ONE PACKED AGENDA

FILL YOUR WEEK WITH ALL THINGS IDENTITY

Agenda subject to change while we add more great content!

New this year, Identiverse is pleased to be an (ISC)² CPE Submitter. Delegates holding a CISSP, CCSP, HCISPP or other (ISC)² certification can count attendance at Identiverse sessions, keynotes and masterclasses towards their annual CPE requirement.

Sunday - June 24


9:00am - 12:00pm
10:00am
Registration Desk Opens

12:00pm - 6:00pm
Room 302
3:00pm - 3:50pm
Overview: Identity and Access Management
Brian Campbell
Distinguished Engineer & (un)official Photographer
Ping Identity
This session will give an overview of Identity and Access Management to serve as a mildly entertaining refresher or introduction to help set the stage for the rest of the week. We'll look at some of IAM's past, present, and future and cover industry standards like SAML, OAuth, FIDO, OIDC, and some other acronyms.
4:00pm - 4:50pm
What makes OpenID client software good?
Michael Schwartz
CEO
Gluu
Whether you’re a developer or security architect, you need to know the best practices for OpenID Connect client software. OpenID Connect can be used to achieve a range of security levels. Properly used, it mitigates many risks. However, OpenID Connect’s flexibility, combined with its shared ontogeny with OAuth 2.0, creates opportunities for error--developers may not use (or even know about) certain features necessary to achieve the transaction integrity they desire. The good news is that client software and middleware services can do some of the heavy lifting. You need the best of both worlds--maximum security and developer joy.
5:00pm - 5:50pm
Countering Identity Creep in a Hybrid-Cloud World
Ben Johnson
CTO
Obsidian Security
Cloud computing has exploded our attack surface area, with elasticity and a blend of on-premise, SaaS, and IaaS systems resulting in a dynamic and hard to manage perimeter. As employees are granted more access and more privileges, identity creep is real. And even with the migration to the cloud, organizations are still usually on the hook for the IAM responsibilities and maintenance. The concept of “Triple A” – Authentication, Authorization, and Accounting – has defined security for quite some time. However, we haven’t always given all three As the same level of attention. For the past several years, the industry has been heavily focused on authentication, placing a small amount of attention on authorization, and has virtually ignored accounting. In this presentation, we’ll explore how shifting our focus towards authorization and accounting can help us improve our grasp on identity in the modern hybrid-cloud world. In today’s complex environments, it’s difficult to understand what privileges are required and what activity should be considered normal, so we will discuss those topics with examples.
Room 304
3:00pm - 3:25pm
Using IoT to Improve Identity Management
Mark Diodati
Research Vice President
Gartner
We often focus on providing IAM capabilities for the IoT ecosystem; capabilities like authenticating operators, analysts and devices; and limiting device management, data and analytics to authorized users. But what if we turn it around and ask if IoT can help with IAM? In this session, we will explore the question via a real technical demonstration that leverages facial recognition, mobile push authentication, user provisioning devices, along with IaaS and IoT platforms. We will wrap up the session with guidance on augmenting IAM processes via IoT.
3:35pm - 4:25pm
Beyond API Authorization
Jared Hanson
Chief Architect
Auth0
The era of web-based APIs has reshaped how we build software. OpenID Connect and OAuth 2.0 have made it possible for service providers to securely make APIs available to third party developers, turning businesses into platforms and ecosystems accessible across a range of devices and applications. But what if what we want to protect isn’t an entire API, but an individual document? What if the creator of this document wants to collaborate with their colleague who’s employed by another company? This session will explore the solutions and challenges to fine-grained access to individual protected resources. What standards and protocols exist, and what remains to be built?
4:35pm - 5:00pm
Microservices Security Landscapes
Prabath Siriwardena
Director Security Architecture
WSO2
The term ‘microservice’ was first discussed at a software architects workshop in Venice, in May 2011. It's being used to explain a common architectural style they’ve been witnessing for some time. The key driving force behind microservices is the speed to production. One should be able to introduce a change to a service, test it and instantly deploy it in production. Further to that, with the granularity of the services and the frequent interactions between them, securing microservices is challenging. This talk will address multiple perspectives in securing microservices: Secure Development Lifecycle and test automation, DevOps security and application-level security.
5:05pm - 5:30pm
Microservices architecture & security. How (not) to?
Bertrand Carlier
Senior Manager
Wavestone
A micro-services architecture might be considered a goal in itself or only appropriate in some specific contexts. Either way, this path leads to new issues to be addressed and tackled: user end-to-end authentication & authorization mixed with service-to-service authentication & authorization, transaction based authorization, scope management and Level of Assurance (~authentication level) management. Some OAuth2 standards come in handy for a portion of those issues but fall (very) short for the rest or just do not address them. Should I rely on an API Gateway or is that optional? Should tokens be opaque or self-signed? Is that really mainly linked to scalability or are there other considerations? How can we overcome these limitations? What additional standard(s) could help in there? In this session we will share feedback from many deployments and share why some different design choices were made within different contexts.
5:35pm - 6:00pm
Threat Tolerant IAM Micro Service Designs
Rakesh Radhakrishnan
Specialist Director
KPMG
Identity & Access Management systems, as processes and underlying data models, are being adapted and changed from a monolithic model to a micro service based software model end to end (low code dev approaches as well with domain driven relevant standards based data models) that are well aligned to micro databases (blocks) and micro segmented software defined networks. These approaches for the first time create the possibility for aligning IAM micro services as "threat tolerant" services - when aligned with threat intelligence end to end and machine learning - from a design, development, deployment and run time perspective - with policy automation. This presentation will also cover a reference architecture for Consumer IAM that is based on threat tolerant IAM microservices.
Room 306
3:00pm - 3:25pm
The Identity Ecosystem Map
Scott David
Director of Policy Center for Information Assurance and Cybersecurity
University of Washington - Applied Physics Laboratory
The Identity Ecosystem Map has been under development for several years with funding from DHS S&T. It documents the organizations, standards, companies, pilots, projects, publications and events across the identity ecosystem. This session will be a tour through the map and include an invitation to the community to contribute further.
3:30pm - 3:55pm
International Identity Standards at ISO
Andrew Hughes
Independent Analyst - Online Trust & Identity
ITIM Consulting Corp
Most conference presentations about open standards cover technology and protocol interoperability standards. Believe it or not, there are standards that cover process and practices! The ISO SC 27 working group 5 on Identity Management and Privacy currently has a very full schedule of work on Identity and Privacy standards – experts from National Body standards organizations met in Wuhan, China in April to decide on the scope of work on new or updates to ISO standards for Identity management and Privacy. Some of the current work: ISO standards will be updated to incorporate new material from the recently-published NIST SP 800-63-3; updated models for identity assurance; new approaches to incorporate identity-related risk in risk analysis. Attendees will learn about: the role and value of ISO standards in international trade; how nations work together to draft international standards; key characteristics of management and practices standards; specific details on the process, practice and technical scopes covered by specific ISO standards.
4:00pm - 4:25pm
OpenID Connect: Overview and Certification
Michael Jones
Identity Standards Architect
Microsoft
Mike Jones presents an overview and an update on OpenID and the OpenID Certification process.
5:00pm - 5:50pm
Risk Informed IAM, Compromised Credentials and the Future of Authentication
Steve Tout
CEO
VeriClouds
For most organizations, the ability to detect and prevent logins using compromised credentials is a transformation which fills a huge gap left by low adoption of 2FA and MFA solutions. As an industry, we debate whether this will be the year we kill passwords, or if the eradication of "passworditis" may be a more effective approach to balancing security and user experience. What can be done despite the low adoption rate of 2FA? What is the impact of increasing mobile device adoption and cloud computing on modern authentication and access governance? This panel will look at current work and future designs for how to reduce identity fraud and deliver safer online experiences. You'll hear the experiences and challenges of experts from leading companies and how they are thinking about the future of strong authentication.
Room 310
3:00pm - 3:25pm
Identity on the Frontlines: A Guide for Developers
David Lee
Identity Strategist Office of the CTO
SailPoint Technologies
What does it mean to manage identity in your application today? Just about any application, no matter the size, has some element of identity: authentication, authorization, password resets. As identity becomes more critical to enterprise security infrastructure, we should see the rise of Identity SDKs from vendors that allow developers to ease these features into their programs. This session will take attendees on a journey, showing them what strong identity looks like for developers and how to use it to improve productivity, so that they leave with applicable best practices on improving workflow and infrastructure with identity.
3:30pm - 3:55pm
GraphQL: a new paradigm for REST(ful) integration and IRM
Alex Babeanu
Senior Identity Specialist
Nulli
Current Identity and Access Management protocols and specifications rely on specific/standardized REST endpoints. Building new Web/Cloud applications, Web Developers and product managers face the challenge of having to implement a very eclectic mix of web APIs, including for Identity and Access management. The implemented APIs often need to change over time, and besides, the clients that rely on these APIs sometimes find certain functionality to be lacking. The new GraphQL specification turns REST on its head by providing a standardized way of making any kind of request through a single REST endpoint. This session will describe this emerging paradigm and show how it can be used to implement common Authentication and Authorization requests. A demonstration of the use of GraphQL will be included in this session. Finally, this session will explore various stacks of technologies that have implemented the GraphQL specification to show how they can help implement Identity Relationship Management.
4:00pm - 4:25pm
Securing your API beyond basic OAuth by Sender Constrained Tokens and JWT Authorization Request
Nat Sakimura
Senior Researcher, Information Tech. Research Dept
Nomura Research Institute, Ltd.
In the mobile-first world that we live in, OAuth 2.0 as in RFC6749 and RFC6750 is the de-facto method for protecting your APIs. It is very simple to use while it is a vast improvement compared to API Key or shared password approach as far as security properties are concerned. However, it has given up some security properties as well. This session explains where the weakness of the basic OAuth exists by considering the source, destination, and message authentication as well as considering the recommendation based on the formal security analysis of ISO/IEC 9798 Standard for Entity Authentication by Basin, Cremers, and Meier. It then explains how it can be solved using JWT Authorization Request and Sender Constrained Tokens based on the Financial API Security profile developed by OpenID Foundation’s FAPI WG and deployed in UK banks and other financial institutions elsewhere in the world. Such a profile should be very useful not only for financial transactions but for other higher risk APIs.
4:35pm - 5:00pm
How the H@ck R U? Take a modern identity assurance approach in an interconnected hacked out world
Angel Grant
Director; Identity, Fraud and Risk Intelligence
RSA
Recent mass data breaches have created an abundance of stolen credentials for sale across the dark web. Even if your organization was not the target, you still may be exposed to the risk of credential replay, phishing, account takeover and many other cyberattacks. In this session, we will take a tour of the Dark Web and expose the latest types of attacks used to steal identity information, where it is being sold and how cybercriminals are leveraging it to conduct account takeover. In this session you will learn:
  • What are the hottest targets cybercriminals are going after and why
  • How to identify and monitor the most prolific account takeover indicators
  • Tips to embrace our interconnected world for stronger identity assurance
  • Ways to gain a holistic view of identity risk across islands of identities
5:05pm - 5:30pm
How do you know if your security is working? Penetration testing moves you from hoping to knowing
Chris Sullivan
Chief Information Security Officer
SecureAuth + Core Security
Attackers are present 99 days before being detected, and while an improvement over previous years, 3+ months is simply too long. With a growing number of devices, applications, and regulations, security teams struggle to have enough time, resources, or tools to continually and comprehensively test their landscape for security vulnerabilities. The only true way to know the strength of your protection and your true vulnerabilities is to exploit them, and that’s better done by you than an attacker! Whether running penetration testing yourself or using a 3rd party service, there are things you should look for…
5:35pm - 6:00pm
Why is getting to the cloud so hard? (And does it have to be?)
Brian Puhl
Principal Program Manager
Microsoft
Moving enterprise services to a cloud is easy! All you need to do is have the cloud fully customized and connected to do everything your on-premises infrastructure does, without any changes, and cheaper. In this session we're going to look at some of the challenges (technical, political, usability, etc.) which are the common roadblocks to enterprises moving to the cloud. We'll dive into some of the technical solutions that can help make life easier, and find out where you really can just "check a box" and start reaping the rewards.

