
Identiverse 2018 - Day 3: A recap with a Graph DB lens

Published on 16 July 2018 in Conference


Day #3 is always the hardest. We keep on digesting what we learned during the first two days while we learn new things... and this year I even tried to add the traditional bootcamp to the mix. Another exercise for the mind... through the body. Long story short:

Now I know one more thing to write in the lower/right (bad to it/everyone aware) @iglazer self-assessment grid: #Bootcamp #ThanksCarrieAnn

@andredurand started the day by describing five unforeseen forces shaping the #identity space:

  1. Mash-up and Identity Orchestration for the #identity types
  2. Intelligence (ok, but #Ethics! We need to hear that too @andredurand << like the bicameral brain representation by the way)
  3. Identity micro services and secure APIs: #IdentityInDepth, let's not fall into the same pitfall by recreating the "Identity firewall drawbacks"
  4. Identity is Security
  5. Rise of the Global Authority

RT @stevetout: Global Authentication Authority provides a consolidated management layer and common gateway for @pingidentity

RT @andredurand As everything becomes digital, #digitalidentity becomes a requirement. We must know who we’re engaging online. Some of the largest identity deployments in the world trust @pingidentity to secure identity and accelerate #digitaltransformation

RT @_nat_en Global authentication authority sits in the middle to connect multiple clouds and on-premises enterprise

RT @_nat_en Digital Transformation: As markets mature, traditional boundaries blur

RT @andredurand The future of #authentication is becoming a mashup of identity proofing, first factor and N-factor (#MFA) authentication. Intelligence and orchestration will hold these things together

@pingidentity used this keynote to announce an important acquisition of @elasticbeam under the PingIntelligence branding:

@pingidentity is acquiring @elasticbeam, specialized in AI and ML for better security @andredurand

@elasticbeam features will become @pingidentity Intelligence (Q3)

If you want to know more, the best place to look is Crunchbase.

@andredurand also insisted on the importance of IDSA (Identity Defined Security Alliance):

RT @andredurand Identity is an integration play. Which is why ensuring interoperability across a diverse set of identity security use cases is so important. That’s where @IDSAlliance comes in.

RT @andredurand The @IDSAlliance provides blueprints & best practice for enabling dozens of enterprise identity and security use cases like passwordless, conditional access & #zerotrust saving enterprises time and money.

Next up was a panel hosted by @andredurand. Best lines? "Done" is as easy to say as to spell, but...

"Done done" is a little bit more difficult than doing a script. It is assuring it is self resilient and never touched again except if it breaks... and: "identity professionals are from Venus and security professionals are from Mars"

Identity Experience (IX) and the role of the global Authority take the front seat:

RT @ron_miller: A bad identity experience is a bad user experience. I can attest to that having lost my Google identity last year for a time. https://techcrunch.com/2017/12/22/that-time-i-got-locked-out-of-my-google-account-for-a-month/

RT @jonlehtinen: What’s cool is that if you offer these new identity services in an easy to use, automated fashion, with constant customer touchpoints to add impactful features, the BUs grow happy to consume your new IAM service

RT @TheMarkONeill Thor Essman from @Versent_AU talking about importance of IX - Identity Experience - seamlessly recognizing the customer in a multiexperience environment whether apps, web, or voice - opposite of asking customer many questions and foisting difficult UX on the user.

...Management/Business owners have a real role to play in this:

RT @_nat_en For individual applications, there is no incentive to consolidate the identity although there are corporate needs. Management mandate needed.

"You cannot overcommunicate your mission." (Jared Meier, HP at #Identiverse)

Discovering @elasticbeam through this acquisition made me change my plans so I could understand the value proposition of the company and the product.

Rationale behind @elasticbeam:

The product is already deployed on AWS and pre-configured to catch what tries to fly under the radar at your API endpoints.

And when we talk about APIs... we talk about any lightweight protocol, like MQTT. With little customization it can also support OT protocols (SCADA, OPC). That is clearly a wonderful path and option, as this part of the security spectrum is currently boiling.

@TemperedNW is a fast-growing company in this space: https://www.temperednetworks.com/

The deployment options are pretty standard.

To summarize... Honeypots are cool again!

IoT is really a continent by itself in the Identity space, bringing its own set of challenges for identity proofing, lifecycle/governance, authentication, and access control.

Thanks to @SarahKSquire's session, I got another chance to dive into it and to see that OAuth 2.0 is a core toolbox for tackling these use cases:

Extension to OAuth dynamic registration for Robot ID card

It's true that:

Replacing a key deployed to a hardware chip is not a scalable attack. Replacing a key deployed to the cloud...is.

RT @adfskitteh In Fall 2016, a horrible thing happened: Reddit and Netflix went down at the same time. - @SarahKSquire protecting us from the robots.

...but @SarahKSquire has a 3-step plan to help us here:

  1. Today: assume the compromise will arrive, PII is toxic material, throw your root key out of the device. Questions to ask yourself?
  2. This week: join @IDPro_org, audit private/PII data, watch regulations/standards
  3. This year: enable a bug bounty, hire a hacker, metamorphose to microservices

RT @justin__richer In which @SarahKSquire teaches us how to keep the robots from deleting us.

Lunch break and then keynotes... Two. Different. But amazing. We started with Jonathan Zittrain, aka @zittrain, who explained the privacy conundrum to us through the risks around everything-data.

Protecting privacy is hard... when society stops thinking about it. Proof?

More hands up for owning/using Siri, Alexa,... than for having been to an X.509 key ceremony someday

And it is the Identirati's role to deal with that:

RT @bertrandcarlier: Identity experts at #identiverse have a responsibility to design tech in a privacy preserving way says @zittrain

As an example, the correlation of data! You should be careful of what you ask and what you want to demonstrate.

@zittrain went even further in the days following @Identiverse:

RT @JanelleCShane: One of the more striking examples I've seen of an algorithm solving the wrong problem << a great follow-up to @zittrain keynote at #identiverse https://twitter.com/JanelleCShane/status/1016448801375055872

Today’s example: https://twitter.com/zittrain/status/1017754944114311168

Even more, ML can be tricked on purpose into bad decisions:

Tweaking one pixel on this image turned it into guacamole for Google machine learning

Paint a turtle (3D printed turtle) carefully and ML will recognize it as a rifle

The second keynote, by @PenTestPartners, was a hacker keynote... Impossible stunt, you think? Even more so when the stage was filled with a Kettle 2.0, a talking doll, and a teddy bear:

Another crazy keynote on IoT security #Identiverse

Recipe is pretty simple, let's take a connected kettle (sic.):

  1. Unwrap, unbox, unseal
  2. Get component id/part number
  3. Find technical documentation... the only documentation that describes everything like default password
  4. From there it is bad application security

From there you can access the Wifi password / the local network, aka the fundamentals.

The example on the doll is a little bit more complex, but it relies on:

  1. Obfuscation of the security token in the native app
  2. Tampering with the local words
  3. Insecure API call allowing MitM

It works... I swear... or at least the doll swears.

It all comes down to developers (and business) thinking their code will never be opened and seen without the front-end:

Case of the unhandled SSL shit status

To find those, @PenTestPartners admits he breaks things... but repairs them afterwards... We can learn a lot from those small technical workshops, like:

Wow... Attacking the grid by requesting an additional spike of energy on a hot day... Only because of a custom firmware uploaded to an unsecured thermostat. A nightmare scenario proposed by @PenTestPartners

This is problematic:

It is possible to weaponize IoT. Poorly secured IoT should be banned

US Senate draft IoT security bill. Read it.

My first session was with @auth0 on implementation details for a good CIAM-X (CIAM eXperience) thanks to the brokering of authentication.

That reminds me of something: IdentityNorth Montreal - Future Proof your Digital Identity strategy

Code and to-do tidbits:


A CIAM-X (CIAM eXperience) that was also presented as part of @Netflix's strategy and feedback. But first, a life lesson:

A shared message from @Netflix culture

@Netflix's identity strategy can be summarized in 4 goals. Even if it is dedicated to employees and partners, it can serve the other identity purposes (customers, things, A2A).

A strategy that improved the identity lifecycle processes.

To sustain their new perimeter-less architecture, @Netflix uses an automatic health-pulsing check for devices:

A tool available on GitHub: https://github.com/Netflix/stethoscope

Objectives at @Netflix in a nutshell.

To close my day, I took a last session on BeyondCorp strategy... a rinse-and-repeat self-motto. And that's OK because:

BeyondCorp is simple: Attributes, Policies, and App/Data. Now implementation... You may not get it right on the first try

To thrive, the session laid out the risks and their mitigations.

The risk engine, aka the central ABAC PDP, must be at the core of your strategy.

I asked @Google how they ensure latency stays low during the evaluation of a request. From their point of view, the number of policies to evaluate is in the 10-100 range max, and it should be kept under 100. Even if the answer was clear, I find it disturbing, as with the evolution of APTs the need for fine-tuned policies might lead to an explosion of policies, as some other speakers noted.
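As an added example (not code from the page, from Google or from Netflix), here is a minimal deny-overrides ABAC policy decision point in the spirit of the Attributes / Policies / App-Data model above: each request carries user, device (as a Stethoscope-style health pulse might report it) and app attributes, and the policy set is capped at the 100-policy ceiling the speaker mentioned. The policy names and attribute keys are my own assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attrs = Dict[str, object]

@dataclass
class Policy:
    name: str
    applies: Callable[[Attrs], bool]  # does this policy cover the request?
    allow: Callable[[Attrs], bool]    # if it applies, is the request allowed?

@dataclass
class Decision:
    permit: bool
    reasons: List[str] = field(default_factory=list)

MAX_POLICIES = 100  # guidance heard in the session: keep the set at 10-100 policies

def evaluate(policies: List[Policy], req: Attrs) -> Decision:
    """Deny-overrides: every applicable policy must allow; no applicable policy denies."""
    if len(policies) > MAX_POLICIES:
        raise ValueError(f"policy set too large: {len(policies)} > {MAX_POLICIES}")
    matched, reasons = 0, []
    for p in policies:
        if not p.applies(req):
            continue
        matched += 1
        if not p.allow(req):
            reasons.append(f"denied by {p.name}")
    if matched == 0:
        reasons.append("no applicable policy (default deny)")
    return Decision(permit=not reasons, reasons=reasons)

# Constructed policy set (assumed names and keys): device posture as a Stethoscope-style
# health pulse would report it, user authentication strength, and per-app sensitivity.
POLICIES = [
    Policy("device-managed", lambda r: True,
           lambda r: r["device"].get("managed") is True),
    Policy("device-healthy", lambda r: True,
           lambda r: bool(r["device"].get("disk_encrypted"))
           and r["device"].get("os_patch_age_days", 999) <= 30),
    Policy("mfa-for-sensitive", lambda r: r["app"].get("sensitivity") == "high",
           lambda r: "mfa" in r["user"].get("amr", [])),
    Policy("group-for-sensitive", lambda r: r["app"].get("sensitivity") == "high",
           lambda r: r["app"].get("owner_group") in r["user"].get("groups", [])),
]

def decide(user: Attrs, device: Attrs, app: Attrs) -> Decision:
    """Evaluate one access request against the constructed policy set."""
    return evaluate(POLICIES, {"user": user, "device": device, "app": app})
```

The returned reasons list is what a real PDP would log, so a denial can be traced to the exact policy rather than to an opaque "access denied".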

To bootstrap such a strategy? Try and learn in 3 steps.

I did not attend the closing keynote, but here are some interesting facts:

In Estonia, information can only be asked once from a citizen @taavikotka

When systems are fully digitally connected, and having control over data, always better for privacy @taavikotka

RT @jonlehtinen: @taavikotka wonders why we waste time with e-signatures devoid of non-repudiation, inability to check who reads our HRs. Hint- it involves money, and making sure incumbent parties continue to profit off of this privacy imbalance.

@taavikotka explaining Estonia’s digital ID system allows people to see how their data is being accessed and by whom

Infineon scandal was a huge problem for Estonia https://t.co/91HLtC6hM2

99.99% services in Estonia are digital and connected @taavikotka

The third day at @Identiverse has ended, so let's re-run our Graph DB to learn what happened in the other tracks I did not attend:

RT @bertrandcarlier: So many precious tips provided by @iainmcgin on the use of @AppAuth. So much wisdom in the design of the pattern/lib. The devs are grateful for the work accomplished!

RT @andredurand: Top 5 themes we hear from Ping customers. @pingidentity

RT @prabath: Identity Security Automation https://t.co/FIV24sutKg

RT @topperge Extend your policies beyond users and down to their devices as well based on history https://twitter.com/topperge/status/1011713254341644288/photo/1

Less than 10% of active Google accounts have MFA enabled. We need to do better on those numbers - this seems to be consistent with what vendors are saying about it. SMS as the 2nd factor is vulnerable.

"Identity needs to think defense in depth- we need to get out of a layer 7 mindset" - @lpeterman -Excellent!

"Hire a hacker." I will tell you a true thing: your Red Team can't get in... you need a new Red Team.

RT @prabath: Spot the difference in scale of customer IAM and employee IAM

@Yubico’s Jerrod Chong: it’s super important to remember that we’re moving away from shared secrets [with W3C Web AuthN]

RT @prabath: 81% of confirmed breaches in 2016 involved stolen valid credentials

On the other side of the world:

RT @verge: This Japanese AI security camera shows the future of surveillance will be automated https://www.theverge.com/2018/6/26/17479068/ai-guardman-security-camera-shoplifter-japan-automated-surveillance

We're Baking Have I Been Pwned into Firefox and 1Password https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/

Med Associates hit by hack, data of 270,000 compromised https://t.co/yIgnXbJRct by @HDMmagazine #iam #CredVerify

...and on the Funny side:

Speaking of correlation... Since the #bootcamp it seems my claps at keynotes are more powerful... Don't know why

definition: #GDPR aka God Damn Privacy Rules / @zittrain

How to disrupt a #SDC at Halloween / @zittrain

I forgot that it is only in #Boston that French National Day is celebrated as strongly as in France

I may have contributed to the next tee shirt contest a little bit too early:

"My IAM is ruled by entropy but I don't have a phd in physics" a proposition for #identiverse '19 tee shirt contest @paulmadsen

...and for this year's one:

If you liked the #identiverse tee shirt on Block and Chain? Now you can make a cubicle poster of it. You're welcome. https://t.co/jK2SUOiYEF

AUTHOR: JF Lombardo