Mastering the Digitalization of Business: Digital Identities and the Cloud

Hello, everybody. Welcome to our webinar. Mastering the digitalization of business, digital identities, and the cloud. How to make use of cloud service, digital identities of employees, partners, customers, and things to leverage your business to the next level. This webinar is supported by IBM. The speakers today are me Martin Kuppinger I'm found and principal Analyst at KuppingerCole Rin strategy in product management at IBM and Eric mass director identity and access management strategy at IBM.

Before we start some short information on Ko Cole, before we directly move into the webinar topics could be a call. We are an Analyst company providing enterprise it research advice for services, decision, support, and networking for it professionals, primarily focusing on information security. And within that area, we have a strong focus on and access management. We run a number of events. These include conferences. There's an upcoming conference in January in China, the digital risk and security summit.

And then there's our main conference, which will be held next time again in may the European identity in cloud conference every year in Munich with some 600 attendees don't list dis conference, the agenda for today as, as always split into three parts. In the first part, I will talk about the digitalization of business and the new scope for identities in the second part, then Ravi Seren, VA and Eric mass will talk about enabling digital business was identity service, cloud services, mobile support, building your infrastructure for the future.

We then afterwards we'll do some Q and a as the third part. And right now let's directly go to the presentation, the digital digitalization of business. I think this is one of these passwords clearly, but it's one of the big themes also in these days, not only for it, probably even more for the business side of our businesses who are thinking about what does it mean? How do we have to change our business? And when we look at the reality, there are a lot of changes. So we see new payment systems challenging the finance industry. So the way the finance industry has to work is changing.

Fundamentally. We see online commercial driving, catalog sales out of business in some cases. So in look at Germany, we have some of the very large and prominent ones seeing going out of business right now. Stationary retail also is challenged by online co we see a lot of changes, a lot of discussion on how this is going and all this means the type of business is changing. It's a far more, let's say digital business than it ever has been before.

If you look at things which where it's not about that much about challenge in the sense of being driven out of business, but reinventing the things you have done, then I think the automotive industry is a good example.

It needs to master the connect connected vehicle, a vehicle where instead of the traditional gasoline entrance, we see electrical vehicles and we see far more connected technology in these vehicles, which changes a lot of things with the organizations that need to redefine the supply chain was connected factories, far more information, the manufacturing area, which is exchanged and also integrating the customer into the supply chain for last minute change.

So they're not saying okay, six weeks before your car is already, you have to have to last change last chance to change the color of the car. No, this will be far more far closer to the final production delivery. Things are farmer integrated and maybe customers can see where it is in many areas. We have such such things. So we have package tracking etcetera for a while, smart metering and decentralized power generation. Another very interesting area where things are changing. We have far more producers of power, which are part of the large grids, very small entities.

On the other hand, we have the smart meters of the consumer side, etcetera, all these businesses are changing. They're changing because we are facing the digitalization of business. And there's nothing that remains untouched. All industries have to master the digitalization of business. There is no single industry that remains untouched. At least I'm not aware of single industry. And I've thought about it a lot. What we really are facing is sort of the number four in the history of industrial revolution, sort of the digital revolution.

So the first industrial revolution has been around 1780s and later the transition from agricultural societies into industrial societies and the second industrial revolution. Then around 1900, we've seen the intensive use of electrical power, mass production tailorism and farthest mass. Some of the more academic terms around it in the certain industrial revolution, the mid 90 seventies, we've seen the mass adoption of computers and micro electronics.

And right now we are seeing this shift, this digital revolution, where we connect things in humans, where we connect business partners, consumers, etcetera, where we have this everywhere, every time notion. And this is fundamentally changing the business models of organizations today, while in the third revolution, a new group of businesses entered the market. We are really seeing all of the traditional industries being affected by the digitalization and by this in fact digital revolution, and this it's quite well to a drawn a while ago, we called the computing TRIK.

So the new scope of information security, and in fact, the ma major trends, which are affecting not only information security, but the entire it and information management. So we have cloud computing with more types of deployment models. We have social computings with other usual populations. So it's not only the employee who's using his computer in the organization to access some internal service anymore. The server might be in the cloud. The service might be in the cloud. There might be a customer who's fully integrated, might be even more than a customer.

