Event Recording

What is CIAM and why do we need it?

Panel discussion at the Kantara Workshop

The first crack between even yourself for, for rock you welcome to. Right. Okay. So that's great. Well, of course we didn't know that we were gonna have Pam here. Well, you know, I mean the, the option is open just to, just to mix it up a bit, if you would like to sure. Okay. Opportunities. Absolutely. That's right. I predicted that would be absolutely perfectly predicted. Right. Right. Okay. So for gender balance, gen, can we, how can we happy that that's Andrew David to, to think given the fact that consent is a bigger part of what we're doing here, who's going to rock up on the panel to represent consent receipt
It's David then. Thank you, Helen this morning. That's it? Well, this is a way that, yeah, absolutely. So after the event, of course you, you can, you can say what you like, but now you've got to be nice. Okay. Can we, can we do one more? Can we find another panel? Participant for Barbara's questions? Design rules.
What about different? I would've asked Heather.
You would've asked Heather. Okay. Well then I would've let's make it. So
Heather. It is. There you go. How easy it is to choose a panel, put people on the spot. I'll leave you with it.
Well, first of all, thank you for helping me out. We didn't have, this is quite interesting because I was thinking of these people with my questions and I'm really happy that I'm on the other side. Now I'm not on phone the whole time looking whether myself is breaking or everything is gone between us. And I can relax and ask questions. So my first question, so I'm a designer, right? That I'm not just techie I'm I'm. I would call myself a designer. Now with those four years, you've just mentioned, what have you learned your panel? What would be the most crucial design rule? If I'm a company I'm little company starting Z, what would you tell me to watch out person? That's my question to my persons have changed I'm but if you have an idea, if somebody of you has an idea, push,
Push it up. Look, I can manage technology. Probably the one thing that that pops into mind is when I see companies starting in the identity field, they're focused on a sector they're focused on, on consumer identity or academic identity or government identity. And those silos are really fictional. There. There's so much more overlap in terms of, if you actually look at the requirements of what you need, it's the same darn thing. So while it may be comforting to, to tighten your lens in such a way it's worth looking at that big picture, because what you're solving for is, is more than anyone given silo. Thanks. That's
There's one. Yeah. One thing that I discovered, and it dawned on me slowly, and this was, I think actually when I was a Forrester analyst, but also over time as I've worked with customers in, in my current role, single sign-on means something completely different in a consumer environment than it does in an employee environment, it literally means something different. And that's why I was gonna ask Dean to come up here. He's with Amazon, you answer Chris. He can answer to, yeah, lawyers have to, but like, what I finally realized was literally the phrase single sign-on means when you're responsible for a business unit or maybe even these days, there's like digital transformation officers, right? Yeah. It literally means a kind of an omnichannel experience. It does not mean, you know, go here and then get in there, which is what I think the technical meaning of single sign-on sort of boils down to, or like when we were working on SAML, you know, in SAML one, we went for IdP-initiated single sign-on flow. And then in SAML two, we went for SP-initiated single sign-on. It literally means that kind of omnichannel experience, it's experience oriented. And in a nutshell that's kind of what Siam or Kayam or cm or whatever it is, the phrase it is. It's, it's, you're doing it for them. You're not doing it to them. Right.
I certainly agree that from a technology standpoint, the notion of the silos is generally a mistake that, that those lines blur on a regular basis, that the same user logging into an enterprise account may also be logging into their Staples account. And so at which point they're sort of a consumer-like person to Staples. So it's important that certainly from a technology standpoint, we, we, we don't create false barriers. Having said that there is, and, and has been for, for a long time in my mind, a very important distinction, which I think many of you have encountered, which is the economic model. In the enterprise space, the companies pay, full stop, right? You know where your money's coming from, and they will pay to get products and services. And from a design and user experience standpoint, they don't care so much. Yeah. They may want to accommodate their, their, their employees, but frankly they can enforce whatever kind of, you know, multifactor authentication with hardware keys and all sorts of crap.
