KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Good afternoon, ladies and gentlemen, and welcome to this KuppingerCole webinar, consumer centric, identity management. It's all about context from identity management to identity relationship management. I will be the speaker today. My name is Ivan ly, a lead Analyst Analyst at KuppingerCole for some general information about taping Cole. We provide enterprise it research advisory, decision support, and networking for it professionals.
We do our research by providing various types of research documents, leadership compass, where we compare vendors in various market segments, advisory notes, looking at various topics and trends, vendor reports, executive views, and so on through our advisory services, we provide advisory services to enterprises and end users and to our events like webinars and seminars, our main event is the European identity and cloud conference, which is being held in just a few weeks in Munich.
We think this will only must attend event with a large numbers of speakers and areas covered such as IM governance compliance, risk management, as well as cloud security to include most of the major vendors end users. And thought-leaders in the areas covered. We recommend having a look at the full agenda, which is already online. We are also working on our upcoming conference on strategy and solutions for the financial industry in today's digital transformation era. This will be held in September in Munich.
I mean, sorry, in Frankfurt, just some housekeeping rules for the webinar. You are muted centrally. You don't have to mute and mute yourself as we control these features. We will also record the webinar and the podcast recording will be available tomorrow. At the end, there will be a question as the ends and answer session. You can enter the questions anytime using the questions feature of the go-to webinar control panel and at questions, period, we will select some questions and we will respond to them.
So this is a brief outline of the webinar, and I will go forward to how the landscape has changed in the last 10 to 15 years, I am is relatively younger compared to the other major enterprise disciplines, such as E R P and CRM and so on. And traditional IM as we, as most IM professionals know, it's focused around employee identity, life cycle, the management of the relationship between a user and a single organization.
However, it has evolved very rapidly over these past years, as well as it has achieved a high level of maturity standard maturity. And this is leading to several major trends. First of all, there's a recognition of the fundamental importance of identity, which goes beyond the traditional enterprise perimeter for any form of service provisioning, be this on premise cloud, be this consumer service, be this an enterprise provision service identity is always the glue that provides everything together. It go so far as to say identity is like the new perimeter.
Also, I am being much younger today and with this move towards identity or pervasive identity across the cloud, we could almost see that I am is really fusing with CRM today and he's becoming of seminal importance. And another trend we are seeing as well is it is the, the rise of what's called in many cases, consumer identity, vendor, relationship management, identity, relationship management, user managed, access, life management platforms, user empowerment.
All of these various forms describe primarily a, a big concern users have with privacy and the, the use and dissemination of their private information that they share with an organization, as well as from an organizational's perspective, the difficulties and complexities that organizations have in ensuring compliance in ensuring and not in ensuring that a data breach does not occur where this private information is leaked, because it can absolutely destroy an organization's reputation and brand. So users more and more are very conscious of where their private information is used.
We saw in Australia, we saw that the low adoption rate of digital health records, for example, in Europe, there is some upcoming, very strong, strong data breach protection laws in Australia. It's also being discussed. All of this is leading to us to think of identity as more than just employees, but as an entire relationship across which spans, which spans everything. And it's not just about users anymore, briefly as well. There I've mentioned life management platforms.
So I'll briefly discuss the definition as this is the definition Kuppinger call has put together a years ago, recognizing this growing trend towards the importance of user control and user self-determination when it comes to personal information.
So a life management platform allows individuals to manage and access all relevant information from their daily life and contextualize it, be it medical data, be it banking or financial data, be it less, less sensitive data, or even government data and the ability to, to selectively share it with third party organizations and always know which organizations are having access to that data and be able as well to revoke it at any time. This is a trend which it's, it's a trend, which is for, is driven by consumer demand.
Although we are not yet seen for the implemented solutions for this, because there are a number of complexities. We have quite a few other research papers, which discuss the complexities around the, the implementation of a life management platform solution.
Another example would be, this is an example of how a life management platform could work, where third party organizations can request data and the user can see that request and can see specifically what is being requested to, to some extent, we can see this with, with social logins where when a user selects to log in with a social networking platform or with Google, they are, they are told what they will be sharing and what sort of access they will be granted.