People are accessing these systems with a multitude of devices. They are far more frequently switching between the various devices. So things are fundamentally changing here. And this is in fact something which is very closely aligned to this digitalization of business. We have trans clouds, social mobile, which are just some, yeah.

In fact, results of digitalization. On one hand, on the other hand, the drivers for organizations that on businesses that need to digital digitalize their businesses. So what do we need to master that? So mastering this organizational challenge, I think from an organizational perspective, we need to rethink our organizations. One of the ideas we are currently discussing and proposing is what we call the CDO, this chief digital business officer. So a new person, a new office.

In fact, at a board level, it must be at a board level, which has the drop of linking business and it, but not only of linking business and it, but really fostering innovation, pushing things forward, supporting and mastering the digitalization of business. So it's business development, business development by making the business digital, it might be the CIO in a redefined role.

It might be another role depending on whether CIO is more on this business and business development side of things, or more in a technical side, it's about understanding the challenges and the opportunities, because there are challenges, privacy, security, a lot of other things, there are challenges in the traditional business and there are opportunities, both technical opportunities. There are a lot of things which can be done now, which couldn't be, have been done a few years ago.

And there are a lot of opportunities in business, new business models, understanding how it can foster innovation, a business, understanding that it must become far more agile to support business agility. And that means we need new deployment models. We need more elasticity, more agility, which automatically leads to the topic of cloud computing. And it's enabling new business models while balancing the digital risk. That's the other side of the equation. So we clearly have to understand what does it mean? And that run into traps of security risk, which put the entire organization at risk.

Imagine an attacker hacks all the cars of a manufacturer of connected vehicles that can in worst case drive such, even such a big company out of business. So we have to balance this. We have to understand it, but we have to enable innovation, not be the naysayer who always blocks innovation. So what are the key success for factors for the digitalization of business? It's fostering reinvention of business models. How do new business models look like?

And that's also about understanding what are traditional business models and what are maybe the good things and what are the new business models it's about stopping the naysayers and stopping being the naysayer many organizations, the digital of business struggles with the fact that the people are very used to their old traditional business models and that are not extremely willing to move to the next level. We have to foster innovation. We have to show what are the opportunities, but also migrate the organization. It's having a CDO, this chief digital business office linking business.

And it it's about understanding the use scope of identities. So we are dealing with far more identities than ever before. We need to support mobile devices, sync services. We need to support everything out there. It's not just our computers, it's mobile devices. It are the syncs. If you think about the connected, if you think about smart metering, whatever it, our services, the apps, cetera, and we need to make use of the cloud for the sake of team. So these are from my perspective, key success factors for the digitalization of the business, from an organizational and technical perspective.

And one of the things which is very important in there is what I've called some years ago. I think three or four years ago, my keynote, our European identity conference. I introduced the term, the identity explosion. And this is really what is happening. So you might have some tens of thousand employees or some thousand, or maybe even a few hundred thousand employees. You might have some more business partners or some less business partners to onboard into your system. You probably have many cases, far more customers. So you might have millions of customers.

And there are even more consumers out there which are not yet customers. So these are probably tens or hundreds of millions, potential customers. And then there are the things that we are talking about, billions, which we have to look at. So things are really exploding in the sense of identities. All of these things have their identities. We have to understand these identities. And when we look at a news scope of digital identities, then there are seven axioms I want to propose here. So the first of this is we will not manage all identities internally anymore.

There will be external directories, which are even not on birth. There will be no single source of truths and informational identities anymore. In sense of this is the directory, not even for a particular group of identities. If you look at realistically at your customers, there's information, the CRM, there might be informational database at the website. There might be external inflammation on various sources up to social networks.

There might be your internal directory service or your cloud directory, whatever it's more, many users will use different identities and flexibly switch between these. So users will have frequently modern one identity. Your consumer might move from Facebook to Google blast to something else we not even know today. And even your employee might want to use various ones for different types of devices, for instance. And that means also there's no single authenticator that works for all.

If you have a lot of devices, if you have services things, etcetera, then you have to support a number of different a indicators. This also means we must map humans to things, devices and apps. So there's the human person, but he might come through insulin app. He might own a device which communicates on his behalf, a thing, whatever it's far more complex, we have to understand the relationships, not only of humans, but of all these things and devices adapt based on that. We will also rely on a multitude of identity providers with varying trustworth in us.

