/ Conference / Identiverse 2018 - Day 2: A recap with a Graph DB lens

Identiverse 2018 - Day 2: A recap with a Graph DB lens


Published on 10 July 2018 in Conference

Tweet Graph

On Day #2 we finally got the real kick-off the conference and the Twittershpere that had to warm-up with intense Sunday sessions was on duty to share all the most important moment of the day.

Day 2 Keynote

It's been 9 years that @Identiverse (formerly Cloud Identity Summit) is touring the US and educated legions of Identirati to be on the good side of the news, and not the next Ashley Madison, Equifax, or Facebook.

Good side

To adapt to the "new" risks and threats, we must comprehend the state our "new" reality: architectures are hyper distributed and so increases the attack surface.

Nothing is so NEW, distributed architectures were taught at university 15 years ago through CORBA courses and attacks still relies on the same OWASP Top 10. What is new is the complexity of the interactions between the components that create plenty of new sides (soft underbelly?)

@andredurand posed then two objectives:

  • Ensuring the creation of a strong Identity Control plane
  • Ensuring that true CSO (CyberSecurity Officer) replaces the traditional CISO even if the first priority stays #identity

#identity is experiencing its own Cambrian moment. Today’s favorable conditions: a changing perimeter, increasing CIO priority, ubiquity of mobile, #biometrics advancements & user behavioral algorithms...(pt 1/2) #identiverse tps://t.co/IsfU1Hv3Rn

Some quotes brought us back to the reality of the technology and the abuses that can rise from it:

Every convenience we enable today has a future unintended consequence." #identiverse


The next keynote was hosted by @amcafee from @MIT who challenged decisions made by the Business.... starting with the HiPPO or the Highest Paid Person Opinion:

HiPPO

And what's great is that:

HiPPO has a nemesis: the geek. Who starts with gut feeling and then find proofs to its point. Number shows that HiPPO are an endangered species #identiverse

HiPPO trend

Integration of the Geek in the equation is fun but the presentation diverged in two paths:

  • The Power of the Human Crowd
  • the Power of the Artificial Crowd (aka the #AI, #ML, and other Neural Net

Where the former is clearly an interesting movement (we just have to look at the disruption of the Bug Bounty market), it relies on a strong pre-requisite:

The power of the crowd in problem solving... If you can translate a problem in an agnostic language / code. Overpass the experts proposals #identiverse

Power Crowd

As for the latter, we were all amazed by the progress of AlphaGo in the competition to demote all the human champions. @amcafee explained that the famous Move 37 of AlphaGo would have been considered as a juinior/non expert move by any serious Go Player standards. It later revealed to be an initiative from the Machines to reach the fixed goal: winning the game. Can't we conclude that one #AI will then be able to solve any problem? The same prerequisite applies: If you can translate a problem in an agnostic language / code.

But @amcafee and other Identirati saw a line between the two:

Let machines handle the routine work; let people make the judgment calls

RT @adfskitteh : When evidence and gut diverge - the Geek will abandon their gut and go where the evidence leads. The HIPPO will abandon the evidence and go where their judgment leads.

RT @NishantK : Uncomfortable with the assertion that machines are displaying excellent judgment. Yes, they may be able to see all the possibilities in a game to play strategically. But @andredurand just talked about the unintended consequences of today's convenience based decisions

RT @NishantK : I've come to the conclusion that any talk on the power of machine learning to transform business that doesn't talk at least a little about #AlgorithmicAccountability and #EthicsInAI is incomplete and skewed.

For me:

Crowd of Minds over Machines ! That's my takeaway of the keynote... Not sure it was the conclusion we were lead to but.... #FreeWill eh? #identiverse


As a starter for the session, I went then to @jonlehtinen session on how to go from strategy to Execution... I was in need for such a speech and I was not deceived because that was great:

Strategy is easy and fun but execution .... That s a lot harder. You need a framework @jonlehtinen #identiverse

Execution Framework

The Framework is defined as follow:

  1. define the baseline IAM service
    • What is your catalog?
    • Who are your customer?
    • How will you consume it?
  2. Amends offerings with capabilities
    • Aim for highest impact services first
    • Ensure consistent execution with outcomes
  3. Design around automation and self-service
    • Reduce friction and shadow IT
    • Old process for old, Self-service for new
    • Follow the leaders AWS, Google: Afraid of the head count
    • Automation is not solving everything : How to manage the CRUD secret -> think about the Lifecycle
  4. Containerize
  5. Decomission

Three key takeaways:

Charge for the manual IAM process per usage, free if you use the Self-Service interfaces is a strategy that helped transformation @jonlehtinen #identiverse

Self-service is tempting but it needs guardrails @jonlehtinen https://t.co/f9DMHpa8cc

Any IT transformation should be through a true partnership with Business @jonlehtinen << IAM [and Cybersec] can bring value, reduce friction... And yes we put controls too on top but that's the cherry #identiverse

Partner business


The next session was a kind of a trap... "Can't hire IAM engineer, make one" spend too much time on explaining that the market advantages the candidates but that the funnel is depleted. I did not get what I was looking for on how to really make one IAM engineer.