Monday - June 25


9:00am - 12:00pm
Room 302
9:30am - 9:55am
Enterprise Identity: Challenges and Opportunities
Zack Martin
Specialist Senior, Deloitte Advisory, Cyber Risk
Deloitte & Touche LLP
Details coming soon
10:05am - 10:30am
Deliver Enterprise IAM at the Speed of Digital Business
Nathan Harris
Lead Identity Architect
Aetna
Two speed IT? I don't think so! Digital Business needs identity capabilities that support rapid business adaptation and growth. And this is achievable with the application of currently available identity management and IT delivery techniques. This presentation will cover how enterprise IAM program agility can be achieved in support of overall business agility goals using three critical capabilities:
  • Cloud identity services
  • Analytics & machine learning for IAM
  • DevOps delivery methods for enterprise IAM solution delivery (yes it is possible!)
Each of these provides specific benefits to IAM program delivery speed which we will discuss along with key dependencies and real world outcomes we have achieved.
10:40am - 11:05am
What do you mean, you're going to reset my password?
Kelsey van Haaster
Product Owner Identity
ThoughtWorks Inc
This presentation tells the story of an organisation which, 4 short years ago, did not have an Identity product. Since 2013, ThoughtWorks, a global software consultancy, has not only developed Identity as a valued organisational product but has achieved the equivalent of replacing the engines on a 747 mid-flight. From being a fairly traditional organisation using Active Directory, we have dismantled our dependence on on-premise infrastructure and services one piece at a time. Today we are 100% cloud-based and deliver an always available Identity service to 5000 employees in 14 countries and 41 offices. One of our goals this year is to solve a few final puzzles after which we will be able to decommission 32 Domain controllers and say farewell to Windows updates forever. This has required brave leadership, a significant education and training effort and a lot of very tricky conversations. There have been some ups and downs and a few surprises along the way. Unsurprisingly, we have learned a great deal and would like to take the opportunity to share our story.
Room 304
9:30am - 9:55am
Going from Strategy to Execution in Your Enterprise Identity Transformation
Jon Lehtinen
Lead Identity Engineer
Thomson Reuters
With identity getting increasingly recognized as the perimeter of enterprise security, your organization is finally ready to begin its journey to set a holistic vision for its IAM strategy. But once that strategy is formed, and the program charters, flow-charts, and diagrams are done, getting the enterprise through the execution of that strategy is where the real challenge lies. How will you drive adoption of the new service? How can you migrate without disrupting the business? And can you do it all quickly before the executive suite loses interest and the budget is gone? In this presentation, Jon Lehtinen outlines a framework that charts a course through the execution phase of your enterprise IAM transformation, so your organization can realize the security and business enhancements of Identity on a timetable that suits the enterprise.
10:05am - 10:30am
Don't Hire an IAM Engineer, Make One!
Dave Shields
Managing Director - IAM
The University of Oklahoma
Let's face it, hiring an IAM Engineer is expensive! So is moving them from wherever they live to you (if they move at all). But did you know that the perfect resource may already be at your disposal? I'll share the key skills you want in an IAM Engineer and some lessons learned too!
10:40am - 11:05am
Moving Identity Talent Development Beyond the Basics
Olaf Grewe
Director
Deutsche Bank AG
Larger, consolidated Identity and Access teams are emerging under the CTO or CSO as organisations attempt to realise the potential of digital business processes. Their people thus receive foundational training focused on the CTO or CSO agenda, but professional development along an I&A curriculum is missing. We will start by illustrating the wider issue in a CSO context based on the recently published NICE Cybersecurity Workforce Framework. We will continue to outline how this impacts the team's delivery capability as skills shortages start to bite. We will further complement this by showing how the team is missing out on talent that could be acquired through internal mobility programmes. We will go on to suggest crowdsourcing an I&A-focused curriculum and critical success factors for such an exercise. Steering well clear of any taxonomy work, we will nevertheless outline a number of dimensions and how they may resonate with those contributing to the curriculum. A suggestion on how to structure such a curriculum for delivery will close the talk.
11:15am - 11:40am
Hot Potato - Should Identity Professionals Own Security?
Josh Alexander
Director of Product Management
Salesforce
2018 brings more sophisticated attackers, more valuable identity data, and additional regulation. As such, an important and interesting question comes to light - Should identity professionals own security? If it's our asset to create and cultivate, should we also carry the responsibility to maintain its security? Join us for what will assuredly be a lively exchange between some of the most vocal and influential experts in identity and security.
KEY TAKEAWAYS
  • What is your role as an identity professional with regard to identity data protection?
  • How can you as an identity professional influence security decisions within your organization?
  • What value-add can you drive as an identity professional with regard to the security of your data and/or organization?
Room 306
9:30am - 9:55am
Hu: The Missing Element
Nishant Kaushik
CTO
Uniken Inc
When did the acronym PEBKAC become a commonly accepted trope in security? Blaming users for security failures may be a convenient out, but it is also misguided. Identity and access management, at the center of bringing people into the security equation, should be making things better. But all too often we suffer from the same bad habit of thinking technology can solve all problems - if only the users would listen and do as told. But times, and expectations, are changing. Shifting from “users” to “people” requires us to move security away from being a dark art, and transform it into something more approachable, more human. Identity has a huge role to play in this. So let's examine the contradictions that exist in the way we, as technologists, approach identity, and how the changing role of identity is going to force a change in how we “do” identity.
10:05am - 10:30am
Choosing the Right Consumer IAM Solution
Mary Ruddy
Research VP
Gartner
CIAM is key to enabling your digital transformation and the foundation of your customers' digital experiences. In this session, we will discuss trends in new CIAM capabilities and best practices. We will also provide guidance on which features and vendors to consider when making a CIAM vendor short list. [This session could also be offered in the longer Masterclass category.]
10:40am - 11:05am
Continuous Identity Verification - Closing the Trust Gap between Registration and Login
Matt Cochran
Director of Product
ID DataWeb
As identity breaches continue to make headlines, several organizations are moving to continuous identity verification as a way to close the trust-gap between end user account opening and ongoing authentication. In this presentation, Matt Cochran will co-present with several industry leaders on this emerging technique, which allows existing federated identity platforms to inject 3rd party verified attributes into their federated login flows. Using this technique, organizations can detect and react to real world changes in ways not possible before.
11:15am - 11:40am
The virtuous circle of business developments and digital identity
Renske Vermolen
Strategy Consultant Identity
PwC
Digital Identity models are driven by market developments and the underlying business models. The move from a product focus to a consumer focus has led to a migration from contracts of adhesion to contracts of trust. This change to the economic model will bring about new business opportunities and shape the future development of digital identity.
Room 310
9:30am - 9:55am
Moving Beyond the Password: The State of FIDO Standards Adoption
Passwords endure despite the growing consensus their use needs to be reduced, if not replaced. But even though effective PKI and two-factor authentication solutions have existed for years, barriers to widespread adoption persist. That all ends with modern authentication built by the FIDO Alliance—the cross-industry, not-for-profit consortium that provides a set of specifications and certifications for an interoperable ecosystem of hardware, mobile and biometrics-based devices. This ecosystem enables web service providers to deploy strong authentication solutions that reduce password dependencies and provide a superior, simpler and trusted user experience; eliminates the need for consumers to have multiple authenticators; and lets each service provider create its own trust relationships with individual customers and their devices. Perhaps best of all, FIDO standards protect service providers from data breach risk stemming from phishing and man-in-the-middle attacks. In this session, Brett McDowell, the executive director of the FIDO Alliance, will detail the state of adoption of FIDO stronger, simpler authentication including: organizations involved in the effort today; who has adopted it globally and why; what the impact has been on the marketplace; and what advancements to the FIDO specifications and certification programs will be available in 2018. Advancements include the ratification of the W3C Web Authentication standard endorsed by Google, Microsoft and Mozilla that will expand FIDO’s reach and market penetration to billions of users through leading browsers and FIDO Certified devices. It also includes the introduction of new security and biometric certification programs, which will significantly raise the trust bar for biometric and second-factor authenticators.
10:05am - 10:30am
When Standards don't Suffice
George Fletcher
Identity Standards Architect
Oath Inc.
Implementing or moving to standards is rarely a straightforward effort; rather, the specific use cases of an organization require more than current standards address. In the face of this gap, it's important to have a process for evaluating when and how to extend existing standards. In this talk we will cover this process in the context of real life examples.
10:40am - 11:05am
What's Wrong With OAuth2?
Justin Richer
Internet Security Consultant
Bespoke Engineering
OAuth2 is a wildly successful delegation and authorization protocol, used all over the internet in a shockingly vast and diverse array of systems. It's a simple and powerful system that has proven to be incredibly adaptable to many different situations. But, like all technology, it isn't perfect. There are a lot of things that could have been done better in OAuth, many of which have been brought forward in add-on specifications. Come hear one contributor's take on what's gone wrong with OAuth in the years since its development and ratification.
11:15am - 11:40am
Token Binding
Brian Campbell
Distinguished Engineer & (un)official Photographer
Ping Identity
Token Binding is a new IETF protocol enabling strong cryptographic defenses against the use of stolen security tokens. This session will provide a technical overview of how Token Binding works and its application to session cookies and higher level protocols like OpenID Connect and OAuth. Bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.
Room 311
9:30am - 9:55am
Identity and Access Management of Things
Robert Brown
Founder & CEO
Atakama
Things ain't what they used to be. Internet Things can change business models, bring new functions, improve products and change lives yet the connectivity can also be its downfall. Safety, privacy and usability all depend on security holding throughout the technology stack. Identity is the new perimeter - and IAM professionals the new guardians of the Identiverse. The Internet of Things needs you!
10:05am - 10:30am
The foundations for large-scale security
Nicolas Devillard
Senior Product Manager
ARM
The IoT wave is spreading hundreds of billions of devices into everything we touch, creating all kinds of security-related issues at an unprecedented scale. There are no perfect solutions, but we can certainly make things better by building firmware with security designed in. Arm has built a program called PSA (Platform Security Architecture) to properly address how to build devices that can be trusted, covering factory provisioning, isolation of secure services, and life cycle management. In this talk, we will present what Arm has done to propagate security to all connected devices, starting with secure partitioning and cryptographic services as part of the foundations. Giving each device a unique identity while preserving anonymity is the first step towards secure firmware updates and long-term management of devices that sometimes live for decades.
10:40am - 11:05am
IoT and Identity Standards: what they are, where they intersect
David Waite