So there might be different providers and you might trust one more than the other. And you have to understand what does it mean for your risk, which in fact means identity and access risk barriers. In context, if you use a weak authentication on your mobile device and an insecure network, it's different from using a strong authentication in your internal network against your own directory. But we have to understand these things. These are the seven, I would say Axiom's fundamental changes we are facing in identities.

So what you should, you do rethink your directory strategies is not only one directory anymore. Master the new distributed identities, understand how they are related manage relationship. Look at cloud directories, master all the stuff, wherever become risk aware and risk driven and build on adaptive authentication that is really can change. Where is authentics step up, whatever.

Some of the core identity concepts we are facing here is the multiple identity providers, risk based, versatile the adaptive stuff of authentication support for mobile and social logins support for things, apps and services supporting dynamic authorization. So providing the ability that an application can ask on runtime, what is the context? And then make risk based decisions, ideally based on central system, central policies and all that stuff.

And you also will have to think about dynamic virtual views on distributed identity information, which is dispersed across systems from a risk perspective. What does it mean? So there's no black and white pattern anymore. So the black not authentic indicated wide internal strong indication. No it's about many shades of gray and staff, different types of users, different types of authentication. The same user might be light gray or dark gray depends on the device. The idea etcetera, sometimes bigger risk, sometimes lower risk.

The context risk awareness is the key to success balance the context risk and the information risk. So per step up authentication whenever requires from risk perspective. This is where things are changing, but behind all that, there's a fundamental change in what, from my perspective is evident. If you are not able to manage identities and their access for all types of identities, then we innovatively will fail in the digitalization of business. So this is really a business enabler. This is what will done, right? Help us succeed in this fundamental changes of businesses.

At that point, I want to hand over to Ravi who will do the next part of the presentation and talk about enabling digital business services, ID to services, cloud services, and mobile support building the infrastructure for the future. Thank you, Martin. Thanks for the insightful view of where you see the trends in terms of adopting digital identities to enable secure businesses. And from an IBM perspective, in my role as the director of strategy and product management, I spent a lot of time with customers around the world, and I couldn't agree more with you Martin.

The business transformation is driving how to reach more users, how to reach more consumers and interact and get closer to where they are interacting from use of devices as well. So we see digital identities becoming a central focus for enabling secure business, whether it is in adopting cloud or even using mobile support as well. So today I'd like to share with you the perspective of what we are seeing from a lot of organizations, right in the middle of this transformation.

So what you see is cloud is clearly rapidly transforming the enterprise and traditional enterprise is now looking at cloud adoption in many different formats. In some cases, organizations are looking to extend their data center to infrastructure as a service. In other cases, we see organizations, development organizations, adopting platform as a service when it comes to enabling them to quickly develop new applications and host them and drive consumer interactions with those new applications.

And in many cases, this has been happening for quite some time now where customers have been adopting business applications as a service and these business applications as services obviously are focused on employees, partners, and even interactions with end consumers. Given that backdrop organizations are clearly looking for how to secure these interactions and reach the identities closer as well. So from a security challenges, perspective, security priorities, clearly of focusing more on digital identities of the weak link.

As Martin described the seven areas of focus, we're seeing social media being a fertile ground for pre attack intelligence gathering of identities. And you're seeing more traditional offthe shelf security tactics being used by attackers to gain access, to authorized use user scenarios. And so with the CLO mobile and cloud momentum, as that continues to break down the traditional perimeter and traditional barriers for organizations, security has to be thought through differently as well.

And we believe customers need to start thinking about organizations, start to need, need to be thinking about threat aware identity and access management as a key line of defense for these multiple parameters. So let me share with you the how digital identities is becoming a security control for an open enterprise. We see four primary scenarios where digital identities becoming a central security control in enabling that secure business interaction. The first one is no surprise to all of you is focusing on safeguarding mobile cloud and social interactions.

You clearly wanna know validate who's coming in to interact. Whether it's the partner coming in that with an authorized access or it's a consumer already a customer of yours coming in, or it's a consumer, a new customer that is that you're trying to acquire. Clearly the focus in that safeguarding cloud mobile and, and social access is proactively enforcing access policies, using context. The second big focus for using digital identities in an open enterprise is preventing insider threat.