And they can just do it, you know, by fear. Consumers, on the other hand, we all know, will disappear in a heartbeat if things get hard, and at the same time they will, they won't, they won't tolerate complexity. And at the same time, they won't pay a penny for this extra security stuff. And so the economic model, as we found that, you know, the business of being an identity provider by itself is not a viable one, cuz who's gonna pay you. So there are still some differences. But I think from the standpoint, the key standpoint of I'll say the more the technology aspects, we definitely want to avoid those artificial barriers.
Yeah. I would say for me it, I think of it as sort of this evolving importance of preferences. So when I started, you know, I've started in the enterprise world, of course, and you know, employees don't have preferences, they just don't right. You just, you know, you dish and out a dish and they take it right. But this idea of
Maybe some companies,
But this idea that, that a preference, isn't just something that you can ignore when convenient, right. That it's in fact, a way to set policy. And that, that, that is as valid, a way to set policy as some fancy line of business manager or compliance officer making decisions, you know, that, that, it's all part of an important intersection. That's been my big, my big,
Yeah. I I'm really happy cuz this was something I had the feeling when, when I started with my travel and see, there were few people out of the old industry from my access management. I went like, no, is this not gonna work this way? Yeah, I have to. So I like you have any other son, you, I forgot your name. I'm sorry.
Sorry. My name is Dean. I'm with Amazon. Unfortunately I can't, I can sit and listen, but I can't really participate in illegal. So I'd
Have, have, I'd have to be clear. I know. I know. No. See I am out of that. Now. I can say things now. I, I said like you there's dark side. It's very comfortable.
No, it's it is interesting. Cause I mean, I can say something. You can see how Amazon evolved as well. You guys evolved because a couple years ago, I like, no, you can't do it this way. You know, when I was a user there myself, but I see guys and there's good to understand, but I think this is so important what we are just discussing. And so what does this tell you about now you have more somebody else in the, in Azure, you have any opinion about this. Now you were not coming on panel. So maybe you have something dear calling. When do I have to stop?
You have little more time. You have got another.
Okay. That's why, that's why I, I can have you engage. I was just making sure, because I wasn't Andrew, let me think. No, any, otherwise I'd move on to the same
Oh, I'm sorry. Yes,
No, no. It was just, and, and it's the same thread throughout each four, all four of the, the panelists was the issue of the, the, and, and I'm surprised you didn't go further into this one about the, the ownership of the underlying data, right? It, it really is an aspect now that we are collecting more and more data about the actual users and it's not outdated, it's their data. And that sort of, again, very different than in an enterprise space
Because officially they belong
To us. They belong to us. They are slave
Also the customers, the real customers, the procurement people, they belong to us. They're so legal. But with the users, the end consumers, we don't know them own them. And that's really, that's, that's a very simple thing actually, right? It's a very simple, small thing which changes
A lot. I'm gonna say it's complicated.
If you understand a company that these data are not yours, that's an easy concept for board of management to understand
It. Is it absolutely. Especially with GDPR and here we get into GDPR, right? And it makes it simple. You cannot slough off responsibility for data subjects' information. You are a custodian of the data and you must see yourself as a custodian and it's your responsibility to do right by their data. Philosophically, as you peel the layers away, you have become a mediator in their communications. And yet you have contributed to some of the value of those communications. And I don't know if all of you have taken a look at a really interesting paper called A Taxonomy of Privacy. I wanna say it. Yes. It's an amazing paper. And it goes into an analysis of the ways in which effectively the digital services have in fact added value. And the reason why I think that paper is so important in getting to that analysis is it shows the ways in which the organization has contributed to the data.
In fact, and the way I would see that is not to like go into total philosophy land with you. But information about a person is theirs. If they are interacting with the digital service, the digital service is now a kind of a joint creator of something. And that's something that GDPR is, they're trying to reverse the inherent power imbalance, but some digital service that actually helps you do something like mediates your finding your old high school friends as Facebook does, helped you find your old friends and they are a co-creator of something, whatever it is. So how do you recognize the value they gave? The way that GDPR does it is of course they have six legal bases for digital processing, for data processing. And one of them is consent and one of them is legitimate business interest. And then there's four others. And as was recently blogged on the UK Information Commissioner's Office, consent is not a silver bullet.
