Published on 10 July 2018 in Conference
On Day #2 we finally got the real kick-off of the conference, and the Twittersphere, which had to warm up with intense Sunday sessions, was on duty to share all the most important moments of the day.
For 9 years @Identiverse (formerly Cloud Identity Summit) has been touring the US and educating legions of Identirati to be on the good side of the news, and not the next Ashley Madison, Equifax, or Facebook.
To adapt to the "new" risks and threats, we must comprehend the state of our "new" reality: architectures are hyper-distributed, and the attack surface increases with them.
Nothing is so NEW: distributed architectures were taught at university 15 years ago through CORBA courses, and attacks still rely on the same OWASP Top 10. What is new is the complexity of the interactions between the components, which creates plenty of new sides (soft underbelly?).
@andredurand then posed two objectives:
#identity is experiencing its own Cambrian moment. Today’s favorable conditions: a changing perimeter, increasing CIO priority, ubiquity of mobile, #biometrics advancements & user behavioral algorithms...(pt 1/2) #identiverse tps://t.co/IsfU1Hv3Rn
Some quotes brought us back to the reality of the technology and the abuses that can rise from it:
"Every convenience we enable today has a future unintended consequence." #identiverse
And what's great is that:
HiPPO has a nemesis: the geek, who starts with a gut feeling and then finds proofs for his point. Numbers show that HiPPOs are an endangered species #identiverse
Integrating the Geek into the equation is fun, but the presentation diverged along two paths:
Where the former is clearly an interesting movement (we just have to look at the disruption of the Bug Bounty market), it relies on a strong prerequisite:
The power of the crowd in problem solving... if you can translate a problem into an agnostic language / code. Overpasses the experts' proposals #identiverse
As for the latter, we were all amazed by the progress of AlphaGo in the competition to dethrone all the human champions. @amcafee explained that the famous Move 37 of AlphaGo would have been considered a junior/non-expert move by any serious Go player's standards. It later revealed itself to be an initiative of the Machine to reach the fixed goal: winning the game. Can't we conclude that an #AI will then be able to solve any problem? The same prerequisite applies: if you can translate a problem into an agnostic language / code.
But @amcafee and other Identirati drew a line between the two:
Let machines handle the routine work; let people make the judgment calls
RT @adfskitteh : When evidence and gut diverge - the Geek will abandon their gut and go where the evidence leads. The HIPPO will abandon the evidence and go where their judgment leads.
RT @NishantK : Uncomfortable with the assertion that machines are displaying excellent judgment. Yes, they may be able to see all the possibilities in a game to play strategically. But @andredurand just talked about the unintended consequences of today's convenience based decisions
RT @NishantK : I've come to the conclusion that any talk on the power of machine learning to transform business that doesn't talk at least a little about #AlgorithmicAccountability and #EthicsInAI is incomplete and skewed.
As a starter for the sessions, I then went to @jonlehtinen's session on how to go from Strategy to Execution... I was in need of such a speech and I was not disappointed, because it was great:
Strategy is easy and fun but execution.... That's a lot harder. You need a framework @jonlehtinen #identiverse
The Framework is defined as follows:
Three key takeaways:
Any IT transformation should be through a true partnership with Business @jonlehtinen << IAM [and Cybersec] can bring value, reduce friction... And yes, we put controls on top too, but that's the cherry #identiverse
The next session was kind of a trap... "Can't hire IAM engineer, make one" spent too much time explaining that the market favours the candidates but that the funnel is depleted. I did not get what I was looking for on how to really make an IAM engineer.
To finish the morning, I attended a session on Advanced IoT: a very deep dive into JSON and the world of data exchange within constrained devices by @dwaite. I learned about CBOR and JCOR to allow:
After the lunch break, we resumed the keynotes with @iglazer from @IDPro_org, who did a difficult and personal skillset introspection to correctly define where the impostor syndrome lies and how we can improve ourselves, and also how Identirati can explain to their families what they do all day long.
To do so, @iglazer had us fill in a grid.... twice. The second time to be transparent with ourselves and to correct the emotional answers we gave on the first try.
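To make the constrained-device point concrete, here is an added example (not code from the talk or from @dwaite) of a minimal CBOR encoder written from the RFC 7049/8949 major-type rules, used to compare the wire size of the same telemetry record in compact JSON and in CBOR. The sample record is constructed for the example; the encoder covers integers, booleans, null, strings, byte strings, arrays and maps, which is enough for typical sensor payloads.

```python
import json
import struct

# Constructed sample telemetry message, the kind a constrained sensor might send
# (made up for this example; not from the talk).
SAMPLE = {"id": 7, "temp": 21, "ok": True, "tags": ["edge", "hub"]}


def _head(major, n):
    """CBOR initial byte(s): 3-bit major type plus the shortest encoding of the argument n."""
    mt = major << 5
    if n < 24:
        return bytes([mt | n])            # argument fits in the initial byte
    if n < 0x100:
        return bytes([mt | 24]) + struct.pack(">B", n)
    if n < 0x10000:
        return bytes([mt | 25]) + struct.pack(">H", n)
    if n < 0x100000000:
        return bytes([mt | 26]) + struct.pack(">I", n)
    return bytes([mt | 27]) + struct.pack(">Q", n)


def cbor_encode(obj):
    """Encode a JSON-like Python value as CBOR (subset: no floats, tags or indefinite lengths)."""
    # bool is a subclass of int in Python, so test it before the int branch.
    if obj is True:
        return b"\xf5"                    # major type 7, simple value 21
    if obj is False:
        return b"\xf4"                    # major type 7, simple value 20
    if obj is None:
        return b"\xf6"                    # major type 7, simple value 22
    if isinstance(obj, int):
        # major 0 = unsigned int n; major 1 = negative int encoded as -1 - n
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj   # major 2 = byte string
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data # major 3 = UTF-8 text string
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)   # major 4 = array
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(                                 # major 5 = map
            cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type: {type(obj).__name__}")


def compare_sizes(obj):
    """Return (json_bytes, cbor_bytes) for the same structure, JSON in its most compact form."""
    j = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    c = cbor_encode(obj)
    return len(j), len(c)


if __name__ == "__main__":
    j, c = compare_sizes(SAMPLE)
    print(f"JSON {j} bytes, CBOR {c} bytes: {cbor_encode(SAMPLE).hex()}")
```

The saving comes from length-prefixed strings (no quotes or delimiters) and from small integers and booleans fitting in a single byte; on a radio link where every byte costs energy, that is the argument for CBOR over JSON.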
Do the survey at the link below:
A small but important intervention by Kaliya "Identity Woman" (@IdentityWoman), who finished her thesis on Digital Identity and shared with all of us the results of her study over 16 domains. The document can be downloaded at https://identitywoman.net/domains-of-identity/
The first track of the afternoon was Steve "Hutch" Hutchinson (@IdentityHutch) from General Electric: a different kind of track, oriented more toward the data generated by the IoT. Knowing that GE is the oldest faithful startup in the World:
In GE IIoT, Edge / Hub get the identity and connected devices are just attributes. Clever @IdentityHutch
Certificates are one of the best things we have for IoT security @IdentityHutch
On top of that, for every take-off:
Every plane triggers a motor; a digital twin is created at GE, allowing simulations, training and testing on real information and context
The second track was also oriented toward transportation: the car industry, an industry that had and still has its share of digital disruption:
Lots of change in the automotive industry: trying to sell services through cars, see BMW parkNow, DriveNow, etc.
Identity is everywhere within and around the car ecosystem:
... in desperate need of managing relationships:
A simpler User-Watch-Car-GPS-GMaps-Google_profile identity propagation and relationship model
... that generates a lot of data...
... and that needs Identity Propagation for better security
Afterwards, I chose the DID track, and it all started with Zero Knowledge Proof thanks to Clare Nelson aka @Safe_SaaS. A straightforward presentation even if the subject is far from easy (a PhD in Mathematics is welcome). These 3 slides summarized the situation:
I will add a slide from a later session which also helps to understand ZKP:
Zero Knowledge Proof when the operation is compare and not match... (like for a photo). Interesting question.
How to emit a ZKP for a group of verifiers without emitting one ZKP per verifier... it seems that we need to onboard another set of keys....
As the penultimate session of the day, and before the B__ session, I came to see Martin Lapointe from ATB Financial talking about their CIAM project. The numbers were interesting for anyone who wants to improve relationships with their customers.
Not an easy way to finish the day, but.... here came the B__ session, and as it was duly noted:
I'm not sure a 5 gallon jug will be big enough for the Blockchain and Identity session in room #306, it will be like Oktoberfest in June #identiverse
RT @jonlehtinen: .@amigus points out the 51% attack as a weakness in #blockchain. This attack is increasingly common, btw https://www.coindesk.com/blockchains-feared-51-attack-now-becoming-regular/
#DID, by supporting only #blockchain-oriented methods to store the documents, becomes tied to the whole #blockchain debate around immutability, private data in a public ledger, and the independence conundrum.
RT @jonlehtinen: Thinking immutability- So what happens when the trolls start putting toxic material (think cp) on a blockchain for the lolz, or to sabotage any other blockchain but their preferred one? #identiverse
In any case, independence is not guaranteed, because to retrieve information (or at least to search for it) we seem to need a resolver that browses all the supported #blockchains.
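To show where that resolver sits, here is an added example (not code from any session or DID project) of a method-agnostic resolver: it validates the `did:<method>:<method-specific-id>` syntax from the W3C DID Core ABNF, then dispatches to whichever backend is registered for the method. The two backends are constructed in-memory stores standing in for a ledger; the error strings are modelled on the DID resolution metadata errors (`invalidDid`, `methodNotSupported`, `notFound`), which is an assumption about the spec rather than a quotation of it. Note that each stored document carries only public verification material, never personal attributes.

```python
import re

# did:<method>:<method-specific-id>; simplified from the DID Core ABNF
# (method-name is lowercase alphanumerics; the id may contain ':'-separated segments).
DID_RE = re.compile(
    r"^did:(?P<method>[a-z0-9]+):(?P<msid>[A-Za-z0-9._%-]+(?::[A-Za-z0-9._%-]+)*)$"
)

# Constructed stand-ins for two method backends (not real ledgers). Only public
# verification material is stored; there are no personal attributes here.
LEDGER_A = {
    "alice": {
        "id": "did:ledgera:alice",
        "verificationMethod": [{"id": "did:ledgera:alice#key-1",
                                "type": "Ed25519VerificationKey2018",
                                "publicKeyBase58": "CONSTRUCTED_PUBKEY_A"}],
    }
}
LEDGER_B = {
    "org:unit:bob": {
        "id": "did:ledgerb:org:unit:bob",
        "verificationMethod": [{"id": "did:ledgerb:org:unit:bob#key-1",
                                "type": "Ed25519VerificationKey2018",
                                "publicKeyBase58": "CONSTRUCTED_PUBKEY_B"}],
    }
}


def parse_did(did):
    """Return (method, method_specific_id) or None if the string is not a DID."""
    m = DID_RE.match(did)
    return (m.group("method"), m.group("msid")) if m else None


class UniversalResolver:
    """Registry of per-method resolvers; knows nothing about any ledger itself."""

    def __init__(self):
        self._methods = {}

    def register(self, method, lookup):
        # lookup: callable taking the method-specific id, returning a DID document or None
        self._methods[method] = lookup

    def supported_methods(self):
        return sorted(self._methods)

    def resolve(self, did):
        parsed = parse_did(did)
        if parsed is None:
            return {"didDocument": None, "didResolutionMetadata": {"error": "invalidDid"}}
        method, msid = parsed
        lookup = self._methods.get(method)
        if lookup is None:
            # A DID whose method we do not run a backend for cannot be resolved at all:
            # this is the dependency on "all supported blockchains" discussed above.
            return {"didDocument": None,
                    "didResolutionMetadata": {"error": "methodNotSupported"}}
        doc = lookup(msid)
        if doc is None:
            return {"didDocument": None, "didResolutionMetadata": {"error": "notFound"}}
        return {"didDocument": doc,
                "didResolutionMetadata": {"contentType": "application/did+json"}}


def build_resolver():
    """Wire the two constructed backends into one resolver."""
    r = UniversalResolver()
    r.register("ledgera", LEDGER_A.get)
    r.register("ledgerb", LEDGER_B.get)
    return r


if __name__ == "__main__":
    r = build_resolver()
    for did in ("did:ledgera:alice", "did:ledgerb:org:unit:bob",
                "did:other:x", "DID:ledgera:alice"):
        print(did, "->", r.resolve(did)["didResolutionMetadata"])
```

Every method the resolver supports is another network whose availability, consensus and history it now depends on, which is the independence trade-off in practice.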
ClearMe DLIT for #DID integration #identiverse
Responses are scarce, and any security debate brings us back to the Zero Knowledge Proof topic, so let's accept it and focus on another problem that must be improved: loss of keys or of the associated wallet. How can we get out of this situation with DID? By putting the wallet on the #blockchain protected by a #DID AuthN (or I should say a Self-Service DID AuthN Reset).
So the blockchain does not need to store identity and attributes on it... But if I lose my wallet, through DID I can retrieve my identity from the blockchain... I have a question there:
If the recovery involves disclosing my real ID, then my #DID is associated with me... So how can #DID protect my privacy?
The solution may be a hardware module, as through @Yubico... but there is so much to solve before going there.
As a conclusion, risks were identified... but I'm not sure those are the real ones we must focus on:
And from another Blockchain session:
@paulmadsen is dropping massive truths about blockchain and identity! Truthfulness not magically added. Trust not magically added.
@paulmadsen states... we should be careful/thoughtful to layer identity on top of these nascent technologies. Especially as many solutions are being tried. How does this impact the network effects?
RT @BCIdentity: The best part about using a #blockchain is its #immutability ... The worst part about using a #blockchain is its #immutability ...
This is how the summary of my second day at @Identiverse ends, so let's re-run our Graph DB to learn what happened in the other tracks I did not attend:
Being a Go player is the definition of Geek, for whom Chess is just a warm-up #identiverse
Ok I understand that AlphaGoMove37 is a secure default password for my new Website [the HiPPO] #identiverse
I did not get the chance to attend @NishantK's talk on UX, but:
RT @lpeterman: Per @NishantK , having a UX researcher on staff was transformative for @Uniken_Inc > THIS. Some identity companies today get this, many, unfortunately. still don’t. #identiverse #uxmatters https://t.co/IOqVNgJEQ2
"Hackers break security by exploiting human nature," says @NishantK
RT @prabath: Open Banking timeline
Open Banking Adoption #identiverse https://t.co/yVoL5bFuGM
UK Open Banking panel #Identiverse "Some banks looking to provide a monetised API above and beyond the standard OB APIs"
UK Open Banking panel #Identiverse "Some big global banks still think of this as a compliance exercise. If that's your attitude, you should just pack up and go home." @cjemichael
On Identity standards:
RT @bertrandcarlier: All those standards don't yet suffice. Do we need other ones to do everything we need or is there another approach? @gffletch seems to have an opinion on the matter https://t.co/m6V0udWYdi
Technology adoption follows the stages of grief - @adfskitteh
On Consent Receipt:
@KantaraColin: does a consent receipt create a durable log of receipt insurance?
At the same moment, on the other side of the planet:
RT @bbw1984: BREAKING: Big Brother Watch investigation reveals HMRC has taken 5.1m voice IDs. Read the exclusive: http://www.dailymail.co.uk/news/article-5878701/Taxman-secretly-records-five-million-callers-tax-hotlines-controversial-ID-scheme.html#article-5878701 #identiverse #privacy Know your rights: https://bigbrotherwatch.org.uk/2018/06/hmrc/
Privacy group EFF announces STARTTLS Everywhere to secure emails with hop-to-hop — but not end-to-end — encryption https://betanews.com/2018/06/25/eff-starttls-everywhere/
Today, we’re excited to announce the certification and availability of our #YubiKey FIPS series, the first multi-protocol #FIPS 140-2 validated security keys: https://bit.ly/2KgGRsF #infosec #Identiverse https://t.co/YrgSfYZwNQ
RT @axiomatics: Axiomatics and Saviynt Unite to Offer Integrated Externalized Dynamic #Authorization and #Identity #Governance and Administration Solutions, an Industry First #Identiverse @saviynt #IGA #ABAC http://bit.ly/2IqZeWR