As you start to look at how users with elevated access are no longer just administrators, but you also have users in call centers in data centers who are accessing the environment in and being able to access the critical systems with elevated privileges. So digital identities need to now be validated. It needs to be verified and also to be managed and governed as those users get access and do their activities. And here we also see the need for defending the application against unauthorized access.

What I mean by defend here is actually be able to provide a level of security where we're not just talking about authentication and multiple forms of identities being used, but also being able to look at the content and making sure that the, the session's not being hijacked and the content is not being compromised as a result of a digital identity being used.

It's an important aspect that a lot of organizations often overlook, but here's one area that we see organizations that are transforming their security posture to enable secure business, putting an extra emphasis on how to defend the application against unauthorized access. The third big focus area is how to deal with the identity explosion. As Martin described identity silos.

You, you had it inside your organization with multiple lines of businesses with different repositories. And this problem only grows bigger when you start to interact with consumer identities where consumers are asserting their identity from various social and other identity providers as well. So this is where we are seeing company organizations want having to put more of a, a service layer that enables them to provide secure online business collaboration, but use a federated access type support.

We're also seeing our organizations having to focus their efforts on unifying the identities for efficient directory management. We know that companies can't look to only one single source of truth when it comes to identities.

But here we see companies that are in the leading edge and environments like in financial sector, like in the transformation of the banking sector, where we're seeing identities coming in from multiple channels and organizations implementing and identity validation, identity, propagation, and identity virtualization type layers, and, you know, enable to bring in those identities and use them for authentication, but not necessarily have to manage all of those identities inside your enterprise. So the key is to use the digital identity, but not have to manage them.

And federated directory capabilities are key to be able to enable those use cases. The fourth focus area from an scenario standpoint is how to help organizations deliver actionable intelligence when you're using digital identities across your enterprise identity and access management continues to sit on a rich amount of information about who the users are, what they have access to and how they're using that access across all security domains. Now you add an element of digital identities that are being used from outside your enterprise, that you don't manage and gaining the visibility.

Gaining the intelligence on the identities being used is critical for companies and organizations, to be able to manage and monitor all the entitlements and activities here. Again, our organizations are able to use capabilities like a security intelligence platform to be able to not only identify these identities, but enrich them with information about who they are, what the entitlements are and have that connectivity from the identity source, from an identity provider all the way connecting into your enterprise.

So these are the four key focus areas to addressing what we see as the securities weakest link, when it comes to using digital identities to secure businesses. Now, I wanna take a few minutes to spend the topic on how we're seeing organizations looking to adopting cloud based identities. Most of the organizations are now at a, at are very interested in if I'm not gonna be managing all the identities and I'm gonna be using identities asserted from an identity provider. We see customers seeking flexible deployment models as well to manage and operate identity and access management system.

So here's example of, from an IBM's perspective patterns of how we see organizations adopting identity and access management, we have, we still have the traditional methods of adopting identity and access management on premise, but we're also now seeing organizations adopting identity and access management in a cloud hosted model where organizations are able to reflect their companies specific policies, the company's specific workflows, the company's specific business requirements, but have it managed and hosted for them in an extremely efficient manner so that you can use a cloud hosted identity manager to not only manage the identities that you own, but also use it as a broker service to be able to bring in a lot of digital identities and use them in your enterprise.

The other third scenario for adopting identity as a service is more in the infrastructure and platform as a service. As I described to you earlier, we see companies building out new applications using platforms in the cloud. How do you organize, how does an organization using a platform or a developer using a platform, implement identity controls into their applications without having to wait on an infrastructure?

We're also seeing opportunities where companies are implementing infrastructure as a service and making that infrastructure identity aware the infrastructure providers, many of the cloud based infrastructure providers will ask customers to bring their own security customers are gonna be putting critical workload into the infrastructure and companies will need to be able to implement identity and access controls in the infrastructure that reflects their specific business policies. So that's the backdrop of enabling secure businesses using digital identities.

And I wanted to take a few minutes now to, to turn it over to my colleague, Eric mass here at IBM. And he'll share with you the perspectives of what cloud identity service is and the scenarios that we see in the, in customers, organizations in adopting cloud identity service to enable secure businesses.