Now I love consent as a basis for data processing. It unlocks rights that the organization has it unlocks responsibilities that the organization has. It's my mission in life to remove friction from those responsibilities so that you will choose to get the goodies, the rights as an organization, but still consent is not a silver bullet. And there's sometimes reason to choose legitimate business interest there's monkey business. You can get into if you choose it, but okay. That was it. One of the fun things about working in, in largely in academia is that it's, it's like a Petri dish, a small microcosm of what's possible. I've noticed that in the commercial world, people look at academia and go, oh yeah, special snowflakes. That's not, that's not valid, but it really is because you can see all the use cases down in a, a simplified format and you have in a way more freedom to manipulate them and, and see what you can do. For example, what he was talking about. Institutions, even, even research groups, virtual organizations, they decorate the data, such that, you know, the data about the individual. This is their name. This is their phone number. This is their date of birth. Yes, that's theirs. But the role this person has who owns that, you know that this is a student that this is, you know, you talk about the phone about this. We did talk on the
Phone about yeah, because, because there's a, I always find this a remarkable thing. We're obviously ahead of it because we, we had a big exception officer in, in Germany. Everyone had one, a big company, but we had a long discussion. And this was one of the most important things for the automotive, for the, the cars, which can drive by themselves is the question we need one. Not I'm not automotive anymore, but one needs the information about the car or this person, if he owns a car and the information is only unique, which is called the vehicle identification number. Now you cannot believe what shitstorm started that. I started asking the question, Hey guys, is this a personal attribute or person customizable attribute or not? It went all the way to the EU. And it is a personal, it is now. So you cannot, you have to take care of that too.
So it's easy when we think hard to say that it's the username and maybe my person, I don't think that's not known anyway, but not the most important anymore for me. But that was for me the moment when, oh God, I'm so glad I'm going leave soon because this is, this is something I can't do anymore. I mean, this is ridiculous, right? So we're gonna have, what's your question, these things, luckily I did it right, because I was always already like, no, they're gonna say that. And other people were shooting at me, the, the people from research research, the researcher, and they would shoot at me because of, but do you agree or agree? Not with me, but with somebody that this is also to be, and that's something which I find very difficult. And that's why I think we, we all agree that these are the questions, but the desire you have to think about in the beginning, any of these formats can be as personal customizable. I don't know what for this, we
Maybe not personally identifiable personal or, or with correlation personal
Customizable, something like that. It in the EU, and this is very important. And you don't know. And so,
Yeah, so, so, you know, we do a lot with IoT so there's, there's a notion of like device data. And then if
The devices,
If the device gets correlatable with a person, person identity through relationships. So we do a lot of IRM, right? Identity relationship management. This is a thing guys. Yeah.
But this decision you, that it's going that's right. So
We assume that any device data just assume that it's personal data to, to, you know, yeah. First order of magnitude, right. Because the second you put it in a relationship with a human identity. Yeah. It is now personal data. Yeah. So you must protect it as if it were personal data, because the relationship with a human identity puts it in contact with it's it's toxic now in terms the DPO would understand. Right. So the device itself might not be, you know, a serial number all by itself may not be personal. So it is customizable as a great, yeah. I haven't seen customizable in GDPR English, but yeah, it's a great word. It is by virtue of correlation. So the relationship makes it personal. Exactly. And ever after if you stored the relationship and for retention requirements, right. Stored the, the relationship information, it is personal data. So that's my assumption. Yes. For, for privacy. So we take as simple reasons, which is very complex to build. Yeah. But it's, that's much easier to, to do that because at hindsight, you can't do that. That's right. They're gone. You've lost two. It's lost.
So I worked on a, a spec at ISO with probably one of the most horrible names ever. It was requirements for partially anonymous, partially unlinkable identity.
