Seamless Connectivity: Why You Need It and How to Get It Right

Welcome everyone to our KuppingerCole webinar "Seamless Connectivity: Why You Need It and How to Get It Right, access control and the digital era". This webinar is supported by Symphonic Software. The speakers today are Tim Johnson who is strategy director at RaidIAM, and Derek James, CEO of Symphonic Software. And in addition to me, Martin Kuppinger, I'm principal analyst at KuppingerCole. So before we start out quickly give you some time current information and upcoming events and guide you through the housekeeping slide.

And then I'll do the first part of the presentation, but I'll touch this in a minute when I talk about yet. So as you, I probably already know it's just, we are critical doing a lot of live events these days and side of our webinars. We have some upcoming lottery wins. We have also a number of KCLive events to draw one day, he went and the next one would be, IGA for servicenow infrastructure's running next week. Then we have the customer technology world, an event focused on consumer identity and related aspects and such as marketing automation, et cetera.

And then we do in November, our cyber security leadership summit. And so that will be an onsite element that that will be a remote element. So you can petition to debate in whichever way life in Berlin or remotely as you want. That's it on that end audio control and our housekeeping aspects. You are muted centrally, so you don't need to care about these aspects. We are recording the webinar and we will provide a slide X as well as the webinar recording short term for download.

So you will get access to the slides full speaker, and there will be a Q&A session by the end of the webinar I'm hybrid. You'll find the go to webinar. Well penalty, usually at the right side of your screen, you'll find an option questions and you can enter questions at any time so that we can run a sort of lively and interesting Q&A session by the end. So don't miss to enter questions once they come to your mind. So let's at least let's have a look at the agenda. I'll talk about examining dynamics or sort of station management and policy based on summarization.

I also look at w why these technologies are, and as widely deployed a state from my perspective should be, but also why did me be about to change and how this relates to the digital transformation at the end of the day? And second part, then Tim Johnson and Derek shames will give you a deep dive. You two on 100 or 8:00 AM. I've helped them to process to sign them up their digital connections.

On the other hand, Y platforms for policies based on conversation, flipped dynamical, cessation management, help, and achieving Cronulla, access management, governance control, and visibility, enabling Reddit, product innovation of digital services and products, but also keeping the regulatory compliance. So it's the blend for today. Follow that stuff already mentioned by the Q&A session. So let's get started. And why don't we talk about identity and access management. We see a lot of elements within identity access management.

So what I brought up here, KuppingerCole reference architecture for identity and access management and identity access management is Todmorden ITA, which is the identity life cycle management, the access governance. And it's far more than access management and privileged access management. So these are clearly the ones highlighted in the dark flu are clearly key elements, which are, I would say essential in every I am deployment, but they are not the only ones.

And so when we look at this picture where we have the four pillars of administration audit that help us analyze this authentication authorization, yes, we need to administer the accounts, the identities we need to audit. We need to analyze professor ever seeing us correct, and was for us at least brilliant principles and forest. We need to also educate at runtime, but we also need to authorize. And some technologies such as access management and identity Federation to help us with certain extent and authorization, but it's really a more cost grained authorization at the point of access.

And then we have at the system level, if you look at access control lists and windows servers and all the other types of entitlements, we have a lot of these things for which are useful as forestation. However, there's a logic in having something more, which is really based on policies that act on runtimes.

That is what we call dynamic authorization management, a term used in this context, very frequently APEC for attributes based access control, which is related to that set of technologies where APEC is more the concept of doing it and dynamic conversation management, this smarter type of technology. The other term, which is increasingly hot these days is piggyback for policy based access control, which I believe is the better one than APEC, but that is not the core of our discussion today.

So what, what, what is it about you, you're talking about dynamic authorization management, this about authorization at run time, external from the applications does this, the basic concept. So by standards you say, okay, I set these entitlements. So I have groups on my windows on my active directory that I have a sales on the fastest. I'm a windows server. And then the windows server uses the Kerberos ticket was to group information on the order ID.

So as IDs, et cetera, checks the access entitlements when accessing a file at runtime, but it's done at the level of the system. And then you have a lot of systems where you need to create groups and users and manage the titlements locally dynamic or authorization management is different because it is a system that authorizes makes the decisions on behalf of applications in a central manner. So an application in some way, requests, an authorization decision at runtime.

