Dr. Frida. Who's an IBM fellow, which is a very rare title. Only very few people really get it. And so he's one of the top experts at IBM, his CTO, IBM security. And he will talk about, he meets fraud protection to establish the true trust free Alexei your time.
Thank you, Martin. Good afternoon. Folks. Martin tells me eight presentations before beer. That's a long wait man.
So first of all, great to see many of you I've been here for four or five years right now, many familiar faces. So good to see you guys back to the announcement as most of you know, we have a fairly broad portfolio in identity and access management and, and the th partnership helps us in extending that to solve some new scenarios in privilege management, especially as our customers are embarking on cloud journey with DevOps and DevOp, fairly exciting, not just that exciting in terms of integration with our IM portfolio like governance and access manager, but also what is exciting for me personally, is the opportunity to work with the rest of our portfolio. Things like our security intelligence, our fraud protection threat protection with the data protection and combining that we can address some really cool scenarios. So like Martin said, you know, feel free to stop by and happy to chat.
The topic today is somewhat related, right related in terms of adjacencies. We've talked about adjacencies a little bit in the contest of blockchain, but this is not about that. This is about, you know, how do we, how, you know, one of the advantages or at least privilege that I have is working with a large number of clients and a big portfolio. So I see a lot of integrations across different parts of the portfolio, like data and identity coming together, right? Threaten identity coming together today. I wanna focus a little bit on fraud and identity to solve a, a problem around or establishing digital trust as, as most of you are embarking on digital transformations.
So I can't see this over here, so I don't know which slide is coming on. Okay. So in terms of, in terms of, you know, transformations that most of you're driving, you pretty much know that you're driving growth, but one of the other side effect of that is that you're also driving some level of expectation from your consumers in terms of convenience, convenience, to be able to access anything from anywhere, from any, any device, which is good, which is good. But if you look at art, we are in a world of, you know, good actors versus bad actors, human beings versus bots, you know, cyber criminals versus enterprise administrators in, in such an environment we need to be careful in who do you let in and who do you let not let in? And, and it's unfair to penalize the masses just because of a few. That's where I think, you know, establishing some sort of a digital trust helps it's it's think about it as some sort of a confident scoring to say, how do I understand that this is a, a person that I know of to a certain extent so that I can then do some transaction versus something that I absolutely have no clues, hence I may want to stop the transaction right away or better yet topic for next year, deception, move them into a different area and lead them into a different way. Sorry for my digression there.
So, so how do you establish this trust? Right? Most of us in the identity and access management space have kind of grown up with these principles of something, you know, something you have and something you are, and which kind of embodies the, how do we do strong authentication, not just by providing advancements into these areas, but also by combining them now, while we, as vendors are continuing to make advancements in new techniques of authentication, guess what the cyber criminals are not waiting on the sideline. They're trying to figure out how best to circumvent those techniques. I'm not gonna necessarily go through each and every technique per se, but in a broad strokes, in a passwords is something that everybody is familiar with, right? With the amount of breaches out there with the fishing, chances are a large number of our IDs are already in the dock web.
And even if you're asked to change a password, you may change a thing here or thing there. So when they, when, when cybercriminals are going and attacking that, they're not trying to do brute force, they're doing AI. They're trying to figure out, you know, from a known password, what could be a new password? What are the patents based on not once, maybe more than once and how the password has been hacked, strong authentication mechanisms like SMS and OTP are not susceptible for some sort of a theft either, right? There are many techniques to do that. And with the growth of biometrics there's research in terms of how you can defeat biometrics too. A simple example is, you know, a model for machine learning is typically trained on some training data, right? If you introduce a distortion into that bad things can happen, right? Most people don't worry about, you know, adversary AI, which is the bad AI, which can defeat the good AI again, topic for another year. So with this landscape, how do we, how do we establish trust now in terms of
Combining these things, which is something that we have done in the past, which is okay, sure. You can rely on one mechanism that should rely on more than one. So that one plus one is potentially more than two, right? Or sometimes three factor authentication. In fact, last year I got a call from a customer to help with a critical situation. And I spent an hour on the call. I realized they were chaining five authentication mechanism for five factor authentication. I'm lost after two man, right? I mean, from a usability perspective. So you have one side of the equation that cybercriminals are getting smarter. And if you add multifactor authentication where it becomes unusable, it impacts the convenience that we talked about earlier on. So how do we do that? The answer lies in context, it's all about the context baby, right? It starts with, it starts with the user. It starts with the user in terms of who the user is, is that a machine is at the human being is at a government ID issue to that. Is that a password issue to that? Is that a, some sort of an attestation associated with that? What are the attributes associated with the user? Think of this as the subject in, in, in the geek terminology, right? So you can think about all the attributes associated with that. That provides that context.
