Event Recording

Matthias Reinwarth: CIAM and the KuppingerCole Identity Fabric


A Flexible, Adaptable Architecture Framework to Meet the Accelerating Demands of a Digital Enterprise

Consumer identity and access management (CIAM) has arrived in the business processes of digital enterprises. Customers, prospects, devices, things and their relationships are becoming increasingly important. At the same time, the innovation cycles for customer-oriented applications are becoming shorter and shorter. And CIAM itself is facing continuously changing challenges.

The service-oriented paradigm of the KuppingerCole Identity Fabric provides the perfect foundation for a steady evolution. This applies both to the CIAM system itself and to CIAM as a building block of a company-wide identity infrastructure.

Thus the KuppingerCole Identity Fabric serves as the umbrella for an entire IAM architecture. It supports distinctive features for CIAM where required, while ensuring efficiency and reuse wherever possible.

So welcome also from my side. The topic of my keynote today is, as Annie already said, CIAM and the KuppingerCole Identity Fabric, which is the concept which we use in research and in advisory for describing, for assessing, for developing identity and access management architectures and processes. And let's have a look whether this all fits nicely together. The subtitle is "Meeting the accelerating demands of a digital enterprise". And I hope I can convince you that the Identity Fabric, as we promote it at KuppingerCole, is really something that you might want to look at, because it's a published concept. So you can just use it, first of all, to start with. And maybe also as a recap, when we look at what we heard yesterday and what we will hear later on, we need to mention the D word, the digital transformation. And we need to understand that these identities that we are dealing with for this event and with CIAM are really the key for the digital transformation.
So we need to make sure that we understand that consumer/customer identities are at the heart of marketing, advertising, and sales strategies. And if we mention marketing, advertising and sales, we see that these are different people than those who are usually in touch with IAM systems, which is usually the IT guys. So this is really something that has changed here. So we need to understand that this is really of importance, and we have other stakeholders. This affects all industries and regions. So it's not just the individual customer-facing industries. It's basically all, because we are all now dealing with end-user customers, with B2B2C customers, et cetera. And our consumers or our customers, they are actually, yeah, they're spoiled. They are used to very good user experience and they will demand the same from us when we provide these services.
So a seamless, consistent, and relevant experience, for example, for the process from registration to authentication to authorization, because they're used to Netflix, to Amazon. So they want to have something comparable. CIAM, to recap that as well, is far more than just the security domain. Of course, we need to make sure that everyone has access to what they need to have access to, no matter whether they're an employee or a consumer, but it's much more: it's user experience. And it is an access enabler for customers and consumers. So we need to make sure that, as I said, all identities, especially consumers slash customers, have access to the resources, and we are living in a hybrid world. So we need to make sure that they gain access to every system, no matter where this is actually deployed and where it is running. So it might be on-prem, it might be in the cloud, it might be a hybrid. It might be software as a service. And in the end, we have talked about marketing, advertising, and sales strategies. We need to make sure that we understand and monitor the user behavior as a basis for security on the one hand and, for example, for marketing automation alike. So it's the business side, it's the security side. And of course, to understand and monitor that, we need to make sure that we have proper consent available.
If we look, and as an advisor (and Annie mentioned that, lead advisor) I'm dealing with lots of our end-user customers: sometimes, and it's not that rare, we see silos in place. So having different systems in place for different types of identities, which is really something that we do not endorse and that we really criticize, but this is also due to, yeah, history. And it's funny enough that those organizations who understood IAM as a key mechanism for security, for efficiency, are often now organized in such a silo, because they started out with such an employee IAM system, which is typically run on-prem by a dedicated IAM team. So that is the first silo. They deal with employees, maybe with some freelance users, some partners, if they are manually maintained in there. So this is silo one, and we will have many more silos, as you can guess when you look at the slides.
So we have mobile device management, which is often run by a cybersecurity team. All these terms here are just examples and just experiences from some organizations. So you have the IAM team, you have a cybersecurity team, which is not the same team, which might be related, which might be not. So we have the devices that are associated to a person, be it an employee, be it a consumer. We have, of course, in many organizations, as they are typically Windows shops, an Active Directory, which is a system which in the worst case is maintained separately. In one of the best cases, it's a provisioned system out of the employee IAM and other systems. So this is something that provides authentication and authorization to everything Windows, but there is more right now. So we need to look at many more silos. I've mentioned the hybrid world.