So is this user allowed to perform the transaction it's just use are allowed to debt or that, or that use that printer, access, that network, whatever else these are decisions made. And they are made by a central component. And by the way, this is not really new. IBM introduced req F they're a resource access control facility back in 1976, which is 44 years ago has been 44 years ago. So it's not entirely new, but as soon that wide spread, it's still hasn't reached widespread adoption beyond certain environments, such as mainframe.

And so D let me go sort of station management that's information uses the policies. And if you have a policy and change, the policy to change becomes effective immediately. So there are a couple of ways to integrate them. And you look at the left-hand side of this picture, and this left hand side of the picture, you will observe a couple of components, which is the policy administration. So where police are defined is a policy repository where policies are stored.

It's the decision point policies, policies are, so decisions are made, then we have to enforcement and we have policy information points. Well, additional information is Rick can be requested from such as I don't know, databases and systems, et cetera. So this is basically a model of consisting of various elements, and it helps us to make such decisions.

So again, here to read through the various types of things, and there are, there's a standard support such as exceptional, but there's also a lot of, I would say more specific and more likely to implementations today. So it's not necessarily that you need a support for that type of standard, such exact model. So it's more about the API support for integrating applications. You have her does, and they have very high level the concept, and this is based on access policies. And I believe that access policies, maybe the, the, the most underwhelmed element was in identity and access management.

So we don't use it as much as we can. We do a lot of things where we in fact build on that it's his policy, but we don't talk about excess policies. So we have to find, we look at identity Federation, lessor and web access management, traditional ones, more, there's some sort of policy which says, okay, this person is allowed. Or this group of people is allowed to access this a web server. That is one area. The policies are explicitly the defiant, but they have usually very cost green.

Then we have also a station level such as dynamic authorization manager with very detailed policies, which are explicitly defined, but not as much use as they could be. Dennis, when you do it externally, it makes a lot of sense. And then we have as a fine grain policies, which are not really reasonable to, to anyone. So yeah. To create groups and assign ACL's in active director. So groups in ICS on a windows server, the point is that you, it, we use excess policies to say, okay, that group of people is allowed to do what, but you rarely document that. And that is what you should chase.

So it is a bug defining the policies about implementing about enforcing, and we should use policies more intensively, more consistently. So, and policies are something which is relatively simple. So at the end, it's about a subject that can do a certain action on a resource. In a certain context, Martin Kuppinger is allowed to access this team's room. That would be access would be the action teams room would be the resource. And then that might be a context, for instance, only if he accesses from a secure network and then despite be applied in a certain manner, maybe across a couple of systems.

So we might split it for four different types of targets, systems and technologies. But basically that is the, the thing we we are looking at. So that is, that is the basic concept and perspective makes a lot of sense. Trust was policies because everyone understands the policy. Martin Kuppinger is allowed to do that. Every employee is allowed to access that people that are in the bookkeeping department, responsible for these activities can do data on that and can be expressed.

And then we can define what we do insecurity based on policies makes our life easier because this is used to understand policies, rules that looks at fairly different because rules are not effecting very artificial concept. So when proceeding from here, one of the things we recently published, a grant compass on identity and access management, you also look at the area of dynamic authorization management. And so the strand concept compass has to access to want us to sort of vertical axis is the highest level. The horizontal axis is the maturity levels.

So established technologies that has still some level of hype. I'm more into upper-right edge. Nisha's no hype, not very mature on lower left, et cetera. So we have niche hype established on legacy.

And, and in fact, it, from our perspective, we expect this market to grow again and to sort of a richer higher level of hype again, over the next few years, because we believe that it's a super essential technology for balancing the, the need of, of being very agile in, in, in, in our digital transformation, on the one hand, and on the other hand, fulfilling regulatory compliance requirements, fulfilling the security requirements. Why is this?

So, and this is where I'd like to introduce another concept we had KuppingerCole left developed, which is our identity fabric. So, which is our paradigm for, for a modern identity management. And to start, we said, in a nutshell, basically the starts were saying, okay, let's step back and think about what is it, what we really need to do in identity management. That is fairly simple. The trouble of identity management is to give everyone and maybe also every thing.

