Event Recording

Evolution of User Centricity in Customer IAM



The transformation of the IAM landscape of a Multi Service Provider is taking shape.

Rolf Hausammann, Head of Identity and Access Management, Swisscom

Thank you for having me here. So, Evolution of User Centricity in Customer IAM: that's the topic I brought with me. It's actually my experience at Swisscom, so it's not the full picture, but still I would like to introduce Swisscom quickly. And also, Swisscom is a multi-service provider in Switzerland. What I'm gonna talk about is the scope of providing services to customers in Switzerland. Also, the group is operating internationally. We have many products such as ultra broadband or 5G, which is in can you also lower networks, which goes into IoT devices we are managing on behalf of customers. Remote working is of course a topic which has been in high demand over the last few quarters. Swisscom is the largest provider of television services to retail customers, is heavily into entertainment, movie theaters and all that, and all things connect. And in my role leading IAM and the product domain, our job is to enable that all this happens.
We are the entry portal for the digital world. We are also the entry portal for the whole sales processes and the management services. And many of our services are now consumed online. So you no longer need a dedicated device like a TV in your home. We no longer affects net telephone. You're consuming the service online, and the entry point is always IAM. And also the machine granting you the rights, what a user may do or may not do, that's our job. We set up the company kind of, it's kind of run like a small and medium enterprise company within Swisscom. This is how we run the product house for IAM. And yeah, "your identity, your access, your Swisscom world" is our mission statement. This reaches out from a retail customer that uses a free product, but has the same right to go online and receive support, up until the corporate world, wholesale and our indirect sales channels.
We actually have more indirect sales people than the Swisscom group has employees. So this is a really important branch to sell products, but also to maintain them and to support the customer as well. Well, digitalization: we're leading Swisscom into a future in which users can be reliably identified and receive personal access. This defines my day, and this defines also sometimes a bit of the night shift. Basically, underlying the whole move, customer interactions of the group are still mainly in assisted channels. So people walk into shops, they call up customer care, they have appointments with a customer representative, or they use a chat bot, which suddenly diverts back to a human. And our goal is to massively increase the online shift. And again, the first thing that you need is going online, identifying the customer and making sure this person gets to see the right data, gets the right to access the portal, the product or whatever they need.
So as an intro challenge on day one on the transformation that's been keeping me busy for a few years, I'm starting off with the trends. And if you've had the pleasure to attend all the lectures here, I'm sure you've heard of it: hybrid shift, trends, security, data privacy, it's in everybody's words. But just as an example, security: of course it's key. And we're providing security capabilities to protect our products, to protect the data of our customers. And looking into that, you know, a few years ago we discussed how many second factor types do we need, do we need to allow corporate customers to bring their own second factors? And this is all check mark, implemented. Then suddenly geofencing came up to make it a little bit secure. And then over the last few months, suddenly there were requirements like: we need a geo watchdog.
So nowadays we can control a session if you go online. And if you're using a sensitive service, we do terminate the session in real time once you go across the border. So everything comes together: those attributes, those factors, identity management, and real-time access control. Starting point, the brownfield: any company has a history. And in telecommunication, there was first the phone line, there was sometimes broadband on top. And then at one point, people wanted to manage the broadband or configure a different wireless LAN password. So a login was created on top, and this login, you know, was stuck with the product, with the product group. And there was a product group for retail, there was a product group for medium-size companies and so on. So we had all those domains. And those domains, first of all, you have functional overlap over those domains, but in between you still have gaps, and smart people identify those gaps.
And based on the project, of course, helped themselves and started to connect one stack with the other, but underlying they increased complexity. So what I didn't foresee is the change of the overall field. Acquisitions is normal: you buy a company, you acquire sales, services, that comes in. But the group change can also massively impact an IAM transformation program. And this did happen. Small and medium enterprise business is connected with corporate business. And the benefit is they can leverage each other's product and sell them again over their channels. So it's kind of a cross connect, meaning that we now need the solution which spans the full picture. Doesn't work. I would need the next slide, Richard,
Please. So the solution that we have is federated identity management. In the heart, it's the broker that creates the SSO sessions, because we want to connect our customers with all the applications that you need. On the left-hand side, you see the concept: three different types of interconnection. A customer, if it's own AD, of course you need to federate it. Nowadays it's more an AD out of the cloud, like Azure, for example. Or smaller companies, retail customers, they don't run their IDP, which is fine. We provide them with a login, and there we have several brands operating. So that's the customer-facing part. On the right-hand side, the application part. And there's the full breadth of applications within the company. Some are new, some are cloud based, some are older and if a standard way to interface. But the first really thrilling moment came when we figured out, well, the core uses unique user identification patterns.
So you do your ID, but on the right-hand side, there are seven legacy patterns, which is kind of a mix and match of attributes and it doesn't fit to anything. So we now have this new broker cut space to call product. How do we make sure that it's not, you know, becoming overcomplicated by the whole brownfield complexity around it? And the solution was to build custom adapters, where we convert those attributes into view IDs, and the lifespan of those adapters is now linked to the legacy. So the plan is, by the time you can switch off the first legacy application, we switch off the first adapter, and then the core remains pure as it shall be. So the next slide, please. Looking at the benefits that we have right now, it's on the process side, operator. We need the next slide. The click, it doesn't work.
