Welcome to the KuppingerCole analyst chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts, I guess today is John Tolbert. He is a lead analyst with KuppingerCole and he's working with us and with KuppingerCole from Seattle. John it is great to have you back. And today we are talking about a specific flavor of identity and access management. We want to talk about consumer or customer identity and access management. You have just recently published a new version of our leadership compass, consumer identity and access management. And that means that there have been some changes. Recently we do these updates frequently, but what has changed in the meantime, where are areas of innovation, where are changes in consumer identity and access management,
Um, and there's a number of different, uh, ways in which the reports changed a bit since last time. Uh, I think probably most notably there are some new entrance in the market, or at least a new vendors that are in the report that, um, may not have been in the market that long. It's a big market and there's there's room for additional vendors to join in. I think that's why we're seeing an increase in the number of vendors and CIM, of course, many of them, some of them are small. Some of them are sort of regionally based. I think that also reflects the, the nature of, of this particular segment of identity management, that there are particular needs or business requirements that can be somewhat tightly aligned with regional differences, uh, in terms of not only things like regulations, but what, what kinds of identity management schemes may be in use in, in various countries?
You know, there may be countries where there's a strong notion of national ID or, or other, uh, common identity providers. So sometimes vendors will sort of specialize around that, but in general, yeah, there there's several key areas of innovation. First off, I guess we could talk about things like consent management and IOT device identity. Those are things that we were looking at, uh, in the last iteration of the report. Uh, and then we can also take a look at some of the things that I think are, are new compared to the last report as well.
Right. That sounds great because in the projects that I'm working at right now as an advisor, when it comes to consumer identity, I think what you just mentioned, consent management and, um, being capable of adapting to individual, uh, regulatory requirements for different countries, of course, the GDPR, and but much more, that is really an important aspect. So content management would be a really an aspect that I would be interested in. What has changed here, how mature our products right now in that area,
You know, they kind of fall across a spectrum, but I think in many ways, most of the common CIM platforms out there have built in pretty good consent management. Uh, some are completely feature rich and can handle, let's say, you know, most, any requirement around GDPR and they make it very easy for their customers to be able to utilize those capabilities. They present like, you know, consumer user dashboards for monitoring what they've given consent for being in, and also, you know, allow them to tweak that or, or request export or deletion of data. So a lot of those capabilities are pretty robust at this point. Uh, I think it will continue to be an area that we'll need further innovation as different privacy regulations come into effect in different places around the world. You know, we've talked a bit about CCPA California's privacy regulation. There's probably going to be additional evolution even there, but we expect, you know, same thing, different us states. There are the countries, uh, that have, uh, privacy regulations that now many of the CIM platforms are trying to build out. Um, the capability to kind of be the one-stop shop for a lot of the consent management, uh, uh, regardless of where their customers happen to be operating.
Right. That sounds interesting because this is really the, the, the foundation for doing CIM. If there is no proper concept management in place, actually no one is able to use these consumer identities. But what other aspects that you've mentioned? I think that is also really of interest to me as well. And I hope to the audience as well, you've mentioned devices and the, the, the connection of devices and many vendors are talking about using device identity for context information, but in real life, that is not really yet there, if it comes to consumer platforms, has that changed? Do you see device identity being important to CIM or getting more important?
Yeah, I think it is important and I think it will, uh, increase in importance for a couple of reasons. Like you were saying, it's kind of extrapolating from that, but you know, devices send in any can be another channel and other risk factor that can be evaluated. You can tie particular users to devices. I think there's an advantage in being able to do fraud reduction, but there are, I won't say we've, we've hit a peak of, of innovation here. I just think things like, oh, a device flows probably a well-accepted standard at this point. And, and some of the innovation that you see in, in let's say IOT device identity is around using IOT devices as part of a broader context for, uh, doing, uh, identity assurance. I think there are definitely some advantages to, in terms of being able to provide a consumer with a more complete experience by integrating all the different devices they have and tying that to the consumer identity for, for management. But I do think there's additional need for standardization, uh, in that space. So it'll be an interesting one to watch over the next, uh, year or two criteria
You've mentioned authentication. And I think there are already some standards around which deserve implementation. Is this also an area that you see as an area of innovation for these products, for the changes I'm thinking of phyto, for example, is that available in more products right now?
Yes. Um, you know, Fido two and web authen I think are sort of poised to take off. Uh, there there's a lot of implementations of it. There are lots of, let's say different kinds of authenticator vendors that, that are embracing this. Uh, many of the CIM platforms, uh, have support for that. Not as many as I would've expected are actually, uh, Fido certified. So I would like to see more of the, the CIM vendors get Fido certified and have, you know, like universal server implementations in the next couple of years, just to continue to build out support for the standard itself. I think that, uh, with an increased focus on things like passwordless authentication and MFA that, uh, that's kind of going to be the, the natural path forward for many of these vendors. Right.
And I think that's an interesting hint also for those who are looking at vendors just right now, uh, the difference between having it implemented and having it certified is surely something to look at, whether it's a tried and tested or a first version, one dot, oh, that's just running there without being fully tested and integrated. But what are other areas of innovation that you have seen? Where are the vendors currently investing? Where are they meeting the market needs?