So you could add devices and things, as you will see in the next slide when seamless, but controlled access to every application, to every service, regardless of where it runs, regardless of the ID and the technical integration to the service, it is about managing the access, the governance, the authorizations, constant privacy, and more does this, the idea behind it. And based on that, when we go a little bit more into detail, then it means we need a set of capabilities such as an etc. It's API.

So we can work against such as dynamic our sister organization, such as privileged access and so on. Be put together in a set of services, which allow us to manage on one hand our existing infrastructure.

Yes, there's a need to manage the existing infrastructure, but on the other hand, and this is where I put on the red circle, which enabled digital services. What is the problem? And we look at digital services. The point is digital services meet. When I think there's some good reason for that need to be developed fast, they need to be developed an agile manner, and that there will be a lot of initiatives within an organization. What do you ask the widest?

That'd be ended up with all this digital services, several digital services, using different identity concepts, different registration flows, whatever else, different types of, of handling security in whichever way. So we need to expose some layer of services to help these applications, to use standardized services. And from my perspective, one of the essential services there is that we have on policy-based X study, externalize the authorization. So it makes development of digital services far simpler.

If that service trust kind of request an authorization decision based on a policy that does manage centrally, that service will be far more flexible, far more efficient to develop. And it's interesting. When I go into discussions with the digital teams that people run guiding the digital transformation development, the applications, then I walked through open doors, they understand it.

They say, yes, that's what we need, because then we can concentrate on the user experience, the user journey. We can kind of concentrate on the functionality on the business, the service, then you district service, we want to deliver instead of doing security. So what we strongly recommend is revisit your identity management, think about delivering identity service. So not just manage so identity management going out to the applications, but having insight channel, which allows the services to request something from identity management and as part of the services do it softly.

And if you do, it's roughly it's not just a registration and authentication, it is more and that more is authorization. And that is where the entire policy management comes into play. And this is why we strongly believe that we need to have such services as part of our Dante fabric to enable the rapid or to, to, to improve the time to well you into digital transformation. That's this way we really have a business benefit from identity management. And so then in the courses or station management, policy management, that delivers it, that delivers a business benefit.

And where do we go back to this initial picture? Then the question is where's the place of policy management and the place of Polish management is at the very core of the set of services, because it affects the access management because of affects the administration governance and other capabilities such as concept privacy, et cetera. Privacy can perfectly, will be expressed by a set of policies.

So Dennis, what we see here and strategically seen, we even would say, go, go for it or develop your policies at the business. And DIT level of managed them well, applied them for applications as I have discussed, but also for other types of technologies, policies are required everywhere and we need to shift to that to be more agile and to be more secure and more compliant. That is what I want to share with you with that. I hand over to Derek and Tim and Derek Hoover, whomever, you will be the presenter, Tim we'll start. Okay.

Then I'll hand over to Tim and to have you trust, tell me when I would make you Derrick the presenter, Tim, it's your turn. Well, thank you very much, Martin, further that really comprehensive overview if I am. And Dan and Keith knew factor for me was that you said it's been around since 1976, so it's not exactly new, but I think you really highlighted how complicated identity and access management can get, but also what can be achieved by getting it right.

So before we dive into the technology detail of what it is, I want us to take a couple of minutes to look at why you need it and how and why you're getting it right, is getting even more complicated due to some current social and regulatory developments, Elaine, to bring all of the concepts around dynamic access management, the Martin covered to life. We can then look at the enabling technologies and cover how radium and symphonic and help to deliver on that seamless connectivity. So here we are in our company, our castle, and we're very safe at the moment.

We're surrounded by a very solid perimeter. And the only access point is that small gate right in the center. So naturally we want to control who can come in. And so we have a staff policy handbook that the gatekeeper will consult for every potential entrant. This will cover the process of validating each individual's identity and of checking that it's an appropriate time for that particular entrant to come in, to carry out that particular activity.

For example, no one will thank you for letting someone in to empty the bins at midnight, but it turns out as we've heard from Martin that keeping that staff handbook updated, validating all and any identity documents and checking everyone's authorization, each time is quite complex. Now, historically, at least if it all becomes too much, we still have full control of when and to whom we choose to open that gate. We can effectively button down the hatches, but the landscape is now changing.

