SSOCircle

This year the European Identity and Cloud Conference celebrated its 10th anniversary and it is impressing how the event and the company KuppingerCole itself evolved. The conference turned to one of the leading events in the IAM industry with over 700 participants and KuppingerCole is now a global player with operations and partnerships in the US and APAC. During the last 10 years the industry and the vendor landscape changed noticeable: Comparing the platinum sponsor list of EIC 2007 and 2016 you will only find Microsoft on both.

When travelling to EIC, I always ask myself: What will be the hot topics this year? What will be announced dead? Unlike in former years the answer to the first question could easily be guessed beforehand: Blockchain. Yes, undoubtedly Blockchain was the hot topic – speakers only varied by using “Distributed Ledger” when they tried to avoid the word “Blockchain”. A full day pre-conference workshop on Monday and a full day breakout track centered on Blockchain technology and their use cases. But it also became clear that the technology is in early stage and the usages and benefits are not yet obvious. Andy Land tweeted: “Feels like a technology is looking for a problem”. According to Sebastien Meunier the technology is currently and the next 8-18 months in experimentation phase, standards will be available in 2-3 years and in 4+ years we will see mainstream adoption.

Newcomers to the conference might be impressed by the fully packed agenda which provided sessions from 8:30am to about 8 pm. Attendees who visited EIC 2008 might remember that the KuppingerCole team had been even more relentless introducing concepts like birds-of-a-feather sessions at 7:00 in the morning. This year the team provided an upgraded conference app with a polling feature and the opportunity to ask questions which were displayed and answered by the speaker at the end of the talk – a very well received improvement of getting feedback from the audience.

The main conference started at Tuesday afternoon with the keynote of Martin Kuppinger, followed by other high quality keynotes, continuing on Wednesday and Thursday with a mixture of keynotes and breakout sessions and a final workshop day on Friday.

In the opening keynote Martin Kuppinger described the new role of the CIO and CISO. As the IT moves to the cloud and utility computing becomes reality, IT knowledge is not so important anymore. IT moves closer to the business. A CIO has to decide whether he follows the path of a Chief Infrastructure Officer or the role of a Chief Innovation Officer (aka CDBO=Chief Digital Business Officer). According to Kuppinger the CISO will be part of the Corporate Audit / Enterprise Risk Management department and will be responsible for the governance (security, privacy, data protection) of all areas (Business IT, Operational IT, IoT).
Kuppinger listed the 15 Top Innovations for Business Agility

1. Cloud IAM
2. Big Data & Cognitive
3. Industry 4.0 & Smart Manufacturing
4. IoT
5. Identity Relationship management
6. Consumer IAM
7. User behavior analytics (risk mitigation)
8. Real Time Security Intelligence
9. Machine Learning & Depp Learning
10. Microservices
11. Device Mesh
12. Privacy & Agility by Design
13. Ambient user experience
14. Robotics
15. Distributed Ledger & Blockchain

and the top 5 from a disruption perspective:

1. Distributed Ledger & Blockchain
2. IoT
3. Consumer IAM & Identity Relationship Management
4. Big Date & Cognitive
5. Privacy & Agility by Design

Mia Harbitz, adviser to the World Bank, illuminated totally different aspects of identity and gave the audience new food for thought. To quote her definition of Identity Management:

A combination of systems, rules, and procedures that are defined between an individual and organizations regarding the entitlement, use, and protection of personal information in order to authenticate individual identities and provide authorization and privileges within or across systems and enterprise” boundaries.

Identity is required to have a prosperous life. It has dramatic life implications considering the fact that estimated 1.5 billion persons are unable to prove their identity because they have no birth registration and without that they have no access to many services – for example a child with a birth certificate receive 3 times as much vaccines. Another aspect discussed is the need for identification of individuals among the 60 million refugees to provide them access to services. A difficult endeavor due to capacity, expertise and agility restrictions of national governments and the lack of trust to national systems of failing countries. Could this be a use case for a Distributed Ledger/Blockchain?
A panel session further discussed these topics and raised some interesting aspects: Whereas in first world countries over-identification is the problem (privacy concerns), in most countries it is under-identification. Harbitz mentioned a report from “Le Monde” which states that 20% of the passports created in France are based on wrong identities. It is difficult to bootstrap identities and there is no concept of “accuracy of authentication” in many countries.