I will refer to the post-conference article at TechTarget to which @SarahKSquire contributed to.


As to finish the morning, I attended to session on Advanced IoT. A very deep dive into JSON and the world of data exchange within constrained devices by @dwaite. I learned about CBOR and JCOR to allow:

  • Compliance with OAuth flows
  • Local device-to-device communications


After the lunch break, we resumed the keynotes with @iglazer from @IDPro_org who has done a difficult and personal skillset introspection to correctly define where the imposter syndrome lies and how we can improve ourselves. And also how Identirati can explain to their families what they do all day long.

Here at last we are talking to #canadian #identity folks #identiverse @iglazer

Imposter syndrome

To do so, @iglazer to fill a grid.... twice. The second to be transparent with ourselves and to correct the emotional answers we have given on the first try.

@iglazer now presenting in front attendees -and his parents- on @IDPro_org on its 1st birthday

Skill

Do the survey at the link below:

IDPro

@mydiacc and @IDPro_org partnering for the Voice of the Practionner! Thrilled!


Small but important intervention of Kaliya-IdentityWoman (@IdentityWoman) who finished her thesis on Digital Identity and shared with all of us the results of her study over 16 domains. The document can be downloaded at https://identitywoman.net/domains-of-identity/

Domain identity


First track of the afternoon was Steve "Hutch" Hutchinson @IdentityHutch from General Electric. A different kind of track oriented more on data generated by the IoT. Knowing that GE is the oldest faithful startup in the World:

GE 1

In GE IIoT, Edge / Hub get the identity and connected devices are just attributes. Clever @IdentityHutch

GE 2

Certificates are one of the best things we have for IoT security @IdentityHutch

On top of that, for every take off

Every plane triggers a motor a digital twin is created at GE allowing simulations, training and testing on real information and context

Impressive!


Second track was also oriented on the transportation: the car industry. An Industry that had and still has its amount of digital disruption:

Lots of change in the automotive industry : trying to sell services through cars see BMW parkNow, DriveNow, etc.

Auto 1

Identity is everywhere within and around the car ecosystem:

Auto 2

... in desperate need of managing relationships:

Auto 3

A simpler User-Watch-Car-GPS-GMaps-Google_profile identity propagation and relationship model

... that generates a lot of data... Auto 4

... and that needs Identity Propagation for better security Auto 5


Afterwards, I choose the DID track and it all started with Zero Knowledge Proof thanks to Clare Nelson aka @Safe_SaaS. A straightforward presentation even if the subject is far from easy (PhD in Mathematics welcomed). Those 3 slides summarized the situation:

ZKP 1

ZKP 2

ZKP 3

I will add a slide from a latter session but which also help understand ZKP

ZK ZKP

ZKP for sure can help to improve privacy for the claim exchange in #SSI and #DID and there were interesting questions in the audience:

Zero Knowledge Proof when the operation is compare and not match... (Like for a photo) interesting question

How to emit a ZKP for a group of verifier without emitting one ZKP per verifier... it seems that we need to onboard another set of keys....


As a penultimate session for the day and before the B__ session, I came to see Martin Lapointe from ATB Financial talking about there CIAM project. The numbers were interesting for any one that wants to improve relationships with its customers.

ATB 1

ATB 2

ATB 3

ATB 4


Not an easy way to finish the day but.... here came the B__ session and as it was duly noted:

I m not sure a 5 gallons jug will be big enough for the Blockchain and Identity session in room #306 , it will be like OktoberFest in June #identiverse

RT @jonlehtinen: .@amigus points out the 51% attack as a weakness in #blockchain. This attack is increasingly common, btw https://www.coindesk.com/blockchains-feared-51-attack-now-becoming-regular/

#DID by supporting only #blockchain oriented method to store the documents becomes tied to the whole #blockchain debate around immutability, private data in a public ledger, and independence conundrum.