There's a global movement to facilitate open data sharing, albeit with consent and with appropriate security, but consumers and regulators are demanding ever more flexibility, visibility and control, which provides an additional layer of complexity for any company that is required or wants to enable data sharing. So what does this mean?

Well, in reality, it means we go from this. So this, everybody is welcome. It throws open the gates for entrance, whom you may not have a direct relationship with. It allows third parties to turn up at the gates unannounced, but then to come in and carry out activities that someone else has consented for them to do. In the case of open banking across Europe, any bank is required by PSD two to share data with any authorized third party, to whom the consumer guards, their consent, that consent could also be in one of two flavors.

It can be read only to read bank statement, information or more powerfully to initiate a payment from the consumer's account as if they were the consumer. So it's no longer enough or potentially even actually an option to close the gate. In case of any problems, you really need the granularity and the modern, flexible dynamic access management capability, which would then of course, needs to be implemented seamlessly across all parts of your business. But at the core of any data sharing exchange, there are three questions who, what and how, who are you, or who am I talking to?

What are you allowed to see? What data am I allowed to share with you? And how should we actually pass that data to each other? How sure am I that all of this is okay, that needs to happen before any data is transferred, the identity and access management challenges that any two data sharing participants can agree on which standards they will trust for identification, communication, validation, and data security, but it's moderately complex when it's a one-to-one connection.

So it becomes exponentially more complex when expanded to an open data ecosystem, sharing data between multiple participants across an ecosystem will still require those same agreements on standards, but data security, communication, validation, and identification to be reached and confirmed and validated for each and every connection in the open banking world. We've seen this lead to two very different results in terms of implementation. Although PSD two is the same requirement for all member states across Europe, the majority haven't specified a central trust framework.

So participants in the model on the left need to carry out many repeated background and validation checks before they can even bring their IAM and dam capabilities to bear in the UK under the strip to watch at the CMA order, the UK was able to reduce that complexity for participants onboarding by mandating the full common centralized trust framework, which radium is proud to have been involved in designing.

But the key and common point here is that a matter the model, no matter the implementation, and indeed no matter the sector, all participants need to be confident that their IAM and dam capabilities can accommodate multiple new requirements and additional players that will be demanded of them in the coming years. So you don't actually know who you may need to share data with tomorrow, or indeed what data you might need to share. So you need to have that framework to be able to adapt to all of them. So seeing what it's complex and why it needs to be dynamic, but what does it actually look like?

I'll hand over to Derrick now to talk to show what this means in reality. Okay. Thank you.

Thank you, Tim. I guess from a technology perspective, we, we all know that I, it systems architecture has changed enterprises, as you say are no longer controlling a traditional walled garden architecture surrounded by a perimeter of network security. And that perimeter moved out to the cloud for all sorts of things, data management, processing, and delivery. And also from our hardware point of view from managed what stations to, you know, independently held consumer devices.

So it's necessary for enterprises to tell consumers connect information and a much more complex landscape and to orchestrate the flow of information and a much more secure and managed way. And the reality is that configuration of connectivity as monies, no via business policies expressed via a set of rule rules, controlling those systems and integrations. Historically those rules will embed it in court as Martin alluded to, but that's no longer sustainable as we moved to much more distributed architectures and the inherent complexity that comes with it.

And as consumers interact across multiple devices, webs, mobile and API channels, the acquirement of what data is needed, what can be shared and how to share it is often very conditional on the consumer and the device context. And we developed the symphonic platform to deal with these challenges. So let's look at an example, a banking client of some phonics users or platform as a central authorization and orchestration engine. And it's PSD two program. And the PSD two regulation itself requires that our users or users activity undergoes dynamic risk assessment, unless the activity is exempt.

And of course the bank will have its own security policies. And these require seamless connectivity in real time, the data which sits in many different places. And if we look at how complex that becomes, we have different accessing data and different locations and all of that needs to be controlled as Martin said, in a single place and that symphonic.

