Disruption Time? How to Approach and Embrace Decentralized Identity Inside the Enterprise

So I will be the first, apparently I'm aia. I have a PhD in computer security and artificial intelligence, and I've been working with monarchy for digital orchestration. Okay. So I think that the idea here is not to change the identity access management in a completely and radical way, but we need to adapt. We need to gradually change step by step as we presented before. And as Martin presented, now we can introduce digital identifiers and verifiable credential as part of the process in order to save costs, reduce the effort and automate as much as possible.

And that more or less is my entry endpoint. Yeah. Thank you. Okay. Hello Candace swirly with ping identity.

And I, I agree with quite a lot of what you said. I think that this is gonna be a gradual process into decentralized identity. I think decentralized identity essentially compliments the rest of IAM over time. Perhaps it becomes the dominant element in iam, but at least for the foreseeable future, it's complimentary. I think that allows individuals more control over their identity without requiring enterprises to give up completely the data and information and control that they may have today.

So I think that, as I indicated earlier in my keynote, I think the time to start considering to centralize identity is now understanding what the implications are for your organization as this evolves will be critically important in you being able to stay ahead of your competition and continue to deliver the best possible experiences for your end users, whether those be workforce or frankly your customers or partners. Thank you. So I'm Mike Jones.

I've worked on a lot of different identity systems over the years and one of the things I observe in conversations both here and abroad is that people confuse two terms, decentralized with, for instance, verifiable credentials or verifiable identity. My friend Vittorio Bucci in his keynote pointed out that, you know, we're not likely to see databases being deleted because of the blockchain. And I will quote Dave Birch who once said to me, I think at ID next, that if there's a natural source of authority, you don't need decentralized decision making.

And in fact, since this panel has the name enterprise in it, I will assert that the enterprise in its own context to use one of the words, is sovereign. Therefore, enterprise can decide what systems to use, it can decide what procedures to use, and there's no need for decentralized data structures in the enterprise. You may have distributed data structures for fault tolerance and all kinds of reasons, and you may have verifiable claims for good reasons, but I don't think decentralized has a role in the enterprise.

Well, maybe I agree with you. My name is Yako bas, I have run identity and access control functions for whole international banks during the past 20 years. And since five or six years from one of those banks, I was the identity specialist in the Dutch blockchain coalition. And their first work stream was on digital identity with help of blockchain.

Now, let alone the blockchain, I was the identity person there. So I was telling my peers in the MT for the CSO group and all the security guys and the rest of the enterprise just explaining what decentralized identity is and was and would be and could be all the benefits. That was all very clear. But you can forget about any enterprise, like a large bank who have their own bank IDs to adopt that because they already have stuff. But the question is how to integrate the yield and the new world without a complete massive boil, the ocean approach.

And I think something in between gradual small steps could do the trick, but they need to see a benefit for that. Yes. And if privacy awareness is going up, which you did in 2018 with, with GDPR becoming enforced, that is, that was a big game changer for privacy awareness in the generic audiences. And okay.

And now, good news, two months ago I was in the HAG security delta some conference. There was a guy from this bank that I was leaving years ago, and he was breaching self-sovereign identity or decentralized identity from that bank and that they were considering to look at it. That was five years after they had been completely battered with the concept when it was a bit more new. So it takes time. Yeah. So I I I think one, one important, no, no worries, also can work is two microphones or so, but I think it's sufficient. So that way first we, I think we, we we, we must be careful.

So when I use decentralized, I don't, or sometimes I think about blockchain, but rarely. So it's not decentralized equals blockchain.

Not in in, in my understanding. Surely here, I think this is, this is one and, and I think we, we, we surely have this challenge of different terminology here. Yeah.

Which, which we, we need to understand. So for, for me, it also means, you know, when you're, yes, you have a system of records and I, a while ago I, I, I created a graphic which was sort of deconstructing the, the user journey.

