Event Recording

Phil Lam - It Takes a Village to Protect Your Customers Online

Log in and watch the full video!

When large-scale breaches occur, they not only hurt the impacted service but also erode the trust our customers have in online commerce as a whole. Protecting our customers online can no longer be a siloed activity but need to be coordinated among service providers to ensure customers continue to transact with confidence online. The current market of consumer identity protection solutions are limited in scope and capability. Credit checks, insurance, concierge services when things go wrong only provide mechanisms to mitigate losses after an incident has occurred. A new set of innovative services need to be developed that bring service providers together. With both technology and policy efforts working in parallel we may finally be able to successfully protect our customers online.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Good morning, everyone. Thanks for, for coming out this morning. My name is Phil lamb. I, I love showing up on time and Andrew was even much earlier than I was. I was 40 minutes early to this room back at N the, the atomic clock. So that was like our big thing where you were on time and it was clocks had like to the millisecond right. To meetings. So yeah. So appreciate you guys being here. No, it's it was, it's a little bit of a sad story. We start you guys out with just something that's telling about some markets and some misconceptions for those have, you know, at, at N we, we pride ourselves in something like the clock. It's something that everyone trusted, the topic level, us governments to small industries to, I think Microsoft even used to use it for, it was this key part of our infrastructure that we provided a service and it was essentially a set of servers in a warehouse.
And when do you guys sequestration remember that crazy government shut funding, all that good stuff? Well, it got to the point where we could not heat or sorry, could not cool our clock servers now anymore because it was too expensive. So, I mean, I can say this now, but we would actually go to Costco purchase pallets of water and surround the servers to absorb the heat from the service. And that's how we had to cool off our servers and you a cycle amount. That was how crazy things got from a funding standpoint on the federal level for something that at least internally at this we consider to be critical infrastructure is time. Right. And from the outside, I mean, it's kind of shocking. I would imagine that at that level, there is such, I'm not say competence, but the extreme measures that folks go to get the job done when they have, you know, shortage of resources.
And I think that assumption that other folks are handling it. Yeah, they're handling it, but they're just barely right. Same type effects. You know, I have things of some banks as well, get fraud. Sure. They're handling it, but they're like up to their eyes, right? So us as customers, or as rolling parties, parties in here, my talk today is about how let's, let's start helping each other because when we try to handle these things ourselves sure. We, we can probably take care of it, but we're just at our eyeballs right now with this. So, so that's my little, I don't know, sad story, but maybe informational about, about what we gotta work together. So today gonna talk about how we need to come together to work and solve this problem for, for online today. So we, we know if there's a breach, there's operational concerns.
And, and I think a lot of the folks in this room know what these are. I've heard these slides because I know that at least when I was in your seats beforehand, in the previous slide, it's not about convincing me. It's about me convincing my leadership or the other business that I have to work with, or the people team to make anything change or how we interact with people change. So this really is just an idea or slides that you can use for, for, for your other copies and folks. So there's operational losses, of course, right? There's a breach or there's some sort of loss being shut down.
There is reputational loss. And I think that's the biggest challenge that we have with our guest store. But I think what, what we aren't, we aren't looking when we look at our own businesses is that there's actual market loss. So when there is a big breach in a large brand like a, that makes everyone question, just the basic premise of group identity proofing, my God, that is, that is foundational for people in our business, right? Everyone relies on their credits. Credit is everyone, even banks provided banks. Some banks want to become that anchor, but when their foundation is, is lost and it erodes trust in the entire system. So there's, there's market applications here, not just for our own company, but for, for all of us in this space, whether we're in health, whether banking powers.
So, so what, what can we do, right? We, we, as we, as hopefully rely on parties out here, we know our customers probably best. There are certain things that we've always trusted. You know, our, our digital identities are rooted in our physical identities, such as driver's licenses, such as social security numbers and things like that. And that's how historically we've always done it. That's how we published as missed. The latest specs are all rooted in these identity documents. But as you guys know, you touch your customer a lot more often than the government does. So you probably actually know a lot better where your customer is, where their actual current addresses, you know, people were talking about geolocations and things like that, patterns of behavior that can better identify the customer. Now, you guys keep it yourselves for obvious reasons, for privacy security reasons, to just your, that is your competitive advantage perhaps to other competitors, but that type of knowledge and that type of information can really hopefully be used to better do these things. And so I'm gonna talk more about that and how we can, how if we were to start sharing that we can actually do this.