Again, oof is an example of how mature and how rapidly mature identity and access management has become due to the widespread use of this, of this standard. However, we all know that Google or Facebook make money off of users data. So there is in no way we are saying that Google or Facebook are examples of life management platforms.
In fact, these are the companies that are really leading this demand by users to have greater control over data, their data, which is being monetized, for example, and in, or in the case of very seriously sensitive data, such as medical health records. This is something where users, there's generally a low adoption because users are so concerned about the sensitivity of this data here. We see how a life managing platform could empower the individual through the concept of control, push, or informed pull either a user consents to pushing their data to a third party organization.
Or they know when an organization they previously allowed is pulling their data from their store. This is one trend. Another trend we are seeing beyond the need for privacy is the growing connectivity of everyone and everything. This is not anymore about just simple users and organizations. It's about users, devices, things, and people. And this is where relationships are exponentially growing. It's.
This is, this is with the upcoming internet of things, but the internet of things is not is, is already here. In many cases, people have smart watches, smart, smart phones. They have com they have cars which can actually be remotely hacked, which connect to their home networks. And these relationships also change. People are no longer just an employee. They may just be a single identity to a single organization such as an employee, but the minute they exit that perimeter, they are multiple identities. And there's multiple contexts, which must not get mixed up just as we can see here.
So when thinking about consumer identity from an organization's perspective, what needs to be aware of this reality that users have many other contexts and many other contextual identities, which would be, would be considered extreme privacy breach. If those identities would become intermingled, as everyone has been aware from publicized stories of an employer, getting a, of a, a users, Facebook and seeing, and seeing them being less of a exemplary employee, or perhaps criticizing the organization they work for and the ensuing consequences.
However, this is something that we need to be aware of and a customer could become an employee or vice versa. A former employee could become a customer or could be both. So this is, this is the, the, this leads us to what we have defined as some seven fundamental principles for the future of identity and access management, a customer-centric identity and access management. So a fundamental one is, as we mentioned, it's more than Newman. It's about identities, things and devices. And also there will be multiple identity providers.
No, there there's no simple solution. We've often there's been much discussion in various nations about some national identity provider, but given these contextual complexities, we just don't see this happening. And people don't want to be, don't want the identity. They displayed a bank to be the same one that they displayed to their government or to their friends and family or to their employer.
So we, there weren't this, this up, this hope for this dream that was espoused several years ago, you know, identity access management. We don't see that happen. There will also be multiple attribute providers. This comes back to life management platforms where not just will the identities provide different context, but various various attributes about a user will come from different sources.
Again, due to data classification, due to privacy concerns and fundamental fors, there will multiple identities. There will that. We just have to deal with the reality that there will be multiple identities because the very notion of a human identity is complex and users are entirely contextual users do not.
We, none of us behave the same way in front of an employee or in front of our partner. And that is just a fact of society of life. And there will be multiple authenticators. This is fundamental five. There will not be a single magical single sign on Federation protocol that allows a user to log in anywhere to any device across the world to any access any system. And again, citing the importance of identity relationships. We do really have to start to treat identity, not just as identity, not just within our previous scope of I IAM as access management, web access management provisioning.
We really have to start to think about IAM as the new CRM, and really have to begin to, to map these relationships, because this is how this is how user data can be. This is how business can grow. This is how opportunities can grow. We need to really start to think about how similarly important and central IM is becoming and how it needs to start to record all of these relationships where possible with data concerns in place yet IM is essentially now a CRM in many cases. And the final one is identity access risk varies in context.
So this is, this is of interest to security professionals, where we are seeing the rise of adaptive growth, authentication, and adaptive authorization. And this doesn't need to be onerous to the user. As we're seeing with various solutions providing multi-factor authentication or step up or step down based on context and risk.
Again, this can be completely transparent to the user. They should use a form of security intelligence. So it should not only be set by static policies.
Get, we need to deal with the fact that when a user needs to access a low risk piece of information on our systems, they, they should not be the user experience should again remain key because here we're dealing with it's often the first interaction with a digital organization is when someone signs up or when they log in to access that service. And if upon that first login, it's very difficult. They have to use a very complex password or, and the user experience is not, is not one that they enjoy.