So if we go and look at some of those transactions and we can see how the complexity starts to build and dynamic authorization can be used to deliver on those business policies, firstly, and the payment system or user is requesting a money transfer by via a web application. And previously that transaction was directed straight to the backend system, but PSD two regulation no requires that our dynamic risk assessment and step up authentication is considered as part of an authorization flow. So that request is passed to symphonic.

And then in the web, the payload contains minimal information about the transaction, the peer to peer account identify a payment value, but nothing else or our bank's mobile apps use the platform with a modern API backend. The web system has yet to be conditioned and talk to the legacy and backend, but the modern mobile apps can come. You can securely communicate with backend systems.

And what that means is that the mobile apps can easily be adopted, need to be adopted to provide that additional information as requirements evolved and that the legacy weapons system, which is more rigid and requires an enhancement. Sorry, Tim, can you move forward by one slide? Thank you. That's okay.

So some phonics receives requests, Lords that contain varying amounts of information depending on the channel being used and based on that channel and the type of transaction being performed, some phonic retrieved different information from different API APIs and legacy systems to augment that. And in this case, the requests being made via the web platform and minimum information is contained in the PSD two regulations permit exemptions.

If the beneficiary is already a trusted by the payer from previous transactions, if the beneficiary is trusted, then there is no need to run the checks again, the streamlines, the customer experience and avoid the cost of unnecessary risk assessments. So symphonic receives details about the P from an API service as required. And the list of trusted beneficiaries is provided for interrogation and being compared against. And if the pay is on that trusted list, the payment is exempted from that risk assessment.

So we have no provided an authorization service for two different channels, but of course through time regulations change, and this year a confirmation of pay check was introduced into that regulation, phonics easily extended. And you know, when we talk about agility, it's important that we can easily extend our policy sets. So symphonic is easily extended to reuse that contextual information about PS wisely are already available to it by adding a service call to satisfy the confirmation of paycheck. And of course the bank has different policies.

If it can move on to them, the bank has different policies and checks and place. When the payment is a balance transfer to a credit card or a faster payment for a current account, symphonic can retrieve information from a second API service containing details of the payer account to determine what kind of request is being made is a payment, a credit card, or a com account is at a high or a low volume balance transfer. And so phonic can use that information to continue to, to determine, sorry, which policy to follow, move on templates.

So the, the bank's dynamic risk assessment provider third-party cloud service, I'm sure you know, many of these, so that matrix and, and so forth is it is used to, to make a real-time cloud-based determination of risk. And of course that needs to be fed with the attributes and the context of the transaction of the transaction that's required. They need to be retrieved from various services, enter requests that can be sent to the risk assessment service for a result.

And if necessarily symphonic can transform that data from the format in which it's stored in inside the organization to the format that the risk assessment provider expects or combines multiple data points to compute your information. And then finally symphonic uses the risk assessment score and all the other pieces of information that has been assembled to compare against its policy sets and determined whether we need to permit, deny or retelling instruction for the user to step up that authentication.

So that simple example demonstrates one use of John the floor and the bank is using symphonic for over 120 different floors across its web mobile and API channels. And all of that is made possible by deployment of a modern dynamic authorization management solution. So let's look at some of the capabilities that's needed and why we're looking at we're processing in this bank 140 million transactions a week, and we're doing that at very low additional latency.

So that's a key requirement of dynamic authorization that we do not add to the, to the latency and transactions and, and, and key and key industries. So if we look at the four aspects that we think are modern dynamic and authorization management solution needs to have, I think the first thing is there is the capability to integrate to all of those underlying user identities, data attributes, and services. And that needs to be a comprehensive capability from a technical perspective, but it also needs to abstract that complexity because we know architectures are complex.

We need to abstract that into business terms so that the meaning comes away from the underlying detail and that those business terms are made available to subsequent policy authors and the language that they understand. And we also need to support the conditionality mentioned in the, in the banking example, for example, our account balance can have one technical end point on their one set of conditions, perhaps a channel and another end point in another set of conditions and other transformations need to be accommodated to commentate it, to provide a clean and clear set of business concepts.

So that policy management can be a clean process. So if we look at policy management, having defined a consistent and easily understood set of terms, our modern solution needs to be able to be driven by business users and not implies, you know, I agree a friendly interface with your perhaps drag and drop capabilities, but one that's able to work at the level of business terms.

