Webinar Recording

Customer-centric Identity Management


While most organizations are at least good enough at managing their employee identities, dealing with millions of consumer and customer identities imposes a new challenge: many new identity types, various authenticators from social logins to device-related authenticators in smartphones, risk mitigation requirements for commercial transactions, the relationship with secure payments, customer retention, and new business models and thus new requirements for interacting with customers. The challenge has never been that big.

Good afternoon, ladies and gentlemen, welcome to this KuppingerCole webinar: Consumer-centric identity management, from identity management to identity relationship management, the changing relationship between IAM, CRM and cybersecurity. I'll be the speaker today. My name is Ivan ly. I am a lead analyst at KuppingerCole and, first of all, let me begin with some general information about us. KuppingerCole is a global analyst and advisory firm providing enterprise research, advisory, decision support and networking for professionals in Europe, Asia Pacific, and North America. We do our research in the form of various types of research documents: our flagship Leadership Compass series, where we compare technology vendors in various market segments; advisory notes, where we examine topics and future trends in technology and cybersecurity; various vendor reports; individual product or service executive views; and so on. Through our advisory services, we provide advisory and strategy services to enterprises and users. Another big part of our business is events.
Our main event is the EIC, the European Identity and Cloud Conference, which will be held in just a couple of weeks. And we think it is a must-attend event with a large number of speakers and areas covered, such as IAM governance, compliance, risk management, as well as cloud security. This will include most of the major vendors, end users and thought leaders in the areas covered. We recommend having a look at the full agenda, which is already online. As we will see in this webinar, identity and cloud cybersecurity today mean a lot more than has been traditionally understood in these technology disciplines. So this webinar is a bit of an introduction to revisiting these traditional topics. But first, some housekeeping guidelines. You're muted centrally. There's no need to mute or unmute yourself as we control these features. We will record the webinar and it will be available online tomorrow. There will be a Q&A session at the end. You can input questions at any time using the GoTo question feature in the control panel, and we will try and answer as many as we can during this period.
This is a high-level outline of today's webinar topic. First, we'll take a look at traditional pre-internet conceptions of identity, access management and perimeter-based cybersecurity. We will then examine what has changed significantly in the technology landscape and which signals major changes in the evolution of these disciplines. We will see how the technological and legal shifts that have taken place have major implications, not just for IAM and cybersecurity, but also for the discipline traditionally known as customer relationship management, or CRM. The second part will be a long session of questions and answers. So we'll start with IAM. Identity traditionally has largely been seen mostly as a technology subdiscipline of information security. IAM has always been a bit of a problem child, IT organizations often unsure whether to place it under the ownership of infrastructure, applications, integration, or security teams. It certainly involves elements of all the information technology disciplines, with its focus on user provisioning, access control and request workflows, governance, password management, and authentication and authorization.
In the past 10 to 15 years, identity management was focused primarily on enterprise provisioning and on staff and employees. The IAM market has gone through a number of iterations and reached a certain maturity, with a number of widely adopted and mature standards being published and many solutions and vendors having stabilized and continuing to innovate. Traditional cybersecurity as well was largely defined in analogy to conventional security. This traditional approach assumed that, like the conventional security of a physical facility or building, cybersecurity is possible primarily through the limitation of the asset to be protected with a perimeter and a strong focus on maintaining a distinction between more and less trusted zones. This kind of approach, with enterprise systems safely on premise and overall network traffic primarily within the enterprise, had a large focus on network perimeter protection, segmentation at network OSI layers two and three, firewalls, VLANs, et cetera, and assumed that malicious actors could be kept out of the safe havens of heavily guarded network perimeters. Endpoint protection really extended this perimeter defense logic to user endpoints. Just as traditional IAM focused primarily on internal users, such as employees, this traditional approach also primarily focused on locking down employee end devices, which were usually owned by the organization, treating these devices as just another entry point, like a door to a building that needed to be locked down.
We all remember the much-hated group policies, and the logic was: as long as the device was locked down, it could be treated as a trusted device. This was always premised on a clearly defined attack surface, which was easy when network links were expensive, resulting in primarily on-premise client-server architectures. But things, however, have changed significantly since perimeter cybersecurity and internal IAM approaches were considered sufficient, both for mitigating security threats as well as meeting business requirements. What happened? Well, in short, the internet happened. As bandwidth cost decreased, the age of digital transformation was ushered in. This meant that many goods and services, which up until now had been offered by traditional brick-and-mortar channels, were now being delivered by digital channels, as well as the explosion of completely new digital products and services. The internet went from being a novelty technology to one which enterprises now had to consider as the primary channel for business growth and customer interaction.
What did this mean for IAM? The explosion of digital services resulted in the explosion of identities and relationship contexts. As any organization will attest, the number of customer identities it has to manage is generally orders of magnitude larger than the number of managed employee identities. Relationship contexts are of no less importance. With the loss of the perimeter, use cases where a single user can be an employee, supplier and a customer of the same organization are now extremely common. The perimeter distinction also disappeared, and with that, the illusions of defensive, prevention-focused security. This can be noted by the choice in deployment options of technology solutions and services (cloud, on-premise, hybrid) and by the large variety of service delivery agreements with third-party providers that most organizations currently engage in today: software as a service, platform as a service, infrastructure as a service, outsourcing, managed services, not to mention BYOD and the growth of publicly available enterprise services. Last, but by no means least, here are the changing customer experience expectations.