What is that partially?
What's that you made, that's funny all this time, I've been blaming to blaming Tony in Lin.
That's perfectly
That yeah, I know. Yeah. People will go with that. Understand. Anyway, the notion fits well with these concepts in, it ended up becoming, becoming partially this and partially that, because if you, if you look at the model, it isn't an absolute anonymity, isn't an absolute unlinkability, but in, in the way it was intended to be used, it is mostly so, so the idea is that one of the examples given was a tolling system where every time you get on, you've got your transponder, a unique code is generated. And, you know, in a, in a protected way with your, you know, wrapped up in your own little key or some such, and it figures out when you get off exactly what your toll is. So the tolling system itself has no idea who you are, no data, no information can't be found out, but then you gotta pay for it.
That information's then transferred to a very discrete system, which is the billing system. It knows how to discover who you are and then go off and do the billing. So of course it requires good security between those systems firewalling or, you know, putting walls and so on between them. Pardon me? And there's a whole raft of similar types of situations where the, the primary system has no need at all to know who you are, but there are reasons why you'll want to be able to identify that person in some situations. And so this helps address some of those problems where the data is being collected. And in the environment, the, the company collecting the tolling data can do all kinds of processing on it and they can never tie it back to any one commuter.
You know, I have, this is an interesting topic because we built this in the system and it was exactly these questions you don't help actually were the consumers themselves. So before we started building, they were angry, the truck driver, they didn't pay first point, but they were afraid that we could figure out which route they would take. As you know, there's certain parking areas where they all stay at night. For certain reasons, there are lots of males around with drive truck driving. Okay. So I found that very helpful. Yeah. When they started, that was 10 years ago, 12 years ago, we're not talking about C I'm at that time. But from, I found it very helpful because these truck drivers are board of managed my, my former would've manage tomatoes thrown at them because they were afraid that they would lose this. We were always telling them exactly your story. They were not sure. Yes. And that's the question, but consumers help a lot. They're the ones who say what's gonna happen. That's yeah. Yeah. That's, that's exactly the situation. And that's what, what you just said for the internal ones will sometimes you don't ask all the MP like green, or would you like about it this way or that way? The only problem is most question, question about, I didn't see. I don't see that Martin. Sorry. No worries.
It seems like we're making the assumption that we can treat employees
Exactly. Employees badly. Well that, but it seems like a growing number of companies are, are taking the opposite trip, which is we treat our, our employees a bit like customers. Like we want to make this easy and fast. And in fact, by doing so, you know, employees are taking five minutes, several times a day to go do whatever identity we need to do, then that's time that's could otherwise, otherwise have been spent doing productive things. And I think from a speed perspective, that's obvious, but from a frustration and emotional engagement perspective, that's also a thing to consider. I think
You're absolutely right. And, but, you know, I, I noticed also something else, because the problem is now we really have to talk business because very frequently for internal stuff, you do not get the funding for a CIAM product because it's part of the, like with Amazon, well, you won't sell anything. Yeah. Without that. So I found my experience. It was because I thought the consumers as well, I SU certainly had a lot of budget. So I could also use the gain of knowledge and some technology I could use for the internal people. And then they would say, but Barbara, why do I have this nice and fancy thing on the CIAM side? And not internal? I agree fully. It's very important and the employee should be happy. And they shouldn't. The point of the matter is you can say that you have to take a second win of authentication, which I cannot say to Chinese and consumers, there is no way in hell I can do that. Right. So that's a bit, I think, but I thought, I also think it helped, it helped to understand for the, the employees. Cause that's a really tough question actually
Also. Yeah. I mean, you're talking about the F word, right? Friction.