Eric, Thanks Robbie. So we're seeing a number of different use cases where clients are looking to adopt identity as a service. And in order to meet that challenge, IBM has launched its cloud identity services platform in order to deliver market leading identity and access management services to the enterprise in a multi-tenant fashion.

So similar to what we're seeing here, one service that's capable of serving multiple enterprises and offloading a lot of the traditional complexities of cost, time to market and time to value complexity of, of managing in in-house staff to keep abreast of changing protocols and, and technologies in that space, but also to enable our clients to more effectively meet their business challenges.

As we're seeing most organizations are changing and shifting from identity and access management as a cost of doing business to one that is helping them to exploit new avenues or, or, or new ways to get to market reach their consumer bases, especially if they're in a B2C type of environment, retail facing organization as well. The IBM cloud identity service is, is designed to be comprehensive in fashion and incorporates a number of IBM's traditional on-premise identity and access management products at its core.

So its power is in delivering the same enterprise class capabilities, but now from a market leading cloud based perspective At a glance, the IBM cloud identity services provides three core areas of service, identity management, where we support user provisioning and self-service our automated life cycle capabilities, enroll governance, and compliance in the access management space. We're supporting capabilities such as web single sign-on centralized access control and strong authentication.

And in the Federation space, very popular federated, single sign on capabilities for SaaS applications and B2B integration as well. Our strategy here is to incorporate a comprehensive platform, a strategic platform for our clients that enables them to satisfy a very wide array of identity and access management use cases from a single platform, all which is cloud based and all of which allows them to leverage the same value propositions across their lines of business. Or as a complete enterprise today are solution services more than 14 million users worldwide in about 57 different countries.

It provides millions of hourly transactions. So it's a scalable and flexible solution that's capable of, of scaling down to the smallest of regional enterprises and the largest of global enterprises. We're seeing a number of different scenarios as well. The first of which is adopting enterprise identity and access management from the cloud. Most of the organizations that we're speaking to out there are concerned about how they're going to continue to meet the requirements from a functional capability in their organization of IM.

But they're also concerned about the traditional inhibitors such as the delivery time and how flexible and agile the organization can be in changing with the times. Most of the assets that organizations are integrating now are in the mobile cloud and social space.

And in keeping pace with those changes in the market, a lot of organizations are struggling with the infrastructure investments, the time in which those investments take to materialize into usable capabilities in their environment, but also making sure that they're staying abreast of aspects that affect their end users, such as self-service capabilities and providing a usable and, and comprehensive experience for their, for their end users. This helps us to eliminate a lot of the deployment constraints that our, our clients are seeing.

It enables them to get up and running in a much quicker time, time to value. It enables them to also minimize the costs that they're investing from a, a maintenance and ongoing investment perspective as well. And this is not only hard costs, but also soft costs as organizations would traditionally have incorporated development into custom tools and infrastructure on site, which grow old and, and required continued investment.

Our clients from a cloud identity perspective can leverage very comprehensive service level, agree that enable them to simply adopt those upgrades and maintenance without, without investments in them. This is also attractive to organizations which have previously deployed and managed IM infrastructure on premise as well as those as we would refer to as, as Greenfield deployments.

The second use case that we're seeing is for organizations that are looking to extend their identity and access management into areas of rapid expansion, as previously mentioned cloud with the rapid expansion of portfolios in software, as a service infrastructure, as a service and platform as a service, many of our clients are finding that because of the ease of adoption of many of these cloud-based assets. There are lines of business has been rapidly expanding the number of applications and platforms out there that need to be managed by their corporate identity and access management system.

We're also seeing a very rapid expansion over the last several years of mobile devices, whether those are smartphones and now tablets and the concept of bring your own device, as well as supporting consumer devices that are connecting to corporate assets that are internet facing, and the ability for the IAM infrastructure, not only to recognize those devices, but to be able to register them and apply risk based policies to them, be able to provide context based services, such as self-service capabilities down to native applications, as well as those that have traditionally been web based integrated assets.

