award details are at the KuppingerCole web site: http://www.kuppingercole.com/article/award2014. For Privacy by Design please read the EIC presentation https://www.oasis-open.org/presentations/eic-2014-dawn-jutla-may-12.pdf.

On day 3 one of the track topics was adaptive and risk-based authentication. The FIDO Alliance (http://fidoalliance.org/) was founded in February 2013 by 6 members and has expanded to 122 members today, clearly demonstrating the need for and interest in standardizing authentication. FIDO’s mission is to change the nature of online authentication by developing and submitting technical specifications as well as operating programs to ensure worldwide adoption. The current specifications are UAF (Universal Authentication Framework) and U2F (Universal 2nd Factor), which can be downloaded from http://fidoalliance.org/specifications/download.

Last but not least it is worth saying that the European Identity & Cloud Conference was again a success and well organized by the KuppingerCole team. Next year’s conference will be held from 5th to 8th May 2015 at the same location.