Ian Glazer described the identity industry as having its TCP/IP moment – similar to the transition from diverse network protocols and the time one had to pay for the TCP/IP implementations to the point where the TCP/IP stack became free and a default and natural ingredient of systems. Identity is currently not widely acknowledged as the key to customer satisfaction and business growth. The identity industry needs to formally professionalize and have organizations where idm practitioners can turn to for advice – similar to ISACA, IAPP or (ISC)2. He announced that Kantara offers a place to support this idea: https://kantarainitiative.org/digital_identity_professional/

Andre Durand’s keynote about disruption “it can kill you … or make you reach” described many examples of changes in the industry and the collateral conflict as humans resists to change resulting in a “happy struggle”.

“In near future we will tell our grandchildren: Believe it or not, I used to drive my car by myself …”

Eve Maler lectured about the risks and rewards related to the Connected Consumer. Giving consent to data sharing is still not solved adequately. Consent standards will help here: OAuth2, OpenID Connect, UMA, Profiles for health data (FHIR API), Consent & Information Sharing Kantara Work Group, commonaccord.

This year’s European Identity Award winners:
Best Innovation / New Standard: STIX, TAXII & CybOX
Acronym helper:

• STIX=Structured Threat Information Expression
• TAXII=Trusted Automated Exchange of Indicator Information
• CybOX=Cyber Observable Expression

The initiatives originated from the US Department of Homeland Security and are now transitioned to OASIS Cyber Threat Intelligence TC in order to define a set of information representations and protocols to mode, analyze and share the data.

Best Innovation in eGovernment / eCitizen: GOV.UK Verify – UK Government Digital Services (GDS)
GOV.UK Verify is an identity vetting service for British citizens. After initial verification of your identification through a certified company (like Verizon or Royal Mail), a person can use British Govenrment Services (e.g. HMRC tax services) very easily.

In a track session Adam Cooper demonstrated the huge savings the service can provide by the “Blue Badge” service use case at a UK county which is soon going in private beta.
Resource: Open Identity Exchange

It is not about identity. it is about building ecosystems of trust

Best Consumer Identity Project: TomTom IAM
TomTom introduced a new standard based IAM platform on the ForgeRock stack to manage identities of customers and devices for services like MyDrive or MySports.

Best Approach to Improving Governance and Mitigating Risks: Qvarn Platform
Qvarn is a platform which was developed for the construction industry federations of Sweden, Finland and the Baltics to securely provision and manage the identities of construction workers with strong privacy requirements (privacy by design). The platform is free open source based on Gluu IAM

Best IAM Project: dm-drogerie Markt
dm-drogerie Markt received the award the second year in a row. This year for the deployment of RFID tokens to provide workstation access and SSO with full traceability.

Best Cloud Security Award: Orange Business Services
Provides their customers seamless access to cloud based applications with multi-factor authentication.

Special Award for Responsive Innovation: Taqanu Bank
This category was awarded for the first time. Taqanu Bank is a new bank leveraging blockchain technology to provide limited debit banking cards to people without a residence or cannot prove their identity (e.g. refugees) who otherwise would not have access to a traditional KYC banking account.

Special Award for Best Project in Research: Leeds Beckett University, Institute for Information Industry, Taiwan, R.O.C. Taiwan
Implementation of a Cloud Computing Adoption Framework (CCAF) with multi-layered security based on the integration of firewalls, identity management and encryption.

Side notes:
Real time security intelligence was declared to be the next-big-thing in 2014 by Martin Kuppinger. In 2016 you really found it to be very present on the agenda.
Dave Kearns was missed this year as a moderator. Hope he is fine.

Inspired by the event it is time to thank the KuppingerCole team for organizing the European Identity Conference for the 10th time. The team is really doing an excellent job building and maintaining the identity community. Every year the event organization seems to be even more perfect than the year before. So, mark the date for EIC 2017 on 09.-12. May 2017 at the Dolce Munich.