This session provides an overview of the standards landscape for identity and for things.
Room 312
9:30am - 9:55am
Optiv Presents: Holistic Identity Management (1)
Details coming soon!
10:05am - 10:30am
Optiv Presents: Holistic Identity Management (2)
Details coming soon!
10:40am - 11:05am
Virtualizing Identity for Business Agility
Mariusz Wrodarczyk
Systems Architect
R.R. Donnelley & Sons Company

Reorganizations, Mergers & Acquisitions, and Divestitures present a very unique set of IAM challenges. Having the right IAM infrastructure in place when these business decisions are made can be the difference between the IAM team being a bottleneck or an enabler.

Mariusz Wrodarczyk, Identity Architect at RR Donnelley & Sons, will review how his organization with 50K employees, multiple businesses, geographically dispersed around the globe, with an average of 5-6 acquisitions per calendar year was given 12 months to fully divest into 3 separate Companies. RR Donnelley faced a number of challenges:

  • Each newly spun-off entity had separate security requirements, such as password, naming standards, and retention guidelines.
  • There were legal and contractual rules prohibiting account/password/group synchronization across the newly created entities.
  • We had to present compounded authorization attributes from multiple stores while maintaining physical separation—which also meant we could not use a global store to sync the attributes/identities from spun-off entities.
  • Because of the extremely aggressive schedule, coordination between application migration and the underlying identity stores migration was impossible. This single challenge by itself influenced the design the most.

As a result of these constraints, the solution needed to allow (for a limited time) Anybody to Access Any System from Any entity (spun-off company). This, combined with strict rules prohibiting password synchronization and full-scale real-time identity sync, limited our choice to some kind of Virtual Identity layer.

This presentation will discuss how RR Donnelley leveraged a virtual directory to create a global store which gave us that single point of access/authorization/authentication we needed, then built separate “views” of identity for each company, maintaining the physical/logical separation required to satisfy a myriad of technical and legal requirements.


Keynotes

Welcome to Identiverse!
8:00am - 8:15am | Ballroom
Join Andre Durand, founder of Identiverse, as he sets the context for our 9th annual gathering.
Business Advice We Shouldn't Believe Any More
8:15am - 9:00am | Ballroom
Andrew McAfee's new book (coauthored with Erik Brynjolfsson) is Machine | Platform | Crowd: Harnessing our Digital Future, which The Economist called "An astute romp through important digital trends." In this talk Dr. McAfee uses insights from the book to show how technology is rewriting the business playbook, and how a great deal of standard business advice is now dangerously out of date. Best practices are changing rapidly in this time of astonishing technological progress. This fast-paced, lively, and content-rich talk explains why this is, and delivers smart guidance for the next generation of business leaders.
Our Secret Strengths: The Skills of an Identity Professional
1:15pm - 1:45pm | Ballroom
An identity and access management professional is more than just her knowledge of federation protocols, her ability to build user provisioning policies, or her talent in deploying social sign-up. Although we inherently know that it takes other skills to be a successful identity professional, we don't often identify them, nor do we consider how to grow them. Join Ian Glazer for an exploration of the secret strengths of our identity profession and pick up some pointers for your own development.
Monday Evening Keynote - Details Coming Soon!
5:30pm - 6:00pm | Ballroom
Details coming soon