And, and that starts with that you have an onboarding journey and that you have a recurring authentication journey. So it's that one user journey, but it are at least two very essential ones. And when you then, then look at this, then, then it means that you have a lot, lot, lot of different areas there where you may say, I, there's someone who comes in with a wallet, et cetera. And then at some point it maps to something which you have internally in your system of records.

And so there is this central part, but there may also be something which is from, from the perspective to use way more decentral. And I think we don't have the time to to paint this down, but I think deconstructing all these things and looking at what are the elements and how can you, where can you use different things? So a standard authentication versus something where you come in with, with a social login or with, with any other type of login.

There, there are then points where you have different options, but they all go at the end. It's one system of records. And I think when we, when we look at it as a series of, of, of many steps and, and many faces, then it becomes clear that in, in the enterprise world, there are always things which are in a database which are central and there are things which are rather flexible in the way we can handle them. Even it's not in one central database. There were five or six or seven yes customer repositories that couldn't even be correlated to the same natural person. And that that's legacy.

And companies are struggling to settle that internally, already internally using federation software just to make one user journey internally, let alone externally with customers. So that, yeah, there's a long way to go.

Okay, this, this was the first CHA panel that run 10 minutes without a single question. This is good. We might have a lot to say. Let me throw a question in. So when we are talking about enterprises, Martin told us in in his last presentation already a little bit about that, but what are the most compelling use cases there? What are the most interesting use cases for enterprises in, in your personal opinion?

Martin, may you start as a, as a summary from your presentation. I think for me one of the most compelling things to start with is looking at where can you reduce over where have your process cost savings? Because that is something that the business understands. There was more I talked about, but I think this is a good starting point.

Well, if I'm looking from the banking perspective, knowing your customer is the most expensive process. They have millions and millions per year per bank and then all doing the same person in three banks each again after three years, they have to repeat the process or if there's a trigger reason to re validate the customer's background. Not just the identity, but the whole background checks. And there have been initiatives to try and consolidate that or look, but there's regulation in the way. But that would be a very good use case if they could save project cost, process costs.

There Any additions to that? Otherwise we jump to the next question.

I think, oh, go ahead. No, no, please.

So, you know, having recently released credentials, which are a part of decentralized identity, at least from our perspective, we're seeing a lot of interest in healthcare where oftentimes, you know, they're struggling to maintain the identities of their, their patients without having challenges around privacy, right? So that privacy know your customer privacy thing in healthcare is especially challenging. And then in the second places with remote workforce, you know, I, I, I am a great example of that. I joined Ping two weeks after the world shut down.

And the way I proved I was who I said I was, was on a zoom call with my passport held up against the camera. There is probably a better way to validate that I am who I say I am than, than that. And so I think even in the workforce world, there's an opportunity for verifiable credentials and decentralized identity to kind of change the way we're approaching workforce identity as we kind of evolve. And it's very early and we're gonna see a lot of evolution in this space and I think we're gonna learn a lot about what those use cases are over time. Good.

I want to connect to what you said because let's take it from the other perspective. If I'm a citizen, I need to apply to work, I need to fill their data every single time. And perhaps in two weeks I will change and perhaps in two months or perhaps in a year, but I will definitely at some point change. So what if I can bring with me all the different information and you can trust them. The second enterprise will not have to pay the costs and will not have to take all the different measures and steps that the previous employers actually had to do.

And if the government can actually do that information, which means that, sorry, it implies that the subsequent companies and sub subsequent enterprises won't have the, won't have to deal with the burden of actually verifying all the information, which also connects to the know your customer information at the beginning. Think about validating contractors. Indeed. Oh my goodness. Right? It's crazy. Yeah. And think about, so staying in the enterprise, you touched healthcare environments, pharmaceuticals, et cetera, b2b, two C et cetera, researchers, clinical trial patients, et cetera.

Super complex, highly regulated processes, very costly. And that is you, you brought up one point I say say, okay, the one enterprise does it, then the next don't need to do it. And then I again and again here this, oh, but why should we pay for something where the other benefits from my analogy goes back to 1875 where the World Postal Agency was created until then when you had sent, been sending a letter from let's say Stuttgart to Vienna, it passed at least two borders in between and the recipient had to pay because the cost was calculated at the end.

