Panel | Addressing Universal Digital Vulnerability with Modern Identity

And, but we invite Adam Price from Forge Rock also to the stage. And we have a short panel. And in as an introduction for that panel, I will be half moderator, half contributor, I assume.

And we, we prepared this discussion before, and this is a topic that I first got wrong and then I learned what it really meant. And I think that's an interesting topic. The topic is called addressing universal digital vulnerability with modern identity. And usually when I invite these speakers then for, for a panelist and or the mail, when I say, please introduce yourself first quickly. Okay. That we do.

Adam, can you do quickly, You've had you guys to introduce yourself. So yeah. I'm Adam Price, I'm with Ford Rock. I've been with for, for three years, tech 12 years. Love identity.

And yeah, super excited to be here. And for anybody that just joined the room, my name's Justin Richer, I'm an independent consultant based out of Boston. Done a lot of work in identity and security standards and architecture for about two decades. Great. And then the second thing I ask for is can you give an introductory statement to the topic so that we can start the discussion, but I think we're not yet there because I don't think that we all understand the terminology that's behind that, what we are looking at.

So the, I just read out again, addressing universal digital vulnerability with modern identity. So the question first of all is what is universal digital vulnerability? If I look at my notes and Yeah. Who wants to, Adam, I'll, I'll I'll kick that off. Yeah.

So, so we've developed this concept of universal digital vulnerability for rock because frequently we've heard this term of, you know, digital vulnerability. And mostly when we think about it, we associate people who have lack of access to digital devices may have permanent or temporary disabilities, or we think of our elderly parents or grandparents. But actually the concept of universal digital vulnerability implies that it affects the soul. And that's very, very true. As our life moves online and digital, the digital world becomes ubiquitous.

We'll need to ensure that we give everybody the right means to access the right service through the right channel at the right time. So this is no longer just about a certain cross-section of the population. This is about us all at a given given point in time. Right. This is nothing really new. There are other terms for that, but it needs, it needs to be tackled right now. How do you look at that topic of universal digital vulnerability and where does it, do you come across it?

So I will say that when I first read the description for this panel, I was assuming that because this is a security conference, this is going to be vulnerabilities like zero day tl, TLS exploits and other fun stuff like that, right?

But it's actually, you know, we're really talking about more of a, a wider sociological problem of the people themselves being vulnerable because of access to technology availability or even the fitness of the technology to the person in the US We had about a year ago an executive order issued that said that all new federal regulations needed to have equitable considerations inside the document. So I highly recommend you go read that, that executive order, which is a sentence I never thought I would say to somebody, but, but honestly it's, it's really good.

Well-intentioned piece of law that says that when you're putting together these regulations, especially technical regulations, you need to figure out like are you disadvantaging some populations are you disadvantaging some groups of users? And as Adam was saying, like this is not necessarily a permanent population, you know, this is stuff that grows and changes depending on the context. So to me that's the bit that makes it universal is that it's always contextual to what the person is trying to do and where they're coming from.

And just to add to that point, so you talk about the executive board in the US it's really interesting because this is no longer just a nice thing to have for, for, for many many years this has been something that's been conceived of, of something that sits within their company, ESG or CSR agenda. But actually if you look at regulation that's coming out in the uk, we have consumer duty, consumer duty places, obligations of financial service providers to ensure they leave nobody behind.

If you look at PSD three, PSR one that the commission recently published in its policy intentions, it talks about equity of access. If you look at other regulations like the EU Disability Act, all those things come into play. So regulations driving that market and providers are kind of compelled to address it in a more holistic way than just piece me way. Right. So my next question would've been why now regulations is one reason. Are there other drivers just Now?

Yeah, I think that, I think that honestly as a whole, as a society, we're becoming more aware of the, you know, the existence and the plight of disadvantaged populations. And, you know, you guys are all sitting at a panel with three white guys up on stage telling you about equity of access. Like quite, quite frankly, you know, systems are designed for people that look like us in a lot of ways.

So like, I am not gonna notice in, in any natural setting the types of things that would disadvantage others by and large because I'm not affected by it. But I think that in general, we as a society at large are making strides. We've got a long ways to go, but we are making strides at, at being more aware of things like this and, and the need to pull in expertise, particularly when you are looking about the, particularly the equitable access of systems and things like that.

Because a lot of the times the, the equity problems in systems and in regulations really just come from the blind spots of the people that are building it. Just not realizing that that was a thing that somebody cared about. Yeah. Like so if I can give a personal example, my, my middle child is non-binary. And so when you're going out and building up an identity database, like you're probably going to have a field that says gender and it says male and female is the only options in the enum. Or if you want to get really, really spicy, have a just be a Boolean that says is male.

I've seen that once. And, and then so for them, like how, how are they supposed to get in a system like that? Like they have to pick something that doesn't actually express them. They are disadvantaged by this. And that's something that's very deeply personal to me 'cause it affects somebody that I love very much my child. But 10 years ago I wouldn't have even thought of it. I genuinely wouldn't have. 'cause it was so far outside of my personal experience.