12:00pm - 6:00pm
Room 302
2:00pm - 2:25pm
Privileged Access Management 201 - Beyond the Basics
Ken Robertson
IAM Architect
General Electric
Are you ready to move beyond managing passwords for shared accounts? Let’s explore options that you may want to add to your Privileged Access Management toolset. From privileged sessions, to application credential management, to privilege escalation, this will cover what should be included in your budget and what should be avoided. Get more from the tools you already own. This presentation is vendor neutral, but will cover solutions at a high level that are commonly available from many sources.
2:35pm - 3:00pm
Adopting BYOID to the organizations with CIAM technologies
Naohiro Fujie
Deputy General Manager
ITOCHU Techno-Solutions Corporation
Because of the recent identity flood, end users in organizations no longer wish to have additional identities (especially usernames and passwords) for their companies or universities. This reduces end-user satisfaction and loyalty and sometimes leads them to use shadow IT, which may pose a security risk for the organization. In addition, for many organizations e-mail is no longer a suitable communication tool, especially for younger people, because they are used to using social network tools like Twitter/Facebook to communicate with each other. But at the same time, it is true that IT admins are still required to manage employees' or students' identities in organizations for internal audit and security. In this talk, I would like to introduce possibilities for solving this dilemma for organizations through BYOID (Bring Your Own Identities) with CIAM technologies, with some demos using Microsoft Azure Active Directory B2C.
3:10pm - 3:35pm
Inside and Out: Make Your App Finally Work for You
Tomasz Onyszko
CTO
Predica Sp. z o.o.
Application access was always a problem. VPNs, remote desktops - we've seen it all. With cloud and identity, we can finally make it work. See how Azure AD Web Application Proxy makes on-prem apps work for you regardless of place, whether you are an on-prem, cloud or business guest user in the organization. With the ascent of identity providers and solutions like Azure AD Web Application Proxy, organizations can modernize their application environments. The session will include a case study and lessons learned from moving enterprise SAP apps to the cloud environment and enabling mobile access to them using Azure AD Web Application Proxy. Topics covered: Azure AD WAP, B2B, Ping Access, on-prem and Kerberos applications, modernising legacy app (SAP, Oracle) access.
3:50pm - 4:15pm
Identity in the Life Sciences
Lance Peterman
IAM Strategy & Platform Lead
Merck
Details coming soon!
4:25pm - 5:25pm
The CARIN Alliance - ID Proofing and Authentication in Healthcare
Ryan Howells
Principal
Leavitt Partners / CARIN Alliance
The CARIN Alliance is a non-partisan, multi-sector alliance formed in 2016 to unite health-care leaders in advancing the adoption of consumer-directed exchange across the U.S. Working collaboratively with government leaders, the group seeks to rapidly advance the ability for consumers and their authorized caregivers to easily get, use, and share their digital health information when, where, and how they want to achieve their goals. With a membership composed of patients and caregiver organizations, health care entities, health information technology vendors and others, the CARIN Alliance is uniquely positioned at the intersection of public and private organizations to advance the development of person-centered, value-driven health care through the adoption of consumer-directed health information exchange. We have organizations representing over 50,000 providers, 300 hospitals, and 100 million individuals. The CARIN Alliance is seeking to answer 5 core questions to resolve ID proofing and authentication in health care: How do we user proof individuals outside of a provider's portal using a federated identity structure and open standards? How do we securely authenticate individuals using multi-factor authentication without the need for a UN/PW? How do we record electronic informed patient consent in a consistent way to facilitate the delivery of patient health information to a third-party application of the patient’s choosing? Once we ID proof an individual, how do we match their health records to their certified credential both within and across systems? How do we create a trust framework that allows for a marketplace of credentialing organizations, application endorsements, and application endorsing organizations?
Room 304
2:00pm - 2:25pm
SSO as both a Security AND Business tool
Grant Reveal
Manager, Information Security - IAM
Alliance Data Card Services
Single Sign On (SSO) has been leveraged for years to provide users with the ability to access sites without having to remember multiple, separate usernames and passwords. As a security tool it can be leveraged to ensure appropriate authentication and even access, but as a business tool it can be used to shorten logon times and improve productivity. This presentation provides an overview of how SSO can be leveraged within an organization not only as a security control to assist with meeting regulatory compliance (think SOX) but also as a business tool to provide a more streamlined end user experience while providing quantifiable cost savings within the business. The purpose of this session is to show how risk crosses business and IT lines and that it is possible to leverage a security tool to deliver risk reduction, provide security controls and deliver business value all at the same time. This presentation will pull together the various ways SSO can be viewed and presented as a value proposition for executives and will include real world examples of cost savings and deployment of SSO as a security control.
2:35pm - 3:00pm
What You Need To Know To Make Your IAM Program A Success: Lessons Learned From The Field
Paul Bedi
CEO
IDMWORKS
After 650+ IAM engagements, IDMWORKS has compiled what organizations need to know before, during and after implementing an IAM program. We polled our 150 IAM engineers, architects, and PMs to draw from what they see on the job every day and boiled that down to a series of lessons learned. Every organization in any stage of IAM maturity will find value in these highly-accessible, technical jargon-less, universal rules-to-live-by to make your IAM program successful.
3:10pm - 3:35pm
Best Practices for IAM Assessments, Blueprints & Roadmaps
Todd Rossin
CEO & Chief Strategist
IDMWORKS
Organizations process and store huge volumes of sensitive information that belong to their customers and employees – from financial information to medical records to personal identifiers, like social security numbers and birthdates. Inadequate controls in IAM processes and technology can lead to breach, involuntary exposure of this data, and non-compliance issues. But you cannot correct what you don't know, so the first step in any IAM program is Assessment. IDMWORKS CEO & Chief Strategist, Todd Rossin, will address the most common questions around IAM Assessments & Roadmaps - Why Should We Assess? What Should We Assess? and When Should We Reassess?
3:50pm - 4:15pm
Mobile Identity
Andy Zmolek
Android Enterprise Evangelist
Google
Mobile devices bake mobile identity more directly into the user experience in ways that aren't always obvious from the outside. Android, iOS, and other mobile operating systems each have different capabilities when it comes to the identity protocols that are supported and solutions which are possible in each. Understanding the tools, libraries, and considerations for mobile identity can be challenging, and getting it right can require mastery of several subtle and complex concepts. This session will tackle the current state of mobile identity, provide updates on major initiatives like AppAuth that help developers make better OAuth-based single sign-on experiences in native mobile apps and related cross-platform efforts like AppConfig, and highlight key concepts needed for building successful mobile identity solutions in 2018.
4:25pm - 4:50pm
Identity considerations for shared and dedicated mobile devices
Andy Zmolek
Android Enterprise Evangelist
Google
Mobile devices are increasingly being utilized far beyond the traditional consumer and knowledge worker use cases that drove their initial success and the identity models that drove their initial success often prove to be problematic when a device is shared among an arbitrary number of users, whether for use during a shift or a few minutes at a time. In fact, there are few obvious ways for native apps to handle coordinated logout (which can be harder than single sign-on), shift user context, and show user state, and often the concept of OS login doesn't exist like it does on the desktop. We'll review the current state of standards, best practices, and real-world considerations of shared device identity on mobile, look at what's solved and what work remains to be done across the identity, mobility, security and device management ecosystems that will all play a role in enabling the sophisticated mobile solutions that are now required for verticals like retail, transportation and logistics, public safety, and others who are discovering just how much of a departure mobile platform identity is from the desktop when a device is shared among multiple users.
5:00pm - 5:25pm
SMS Vulnerabilities in Identity Management
Rod Soto
Director of Security Research
JASK
This presentation will show how malicious actors are actively taking advantage of the use of SMS as a second authentication factor to prove identity. These vulnerabilities enable malicious actors to obtain SMS messages, then proceed to reset and take over all users’ accounts, starting with email accounts with access to financial, social media and corporate accounts. SMS should be discarded as a second form of authentication. This presentation will also provide alternative authentication methods to compensate for SMS deprecation.
Room 306
2:00pm - 2:25pm
Building the NextGen Customer Experience at General Motors
Andrew Cameron
Enterprise Architect IAM
GM
The Customer IAM (CIAM) platform at General Motors is the core element in building a common set of user experiences across all customer touch points. Join this session to learn 1) how the company selected its CIAM platform; 2) the importance of building the platform based on industry standards and cloud technologies; and 3) how GM has addressed some of the key challenges in enabling solutions for customer identification, customer interaction and preference management.
2:35pm - 3:00pm
Designing Identity Solutions Customers Will Love and Use
Frank Villavicencio
PM, Security Management Services
ADP
The quest to increase security and confidence in the identity and access solution at many organizations has often shifted the focus away from usability and user experience. While there are foundational tenets in terms of privacy and security that need to be met for the identity solution to be effective, these should not be met at the expense of the end user. Through a joint effort aimed at streamlining employee identity verification during registration for ADP, ADP and Capital One conducted substantial user research to innovatively simplify and reduce the friction we place on our customers. This session will cover insights from our research, our collaboration and share strategies for enabling higher trust identity proofing while reducing the impact on customers.
3:10pm - 3:35pm
Privacy-Preserving Authentication: Another Reason to Care about Zero-Knowledge Proofs
Clare Nelson
CEO
ClearMark Consulting
If the concept of privacy-preserving authentication is new to you, come learn about solutions that rely on a breakthrough in cryptography that garnered the Turing Award, including a female recipient, Shafi Goldwasser. In the words of Johns Hopkins professor, Martin Green, "Zero-Knowledge Proofs are one of the most powerful tools cryptographers have ever devised."
3:50pm - 4:15pm
Dissecting Blockchain for the Practical Application to Identity
David Thomas
CEO & Founder
Evident
Distributed ledgers are a revolutionary approach for the peer-to-peer management of digital assets. As their application has grown and the excitement around cryptocurrencies has skyrocketed, many believe that a digital identity is the ultimate asset to be managed on a distributed ledger. In this session, we will descend from the stratosphere to look at the details of distributed ledgers for identity. We will dissect digital ledger technology into core aspects and examine how each of these benefits specific identity use cases. We will also look at the areas of digital ledgers that present challenges and discuss workarounds. Finally, we will review practical customer use cases where ledger technology and identity information have been productively combined. We will walk through real world applications of distributed ledger technologies solving identity problems, shifting the discussion of the pros and cons of blockchain from theoretical to actual.
4:25pm - 4:50pm
A Holistic Risk Assessment of Blockchain for Identity
Adam Migus
Owner and Principal
The Migus Group
Blockchains for identity use cases have been a hot topic across many sectors. This panel of experts will present a holistic assessment of the business, privacy and security risks associated with using blockchain technology for identity.
5:00pm - 5:25pm
Identity and the Blockchain
Dan Ellis
Founder
Clear.me
How can the blockchain and cryptographic zero-knowledge proofs solve individuals’ privacy concerns and mitigate corporate risk? 'Identity' can commonly be confused with ‘identifiers’ used in technology to authenticate the same ‘persona’ or ‘user’. However, your Identity is you, and you have many attributes that define you, and 3rd parties who can agree and validate those attributes. Requestors of your identity don’t need to know everything about you, nor do they want to inherit the risk associated with holding or transferring a lot of PII data. I’ll explore how blockchains and a cryptographic technology called zero-knowledge proofs can change the way we think about permissions in data, and can prove your identity to a 3rd party without disclosing the underlying data.
Room 309
3:50pm - 4:15pm
IAM in Higher Education - A Different Kind of Enterprise
Dedra Chamberlin
CEO
Cirrus Identity, Inc.
Identity Management leads at colleges and universities have unique challenges that are often not understood by commercial identity management vendors or by CISOs that have an enterprise background. This presentation will be of interest to: 1) IAM vendors interested in learning how to better serve the higher education market, 2) Higher Ed IAM leads who can use more ammunition for conversations with managers who come from the private sector and who don't understand why identity isn't managed the way it was at their previous corporation, 3) University CISOs and audit leads who think their IAM leads are speaking a foreign language. The presentation will cover key characteristics of Higher Education identity management, such as: an emphasis on openness and collaboration as opposed to competition, users who come and go over many lifecycles, multiple Systems of Record, multiple simultaneous affiliations, and Identity Federation leveraging SAML metadata aggregates. The presenter will include common higher ed identity governance issues, user scenarios, business use cases, and architectural integration patterns. Attendees will leave the session better prepared to tackle IAM challenges in the Higher Ed space.
4:25pm - 4:50pm
IDaaS in Higher Ed: Is the cloud ready?
Scott Weyandt Ph.D.
Director, IT Security & Infrastructure
Moran Technology Consulting
The cloud presents new challenges and new opportunities for identity governance. Higher education (higher-ed) is a unique environment with its own set of complexities. In this presentation, the authors will examine current cloud vendors and options for identity services (IDaaS) to determine the readiness of these services to meet the needs of higher-ed. Approach: Today’s identity governance market provides a diverse range of solutions and services. While many vendors claim to provide a complete identity and access management cloud solution they differ dramatically with regards to core service offerings, maturity, and costs. The first step will be to review the current IDaaS vendor landscape. Second, we develop a classification of higher-ed institutions into several categories based upon their size, needs, and budgets. While many institutions share core business requirements, they differ significantly regarding scale, complexity, budgets, proficiency, as well as compliance requirements. In the final section, we will examine the readiness of IDaaS (in its various service offerings) to meet the needs of each higher-ed category. Drawing on case studies, the authors will use recent client experience assisting institutions with selecting identity solutions at: a small private college; a large Tier 3 state university; and a leading private research university.
5:00pm - 5:25pm
Case Study: IAM in Higher Ed, One Year Later
Dave Shields
Managing Director - IAM
The University of Oklahoma
Starting a new IAM Program is great, but what's it like after a year in the trenches? Come join me as I give you a look at the ups (and downs) of building IAM in higher education. Learn from our mistakes and build off our successes!
Room 310
2:00pm - 2:25pm
The Cake Is Not a Lie – Using Cloud Services to Improve Your Security Posture
Laura Hunter
Principal Program Manager
Microsoft
For security-conscious organizations, a move to adopting cloud services is often met with trepidation and skepticism. How can we secure a service that we don’t operate? How can we maintain visibility into the security of the platform? How can we be sure that our data is safe? As cloud services have matured, Cloud Service Providers have begun to focus extensively on the security of their offerings, including creating new services that can help you to increase the security of your organization’s data, not just struggle to maintain parity with on-prem mechanisms. In this talk, we’ll hear some real-world examples of how Cloud Computing can act as a true security differentiator for an organization who are in the process of, or perhaps even still considering how to begin, moving towards Cloud adoption.
2:35pm - 3:00pm
Building MFA/SSO Into Your IaaS Services and Apps
Mark Diodati
Research Vice President
Gartner
As organizations accelerate the migration of crucial workloads to AWS and Azure, they are looking to integrate single sign-on and MFA. With hundreds of services in a typical IaaS, integration can be a challenging endeavor. We will explore the MFA options of each platform; how OAuth, SAML and OpenID Connect integrate into IaaS services; the role of API gateways in an IaaS, and how on-premises Windows Active Directory can be extended into the cloud. We will wrap up the session with proven guidance on implementing MFA and SSO with your IaaS.
3:10pm - 3:35pm
Intelligent Authorization-Risk mitigation in real time
Nathanael Coffing
CEO
Cloudentity
Authorization has come a long way since setting bits in the file system. With the advancements in machine learning, big data and behavioral profiling, it's time for authorization to take its next generational leap and move into a flexible risk-based access control model that works in concert with legacy access control policies. Cloud authorization engines must focus on adding intelligence to the authorization process with validators that query external platforms for consensus during transactional processing and marry that with emerging threats to any of the entities (users, services, things, locations, etc.) present within the transaction. Threat mitigation options must be designed to rebuild the trust within the transaction or to mitigate the emerging risk by providing consensus via the leveraging of traditional methods (ABAC, RBAC, entitlements, scope) and respond during the transaction with transactional step-up auth, degradation of entitlements, reduction in data attributes returned, etc. Learn how to create architectures and UX flows that support real-time threat mitigation for transactions involving any user, service or thing.
3:50pm - 4:15pm
Deployment in Practice: Radiant Logic (1)
Details coming soon!
4:25pm - 4:50pm
Deployment in Practice: Radiant Logic (2)
Details coming soon!
5:00pm - 5:25pm
Deployment in Practice: ProofID
Details coming soon!
Room 311
2:30pm - 2:55pm
GEs IoT Use-cases & Platforms
Phil Schneider

