Event Recording

Eve Maler - User-Managed Identity and Access for the Digitally Transformative Enterprise


Self-determination, decisional autonomy, privacy enablement, and meaningful choice are not just tools for customer satisfaction: They’re also tools and characteristics for identity management in the enterprise that’s ready for digital transformation. How has user-managed identity and access shaped up so far, in terms of technology, processes, and adoption? And what progress can we expect in the decade to come? Join ForgeRock innovation VP Eve Maler to learn about the exciting ride we’ll all be on — one you’ll actually enjoy, because last we checked, enterprise IT experts are people too.

So the next person to introduce, I hope she's staying a little bit off the stage here so we can play the music again. And I've known her for quite a while as XML girl, so those people actually being active in standardization know who I'm talking about. She was working with Forrester, with Sun, so a really strong striker. And now she's with ForgeRock. Please welcome. So glad you're here, Eve. Me too. Okay, for the sake of time, I'll just leave the floor directly to you.
Oh, thank you so much. Well, it's a pleasure to be here. It's a pleasure to be back, actually; it's been quite a few years. During my Forrester tenure I wasn't able to join EIC. So I wanted to talk about user-managed identity and access for the digitally transformative enterprise. First things first, I think I need to define for you all what I mean by digital transformation. Even if you are responsible for manufacturing outdoor clothing, you know, it's not all about atoms anymore. It's decidedly about bits. For example, your customers now expect you to help them track their fitness and their location, perhaps. And your supply chain partners probably want to integrate with your systems through APIs, and you probably went paperless in your IT systems a long time ago. So that's digital transformation. Now, user-managed identity and access is a phrase that I only first heard looking at the EIC agenda, and I admit to feeling a little bit flattered looking at that phrase, but I wanted to define for you what I think it means. I think thematically user-managed identity and access has to do with valuing relationships over barriers when it comes to identity and access. And I found this wonderful picture, which I think values relationships over barriers. Wait a second, that's not right at all. You guys are seeing all my notes. No, you're not. Good. I'm seeing all my notes.
So a shallow definition of what user-managed identity and access might mean is that it's about systems that enable discretionary choice in identity and access control when it comes to people, even if they're in business and employment situations. But a deep definition might be that it's about systems that enable individuals, acting entirely on their own behalf, to exercise true free choice in identity, in access control and in privacy controls when it comes to user management. So those are my definitions for the terms before we get into this. Now, there's a symbiotic relationship when it comes to user-managed identity and access and that thing we sometimes know as the extended enterprise. Now, this is my little cube for the three dimensions of what started out as an unextended enterprise.
When it came to the server side, it used to be data centers, and now sometimes it's in the cloud. When it came to the client side, it used to be managed desktops, and now oftentimes it's a personally purchased smart mobile device. And when it comes to user populations, it used to be just employees, maybe what I used to think of as the greater employee population of contractors. And now it's partners, it's employees, it's communities, it's maybe even prospects who aren't even customers yet. So now, we've had a lot of aspirations when it comes to user-managed identity and access, and I actually just made this little Wordle here, thinking up a whole bunch of phrases that a lot of us, I think, are familiar with. You know, this is sort of a modern phrase, but it started out with a lot of things that maybe some of us in this community here have worked on, you know, in the technical community.
I think, you know, we started out with things like OpenID and InfoCard, all the way through the Personal Data Ecosystem Consortium and things all the way up to, you know, things I've worked on like User-Managed Access, or UMA. In governmental projects we had things like the PRIME project, through PrimeLife, through, I think, STORK, which had elements of this, all the way up through NSTIC and IDAP. You know, we've worked on this for a really long time, haven't we? 10, 15 years plus. I mean, I remember actually starting work, this is now seven years ago, on the predecessor to my UMA work and looking at the PRIME project white papers going, oh man, they put that stuff so well, I wish I'd read that before. So I think there's been a lot of agreement about the problem spaces. In fact, the problem space, I think we're all sort of agreed on; there's a lot of overlap in the problem space. But in a way, what we've seen happen over the last 10 plus years, it didn't really turn out the way we exactly thought it would as experts in the space. Would you agree with that?
Let's take a look at what the reality has been. Here's one aspect of reality. Well, there's SAML. Did you know that you could buy this bear? You can go on CafePress and buy the SAML teddy bear. It's true. I don't own one; I just use this all the time on my slides. So we actually have, in business SaaS vendors, pretty much saturation of SAML federated identity, which is kind of cool. Another thing that we have is the social login phenomenon, at least for a lot of marketing sites, for a lot of loyalty sites, and it was popularized by, of all companies, Facebook. Who'd have thought? Another thing that we have is the OAuth consent flow that's part of that sort of social login story, sometimes with some user choice given at runtime, as you see here, oftentimes not. Another thing that we have that's built up over the last 10 years is web APIs. This is a developer portal picture of Nike, and that's been popularized by mobile and profit. Here's another thing that happened: the EU cookie directive, which has God knows what effect on actual privacy.
