B2B IAM: A Gap Between Modern Demands and Current Practices

Good morning everybody, and thanks for joining this session. I do realize we are right at the end of the event, so very much appreciated that you're still here before probably flying home. We switch indeed subject quite a bit. We move on to something which is more on the business user experience side and well, I'm glad already that you are in the right place, meaning that the way the session is named b2b, something is already intrinsically not easy to be matched. That for some of you to what you might be interested about, I will be more specific on that.

But first, maybe a few words about myself. I'm now in the third decades of as a practitioner in the identity space for different, different companies, for different identity related solutions and have assisted to a lot of changes in the way we approach and solves identity related problem in the always evolving business context. I'm currently serving at Tallis, which is a French based company with a worldwide presence and a broad spectrum of identity related capability, one of which is the subject for today's session, but is not limited to that.

First things first, why are we talking of this subject? Well, because again, the the mantra, the underlying reasons why all this is happening is the digital transformation, which is a keyword you probably already gathered 15 times over the last three days, right? One presentation or another. I came to the conclusion that probably is even illegal to deliver representation at this session without mentioning at least twice digital transformation and probably even zero trust, which is the other reason why we're talking of these sort of things, jokes apart.

What are the implication of the digital transformation is that on the identity side, the attention shifted from the inbound identity constituents, which were the reasons for improving security or reducing cost or improving compliancy and progressively moved out of that more and more to embrace other types of constituents. So introducing a notion of identity diversity, which is now the new normal diversity, meaning not just internals, somebody else which is outbound originated and each of them with specific life cycle and interactions required. That's why we're having this conversation.

So what are those types of constituents? Of course the employees goes without saying that's where everything started, but a few years ago the tension went onto the way we deal with the consumer identity. More and more consumer or citizen or students of course, depending on, on the kind of scenario, there is an in between here and the in between is made out of two incremental categories, which only recently gain incremental attention. Those are the so-called gig workers, which are still person individuals. So though not belonging to the company and not a customer, okay?

And it's different in the way I need to list with them and the b2b. Finally, that's where we get constituents, which are company made of people are not individual, are company. So it's a company to company thing.

Again, a different animal. So again, this defines the spectrum of what we call identity diversity. Answer the questions, why is B2B different in the first place? Question that I hope to be answering in this short training minute-ish sessions. Second question, do any other identity solution over the one I already have to properly address them? And maybe the third one is there, are there solutions already that does it all at all meaning cover all sorts of flavors of identity diversity types?

Well, that's what I will try to answer. Of course, different scenario implies different chains of employee to business to consumer, or again, maybe even longer employee to business, to business to consumer. And maybe you don't call that business, you call it some other way you might call it, I don't know, brokers if you're in an insurance company for this, dealers if you're in a manufacturing company, but those are types of bees in in this, in these pictures. Let's pick an example just one in the interest of time.

It could have brought up more than that in this case is a is a bank, is a, is a banking group. So that recently moved into the real estate market and as such they have a go-to-market approach, which is indirect, meaning that they don't talk directly to their customer base. They'd rather talk to dealers which are reaching out to customers. And by the way, in two different ways, they might have dealers in a contractor relationship with them with the master bank directly or maybe through other banks of the same group.

So the chain of bees in this in back to life before is, is at the same time present in two flavors already. And what do they need in this scenario?

Well, they need to provide those dealers with access to applications to support the execution of their business model. So they want to be flexible in onboarding a new dealer and delivering to those dealers employees access to the application they manage centrally. This is a classical B2B scenario that implies delegation. Looking at those type of customer we get as usually as that's what we do for a living, right? Listen to customer and gather question for them very often in the form FP or an rfi. Now this is small phones and the room is too, too big probably for you to read.

The key thing is that if I, if we get more and more interesting questions that are very much in line with what I just summarized, of course not incidentally and those questions sounds like I'm just reading for those of you in the back, does your solution allow to manage user and is hierarchy? Hierarchy is an interesting word here of sales point. Second question, do you support multi-layered user management?

Again, interesting, right? But then we get into some variation of that, don't you solution? Does your solution allow to create your own registration process? Why do you need the registration process? Because the user is not coming from the HR system, it's coming from somewhere else, so you need to onboard them, right? Along the same line, is there an account validation process included? Interesting.

Again, why do you need an account validation? Because I cannot be sure that that person is really who claims to be in terms of belonging to the right organization, right? Or being a legit B2B users. My point here is that looking at the sort of requirements, and this is just an excerpt of maybe 50 requirements, what we see here in jargon coming from a vendor, it's a combination of what traditionally we would call workforce identity and consumer cases. There are two at the same time, okay?

Because about is about providing access but also onboarding and also a combination of identity management and access management requirements. So there's the two dimensional hybrid types of things that are factor any in the same case. If we look at what again is the classical response from vendors to this sort of requirement, which brings me to a very short history of what the market and the offering from people like me that has been in the space for the last 20 something years has been assisted. Back then we started looking very focused on the B2 e reel. Okay? Reason for that?

