Review of Whitehall IDM Europe 2025
This week I attended one of the Whitehall Conference events on their Amsterdam stop. The IDM series they run has been going for well over a decade in cities like London, Madrid, Stockholm and Amsterdam. The audience is made up of experienced identity practitioners and consultants focused on zero trust, identity governance and administration, privileged access management and customer identity.
I would estimate attendance this week in Amsterdam at roughly 150-180, with a range of sponsors including Omada, Ping Identity, iProov, Radiant Logic, Sailpoint and ManageEngine.
I was purely in “listen only” mode this week and was not presenting. Presenters were a healthy mix of vendor sponsors updating the market on their latest visions and practitioners within industry deploying software and architecting for modernization.
Aditya Kumar from Vodafone presented in the morning on their Internet of Things strategy. Some healthy numbers, including 60,000 users and 200 million devices under management, required a modern approach that could scale and perform authentication and authorization functions under pressure.
Cloud IGA vendor Omada updated the market on the “state of IGA report” that they released this year. Field Strategist Paul Walker walked through the content, which provided a vendor-agnostic way of understanding market capabilities for modern identity governance, as well as uncovering some results from a survey of over 500 professionals on where IGA under-performs and which areas require modernization.
IGA veterans Sailpoint presented their view of how IGA needs to play a greater role within the cyber security field. They argued that the security operations centre requires a bidirectional integration with the identity and access management suite of capabilities, to both enrich and consume identity data signals.
IAM (and IGA especially) has traditionally been seen as an “offline” technology, in the sense that provisioning, de-provisioning, JML and access changes are performed asynchronously using a connected/disconnected model. Even the “connected” applications (which are often only a subset of all applications anyway) are integrated with a push/pull data model tied to ticketing and events.
However, modern security-focused infrastructure is faster moving, with subtly different requirements for things like continuous discovery, threat-informed defence and the ability to respond in-flight to attacks before the attack has completed.
To that end, the presentation updated the audience on an initiative that has been running for several years: the OpenID Shared Signals group. The concept is that risk signals from a variety of different sources should be made available and shared across the identity fabric in a more real-time fashion, allowing threat and risk information to stay dynamically in sync with business change and tolerance.
Anders Askasen (author of Cybersecurity Explained) delivered an update on a case study of Delta Airlines, who had deployed Radiant Logic as part of an “identity hub” that helped deliver a centralised way of distributing authorization data. An interesting aspect of organisations like Delta in the transportation space is that safety is the primary objective, closely followed by availability.
If we remember our security 101 training from when we were all green and eagle-eyed, security was built on the CIA triad of confidentiality, integrity and availability. Everyone focused on the “C” first, thinking cryptography and encryption was all we needed. Alas, that idea quickly evaporated as we got into the real world and understood the need for integrity protection, as well as management of availability in the face of denial of service attacks and others. Safety in transportation and manufacturing can readily alter how security and governance are deployed.
Ultimately though, the Radiant Logic “identity hub” project helped improve access management productivity and compliance.
Mike Alders, UX Design Lead, Gemeente Amsterdam, provided a fascinating update on some user experience design lessons he worked through when deploying wallet-based infrastructure in Amsterdam. He explained how the original design focused on mimicking the cards we have in our physical wallets, and looked to make the same UI impression via the app, with tabs and card headers. The idea was that the attributes and data visible on the card front would be blanked out and redacted based on the sharing requirements the end user wished to apply. However, he argued this became quite confusing for the user, who didn’t realise the impact this had on sharing and which services actually had access to what data.
He also explained some difficulties encountered during the ID document (think passport and driving licence) on-boarding process against the mobile application. This typically involved taking a picture or perhaps an NFC scan of the document. However, things like lighting and picture quality often hindered this.
One final interesting detail he explained was the ability to perform mutual authentication against a verifier wanting information from the app owner. For example, if a policeman wanted to verify the age of a user, then before the user shared a verified credential proving it, they could in fact verify that the requester was a real policeman. I have not seen that use case implemented in the real world before, albeit mutual authentication is of course something we reference with ease in the digital world for the likes of TLS and machine-to-machine communications.
Payment network provider Swift delivered a fascinating presentation taking us through their journey to zero trust. Fadi Daood, Zero Trust Strategy Lead, and Ajin Man Tuladhar, Security Architect at Swift, talked through a maturity matrix they have worked through that articulated the various identity types (or personas in their terminology) and the stages each goes through, and how those required subtly different capabilities and technology. Each persona would require a directory or repository, as well as different needs for authentication, authorization and the like, whether that was a standard user, privileged user or machine identity.
The ultimate end goal was to deliver “continuous” authentication and authorization, which required more upfront contextual information at token issuance time, with a strategic view of using technologies like Shared Signals and SOAR (security orchestration, automation and response) based on real-time risk and threat information.
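Both the Sailpoint talk and the Swift talk lean on the same mechanism: a transmitter (typically the identity provider or a risk engine) emits a signed Security Event Token and a receiver (an application, a SOAR playbook) acts on it, so the security operations side and the identity side stay in sync without waiting for a ticket. The example below is an added illustration written for this write-up, not code from Sailpoint, Swift, or the OpenID Shared Signals working group. It assumes an HMAC shared secret for signing (a constructed simplification; deployed Shared Signals transmitters publish asymmetric keys via JWKS), and the issuer, audience, session table and subject email are all constructed sample values. The event type URI and the email subject format are the ones the CAEP and SSF specifications define.

```python
"""Minimal Shared Signals receiver: verify a Security Event Token (SET, RFC 8417)
carrying a CAEP session-revoked event and revoke matching local sessions.

Added illustration for this post, not vendor or working-group code. HS256 with a
shared secret is a constructed simplification; the issuer, audience, sessions
and subject are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import time

# Event type URI defined by the OpenID CAEP specification.
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_set(claims: dict, key: bytes) -> str:
    """Transmitter side: wrap SET claims in a compact JWS (HS256, typ secevent+jwt)."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Receiver side: check signature, typ, iss, aud and iat; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")  # check signature before trusting any claim
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected header")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    now = time.time() if now is None else now
    if claims.get("iat", 0) > now + 60:  # 60 s clock-skew tolerance
        raise ValueError("issued in the future")
    if "events" not in claims or "jti" not in claims:
        raise ValueError("not a SET")
    return claims


def apply_events(claims: dict, sessions: dict, seen_jti: set) -> list:
    """Revoke every active session whose subject matches a session-revoked event.

    Returns the ids of sessions revoked by this call. Replayed SETs (same jti) and
    unknown event types are ignored, so processing is idempotent."""
    if claims["jti"] in seen_jti:
        return []
    seen_jti.add(claims["jti"])
    revoked = []
    for event_type, payload in claims["events"].items():
        if event_type != CAEP_SESSION_REVOKED:
            continue
        subj = payload.get("subject", {})
        if subj.get("format") != "email":  # only the email subject format is handled here
            continue
        for sid, sess in sessions.items():
            if sess["email"] == subj["email"] and sess["active"]:
                sess["active"] = False
                revoked.append(sid)
    return revoked


def demo():
    """End-to-end run on constructed data: transmitter signs, receiver verifies and acts."""
    key = b"constructed-shared-secret"
    sessions = {  # constructed local session store
        "s1": {"email": "alice@example.test", "active": True},
        "s2": {"email": "bob@example.test", "active": True},
        "s3": {"email": "alice@example.test", "active": True},
    }
    claims = {
        "iss": "https://idp.example.test", "aud": "https://app.example.test",
        "iat": 1700000000, "jti": "evt-0001",
        "events": {CAEP_SESSION_REVOKED: {
            "subject": {"format": "email", "email": "alice@example.test"},
            "event_timestamp": 1700000000,
            "reason_admin": {"en": "Risk engine flagged the account"}}},
    }
    token = sign_set(claims, key)
    verified = verify_set(token, key, claims["iss"], claims["aud"], now=1700000005)
    seen = set()
    first = apply_events(verified, sessions, seen)
    replay = apply_events(verified, sessions, seen)
    return {"revoked": first, "replay": replay, "sessions": sessions, "token": token, "key": key}


if __name__ == "__main__":
    print(demo()["revoked"])  # ['s1', 's3']
```

The receiver verifies the signature before it parses a single claim, pins issuer and audience, and keeps a `jti` set so a re-delivered event cannot flip state twice; those three checks are what make an “in-flight” response safe to automate rather than route through a human ticket.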
Ratan Shetty, Senior IAM Product Lead at Odido Nederland, presented next. Odido Netherlands is the largest mobile phone company in the Netherlands, and the presentation discussed how they needed to deploy IGA for a multi-cloud environment.
This required different approaches for both connectivity and application on-boarding, with audit and compliance improvements as the strategic driver, which also helped improve productivity for staff on-boarding and access request fulfilment.