GE
Details coming soon!
2:35pm - 3:00pm
Applying Digital Identity in the IoT world of Automotive New mobility
Ashley Stevenson
Identity Technology Director
ForgeRock
The rapidly growing world of the connected vehicle has yet to realize the business advantages that digital identity can bring to its vast ecosystem; but that’s about to change. The new mobility paradigm includes monetizing new services through connected vehicles, including vehicle sharing, in-vehicle commerce, fleet management, autonomous driving, vehicle-to-Infrastructure, and many others. To provide the necessary levels of security, privacy and user experience required by these use cases, the digital identities of people, and of the vehicle itself must be managed and integrated. Establishing trusted identities of the vehicles themselves is also at the core of securing vehicle connections to clouds, other vehicles, and connected infrastructure, such as smart parking, and other smart city or smart home devices, and is a critical piece of ensuring end-to-end data security and privacy. Within the vehicle, devices that manage critical safety systems, such as engine control, braking and steering--even the software modules that control these devices--must also have trusted identities and be authenticated in order to secure use case like autonomous driving. Join this talk to learn how modern digital identity can meet the broad spectrum of new requirements for connected vehicles, including a live demo of in-vehicle authentication for personalization and vehicle authentication with real-time authorization for vehicle-to-cloud data management.
3:10pm - 3:35pm
Innovation: Lord Admiral Nelson, Identity, and the Internet of Things
Mike Kiser
Senior Security Strategist
SailPoint Technologies
Admiral Nelson's innovative use of identity in his strategy at the Battle of Trafalgar provides the foundation for a new identity model to empower and govern the Internet of Things. This presentation takes its cues from the events of October 21, 1805. At the Battle of Trafalgar, British Admiral Horatio Nelson introduced a new identity-based strategy for naval warfare that enabled his entire fleet—every ship, every sailor—to act instantly and independently in the pursuit of victory. The British Navy won a decisive victory, and naval warfare would never be the same. (Along with the retelling of this narrative, historical maps of the battle will be used to illustrate the tactics used.) The talk then applies Nelson's identity-based strategy to governing the looming Internet of Things (IoT). A stock identity architecture and identity model is used to describe modifications made as part of the application of this new strategy.
3:50pm - 4:15pm
Deployment in Practice: Auth0 (1)
Details coming soon!
4:25pm - 4:50pm
Deployment in Practice: Auth0 (2)
Details coming soon!
5:00pm - 5:25pm
Deployment in Practice: ForgeRock
Details coming soon!
Room 312
2:00pm - 2:25pm
Optiv Presents: Securing Digital Transformation (1)
Details coming soon!
2:35pm - 3:00pm
Optiv Presents: Securing Digital Transformation (2)
Details coming soon!
3:10pm - 3:35pm
Optiv Presents: Securing Digital Transformation (3)
Details coming soon!
3:50pm - 4:15pm
Optiv Presents: Identity and Insider Threats(1)
Details coming soon!
4:25pm - 4:50pm
Optiv Presents: Identity and Insider Threats(2)
Details coming soon!
5:00pm - 5:25pm
Threat Mitigation Through Identity Intelligence
Josh Davis
Solutions Catalyst
UberEther
As the risk profiles of insiders are continuously evaluated and rescored, the identity-centric data generated has historical and behavioral significance in the organization's overall threat mitigation plan. What can be interpreted from the changing trend of an insider's score in regards to being an actual threat to the organization? Does the frequency of the change, higher or lower, matter? What can be gained from analyzing the decisions behind the rescoring? Did an insider we trust perform a legitimate action of their role too frequently, from an undesired network segment, or in an undesired location in the office building? If these and related questions matter, or could matter to an organization, what can the organization do to realize the power of the data? One approach is to develop or procure an identity intelligence system, implementing it in such a way that it provides the organization with nearer-realtime situational awareness and lends to their ability to act accordingly prior to, during, and following insider threat events. The information provided to the organization by the system is in the form of on-demand reports, OPSEC dashboards, triggers to reactive processes that mitigate threats, and alert messages. The identity-centric data leveraged by the system must be captured in raw form as it is generated, stored with integrity and access control measures, available for continuous analysis, and available for reanalysis during post-threat investigations or as analytic strategies and capabilities of the intelligence system improve. An organization's leveraging of an identity intelligence system in their insider threat program avoids the organization being blind to their continuously changing threat posture. It alleviates the human element from being bogged down manually or reactively identifying risks, or only performing post-incident analysis.
Leveraging the right technical implementations for continuously analyzing, reassessing, alerting, blocking, or deprovisioning access and authorizations provides the organization with nominal assurances of their threat landscape.