And I think that we're starting to see more and more of this in systems where, you know, teams are becoming more diverse, at least good teams are becoming more diverse because it makes better, more robust systems. It's interesting to say that ultimately until we experience it ourselves, we don't fully understand it.

I, I have an interesting example as well that really kind of spurred this kind of thinking on my end. A a very close relative of mine had a critical brain injury and overnight went from being the most tech savvy person to being completely unable to engage with any form of digital device, completely shut out the banking system, shut out the tax system, the healthcare system, good luck. Unless you've got somebody caring for you, you're stuffed. And the the thing is that technology exists and identity is there to provide solutions to these problems.

So it'd be interesting to me that connection as well. But I'm jumping a gun here, so Yeah, Absolutely. But I think also just inviting all of you to contribute questions and to, to the discussion. But first of all, you already said, okay, there's an identity database, an identity record that says male, female, something else, and how do I address this person? Maybe we need more than one dimension to look at that.

And the, the, the title of this panel is to address this UDV universal Digital Vulnerability. I will use UDB to be faster with modern identity. And you've mentioned identity and you've mentioned identity already. So where comes identity into play and how can we use technology to maybe address this, this vulnerability at all? Maybe starting with you Justin.

I, I think one of the first things that we can do is admit that the sort of traditional schemas that we have written around people in our identity systems are not really sufficient because they're written for specific contexts and they capture things that people thought that they needed at the time. And, and we get kind of stuck on those schemas. And I think that modern identity systems have a lot more, have the potential to have a lot more space and flexibility with how we're actually describing people.

And I mean, just look at the difference between like an, you know, an an INET org person record versus like the blob of JSON that you get back from an open ID server that can have literally anything in it. Yeah, just, just a sec, just, just let, let Adam add to that and then I I invite you to the question. Sorry.

Yeah, it's say, you know, we have ForgeRock, we kind of live, breathe and eat identity kind of for want of a better phrase, identity junkies. So we're thinking about this and how do you address this problem?

And, and, and for us it's fundamentally about three things. Identity has to be adaptive, it has to know the context. It has to know what channel the users living in, what their needs are, what the constraints are.

That's, that's the first thing. The second thing is identity has to be connected, right?

We, you talked about trust in your previous presentation within our network or bubble of trust, we have a number of individuals in the professional world, you know, in our personal world who can vouch for us and give access to us when we're unable to access that. So identity has to be connected to enable those connections. And the third thing we would like to say is that identity needs to be balanced. And our principally mean here about security. When my mom is trying to transact 20 pound sterling into to pay for her internet, she shouldn't have to be compelled to do SCA, right?

Or if she does, if she is, she should be able to be compelled to do that for a choice and a device off her choice rather than being given one standard size fits all kind of, you know, approach. So I was interesting.

I was, I was an open banking expo in London a couple of weeks ago talking about this and people were saying, how do you scale up open banking adoption, ultimately giving users the choice to be able to more easily access the service at the right time for the right channel. So, so that's, that's kind of our solution to that. Right. So you're saying open banking should be open. Exactly. That's a novel concept. Exactly. Yeah. Novel Concept Co coming back to the identity systems and having them flexible.

I, I don't know if this is also a problem, which is there in Germany, but in the Netherlands it's, we have a thing with last names that if we would do it the same way that it is done in the US then 70% of the, our country would be stored under the V because of fund there, et cetera. And then we would have the rest of the names. So there's, there's always already some customization happening there.

So I, I think that the possibilities from a technical perspective are there, but it, it needs to be, let's say, need people need to give priority to it. And I think that is more of a challenge than the, let's say the underlying technology. I think that that's, that's a great, that's a great point and it's a wonderful example because I had never thought of that. But I will say something, a corollary to that I worked, I consulted with a company a few years ago that worked in healthcare in south southwestern Texas, and they had what they lovingly called the Maria Rodriguez problem.

And so in most of the US we do not have universal, you know, we don't have federal IDs, we don't have universal identifiers for people and stuff like that. So a lot of times when you look for a medical record, you give the first name, the last name and the birthdate. And in much of the US that's good enough. But in this particular community, certain names are so overwhelmingly common that searching for Maria Rodriguez in that community is going to give you thousands of entries.

And so it is not a sufficient disambiguate because in the local communities that these people live with every day, it's the relationships between the people and all of this that actually act as the disambiguate. And our digital systems are not designed to express that or capture it. And just, just to add to that as well.

Yeah, it's interesting. I, from my perspective, I think, I think the technology exists to solve this problem. Yet why is the problem not solved? It's like passwords, right?

We, we've got technology solved and kill off passwords, but we don't. And fundamentally, I think it's about, you know, people and process. There were very compelling conversations this morning, the, the panels where CISOs were up on stage and they were talking about, you know, before you can start reaching out to CISOs across the network, you need to figure out how to make your whole security team work and talk to one another.