So there is, of course, usually a cloud directory where you have the identities maintained for end users, for customers, for employees, for partners within this system. And who is responsible for that? Yeah, depends. It depends on who actually purchased or subscribed to this platform and how mature the cloud strategy for such an organization is. And speaking of cloud strategies, many organizations have a multi-cloud strategy. So they will end up with more than one cloud directory. And it depends on who actually uses this and how mature, again, this strategy is, whether this is aligned or not aligned. So we end up with lots of silos. And when we talk about CIAM today, we have to have a look at where we put CIAM there as well. So I have left some more room for one more silo. And if you think of your own organization, maybe you have some more. There is the CIAM system, and who owns it?
It depends who actually is the driver behind that and how mature the CIAM strategy is. It might be marketing. It might be the team that also runs the CRM system. It might be a DevOps-driven development team that has to provide that shiny new app for your customers. And you understand that this is different when it comes to maturity and for the efficiency of having such a CIAM deployed in that way. So I've mentioned many, many silos and you see all the issues that go with that. So if we look at the issues of yet another silo for CIAM, I just want to make sure that we all understand that this needs to be prevented. So first of all, if you run a CIAM in that manner, it's just limited benefit. There is no full return on investment. This is really not where you want to go to, because it will not end up with all the efficiency and effectiveness that you wanted to achieve by introducing such a system to, yeah, take care of your consumers slash customers.
There might be some potential compliance issues because, well, there's one more system processing PII. Do you know, when this has been purchased by the marketing department, or subscribed to, where this solution that is actually in place stores its data, and whether that is compliant to, for example, GDPR, to CCPA? That might be an issue. It might have potential governance issues, because you do not understand the full picture of your identities. Is this customer also an employee? Different silos, employee IAM, CIAM, but there might be an SoD, a segregation of duties violation there as well. So this is really something where you have to have a look at. And finally, we might even end up with more than one CIAM, which is really the worst case. Then you might end up with user experience issues, when we talk about more than one account for customers in different CIAM or customer-facing application solutions.
So this is really something where we do not want to go to. And that is what we use this Identity Fabric for: to improve that scenario, to get to a better solution. Just one more aspect to look at. We are in a changing environment in an IAM world; we are in a changing environment for a CIAM world. So we are really looking at hybrid architectures, and we are looking at a platform world where the individual services on these platforms, in this platform world, provide infrastructure as a service or, in general, services to many applications, infrastructures. And we have, of course, more and different identities. And these are also consumer related or customer related. I've mentioned mobile device management. Of course my iPhone is an authenticator when it comes to providing a second factor for identifying lead towards any platform, for example, towards a consumer platform on the internet.
But we have more: we have partners, we have devices, we have contractors, we have software and services, which might have identities and provide identities. So we need to have a look at that, and a very close look at that. And finally, these modern architecture and deployment scenarios, they provide everything as a service, so we can consume identity and access management and consumer identity and access management from the cloud. And we provide services with our CIAM and with our IAM to the cloud, to any application. So how can we do things better? CIAM and the Identity Fabric. We think of IAM as a service platform; no matter whether this is CIAM or IAM, this is a service platform, and a service platform is not a product. We have great CIAM products around. We have great IAM products around. They need to be understood as building blocks within a service platform.
So services in a holistic identity paradigm: sounds great, sounds like analyst speak, but it's true. This is something where we want to aim at. We want to provide all required capabilities to all types of IAM, including CIAM, and there will be specific functionalities provided by a CIAM solution, a CIAM building block here. This approach aims at separating architecture from technology, which makes sure that we have a transparent and a stable architecture, while technologies and products might change over time. But the overall service is provided in an adequate manner. And that means that such a system is hybrid and interconnected by design. So this is really the approach that we want to go forward with. And if we have a quick look at this picture, we used this earlier in other KuppingerCole live events, but we think it really applies here as well, because it is really a global, holistic approach.
So we look at the Identity Fabric, we look at an identity API layer providing all the services that we need for all types of identities, including customers and consumers. So if we look at the identities to the left, we have the consumer, the customer on the top, and I've circled it with a pink frame just to make sure that we see where this all comes into play. So there will be a consumer IAM providing these identities. There might be something provided through other channels. Consumers come in with their own device. They come with their own external identity, and that needs to be handled adequately, and they want access to our systems. And we want to use this information for our purposes. So we need to make sure that all the identities to the left gain access to all the services that they should have access to, to the right.