Tuesday, June 26


9:00am - 12:00pm
Room 302
9:30am - 9:55am
Extend Microsoft Azure AD to Everything On-prem with Ping Identity
Mark Bostley
Senior Technical Product Manager
Ping Identity
Learn how to extend SSO and Access Security from Azure AD to on-premises applications using PingAccess for Azure AD, and more recently PingFederate as a Microsoft-supported alternative to ADFS. Today's mobile workforce demands tools for greater productivity, including access to all their apps on-prem and in the cloud. PingAccess extends Azure AD to the legacy on-premises world, and PingFederate provides many value-added features beyond ADFS.
10:05am - 10:30am
Going Beyond SSO to Global Authentication Authority
Eric Fazendin
Sr. Product Manager
Ping Identity
PingFederate has long been a leader in federated SSO and adaptive authentication. With PingFederate v9.1, the role of global authentication authority has now expanded with a range of new features to support multiple identity types: workforce, customers, and partners. Learn how you can leverage PingFederate for a range of new use cases such as social account linking, self-service profile management, and much more.
10:40am - 11:05am
Faster Application Development with Identity and Developer Self-Service
Ishan Kumar
Director, Product Management
Ping Identity
As organizations increase the pace and frequency of application releases, a more agile approach is needed to embed cloud-based identity services into applications. Engineering teams want the convenience of developer self-service, while IT teams need a platform that can provide centralized security and control. Learn how Ping can help you overcome both these challenges and speed up the process for engineers to onboard and maintain applications.
Room 304
9:30am - 9:55am
Google Presents (1)
Details coming soon!
10:05am - 10:30am
Google Presents (2)
Details coming soon!
10:40am - 11:05am
Google Presents (3)
Details coming soon!
Room 306
9:30am - 9:55am
IDMWorks Presents (1)
Details coming soon!
10:05am - 10:30am
IDMWorks Presents (2)
Details coming soon!
10:40am - 11:05am
IDMWorks Presents (3)
Details coming soon!
Room 309
9:30am - 9:55am
Microsoft Presents (1)
Details coming soon!
10:05am - 10:30am
Microsoft Presents (2)
Details coming soon!
10:40am - 11:05am
Microsoft Presents (3)
Details coming soon!
Room 310
9:30am - 9:55am
Practical W3C Web Authentication
Jerrod Chong
Vice President, Products
Yubico, Inc.
This session will explore the practical applications of the W3C WebAuthn API, which allows modern web applications to create and use public key-based strong authentication. We’ll test the demo gods with some live looks at WebAuthn in action from app dev, to what happens behind the curtain, to simple, strong user authentication. What does WebAuthn do? How do relying parties and developers make use of this API? Which browsers are adapting to these new strong authentication options and how are they accessed? After a thorough development process, including all the major browser vendors, there are now strong, attested, scoped, public key-based credentials for web applications. Goodbye phishing, hello secured web-based access.
10:05am - 10:30am
The future of identity standards
Paul Grassi
SVP of Cybersecurity and Identity
Easy Dynamics Corp
The release of 800-63-3 in the summer of 2017 marked a significant shift in federal guidance. Yet, this revision was just the beginning, and is certainly not the 'only game in town' given great work being performed in other countries and standards organizations. This session will explore:
- Current state/landscape of identity standards
- Level setting on the scope of 800-63-3
- Gaps in USG and other competing/complementary standards
- Can/should the private sector take ownership of 800-63?
10:40am - 11:05am
Life after Passwords
Details coming soon!
11:15am - 11:40am
MFA 2.0
Jeremy Palenchar
Principal
Orcas Consulting
Multifactor Authentication using email or SMS is now table stakes in most Enterprise, Financial, and SaaS solutions. Unfortunately, these patterns provide the bare-minimum protection for users and solution providers. You will learn why most MFA solutions only provide the lowest level of Authenticator Assurance and completely fail to address Identity Assurance Levels. Attendees will be provided with a solid methodology to evaluate current and future MFA solutions and with strategies to increase the security of any MFA implementation. This will be a vendor-agnostic session providing tools and strategies to evaluate and improve MFA implementations based on any MFA product suite.
Room 311
9:30am - 9:55am
Revisiting Privileged Access in Today's Threat Landscape
Lance Peterman
IAM Strategy & Platform Lead
Merck
If identity is indeed the new perimeter, then privileged access is its primary attack vector. Weak credentials and privilege misuse are consistently identified as the dominant pattern in data breach reports. Approaches to managing privileged access are struggling to keep pace with the changing threats. In this session, we'll examine recent attacks that exploit privilege misuse, analyze some of the specific methods used (like mimikatz), then examine new approaches that can mitigate this risk to the enterprise. Emphasis here will be vendor agnostic, but we will discuss specific technical approaches as well as some technologies that can assist in managing privileged access and adopting a program of least privilege. In addition, we’ll explore differences in approach between on-prem PAM approaches compared with various cloud technologies. We'll also discuss common roadblocks in PAM programs and potential methods to resolve them. Finally, we’ll look at the role that identity & user behavior analytics (UBA/UEBA) can play in providing an active defense against privilege misuse.
10:05am - 10:30am
I’m sorry Dave, I’m afraid I can’t do that: a harm-reduction plan for cloud applications
Sarah Squire
Senior Technical Architect
Ping Identity
Unlike traditional local network applications, cloud applications are both more powerful and easier to compromise. Fortunately, many emerging technologies and standards are focused on allowing applications to access only what they need, and only when they need it. This reduces the amount of harm a compromised application can do without reducing its power to help your team get work done. Take home an actionable game plan for the next six months, the next year, and beyond. With great cloudiness comes great responsibility.
10:40am - 11:05am
Learning Machine Learning's Place in Identity & Security
Jonathan Sander
CTO
STEALTHbits Technologies
Machine Learning is the latest in a long line of technologies offered as the “savior” for security teams flooded with events and data. We have watched many organizations – our customers, our technical alliance partners, and even ourselves – struggle with the place where Machine Learning can have the most effective and practical impact. It seems that now there are architectures emerging that use it well. It moved from the top of the pyramid to become a part of several layers below. In this session, we will explore the journey Machine Learning has taken from messiah to workhorse. We will discuss the ways it has and is now being applied in security and identity use cases, and we will illustrate those with examples from real world deployments. The audience will leave with a basic understanding of how Machine Learning works, how it is applied to Identity and Security, and starting points for applying that knowledge in their own organizations.
Room 312
9:30am - 9:55am
Privacy: the next frontier for Identity
Giles Watkins
CEO
Pridium
Details coming soon!
10:05am - 10:30am
Rendering the Value while Demonetizing Identity
Adam Migus
Owner and Principal
The Migus Group
Identity is a commodity. The data attributes, the claim sets, the authentications and the authorized access are increasingly valued for organizational transactions, for company market position, to maximize performance and efficiencies, for network effects. Simultaneously, the currency of identity information is escalating on the black market and for malicious actors. Organizations are increasingly required to negotiate risks based on the business rationale for collecting and processing PII with the likelihood of exfiltration or other nefarious acts to harness the monetary value of the data used to perform, in addition to black market subterfuge. This session will compare and contrast the business and monetary values of identity, and provide tactical lessons on utilizing privacy and security controls in both the policy and technology stacks to make the value of the data used by the company as close to null as possible to any malicious actor without rendering the information useless to the company.
10:40am - 11:05am
Spotlight on Europe: What PSD2 and GDPR Mean for Strong Authentication Adoption
New policies in Europe are having a notable impact on the authentication market - in some cases imposing new requirements for use of authentication; in other cases, influencing what kinds of authentication should and should not be used. In this session, FIDO Alliance executive director Brett McDowell will look at two new regulations -- the EU General Data Protection Regulation (GDPR) and Payment Services Directive 2 (PSD2) -- that are having significant impacts on the adoption of modern strong authentication. He will detail the kinds of modern authentication methods (like phishing-resistant security keys and on-device biometrics) that these regulations are embracing and how they can help organizations achieve the right balance of security and usability in their compliance programs. The session will cover:
- The evolution of strong authentication
- GDPR and PSD2 and their requirements for personal data privacy and strong authentication, respectively
- GDPR requirements concerning biometrics
- The role of FIDO authentication standards in GDPR and PSD2 compliance
- How PSD2 requirements can be met in a user-friendly way by leveraging a rapidly growing install base of laptops, mobile phones and security keys
- How standards-based modern strong authentication solutions can help organizations comply with the data minimization goals of GDPR

Keynotes

Identity's Cambrian Moment
8:00am - 9:00am | Ballroom
After a few years of status quo, we are at a moment of tremendous change in the Identity world. Identity is evolving at high speed and in great profusion, becoming more strategic for enterprises; for Governments; and even eliciting interest at a consumer level. Novel standards and techniques are emerging; new experiments; evolution and revolution. We have 'identity everywhere' with IoT and open banking (and open 'everything'!) and mobile. Andre Durand, CEO of Ping Identity, unravels the genesis of this Cambrian Explosion of Identity, and explores the future of our digital identity ecosystem.
The Privacy Conundrum: Rights or Rewards?
1:00pm - 1:30pm | Ballroom
The 'open' internet is under threat like never before. On the one hand, a growing pressure for surveillance and restriction; on the other, a push by governments and individuals to protect privacy as much in the digital world as the physical. Jonathan Zittrain helps us navigate this changing landscape - and points to a path that might lead to a better outcome for everyone.
The Insecurity of Things: Identity to the Rescue!
1:45pm - 2:15pm | Ballroom
Car hijacking? Building takeovers? Revenge attacks? The bad guys used to have to be physically present to do physical harm - but in our increasingly connected world, that's no longer true. Device manufacturers lack in-depth understanding of security and identity; and the identity industry needs to understand how to work within the limitations of the device. In this compelling talk, Ken Munro of Pen Test Partners will describe - and demonstrate - the woeful insecurity of connected devices and explore how the identity industry can help make things better.
Estonia - An Identity Republic
5:30pm - 6:00pm | Ballroom
Taavi Kotka, former Estonian Government CIO, discusses the past, present and future of the Estonian Digital Identity initiative - and draws key lessons that we can apply to all our identity projects.

12:00pm - 6:00pm
Room 302
2:30pm - 3:20pm
What's New In PingFederate 9.x?
Scott Tomilson
Director, PingFederate Product Development
Ping Identity
Love PingFederate? New to PingFederate? Either way - this session is for you! Hear directly from the PingFederate product team about the latest enhancements to the industry’s most powerful federation server. They’ll cover new capabilities that will help you deploy PingFederate for consumer-facing applications (with account registration and self-service profile management), get more out of modern identity protocols and take advantage of IaaS compatibility improvements (such as adaptive clustering) to lower deployment costs.
3:30pm - 4:20pm
PingID Demo: Offline MFA and SDK Enhancements
Dana Weinbaum
Technical Product Manager, Mobile
Ping Identity
This session will help you to understand how you can use PingID in different offline use cases. You'll get a close look at the newest features and SDK capabilities that were introduced over the past year. Our live demo will show you what PingID looks like from the user side as well as the administrator side.
4:30pm - 5:20pm
PSD2 & Open Banking with Ping Identity: a Live Demonstration
Federico Carbone
Regional Solutions Architect
Ping Identity
In 2018, PSD2 and GDPR come into force across the European Union. These regulations will define and govern the use of open banking APIs to enable third parties to access a bank's customer account information, when the customer has given their explicit consent. In the session we will demonstrate how Ping Identity can address the technical challenges of securing access through open APIs to process financial information and transactions and discuss the technical configurations needed on the Ping products. The demonstration will step through both the Payment Initiation Service Provider (PISP) and Account Information Service Provider (AISP) use cases, showing how the Ping Identity Platform:
- Utilises OAuth 2 and OpenID Connect token services to help financial institutions and third parties complete a direct payment transaction and account information aggregation.
- Gathers, manages and enforces customer-driven consent.
- Enforces Strong Customer Authentication (SCA).
Room 304
2:30pm - 3:20pm
Google Masterclass (1)
Details coming soon!
3:30pm - 4:20pm
Google Masterclass (2)
Details coming soon!
4:30pm - 5:20pm
Google Masterclass (3)
Details coming soon!
Room 306
2:30pm - 3:20pm
IDMWorks Masterclass (1)
Details coming soon!
3:30pm - 4:20pm
IDMWorks Masterclass (2)
Details coming soon!
4:30pm - 5:20pm
IDMWorks Masterclass (3)
Details coming soon!
Room 309
2:30pm - 3:20pm
Microsoft Masterclass (1)
Details coming soon!
3:30pm - 4:20pm
Microsoft Masterclass (2)
Details coming soon!
4:30pm - 5:20pm
Microsoft Masterclass (3)
Details coming soon!
Room 310
2:30pm - 3:20pm
Radiant Logic Masterclass (1)
Details coming soon!
3:30pm - 4:20pm
Radiant Logic Masterclass (2)
Details coming soon!
4:30pm - 5:20pm
ThreatMetrix Masterclass
Details coming soon!
Room 311
2:30pm - 3:20pm
Auth0 Masterclass (1)
Details coming soon!
3:30pm - 4:20pm
Auth0 Masterclass (2)
Details coming soon!
4:30pm - 5:20pm
ProofID Masterclass
Details coming soon!
Room 312
2:30pm - 3:20pm
KPMG Masterclass (1)
Details coming soon!
3:30pm - 4:20pm
KPMG Masterclass (2)
Details coming soon!
4:30pm - 5:20pm
SecureAuth Masterclass
Details coming soon!