Just saying, I had to get that out there. Here's another thing that I think is fascinating; it doesn't get enough notice, no pun intended, I suppose, talking about notice and consent. The share paradigm, that share button, is a really interesting thing. And it's not just Google Apps for Business users; it's actually ordinary people using it. I don't know, I'm in a competitive barbershop chorus, and we use Google Docs for sharing documents about our choreography, and you hit that button and you share when you feel like it, for reasons known only to you. That's really interesting. Finally,
we have actual consumer demand for end-to-end encryption in defiance of government requests to add back doors. This was in The Register, but it was actually, you know, a US, I think, senator who said, just follow the damn US constitution, in response to the feds who wanted to disallow that end-to-end encryption, which foils their aims. So let's assess where we are given that sort of mixed picture. Well, okay, one way to observe this picture is, well, we haven't achieved the user-managed identity and access equivalent of flying cars yet, although isn't that cool? It doesn't have any means of propulsion, I would just note. But another way to observe is that we've got some green shoots, some interesting green shoots. So let's just sort of take a step back and say, okay, well, what are the good signs here?
Well, one interesting thing is we've got consent at runtime preserved as something we have to offer online users. So we've got that ensconced as a central part of a ceremony. That's actually a good thing. And by the way, that's not something anybody was sort of required to do. I don't believe that's really part of any of the privacy requirements as part of the regulatory compliance landscape; an OAuth consent flow, that's kind of drawing outside the lines. So that's kind of an amazing thing that happened all by itself. Another observation I would make is that we've got individuals choosing what persona to expose for what purpose. That happened all by itself. So that's what I would call a green shoot.
And then when you get to that, this is the sort of experience that you have once you click that share button in Google Docs. You have enterprise users most often, but also other users, creating what I think of as scope-grained policy over sensitive resources that they rightly control, in a way and at a point that feels entirely natural. It's the right point to capture their constraints on sharing. And we see that in other places too, like in Dropbox and Box, where you can say share only for this amount of time. That's actually super powerful, and it's the right way of sharing for those kinds of resources. So I consider those actual positives for user-managed identity and access. Now, on the other hand, with apologies to John Gilmore, who said some things about the net and censorship, if you recall, my colleague Alan Foster said this to me recently: the enterprise interprets access control as damage and routes around it. And all those systems, things like Google Apps' setting of policy and sharing, only make us more efficient at that. If you've noticed, it's not really easy to properly control, and have governance and auditing as an enterprise over, the way we selectively share sensitive resources in those kinds of circumstances. So that's kind of a downside.
So with that, I thought maybe I would share with you my thoughts on where we're headed with user-managed identity and access. I'll take a little bit of a longer time horizon than Kim just did. I'm gonna say in the next 10 years, given that I've just looked back on the last 10, maybe a little bit more than 10, years, based on a clear-eyed view of how we know humans and enterprises really are and what we really want and need, not what privacy and identity experts wish would happen. So I'll make three predictions. I'm gonna lay a Venn on you. You guys may have heard, I'm sometimes known as the queen of Venn; I like Venn diagrams. So this isn't actually a super new Venn, but I've been perpetrating it on some people lately. So my prediction: businesses will leverage a cornucopia of context to address what I'm calling the Venn of business drivers for identity.
So my company likes to say identity is the center of everything, and it's actually true. There's nothing you can't do that's important to business without identity, but people don't think about identity all day long. And actually, companies, given their choices, wouldn't think about identity all day long. They do identity for a reason; they don't do it for their health. In fact, they do it for one or two or three of, I would say, these reasons: protection, that is authentication, authorization, fraud protection; and/or personalization, that is user experience, customer engagement, driving more customer engagement; and/or payment or larger transaction goals. Identity helps drive some or all of these things. And as I think Kim was pretty eloquent about, we need every scrap of context we can possibly gather. We need every scrap of intelligence, threat intelligence, fraud intelligence and customer intelligence, to do a good job of all of those. So I think that in 10 years' time, we can comfortably say we're not gonna leave any of that on the table.