Uh, several different ways. I think that many of the vendors have mobile SDKs can be good at helping to integrate, uh, MFA into customer apps. And they also allow, uh, the CIM vendor to collect different risks signals from the device that can then be used for, you know, adaptive, authentication scenarios. I think that's, um, going to be sort of a, a minimum requirement, uh, of CIM solutions, uh, in the very near future. Those that do not have a good mobile SDKs are going to have to provide them
Right, right. Another aspect that's interesting to me as I'm doing advisory and various areas, and we are more or less really focusing and preaching the identity fabrics approach when it comes to creating modern architectures. And one key aspect is defining well-defined services, um, and implementing them as individual services with clear-cut API APIs. You've mentioned that already, but also in an adequate technology paradigm. So, um, are vendors more moving now towards microservices containers to implement these solutions so that you can scale them so that you can orchestrate them? Is this a thing?
Yes, absolutely. I, um, was looking back at, uh, some of the data just yesterday and I found that, uh, uh, roughly around half of the vendors are moving in the microservices direction, which as you say is a great way of getting to identity fabric. And I think that this is going to become more and more of a necessity as different kinds of customers probably have, I am stacks, and yet they need to be able to sort of modularly upgrade capabilities within those. So if you're delivering a service as, you know, a container, um, and then being able to run that in a variety of different places and then very granularly upgrade those services as needed. I think there's going to be a real advantage, uh, for the vendors that take that approach and then also at advantage for their customers and being able to deploy an update services in an agile way. It really reflects how the world is doing business in the era of digital transformation.
Absolutely. And then you really can scale up when required. But another aspect that you've mentioned before that is quite interesting to me as well. You've mentioned that there are countries that there are regions where you have reliable identities already in place being provided by say, countries like Denmark or the Netherlands or Canada, where you can really benefit from existing identity sources, existing IDPs, which are trusted. Um, what, what do these services these vendors provide when it, when there is nothing in place. So is there proofing of identities, identity vetting in place and how is it done?
Yeah, you know, that was also a very, um, pleasant development of this time. I see far more interoperability with third party identity vetting and proofing services in different products now. Um, and you're right, you know, it's, it's often tied to particular countries, countries that have good national ID systems in place where, uh, you know, maybe information is available over API. So there, I would almost call them like third-party aggregator services that can pull in a different identity attributes. And sometimes it's outside the scope of government too. There are, you know, financial records, uh, in the U S you know, the credit rating agencies have information. Um, so yeah, we're seeing an evolution of this ecosystem of identity vetting, uh, service providers and the CIM companies are providing, uh, more and more direct connectors integrations with those services. And I think that's a really good thing for both the consumer side and on the enterprise side as well, being able to do, especially like remote identity proofing, you know, during the times of the pandemic is, uh, a real business advantage in a way of reducing fraud.
Exactly. And I think that's really important. Anything that reduces friction on an, in an onboarding process or in an upgrading process for an identity from being just a consumer and transforming them to a, um, to a customer who wants to spend money on that. I think also this update when it comes to understanding how trusted is such an identity that is really of importance, are there some more emerging functionalities, something that is new that has been added to the portfolio of CIM functionalities capabilities?
Yeah, I would say that sort of along the lines of identity proofing services, overall, there's integration with what we are calling fraud reduction intelligence platforms of which identity vetting services, uh, are a part. Uh, and the idea there is simple it's to try to help reduce the different kinds of attacks, generally account takeover attacks and, and new account fraud, uh, where, um, where fraudsters will collect bits of information about a real person, and then use that to assemble a fake account, um, you know, so that they can, you know, commit some, generally some sort of financial fraud, but yeah, there's, there's about five or six major, uh, components to fraud reduction. Credential intelligence is another important piece of it, you know, as a CIM solution provider, you would want to help your customers prevent fraud. Uh, so knowing if, if a credential like an email address or username has been used elsewhere for fraud, very recently, you'd want to be able to lift that up as a risk signal to tell your customer there's an increased chance that this, this particular transaction is risky. Do you want to proceed with it? So anything that the CIM solution providers can do to help, uh, improve the, uh, the risk landscape for their customers is, is definitely welcomed at this point. So I think, yeah, identity proofing, credential intelligence as an overall part of fraud reduction intelligence, we're seeing more and more of the CIM vendors making this available over API, maybe packaging this up, uh, having subscriptions and connections so that, uh, if a potential customer wants to build that into their, uh, solution, then, then it's easy for them to do so.
Yeah. Great. So it's definitely worthwhile reading this updated version of that document also for those who have been reading the earlier additions of this document, because things have really changed. I understand this it's already published, right? Yes. Perfect. Um, so I would highly recommend of course, to the audience, to head over to KuppingerCole dot com and, um, have a look at that document, but also for those who are interested in more information, um, I would highly recommend we are recording this episode, uh, in December close to the Christmas break. And as we are not allowed to leave home anyways, there are great videos available on the KuppingerCole side, which are the results of our online events that took place over the course of the year. And there have been several really interesting events, also in the, in the space of consumer and customer technology, consumer, uh, and customer identity and access management, great talks by end users, by vendors, by analysts and highly recommended. And you just can watch them when having registered at our website and they are really worth watching. Uh, I would really recommend these as well. Um, any other recommendations from your side when it comes to consumer identity information, um, and some resources you would recommend,
Um, for those that are interested in the fraud reduction piece, we have another report that published back in February, and I'll be starting the update to that, uh, in first quarter. So I do think these are very related areas and, uh, we'll probably continue to grow even more related in the months and years. Yes.
Great. I think that it's really a great hint as well, because as you said, they are really closely related and, um, when it comes to real life solutions, they most probably will work together to get to a proper consumer identity and access management while protecting fraud and other types of risk. So thank you, John, for being my guest today. I could talk about that topic for hours actually. Um, but, but we have only a limited amount of time. So thank you for being here today. Thank you. And I'm looking forward to talking to you soon. Bye-bye