Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Let's go ahead over here. I just want to introduce these three gentlemen, who've come up to join you who have a, an interesting common thread and that's all of them at one time or another were part of the Burton Group, the late lamented analyst firm from Utah, which put on the Catalyst conference and that's Craig Burton.
Of course, who founded it, is now a distinguished consultant with KuppingerCole; Jerry Gable, who now is with Axiomatics; and Mike wan, who is now with Oracle. And of course our own Martin Kuppinger. Take it away. Yeah. Active one. I'm the one who's never been, has never been at the Burton Group. So Utah. Yeah. Yeah. The whole topic going over here. Okay. I think that's probably to the issue here. So we wanna spend some, some 15 minutes on talking a little bit about the future of IAM, sort of every one of us giving sort of one bold statement there, and then have some discussion about this.
And I just wanna directly dive into this and okay, Craig, your statement you sent over to me says the API economy goes mainstream. What is your sort of one minute pitch on that?
Well, we've seen recently all this activity, I mean, MuleSoft gets acquired, Computer Associates buys Layer 7. What, what mash Intel gets purchased by mastery?
This, this gap between providing the API and consuming the API and the management software that's in the middle is being catapulted into an area of importance that I think is just going to increase. Okay. So that's that. Jerry, your statement exactly is not that, but it's the future for access control in the API economy? Yeah. I'm not sure. I was sure that you would say it's not that. Right, but I'm not sure what it is about the analysts these days. It seems like there's an annual yearning to pronounce something dead. Yeah.
You know, sometime, sometime ago, all of a sudden, everything is 2.0, right, now it's everything is dead. And I maybe sometimes, so maybe for, for a while I think I was the industry coroner, cuz I pronounced so many things dead. Right. Remember this? And so the LDAP thing, I think anyway, that was actually, you sort of accused me of that. I think I remember correctly. I think you were misquoted in that case. That's okay.
But, but, but, but maybe explain what your point on this is. Well, and following on what Craig has been talking a lot lately about the API economy, APIs are the latest kind of resource that customers expect us to manage access to, along with, you know, data resources, web resources, web services, and so on. So what's interesting is that in the OASIS technical committee we've been working, my colleagues and, and others in the industry, on a REST profile, a JSON profile, to make this heavyweight XML policy language and encoding format much more usable.
So it's right in line with the move toward APIs for exposing data and functions via APIs. Now this is just another resource that can be protected under your dynamic authorization umbrella. And we need something which relies on business rules in a central way. So my statement is access control takes risk and context into account, not only for authentication but authorization. I think that's a very important point. A lot of things are said about around adaptive authentication or risk-based authentication, but that's only the first part of your journey.
So saying, okay, you are allowed to go in or not, based on this context, is one thing. Then deciding about, okay, you are allowed to do this transaction up to this limit because the context is this or that, is another story that tightly relates again to the dynamic authorization management stuff. That's true and exactly more. And I think, you know, these things are very close together and the more we do around API economy, the more important it gets. Before we start through the discussion, Mike, you've brought in this one. I'm starting to see a need for just-in-time identities.
It's an extreme form of bring your own identity, bring your own token kind of capability. I think in the past, we've been able to separate pretty cleanly between access management and governance and, and provisioning and that sort of thing.
And the, and the provisioning stuff was always a background process. As we think about what's happening with cloud now though, that's that convenience is sort of going away. We need things to be in fact, in the, in the governance and provisioning side to be much more timely. And it doesn't make sense to be, you know, trying to keep track of a hundred thousand accounts in every cloud service and hoping thinking that somebody might show up and use one of these accounts.
Eventually we need, we need a better model essentially when we, we go to cloud and it fits in what I think you said as well about, about, I think it resonates very well with also what, what Jerry said around dynamic authorization management. So if, if you have just-in-time identities, you just can't provision an ACL to a lot of systems anymore. You have to find another way, which relies on something you do at run time. Isn't it?
Yeah, that's very true. We see this a lot in government-to-citizen kind of scenarios where they don't want to manage a hundred million or 300 million users. Right. They want to be able to deal with an unknown identity based on some other kind of metadata or attributes.
Yeah, Craig, I was just thinking about the XACML thing and what you said. And I, it's so out of alignment with the way it was designed that I'm willing to bet that we'll never see a production product that has XACML in its current state in it. It's gotta change.
Well, it is changing, you know, and it always, I mean, it will continue to change as long as there is that demand for dynamic access control systems. Yeah. On the other hand, I think that's, I've written my blog. I think it's just been posted yesterday. I think we shouldn't underestimate one thing. We need a standard, which separates the applications from the authorization management system. Because if we work against sort of proprietary APIs of a vendor of, or of the, the product we are, we are working against, then this will become a nightmare in management.
So we need something as sort of standardized interfaces for doing the, because these applications will live 30 years, 40 years, 50 years, and we have to support it through all the time. So a standard is mandatory. That's true. And what you said Martin, about having a rule based language to deal with those authorizations.
I mean, that's what it allows you to be more in alignment with the business rules that you're trying to enforce. So you need some kind of policy or rule based language to support that as well.
