Episode 71: ConnectID – one year on
Building a new ecosystem is not for the faint-hearted, but it is possible if you work with the industry, international standards bodies, and global identity community. The conversation will cover what worked and what didn’t; what is next for ConnectID?
Episode 70: Removing Cloud Providers From the Zero Trust Equation
SPIFFE is a framework to generate identities for software systems in dynamic and heterogeneous environments. SPIFFE Verifiable Identity Documents (SVIDs) enable us to be explicit about the trust we place in systems. However, the degree of trust we can place in SVIDs relies heavily on the soundness of the data gathering and verification process during node attestation. By leveraging confidential computing technologies, specifically Confidential Virtual Machines (CVMs), we can track platform information directly in hardware, including firmware, boot loader, and kernel images, which are then signed with a key rooted inside the CPU itself. By incorporating hardware-protected platform information directly into the SVID generation process, we can significantly enhance the confidence placed in the resulting identity documents. Additionally, consumers of these SVIDs will be able to assert these properties before placing trust in a system.
Episode 68: UN and OpenWallet Digital Public Infrastructure Collaboration
The UN sees public sector adoption of open source software as playing a key role in governments’ digital transformation. The OpenWallet Forum, building on the success of the OpenWallet Foundation, will offer a platform for multistakeholder cooperation to integrate wide-ranging requirements from governments and companies into coordinated policies and technical standards for digital wallets. The forum will also be supported by the UN International Computing Centre (UNICC) and the Government of Switzerland.
Episode 67: Unraveling the 6Ws of Identity Security with ObserveID
Traditionally, identity security has primarily focused on addressing three of the six Ws – Who, What, and Why. However, ObserveID takes identity security to the next level by delving into the When’s, the Where’s, and the What’s. By considering not just “Who” has access and “What” actions they perform, but also “When” these actions occur and “Where” they take place, ObserveID employs a comprehensive approach that significantly reduces the attack surface and enhances overall security. This thorough examination of the timing, location, and specific activities associated with user identities enables a more precise and dynamic implementation of access control and monitoring, strengthening an organization’s defenses against both external and internal threats, and ensuring a more resilient and adaptive security posture.
Episode 66: Demystifying Non-Human Identity Management
In today’s digital landscape, the rise of Cloud, SaaS, Generative AI, and data-driven automation has led to the proliferation of Non-Human Identities (NHIs) within organizations. These digital entities—such as service accounts, access keys, and API tokens—play a crucial role in driving business operations, but also introduce a growing attack vector. Mismanaged NHIs have contributed to 85% of security breaches, including ransomware attacks, where weak NHIs are exploited to access critical data. Organizations need an enterprise-wide Non-Human Identity strategy, without which they risk exposing themselves to security breaches or outages originating from inefficient administration of NHIs. Join the conversation to discuss best practices for discovering, securing, and managing the Non-Human Identities in your environment.
Episode 65: Improving bank mobile security
Identerati are excited about the potential for EU identity wallets. But less obvious is what the proponents intend to do to enable PAYMENTS. Identity and payments have different functional requirements, making it challenging to create a “unified” standard without ending up with an unimplementable “frankenwallet”. This episode will discuss an idea for a different kind of Payment Authorization Wallet, uniquely targeting payments, that is based on Deterministically Encoded CBOR rather than JSON.
Episode 64: Amazon’s Cedar Open Source Strategy
Amazon released Cedar as an open source project on May 10, 2023. Why? The open source strategy will shed light on what AWS is expecting to accomplish with Cedar. Are they expecting open source contributions? Does AWS believe open source will increase the rate of developer adoption? Why did AWS choose to open source both the policy syntax and the Engines (Rust, Java, Go)? Why choose the Apache 2.0 license? What was the business case the Cedar team made to AWS management? What are some of the metrics that AWS will use to measure the success of Cedar adoption? What other open source projects does Cedar resemble at AWS? Join this episode for a deep dive into the Cedar open source strategy!
Episode 63: Beyond Whack-a-Mole: Future-Proof Against Tomorrow’s Threats
Heather Vescent takes us beyond the endless game of reactive cybersecurity—whack-a-mole style—to understand how strategic foresight can future-proof against tomorrow’s threats. Discover how to shift from a defensive stance to an anticipatory strategy that stays ahead of emerging dangers. Learn how to outsmart future threats before they hit your systems.
Episode 62: Reflecting on FIDO’s evolution to passkeys
What were passkeys before 2022? What are the passkeys today? What is missing?
Episode 59: Product Manager Strategies for Trust and Safety
When it comes to preventing bad actions on online platforms, the goals are different. Priorities are set… and then change. And measuring success is often “inverted”. What are tactics that accommodate these differences to enable trust and safety issues on a platform? How can product owners or similar leadership roles support these differences?