It is always around May when KuppingerCole Analysts call together the Who’s Who of identity management. From 5th – 8th May over 600 participants and 45 exhibitors gathered at the 9th European Identity & Cloud Conference in Munich to present and discuss the risks and newest trends of the “Digital Transformation”. As every year, the conference was accompanied by several pre-conference workshops in which organizations like Kantara Initiative, the OpenID Foundation or the FIDO Alliance gave insight into their latest work. The first workshop already started on Monday, giving the conference an effective duration of 5 days. In good conference tradition the organizers prepared a fully packed agenda, with the new concept of “expert talks” making the conference a perfect way to satisfy your hunger for IAM knowledge. It was actually a tough endeavor to go through all tracks – but the conference was, as always, perfectly organized by the KuppingerCole team, which made it a pleasant experience.
Getting to the nitty-gritty:
Kantara Initiative announced that the UMA Standard achieved V1.0 status on 5th May.
The OpenID Foundation presented several new working groups, such as the Health Relationship Trust (HEART) working group, which is specifying several profiles, and the FHIR API (pronounced “fire”), dealing with patient-centric health data sharing focused on the individual.
Another working group is the Native Applications Working Group (NAPPS), which has the goal of enabling OAuth- and OpenID Connect-enabled native applications to do Single Sign-On without calling the embedded browser. Why? Because Apple nowadays blocks apps in the App Store which call out to the system browser. An example use case for native SSO was given: an airline whose flight attendants use 8 different apps, each of them having a timeout of 2h. As a result the attendants are required to re-login 20 times during one shift – not the best user experience.
An update on the Account Chooser project was given, which centers on UX best practice for user account discovery. Yes, this is what you know from Gmail … They are targeting a release of a new draft at IIW. For demos and more information:
A new working group is RISC (Risk and Incident Sharing and Coordination), with the objective of determining ways for providers to share security event information to prevent cross-app attacks and help users regain access to lost accounts.
In the OpenID Workshop a new term circulated: “Scope Design”. There is a need to define interoperable and standardized scopes, because in OAuth it is not exactly clear what is meant by “scope”.
There was an update on OpenID Connect, whose underpinning protocol specifications (the JWT family) are in the last “48h” round of the IETF RFC process. OAuth will get a Form Post response mode as an alternative to the HTML fragment usage. For session management / logout there is no specification available yet for back-channel logout, which is considered the most reliable logout process. Specs are only available for the GITK-based HTML5 state change message propagation and the HTTP-based logout (using an iframe or hidden images).
The actual conference kicked off at 2pm on Tuesday, as always with a trend-setting keynote by Martin Kuppinger, founder of KuppingerCole, on the new role of identity and access management and security in the age of digital transformation. He proposed 8 fundamentals:
1. The Digital Transformation affects every organization – think of smart watches, connected vehicles, smart homes, smart grids, ebooks, digital music, online retail, online payment, manufacturing
2. Digital Transformation is here to stay – it is not a temporary phenomenon
3. Digital Transformation is more than just IoT – it will affect many industries even without any connected things. Industry 4.0: connecting things for the sake of connectivity does not create business; it is the change in business models and the services that make the business. Most will earn more with services than with things (shipping boxes vs. subscription models)
4. Digital Transformation mandates organizational change – no success without agility. Rapid go-to-market … No room for silos … DevOps mostly ignores security aspects – DevSecOps is needed, and a Chief Business Development Officer …
5. Everything and everyone becomes connected – “Cloud + social + mobile” – the troika is still valid but will now be more complex: devices + organizations + people + things. The new “ABC”: Agile Business Connected.
6. Security & Safety: not a dichotomy – operational technology security vs. information technology security
7. Security is a risk … and an opportunity
8. Identity is the glue – access control is what we need – see: the seven fundamentals for future identity and access management
The presentations continued with keynotes from well-known speakers and sponsors. The common denominator of most speeches: the threats posed by the Internet of Things are omnipresent. IT and OT must come together. The firewall protecting the perimeter is still needed but is not sufficient. Identity is the new watch guard and will replace (better said: complement) the security infrastructure.
OT, an acronym which came up on many slides, was defined as follows: Operational Technology (OT) is what drives everyday technology – it is insecure because it was designed, architected and developed years ago.