Not just a good context. Sometimes it could be the bad context too, right? Remember the time where, when we went to a grocery store, they actually looked at a list to see if your credit card was in the bad list. Similarly, there's bad actors too. There's known fraudsters there, bad actors list as well, that are available. That one can consult. All of this provides context. Now the next one is device. Most users and identities have some sort of a device associated with them. Primary, secondary tertiary, depending upon the usage. And these devices have a lot of context context in terms of, are they compliant? Are they not compliant? Are they trusted, not compliant, not trusted. Is there malware on it or no malware, right? Is it a phone or a device issued by a known provider? Is it a prepaid versus not prepaid? Each one has a lot of set of traits in establishing that trust. And I'm just speaking mobile as an easy one, but devices could mean wearables or any, any other devices as well. Environment is a very complex one, right? This is where you have the familiarity signals as well as the risky signals, right? This is about where are you coming from? What's the IP address? What is my location? How do we then start looking at all of these different traits? And then understanding also anomalous behavior that sometimes, you know, trying to do a transaction on, on a Friday from Israel. Hmm. That's not necessarily a right thing to do. Kosher thing to do
Behavior is, is fairly popular these days in terms of how I'm using the device, whether it's a keyboard in terms of how fast I type, which keys I use more often and you know, the mouse in terms of how fast I move or how do I move it? The mobile device is a very, very, very rich source on how I use it in terms of how I hold it, how I swipe it, how I put the pressure, not just the good signals, but also bad signals in terms of, are you seeing something which is not logically possible by human beings, going from point a to all the way to the other side of the screen in less than, you know, a millisecond and behavior is not just user behavior, but is also behavior in terms of how somebody uses something. Like, for example, if I'm a clerk at a bank and I'm used to doing transactions less than 500 euros, and all of a sudden I see something that's an incorrect behavior as well. The next one is around activity, right? This is about the resource, the resource, you know, whether it's a 30 Euro transaction or a 300 Euro transaction or a 3000 Euro transaction, right? What are you trying to do? Based on that, we are able to establish the level of trust and determine the risk.
So the idea is if you combine these things, then we have a better sense of what is going on with that transaction. Let's take, for example, a simple
Digital
Journey, right? This is, this is most of you who are dealing with a online Porwal of some sort would have experienced a, a journey like this, right? You first have to discover when you discover it's,
You can, you can find, or you can get things like, are you a human being? Are you bot right? Is a user in a known fraudster list, little things like that help you, right. As you continue to build a relationship from discovering to onboarding, this is where you're assigning a mobile device to that user. You wanna make sure that the device is recognized. Is it a paid phone? We talked about it before. Is it a number? Is the address matches to the number on the device? There are services like that, which provide that information. Similar thing with email there's email reputation services. Today, as you build the journey, you can see that at every phase there's opportunities to collect more information and all the way to doing the transactions. And as you collect more and more information, you have a lot more data that you can collaborate with and you can build more trust and mind you, this has to be done in a frictionless fashion, right? The, the collection of data. And this is not a one time thing. This is a continuous thing. As you're, as you're taking the user to this journey, you're building enough information and trust to take them from an unknown state to a, to a fully known state.