And yeah. I mean, reducing friction on the consumer side is required. Reducing friction on the employee side is smart. Yeah. Right. Smart. Yes. But, but it is changing, right? I mean, all of these things as profile management and all this sort of stuff becomes more commoditized, then what happens is the employee side starts getting it for free instead of them having to budget for it. And,
And well, the, in the second question, going back to you, which company did you work for? Okay, thank you. Because there, the second question I have this stops for nothing that I put the second question in, is there a difference in technology? I don't know how Amazon, I'm not gonna go involved just because you're not allowed to talk about it. So there are very many corporations who have loads of shitloads of technology, old technology in there. Now when I built CIAM system, lucky me, I didn't have an old mainframe of 30 years ago. So I could use all the stuff we, we know Blackboard five years ago, I could do all that because I could use that. But my problem with also with lots of longer existing corporations, they have all these old technology, which you can't get rid of. I don't, I'm not allowed to ask questions to you. So I don't, but you're not that old company yet.
We're not. So we don't have that problem. Right. Right. It doesn't mean problems didn't get created 20 years ago.
I agree. Right. But, but you understand that, that, that from a technology point of view, and that's why I wanted to lead to this next question that I found it easier. I think to find C much easier because the internal part is really a struggle. If you're an old, like at, I wouldn't want to think about, I did do it there, but it was terrible. And, and so in many customers I'm seeing if you, like, I was at Microsoft years ago and it was some very smart person telling me life is so simple. You just do it all with this technology. I go like, alright, this is, you know,
I said, damn vendors. I mean,
No, but so this that's what, so yeah. So what do you think you guys about the technology put more into the, okay,
So the question is, you know, is the technology different between sort of enterprise and consumer in
Well, here's, here's maybe one difference. I'll observe by analogy. Say you go to Costco and you wanna buy a coffee maker or microwave oven for your house. And notice, it says, do not use in an office setting. You have to buy a totally different thing. If you wanna put this, you know, in the coffee break room versus in your home, why is that? Totally different regulations. Not that it's not robust enough necessarily. And the coffee break room one would be more robust. You'd be like, well, maybe I should get that one for my home. There's just different regulations and compliance to electrical standards. And mean time between failures and stuff, it's different use cases. And you do actually have that with IAM, because in an enterprise you have joiner-mover-leaver stuff. You don't have self-registration. People have to prove themselves in a certain way for an enterprise.
And you might have use cases where you do have some self-registration, but then in other cases not self-registration. So an example might be you have parental consent required. And so you have a captive account that has to be created for a child by a parent. So you're not gonna have that in an enterprise. So there are different use cases. There's also the cost center, profit center thing we just talked about. So you have different use cases, different money, economic things floating around who wants to pay and who wants to be paid. That does reflect itself in some kinds of different tools. And I think sometimes that's a marginal difference. And sometimes that's a substantive difference. Like, you know what you're doing with privileged access management or something. But a lot of the times I think the Venn diagram has a large intersection, says the queen of Venn. I'll go back.
I got a quick one, but so from a complete techy weeds perspective, there are different teams doing these things. And you know, those teams drive unbelievably bad practices. I mean, unbelievably bad practices. You know, we, we kind of live in a clean world of identity management where everything's in the directory and we have these rules and all these policies, but the realities of these teams, at least the ones that I visit in both worlds are equally dirty. And you know, a lot of it is batch processing, right? It's moving identity data by CSV export by, you know, crappy, insecure Telnet, you know, with files, you know, we, it's a lovely idea to have everything in the directory. And if we can get there, GDPR pushes us towards that rigor. That's great. But first we have to change that whole culture of, of getting stuff done by whatever means necessary that exists today. No,
Not to you, you were saying you're a tech, so I'm calling you a tech. So if a customer has so not like, like an Amazon, because their product was different from the beginning. But if you have a product which is not first of all, online internet or whatever, or OT in the beginning, you have your internal etcetera. Now, now you start doing C would you now say, stay on the same, use the same, you know, port rock, obviously you should stay there. But if it's another companies and so with all these different technologies you have in place, would you tell this person to build a new environment or would you let him stay on the old environment and build up onto that?
It depends.
So let's say on what does it depend to make life easier to have a simple answer to that exact possible? No. No.
Were they, who are they connecting with? Volume scale?