It's, it's that problem around having the right organization, the right communication, and the right profile. You talked about this in the scrums in the product, product design lifecycle, in the deployment life cycle. People who understand that rather than just piss me, you know, I work in marketing and a lot of people say, well, this is a great marketing banner, let's run this for it to be done properly. And for that problem to be addressed, we've gotta go deep down, In my opinion, as long as there is the, the demand is big enough and the pressure is big enough, there is always a solution.

And I can give you an example from my home country. I'm from Bulgaria and everybody who is born in Bulgaria gets a 10 number unique identifier. And this is a part of your identity. This is even the part of the, the, the identity.

So now, well, not now, but in the last 40, 40 years, a lot of foreigners come and want to use the, the services, but they're not born in Bulgaria. They do not have this identifier. So what did the government do?

Well, they made a new identifier, unique identifier for foreigners. So everybody who is registered gets this identifier and gets access to all the services. So in my opinion, they just be in enough demand and enough pressure. So I'm actually really glad you brought up the question of demand because there have been, you know, it's, I think it's really tempting to approach this as like, oh, well, you know, market pressures are gonna solve this because if I leave certain customers on the floor, and I'm picking on Adam A.

Little bit here from a previous conversation, you know, if I leave too many customers on the floor, then all my competitors are gonna snap them up and then that's bad for me as a business. That's not the type of capitalism we're in though, is it?

Like, if they're not make, if that margin community is not gonna make me a lot of money, then it's gonna cost me more to deal with that than it is to just let them go to the competitors and just, or just let them fall out of the system. And so I really think that this is where larger pressures to use your term pressures like regulatory pressure or other types of pressures can really help to push this.

This is why even though the executive order made my job as I'm working with NIST in the US more difficult because I had to now go write a bunch of equity considerations for the documents I was working on. It was, i it is absolutely, ultimately a good thing because it is forcing us to go and actually address these things at that level.

But we, we had this conversation, didn't we beforehand, right? And, and here's an interesting stat for you.

In the uk, 27% of the UK population are what's classed as digitally vulnerable, right? That means they haven't got access to the internet, they haven't got access to digital devices. That's 27% of the population. There's a significant market there that we cannot ignore. So I think when we talk about this in, you know, I talked about this different conferences, people talk about regulation, they talk about technology, but also there's a commercial sense in this somewhere as well, and it's, we're not talking about marginalized cohorts anymore.

If we apply the concept of universal digital vulnerability, the number grows all of a sudden. And if you lose 20%, 30% of your business, that could be a game changer in a competitive market that we're in.

So, Right, I think that's possible. But if 73% of the British population gave me 10 pounds, I'd be okay with that. Wow. I mean that, that's why British banks like Lloyd's Bank, Nat West, are investing heavily in this. Absolutely. Yep. Not just because it's ESG, it's commercial sense, right? We think it has to be both.

We now, at that point in this discussion that I hated to have, we have three minutes left, I had to cut off and I'm, I I just want to, we, we've described, we have a problem statement in the room and not much more. So if we, if we try to, to turn this around and say, okay, we need to go towards the concept of inclusiveness when it comes to dealing with our identities. And if you look at the reality, are organizations already well prepared to go on that mission to be more inclusive?

Are they doing it that, and if people here try to take that home with themselves, what would be good first steps to take? Or are we far, far, far than just the first steps? Maybe just a quick statement, maybe a good thought for the future, starting with Adam.

Yeah, I think, I think ultimately the key takeaway is to really look at the cohorts that you're engaging with. It's, it's going back to this very simple concept of user centered design, understanding what cohorts and demographic you're engaging with and understanding, you know, getting data points on where those users are seeking to access services, where those requests are, timing out and connecting that with where those customers either leaving or going to alternative access flows. So that's the first step.

But I think the next step in the journey has to be to really map the technology against those needs and those cohorts. And like I said, modern identity access management already provides the tools that needed to address this problem. So you need To want, you want to, you need to do it just, you need to want to do it.

The, the, the inclusiveness. You need to build it into the system just to, by configuring it. So Go ahead, Go ahead. So I think it actually goes deeper than that. I think that we need to build the inclusiveness into the system in before we are even looking at deploying it, when we're designing it, when we're building it, the people that are in the room, when they're making the decisions of what makes sense about what data type is the gender field in this database, those are the people that are going to make the important decisions that have this long running effect.

That out of generally speaking, no malice is going to negatively affect a lot of people without the designers of these systems knowing about it. So I think we need to act not just embrace, but actively pursue diverse engagement in our systems.

And again, three white guys are up on stage telling you to go be more diverse. We could have done a lot better with this panel. And I hope that co Nicole takes that, takes that note away because this is something that we as an industry aren't very good at yet. We're getting better. A lot of the tooling is there and I think that ultimately it's going to be the fundamental culture shifts both in the technology space and in the regulatory space that drive not only the capability, but the social desire to actually address these things. Great. Thank you.

I hate to cut down this discussion right now. And you're right, we need to be better in that also for us starting that is just starting that discussion in that real absolutely round. But first of all, thank you Adam for bringing up the topic. Thank you Justin for providing your insights and thank you for yeah, giving these these thoughts into a more inclusive future. Thank you. Thank you. Excellent. Thank you.