Users have become accustomed to free services born on the internet with seamless, easy and intelligent user experiences. Customers could no longer tolerate the user experience enterprise employees had long become accustomed to. What does that mean for IAM and CRM? As KuppingerCole had long predicted, customer-centric IAM is not merely IAM as we have known it, but for external users; it is fundamentally a new discipline that fuses the best elements of CRM's rich information about a user's relationship with the enterprise and IAM's mature and reliable standards and frameworks for exchanging user information across enterprise boundaries.
As we have seen from the dominant internet services today, that shape user expectations, these free services, the personal information gathered by the customer as their most valuable source of data. Of course, this new money is not without its own set of concerns as are increasingly aware of both the value of their personal data and the increasing amount of their most private lives, which is lived online. Customer concerns have given way to new compliance requirements, which we will examine shortly in a section dedicated to the upcoming EU data protection laws. With the digital transformation brought on by the advent of the internet, we can see the concerns of cybersecurity becoming broader in scope and much less focused on preventative protection of perimeters. The central concern today, and in the future of cybersecurity, is data stewardship or information rights management, regardless of how the systems hosting the data are deployed, from which channel they are accessed, or the type of relationship between an organization and a user which requires the storage or processing of personal and/or sensitive information. Of primary importance in this broadened, non-perimeter focus of cybersecurity is data stewardship across the entire third-party service provider, suppliers and partners, especially when this involves customer data.