And it's also important for the interface that we can share the responsibility for policy between business and I, it, but also to remove it is a blocker phalangeal change and consider carefully consider the separation of duties that's required for managing policy. We need to reflect the organization's operating models so that we can respect that. And the policy authors can be restricted and are only allowed to modify policies relevant to their own domain under an overarching governance model that reflects the organization's preferred operating model. And that can be a tested.

So if we look onto deployment, we understand the complexity of enterprise organization, software architecture, and the risk of change within that. So once we have a set of policies that can take advantage of that real time context and data points, we need to deploy these into production that we can deploy. We can deploy on premise or in the cloud or in a hybrid set situation.

And it's important to easily integrate into your best practices from dev ops pipelines to approval processes and saw that administrators can centrally manage the deployment of policies across tests and pre-production and production in prime environments deployment should be painless. And if needed access control policy changes can be deployed in minutes rather than having to wait for the next it production release.

And moving on to slide four, in terms of proving an important part of this, given that we're talking about authorization is the need to be able to understand how policies interact under given conditions, both to prove in advance that that truly reflective of our intent before the deployment, but also afterwards, so that we are able to audit the authorized authorization decisions that are made not only in the terms of what decision was actually taken, but also in terms of how the contextual data that used to support that transaction, how that was at the time of the transaction, and that can fully support diagnostics for subsequent policy improvement, but it can also satisfy regulators that decisions that were taken while justified.

So as data and services continue to open up to partners, customers, and regulators, the need to develop that seamless conductivity only grows. And by implementing a dynamic authorization solution, we see clients reducing costs, gaining that agility by moving that dependence on it, departments and their production cycles, or an external ox to external software packages providers and their slow rates of change. So they can be much more instantaneous and they're changing policies. We've talked about banking, but it's important to stress that, that opening up of data.

And it's accessed by third parties and consumers is not only in banking. We're also seeing other sectors like health and government insurance, pensions, energy, and others interacting more deeply with consumers and partners. And that drives complexity into designing the right approach to support future needs. And that requires an experience view to ensure that digital enablement is aligned with the needs of the business and continues to be aligned. So I'll hand back to Tim though, to outline how really I'm ensures that that alignment happens. Thank you, Derek.

So in today's world organizations depend on technology for all aspects of their business, but we see the most successful companies have moved from using technology simply as a tool to enhance their existing processes, to embracing technology as a catalyst for doing things differently, for excelling for their customers, both the internal and the external ones through a truly digital business model. However, that journey is not always smooth.

The pace of change, technological development, consumer and employee expectations plus ongoing regulatory compliance can mean that the way is not always clear, prioritization is required to avoid significant uncertainties. Now we understand that not everyone is ready to jump straight through to launch. You may need to confirm your overall business strategy to agree the prioritization on scope for your digital transformation. Then look at options for implementation and delivery before you validate your hypothesis and pressed that big red button.

As you heard earlier with our open banking example, radium has unique experience in applying identity and access management principles to new requirements. So we can bring that same approach to help you review, analyze, prepare, implement, and launch the best solutions for your business.

In fact, think of us like your personal trainer, when you first go to the gym, you're faced with a buildup well during an array of machines and classes. And the first thing a trainer will ask is what are you trying to achieve? Only once you've got an agreed and answer to that? Do you get the second question, which is how do you want to achieve it?

So this one as a trainer to take into account your preferences for in that case, running rowing, or cycling, or for solo activities or group classes, and then to design a program around you only then will it start to get you active, but they will keep you active. They can change the program if it's not producing the required effect, but even more importantly, there'll be able to introduce you to functional specialists such as physiotherapists at the right time, but back in the business world, what do we do?

Well, radium offers full suite of consultancy, technical design and delivery services to drive your business forward. Typically initiated by our digital enablement assessment. This is a short engagement.

We live as a comprehensive view of all your IAM dam and provide options for delivering against them over the course of just it's a couple of days, we will work with you first to understand what digital enablement can mean for your business, and to confirm your strategic objectives, we will then dive into understanding what your existing infrastructure is, how you use those capabilities to fulfill your strategic yeah objectives.