So I'm gonna take a step back a little bit back in time to 2011. When the president signed this initiative for trusted identities, the, the premise was the whole idea that if there is an erosion of trust of who we are online, that arose the entire market for eCommerce. So if, if we are to ensure that we can continue to buy and sell things online, to interact with a customer and citizen online, we need to first do a good job, identifying the customer now to do that. You, you could go the European route there's that, that, that works and kind of works in Europe. It kind of worked in Canada as well, but from internally in the us, there is this idea, this trust of sort of large organizations that we don't understand. We, as in, in the us space, we value our individuality and of the ability for us to make decisions and choices.
So how do we create identity systems and also have choice and also have trust? It seemed to be contradictory, right? So the idea was multi-prong that we would invest in private industry sort of seed fund startups to innovate in this space. That's one thing. And that's, that's, that's what another part was to create an identity ecosystem steering group. It is a private led steering group, folks who come in and they would come together with what were, what is that trust level? What are the requirements needed that we can all trust each other in that sort of identity that will start it up. Andrew can talk to a lot more. And then finally that the government has to be a, they have to be an early adopter because this is back in 2011 and identity solutions and things like that. I don't care. You know, they, the idea of a citizen identity, people just thought, you know, am I an issued pit cards?
I dunno, cards. They are highly secure cryptographic cards, chips on them. I think the issuance cost was around 150 to $200 at the time, which is crazy to think of that will issue these cards to citizens. So how do we do in a cost effectively? So we knew that government had to beat innovators and actually purchase systems first and sort of see how the market evolved. So since then we've had a bunch of pilots. They've had a lot of successes. There are some folks that are in this room that were pilot recipients of this funding, or were indirectly affected by, by our funding. And we're happy to, to work. I was happy to work with all of them as they move this forward. So it's a mix of private industry, local government, federal government that are now adopting these solutions. So the ideas of Federation, the idea of identity assurance authentication assurance.
Now that makes sense to people and they're, they're moving this forward, but honestly, we're, we're not there yet. We're not there yet. And, and now we're at this point where federal funding and federal dollars that are being allocated towards us are quickly diminishing, or they might be shifting into another direction. So it it's now the holding on us as the private sector to sort of take the mission that will started before of hang. If we are going to interact with each other online, we gotta do and address it way. We gotta do it. So it's easy for the customer, but we can't let the fed do it anymore. There, that effort has mom down. It's on us as a community, as experts in the field, as those who feel passionate, that you know, online den could really happen in a good way, it's on us to help move this forward and how we move this forward in our problems. And why does that, why does that matter?
So this whole, so the, there has been efforts from a consumer side around identity theft protection. And I don't know if there are LifeLock fans here or fans of so many other services that are spun off, but I'm not one of them. I, if you know, or not know, it's, it's very retroactive, right? It's if you have identity theft and hopefully you haven't, my wife had, and it's mess from, from the fact, if people open up wrongful accounts in your name, now, if the account it does get opened, now your profile gets updated with wrong information. It gets populated with all this information. That's actually fraudulent from an imposter and fixing that takes months, hours of time that you as a citizen, you're not an expert. My work is not, and there's a lot of frustration there to the point where a friend of mine actually was stopped by border patrol because someone stole her identity.
They committed a bunch of crimes under her name, and then was arrested, held in Cancun. Thankfully, we had a lawyer that is a friend of ours and she got out. But, but these are the, these are the challenges that identity theft has for us, but they're always retroactive. You always have to solve things after the fact. So, so what can we do with identity and identity theft and, and, you know, in a panel previously, I talked about, you know, how the FTC, it's hard to actually stop it from happening. Perhaps we could devalue the data. And that's one way now another way harder way, but a, a potentially interesting way. And if there's innovators in the space is that is, is can we use these sorts of, or, or previous models where there has been some challenges from the federal government with terror attacks? Are there ways that we can look at them as how we can help solve debt?