That's one prediction. Next prediction, maybe harking back to Patrick's presentation: I think we're gonna be ready to have business SaaS applications no longer just be relying parties on identities coming from their customers, but start to accept that their customers can be authorization providers, and they can now be authorization relying parties, so that to a certain extent, maybe not a hundred percent but significant portions, application entitlements can come from central repositories and not have to live at the edge. And the reason I feel comfortable in saying this is because the pressure is being put on those applications to get the entitlement semantics into scope form, by API pressures and by the pressures of API security and identity simplification. We see it now with OAuth. That's why I talk about scope-grained entitlements.
And finally, one more prediction that I wanna lay on you. Was anybody here in the demonstration that I did in the Kantara workshop this morning? This is a screenshot from that. So this is showing some of the early open source work for my company on OpenUMA, User-Managed Access. Final prediction: individuals, who we know in the main don't care about identity, unless it's maybe identity theft, and that's a bad thing, or privacy, 'cause they think about it as an opt-in or opt-out checkbox that they hate, will nonetheless become attracted to a data sharing paradigm that means they can centrally and conveniently control the sharing of all the stuff in their lives through a central data hub. And what you see in this example is somebody who's able to share their allergy record information from their electronic health record and their heart rate data from their implantable cardiac defibrillator with different people and organizations in their lives, to different levels of scope, as they wish, and remediate and change that access as they wish, from a single place.
And why are they gonna need to do that? And why are they gonna wanna do that? Well, in the era of web pages, they wouldn't need that. Maybe even in the era of the API economy, they wouldn't strictly need that. But in the era of files and wearables and identity attributes and connected cars, and I tell everybody this, I counted and I have 31 light bulbs in my house, they're gonna need that. I was imagining if I actually rented out my house through Airbnb and I wanted to make sure that it was possible to give out access for just two days to all my stuff in a limited fashion, the only way to do that is going to be centrally. That's the only way that it's gonna happen. Otherwise it's a nightmare. So I couldn't resist one more Venn, just in conclusion: we're in an era where we're hurtling towards the identity singularity.
That's actually a good thing for security and privacy and interoperability and simplicity. We're making progress in all these areas, but I think we need three things to make sure we actually do accelerate towards that progress. One is we have to work towards measurable trust. There's a lot of work going on in terms of trust frameworks. There's a lot of different groups, a lot of different conversations, so I urge all of you to get familiar with that work. One of the efforts going on is in the UMA group. There's another group at IETF called Vectors of Trust. Lots of different conversations going on; that needs to be solved. We need to be able to make these agreements faster. The second thing is the notion of dynamic introduction and dynamic discovery. IT needs that in a big way. And the third thing is technical agility. All the emerging technologies that we are getting more comfortable with, in the Venn of access control that Jackson was so kind to show already, do that. We cannot sacrifice that. We need to have that agility, the RESTfulness, the cleanliness, the generativity of all that technology. So with that, I'll thank you for your time and attention.
Thank you so much, Eve. I think you are absolutely right, and I believe this is the right direction to go. The information ownership concept that we see in sharing platforms is something that people start using, and the closer the devices are to them, the more they will discover this is useful. So I think this is absolutely the right direction. But the question for me is, how would you transport this into the community who develops all these things?
Ah, well, you know, we're finding a lot of interest as we talk to people about this. In fact, just here at this conference already we've had really interesting conversations. Some of it is regulatory driven. Some of it seems to be interesting as a differentiator for these companies. So I find that some of it comes from turning the tables on what consent means, but some of it is just product functionality, you know: do you wanna add a share button, and is it too hard for you to develop that functionality on your own?
So just use OAuth sharing underneath, something like that. Yeah.
Well, for example, I mean, the UMA protocol is built on OAuth, but OAuth out of the box is only there for runtime consent, which means two applications decided that they want your stuff and they need to ask you first. Whereas UMA, the term we use is actually that it's asynchronous consent. So it's a different value proposition. In fact, the share button I've found is the easiest way to convey that value proposition. And looking at health record portals is an easy way to sort of observe that some folks have already built it into their portals, for one example.
The only remaining question is what happens if people can copy that information.
That, you know, I've had that conversation a lot lately. The way it went at lunch today was: yes, information wants to be free. You could layer encryption or DRM techniques on top of such solutions. If you add enough friction to the solution that you're propagating, you're making it more attractive to not use that solution, and easier to just copy the old-fashioned way and not give somebody access to a feed of the data. Yeah. So it's a difficult balance. Yeah.
But I see, I understand the approach.
So the trick is to make it attractive to give somebody access, at your discretion, to the true feed of the data, because they get whatever the fresh value is.
Okay. Thank you very much. Thank you again.