But, but going in on what Craig was saying, which I think was somewhat inflammatory, which, which, which is, which is fantastic because I noticed when I got up here, there's three of us, but there's only two microphones. I know. So because, but, but if you think about the API economy, like you're talking about emerging, there's not one application per se, it's out there like there's, there's a, there's a set of services that are sort of being consumed in the context of a particular transaction.
Let's say so how, so Jerry, I guess my question would be then with XACML being what it is, how, how does XACML enable authorization across a chain like that? A set of methods. Yeah. Is there anything you want to add to that?
Well, I, it's a set of methods being called by REST interface. Yeah. Yeah.
So, right. So they're just another resource that can be protected. And what really matters is having a policy based on who can execute what particular method of a set of APIs. That's no different than specific methods within a set of web services or other kinds of applications. Yeah. And it has to be done in context and it has to be done dynamically. And I like this just-in-time identities, because I think that's really one of these interesting challenges we are, we are facing today.
That's a discussion or a point I, I see, I observe in a lot of projects where it's about, on one hand, you, you federate in some people, on the other hand, it's about self-registration stuff, et cetera. How do you enable really masses of people to come in? Or via social logins. How do you transform these people to higher level sort of accounts once they become your customer, et cetera. And I think that's, this is really a, a very challenging area there and given.
So, so I think if, if you would start the other way around, so we started with the API economy and ended at the just-in-time identities. If you start the other way around, we have to need to deal with just-in-time identities to become far more flexible in that. And that means the other, all the other things need to become far more dynamic than they are today. So if you read it the other way around, it makes sense as well.
And I'd add not just in time, but automatable, I not only gotta, I need to be able to generate them and have them be usable, but I've gotta be able to put 'em in code just as they're generated. Yeah.
I, I think, I think of a couple things on this topic and thanks for bringing up again. I, I, for one thing, I, I think that the methods that we have tried before for just in time include, you know, SAML assertions and we're, you know, we'll, we'll fix that, that assumes that there's an asserter out there that can sort of make things happen for you that, you know, and everything's gonna be in a nice, neat SAML token that you trust and all that. Yeah.
And, and that model works. Okay.
But not, not for as many connections as we need for one thing. Like we, you know, we thousands and thousands of connections, like literally yeah. Millions in anyway, but the point being, I, I, so one thing I liked about the way OpenID approached identity was that the, the, the person's identity is actually a URL. Right now, it sucks for logging in, I don't know if you've ever tried it, but cuz you have to type in a or something and it's just an act of weirdness. Right.
But the, but it is cool to be able to say my, my identity exists in the addressable internet somewhere and I can, and I can somehow point to it's in the cloud somewhere and I can point to that and I can bring it with me and I can say, you know, here's my stuff. You can go, you, you don't know me yet, but you know this, you can go find it. So I think there's something to that model that is a little bit better than just the classic. Okay. You have to set up a federated connection first and then I'm gonna send you a SAML token that has all the information in it you need to construct an identity.
And that's what, so I, I guess I'm just, I'm just trying to say, we do have methods for getting closer to a just-in-time identity because there's permanent things out on the internet, but we still, I think, have a ways to go. Sure.
Well, there might be a couple people in the audience that think X IDs are the way to, to do that. But I think beyond the, the technology, I, I sense that there's still some tension in the business area that each property or each franchise on the internet, they still want to own these identities or the, and what they think of is they wanna own the credential. Right. Because they want you to be logging in there first. So I think there's still, They want to own it, but they don't necessarily wanna pay for it.
It's it's, it's, it's pretty expensive, especially when these are not your direct employees. Right.
So, Right, right. But I think there's this misalignment, like you were saying earlier Martin, about what the business view of the, of what needs to happen is versus the whatever technologies that we can support that, that, you know, our side of the industry comes up with. Yeah.
Well, what we see is companies like both salesforce.com and Microsoft doing identity management as a service that does federation and all this just-in-time identity creation and, and doesn't look to have you as their customer to do it. They're, they're custodians rather than selling your information.
Whereas, you know, Facebook and Google. Yeah. They want your credential cuz they're selling it. Yeah. I think it's their business model.
If I, if I take our, our very short discussion here and those things, we, we we've exchanged on those things you brought up, it looks like we are, we are currently at the beginning of a very fundamental shift, again, not only in identity, but the way identity affects all those things we can do in the internet and in the cloud, because it's really with these things, just-in-time identities, context, and dynamic authorization management and the API economy, it really enables us to do things fundamentally different and fundamentally better than we did it before.
And it's probably, we are just at the very beginning, but it looks like also, if you look at some of the things it's just about things have matured. We have learned a lot of lessons around federation and things are moving to the next level. Isn't it? We see that a lot, you know, and the challenge for IT organizations is to keep up with that speed of change because the, the business side of most organizations are changing much faster than, than IT is capable even today. Yeah. But these technologies and these things we've talked about will help IT to keep the speed.
So I think we are running out of time. Thank you for this information I hand over today.
Again, Thank you Martin. And thank you, Jerry and Craig and Mike for a wonderful presentation. And you noticed they weren't able to get into a whole lot of depth on these topics, but I guarantee you that all of them will be explored in much more depth over the next couple of days. Just check the agenda and, and plan your schedule accordingly.