Written on 23 March 2019, 11:33pm
Some notes following the Identity Management Europe event, 14 March 2019, Frankfurt.
- Ever wondered which are the biggest risks that we face? According to the World Economic Forum, massive data fraud/theft and a large-scale cyber attack both rank in the top 5 most likely global risks, while a large-scale cyber attack has the 7th most devastating impact. Worrying, no?
- The fraud triangle: pressure (motive) – rationalisation – opportunity
- Need-to-know – has strictly limited use cases (it comes from the military). In real life, we want the information to flow – don’t kill the business. There is always a fine balance between over-entitlement (leading to security risk) and under-entitlement (business risk).
- MFA with YubiKeys is the Holy Grail of authentication – superior to everything else.
- NIH: Not invented here: the strong bias against ideas from the outside.
- Build vs buy: the main advantage of ‘buy’ is the fact that it allows the customer to concentrate on their core business.
- In cloud infrastructure there is the concept of zero trust. Deny all by default. Never trust. Always verify. Never trust the client. Never trust the server. Never trust the network.
- Friendly reminder that cybercrime has become a 1.5 trillion business
Some emerging technologies:
- Password Authenticated Key Exchange (PAKE)
- Lightweight cryptography to protect the IoT
- Zero Knowledge proofs (Authentication and Transparency): the example with the colorblind friend is so good
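
The colour-blind friend protocol mentioned above, simulated as an added example (not from the event or the original notes); the function names and the two-ball model are assumptions made for illustration. It shows that a prover who sees colours always passes, a guessing prover passes with probability 2^-n, and the verifier's transcript is something it could have written alone.

```python
import random

def sighted_prover(before, after, rng):
    """Sees colours, so it just compares the two arrangements."""
    return before != after

def guessing_prover(before, after, rng):
    """Cannot tell the balls apart either; all it can do is flip its own coin."""
    return rng.random() < 0.5

def run_protocol(prover, rounds, rng):
    """Colour-blind verifier runs `rounds` challenges; returns (accepted, transcript)."""
    hands = ["red", "green"]            # labels exist, but the verifier cannot see them
    transcript = []
    for _ in range(rounds):
        before = tuple(hands)
        swapped = rng.random() < 0.5    # verifier's secret coin, flipped behind the back
        if swapped:
            hands.reverse()
        claim = prover(before, tuple(hands), rng)   # "did you swap them?"
        transcript.append((swapped, claim))
        if claim != swapped:            # one wrong answer is enough to reject
            return False, transcript
    return True, transcript

def simulate_transcript(rounds, rng):
    """Zero knowledge: the verifier can produce an accepting transcript with no prover."""
    coins = [rng.random() < 0.5 for _ in range(rounds)]
    return [(c, c) for c in coins]

def cheater_acceptance_rate(rounds, trials, rng):
    """Empirical soundness error; theory says 2 ** -rounds."""
    wins = sum(run_protocol(guessing_prover, rounds, rng)[0] for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    # Seeded only so the demo is repeatable; a real verifier would draw its
    # challenges from a CSPRNG such as the `secrets` module.
    rng = random.Random(2019)
    print("sighted prover accepted:", run_protocol(sighted_prover, 20, rng)[0])
    print("guessing prover, 3 rounds:", cheater_acceptance_rate(3, 4000, rng),
          "expected about", 2 ** -3)
```
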
Finally, some notes on automation:
- Robotic process automation can be used for automatic testing (auto-filling of forms)
- DevOps (combining responsibilities of Dev, QA and Ops) – only possible if a big chunk of the work is automated
- Workflow: Code > Build > Test > Deploy > Monitor – all of this automated (maybe except for the coding part 🙂 )
- Remediation using automation: service not responding: auto-restart; load spike: auto-scale instances; service failure: redeploy a new instance
- Use automatic monitoring tools (Splunk) to detect bugs before your users do