So the idea is that you're, you're collecting a lot of data around these five different domains that we talked about in a, in a very seamless manner, so that it's not transparent to the user. Of course, in some cases you may have to do consent for privacy reasons, but once you do that, you are able to then provide a, a level of trust in that transaction. And if you see the transaction being extremely risky, because of some of the context variables that you're seeing, then you can elevate the level of requirements for trust. And that may then elevate the level of authentication. And it's not necessarily always bad. Sometimes you have to reward the good behavior, too. If I'm coming from a same mobile device every day, I'm not traveling and I'm accessing email reward me for that, right. Don't ask me for the same password over and over again. Instead, you know, take advantage of the familiarity signals and challenge only when you see the risky behavior. Now, this sounds all easy, right? But talking to many organizations, it's a lot of customers of ours are still struggling in general. And, and I think there's two aspects that I can probably put my finger. One is that there's no one such technology which can do it all. It's a combination of different pieces of technology that have to come together possibly from different vendors and you know, the story there, right? So that means you then embark on a project which may be a little bit complex and integration oriented.
The other thing is that you may have different personas, different personas, where you have the, typically we, we saw it persona define authentication. Now that has become a line of business, understanding how the user interaction has to work with the risk officer that's chief digital officer, they all have to come together. So what we did was we built a, a quick framework on providing that a guidance in how to go about establishing some level of digital trust.
The framework is, is fairly simplistic, but it helps in terms of providing that decoupled nature of how we can make this work within an organization. First is the assurance part assurance is about building that confidence score that we talked about based on the fact that you may not know much about that user. So while you're collecting the information in terms of how fast they're moving, cetera, you may not know everything there needs to know about that. And in some cases, you mean to consult third party systems. The second is around authentication. This audience knows quite a bit on authentication, right? One thing that I wanna highlight over here is it to be able to make it pluggable because there's no one authentication which fits all, but we need to adopt to a number of different authentication mechanisms, both evolving as well as what customers may have already adopted. The third is the insights. This is, this is the brains of the framework. This is where you're collecting the information constantly dynamically, and be able to provide that risk assessment. You're providing a holistic view of the user so that you can then determine what to do next. Now this has to be machine learn, some level of machine learning involved in it. We have to make sure that the false positive, false positives are extremely low because you want to keep the security high,
Not compromise the security, but at the same time and, and the usability or the friction very low. And the last part is the integration, which is where, which is a glue code, which brings this together in terms of taking the recommendation and enacting by calling the other pieces of the puzzle and integrating the application so that while the authentication mechanisms may change, while the risk parameters may change, while some of the vendors may change, you have locked in, or you are decreasing the cost of integration by making sure that you have consistent API to work with. So
In general, we, we think about, okay, how do we, how do we make a product out of it that, right? So typically we think about identity and access management as a foundational capabilities. This provide a lot of capabilities. And while you can do some of these things, it is important to bring the fraud capability in together because it's not just about understanding a device mapping or a trusted versus untrusted device, but it's about that research, which goes on to understand all the new malwares understand the different types of ways that attackers are, are, are falsifying information, different types of threat intelligence that maybe combined together. This is how you can keep it relatively silent in terms of risk assessment and frictionless in terms of user experience.
So with that, I think I had a couple of examples, but Martin is patiently waiting for questions. I think I do wanna leave with one thing, right? The examples I was talking about is some use cases that we've seen in the, in, in, with the cus customers, in terms of how do you minimize fraud in a new account creation? How do you go and create authentication, which is seamless and frictionless and secure, and how do you keep it continuously validated across multiple channels, especially with emerging requirements, like open banking and PST two. So with that, I will take some questions right now, Martin.
Okay. Thank you. Shridhar for your presentation. I think there's so much to talk about here. And so in the interest of time, maybe we look at whether are questions of when I moved over there. Oh, there's one, but it's okay. It's an interesting one. Aren't most of the techniques described here, a violation of GDPR short answer on a complex question.
It's it's not necessarily right. I think it's a question of, you know, taking the consent, making sure that not everything is privacy related. It's understanding information about the environment, understanding the transaction when it comes to user you're. Right. In which case you do have to get the consent and when the user chooses to you need to delete that.
Okay. Perfect. Thank you. Thank you very much for this great present.