Wednesday - June 27


9:00am - 12:00pm
Room 302
9:30am - 9:55am
Ping Identity Presents (4)
Details coming soon!
10:05am - 10:30am
Ping Identity Presents (5)
Details coming soon!
10:40am - 11:05am
From SSO to PingAccess - Journey to the Center of the Identiverse
Rob Davis
Director
TIAA
The session will cover TIAA's journey migrating from SiteMinder to PingAccess and the lessons learned along the way. I will discuss:
- Why TIAA made the switch to PingAccess
- Challenges of the legacy environment
- Defining the appropriate migration process
- Lessons learned and feedback/enhancements recommended
- Timeline from initiation to completion
- Q & A
Room 304
9:30am - 9:55am
FIDO and Mobile Connect - Integration of FIDO and Mobile Connect to deliver authentication globally
Bjorn Hjelm
DMTS
Verizon
This presentation outlines how the FIDO standards can be integrated with Mobile Connect to offer authentication services within the Mobile Connect framework. This presentation is an output of the collaboration between FIDO Alliance and GSMA and covers an overview of the architecture, FIDO authentication, handling of assurance levels, authentication context for an OpenID Connect profile, and security guidelines.
10:05am - 10:30am
Mobile-based Identity and Access Management - A NSTIC Pilot
Bjorn Hjelm
DMTS
Verizon
Mobile-based Identity and Access Management is a newly completed NSTIC pilot that demonstrated a common approach to enable consumers and businesses to use mobile devices for secure, privacy-enhancing identity and access management. By allowing relying parties (RPs) to more easily accept identity solutions from Mobile Network Operators (MNOs), the solution is intended to reduce a significant barrier to online service providers accepting mobile-based credentials. The pilot included the four major U.S. MNOs, GSMA, and several Service Providers (SPs). This panel session will provide the background of the pilot, its architecture and setup, describe the use cases and experience (from both MNO and SP perspectives), and share lessons learned.
10:40am - 11:05am
Mobile Driver Licenses - Not just in a galaxy far, far away
Geoff Slagle
Director, Identity Management
American Association of Motor Vehicle Administrators
The topic of “putting a driver license on a cellphone” has enjoyed much attention in the recent past. Various initiatives are being undertaken in this area. At this time most appear to be proof-of-concept or exploratory in nature. Interest is being expressed by a variety of stakeholders, including driver license administrators, legislators, vendors, and the general public. AAMVA, through its members, is pursuing the implementation of this with great vigor. The actual entities leading this within AAMVA are the AAMVA Card Design Standard (CDS) committee, supported by the AAMVA Electronic Identity (eID) WG. Working with the ANSI and ISO committees responsible for driver license standardization, they identified these committees’ understanding of the conceptual framework and functional requirements associated with a “driver license on a cellphone”, or mobile driver license (mDL). The work also explores ancillary topics stakeholders may want to consider in connection with mDLs. This work states requirements, but also formulates questions on issues that require further investigation, analysis and discussion. In addition to standards, AAMVA has also done work on model legislation for mDL.
Room 306
9:30am - 9:55am
Deployment in Practice: KPMG (1)
Details coming soon!
10:05am - 10:30am
Deployment in Practice: KPMG (2)
Details coming soon!
10:40am - 11:05am
Deployment in Practice: ThreatMetrix
Details coming soon!
11:15am - 11:40am
Deployment in Practice: SecureAuth
Details coming soon!
Room 309
9:30am - 9:55am
Don't Pave Privacy Cow Paths: Build Consent Intelligence
Eve Maler
VP Innovation & Emerging Technology
ForgeRock
Classic AdTech and MarTech approaches are breaking down fast. Privacy regulations like GDPR are making traditional “cookie-stalking” a poor strategy when consent or another clear legal basis for personal data processing is required. And consumers are tired of all the big data mind-reading and the years of headlines like “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did” and “Facebook knows you’re gay before you do”. Guidance from regulators calls for the creation of privacy dashboards, and it’s easy to imagine tools to assist with the privacy tasks we’re already familiar with today. But a faster way to read legalese and view previous consents doesn’t let users apply controls to ever-increasing data sources and destinations -- given fintech, the Internet of Things, precision medicine, and many other innovations that give rationales for enabling humans to mediate personal data flows. This session looks at how to combine Identity Relationship Management (IRM) and solutions from the big data and artificial intelligence worlds as a way to build “consent intelligence” experiences that are smart, scalable, and trustworthy for both people and organizations.
10:05am - 10:30am
Legal rules that regulate identity systems; their role in facilitating trust and interoperability
Thomas Smedinghoff
Of Counsel
Locke Lord LLP
What are the legal rules that regulate identity systems, where do they come from, and how do they affect the IdPs, RPs, and other participants in the system? This session will begin by addressing those threshold questions to provide a basic overview of the law governing identity systems, the manner in which it operates, and its impact on the liability of the parties. From there, the session will examine how applicable law does, or in some cases does not, facilitate trust and interoperability between identity systems. The session will also examine existing and newly emerging laws and legal initiatives at a global level, the directions they are taking, and the impact they are likely to have on shaping the identity ecosystem.
10:40am - 11:05am
When Identity Attacks – A Tale of Two Breaches
Josh Alexander
Director of Product Management
Salesforce
With the confluence of more sophisticated attackers, more valuable data, greater consequences, and additional regulation increasing both access and responsiveness to breaches, the inevitability and quality of a response to a breach has never been higher. From this practical, not nihilist, point of view, we will explore the case study of two modern breaches. While both attacks occurred within the same year and in the same industry, the two outcomes could not have been more different. We will study the key drivers that resulted in economic, reputational, and personal consequences.
KEY TAKEAWAYS
- What are the reasons that drive the need for a high-quality data breach response plan in 2018?
- What are the variables that lead to a good or poor data breach response?
- What can you do today to ensure your enterprise is positioned to respond well to a data breach?
Room 310
9:30am - 9:55am
Using IoT and Identity to Restore Freedom
Matt Topper
President
UberEther
With the continuous lowering of hardware costs, it’s becoming more and more cost effective to use contextual factors to increase the security of our facilities and applications. In an unusual way, we applied the same contextual concepts we deploy in the enterprise to give freedom back to the residents of a retirement home. This presentation will demonstrate how our team built a Bluetooth Low Energy (BLE) network to help the care personnel keep track of the residents. Most importantly, our solution allowed the residents to be reminded of and directed to their daily activities independently, without the assistance of the staff. This presentation will cover how we planned the network, the registration and management of staff and patients, the technologies we used and the policies that were put in place. We will expand upon this use case and how its extension can be directly applied to every enterprise’s identity and access management platform to provide some of the most powerful factors in contextual-based authentication, and how enterprises can use this as another approach to their organization’s digital transformation.
10:05am - 10:30am
Emerging Identity Standards in Healthcare
Eve Maler
VP Innovation & Emerging Technology
ForgeRock
Details coming soon!
Room 311
9:30am - 9:55am
Deployment in Practice: Saviynt
Details coming soon!
10:05am - 10:30am
Deployment in Practice: SailPoint
Details coming soon!
10:40am - 11:05am
Deployment in Practice: TBC (1)
Details coming soon!
11:15am - 11:40am
Deployment in Practice: TBC (2)
Details coming soon!
Room 312
9:30am - 9:55am
Optiv Presents: Identity and Data Security (1)
Details coming soon!
10:05am - 10:30am
Optiv Presents: Identity and Data Security (2)
Details coming soon!
10:40am - 11:05am
Optiv Presents: Identity and Data Security (3)
Details coming soon!

Keynotes

Out Gunned, Out Manned, Out Manoeuvred: Why Identity-Centric Security Is The Only Way to Win
8:00am - 8:30am | Ballroom
Corporations have spent millions, and collectively, billions of dollars on security programs in the last decade. Hackers, with far less money and far fewer resources routinely defeat these defenses. Not because the solutions are bad, but because companies refuse to put identity in the core of their security framework. We aren't being out-spent; so why are we always a step or several behind our enemies? Identity-centric security is the only way to win in a world where every information security organization is already out-manned, out-gunned and out-maneuvered by the enemy. It is critical to understand that while we are out-spending the enemy every single year, money is not solving the problem. Only re-establishing the core principle of identity as security in your organization will give you a fighting chance. Richard Bird is a widely recognized expert in identity management and control. In this presentation, he will address not just technology solutions for identity, but the changes and improvements you must make in governance, process, design and architecture to truly make identity the center of your secured enterprise.
An Identity Journey at GE
8:30am - 9:00am | Ballroom
Informed by her personal experience, Deneen DeFiore charts the evolution and increasing strategic importance of Digital Identity at GE.
Protecting the Cloud
1:15pm - 1:45pm | Ballroom
Details coming soon!
The CISO Conversation
1:45pm - 2:15pm | Ballroom
Details coming soon!
Closing Address
5:30pm - 6:00pm | Ballroom
Details coming soon!