With customer centricity and data stewardship firmly in mind, the scope of identity management has also significantly broadened. These three columns display the past, present and very likely future of customer-focused identity management. The first column is the traditional IAM we all know and are intimately familiar with. The second column is where identity management begins to get interesting, as identity as a service is not widely available either as a cloud or on-premise offering, and reflects the wide variety of agreements that enterprises enter into today, with identity relationships over static, organizational identities, with the wide produce of standard OAuth for federated authorization. This is a key point which traditional IAM has long struggled to address using a simple, effective approach: the rise of identities with multiple relationships to an enterprise or organization. It is also where we begin to see the benefits of consumer-focused identity management, which focuses on the reality of many identities, many contexts, and many relationships. The consumer demands control of their personal data, and also a seamless consumer experience.
It is only by putting the customer and the stewardship of their personal information at the center of this landscape that systems, practices and security approaches can be developed that can be both effective and improve rather than hinder the user experience. Volumes, all computing and social computing. But these changes are just the tip of the iceberg. Users accessing services to apps, access management for operational IT, the Internet of Things with billions of devices, of things that all have identities and belong to someone or something, are making context and relationships of fundamental importance. It's more than humans. It's also about the identity of devices and things.
We must also map use devices. They might be part of bigger things. Just think about the connected vehicle. Humans use devices with apps to access services; the apps act on their behalf. What this means is that there are complex relationships between identities. There will also no longer be a single, we cannot ever assume that there will be a single source of truth about information anymore, and nor will we manage and trust will vary greatly. Many users will use many different identities or personas, which flexibly switch between these. There's no one-to-one relationship between persons and their digital identities. A person might have different relate identities. At a higher abstraction level, a person might be an employee, a freelance contractor, a consumer of the same corporation, all at the same time: one person, multiple identities. On a more concrete level, a person might switch from their Facebook to Google+ to self-registration on the type of account we do not even know yet. Trends are changing rapidly on the internet.
Main organizations have to understand that it is still the same person. Otherwise they will lose former relationship. Here is how we redefine customer relationship management: new ways to deal with customers. It's a foundation for business. It's also a foundation for business decisions. And it's also key for big data about know your customer, KYC. It also signals the importance of long-term, multi-faceted customer relationships, and it starts with customer information, basic processes, such as onboarding, logins from social logins, behavior, profiling, preferences, location, contextual information. And then we have the identity relationship. And this is an area of additional nuance, which composes, which is the types of relational information, linked identities of the users. All of this enables a better understanding of the user's interests and needs and avoids nonsense email marketing over more direct mechanisms, such as specific push notifications to apps or devices or by the consumer. We're coming now to see graphical data provided by the user during first contact, such as registration or subscription or purchasing information.
Data about online browsing proclamation has given rise to increasing privacy concerns. Then we have contextual data. Contextual data adds contents to the behavioral and base data by including information about the location, time, devices or origins of the customer interaction. Social data is the unified human view of the customer across the various personas and relationships. It's what tells us a story about the user. External knowledge from third-party sources: this could be a government, a credit rating agency or a third-party service which provides necessary information for an enterprise to do business with a customer. So we're seeing IAM as an evolution, as a basis for digital innovation. Customer satisfaction, ease of use, intuitiveness and time to market are key, as well as an adequate data model. The data model for customer identities must be dynamic and adaptable. It must store only what is needed for enabling business today and tomorrow: social, historical, preferences, context data. It needs to be adequately scalable.
It needs to support numbers orders of magnitude higher than what we're used to with traditional employee IAM systems. It needs to have good integration; that needs to be standards-based integration, both inbound with other service providers and outbound as an identity provider, as well as API access for full functionality to back-end systems. As the data stored, accessed or processed by the enterprise is increasingly more personal, security and due diligence in the stewardship of this data remains of key importance. We need adequate security. Identity is the new perimeter that must be protected. Data stewardship here is key: customer protection in a highly hostile environment. We have to assume there is no trusted perimeter zone, or everything is public. Everything is potentially breachable. Nothing can be trusted. We must use risk-based authentication and authorization, multifactor authentication. These last two actually often end up improving the user experience because users are only challenged with more onerous authentication methods as the risk scores increase. Next, we have platform security, cloud security, strong and reliable features built into all levels of the CIM systems: storage, APIs, transport, authentication, authorization, UI. Then we have data protection. This is key here. This is data rights management, national legislations, individual data protection laws, and the upcoming European data protection regulation, which is coming in the spring of 2018.
The EU: a brief mention of this law. EU legislation focuses on customer control of personal data and the requirement that the customer provide explicit consent relating to the uses or storage of their personal data. The key text here is: any freely given, specific, informed, unambiguous indication of his or her wishes by the data subject, either by a statement or a clear affirmative action, signifies agreement to personal data related to them being processed. Profiling as well is any form of automated processing of personal data consisting of those data to evaluate personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movement. So we can see how this can mean almost anything to do with what we just spoke about: profiling a customer's identity and building those relationships. Consent and privacy need to be balanced.
It is a very key aspect. And what changes with the European data protection regulation? It has an extraterritorial effect, widening its scope of application to non-EU controllers and processors where the processing activities are related to the offering of goods and services to individuals located in the EU or the monitoring of their behavior by organizations within the EU. And a very important key is the individual's consent and the purpose limitation principle, which means that data stewardship, again, is key. Any additional use that will be made of personal data internally or externally or shared with third parties must be carefully evaluated, and user consent must always be sought. There is a key focus on the rights of individuals: the right to notice obligations in the event of a data breach, the right to erasure and right to be forgotten, the right to restriction of processing, the right to data flexibility to the user, being able to export their data if they so request it. And as you mentioned about profiling, automated processing of personal data must also be subject to these consent rules. Decisions based solely on automated processing that produce legal effects or significantly affect individuals require suitable safeguards.
So here, as we see in this picture, we see a big shift between user trust and the need to collect more information about the user. So there's the need to balance security, data protection and privacy components, and always ensure that the customer is in mind, that data stewardship is key and central, and that security is seen with identity as the perimeter, with data stewardship at the core. And this provides to find the right balance between business enablement, agility, evolving business models, user experience, satisfying market means, as well as privacy and security. This means user consent. This means compliance. This means reputational risk in the event of a data breach. This means data stewardship. This means that the user feels that their data is safe with the organization. They trust it, and they have a long-term relationship with that organization that will shift over time. It must be thought of always in the long term. The online world is no longer a novelty. It is now the primary channel and must be treated as such, with just as much of a focus on both as in the physical world: on user experience, as well as compliance legislation.
So now it's question and answer time. This webinar is a bit too a bit, the purpose of which was to demonstrate how the EIC's topics of identity and cloud incorporate a lot, a much wider context than we currently imagined traditional IAM or cloud security to be. So I will look if there are any questions. Okay. Well, there are no questions. So I thank you all for attending, and I hope to see you all at the upcoming EIC, which is up in the second week of May. Thank you all for attending. Goodbye.