We will look into all the areas shown here to understand the activities, the functions, and the technology that you already have in place and help to identify any gaps or potentially even how you can use some of the additional features you didn't know. We already had. We will then be, be able to provide options and recommendations for the most appropriate solution for your situation, for your functional requirements, your time scales, your budget, which will fit with your existing architecture.

So we'll round it out the assessment with a proposal for a delivery, which we of course would hope is the start of a much longer, stronger working relationship. So radium works across the entire market of specialist solution providers, the physiotherapist in our gym example. So we can and will recommend different specialist solution providers, depending on your specific situation.

A multinational company with multiple legacy systems is likely to need a very different solution to a fully cloud based or startup company, but we can advise and more importantly, drive the implementation of whatever solutions are needed. We've successfully implemented products from multiple different providers into the same client to allow for true flexibility.

Now, of course, we do have a number of great experiences and good reference lines where radium and some font symphonic have provided complementary excellence in products and delivery services. So delighted to be talking together on this platform today. So if you already know what you need, and just want to know more about the art of the possible around access management, then contact symphonic. We can provide you a live demonstration of how and what this can enable.

If on the other hand, you're at the very beginning of your journey, I want to discuss what it all means for your business, or if you already know what it means, but don't quite know where to start. Then come and talk to radium. There are a number of ways to achieve your end results and we'll help you work at the right one for you to deliver on truly seamless connectivity in pursuit of your goals. Thank you very much, Derek and Tim mentioned earlier, we're looking at the agenda. Our next step is that we, that we look at a Q&A session and we are receiving already first few questions.

So let's have a look at the first question. So I'm not sure whether it's more to Derek or Tim, you decide who answers, how does this approach extent the, the existing I am and specifically adaptive authentication capabilities. I'll maybe take that Martin.

I think, I think we need really to separate the authentication and authorization concepts. And we see that, you know, adaptive authentication is, is really about getting some certainty around the identity. And from our perspective, you know, that's a very important step and, you know, and consequently, there are many, many good adaptive authentication products in the market, but we, we see that, you know, no that those barriers have come down and, and you know, that the castle is a more open place.

As Tim said, that we really need to be checking much more outside of the context of identity and maybe an example from health. So a clinician may wish to access our patient record. It's not enough really to assure the identity of the clinician. We need to also understand you has the patient given consent. Is that a legitimate relationship for that clinician, perhaps from that organization to access a patient's data, which may be kept in a different organization?

So, so what we're doing is we're extending that authentication piece by looking at a much broader set of context and, and taking that into consideration as, as it is expressed through policy. So for me, it's all about being much broader in its scope. Okay. Thank you. Next question. How does this approach on attribute or policy based access control and cooperate with existing rusty existing, our Beck world. So all that stuff around roads, et cetera, if do traditionally We're both stepping back from that, I guess, sorry, Tim. No.

Well, I was going to say the answer is it sort of depends on what your existing system is, but I guess the, the answer from radium is that we have extensive experience across the entire market of making sure and proving that it works very well together, but maybe from a more technical effective, sorry, Derek, and you, you may have some thoughts about exactly how it implements. Yeah.

I mean, I think to some extent, you know, w we, we see it really as a, again, pretty much like my, my first response, we, we, we see are really being expressed really as the relationship between the, the user and perhaps some small amount of attributes related to that user on under resource. And, and we, we see that with, with modern dynamic authorization, that, that, that traditional approaches are very static model.

And we, we are sort of making the model more dynamic by being able to in the middle of the transaction, alter that model by taking consideration of, of other factors that need to be analyzed if you like, and before we determine the validity of an access, that's a sort of conceptual response, but, you know, I think that's the right one. That's, it's really being able to step away from the organizational structures and the rules that have been given to, to take a much wider, a much wider context. Okay. One more question, and then I'll have fun.

I think the plus one which works, he goes, do you see adapt, adapting, dedicated dynamic authorization? I think you touched the financial financial services, which autos what you see here. Yeah. I'll take that one. And I think the short answer, is it any sector that shares data or engages in any form of digital business? So I think th the key movements that we're looking at at the moment, you said financial services driven by open banking and consented data sharing, certainly in the UK and across Europe, but also around the world.

