Next up we have from the right or left. I learn, I learn slowly. We have Peter Warwick, senior strategy consultant with IC consult and his title. These are all rather cryptic titles, externalized authorization. What is it good for? You have little less than 20 minutes. I'll warn you about four minutes before time. Thank you very much. Thank
You. Yeah, your introduction was quite right. It's a bit cryptic, obviously the stuff, because external authorization is a, a hyped topic by, by Analyst for years and the market does not develop. And that was why I said, let's try to find some explanations for this very slow market development. So what are the vendors telling and some ideas, why does this not work? And then I switched during my preparation to the detective mode and I found out some things which are happening, although almost nobody knows about them and short view to this future. So external authorization means that the authorization, the access to resources in an application is not managed by the application itself. It is managed by an external application, like something based on exactly provided by Matics or, or other vendors. The idea is to centralize security questions. So to, to obtain a centralized governance and compliance through this centralization of, of access to it, resources, Sebastian war, for example, from cooking a cold says it is a cool thing because the developers of all these web applications can get rid of this crap of having to program all these role based access rules.
And two is allowed to do what in my application, because this can be handed over to the central application and the programmer does not have to care any anymore about that. And maybe it's sexy, maybe not the, the standard description language for external authorization allows to do arbitrary things based on attributes, based on rules. We just heard about context, aware, access policies. They can be done as well, but no one does the market is developing very slow. So the question is, yeah, is, is external authorization listed in, in, in the book about two thou, 1000 things of the word does not need, what do you think?
Yeah. Needs
It needs it. Okay. Needs it. But so few customers use that today. Although the, the standard was invented in, it was it's, it's almost a decade ago. So maybe something has to do with completely different thinking. You have to apply and that some of the vendors use very, yeah. Cryptic cryptic measures to explain what they're doing. So one year ago, I, when I, I saw it first time, these, these slides, I said, Hmm, what is this good for? I don't understand what's happening there
Even though I've been in the IM market or, or already for about five years. So I try to find a, an image, something which has to do with real world experiences to explain what a pep and a PDP and P I P might be. So I, I found, I found this story about the users, of course, the people in ancient times and on, on one hand side, and on the other hand side, we have the applications, for example, talking to the king about well-defined topic or sitting in a executive dinner with the king or with a Caesar or whatever, whomever on a very well defined place where it's just allowed to say very particular things. So for that, there was this ceremony master who is the policy enforcement point. He told everybody what to do and where to see it and what he's allowed to do. And the PDP was just a book where, or a role where it was listed, who is allowed to do what so nice picture, but times have changed. Now we are living in a democracy self-determination of people, is this very important for, for the people. And today we experience that political party, which fights for things like transparency and disclose everything, make everything accessible to everybody is quite successful. So is it a cultural issue that
External authorization is not accepted in the market? Maybe this is an aspect, but companies and public authorities are not democratic and they have a need commercial need or legal need to secure their assets. And they have to follow certain rules and have to enforce that. And many of the organizations today lack consistent corporate-wide policy enforcement for rules and processes. So in fact, there are many, many arguments for this idea of centralized authorization. So let's have a look what's, what's going out. What's going on out there quite interesting is that within the financial services industry, mainly banks, this is commodity since decades. There are many systems in place like at Deutsche bank. It's only whisking here, battle curl some years ago at, at European identity conference, talked about DB Lagi, which is such a system. It's an individual solution at Deutsche bank and all transactions, which are triggered by, by, by employees of Deutche bank. Retail are covered by this external authorization system
Or another example, quite new example, a new service of a it service provider in, in Germany, in the financial services area. Unfortunately, I'm not allowed to, to, to talk about the name has established a new application, which grants end users access to their it resources instead of the tax consultants. Like it was still yeah. A year ago. And they use this mechanism almost nobody knows about it, but it happens. And another interesting story, because I'm, I'm doing some consultancy for startup companies as well. And one of my, my customers is a company who, who does this since decades.
They have a, and they now try to mark bring into the market, their product with a very cool name, or which is used by several insurances and banks, which does almost the same as DB lady at, at Deutsche bank. And interesting enough is that this, this system use uses a mixture of external authorization on one hand side and user provisioning of on one hand side. Because when, when talking with Sebastian, for example, we always talked about the, the idea that people say SAP will never use an external authorization system. Yes. And that's okay. Because the authorization concept is the core competence of SAP.
I, we are sure that SAP wouldn't be so successful today if they hadn't this, they, if they did not have this very complex and, and, and rich authorization concept. So it makes sense to do provisioning to SAP systems and not to try to, to put them underneath a external authorization system. With some exception I will mention afterwards, and in this case, many, many, many banking applications and in banking, it's normal to have thousands of, of applications. They are using this so-called LA site, art banking for authorization. So there's a lot going on, but in this case, not with standard because this system is much older than the standard is another discovery. I, I don't want to, to explain all this, this graph here, toner is sitting here, the, the, the general manager of OUM. It's a very interesting thing. It's a startup located in, in bond.
And they offer an open source implementation, which is based on learnings, which arose from the B E reference implementation for a so oriented identity and access management. They did this with open source tools before and their learnings about security questions. Open questions led to the decision that they now develop their own solution, which will be available shortly. So in, in September or so. So, and very interesting, this, this reference architecture just uses Samuel for authorization, for authentication and the standard for authorization, nothing else. So the group concepts in an LD up are just considered as a subset of SAC, interesting thing, and interest also interesting that there are already customers using them, for example, police in, in Bellion Broberg and some, some, some other public institutions, so interesting to be observed, and they have a booth here as far as I know. Yeah. So the third discovery, everything, what, which happens with web single sign on for the end users, web single sign on is cool because they do not have to log in into each of these applications, but for the company, it's, it spends security and helps in, in efficiency questions. But many of our customers who, for example, take the CA side minder for web single sign on. Also use it for authorization concepts, course grain and fine grain without attributes, of course, but group based on, on base of any kind of systems. So this is something which happens as well. Although people do not talk about that publicly. So four minutes. Yeah. That's great.
So what have we learned, hopefully, what, what have we learned? External authorization is not a booming market, but it develops step by step. And there are some drivers which I, I expect to be good for the markets. This one thing is the Sowa and, and cloud-based architectures, which become more and more important, the evolution of new business models, including more and more end user interaction and customer interaction. And also what the CA colleague already mentioned, content aware, authorization concepts. So yeah, I do not have to go into detail that was already done. And yeah, of course, I invite you to discuss more details at our booth, with the colleagues of Matics and, and, and at all, for me, I found this is a, this is a quite good idea of illustrating what's, what's the idea behind external authorization, many thanks. And maybe that's a question.
Thank.