And last but not least the social space where we're seeing increasing demand for organizations to start to leverage identities that have been born in the social space, such as Facebook credentials, Twitter, LinkedIn, Pinterest, and a number of others. This has been specifically of interest to organizations with retail facing assets that they've been identity managing and providing them with a way to leverage and interface with the identities that their consumers have been creating and utilizing elsewhere on the web.

Very, very useful for harvesting identity information and also providing integration with protocols such as oof, for delegated authorization, where an organization can now interface with those social networks and provide a more rich user experience out to their consumer base. So the identity and access management services here are becoming more of a bridge and the IBM cloud identity services can help those clients with existing on-premise infrastructure extends that infrastructure as well to these new areas of assets out in the cloud mobile and social space.

As mentioned previously, we are seeing adoption of these types of services from anywhere in the regional smaller business area, all the way up through the global fortune 10, an example of one of our clients here with about 8.5 million users in the fortune 10 space and about 50,000 users who are union workers on an internal side, as well as the 8.5 million on an external user base are finding value in being able to bring identity and access management capabilities to both ends of their spectrum.

Those very large consumer bases of identities to require access to applications and a simplified way to access various different assets that the company is exposing on the web, as well as for internal users who need to find access to a large number of internal applications and a simplified way to self-service their own identity.

In this case, the client is seeing a simplified web and mobile experience as they've integrated the system across various different types of traditional assets as their corporate it environment, laptops and desktops, as well as to mobile assets out in the field, both with their internal employees and with their consumers. They're seeing a simplified login capability. That's allowing the user to have a much more streamlined experience, a reduced time to market.

That's enabling them to integrate more assets in a shorter amount of time, especially for organizations with a very large portfolio of assets and an agile and scalable environment that enables them to essentially turn on and off services in a relatively quick fashion as their business demands it versus a traditional approach, which requires essentially building infrastructure from scratch, planning capacity, integrating that tuning it, scaling it, et cetera.

So in this case, we're seeing a very large organization get extensive value out of incorporating a concept of cloud based identity as a service into their business, both on the consumer and on the internal user base side. For more information, you can visit us on the web IBM security out on the web on YouTube number of videos out on our YouTube channel, our blog post out of security, intelligence.com and follow us on Twitter at IBM security. Okay.

Ravi, Eric, thank you very much for that presentation. And right now I just wanna look at a few questions we have here. So what us, what do you see as the main requirements of customers for enabling their digital business? So from your perspective, what do you see as the main things they're facing? Yeah. Good question Martin. One of the big focus areas with digital identity is, is how to help our organizations improve a level of assurance that the identities are going to be what they need to run their business and expand their businesses.

And so, as Eric described, there are key scenarios where organizations want to be able to apply stronger forms of authentication to, to reach critical application areas. Being able to, even in some cases, provide delegated authorization to be able to access capabilities.

But again, the focus is on improving the level of assurance that the digital identity is going to be what the, what the identity was that, that that's gonna be used for interacting with your applications and services. Okay. What about the, or how about the adoption of this? So how far are customers on that? Is it more something which is a, a hype trend in the future? Is it something which is really happening in reality beyond the, the use cases you have shown?

We're, we're seeing this in reality today, you know, as, as I mentioned, IBM has a number of clients already on board, more than 14 million identities being managed today, all the way from, you know, your small regional clients to the global fortune 10 right now. And we're seeing a very, very large interest in, in organizations to cloud enable their, their IAM strategy.

So this doesn't necessarily mean that every organization is going through a complete rip and replace of their IAM infrastructure and moving into the cloud, but it may be in some cases, more of an incremental strategy where certain capabilities are initially extended with cloud-based infrastructure and a more strategy put in place to eventually migrate those capabilities.

This is gonna be much more the classic scenario for larger organizations who have more than a decade or so of investments in their existing IM strategy, and definitely for mid-market and SMBs where regulations have now started to more so apply pressure to them, to comply to the same standards and capabilities of their larger market brethren, those Greenfield types of deployments today, maybe going holistically straight to the cloud.

And we are seeing that more so in the mid-market and down in the SMB space where no strategy or a very loose IM strategy had previously existed, and those clients are, are jumping straight into solving that challenge with, with a strategic cloud identity based platform. Okay. Thank you. So thank you to you. Thank you to all attendees and have a nice day. Bye.