Identerati Office Hours Episode

Managing privileged access is one of the most critical aspects of cybersecurity, yet organizations often struggle with implementing it effectively. In this episode of Identerati Office Hours, we’re joined by Rainer Hörbe, Senior Manager at KPMG, to explore the key patterns and anti-patterns in Privileged Access Management (PAM). We’ll discuss:
🔹 Common PAM pitfalls and how to avoid them
🔹 Best practices for securing privileged accounts
🔹 Strategies for balancing security, usability, and compliance
🔹 Real-world insights on what works, and what doesn’t, in PAM
Join us for a deep dive into the do’s and don’ts of PAM with one of the industry’s leading experts. Whether you’re designing a PAM strategy or optimizing an existing one, this session will provide actionable takeaways to strengthen your security posture.
Continuous identity requires new enterprise infrastructure to publish events related to a login session and token lifecycle. One solution could be Shared Signals Transmitters (SSTs) based on the OpenID Shared Signals Framework (SSF) and the Continuous Access Evaluation Protocol (CAEP). Another solution could leverage recent OAuth drafts for global token revocation and OAuth Status List JWTs. Join us as we discuss why continuous identity is the future and if it fits into a token based access control model.
The iShare ecosystems have been leveraging Token-Based Access Control (TBAC) for years to address the complex challenges of secure and seamless data sharing across enterprise boundaries within the European Union. This innovative framework enables organizations to establish trust, enforce fine-grained access policies, and ensure compliance while facilitating interoperability between different entities. Join this discussion to gain insights into how iShare’s approach works, the benefits it offers for cross-organizational data exchange, and how it compares to other access control models. Whether you’re a security professional, developer, or business leader, this session will provide valuable knowledge on the future of data sovereignty and access management in the EU.
TBAC is a new access control model that leverages the rich context encoded in tokens, such as JWTs, to make dynamic, fine-grained access decisions. Unlike existing models like RBAC, ABAC, or ReBAC, which rely on roles, attributes, or relationships, TBAC evaluates access based on the information embedded in a bundle of tokens, providing unparalleled flexibility and contextual awareness. But is a new access control model needed? Is TBAC a re-hashing of other access control models, like ABAC or PBAC? Can tokens contain the context necessary to make decisions without access to other data sources? Could enterprises implement “Zero Standing Privilege” using a TBAC approach? In this episode of Identerati Office Hours, three of the leaders in modern enterprise identity will discuss the merits of TBAC and the arguments for and against the approach.
Relying on data in token claims for authorization is a slippery slope that can lead to unexpected failures and painful debugging sessions. JWT bloat—caused by excessive claims—can run into header size limitations, triggering intermittent outages due to constraints on proxies, load balancers, and firewalls. Beyond sheer size, data encoding schemes introduce additional complexity, especially when dealing with binary-encoded claim values. Dynamic claims in tokens can also risk inconsistency if not handled properly. And then there’s the issue of revocation. In this episode, we’ll break down the hidden dangers of overloading JWTs, consider real-world horror stories, and discuss best practices for keeping your tokens lean or when you should consider reference tokens instead.
IPSIE (pronounced “ip-see”) stands for Interoperability Profiling for Secure Identity in the Enterprise. Its mission is to develop interoperability and security profiles of existing specifications. The current situation is that enterprise deployments of OpenID, OAuth, passkeys and other identity technologies are so varied that two implementations are NOT guaranteed to work together. For example, is it acr or amr that shows how the user was authenticated? Can re-usable IPSIE profiles enable the much sought-after IT consolidation? In this episode with working group contributors… we’ll see!
As identity-based attacks grow more sophisticated, traditional IAM solutions need a boost. In this episode of Identerati Office Hours, we dive into Identity Threat Detection & Response (ITDR), a critical enhancement for modern IAM strategies. How can ITDR go beyond access management to detect, mitigate, and respond to identity threats in real time? Will ITDR become essential for security teams to stay ahead of evolving threats? Tune into this IOH episode to learn more!
MOSIP requires a foundation of complementary technologies and human expertise: no one company or firm can deploy robust digital public infrastructure for a nation. In this episode, we’ll explore how MOSIP is building an ecosystem of software vendors, infrastructure providers, IT integrators, custom development firms, and other domain experts who provide the business, legal and cloud technology capable of delivering their solution to diverse markets. We’ll also discuss how this collaborative approach positions nations to expand MOSIP’s reach by linking identity credentials to critical public and private services.
APIs are the lifeblood of modern digital ecosystems, driving 80% of internet traffic and enabling seamless integration between applications, services, and devices. The gap between API specifications and production behavior, known as “API drift”, is a major source of inefficiency and friction in the API ecosystem. Drawing insights from APIContext’s recent white paper, this discussion will explore the state of API specifications, their critical role in ensuring interoperability, and why keeping them up-to-date and accurate is essential for robust API governance. Join us for Identerati Office Hours to uncover insights on:
🚀 The Role of APIs: Powering 80% of all internet traffic, APIs are the backbone of modern digital applications.
📉 The Problem of API Drift: 25% of APIs don’t conform to their specifications. What is the impact on performance and reliability?
🛠️ Best Practices for API Governance: Explore actionable strategies to mitigate API drift, from publishing clear OpenAPI Specifications to proactive monitoring.
🤖 Agentic AI: Amplifying API Drift: The rise of autonomous AI agents adds a new layer of complexity to the existing challenge of API drift. Managing agent interactions and ensuring they adhere to evolving API specifications makes maintaining accuracy and preventing drift even more critical.
ZTAuth* redefines authentication, authorization, and trusted delegation to address the challenges of disconnected systems in edge and IoT environments. By leveraging transferable, versionable, and resilient models, it aligns with Zero Trust principles while embracing CAP theorem constraints and eventual consistency. PermGuard is actively implementing this architecture to deliver scalable and secure policy-driven solutions for distributed systems. The Permguard Auth* Provider allows enterprises to specify who or what can access resources by means of fine-grained permissions:
Who: Identities (Users and Actors) authenticated in the application
Can Access: Permissions granted by attaching policies
Resources: Resources targeted by permissions
Developers implement the Permguard Policy Enforcement Point (PEP) using the available SDKs and call the PermGuard Authorization API, sending the principal with its JWT token, to protect against types of attacks such as:
Authorization Inference Attack
Excessive Data Exposure
Side-Channel Attack on Authorization
Privilege Escalation
Passing the JWT token in the PDP authorization request can avoid sharing information with the PEP, adding a mechanism for trusted delegation. The Permguard PDP can run as a “remote service” or a “proximity service”, the latter of which achieves low network latency by operating on an eventually consistent basis for policies. In this livestream, we’ll discuss PermGuard and how and why systems like this are causing enterprises to re-think authorization.
OpenID for Verifiable Presentations (OpenID4VP) is an Implementer’s Draft specification that defines a mechanism on top of OAuth that enables presentation of Verifiable Credentials (in any format) as Verifiable Presentations. Kristina, Torsten and others have been presenting OpenID4VP at conferences and IIWs for years. Where is it now? What can we expect in 2025? What is the feedback from early adopters? Join us for this discussion, and bring your own questions for two of the spec authors.