Event Recording

Kim Cameron - Cloud Based Customer Identity for Enterprises


Potential advantages of cloud services over on-premise solutions, like cost savings and higher resilience, are even more significant when it comes to large-scale use cases like managing your customers' identities. In this talk, Kim Cameron guides you through experiences and conclusions from a number of recent implementations and provides you with insights on how CIAM will evolve over the coming years.

Welcome back. It is a great pleasure to introduce Kim Cameron, whom everybody here knows; for those who don't, he does identity at Microsoft. I think the idea of this is really to position identity not only from the consumer perspective, but also from the perspective of integration into enterprise infrastructures, as well as considering that the employee at large scale is not the only one: the citizen and the consumer are also identities.

Thank you very much. It's great to speak in Paris. The funniest thing happened to me on the way to the rodeo: I passed a guy who was operating one of those machines that digs out dirt under the ground, with shovels and everything, and he was wearing a tie, and I thought, this is Paris. Then I wasn't wearing my tennis [shoes]. I hope you'll be okay. So I'm gonna talk about cloud-based customer identity.
So I'm gonna start with just a few things that I think are really just unbelievably important. The first is for us to think a bit about the state of consumer identity on the internet. Those who have heard me talk know that I've been saying this for a long time, so I won't delve into it in great detail, but basically the internet was designed with no way of knowing who anyone was, or of knowing who you're connecting to. And as a result of the lack of any kind of architecture or scientific approach built into it, everybody did what we all do on the internet: innovated, created our own one-off mechanisms to solve the problem and create some kind of way of forming relationships. So everybody did what they wanted, and everybody did different things.
And it was done by people who weren't really trained in what the issues were, people without, in those days, any concept of the immense security issues that would arise later, or of the problems around privacy, or any of those things. We were in the early days; everybody who was working on identity on the internet in their one-off way was essentially optimistic about what we were doing. Of course, in hindsight, in 2016, we understand we should all wake up every morning and be thoroughly pessimistic, first of all about those same things, and secondly about the attack surface that the internet represents and all of the dangers, given the way that we implemented it. That may sound depressing, but now I'm gonna cheer you up.
The good news is that CEOs and the like have now come to understand the dangers and liabilities of the current situation of consumer identity on the internet. So this is huge. I'm glad I saw it before I die. I'm gonna live until 130 or something, but I still was worried I would never see it. The fact that they see it means we can change it. It's always very difficult to do something of that scale if you don't have the understanding, deep within the entities that control our enterprises, of what's right and what's wrong. [Wrong microphone; I was trying to advance the slides with it, but it didn't work.] To go one step further, not only do the CEOs know what's wrong, or realize that there is something wrong and it has to be put right, we're also in the age of the cloud. I've spoken before about the cloud. It really changes a million things in dramatic ways, just like the invention of the computer did. One of the really significant things that happens through the cloud is that it becomes possible to treat all of the access points into the cloud as signals.
And basically you have thousands of signals. Sorry, I should be saying billions of signals, that can be interpolated through other cloud-based technologies, like artificial intelligence functioning at cloud scale. And so you can actually detect patterns, in virtually real time, about the attacks that are being made on the internet, through the internet. If you go back to pre-cloud periods, each of us was, as Craig Burton once said, [separated] from everyone else, but in such a way that we were as close to our enemies as we were to our friends, on an internet structure with no way to tell who was attacking whom. And so basically that provided anonymity for the attackers. Now we're in a situation where, through the cloud signals, we can detect attackers. For example, if we have somebody who's looking for Kim Cameron's username and password, and he starts off attacking some kind of service, one service and then another service, or in another country or in another company, if we start to say, okay, let's bring all of the failed authentications together and put them through an engine to see what is common in them,
you'll start to see that there is an identifier that is being attacked. Oftentimes that will be because somebody has stolen a whole set of usernames and passwords from some entity and is now trying those username/password combinations across the rest of [the internet]. I'm just giving that as an example of the kinds of things that change when you can use cloud power to solve the problems that arise in the cloud period; all of these attacks are really cloud-era problems. When you put this together, you come to the fact that through the use of cloud technology, through the knowledge the CEO has gained that things have to be changed, and through the increasing importance of doing customer business on the internet, we have this huge opportunity in front of us to professionalize consumer identity, and to do it while cutting across [silos]. In other words, instead of having everybody create their own identity systems based on little experience and not understanding all of the threats and cryptographic issues and so on, we're able to drive that down into just a basic capability of the internet through the use of cloud technology. And that's really what I'm gonna talk about.
So one of my premises is that people sometimes chisel off customer or consumer identity from the rest of the identity problem. But the truth of the matter is that consumer identity is the relationships between consumers and enterprises. And when I say enterprises, you always have to add the word governments, in the sense that they too have exactly the same issues; they call their customers citizens. So allow me that shortcut. In the enterprise world we've always had a number of models for identity lifecycle that have arisen. One is the administratively managed model. That's the one where Harvey sits down at a console, George comes into the company, Harvey creates an account for George, and so on. In modern systems that happens constrained by policy, so it's no longer that Harvey can do anything he wants; he's got a lot of controls, hopefully, on what he does. And then there's the federation-managed identity lifecycle, where you federate with some other party and all the people who are managed by that party appear in your system. [Someone, shut the door; it's distracting me. I'm so easily distracted, especially by myself.]
Anyway, in this federated model you have all of these identities coming in and synchronizing into a central place. For example, when we build the cloud systems, to give you some background on this at Microsoft: we have a product called Office 365, which is a product for employees where they do basically their Outlook and SharePoint and similar things. Instead of running it inside the local enterprise, it's running in the cloud, which means they don't have to go through all of the hassle of running it; instead Microsoft has to do that. And so therefore Microsoft has to get a lot better at making it easier to run.
The way that typically works, or in many cases, is that the enterprise doesn't create new accounts in the cloud. It just federates into the cloud, and so all of their local accounts just materialize in the cloud. There are many other examples of that, where you have, say, multiple companies who are collaborating together, and so they create common directories by bringing them together across different things. So that's what I'm calling the federation-managed lifecycle. Then we have the externally provisioned lifecycle. We have these nice compliance products like SailPoint and so on that have ways of driving identities into other systems, and those can manage identities. And I guess what I'm saying here is that now the world has turned from looking inside the enterprise to looking out; from just using computers to automate the way it has always done business, to using computers for a whole new model for doing business, this model where we're faced out towards our customers, out towards our partners, out towards our supply chains, and the whole firewall breaks down, because it's useless in a period where everything is about facing outward.
And so to deal with your customers, you need something new; you can't have them all put in place by an administrator. You need to be able to have them basically take the initiative and say, I want to be your customer, and then have them be able to create all of the stuff that is part of their relationship. So I call that user-driven, and I use this terminology of user journeys. In other words, we can set up user journeys for our customers through which they can control how they share their identity with us. Now, one really important thing is that this is not an equal playing field in which customers, service providers and identity providers all share power and live happily ever after in their meadow. In reality, the people that are providing services hold all the cards in terms of how that relationship works.
The option for the consumer is basically: I'll participate, or I won't participate. And identity providers are just people to whom service providers might, at least temporarily, delegate some business. So these user journeys are created by service providers in order to structure their relationships with the individuals. That's the current state of the art. I'm not saying that's ideal, and there are parties in this room who I adore who are gonna change that. That's one of the things that I will try and bring out. [I don't know why this keeps... oh, I guess there's a turn-off-the-screen button.]
It was excellent design over at tech; they weren't predicting me as a customer. So in order for any of this to happen, this professionalization, my view is that the essence is that we need the internet to provide a safe engine. We need the cloud systems to provide safe engines for user-driven consumer identity. In other words, so that the people in the enterprise who are creating the user journeys don't have to take the responsibility for ensuring the security or the privacy of the data in their systems, because that is not core to their business. That's a tax on them, and they're not professional at managing those things. And that has led us to the current situation where there's breach after breach after breach, etcetera. So, for example, in the system that I've been working on, we divided very rigorously between what is controlled by Azure and what is controlled by the enterprise customer.
Azure controls the security of the system, the privacy of the information, the APIs, and integration with enterprise infrastructure. I cannot overestimate the importance of integration with enterprise infrastructure, because really, if you create an identity technology and it doesn't integrate with enterprise infrastructure, you have created a tree falling in the forest with no one there to listen to it, if you know what I mean. It's a useless thing. The whole essence of this is having things that are valuable to the service provider and then integrate into the existing infrastructure. And you can't expect the customer to be able to handle all of that as a one-off; it's too complex.
And then you need the system to control the compliance and the governance and the reliability and the management of the geopolitical issues. So all of that is just an off-the-shelf thing that you get as a commodity, at a commodity, super-commodity price, along with... and when I say reliability, I mean like four nines. So what then is left for the enterprise customers? Well, the relationship with the consumer, the visual experience, the sources of information that they get in, where they get information from, what is stored, who can see it, what the content of the APIs is, as opposed to the management of the security of the APIs. Be really careful [about that distinction]. So what we've done in order to achieve that thing of making it possible to integrate into the enterprise: we took this stuff that's already integrated into the enterprise, that handles the identity of employees and of machines and devices and everything, and instead...
Okay, let's just stick this other thing, these user-driven identity experiences, right in there, so that the interface from outside is identical. So nobody writing an application or running something inside the enterprise has to do anything different; it's just gonna pop right into what they're already using. Or if somebody with a brilliant new idea comes along and creates something that fits into this framework, they don't have to go and sell the governance story and the technology story and the reliability story. Those all come for free as part of the infrastructure, and then the innovators can just produce on top of that, and don't have to subject themselves to the horrors of compliance, of proving compliance. The system can do that for them. So these user journeys help companies create these enhanced relationships. I'm gonna give you a few examples, and one of them is kind of fun because I just saw it this morning.
Well, that's fun for me. Somebody sent it to me and said, hey, look, these guys have just set it up. We never heard of them; we don't know who they are, and I have no idea who they are, but it's an example of how you use this B2C technology. So they created all this stuff, all this fluff that represents their site and the visuals, and they put in a few little placeholders where these things appear, like what kind of sign-in you want. And for those who are interested in the security: there's no JavaScript visible or usable. So it's impossible for any of the people who create the experience to accidentally create a cross-site scripting attack, or inject attacks down into the rest of the infrastructure. This is so important; for security people, it is huge.
So what happens here is they can sign in, or they can use a social provider. Let's suppose they decide to sign in and create their own account. You'll see this thing where it says "send verification code" and so on. There's no coding; that's all just provided automatically and exists. So once again it's not attackable, and the security of the password storage and all of that is controlled by the system. Here's a case where it actually sends it out to email and people can validate it, and so on. They don't write any code; there's no processing of that; that's all done. It's all vetted. It's open to security analysts from the universities and everything else to come and look and make sure that this stuff is secure, and black hats and that whole [crowd]. So meanwhile, when the guys at Wilson one did this, all they had to do inside their app was design the visuals and then make what's... I know this looks like Latin, but it's really fairly straightforward for anybody who's programming. It's what's called a redirect. It's used by all the teenagers when they're writing applications now. And then here's another group which did exactly the same thing. This is Real Madrid. Now Real Madrid really needs security, and I'll tell you why: because like the entire industry, the ball clubs, if I may call them that, not being a soccer expert, I just pretend they're baseball players.
The professional sports teams don't really need to go through television systems anymore. They can go directly to the consumer and just get rid of the middleman and sell everything directly. But what does that mean? That means that they're no longer running a fan club; they're running a multi-, probably a multi-billion dollar commercial business in which they're dealing directly with their customers. And so I like this as an example, because it really shows what consumer identity ultimately becomes. It becomes a mechanism that completely transforms the business model of the people who are in that business, and turns identity into something very tightly integrated with the whole business model and the income stream of a giant corporation.
And once again, they don't need to worry that any of these experiences expose them to any attacks. And all of it integrates into their enterprise infrastructure. It uses standards to work with Unix, Linux, or the old Microsoft systems. [Microsoft supports Linux, and you love them.] So I'll skip that; that's from the other side of the house. So that's what we have released this year, and which is being adopted even by very small customers, like the first one that I showed you, but also right at the top, by big companies like [inaudible]. I really believe that by driving the prices of this stuff down to near zero (if you look at the pricing, it's shocking) and giving a very, very secure identity framework that people can hang their applications off,
you're doing something to really change the structure of the internet and enhance its privacy and security. Now, what we're working on now, what we're gonna be releasing next, is the thing which is advanced journeys. And the goal there, which I wanted to share with you, was to include the whole identity tech ecology in this journey-based system, so that somebody with a new claims provider or a new idea will be... I keep hoping that the "me too" people will see this as a mechanism for being able to more easily integrate into a wide [range of] enterprises without having to go through all the hoops that might otherwise be the case. I just use that as an example. You also have people coming up with really interesting authentication systems. You have blockchain, which can be popularized and tied into this, which we're working on very hard, and all of those kinds of things. So it is really an infrastructure for that. You can have any kind of claims provider. You can tie in databases to the journey. You can tie in workflow engines, so you can set off things where you want customers to call people, or whatever that would be. You can connect to RESTful providers and storage systems. Now, how much have I gone over yet? That's still the common five minutes.
Okay, I think I was gonna show you this: a government system that was integrated, building it. So governments, when they're doing stuff with citizens... this is an EU government, with the name changed to protect the innocent. So I'm gonna show you this [idea] of a trust framework you can actually have. It's no good to do these things so that they only work for one company, because often you have a bunch of companies who want to interwork, and you have, for example, in a government, all the different departments that want to work [together], and you want some things to just all be the same. But then you have the real serious high-security agencies who want some things to be the same, but some things to be different. So you need this mechanism of having trust frameworks that tie together but allow refinement and extension in different directions, so that you can have a lot of reuse but still have specialization.
So that is built into it. One of the things I liked from the government case was this one where you allow people to just go in and create a digital identity as though they were just going to a football club. But when it comes time to actually get serious and pick up a check from the unemployment insurance or something, well, then you have to go into an office. You get your card; they validate on their system in the office that they saw you in person, and then they use your mobile phone and they link your digital account to the physical account, because they've done an in-person proof. But the nice thing there is it isn't like on day one, when you want to deal with the government, you have to waste two days just to get no benefit at all.
You have the relationship with the government right away. You can use it to do a lot of things, but the day you want to get money, you have to go in and do an in-person interview. Well, I don't do that. If you guys give me money, I'll go and do an in-person proof interview anytime. So I like the way they did that. And so this is an example of the back-end dimension. What you'll see there is they enter the card ID from the in-person meeting, and then there's a link to the digital ID in the government [system]. So what I'm trying to show here is this is not just a matter of having the database. This is a matter of taking all these intricate systems and connecting them together for the benefit, well, in this case, of the government or the service provider, and the benefit of the individual person who is using the system. So with that, I'll just say: let's professionalize consumer identity, and let's build a system where everybody in the ecology can tie into the cloud-based systems and be able to be innovative and create all the tomorrow that we wanna live in. Thank you.
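The "bring all of the failed authentications together and see what is common in them" idea from the talk, as an added example that is not part of the talk or of any Microsoft product: a Python script that correlates constructed failed-login records from several services and flags (a) identifiers whose failures fan out across many services and countries, and (b) sources that fail against many different identifiers on several services, which is the trace left when a stolen credential list is replayed. The log line format, the field names and the thresholds are assumptions made for this example.

```python
"""Cross-service correlation of failed authentications (added example).

Each service on its own sees only one or two failures per identifier, below any
per-service lockout threshold; only the pooled view shows the identifier under
attack. The key=value log format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines from four services in two countries; the sources
# use the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
2016-05-10T09:00:01Z service=shop country=DE ip=203.0.113.7 user=kim result=FAIL
2016-05-10T09:00:03Z service=shop country=DE ip=203.0.113.7 user=kim result=FAIL
2016-05-10T09:00:09Z service=mail country=FR ip=203.0.113.7 user=kim result=FAIL
2016-05-10T09:00:15Z service=bank country=FR ip=203.0.113.9 user=kim result=FAIL
2016-05-10T09:00:20Z service=fanclub country=DE ip=203.0.113.9 user=kim result=FAIL
2016-05-10T09:00:22Z service=shop country=DE ip=203.0.113.7 user=anna result=FAIL
2016-05-10T09:00:25Z service=mail country=FR ip=203.0.113.7 user=anna result=FAIL
2016-05-10T09:00:27Z service=bank country=FR ip=203.0.113.7 user=anna result=FAIL
2016-05-10T09:00:31Z service=shop country=DE ip=203.0.113.7 user=george result=FAIL
2016-05-10T09:00:33Z service=mail country=FR ip=203.0.113.7 user=george result=FAIL
2016-05-10T09:00:34Z service=bank country=FR ip=203.0.113.7 user=george result=FAIL
2016-05-10T09:01:00Z service=shop country=DE ip=198.51.100.4 user=harvey result=FAIL
2016-05-10T09:01:05Z service=shop country=DE ip=198.51.100.4 user=harvey result=OK
2016-05-10T09:02:00Z service=mail country=FR ip=198.51.100.5 user=paul result=OK
"""


@dataclass
class AttackedIdentifier:
    """Pooled view of one identifier's failed logins across all services."""
    user: str
    failures: int = 0
    services: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    sources: set = field(default_factory=set)


def parse_line(line):
    """Turn one log line into a dict; the timestamp is the first token, the rest is key=value."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def failed_events(log_text):
    """Parse every non-empty line and keep only the failed authentications."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e.get("result") == "FAIL"]


def attacked_identifiers(log_text, min_services=3):
    """Identifiers whose failures fan out across at least `min_services` distinct services."""
    per_user = {}
    for e in failed_events(log_text):
        rec = per_user.setdefault(e["user"], AttackedIdentifier(user=e["user"]))
        rec.failures += 1
        rec.services.add(e["service"])
        rec.countries.add(e["country"])
        rec.sources.add(e["ip"])
    hits = [r for r in per_user.values() if len(r.services) >= min_services]
    return sorted(hits, key=lambda r: r.user)


def stuffing_sources(log_text, min_users=3, min_services=2):
    """Sources that fail against many distinct identifiers on several services,
    the pattern left by someone replaying a stolen username/password list."""
    per_ip = defaultdict(lambda: {"users": set(), "services": set()})
    for e in failed_events(log_text):
        per_ip[e["ip"]]["users"].add(e["user"])
        per_ip[e["ip"]]["services"].add(e["service"])
    return sorted(ip for ip, agg in per_ip.items()
                  if len(agg["users"]) >= min_users and len(agg["services"]) >= min_services)


if __name__ == "__main__":
    for rec in attacked_identifiers(SAMPLE_LOG):
        print(f"{rec.user}: {rec.failures} failures across {sorted(rec.services)} "
              f"from {sorted(rec.sources)} in {sorted(rec.countries)}")
    print("sources replaying a credential list:", stuffing_sources(SAMPLE_LOG))
```

In the constructed sample, no single service sees more than two failures for any identifier, so a per-service lockout rule would stay silent; the pooled view reports `kim`, `anna` and `george` as attacked across three or four services, and `203.0.113.7` as a source working through a list of identifiers. A real deployment would feed the same aggregation from a central sign-in log rather than a string, and tune the thresholds to its own baseline of genuine typos.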