Cost compliance, risk reduction, right? Then we realized that there was a wealth of users out there, consumer customer, that required specific use cases and that determined the creation of a bunch of solution different from the B2 one totally devoted to the C space to later realize that the consumer, the CM was wrongly named. It's not just customer wrong acronym for the job. It was indeed maybe should have called external aam, okay? Because it entails at least three different flavors of externals, the b2b, the gig workers and the customers. Now it took us just print something here.

We understand that we should look at holistically with a single solution, okay? And we call that converge identity and access management, which are types of solution that are meant to do it all. That's what we do and we're not alone, but this is where lately the market clearly goes for reasons that I hope I summarized. Then what are the new conversation that out of this history we now have, the conversation we have typically can be split in three types of major sub conversations. Conversation number one is, well is what we call the customer first.

It sounds like talking to the head of digital, the chief marketing officer and they say we need to delight our customer, we need to improve the retention rate, we need to make them happy, we need to differentiate through them, right? It's about onboarding and giving them smooth experience. This is the classical cm, proper CM originated conversation. The customer first conversation is not the only one we have. There's another one which is what we call the extended team conversation. The extended team conversation very often comes from the COO or again the ad of digital.

It sounds like we need to streamline the way we manage the ever increasing number of external user or gig workers. This is about making efficient onboarding and serving and serving those users with the right access or withdrawing that there is a third conversation, increasingly important, which we call the contextual authorization. That goes well we have a bunch of application, a lot of them are cloud, some bespoke, some out of the box or we buy them yet we need to consolidate and make a better job in the way we authorize users on those applications, right?

So we we do that, but again, there is room for improvement. This conversation is for the cso, for the enterprise architect and it's about having a flexible way to model policies.

Now, what is the gist of this slide? Those are pre-conversation conversation. It doesn't mean that we get one at a time.

Most, most, most of the time we get at least the two of them pick any combination. Increasingly, often the three of them. At the same time when we talk b2b, you get the three of them at the same time. All of these three pillars matter. So what's my point is that if you do b2b, you can do also consumer identity management or gig workers. It's not working the other way around. If you just do cm, you cannot do B2B properly.

Let me be a bit more specific why that statement because if we split what is required by this different constituents in what you need to care about, along three lines, the onboarding, the assurance and the access customers is now well served by a very well established set of capabilities and entails things such as while the onboarding is self-initiated, the customer is initiating himself. The enrollment goes with the notion of also progressive profiling and frictionless onboarding, et cetera, et cetera. On the identity assurance it goes with the service.

If you enroll yourself as a customer to download a brochure, you just need your maybe your email address. Email address. If you purchase an insurance or a contract or some sort of course there's maybe they know your customer banking grade approach in terms of access again, of course goes with the service a customer is signing up for. So the customer side is relatively well defined and simple. When we get to gig workers in my diversity is one of the middle ones is already a bit different.

The onboarding is centrally managed, centrally meaning by the mother company where the gig worker is working for, right? Can be enrolled by them or can be invited by them in the insurance side. I still need to validate them because very often the the, the gig worker doesn't even show up at the office a single day, okay? Their contractual relationship is totally remote, which implies a notion of validation to be performed online in terms of access are very standard. They are predefined set of roles or capabilities that need to be given.

Each of them is pretty similar to one another in terms of what they're given access to. And then we get to the B2B where the is the highest peak of complexity and that's where my story lands onboarding different animal. You don't just onboard user, you onboard an organization and then the organization onboards user. So it's a multi-step thing. Totally different, more complicated, more capability required to deal with that. That's my ends my statement. If you do that, you also do the other two is not working the other way around, right?

So you onboard an organization and then the organization to a notion of delegation can onboard users themself. Okay? If you want to delegate that as often, if not all the time you want to assist in terms of assurance, you might have a notion of organization validation that would spin another conversation, but you might still have a notion of user validation though if you delegate that to the delegated manager in that organization, most likely they know the people in person and the validation is no longer required sort of proximity benefit that the delegation entails. In terms of access.

Again, you need the lounge party to let the user access the application they need to get access to, but maybe it's not as simple as the gig workers scenario. You have different flavors of users, so there is a catalog of service that they need to be available. There is a request and approval flow involved, okay? So you range within the same case from onboarding, validating and delivering access. That's again a combination of identity and access governance and access management to me.

Okay, so all in all what I just described is what still probably lack a proper name as my lie lost in translation. This is just a summary of the way I found in different webinars, papers, things to refer to what I just summarized and probably it's not a complete list. I asked Judge PT came up with another 15, but that was making this light too busy okay? For for being projected here. Okay as well. So pick your favorite name. We call it delegation management, b2, even ourself, we call it delegation management primarily, right?

Which is limited because it's not just that, it's way more than that as a hopefully I I I expressed now back to the question I started with, why is B2B different? I hope now you understand what I mean with that. It's because it requires also organizational onboarding and delegation management, which are unique to the B2B scenario, but are not just that. They also require everything you need to do on the CM space, right?

Second, do I need another identity solution to deal with that? Well, me, you might already be running an a CM solution and maybe an identity governance solution. If the identity governance one does a nice job in terms of business usability, business user friendliness, which is absolutely not all the time the case rather the opposite, then yes.