RT @jonlehtinen: Thinking immutability- So what happens when the trolls start putting toxic material (think cp) on a blockchain for the lolz, or to sabotage any other blockchain but their preferred one? #identiverse

In any case, the independence is not guaranteed cause to retrieve information (or at least to search it) we seem to be in need of a resolver which browses all the supported #blockchain.

ClearMe DLIT for #DID integration #identiverse ClearMe

ClearMe stack

Questions:

  1. What if not all the blockchain are referenced in the resolver I use? the information may be inaccurate as it is incomplete or maybe not at the last version.
  2. Do I need to write in every system? But then what will be the impacts on the latency/performance?
  3. What if the resolver is down?
  4. What if the resolver changes the data on the fly? Does not present the last version of it deliberately?

Responses are scarce and any Security debate bring us back to the Zero Knowledge Proof topic, so let's accept it and let's focus on another problem that must be improved: Loss of keys or of the associated wallet. How can we get out of this situation with DID? By putting the wallet on the #blockchain protected by a #DID AuthN (or I should say a Self-Service DID AuthN Reset).

So blockchain does not need to store identity and attribute on it... But if I lose my wallet though DID I can retrieve my identity from the blockchain... I have a question there

If the recovery involved disclosing my real ID then my #DID is associated to me... So how #DID can protect my privacy?

The solution maybe a hardware module as through @Yubico... but there is so much to solve before going there.

As for a conclusion, risks were identified... but I'm not sure those are the real ones we must focus on: SSI-risks

And from another Blockchain session:

@paulmadsen is dropping massive truths about blockchain and identity! Truthfulness not magically added. Trust not magically added.

@paulmadsen states... we should be careful/thoughtful to layer identity on top of these nascent technologies. Especially as many solutions are being tried. How does this impact the network effects?

RT @BCIdentity: The best part about using a #blockchain is it's #immutability ... The worst part about using a #blockchain is it's #immutability ...


This is how ends the summary my second day at @Identiverse so let's re-run our Graph DB to learn what happen in the other tracks I did not attend:

Being a Go player is the definition of Geek, for who Chess is a just a warm-up #identiverse

Ok I understand that AlphaGoMove37 is a secure default password for my new Website [the HiPPO] #identiverse

I did not get the chance to assist to @NishantK on UX but:

RT @lpeterman: Per @NishantK , having a UX researcher on staff was transformative for @Uniken_Inc > THIS. Some identity companies today get this, many, unfortunately. still don’t. #identiverse #uxmatters https://t.co/IOqVNgJEQ2

RT @bertrandcarlier‏: There are the heroes that will save us! https://t.co/bkdXxEj6MC Heroes

Hackers break security by exploiting human nature" says @NishantK

On OpenBanking:

RT @prabath: Open Banking timeline OpenBanking

Open Banking Adoption #identiverse https://t.co/yVoL5bFuGM

UK Open Banking panel #Identiverse "Some banks looking to provide a monetised API above and beyond the standard OB APIs"

UK Open Banking panel #Identiverse "Some big global banks still think of this as a compliance exercise. If that's your attitude, you should just pack up and go home." @cjemichael

On Identity standards:

RT @bertrandcarlier‏: All those standards don't yet suffice. Do we need other ones to do everything we need or is there another approach? @gffletch seems to have an opinion on the matter https://t.co/m6V0udWYdi

On Technology:

Technology adoption follows the stages of grief - @adfskitteh

On Consent Receipt:

@KantaraColin does consent receipt create a durable log of receipt insurance?

At the same moment on the other side of the planet:

RT @bbw1984: BREAKING: Big Brother Watch investigation reveals HMRC has taken 5.1m voice IDs. Read the exclusive: http://www.dailymail.co.uk/news/article-5878701/Taxman-secretly-records-five-million-callers-tax-hotlines-controversial-ID-scheme.html#article-5878701 #identiverse # privacy Know your rights: https://bigbrotherwatch.org.uk/2018/06/hmrc/

Privacy group EFF announces STARTTLS Everywhere to secure emails with hop-to-hop — but not end-to-end — encryption https://betanews.com/2018/06/25/eff-starttls-everywhere/

Today, we’re excited to announce the certification and availability of our #YubiKey FIPS series, the first multi-protocol #FIPS 140-2 validated security keys: https://bit.ly/2KgGRsF #infosec #Identiverse https://t.co/YrgSfYZwNQ

RT @axiomatics: Axiomatics and Saviynt Unite to Offer Integrated Externalized Dynamic #Authorization and #Identity #Governance and Administration Solutions, an Industry First #Identiverse @saviynt #IGA #ABAC http://bit.ly/2IqZeWR


AUTHOR: JF Lombardo