Ian Glazer, Salesforce, pointed out differences between employee-centric and customer-centric IAM, particularly in the user lifecycle, which is not a “join-move-leave” but a “join-move-move” (anonymous-pseudonymous-known) process with long relationships and hopefully no “leave” step, which has implications on privacy and the technologies used – the value is not in the data but in the relationship. He concluded: “stop using employee-centric IAM for your customers”.
Eve Maler, ForgeRock, on user-managed identity and access for the digital transformation: “In the age of IoT you will need a single place to organize access rights of your 31 lightbulbs in your house …” – that is ForgeRock’s OpenUMA.
André Durand, Ping Identity, asked “How can we defend what we don’t control?” – controlling SaaS, Cloud and the “Coffee House IT” with IDSec (Identity Defined Security), putting identity as the new perimeter: it is about letting the right people in, enabling your business and playing offense, not just defense.
Some of the catchy quotations in the keynotes:
“Goal of security is not total security. You just want your company having a data breach to be less likely than that of your competitor” – Ravi Bindra
“We don’t make hammers soft so that people don’t harm other people with them” – Scott David on risk mitigation
“If we have quantum computers in 5 years today’s crypto will all be broken” – Jan Camenisch
“We created a dream – whilst simultaneously creating a nightmare” – André Durand on digital transformation
As every year, the highlight of the second conference day was the European Identity & Cloud Award ceremony, which honors projects and initiatives in several categories for unique ideas in dealing with complexity and for new leaner, faster, better approaches in IAM.
This year’s winners:
Best Innovation New Standard: AllJoyn – an open source software framework for IoT (see https://allseenalliance.org/)
Best Innovation in eGovernment and eCitizen: SkIDentity – a cloud service project that helps to use the technology which is already in place in order to come “closer” to SSO.
Best B2B Identity Project: DNA Ltd. – a telco from Finland with more than 3 million customers, which built an IAM system for internal and external users.
Best Approach on Improving Governance and Mitigating Risk: University of Nantes – IAM based on the biggest deployment of Evidian.
Best Access Governance/Intelligence Project: Nord Landesbank IAM project
Best IAM Project: dm-Drogerie Markt
Best Cloud Security: PostNL: a project implementing the 100% cloud strategy of the company.
Special Award I: Meeco.me – a life management platform.
Special Award II: Dialog Axiata & Sri Lanka Mobitel – a Mobile Connect project based on WSO2 infrastructure.
The third day’s agenda was mainly split into 4 parallel tracks. It is always difficult to choose between the offerings. Nevertheless I want to point out some of the sessions here:
In the “Bring your own Privacy” track Katryna Dow, the CEO of the award-winning Australian company Meeco and a new face in the sometimes a little too seasoned identity community, presented the life management platform meeco.me. Meeco.me is a new platform which beta-launched in 2014 and officially started at the beginning of 2015. Meeco is a place to organize your digital life with privacy in mind. Some people say it is a mixture of a Facebook-like platform to communicate and share data with friends, family and businesses, combined with a Google-like information repository about you and your intents. An example use case: you might decide to share the information that you want to buy a new car with specific companies in order to get information and offers. But you choose the companies you want to share that intent with, you choose to publish the information either anonymously or personalized, and you limit that to a time span of, say, 12 months. The value for the businesses is that the information provided is accurate, in real time, in context and with intention. Katryna Dow on the question about Meeco’s competitors: “Google is our biggest competitor”. And what if Google comes up with a similar platform? “If Google change the way they deal with their users, that’s great. Then we (Meeco) just existed to make this happen”.
In the “Internet Scale Encryption, Authentication, Authorization” track a session on privacy ABCs (Attribute Based Credentials) centered on idemix, uProve and Qiy. Jan Camenisch described the idemix concept of key binding and pseudonyms: similar to PKI, but better. There is one secret identity (secret key) but many public pseudonyms (public keys), which follow the concept of minimal disclosure by constructing certificates that contain only the attributes needed to get access to a service (e.g. age > 12y). Ronny Bjones gave an overview of uProve, a similar concept but based on different technology: blind signatures (ISO 18370), aiming for untraceability, unlinkability and minimal disclosure in authentication. Marcel van Galen discussed the Qiy approach of adding an extra trust layer based on a standard, making cookies obsolete.
A date to remember: Next year the European Identity and Cloud Conference EIC 2015 will take place 10.–13. May 2015 in Munich at the Dolce Ballhaus Forum. Don’t miss it.