And then someone came to the great idea saying, okay, on average probably as many letters go in and out, so let's pay the sender and we are done. And it worked out since almost 150 years. So it will work in our identity world as well. We just need to look at proven cases 150 years almost. It works 148 to be exact. Good. Okay.

Michael, next question to you, maybe because you are the silent one right now in, in the round. So what needs to be done to make those d i d success and enterprise use cases from your perspective? Data DIDs are so many different things. I was in the DID working group and one of the fights there that I consider that the group, excuse me, my goodness lost was can we define a few did methods that are mandatory to implement such that it would be possible for iteration to be assured.

And there were some proposals, but there were two camps of DID methods, those that were living on blockchains, which some people were avid supporters of. And those that used sort of more conventional data structures such as the web were just keys. And the some in the DID working group were saying, well, but those aren't decentralized. They would've solved problems, they do solve problems.

But that world is full of idea ideologues and consensus doesn't necessarily seem to be a core value in either the did working in Cooper for that matter, in the W three C verifiable credentials working group where I'm an editor, it it's a strange world. So I don't have a solution for you. I am working to create things that will get used, but it's a work in progress. Good. I mean you see the timer, we are already running out of time. Right. And I'm actually gonna excuse myself cuz I'm running a session on main stage in four minutes, so You, you're excused. Yep. Good. Thank you.

Thank, thank you for joining. Thank you. For the others to wrap up our panel, I would like your, would like to ask you to have your closing statements 30 seconds each. Are we able to do that?

Yes, Definitely. Actually before that I'm going to launch a provocation to everybody because what stops me from saying, okay, my company will use decentralized identifier and there will be, did mathia U I d what stops me from using that? It's something that you do not need to trust. And this will connect to my closing statement, which will be, if we are going to introduce and actually move to a decentralized word. The issue is not technological, it's not on how can we do it.

The issue will be on how can I trust that you do, you did actually your due diligence and I can trust that you made everything as per my standards. That will be the real deal. So to your point, I think the ability for us as a, as an industry and the individuals that are, are implementing identity programs to agree on standards that we can all use as we're identifying whether or not a credential is is valid or something that we'll trust is gonna be critical Yeah. To this.

I think the other thing is, you know, there are problems in identity that we haven't solved with traditional IAM Pro products. And so I think we need to be looking at those problems and saying, can decentralized identity be a path to solving some of those problems? It's a new approach, it's a disruptive approach. I don't think anybody should dive in the deep end of that pool, so to speak, you know, without due consideration. I don't think a rip and replace of IAM is the right approach, but I do think there are use cases where this could be very applicable and very successful in the short term.

Oh, five seconds, three seconds. Well, I think that there are a lot of problems in the classic identity and access management world, which haven't been solved, like delegation, delegated authorities and so on. They also need to be solved in the decentralized world.

And I, I've seen a lot of innovations on SF lab projects wanting money from the EU to fund these innovations. I've seen 60 projects reviewing them to hand out the money and a lot of them were about solving classic IAM problems to work in the decentralized world.

And so it, it will be small, gradual steps, but gradually with slowly I think years it could help. The use cases are not the problem. The governance could be the problem and, and settling all these old existing problems. Yeah.

Well, I think my, my most important point is don't be to go step away from fundamentalism in this entire discussion. So don't go for 100% security, don't go for the perfect thing, but look for pragmatic solution. There's so much in we can do, this can be a game changer. And as I've said, it's not disruptive in the sense that it can enhance what we do. It's disruptive and that it finally can solve a ton of problems we haven't solved well and a lot of new things and this is what we should, how we should look at it.

Not, you know, I I I really get Matt, when, when, when all these, oh, you should call it, not verified, but verifiable discussions start. Why, why do we talk about these things? Let's make it work. Good. Thank you. Thank you Martin. Thank you to all panelists.