Published on 16 July 2018 in Conference
Day #3 is always the hardest. We keep on digesting what we learned from the first two days while we learn new things... and this year I even tried to add the traditional bootcamp to the mix. Another exercise for the mind... through the body. Long story short:
Now I know one more thing to write in the lower/right (bad at it/everyone aware) @iglazer self-assessment grid: #Bootcamp #ThanksCarrieAnn
RT @andredurand As everything becomes digital, #digitalidentity becomes a requirement. We must know who we’re engaging online. Some of the largest identity deployments in the world trust @pingidentity to secure identity and accelerate #digitaltransformation
RT @_nat_en Global authentication authority sits in the middle to connect multiple clouds and on-premises enterprise
RT @_nat_en Digital Transformation As markets mature, traditional boundaries blur
RT @andredurand The future of #authentication is becoming a mashup of identity proofing, first factor and N-factor (#MFA) authentication. Intelligence and orchestration will hold these things together
If you want to know more, the best option is to check Crunchbase.
@andredurand also insisted on the importance of IDSA (Identity Defined Security Alliance):
RT @andredurand The @IDSAlliance provides blueprints & best practice for enabling dozens of enterprise identity and security use cases like passwordless, conditional access & #zerotrust saving enterprises time and money.
Following up was a panel hosted by @andredurand. Best lines? Done is as easy as spelling it, but...
"Done done" is a little bit more difficult than doing a script. It is assuring it is self-resilient and never touched again except if it breaks... and: "identity professionals are from Venus and security professionals are from Mars"
Identity Experience (IX) and the role of the global Authority take the front seat:
RT @ron_miller: A bad identity experience is a bad user experience. I can attest to that having lost my Google identity last year for a time. https://techcrunch.com/2017/12/22/that-time-i-got-locked-out-of-my-google-account-for-a-month/
RT @jonlehtinen: What’s cool is that if you offer these new identity services in an easy to use, automated fashion, with constant customer touchpoints to add impactful features, the BUs grow happy to consume your new IAM service
RT @TheMarkONeill Thor Essman from @Versent_AU talking about importance of IX - Identity Experience - seamlessly recognizing the customer in a multiexperience environment whether apps, web, or voice - opposite of asking customer many questions and foisting difficult UX on the user.
...Management/Business owners have a real role to play in this:
RT @_nat_en For individual applications, there is no incentive to consolidate the identity although there are corporate needs. Management mandate needed.
"You cannot overcommunicate your mission." (Jared Meier, HP at #Identiverse)
Discovering @elasticbeam through this acquisition forced me to change my plan to understand the value proposition of the company and the product.
Rationale behind @elasticbeam
The product is already deployed on AWS and pre-configured to catch what tries to fly under the radar at your API endpoints:
And when we talk about APIs... we talk about any lightweight protocol like MQTT... And with little customization it can support OT protocols (SCADA, OPC). That is clearly a wonderful path and option, as this part of the security spectrum is currently boiling.
The deployments options are pretty standard:
To summarize... Honeypots are cool again!
IoT is really a continent by itself in the Identity space, bringing its own set of challenges for identity proofing, lifecycle/governance, authentication, and access control.
Thanks to the session of @SarahKSquire, I got another chance to dive into it and to see that OAuth 2.0 is a core toolbox to tackle these use cases:
Extension to OAuth dynamic registration for Robot ID card
It's true that:
Replacing a key deployed to a hardware chip is not a scalable attack. Replacing a key deployed to the cloud...is.
...but @SarahKSquire has a 3-step plan to help us here:
Today: assume compromise will arrive, PII is toxic material, throw your root key out of the device. Questions to ask yourself?
This week: join @IDPro_org, audit private/PII data, watch regulations/standards.
This year: enable a bug bounty, hire a hacker, metamorphosis to microservices.
Lunch break and then keynotes... Two. Different. But amazing. We started with Jonathan Zittrain aka @zittrain who explained to us the privacy conundrum thanks to the risks around everything-data.
Protecting privacy is hard... when the society stops thinking about it. Proof?
More hands up for owning/using Siri, Alexa,... than for having been to an X.509 key ceremony someday
And it is the Identirati's role to deal with that:
For example, the correlation of data! You should be careful of what you ask and what you want to demonstrate:
RT @JanelleCShane: One of the more striking examples I've seen of an algorithm solving the wrong problem << a great follow-up to @zittrain keynote at #identiverse https://twitter.com/JanelleCShane/status/1016448801375055872
Today’s example: https://twitter.com/zittrain/status/1017754944114311168
Even more, ML can be tricked on purpose into bad decisions:
Tweaking one pixel on this image turned it into guacamole for Google machine learning
Paint a turtle (3D printed turtle) carefully and ML will recognize it as a rifle
The second keynote, by @PenTestPartners, was a hacker keynote... An impossible stunt, you think? Even more so when the stage was filled with a Kettle 2.0, a talking doll, and a teddy bear:
Another crazy keynote on IoT security #Identiverse
The recipe is pretty simple; let's take a connected kettle (sic):
From there you can access the Wi-Fi password, and therefore the local network, aka the fundamentals.
The example on the doll is a little bit more complex but it relies on:
It works... I swear... or at least the doll swears.
It all comes down to developers (and the business) thinking their code will never be opened and seen without the front end:
Case of the unhandled SSL shit status
To find those, @PenTestPartners admits he breaks things... But to repair them afterwards... We can learn a lot from those small technical workshops like:
Wow... Attacking the grid by requesting an additional spike of energy on a hot day... Only because of a custom firmware uploaded to an unsecured thermostat. A nightmare scenario proposed by @PenTestPartners
This is problematic:
It is possible to weaponize IoT. Poorly secured IoT should be banned
US Senate draft IoT security bill. Read it.
My first session was with @auth0 on implementation details for a good CIAM-X (CIAM eXperience) thanks to the brokering of authentication.
That reminds me of something: IdentityNorth Montreal - Future Proof your Digital Identity strategy
Code and to-do tidbits:
A CIAM-X (CIAM eXperience) that was also presented as part of @Netflix's strategy and feedback. But first, a life lesson:
A shared message from @Netflix culture
@Netflix's Identity strategy can be summarized in 4 goals. Even if it is dedicated to employees and partners, it can serve the other Identity purposes (Customers, Things, A2A):
A strategy that improved the Identity lifecycle processes:
To sustain their new perimeterless architecture, @Netflix uses automatic health-pulse checks for devices:
A tool available on Github https://github.com/Netflix/stethoscope
Objectives at @Netflix in a nutshell:
To close my day, I took a last session on BeyondCorp strategy... a rinse-and-repeat self-motto. And that's OK because:
BeyondCorp is simple: Attributes, Policies, and App/Data. Now implementation... You may not get it right on the first try
To thrive, here are the risks and their mitigations:
The Risk engine aka ABAC central PDP must be at the core of your strategy.
I asked @Google how they ensure latency stays low during the evaluation of a request: from their point of view, the number of policies to evaluate is in a 10-100 range max, and it should be kept under 100. Even if the answer was clear, I find it disturbing, as with the evolution of APTs the need for fine-tuned policies might lead to an explosion of policies, as some other speakers noted.
To bootstrap such a strategy? Try and learn in 3 steps:
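To make the "attributes, policies, app/data" idea and the policy-count question concrete, here is an added example of a tiny attribute-based policy decision point in Python. It is not Google's BeyondCorp code nor anything shown in the session: the policies, groups, app tiers and device-posture attributes are hypothetical, and the function reports how many policies it had to evaluate, which is the number the latency budget above is about.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass
class Policy:
    """One ABAC rule: if `applies` matches the request attributes, return `effect`."""
    name: str
    applies: Callable[[Attrs], bool]
    effect: str  # "allow" or "deny"


# Constructed, hypothetical policy set. Combining rule is first-applicable,
# with deny rules ordered first so a bad device is rejected before any allow
# rule is consulted (cheap rejects first also keeps evaluation counts low).
POLICIES: List[Policy] = [
    Policy("deny-unmanaged-device",
           lambda a: not a.get("device_managed", False), "deny"),
    Policy("deny-stale-posture",  # missing posture age counts as stale
           lambda a: a.get("posture_age_minutes", 10**9) > 60, "deny"),
    Policy("deny-high-tier-without-mfa",
           lambda a: a.get("app_tier") == "high" and not a.get("mfa", False), "deny"),
    Policy("allow-engineering-internal",
           lambda a: "engineering" in a.get("groups", [])
           and a.get("app_tier") in ("low", "medium"), "allow"),
    Policy("allow-high-tier-secops",
           lambda a: "secops" in a.get("groups", []) and a.get("app_tier") == "high", "allow"),
]


def decide(request: Attrs, policies: List[Policy] = POLICIES) -> Tuple[str, str, int]:
    """Return (decision, matching policy name, policies evaluated).
    Nothing matching means default deny."""
    evaluated = 0
    for policy in policies:
        evaluated += 1
        if policy.applies(request):
            return policy.effect, policy.name, evaluated
    return "deny", "default-deny", evaluated


if __name__ == "__main__":
    # Constructed request: an engineer on a managed device with fresh posture.
    req = {"groups": ["engineering"], "device_managed": True,
           "posture_age_minutes": 5, "app_tier": "medium", "mfa": False}
    print(decide(req))
```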
I did not attend the closing keynote but here are some interesting facts:
In Estonia, information can only be asked once from a citizen @taavikotka
When systems are fully digitally connected, and having control over data, always better for privacy @taavikotka
RT @jonlehtinen: @taavikotka wonders why we waste time with e-signatures devoid of non-repudiation, inability to check who reads our HRs. Hint- it involves money, and making sure incumbent parties continue to profit off of this privacy imbalance.
@taavikotka explaining Estonia’s digital ID system allows people to see how their data is being accessed and by whom
Infineon scandal was a huge problem for Estonia https://t.co/91HLtC6hM2
99.99% of services in Estonia are digital and connected @taavikotka
Third day ended at @Identiverse so let's re-run our Graph DB to learn what happened in the other tracks I did not attend:
RT @andredurand: Top 5 themes we hear from Ping customers. @pingidentity
RT @topperge Extend your policies beyond users and down to their devices as well based on history https://twitter.com/topperge/status/1011713254341644288/photo/1
Less than 10% of active Google accounts have MFA enabled. We need to do better on those numbers - seems to be consistent across what vendors are saying about it. SMS as the 2nd factor is vulnerable
"Identity needs to think defense in depth- we need to get out of a layer 7 mindset" - @lpeterman -Excellent!
"Hire a hacker." I will tell you a true thing: your Red Team can't get in... you need a new Red Team.
RT @prabath: Spot the difference in scale of customer IAM and employee IAM
@Yubico's Jerrod Chong: it's super important to remember that we're moving away from shared secrets [with W3C WebAuthn]
RT @prabath: 81% confirmed breaches in 2016 involved stolen valid credentials
On the other side of the world:
RT @verge: This Japanese AI security camera shows the future of surveillance will be automated https://www.theverge.com/2018/6/26/17479068/ai-guardman-security-camera-shoplifter-japan-automated-surveillance
We're Baking Have I Been Pwned into Firefox and 1Password https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/
...and on the Funny side:
Speaking of correlation... Since the #bootcamp it seems my claps at keynotes are more powerful... Don't know why
definition: #GDPR aka God Damn Privacy Rules / @zittrain
How to disrupt a #SDC at Halloween / @zittrain
I had forgotten that it is only in #Boston that French National Day is celebrated as strongly as in France
I may have contributed to next tee shirt contest a little bit too early:
"My IAM is ruled by entropy but I don't have a phd in physics" a proposition for #identiverse '19 tee shirt contest @paulmadsen
...and for this year's one:
If you liked the #identiverse tee shirt on Block and Chain? Now you can make a cubicle poster of it. You're welcome. https://t.co/jK2SUOiYEF