And they're now used to the Facebooks and the Googles of the world in which who make this user experience very simple. This will be a lot of business. This will be a lot of customers yet. This does not mean a, a lack in security. This means that we need to very carefully establish a data classification and risk and contact risk context based risk scoring as well. This is to ensure both better security and a better user experience. So this is the way we, we should see this is this. This is the way that future identity works within our organization.
Social logins were just are just a fact of life. And the fact that we have contractors, we have partners, we have consumers, we have employees. They will be logging in from any form of devices. They will be accessing any form of, of system or application be this on-premise or the cloud.
In fact, we see on-prem as, or cloud as nearly something which needs to be managed from a risk perspective. We have some, we have some advisory services we offer for risk scoring in the cloud. And the cloud ultimately is an infrastructure detail, risk, some risk changes, but ultimately as with any service provision, if, if, if one purchases some hardware, there is then a service contract with a vendor, the same thing happens with cloud. And it's about managing those, those contracts, managing that risk and ensuring uptime, managing SLAs.
So legal is well isn't becoming increasingly important and legal or not just the no Sayers, because most laws across the world, including Australia or New Zealand, don't explicitly specify too much about where data should be stored. Exceptance exceptional circumstances.
So, and ultimately from a compliance perspective, if, if one does not follow, if there's not one, one is not legally compliant, that's where the big fines come in. That's where directors go to jail. And so therefore that's what the board is concerned about.
So all of this mention of identity relationship management ties to the digital transformation, to the fact that most citizens expect most services, be they government banking, insurance superannuation most expect these services now to be online and to be available to them along with identity relationship management, where we see identity as a CR, as the new CRM, we are able to extract valuable usage patterns and data, and maintain an ongoing relationship with the users, the devices, the user users, the service that's interested in.
And with this adaptive risk scored risk scored approach, we can provide better security, which is not a static security, which is not too focused on prevention, which means, which is the typical security by saying no default denying policy, but rather it should be adaptive. And user experience should really be key to this to ensure that in the future, whatever organization is has to manage customer identities will be at the forefront and people will enjoy using their services because this is key to, to the success of, of most enterprise industries.
So now there have been some questions, some questions and answer, period. I'm seeing a few interesting ones. There's an interesting question here, which is mentioning the ID relationship to devices. Would this be viewed as trusted devices, hence the death of the password? Okay.
That's a, that's a very good question. There's been a lot of discussion about the death of the password, and we also believe it should die. We believe that the password on its own is not a sufficient form of protection. And often in order to have a secure password, it means a terrible user experience. As most of you who in APAC have online banking, we'll realize that passwords don't change. They don't expire automatically. So we mentioned authentication and adaptive authorization.
So based on what a user is trying to do with a service that's offered by organization, there should be potentially a step up authentication, two factor, various forms of two factor or multifactor. However, this should be this should, this should not just be statically. This should also be contextually. So for example, geolocation device fingerprinting unusual times of night or day, or even in a very, this is coming up a lot security intelligence.
So this is no predefined rules, but just machine learning that if a user usually does these op, these performs these operations at these times of day on this device. And all of a sudden there is a change they're in another part of the world, they're using a device they've never used before a different operating system. Then that should flag something that would step up authentication. This is done very dynamically, however, trusted devices alone, as the question asks it, it's not just about trusted devices. It's about context and context is a range of factors.
A trusted device could be just the device. The user always logs into that device could one day be compromised. And that means that then the user is logging in performing operations. They don't usually perform so because we don't believe in anything such thing as a hundred percent security of preventative security, there, there really is no such thing as a trusted device. There just other device are usually usually users. Another question is, are we seeing any future for integration of IM with robots and neural networks?
That's a very, that's a specific question, and we're not seeing specifically IAM as in traditional IAM vendors. There's a few of them, actually. It's not specifically under IAM often. It's all what we refer to as realtime security intelligence. Some do there, there are some vendors that do offer what we call dynamic policy.
