Identerati Office Hours Episode
Q: Where should you enforce your authorization policy?
A: Everywhere you can!
There are four common scenarios and enforcement points for a defense-in-depth strategy:
⚡ during the authentication ceremony
⚡ in the resource server
⚡ at the API gateway
⚡ in service-to-service communication
A: Everywhere you can!
There are four common scenarios and enforcement points for a defense-in-depth strategy:
⚡ during the authentication ceremony
⚡ in the resource server
⚡ at the API gateway
⚡ in service-to-service communication
Cedar is a policy syntax invented by Amazon. It’s used by the AWS Verified Permissions, Authz-as-a-Service offering. Gluu is working on a new product at the Janssen Project called the “Cedarling”–which leverages the Cedar policy syntax and Amazon’s open source Cedar Rust engine. The Cedarling can run anywhere–as a local agent in the browser, embedded in a mobile application, or as a cloud service. It needs no data, because it trusts the JWT tokens that are input to the request by the application. Beyond policy evaluation, the Cedarlng agent has two other capabilities: JWT validation and audit logging. In this episode, Mike will present Gluu’s current progress on the Cedarling and show a demo of the Cedarling in action!
Defending against privileged user compromise and software supply chain attacks requires newer standards that can reduce the trust in non-human (or machine) identities used by services to communicate with each other. Transaction tokens is a new proposed standard in the IETF which can effectively defend against these attacks. Learn all about it in this episode with Atul Tulshibagwale, CTO of SGNL, the inventor of CAEP and an Okta Identity 25 Listee.
Managing IAM for your own users and employees is hard enough, and with the adoption of cloud (including SaaS) it’s only getting harder. Especially when you consider the addition of 3rd parties into the mix, such as contractors, BPOs, MSPs and other kinds of vendors. In this podcast we’ll discuss the intersection of IAM with cloud (with a particular discussion of AWS cross-account access and the Snowflake incident) and with Third Party Cyber Risk Management in general.
What are the priorities and tradeoffs of certain approaches to building a national identity infrastructure? How can you build a system that enables people to assert their identity and claims, and also protects their privacy ?
What are the most pressing use cases? Voting? Healthcare? Opening bank account ? Other private sector RPs?
How to balance the tradeoffs of privacy, fraud reduction, and poverty reduction presented by a system like Aadhaar.
Do Verifiable Credentials offer a “leapfrog opportunity”?
What to put on the blockchain (if anything) ?
What did Singpass get right in Singapore ?
Whether to engage with the 50-in-5 initiative, DPGA, or Govstack
Sovereignty vs availability ?
Accessibility v. progress ?
What are the most pressing use cases? Voting? Healthcare? Opening bank account ? Other private sector RPs?
How to balance the tradeoffs of privacy, fraud reduction, and poverty reduction presented by a system like Aadhaar.
Do Verifiable Credentials offer a “leapfrog opportunity”?
What to put on the blockchain (if anything) ?
What did Singpass get right in Singapore ?
Whether to engage with the 50-in-5 initiative, DPGA, or Govstack
Sovereignty vs availability ?
Accessibility v. progress ?
Once you have obtained a JSON Web Token (JWT), the next steps involve understanding, securely storing, and effectively using it for authentication and communication within your web application. A JWT comprises three parts: the Header, Payload, and Signature. It is crucial to store the JWT securely on the client-side, often in local storage or an HTTP-only cookie, to prevent cross-site scripting (XSS) attacks. For API requests, the JWT should be included in the Authorization header using the Bearer schema. On the server-side, you must verify the token’s signature, check its expiration, and validate its claims to ensure its authenticity and relevance. Handling token expiration through refresh tokens, decoding the JWT to access user information, and protecting your endpoints with role-based access control (RBAC) are essential steps to maintain security. Additionally, monitoring and logging JWT usage are vital for auditing and troubleshooting. Proper handling of JWTs ensures the security and efficiency of your authentication processes, safeguarding your application against potential vulnerabilities.
1. Can a blockchain be made to support the many new regulations that require the “Right of Erasure”?
2. If so, how can it then remain an immutable source of truth?
3. Does a solution require a specialized blockchain or can it be applied to existing blockchains?
4. What are the issues that arise from incorporating the solution?
Immortal Passwords refers to the concept of password practices and protocols that are designed to be incredibly secure and resistant to various forms of cyber-attacks, essentially making them ‘immortal’ in the face of evolving threats. These passwords typically adhere to stringent security standards, including long character lengths, a mix of symbols, numbers, and letters, and regular updates. Additionally, they are often managed through sophisticated password management systems or algorithms that can generate and store complex passwords securely.
Vulnerable Humans, on the other hand, highlight the inherent weaknesses in human behaviors and practices when it comes to password security. Despite the availability of strong password guidelines, many individuals still use weak passwords, reuse passwords across multiple sites, or fail to update them regularly. This makes them susceptible to common cyber threats such as phishing, brute force attacks, and credential stuffing.
In the last few years, there have been a number of new browser APIs proposed and implemented that assist developers to authenticate people or establish identity. This talk will discuss a few of these, like WebAuthn, WebOTP, FedCM, DBSC and the Digital Credentials API.
The applications for Deepfake Detection are numerous, especially as generative AI has advanced significantly. The question arises: can online media and identity verification processes still be deemed reliable? Discover methods to protect your identity and systems against impersonation and learn how to identify deepfakes on your own – or is that even possible?
The increased mobility of users and their demand for personalized, unified omnichannel access experiences has stretched federated IAM beyond its limits. Meanwhile, the need for organizations to collaborate more to compete, and build communities of trust and value for those same users affordably and securely, cannot be met by existing federated IAM solutions. Learn how banks are embracing the new paradigm of decentralized identity (DCI) to improve existing experiences and create the opportunity for new, valuable user experiences and increased levels of engagement and collaboration with business partners across multiple jurisdictions, without the need to replace their infrastructure. Simultaneously, understand why starting their journey now, enables banks to future-proof their ecosystem to rapidly support the EUDI and official digital credentials that will become available. Get a glimpse into the solution architecture being deployed at banks and an understanding of the benefits and how they can be communicated to executive leadership and business partners. Learn how DCI can also solve today’s problems in a practical way, including fighting fraud from adversarial and generative AI, and work in harmony with existing IAM systems enhancing existing federation platforms, and still set the banks up for the art of the possible tomorrow.
Machine identities have been proliferating, outnumbering human identities by a considerable margin. Despite often having far more privilege than humans, they remain under governed relative to user identities. In this episode we will discuss the drivers behind this rise in machine identities and the work happening in standards working groups like the Workload Identity in Multi-System Environments (WIMSE) and OAuth working groups that will help make these environments safer and more secure.