We've seen moves towards smart data sharing more generally the Australians have their consumer data, right? Canada has called it consumer directed finance, moving into consumer directed data in Australia. The consumer data, right, is starting with being able to share financial data, but moving very quickly into energy, closer to home for us in the UK. Although following open banking's implementation success, the FCA is looking at open finance. There is also a significant amount of work being done on smart data more generally.

So open energy, open pensions, open telecoms, I think at least three of those are under active discussion and a consultation at the moment in the UK. And so we're looking forward to being engaged with any sector that shares that data and needs to adopt that type of dedicated dynamic authorization. So in short it's everywhere. Yeah. I would agree with that. And I believe clearly it is becoming more, more ubiquitous with just as part of digital transformation, wherever you really also see from our perspective auto businesses rate trumping on the train.

So what it has been banking while it has been insurance for various, for very early and sometimes governmental and, and defense organizations, it's far more use cases. And I think th th that really relates quite well to another question, which, which is targeted or ask to me, but I think we can all bring in our perspectives on that. And this is about how would we such as to best influence enterprise leaders to overcome the habits of dispersing security policies around technology, let's get the already hash.

So how can we convince them that use distributed dispersed approaches, but when you go to a centralized policy based access control system, and maybe let me start. And I, so from the conversations I had over the past months or the, the, the recent time, I think one of the most important factors and arguments here is really trying to get in touch with TD of the digital transformation team, including the architects and focusing on the time to, well, you can bring to new digital services, terrorist speaking, it's easier to implement new technologies for new services.

And given that a lot of money, and a lot of effort is flowing into these services. This is a very logical starting point. And if you have your success story here, I think it's, it's more straightforward to shift to the next use case. So that would be my pretty condensed, and we can clearly elaborate such a conversation, but that would be my starting point, what conversation and for convincing the enterprise leaders. There you go, Tim, do you want to add, I, I think, I think Martin, that that's, that's absolutely right.

I think what we see is a lot of industries, which are subject to some fairly onerous regulatory or compliance regimes. And of course the, you know, the GDPR in itself has made that a fairly ubiquitous challenge across all industries. So th there is as well as time to value that that is always the sort of traditional, what do we need to do to comply? And I think being able to protect our citizens data or, or any data, in fact, at that sort of granular level of detail is an important component of, of getting that compliance.

But I think in relation to the time to value and particularly the, the second project, which is, is always adopted on the dynamic authorization, it's the ability to very, very quickly change, as you said, and to get that agility in terms of driving your, you know, you, your ability to react to circumstances. And of course that agility also comes with other benefits because the centralization concept of dynamic authorization management provides another to, you know, key important key benefits.

And, and that is consistency by moving away from everything being coded at the individual application level, we're able to deliver a much more consistent stance against compliance. And we're also able to give a much more auditable stance against compliance, which is important. But I think the key one is, is, is, is a site from those sort of softer benefits. Absolutely. The agility is tied very closely to cost of ownership. And as we moved forward, being able to make policy changes quickly and consistently, and safely is a tremendous asset to providing that agility and time to value. Okay.

Thank you. We're not a final question for today would be an integration question, which is how does it integrate specifically with API gateways?

Okay, Tim, I've done a lot to speaking to you. Do you want to pick that one up? You've used it, or do you want me to pick it up?

I mean, So I guess the, the point is that it allows your API gateways to work properly, the API gateways in effect expose, but secure the API APIs that allow third parties to consume whatever data is that you have, what the access management does is confirm that you're letting the right people have that data, that you know who they are, you know, how they, how you're transmitting that. And you can confirm that they're allowed to certainly in the wider context of an open data sharing ecosystem, there may not be people that you've got direct relationship to.

So I think in short, it, it integrates hopefully seamlessly, certainly with the, the focus that we've had today, it ensures the functionality of the API gateway and make sure that you can manage that you can control the access who comes in and exactly which of those APIs they are allowed to see. And at what point idolize you to control it dynamically. Yep. Perfect. That's right. Yes. Thank you very much. And was that we are through the questions we have received. We are at the end of today's webinar. Thank you for everyone listening to this KuppingerCole webinar.

Thank you for symphonic software to supporting this. Thank you, Derek and Tim talks and information you provided to us. Thank you very much. Thank you.