How silent was it?
Yeah. How partition was it?
It was a silo then technology refresh take the
Opportunities. Right?
Well also, but, but it's not two worlds, it's an ecosystem. That's the thing. Right? So for example, you know, probably the simplest one to pick on would be Active Directory, right? Probably don't wanna put your consumers in Active Directory and you probably have, and Active Directory is extremely great for other uses, right? So, but you, what you shouldn't be doing, if you can possibly avoid it is having your employees have to sit in your consumer directory as well as in your Active Directory. Right? So ultimately the, the motherhood and apple pie is that you use the best thing, you know, there are different things that are targeted for different scales and for different security models, but they should all talk to each other and they should refer to each other rather than being glass bubbles that you can never pierce. I don't, I mean, Heather, you've got the most, like you said, the Petri dish is, is the perfect example. Yeah.
So what I've been thinking of is, I don't know how many of you recall earlier this year, the, the grand scientific discovery of gravitational waves. Does anyone remember that? That was the Laser Interferometer Gravitational-Wave Observatory folks. And they are a bunch of academics from institutions around the world. And they have that, that challenge of on the one hand, they need identity and access management to access those observatories. That's really highly sensitive, critical data that millions upon millions upon millions of dollars has been spent on. And yet they're just academics. They also need to access the email. These are slightly different things for the same person, slightly different levels of access that they need to, to get into. And so, yeah, we are looking at that Petri dish of look, they just wanna get their email and update a Wiki and they have to access it highly, very expensive, very specialized, scientific equipment, but it's all the same person, right? So the technology does have to, I don't wanna say it has to vary, but it has to take
Into it's a question. I mean, so yes, one answer should be, but you just said thing. You could take the advantage to take new technology on which is an advantage, but you are. So you could be in a, in a situation that it gets really dangerous. So consumers in the IoT realm, please don't touch the safety features of, I will not talk about a car, but of any other IoT, you have to get them apart in some way, because everybody makes mistakes. Every operator can make a mistake and then this guy without maybe stupid and doesn't notice it. But if you would notice it, he gets into the safety system of ant system. And that's what I'm scared of. So you're sorry,
John's gonna go after me. He's come up for the mic.
John's gonna kill you.
Go after mic. So in your experience, working with your customers from the paying four drop points of view, are they willing to accept that the consumer is a shared common resource or a shared common entity? Because from an enterprise point of view in turn with the employee is the enterprises, but the consumer will be everywhere, not just interacting with their company. So
You mean kind like doing vendor relationship management.
Well, does the customer to enterprises, does the customer exist with rights to go wherever they want to? And if one enterprise sets up certain consumer oriented features will other enterprises ignore it or accept it because you're pushing out
There's apart from that organizational entity. Yeah.
If, if, if I'm selling products, my customer has other personas of
Do care. You know what I'm gonna say a little bit about that in, in my 11:00 AM thing about GDPR and PSD2 and C anda. So I'm gonna just hold off on what I'm gonna say about that. Put in a little bit more context. I can chime in a little bit. Speaking from scholarly publishers is one, one of my set of clients. One of the hats that I wear is working on identity discovery in the scholarly publishing space. And the publishers are considering how to, if it's possible to, to in a way, have the consumers be that shared resource, such that if there's a browser cookie, that indicates that this person is, is a faculty member at Harvard, does each publisher have to yet again, ask the same question? Where would you like to authenticate? You know, or can they just say, okay, we all know because of a browser cookie that you're at Harvard. So they're, they're working on that in a technical sense. I mean, if you're talking about that there's is it Adobe connect that has that sort of permission cookie system in marketing sense that lets you sort of be recognized? I mean, if you're just talking about in the technical sense, it lets people have that cookie follow them around, but they get to say that they're part of the system.
Can I take a shot at Andrew's question? I have a very cynical view on the enterprise.
That's on
Going on. You, we can hear you. You have a cynical view.
