<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>On the road to Bandol &#187; Identity</title>
	<atom:link href="https://javacard.vetilles.com/tag/identity/feed/" rel="self" type="application/rss+xml" />
	<link>https://javacard.vetilles.com</link>
	<description>A weblog on Java Card, security, and other things personal</description>
	<lastBuildDate>Mon, 18 Aug 2025 06:48:26 +0000</lastBuildDate>
	<language>en-US</language>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.0.32</generator>
	<item>
		<title>Chip to Cloud, day 1: Mobile authentication</title>
		<link>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-mobile-authentication/</link>
		<comments>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-mobile-authentication/#comments</comments>
		<pubDate>Wed, 19 Sep 2012 20:42:34 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[Identity]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[Moile]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-mobile-authentication/</guid>
		<description><![CDATA[Presentation from Vasco&#8217;s Nicolas Fort. Of course, the use case is about banking, since this is Vasco&#8217;s stronghold. Banks have been used to interface with customers face to face in branches. 40 years ago, they added the phone, first with a human on the bank&#8217;s end, then without. They then added the ATM network to check [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Presentation from Vasco&#8217;s Nicolas Fort. Of course, the use case is about banking, since this is Vasco&#8217;s stronghold. Banks have been used to interface with customers face to face in branches. 40 years ago, they added the phone, first with a human on the bank&#8217;s end, then without. They then added the ATM network to check balance. And then came internet.</p>
<p>Internet banking has now taken over as the main interface with banks, with of course a shift to mobile devices in the recent years. In the end, banking is adapting quite fast to technology, because customers expect them to move fast (if they don&#8217;t, customers can switch).</p>
<p>So, the banking ecosystem has adapted to integrate new technologies, and they do that fast. Of course, at least according to Vasco, the problem is fraud, and the solution is authentication. Vasco&#8217;s answer includes platform evaluation (jailbroken or not?), user evaluation (2-factor authentication), transaction evaluation (2-factor authentication again) and finally validation.</p>
<p>The next idea is to use NFC to improve 2-factor authentication, for instance to provision keys, to perform WYSIWYS checks. Conversely, 2-factor authentication can benefit NFC, by providing flexible authentication.</p>
<p>That all sounds interesting, but I will need a bit more technical information to understand what they are saying. In particular, I am always careful with solutions in which one of the 2 factors needed for authentication is the device on which I want to do something. This may not be very rational, but I am not feeling good about it.</p>
<p>Of course, this presentation was a lot about advertising, and you can better understand where Vasco is going by getting to <a href="http://www.mydigipass.com" class="liexternal">MyDigipass</a>. This offer sounds interesting for securing online accounts. Maybe I will consider giving it a try.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-day-1-mobile-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chip to Cloud live, day 1: Opening panel on eID in Europe</title>
		<link>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-live-day-1-opening-panel-on-eid-in-europe/</link>
		<comments>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-live-day-1-opening-panel-on-eid-in-europe/#comments</comments>
		<pubDate>Wed, 19 Sep 2012 09:24:41 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[Identities]]></category>
		<category><![CDATA[Identity]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[smart card]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/2012/09/19/chip-to-cloud-live-day-1-opening-panel-on-eid-in-europe/</guid>
		<description><![CDATA[This is the conference formerly known as e-Smart. Apart from changing its name, the conference has also moved from Sophia Antipolis to Nice. No more bike riding from home to conference this year. However, the new setting at Acropolis is really nice, with a lot of room. To celebrate that, I have decided to attend [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>This is the conference formerly known as e-Smart. Apart from changing its name, the conference has also moved from Sophia Antipolis to Nice. No more bike riding from home to conference this year. However, the new setting at Acropolis is really nice, with a lot of room.</p>
<p>To celebrate that, I have decided to attend the opening session this year. We started with an enthusiastic eID supporter from European Union, promising us all regulations and standards ready for 2014, which sounds interesting. After all, there are very interesting deployments in countries like Belgium and Estonia, which could be extended.</p>
<p>Then, we get a panel, with the question below. Speakers are Christian van der Valk, from TrustWeaver, Herrmann Sterzinger, from G&#038;D, Massimo Cappelli, from Global CyberSecurity Center, and Marie Figarella, from Gemalto.</p>
<p>Why have eIAS services not been a success to date?</p>
<ul>
<li>Is it really the case? There haven&#8217;t been failures, there are many services ready to use, and a lack of recognition, with a common perception that digital signature is more difficult than it actually is.</li>
<li>Citizen certificates are too expensive, and the use cases are not compelling enough. This is changing in some places, like in Austria, where the state pays the citizen certificate.</li>
<li>Market fragmentation and lack of trust and confidence are the two main issues. They may even be linked because the fragmentation does not allow the development of global solutions, deployed across Europe.</li>
<li>Issues have been legal and societal, not technical. Fragmentation and lacking use cases are the most important.</li>
</ul>
<p>How would the new electronic identification and trust services regulation improve on this situation?</p>
<ul>
<li>Moving from directive to regulation is important</li>
<li>Making it global would be good, but also hitting some limits, in particular regarding discrepancies in privacy requirements.</li>