Okay, because that's pivotal increment. Very important. It would require a deeper conversation. Are there solution that does it all? Well I'm therefore of course for that reason, yes there are such as what we do because this kind of scenarios while we designed the solutions for starting four and a half year ago, okay?

Again, what is the design thinking is that if you do that properly, the B2B thing, you do a nice job already on the other scenario, not the other way around. Okay. Which is indeed my key point in this session. If you wanna know more, given that we are at the top, well, I'm doing pretty well on time, so I'm glad about this. I will be running an extended session on this very subject will maybe a slower paced delivery and a few more aspects cover in a few weeks along with Martin.

Kuppinger again is the same subject with a bit more to say around how it does, how it works, the way it looks and so forth. I realize we are at almost at the end of the conference, if you also, again, you wanna know more today where you find us, the tall boat is in the central, in the central, central part of, of the middle floor.

With that, again, we started from why we're having this conversation. The digital transformation is the underlying reasons why all this is happening. There are solutions such as the one we have which are addressing that hopefully in sustainable and reasonable fashion. Thank you for your attention and happy to get questions. Thank you. Well thank you very much Marco. That was indeed a very educational presentation. It's great. I learned something today. That does not happen at every presentation. Thank you. So do we have any Yeah, we have actually a question.

Hello, my name is Martin. I'm a deputy architect. I always dealing with the same thing, having B2B for also workforce and so if I understood properly, you're saying that we have to be a different IM solution or B2B space or, or the same? I I don't quite follow that part because okay, Well maybe NTT could be the same. I'm Martin. I could be belong to b2b. I also belong to perhaps workforce. I could be a customer. So identity is the same, the framework is the same, but perhaps the use are little bit different. So this is my mind question.

Yeah, Great question. Thanks for that. Maybe I should have clarified that indeed of you, my indeed will be be in a different relationship depending on the identity con identity and access context. You are participating in a given moment. Maybe that should have been a premise. Good question because maybe I will qualify that in my next session. Okay. That running in a few, in a few weeks. Of course I'm talking and I'm starting this conversation looking at how do I deal as a company running my business now entering a deeper step of a digital transformation.

I already started before, but still selfishly starting from me dealing with my way I manage the go-to market to reach my customer. Okay? So when I talk B2B and when I talk the, you might be belonging to the B part of the identity diversity sets is because you are not an employee, you are not a customer. You are maybe if we're, say we talk of an insurance company, you are a broker, which is a company of brokers like Hug or colleagues, which are in a business relationship as a company, which is in a business relationship with the model company. So that's what I mean.

Of course maybe you are a broker, you are at the same time a customer of any service online. Indeed. And in that case you are a C or a B. Okay? So I'm now looking at a single flavor of it that clarifies And thanks for and having the first question.

Okay, we have one more. Hello, Ali Netherlands.

Where, where do you see the, the added value of federation in B2B collaboration instead of providing identities to the business where you collaborate with, yeah. How do you see the role of federation coming in this topic? Good question because I haven't mentioned that. Indeed. I do realize that in the presentation I just delivered, I totally skipped the usual suspects of identity and access management such as the provisioning, the access, the federation, the single sign on I was not even mentioning there. My point here is being that it's more around what is the business user experience. Okay?

And the point that whenever you talk b2b, you now have a need for, yes, the launch part with the single sign on the idc, the saml, maybe you need to enrich because of the authorization with some token injection. What you can allow a user to be able to do. Those are indeed extremely relevant for the authorization scheme and enforcement you want to have. But my point is that you can find this kind of capability in many solutions, right? Pretty much all solution.

What you don't find, and that's where my case lands, is the business user friendliness of the way you manage that organizational onboarding and user onboarding downstream. Okay. That's why maybe I've been not touching at all, not even lightly on those still extremely important aspects of protocols and standards that are supporting.

Well, one more notes even on the federation case of, of course, if you now enter a relationship with the business part, with the business entity, you might be well federating with their identity provider. In that case, you now no longer need any else to have a user validation because you trust not just the authentication but also the belonging of the user to the organization in the first place, right? So that's another variation of why is relevant what you just rise. So thanks for the question. Great. We actually have one minute left and one question from our online audience.

How, how can you control the lifecycle management of converged identities, especially gig workers? Converge the identity mean, oh, okay. How can I control meaning the genre mover, lever equivalent in this scenario, right?

I, I can control that. Of course there are, and this is similar to what we just discussed.

Yes, there are life cycle rules that applies to the, to this scenario as well. Okay. Though much easier than what we usually assist in the B2 space where you have the mover, which has profound implication on the authorization you need to deliver. This case is more standardized. Why that? Because you categorize more, more often than in the B two scenario, specific types of access the user can be delivered. Yes. In the B2B you have a service catalog, but it's not as complex.

It's not as fine grain as what you would assist usually in a B2 case, I'm not sure to answer the question, but then again, happy to maybe have a follow up conversation with whoever Resner. Right. Great. Well in terms of time, let's just wrap up the session. Thank you very much, Marco.

Again, you Very much and.