So it can, there is often a subscription service to, to say to the vendor, which will update both signature based attack vectors, and as well, often vendors use machine learning that they say, or analytics BI tools from BI to, to detect unknown, unknown. So anomalous behavior. So there have, there are a lot of very interesting vendors in this space, but they're not specifically IAM vendors. For example, I just recently had a presentation with a vendor called dark trace, which does security, intelligence, only detection. And it has no signatures.
It doesn't know the concept of signatures or like an antivirus. It just uses a new form of Basian statistics to detect anomalous behavior. But this is not again, they can be device centric, they can be user and identity centric.
It's not, it's not anymore. Just in the area of the typical identity and access management vendors. It's actually more, a more broader approach to security known as real time security intelligence. And some other vendors tend to focus more on privileged management. So privileged system, administrator credentials, SSH certificates, and the like other one is a question. Is there a tool which covers all those functionalities are the vendor up to date? Okay.
I can't, there are some vendors which are more up to date than others. Again, there in the mention of identity relationship management. What we're more seeing is a fusion of some very clued up CRM vendors who are thinking more about identity. And we're also seeing vendors who are thinking about a lot more than just provisioning deprovisioning, web access management. But they're thinking about identity of devices. They're thinking about security analytics.
So no there is, we're not yet seeing any single one stop shop, which is providing everything to do with first traditional IAM, as well as all of the security intelligence. So no, but we do have some leadership compass research, which is which deals with various topics, a big topic of importance. And as I mentioned since the user experience is key. It's key to focus on the crown jewels, not we, we can't anymore live by the default denied policy.
If we want users to have a great experience, what we need to do is data classification start from the, the, the importance of the data, not from which device it's accessed on when or where, because there is no real perimeter anymore. And often that means that there there's a large growing market for privilege management vendors, such as dichos such as cyber a again, they, they don't offer everything. They specifically focus on privilege management on the abuse of administrative credentials and as well detection and analytics surrounding anomalous use of those credentials.
But there's no, there is no single vendor that provides everything we've mentioned so far. Okay. A very interesting question here is, do you think customers are likely to pay for identity, for instance, pay subscription for a life management platform, or are we too used to being free? Okay. A life management platform it's been defined by Kuppinger call due as almost an ideal world scenario. We have some research on it, but as we all know, if in fact some people have gone so far as to say private information is toxic waste storage, it's toxic waste because it's so risky.
The more sensitive information you have about a user, the more risk you have to deal with, should that information be breached so far today, we have no perfect solution for both allowing a good user experience, say if a user loses their keys versus the possibility of centralized keys, and yet there's a risk of insider abuse. So life management platforms are what we define as what would need to happen for users really to once again, feel in control of their data. But another thing about is, is customers are likely to pay for ID.
And this is an interesting one again, with the, the need for a death of a password. There's a very, there's a very interesting thought leader, Ian Glazer, and he thinks the opposite. He thinks users, if you, he thinks that the password should go as much as possible, as much as possible organizations would externalize the risk of passwords. So social logins, as an example means that risk of storing password data is externalized to a very known provider, such as the Googles or the LinkedIns or the Facebooks of the world.
He actually thinks user should pay if they want to use a regular username and password, if they, if they insist on using a username and password and that you have to store the password, they in theory should pay.
Now this, this is not always appropriate advice for every sector or in the industry, but it's, it's an interesting way of thinking of user storage of user data and not, not just thinking and thinking very carefully about the risk appetite one has when one decides to store personal information or login credentials, as we've seen with later hacks, even, even unless salts and rainbow tables are used and very good hashes, even, even losing the hashes of passwords can be a huge disaster. Okay. I'm not seeing any more questions.
I wanna thank you all for those very interesting questions that have been raised. Just wanna give you one more minute or two, if there's anyone else who wants to ask an additional question and I want to remind you of our upcoming events, U I C I cannot recommend it enough because identity is becoming very interesting. And it's a lot more, as I am professionals, we, we need to change our skillset. We are becoming the identity platform of the internet. It's been said, internet is like, the TC is gonna become the T C P I P of the internet.
And we need to be there to, on that bandwagon and change our skill and change the way of thinking about identity to really gain those benefits. I want to thank you all for attending. Thank you all. And goodbye.