And that means we need a platform in the middle, which provides the capabilities and the services on a technical architecture that makes sure that all this takes place in a uniform manner. So we don't want to necessarily build everything for every type of identity again and again, but we aim at a platform approach, at a building block approach, at reuse. And as you can see, the registration, verification and the consent management again is circled in pink, because this is typically something that we expect from a CIAM solution. So the CIAM solution is something that provides capabilities in such an Identity Fabric, to the Identity Fabric. And the glue in between is the identity API layer. And if we take these services for these consumers and bundle them together, we might end up with a service, still an abstract service that needs to be then mapped to a product, to an actual, yeah, piece of software, so that we have something like a consumer onboarding service. And reuse is good at that point, because we need to make sure that we understand that such a registration and verification is not necessarily only for consumers, but we might want to use that also, for example, for a partner onboarding process as well.
So we need registration, verification and consent management there as well. And we deploy this all in a technical architecture, as modern as possible, between a local data center and the cloud, all within microservices, all encapsulated and then exposed through APIs. So this is the ideal world that we are looking at. And what do we want to achieve with that? We want to use that for integrating into our existing platform. And that might even include legacy IAM, legacy applications, even applications that consumers should have access to. Think of an insurance providing services in highly critical systems to end users via an app. That might be something. We want to integrate that through standards, and custom integration if necessary, to existing digital services and software as a service. So we provide data to these services, and we need to make sure that we provide the information that is required by digital services from the outside through our identity API layer.
And we need to make sure that this is well done here as well. Like you see, there's one thing missing, and that is actually one of the examples that I've mentioned before. If we think of marketing automation, which is closely related (again, a pink frame around that), if we want to think of marketing automation being provided, for example, from the cloud, this identity API layer will provide information to the marketing automation. And we need to make sure that we can, for example, authenticate via our Identity Fabric here. So we make sure that we have the agility that we need to have to provide efficiently the digital services as required, as it said in my subtitle for this keynote. And we need to make sure that we are well integrated within our own infrastructure and have the hybrid support. And this completes our Identity Fabric that we, yeah, think is also perfectly suitable for creating an overall IAM platform, with the specifics provided by a CIAM solution, and providing services across the complete organization for all types of identities.
To summarize that, my summary and my takeaways for today: first of all, we really think it makes perfect sense to align CIAM with IAM. So we really need to understand that we have to meet all these requirements, which might be the same and which might be different. What we don't want to have is a single infrastructure. This is not what we are talking about. We are talking about well-aligned services that are provided and orchestrated and governed within an overall IAM architecture, a model to think of; it's not one system. So really the specifics of a CIAM system can really demonstrate its strength within such a platform. But we want to provide services for all types of identities, as I mentioned, and to understand them across all systems that we are working with. If we think of the Identity Fabric as I've presented it just in the slide before, I think that makes perfect sense for evolving your identity and access management, with CIAM being a part of that.
And think of your IAM service as a portfolio of well-defined and segregated services. I've mentioned the APIs as the glue between all these services that we provide. So we have a secure, a standardized and a scalable interface for providing and consuming IAM functionality. That is really of importance, because that also is an enabler for the next takeaway. We have changing deployment and operating models. So we need to make sure that we use these APIs that use standard protocols for evolving over time, for maybe moving one service from on premises into the cloud without losing functionality, while being compliant to all the requirements that we have, and while exchanging data via standardized protocols, even in various systems. And maybe we can also think of providing the same type of service, the same building block from the Identity Fabric, within different incarnations for different types of identities. So access management might be something different for internal users, employees, and for external users, for example, consumers and customers. So to sum it up, CIAM and the Identity Fabric is really something that we would like to recommend thinking of: thinking of the Identity Fabric concept and thinking of CIAM being a part of that. So we can support the distinctive features for CIAM wherever required, and we can ensure efficiency and reuse wherever possible. And that's it for my presentation. And I'm happy to take your questions.
