Zero Trust Identity

When moving to the Cloud, and especially AWS, common Identity Management functionality as found in on-premise tools have limited impact on securing your AWS environment, as many new types of access to a plethora of AWS resources for an overwhelming number of users need to be managed. Luckily, AWS provides a very detailed and granular model of roles and predefined policies to define who (or which entity) may be granted to access to which object. All done - right? Unfortunately, either through lack of insight to actual role entitlements or by large number of relations, control over the infrastructure is easily lost. The talk introduces a new way to quickly gain back overview and identify threats lingering deep inside this jungle and how to mitigate them quickly!

The face of customer identity has changed completely over the years. While legacy systems such as password-based authentication and SAML continue to be present in the market, more modern specifications such as OpenID Connect and FIDO2 are quickly gaining ground and powering unique use cases that enterprises require today.

In this session, Descope Co-Founder Meir Wahnon will:

• Highlight the changing customer identity needs facing today’s enterprises
• Share popular use cases of modern protocols like OIDC and FIDO2
• Provide tips on how customer identity can be an enabler for business teams

In this talk, we will dive into a common headache for identity teams: shadow admins. These are users who, thanks to some mix-ups in permission settings, end up with admin powers they shouldn't have. The “traditional way” of dealing with shadow admins is mapping all of them and letting the identity team decide what to do with it. This approach can work only if the number of shadow admins is small, however, our research, that is based on data of more than 50 organizations, reveals that in most of the big organizations there are hundreds of shadow admins and sometimes even more.

We will present a novel method that not only finds the shadow admins, but also recommends the identity team which permissions should be revoked to mitigate as many shadow admins as possible. For instance, we discovered that in most organizations more than 70% of the shadow admins can be resolved by revoking one single permission. Our method is based on algorithmic tools and AI. We will share the core concepts of it and show a few real-life examples.