Programme

In this session, we will delve into the intricate world of identity and access management (IAM), and, more specifically, how identity and access management systems can be leveraged within large organisations to cater to millions of users. The point of focus of this session will be two security building blocks from the Digitalization Agency of the Flemish Government: the Flemish Access Management System (ACM) and the Flemish Identity Management System (IDM). How has the Flemish Government managed to integrate over 2.000 applications with these building blocks and how do we manage to successfully authenticate over 15 million users every single month? Furthermore, how have we managed to achieve this feat within the well-known constraints of the public sector, i.e. with a small, dedicated team and limited resources? Join us as we uncover the origins, history and evolution of our building blocks, along with the various challenges we encountered along the way.

As an international media company we’ve been dealing with rapid digital transformation for a bunch of years now. One of the cornerstones of our strategy is authorization management in order to control access to our customer identity services for millions of users and customers. Over the last 6 years we’ve gone through many iterations of our customer identity authorization management platform; from a fully managed SaaS platform to our own custom-built solution. In this talk we’ll share our journey with you and highlight some of the challenges we’ve faced, how we’ve dealt with them and why we believe our homegrown platform has been the right choice for our company.

At the network plaza you can meet the partners of this conference while enjoying a cup of coffee or tea. In-person meetings also take place here.

In a world increasingly plagued by data breaches and identity theft, giving users—including employees and customers—the power to independently manage and share their personal information is transforming the landscape of identity management.

Join us to delve into the principles of decentralized identity, where we will:
Enable users to securely manage and control their personal data, make anonymous identity claims without unnecessary exposure, and selectively authorize data access based on necessity.
Decrease vulnerabilities and reduce the risk of breaches associated with centralized systems, thereby enhancing organizational privacy and security.

Dive into practical examples of using advanced access control and identity management for external users. External users go beyond the extended enterprise and cover employees of customers, outsourcers, suppliers, distributors, brokers, and business partners as well as consumers. Learn how managing user lifecycles in an intuitive way streamlines access governance, and improves user experience. This session, aimed at CIOs and Product Managers, shows how to balance policy-based IAM with dynamic, business-focused CIAM.

The world of cyber security is changing, with more dynamic highly connected systems than ever. With an explosion of apps, accounts and access, the battleground has shifted from traditional perimeter and endpoint security into the world of identity security, effectively meaning the hacker has been replaced by the credentials thief.

With Identity compromise common to almost every cyber-attack, distinguishing between how a legitimate user is leveraging an identity and the misuse of that identity by an unauthorized user is difficult. This leaves the door open for threat actors to use impersonated identities to access resources, compromise systems, move laterally and achieve their illicit objectives. Today this is effectively making identity the new security perimeter.

Join this discussion as Matt shares what is driving this paradigm shift, and how attackers are successfully exploiting the gaps in visibility between IAM and security tools.

The updated Network and Information Systems (NIS 2) directive demands stringent cybersecurity measures. This session will focus on practical strategies for achieving NIS 2 compliance through a unified identity security approach.

What you will learn:

• The role of identity security in NIS 2 compliance
• Risk management controls that impact NIS 2
• Planning your identity roadmap to save costs and boost ROI

We will cover four key areas:

• Identity Governance (IGA): Managing identities to ensure compliance
• Privileged Access Management (PAM): Securing privileged accounts
• Active Directory (AD) Management: Maintaining a secure identity infrastructure
• Access Management (AM): Controlling and monitoring access to critical systems.

Join us for actionable insights and clear examples to implement these strategies in your organisation.

Lunch is waiting for you at the network plaza. While enjoying a sandwich, you can discuss the morning program with fellow participants or obtain information about your issues from partners. The in-person meetings also take place here.

Gartner predicts that by 2025, 70% of access management, identity governance, and privileged access implementations will be so-called ‘converged’ IAM platforms. But:

• What does a ‘converged’ approach to Identity Management look like?
• What are the benefits?
• Where do you start if you already have certain IAM point solutions in place?
• And how can you combine PAM, IAM, and IGA functionalities to prevent a fragmented identity management environment?

Join this session to get answers to these questions.

Daniel Fett is co-authoring the new security recommendations RFC for OAuth 2.0 in the IETF OAuth Working Group. In this talk, he will walk you through the MUSTs, MUST NOTs, and SHOULDs of the new recommendations.

OAuth is the most important framework for federated authorization on the web. It also serves as the foundation for federated authentication using OpenID Connect. While RFC6749 and RFC6819 give advice on securing OAuth deployments, many subtle and not-so-subtle ways to shoot yourself in the foot remain. One reason for this situation is that OAuth today is used in much more dynamic setups than originally anticipated. Another challenge is that OAuth today is used in high-stakes environments like financial APIs and strong identity proving.

To address these challenges, the IETF OAuth working group is working towards a new Security Best Current Practice (BCP) RFC that aims to weed out insecure implementation patterns based on lessons learned in practice and from formal security analyses of OAuth and OpenID Connect. The BCP gives concrete advice to defend against attacks discovered recently (like the AS mix-up attack) and discourages the use of less-secure grant types such as the Implicit Grant.

This talk will outline the challenges faced by OAuth in dynamic and high-stakes environments and go into the details of the MUSTs, MUST NOTs, and SHOULDs in the new Security BCP.

Most IGA projects start with a limited scope, focussing on only critical applications in an initial phase. Once that project phase is closed out, the deployed IGA solution is facing several challenges, including scope expansion to gradually cover 100% of the application landscape. More applications, more use cases, non-production scopes, special accounts, extended role catalogue and/or extra populations are waiting for their on-boarding… This session is about tips and techniques to both simplify & accelerate the way IGA can cover more scope, faster.

At the network plaza you can meet the partners of this conference while enjoying a cup of coffee or tea. In-person meetings also take place here.

Trust is vital in the digital world, and certificates and so-called Qualified Trust Services seem to be the golden standard. Let’s learn from experiences of the banking world where certificates are widely used for secure communications,  Open Banking, PSD2 etc. Do all certificates provide the same trust level?  To what extent do they live up to their security promises? What are the potential setbacks, and what can be done to mitigate them?

The EUDI Wallet will change the way we interact digitally. It will allow users to securely keep their credentials (e.g. for identity, professional and educational achievements, entitlements as well as prescriptions) and use them at their discretion in a privacy preserving manner in digital and physical processes with public and private entities and other users. This will be the basis for seamless digitization and enables disruptive innovations. However, the EUDI Wallet is an ambitious and complex undertaking and the „how?” might not be as transparent as it should be. This talk will make an attempt to demystify the EUDI Wallet by shedding light on its fundamental concepts and explaining its architecture and the technical standards being employed.

At the network plaza you can discuss the sessions with fellow participants while enjoying a drink or discuss your problems with one of the partners. The in-person meetings also take place here.