I do. Hello? Hello. Yes, I am. I have a very cynical view on the enterprise and that is that they don't actually care what those users do if they're not spending money with them. And so if there is a way for them to get additional value by working with somebody else, they will, but they won't do it unless it does. Unless it builds either short term or long term revenue for themselves, period, they're in, they are an, is the
Nature of my
Question. That's pretty much my answer, but I'll give an answer to like what you should do about it. But there are some obvious counterexamples like healthcare, right? I mean, competing hospitals have to in while they have to, at least of course they are. I'm not saying they're not profit driven. They're not profit driven, but they are forced to collaborate. Right?
So they, they are forced to, and they will do the legal minimum necessary to get
Beyond. Absolutely. And there's something called data blocking. Sure. But, but I mean, that's not a bad thing, is it? I mean, honestly, if I'm a business and I'm trying to make money and I'm going to do the things that make sense to my business, you
Know, know, I don't think that's a bad reason actually. I think it's a good, I could tell you stories that would curl your hair, working on heart.
It's not curl hair.
The point I would say is actually because they are really easy to understand. They, their motives are very clear. It's like an alligator, right? They, they, alligator goes for food.
I think you are a bit cynical now. No, I'm not. I'm really serious because, because this is, this is not good. There are companies like that, but now I have to really say that I've been now in the, so I come from in you like you, but I've been in this world has in 10 years in one in one go and I disagree heavily because the whole idea of mobility of the large corporation now. So we're trying to get these things together. So I'm not anymore, but I hold it's my holy grail to, so I, I don't think that it's, I've noticed it with all the other scissors I was together with in the us. And in Germany, we talk about these things and they are not non acceptable. You only have to watch out for another law, the law that you and I are, two different companies. We attach each other. So we think it's nice for our consumers. We get other law from, from all in the us collusion. Yeah. So, yeah. So we've had one of those and then, and then, then you get these problems. So let's try to get away from a cynical problem.
I think you have your mic in your hand forever. Well,
I go back to your
Question about, you know,
There we go to your question about, you know, enterprise versus consumer and when do you build something new, as opposed to try to modify the old Eves of fan of Venn diagrams, always like analogies, you know, let's think of it like a car, let's say you've got a nice 1999 enterprise IAM product that, you know, at a certain point you decide it's probably not the most efficient way of doing something. So, you know, you're not gonna put a new stereo in, it might not be tied for new tires. So same thing with your IAM system, you know, it's how extensible is it? Does it actually meet the requirements or does it take such significant effort that it may be better to either build something new or use one of these many SaaS services that do that? And I think one of the biggest differentiators we haven't talked about yet, but I'm really hoping to cover some in the next couple of days is, you know, on the enterprise side, in the old days we had user ID and password and we know that's still way too common. And then if you really want to do security, there's smart cards, but consumers want to use this. Right. And I think this is probably one of the biggest differentiators between consumer and enterprise IAM. And what can you do with regard to mobile authentication and mobile authorization and transaction approval, things like that.
That's really a really good point because that's, you cannot do that with your please.
I had a comment about interoperability and portability the way that I think it's most effective to sell that is to talk to people about shipping containers. And the way that global manufacturing works is that they have this infrastructure that everyone uses that is literally physically portable and it works right. Competing companies use it, competing companies, service it, right? And we need to talk about identity in that way. We need to talk about how we need an interoperable infrastructure layer, just so that we can get things shipped around the world securely and make sure they get to the right place without getting lost without getting stolen. Right. So that's what we need. And that's how we need to talk about it with people. Yes. Not about technology, just about literally a physical infrastructure. And I think that's a really effective way of selling the interoperability and portability piece of the, of the puzzle.