So back in, I guess it's fitting, I didn't even think about this, but, you know, nine 11, you know, there was, there was a lot of different federal agencies with a lot of information that they never shared, CIA things, things, but they didn't pull it together. So after all of that, they decided that, Hey, we, as large institutions with knowledge of expertise, we need to start working together. And they set up these national center centers for account intelligence. They physically have a representative from each of the branches of, of, of the intelligence community, sit in the same room. I'm not saying it's perfect, but they sit in the same room. They have their own systems attached to their own databases, and they can verbally share information to each other. It's a, it's a coll, but they set it up and it's been, it's been helpful right now. Well, helpful to the, to the point where there hasn't been a major, at least international terrorism in the us long time.
Can we do something like that for identities and for consumer identities? I think I would say yes. I say we can. I think our folks from Facebook that were here yesterday, I dunno, we're here today. Yet. They shared that they do share information, but as some of the, your, some of our colleagues here mentioned, they only shared with Microsoft or to Twitter or to snap, right. Some of the major players in their space. And that's it, is there a way that we can start sharing account data and customer data in a more democratized fashion that we can all benefit and, and, and sort of see these, these signals from the different parties of saying, Hey, you know, this email address we just found on the, with a password on it, if your accounts have that same email address, as the, as the reset capability, think about triggering a risk based decision on your end, whether you want to, you know, lot that person out of your account and force them to reauthenticate or, I mean, if you're more advanced step up and do some sort of second authentication through authentication factor, maybe trigger some behavioral that you guys are currently collecting and just double check.
So these sorts of signals could be something that could be, you know, I think revolutionary for us in terms of consumer identity.
So I, and you can, there's a lot of different things that we can share from, from my privacy hat. When I put this on this stuff scares me, right? When you start sharing G when you start sharing habits, how you hold the phone, right. I don't know if you guys are into behavioral, but there are some very unique things about us that can identify us now, is that a bad thing? It could be, I guess, maybe in the wrong hands, but if you can do it in a privacy preserving way, in essence and anonymizing it, you get uniqueness and that's all we really need. Once we get the proofing, we just really need uniqueness. And that's what we can help provide the different types of, of information that we're all collecting their different ways.
Now, once we have that, then can we do in a way that's transparent to the user. I was writing this without even thinking about GDPR, but I guess this is very, almost GDPR. We have this construct where we all collect data on the user, but the user has no idea what, what the is collecting. Is there a way as well, that if we go about sharing this information amongst each other, that can keep the user in the loop so that it's transparent tonight. So they know what data they're collecting. Maybe they can say, Hey, you know, I'm not quite sure about this, that wasn't me and the user can actually help you in your, in your fraud or respect as well. Is there a way that we make that transparent? I'm, I'm making these questions because I'm not a product in, but I see a lot of you guys are, and I want to sort of project ideas, sorry.
You could bring the user into the loop and the customer to the loop say, would you, it's a preference, allow us to use your information to better
View our security and privacy. Yes. And then stop there. Exactly. Exactly. We, we empower the user with information and we allow them to make an educate decision on how to use it. And that's something that I don't think I've seen done well. And if you've seen it, let me know because, right, right, right. Because when I talk to say government, this, all this stuffs just way over their head, but if they had a way to help manage this for the customer, that really
You, that would not see the government doing it anymore. That's why initiative amongst companies,
Right? Yes. Because we also don't
Do the government. They want our information, not government's information. That's fine. So,
Right, right. And I think that's, that's the value of us coming together and sort of some of these, these gatherings, and if we can have enough like-minded individuals that can actually, you know, sit down for pen to paper, make real, real products we can.
So this slide is that we know it's not just about technology. The technology for this is, is I would say trivial in the sense of the Microsofts and the apples of the world, right. We're just talking about data. We're talking data sharing at, at the maximum, we're talking about hashtag tables and comparing that so that, you know, the actual, I mean, this is not brain surgery type technology. The hard part that I found in my work with federal government is that it's a whole about the lawyers and it's about sharing. It's about multilateral agreements. And how do we, and is it, is it worth the pain of invoking all my lawyers? Or should I just go as status quo as we, and that's, I think that is the one of the big challenges. So we've invested a lot of time in things called trust frameworks, where we thought, Hey, okay, if we were to outline every responsibility, your organization would have audit you to ensure that you are meeting your responsibilities, that would enable trust across the ecosystem.
