Episode 52: Canada’s 103-1 Digital Trust and Identity Certification

While identity and risk can be largely mitigated by default in the physical world through closed and fragmented systems, established standards, and regulatory safeguards, the same cannot be said of the online world. In the absence of a national standard, public and private sector organizations continue to rely on organization-specific, vendor-driven and ad-hoc document-based identity management processes, impacting integrity, security, privacy, trust, and service delivery.

Canada’s 103-1 Digital Trust and Identity Standard specifies minimum requirements and a set of controls for developing, implementing, operating, monitoring, and governing trust in systems and services that consume and assert digital identity within and between organizations. The requirements in the standard ensure that digital systems and services are safe, secure, reliable, and protected. It has a super-detailed assessment process, and several jurisdictions have been certified.

What is it? And how can those outside of Canada benefit from the work?

Episode 50: Universal Online Identification

There is no safe haven of anonymity for internet users. Users are being universally identified for marketing purposes as a matter of practice. Identity resolution and customer data platforms are the evil twin of identity and access management. These are mature industries that are highly interconnected with hundreds of publishers (i.e. brands) AND amongst themselves. Moreover, nearly 40% of companies that perform identity resolution are registered data brokers. There’s insufficient awareness and regulatory oversight of these industries, and privacy policies are inadequate to explain the worldwide networks of marketing entities sharing and selling user data.

Why is privacy important, why is it so hard to be private in the digital world, what can you do to maintain a little privacy and how is AI making it even harder!

Episode 49: Latest News on EU Wallet Initiatives

Currently, the EU Digital Wallet Consortium (EWC) is testing digital wallets across four critical scenarios:

🔹 Payment Use Cases
🔹 Completing a Flight Online Check-In
🔹 Buying a Ticket for a Tourist Tour
🔹 Purchasing a Domestic Ferry Ticket

The idea is that citizens will present a verifiable credential presentation from their wallet, presumably online. Where does this effort fit into the other EU initiatives, pilots and organizations? What are the currently anticipated gaps in the technology, business and legal landscape that would present challenges to scaling the EU wallet identity ecosystem? And where should identerati go to stay current on progress?

Episode 48: Apache Fortress: ANSI RBAC with OpenLDAP

RBAC is battle tested. Its properties and limitations are well understood. It aligns perfectly with existing enterprise security governance tools. Join us for a deep dive into Apache Fortress, a Java framework which implements ANSI RBAC and leverages OpenLDAP for persistence. In this livestream, we’ll explore the architecture of Apache Fortress and discuss how enterprises can use it to develop applications that align with centralized access management controls. And we’ll consider RBAC’s history: what have we learned?

Episode 47: Is IAM asleep at the wheel?

In the past year AI has hit center stage – the tech world is talking about the future potential and organizations are implementing first projects. But the identity world…crickets! In this chat we will discuss the biggest opportunity no one is talking about – the importance of trustworthy and secure data for the AI revolution. Join us as we challenge the industry to think beyond their typical silos and become active participants in the future of enterprise.

Episode 46: Multi-layer authz? Yes please!

Q: Where should you enforce your authorization policy?
A: Everywhere you can!
There are four common scenarios and enforcement points for a defense-in-depth strategy:

⚡ during the authentication ceremony
⚡ in the resource server
⚡ at the API gateway
⚡ in service-to-service communication

Episode 45: Intro to the Cedarling

Cedar is a policy syntax invented by Amazon. It’s used by AWS Verified Permissions, Amazon’s Authz-as-a-Service offering. Gluu is working on a new product at the Janssen Project called the “Cedarling”, which leverages the Cedar policy syntax and Amazon’s open source Cedar Rust engine. The Cedarling can run anywhere: as a local agent in the browser, embedded in a mobile application, or as a cloud service. It needs no data, because it trusts the JWT tokens that are input to the request by the application. Beyond policy evaluation, the Cedarling agent has two other capabilities: JWT validation and audit logging. In this episode, Mike will present Gluu’s current progress on the Cedarling and show a demo of the Cedarling in action!

Episode 44: Securing identity and context in microservices

Defending against privileged user compromise and software supply chain attacks requires newer standards that can reduce the trust placed in the non-human (or machine) identities used by services to communicate with each other. Transaction tokens are a newly proposed standard in the IETF which can effectively defend against these attacks. Learn all about it in this episode with Atul Tulshibagwale, CTO of SGNL, the inventor of CAEP and an Okta Identity 25 Listee.

Episode 43: Intersection of IAM with cloud

Managing IAM for your own users and employees is hard enough, and with the adoption of cloud (including SaaS) it’s only getting harder, especially when you consider the addition of third parties into the mix, such as contractors, BPOs, MSPs and other kinds of vendors. In this podcast we’ll discuss the intersection of IAM with cloud (with a particular discussion of AWS cross-account access and the Snowflake incident) and with Third Party Cyber Risk Management in general.