You know, we, we've got to a point where a lot of that is starting to work. You know, I, I had talked about zero trust identity stealing the concept of zero trust security from my colleague when I was at Forrester. And it was basically that it was standard interfaces standard, you know, packets, which we didn't have JWT at. I don't think we were starting to have JWT at the time I was talking about it back then. And you can do defense in depth and kind of identity security in depth. Once you have those standard interfaces, if everybody, you know, works the protocols and works the, the packets and that's what our shipping containers are starting to be. And as long as you have, I would say RESTful interfaces and beginning to be talking to the IoT side in the same fashion, it can really start to work and it's getting to be that you can plug out and plug in that sort of thing. It's it can be successful. And, and, and that's, and if your infrastructure doesn't do that, it's failing for enterprise use cases and for consumers, right.
Is that a bit of a two-edged sword having such uniformity? I mean, nobody's trying to act the intermodal system, right? Like I'm gonna make this container slightly different, but you can imagine easily the flip side of that, which is, wow, everybody's using this technology. Well, if I'm gonna put my hacking efforts into something, I'll put it into that as opposed to today where you've got sort of a, I mean, there's the trade off, right?
Fair enough. That's actually true that that can be seen as a monoculture. Like, so for example, Brad Hill's work on the delegated account recovery for Facebook, not using OAuth. And there's a technical reason why it doesn't use OAuth, but it's probably also good that it's not a monoculture, right? So I actually respect that and having just had to set up account recovery for my Apple ID and being very, very glad that my Dropbox based to do app you don't use to do it's awesome. Uses Dropbox and not anything Apple connected. I'm very, very grateful that it wasn't a monoculture of using my Apple ID right now. Cuz it's gonna take till September 22nd for my account to be recovered, swear to God. Oh
My God. Yeah.
Don't ever forget or lose your Apple ID
Password. And this is what I was talking about before. And I will talk tomorrow about, because this drives nuts, large corporations who are internet, you know, let's forget before price like car, they have an internet company. So if they don't get it right, mind you, but you know, with Apple, I think you wouldn't believe. And they still it's really bad. I respect that. They don't set it. We said it right away. But we, we do. I can't. I know because I, I, luckily I knew it back. Good. It, it was terrible. Well using, using
Standards doesn't guarantee your
Security there. No, it doesn't know. I mean, there was and would like to answer your question for a second. So this is actually the problem I was facing as well. And I still think we are facing, like you said, with the policy policy, that people are sloppy, that the operators are sloppy and they are now there are very good systems. And so if you're a rich company, you can buy very good systems, which watch their lop. So maybe patch it in time that they're now opening. Even if I do O whatever security, well done thing, the worst, the biggest distinct that. So media open support, we all know that that's so many goes around. I love today for testing. We're testing for testing the boards.
That's exactly. That's that's exactly what happened. INAX right. That's exactly the
Problem was, are you sure? Because we were discussing this morning, it
Was a site. Someone had set up new web server.
Wasn't so far up
That got, and that gave a door in which
Suggests that they're system. That's why I am a bit more, I would say if customer has money, let's assume the customer has money. We'll make money because of the cm set them apart. Because as soon get into, if you have this opening, you gets into the more secure areas of your company, whatever it is, you just, by such a small mistake, this happens. It's awful. And obviously this is what scared me to death with my cars. And so will open that corner, but
It is awful. But you know,
We have to have fine
Ways to cope. Yes. Right? I mean, bad things will happen. Bad. People are trying. I think though, that, to me, we've, we've kind of moved away a little bit from the verify part of trust and verify, right? So to me, the assumption should be, you never assume, you never assume that something works. And the hard part about, you know, the, the authentication or the SSO side identity is that people think that as soon as you can send an assertion from point a to point B, that that it's working. Right. And that's exactly wrong. The measure of success is not by what, who you can connect it's by who you reject. And unfortunately, we, you know, we tweetable people. Yes. That was a soundbite just in case pet personal pet, peeve that to this day, people don't understand the difference between authentication and authorization drive me.
That's true. Okay. So I think we have a lot of questions at the end, in, in, in my last panel in two days, I will ask people, these are the questions I see and, and we can discuss more. So did I do my job? Collin?
You, you have done your job. Marvel. We have 10 minutes left. We can just go and break. And I think you have some, your coffee, coffee, and have some coffee
And maybe discuss some more