And that's how we could solve this. So after embarrassingly millions of dollars of federal funds towards this trust, because our two complex, even too complex for the lawyers, because then you have to teach all the lawyers all about IAM, which is something that they, they don't care or know. And Barbara has other experiences, well, we trust, right, but we still need to engage them. So I would, I would encourage restarting that dialogue. I think the legal teams are becoming more and more advanced as well. There are, there are, there are actually cyber specific legal teams up there that are specializing in this field. And if we can come together with a sort of multilateral agreement that can at a high level, make sure we understand what our liabilities are or aren't, and there's a lot of models that there is no liability, even for identity providers and make that clear to the different organizations that can really help with data sharing.
I would like to, my thing is even a little more Phil. My dream is not just us or Europe. So we've been talking to international legal people and we, and the good thing about the, the data protection laws now that a lot of lawyers I have met in, in us and working for international companies are starting really to understand. And it's, it's really good. So it sounds good, but it's, it helps. But so my dream was, so any questions we could have two, at least, and otherwise you can speak to Phil afterwards. Yeah.
If my experience is also good that the corporate attorneys are often ones safeguarding brand protection, right? So what would be some takeaways for the group if they have to educate legal offices on what they can share and why, what and how? Cause that seems to be the biggest challenge in the community.
So, so the first part of question about brand and what we were just wanting to correct our brand, and I completely agree with you. That's a lot of, that's a lot of maybe, maybe 40% of their concern, right? I would say that we are now entering a phase where our consumers are demanding more from us, and they're expecting that from us. And I forgot the gentleman's name, but I loved his presentation yesterday. That expectation of utility I think, is rising in terms of as cybersecurity professionals and cybersecurity companies or larger companies with complex and robust cyber capabilities, our customers are expecting a higher level. So by investing in these types of opportunities where data sharing is used in a way that protects that and protects that brand, I think is a, could be a more compelling argument than it was maybe five years now, in terms of what types of data we had a term called meaningless, but unique numbers and bonds, where you can have very specific data about somebody when you anonymize it.
So I think that that is one easy way to sort of strip the personal out of the PII. That could be helpful from the data sharing. If there is a breach or cetera that both parties can say, Hey, you know, I will share information that de anonymized that I'm not sort of collecting pool, but that's, that's
Approach. Yes.
Why, what I said, that's ours. We have to have legals also here, you know, in USA businesses, we used to have here, we still have the legal people there. There's another approach you can try to get them interested is because it's not just the brand. It's also, especially in the United States, the liability you have and you get sued for anything, you know, let's get yeah, no, that's no, no, no. And that's why a lot of legals will help you because that's something they're concerned about. Well, that's what I felt. They were all working with me in the us. So not just in Europe. So it is possible. I mean,
But it is,
It is it's but you have to be lucky. The legal people must be very smart.
Well, think about the, the agreements that Microsoft had to
Have. Yes. Basically,
If those guys can work through their own
Organizational issues, did you ever see the crime lab, the Microsoft's crime lab I'm serious, you know, that you have never been there. You know, I'm the biggest Microsoft fan in the world because they have crime lab. Did anyone ever see the crime lab? What they're doing yeah. In that cool. That's the coolest place to go to and that you can see how well these legals are because that's part, they take down terrorist and, and, and also what call drug courts and all that kind of stuff. Maybe many people are not allowed to get in there. But so, and they went through all this legal stuff, this information, they get out of the crime lab, they push it to their customers as well. You don't pay for it. So there's a lot going a lot more. If you're in the real cybersecurity space that you figure out also intercourse gives you a lot of information. So they call me if they find one of my S in the past, but what you're asking for that was your point that doesn't help the small. And that's the point.
Yeah. Gradually. Right. But it's, it's a beginning, you know, it's not a big ones maybe, but maybe we'll trickle out not
Two years. Right. We'll
Solve we'll. Thank you very much, Jill. It was a joyful help.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00