<li>Moving to a regulation will limit fragmentation, the scope will be larger, going beyond signatures to seals, timestamps, and more. Mobility between states will also be greatly improved. Finally, supervision should be improved.</li>
</ul>
<p>What additional key actions would be necessary to make eIAS a success?</p>
<ul>
<li>Sharing identity and authentication between public and private spheres would help. Also, aligning with the global market will help, including private support, like Adobe. Also, the recognition of non-PKI solutions would be required (that sounds interesting)</li>
<li>Moving beyond web authentication is required. Moving to global regulation loses things, such as already deployed eIDs, which do not comply with the new regulation, and also existing standards and existing profiles.</li>
<li>Bureaucratic simplification associated to eIAS would be a great help. We are also missing a common framework of expertise, with collaboration between national agencies. There is also a digital and cultural divide, which hurts wide adoption. Finally, including soft identity would increase the use of strong identity, if it can be used in our everyday life.</li>
<li>Associate reliable digital identity with a portable secure element, to allow 2-factor authentication. Build an open and interoperable secure Internet. Privacy by design. Push digital identity on all SIM cards to benefit from NFC</li>
</ul>
<p>Now, that&#8217;s quite interesting. The views from the panelists are quite consistent. The question that puzzles me most is the relationship between national and private identity. I am left wondering what opportunities will be given to private companies and web providers to leverage this eID. Making this happen would be a great boost to eIAS.</p>
<p>I also liked Gemalto&#8217;s analysis and proposals, which was short and to the point, except the last point, of course; mandating SIM-based identity for NFC is ludicrous and pure lobbying, at least because the SIM is not the only way to access NFC.</p>
<p>So, an interesting first panel, although there haven&#8217;t been many surprises and illuminating discussions.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2012/09/19/chip-to-cloud-live-day-1-opening-panel-on-eid-in-europe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Live from Oracle OpenWorld: Cloud and Identity</title>
		<link>https://javacard.vetilles.com/2010/09/22/live-from-oracle-openworld-cloud-and-identity/</link>
		<comments>https://javacard.vetilles.com/2010/09/22/live-from-oracle-openworld-cloud-and-identity/#comments</comments>
		<pubDate>Wed, 22 Sep 2010 20:42:49 +0000</pubDate>
		<dc:creator><![CDATA[Eric Vétillard]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[Identity]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://javacard.vetilles.com/?p=625</guid>
		<description><![CDATA[At midday, it is time for a little break in my smart card day, and go listen to an Oracle OpenWorld session. I might as well leverage today&#8217;s professional look to blend better into OOW&#8217;s suit-dominated crowds. The funny thing is that every OOW session I have seen ended up turning into a blatant advertising [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>At midday, it is time for a little break in my smart card day, and go listen to an Oracle OpenWorld session. I might as well leverage today&#8217;s professional look to blend better into OOW&#8217;s suit-dominated crowds. The funny thing is that every OOW session I have seen ended up turning into a blatant advertising session for some Oracle product. No exception on that session, which was about Identity in the cloud. Here are a few highlights of that session (before the advertising part), provided about raw:</p>
<p>74% of people are worried about security in the cloud, in particular because of the loss of control that comes from moving your applications into Software-as-a-Service, or even only when you are only getting to Infrastructure-as-a-Service. But, the worries come from the classic security approach with perimeter defense: your security is based on high walls keeping people out.</p>
<p>Cloud computing introduces a disruption, but it only means that perimeter defense has become obsolete, and that other things are required. Security now needs to be secured by policies, not only based on the topology of the network.</p>
<p>For an SME, the perceived risks (from ENISA) include vendor/service lock-in (am I stuck forever with Amazon?), malicious insiders (who is accessing my data?), management interface compromise (could someone impersonate my IT manager?), or legal risks (where is my data stored?). Another point is that shared services can be more attractive to hackers, because they can be granted access to several actors.</p>
<p>Of course, according to the speaker, identity is the solution. His main idea is to extend the (Oracle) identity management system used in the enterprise into the cloud. For instance, for federation, SAML-based federations can be used to get into the cloud. </p>
<p>Privileged account management is very important. Cloud services come with &#8220;superuser&#8221; accounts that have the ability to completely manage a service. These accounts should only be accessible through a mechanism that can track, monitor and control access.</p>
<p>For other accounts, account lifecycle management can be an extension of the standard enterprise system.</p>
<p>Something very interesting is to use claims-based identity. Claims-based provisioning can get the necessary identity information through a single SAML token, without having to directly connect to the enterprise systems. More importantly, identity assertions (such as attributes and roles) can be used for authorization purposes. However, this is not necessarily accepted by all cloud providers. When supported, XACML allows enterprises to export their internal policies to the cloud service provider.</p>
<p>Ultimately, the enterprise can become an Identity Services Provider, leveraging the IAM services available internally to cloud applications, or to partner applications outside of the enterprise. The objective is here to promote a loose coupling between the services and the low-level authentication.</p>
<p>Then, we get into Oracle advertising, reminding that identity management is part of Oracle&#8217;s offer, and provides all the services mentioned previously.</p>
]]></content:encoded>
			<wfw:commentRss>https://javacard.vetilles.com/2010/09/22/live-from-oracle-openworld-cloud-and-identity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