12:00pm - 6:00pm
Room 302
2:30pm - 3:20pm
Directory Migration: a Use Case
Tim Skinner
Information Security Manager
BlueCross BlueShield of Tennessee
In this session you will hear the challenges of migrating from one directory to PingDirectory and how those challenges were addressed by Blue Cross Blue Shield of Tennessee, followed by a demonstration of an actual migration. The presentation will focus on the steps to minimize business disruption by successfully migrating identity information without requiring a forced reset of user passwords. The goal was to provide a seamless move of data with no disruption; users would not even be aware that their identity information was moved.
3:30pm - 4:20pm
Scalable Identity: Deep Dive into Ping AWS Deployments
Mark Bostley
Senior Technical Product Manager
Ping Identity
Learn how to use AWS Services and Ping Identity Automation to implement a production-ready scalable deployment of PingAccess to secure your APIs and Applications. This Masterclass will go into detail on the process, tools, and scripts provided by Ping Identity to deploy and elastically scale your PingAccess cluster in AWS. We will demonstrate the ability to integrate an automated deployment of PingAccess with an existing PingFederate solution as well as how to customize Ping Identity Automation to meet your specific architecture and environmental requirements. We’ll show how to troubleshoot your deployment and monitor your solution utilizing AWS CloudWatch and answer questions from the audience.
4:30pm - 5:20pm
Use PingOne Enterprise to Federate Partners to Your SaaS Applications
Kirk Hamilton
Senior Technical Support Engineer
Ping Identity
This session will cover how you as a SaaS provider can leverage PingOne for Enterprise to help your partners/customers federate into your SaaS offering. You will be given the opportunity to set up a PingOne environment and walk through the configuration of enabling a SAML SaaS application to be integrated into PingOne Enterprise. In the process you will learn how you can assist your partners/customers in their efforts to leverage the latest in secure Single Sign-On. This is a hands-on session where you will be walked through the configuration steps of setting up PingOne, or if you wish you can watch, learn and do it at a later time.
Room 306
2:30pm - 3:20pm
Sailpoint Masterclass
Details coming soon!
3:30pm - 4:20pm
ForgeRock Masterclass
Details coming soon!
Room 310
2:30pm - 3:20pm
UMA 2.0 Deep Dive: Applying User-Managed Access
Eve Maler
VP Innovation & Emerging Technology
ForgeRock
User-Managed Access has important implications for those facing regulatory pressures around data protection, market pressures around consumer trust, and architectural pressures around API protection. This masterclass will explain the purpose, structure, and flows of the UMA 2.0 protocol, including its OAuth2 extension grant and its federated authorization API. We will demonstrate implementations, explore how UMA is being profiled and extended for different sectors and use cases, and answer your questions.
3:30pm - 4:20pm
Masterclass on the DID Universal Resolver
Markus Sabadello
Founder/CEO
DanubeTech
The DID Universal Resolver is the first major project of the 30+ members of the Decentralized Identity Foundation (DIF). DIDs (Decentralized Identifiers) are a foundational standard for decentralized, blockchain-based identity. A DID method is a spec that defines how DIDs are created, read, updated, and deleted (revoked) on a specific blockchain or distributed system. DID methods have been implemented for Bitcoin, Ethereum, Sovrin, IPFS, Veres One, and Blockstack. The Universal Resolver uses Docker-based modules to plug different DID methods into a single codebase. This session will cover the W3C DID specification, the architecture of the Universal Resolver, the primary features of different DID methods, and where the Universal Resolver fits in the fast-moving decentralized identity ecosystem.
4:30pm - 5:20pm
Privacy 2.0
Eve Maler
VP Innovation & Emerging Technology
ForgeRock
Privacy notices and rights information, or the lack of them, comprise what is becoming the public profile of an organization's privacy transparency, or Public Privacy 1.0. The GDPR, coming into force on May 25th 2018, is the Y2K of privacy transparency, as services (‘data controllers and processors’) need to be transparent about data processing or risk being liable for non-compliance and being seen as less trustworthy and less competitive. This presentation proposes to cover privacy transparency and consent. It will cover how IdM systems need to be transparent, delving into the standards and data sources that are used to make privacy and notice systematic, usable, transparent and public. Privacy notices and rights information, or the lack of them, by default comprise an organization’s public privacy profile. How to build, measure and leverage organizational privacy transparency is the goal and critical outcome of Public Privacy 2.0. Privacy 1.0 is self-regulation based on privacy policies. Privacy 2.0 is transparency at a machine-readable and granular level, along with options for control. The GDPR (new EU law) sets the stage for the ongoing performance of privacy transparency, as services (‘data controllers and processors’) need to be transparent about data processing. The risk is that their privacy transparency and organizational performance are deemed non-compliant, untrustworthy and less competitive, translating into fines and lost customers, revenue and brand equity. Join this session to learn about privacy, transparency, consent, and control as they relate to identity systems, standards, and interoperability. We will discuss how the Consent Receipts and User-Managed Access (UMA) standards from the Kantara Initiative and the Open Notice project from MIT can play a role in solving these key challenges.
Room 311
2:55pm - 3:50pm
Panel: The Emerging Trust Services Market
Rachelle Sellung
Senior Scientist
Fraunhofer
Details coming soon!
Room 312
2:25pm - 2:50pm
User Behavioral Analytics & Identity Data Analytics – What works, what doesn’t; Lessons Learned
Kurt Lieber
VP, CISO IT Infrastructure
Aetna
For decades, Identity & Access Management has been rooted in the creation, maintenance and deletion of usernames and passwords. However, with the emergence of User Behavioral Analytics and Identity Data Analytics, we are now seeing IAM be positioned as one of the cornerstone key controls for any security program, critical in both providing early detection of advanced threats and also preventing malicious behavior by both internal and external attackers. This presentation will focus on the reasons behind the shift and ways you can take advantage of the new capabilities offered by these emerging technologies to dramatically improve your security program. Specific examples will be shared, along with real-world lessons learned from implementing this program at a Fortune 100 company.
2:55pm - 3:20pm
More than you think: Cyber supply chain risk management
Ulrich Lang
CEO
ObjectSecurity LLC
Supply chain risks (SCRs) are a major source of IT vulnerabilities, and the different risks are highly interrelated, including cybersecurity risks. In this presentation, I will present a current case study of innovative solutions – based on data aggregation, data analytics & AI – we are researching (SBIR Phase II) for a defense agency around managing SCRs, incl. malicious intent by adversaries. SCR relates to identity in many ways, including identities of supply chain participants, identities of items, etc. Session flow: (1) SUPPLY CHAIN CYBERSECURITY: how SCRs and cybersecurity relate and impact each other. (2) SUPPLY CHAIN DATA SOURCES: data about the supply chain is the critical precondition for being able to determine supply chain risks. (3) RISK ANALYTICS: overview of the risk analysis approaches and tools, and identity challenges. (4) RISK MANAGEMENT: overview of risk management approaches, including obvious, usually adopted ones such as debarring vendors and/or shippers, and vendor management systems. (5) CASE STUDY: military case study where an advanced SCR analysis/management solution within the context of IT hardware/software and cybersecurity is currently being developed. (6) CONCLUSIONS & RECOMMENDATIONS: actionable recommendations to help attendees cover this broader, cybersecurity-relevant scope of SCR for their own organizations.
3:25pm - 3:50pm
Assure your digital channels cost-effectively: Embrace Industry Standards
Colin Wallis
Executive Director
Kantara Initiative
Your brands are globally accessible to anyone with a smartphone and an electronic payment mechanism. But your digital and eCommerce channels tread an increasingly precarious path through multi-layered and incompatible regulations, rising customer expectations and cultural sensitivities. Compliance costs to verify identity, manage consent, handle personal data & preferences, and deal with seemingly unsolvable problems of delegated authority can easily spiral out of control. Leveraging industry standards and specifications offers cost-effective ways through the compliance minefield and delivers both strategic and marketing side benefits. But only if you choose the right ones. Learn how to strategically evaluate and adopt standards applicable to the industry context in which your business operates.
4:00pm - 4:25pm
Recognizing Customers At A Distance: An Industrial Age Company's Journey Toward Trusted Identity
George Dobbs
Architect
Massachusetts Mutual Life Insurance Company
This is the story of how a major life insurance company came to understand that the old ways of doing business are no longer sufficient to address the risks of the digital age. Decades-old processes using paper forms, web portals and call centers and even agent-mediated contacts are under attack. This talk will describe how the problem became known, how awareness spread through the organization and alignment was generated between various teams. We will discuss the techniques that will address call centers and portals as well as strategies for paper and agent-mediated encounters with customers. The journey is expected to be long. The talk will wrap up with a progress report.
4:30pm - 4:55pm
Customers--Who are these people???
Diane Schlegel
Global IT Analyst
Caterpillar
Customers--Who are these people??? We used to define customers as those people who were part of our dealer network, removed from us by at least one layer. Now, we are working to redefine who our "customers" are and what we need to do to provide them the best possible user experience while maintaining our security requirements. The struggle is real!
5:00pm - 5:25pm
Automated Identity Management with the Ping Admin API
Jack Hart
Sr. Enterprise Architect
Entertainment Partners
We will present our work using the PingFederate Admin API to manage identity configuration across 6 completely independent, continually used identity environments in the day-to-day operations of our business. In our customer-facing environments we have the typical DEV, QA, UAT and PROD environments common to software development. As we've been bitten by sharing identity components in development before, these environments are completely autonomous. We also manage our own internal corporate identity for employees and have both a PROD (production) environment and a UAT or Test environment for trying out software from various vendors to be used internally. Our first goal was to be able to create a new environment via pushbutton control using an existing environment as a template, useful for standing up new environments quickly and also relevant for correcting broken identity configuration. Additional goals include more fine-grained activities such as rolling out identity features like 2FA or a federation with a business partner. Once creating an environment with a specific configuration became pushbutton fast and easy, we discovered new potential capabilities like taking a problem found in production, replicating the production configuration to an offline test environment and re-creating and resolving the problem away from live users. The solution is a lightweight Python API that wraps and simplifies use of the more complex PingFederate Admin API. As configuration objects in PingFederate represent a dependency tree, the Python API uses hypermedia to lead the client through the critically important sequence of API calls. As identity configuration demands a significant amount of systems work, the use of the PingFederate Admin API is interleaved with systems-level infrastructure and file operations driven by SaltStack and Jenkins.
The solution is deployable via a command line client integrated with Jenkins, as well as various other front ends, easily accessible from various mobile and web apps via the API. Future work includes development of more fine-grained procedures, the addition of a NoSQL data store for use with canonical configuration management, audit trails and a variety of similar concerns, and integration with Jenkins automation and user interfaces.