Thank you. Process complexities, of course, down. We can onboard clients, it's fairly automated. Thank you. Fairly automated. And establishing federation means establishing trust. Step one is with the humans to sync your readys. It's a bit, you know, not an easy business. So you need to allow some time to discuss that, to get to know each other. But once the questions are cleared, we have an automated process to bring the customer on board. And the same applies to the applications nowadays, where there is a standard procedure for a modern application, standard build, to go online with the broker. The core is centralized functionality, reuses. The pro. We invest a bit more in the core, but with the benefit of it, we use it multiple times across the corporation. IT consolidation: we started off with three legacy brokers, all in those kind of siloed domains.
We now have the new one. Two of the legacy are gone. The last legacy will be gone by the end of the year. So there we can make a check mark. From an IT operation, I think we're down to roughly a third of the operation cost. And as mentioned, we have to reuse functionality. But what is most fun for me is the net present value to benefit for the customer. Because now we have the chance to go online. In the past, you needed to order an ID for an admin, and you needed to order it in several stacks. Those IDs had to be federated, manual process, prone, takes days to weeks. And nowadays it's an online form. You order it, and once it's approved, it's provisioned immediately. And this is really satisfying for the customer. And we managed to free up a whole team of administrators in our back office.
So there's also from a business side and then almost them pay back. Experience is clear: it's always the same look and feel, no matter what product, no matter where you're going. The recognition factor is there. And the opportunity side, right-hand side. What I really wanted to point out is self-service functions. In days where you need multiple factors, where you need to keep your attributes up, we have it now centralized. You do it once. And we also make sure that there is a need-to-know principle. So those attributes are not only shared with applications that they need, and in an interconnected cloud world, we don't want those attributes to go out to any supplier of a cloud service that we resell. So there is also a security-conscious point. And then trial options is fun. You know, the stacks that I mentioned, the ID functionality, that in a company like Swisscom, that you, that pop up like SROs kind of, that's my experience.
How can you make sure that it doesn't happen again? And the challenge is, there's a product manager, innovative idea. They build a prototype, they do a proof of concept. They bring on a first paying customer and then a second, and then suddenly you realize, hey, now we have a whole bunch of customers on, again, a decentralized IAM platform. The customer is unhappy because they need to reregister every user. And we are really unhappy because to solve that we need to do a migration. So the only way around this is we need to provide a trial option service which is so easy that even if you do build a prototype, it's easier to use our service, which is centrally provided, rather than using the IDP which comes in a software, or do some bricolage of their own. Even if it's just a prototype, because once the prototype is running, once it's successful, it's too late.
Basically, you know, they scale up. So now that we've done the federation management, what's our challenge now? And personally, I come out of the small business area, where I built product as a program manager. There, we had the concept to make it easy to provide self-service to the customer. But depending on the size of the company, you had so-called templates. So if I have a company of two employees, maybe I run all the IT by myself. I pay the bills, I do the administration. So I just need one user, that's me, to manage, right? But if it's a company of 20, 30 employees, probably there's someone taking care of IT, one or two people taking care of business administration, contract management, and you want to provide those rights. Now, of course there's classical role management, but if the company gets bigger, we need more roles.
So the concept that we have is, we have kind of a template where you can select how many roles there are, from one to five, depending on the size of your small to medium company. And this works exceptionally well because it in general meets the demand. It's standardized user self-service, but it doesn't scale out. Around 50 employees, knowledge workers, there's a boundary. And the concept is just too static. Now, if you look at the corporate side, there's classical provisioning of rights: full flexibility, meets the demand even of a solution client, of an outsourcing client. That's all okay. But it costs us a lot of time and money to configure that. And if you want to do recertification of users, that's just difficult to impossible, because how do you know if a person moved on, has now new responsibility in the day job? We don't. And recertification is going in that wrong direction.
So of course the obvious thing is, we would like to leverage the capability and extend those templates towards corporations and even groups, make sure that we have the user centricity. So our plan is, the first person, so that's the master admin, gets access right from Swisscom, and every other user that needs access, actually does this master user can delegate out of a collection of templates, selects the templates and then defines the head of IT, or defines the head of accounting or the head of contract management. And these people, they can once again delegate some of their rights down to their team, and so on and so on. So it's the whole self-provisioning service, and this will help us free up a lot of hours in the backend. However, if you go to corporate customers, some companies have divisions, they have different product teams or different departments.
They have different locations. And even if we have templates of up to a dozen different roles, we know we cannot meet all the requirements. So we need to have some sort of customer customization and extension. And this is basically a view on the concept. On the top left side, it's the small company, where you can choose, you know, do I want to split between business and IT, and you get about three roles: the standard user, the person uses its notebook and phone or whatever, and then you have the business person taking care of financials, the IT person taking care of the techy stuff. That's fine. Then you go into the bottom one, which is for a mid-size company. And now you have about up to a thousand roles for inventory management, for accounting, contract management. And you can split that.
And this is the structure that we are now putting into place, and we have tested it, and now it's gonna work. But the discussion and evolution is gonna happen into the custom attributes and also combination with attribute-based access management that we need. Now, still, even though it's a cool concept, we see limitations. One is, as an example, a role like a management assistant. This person is a business user, so they can order their notebooks, they can configure their phone, they can use all the services that they need. That's fine. But as an assistant, of course, they're helping someone, and they need access to maybe an inbox, maybe some share, maybe the phone, the voice recordings and so on. So we need to provision rights, but there it's difficult to find a general structure which can be reapplied and reapplied. So we still jump back to basically provision of rights.
That's one of the limitations. And the other thing that we're conscious about is, as we are rolling it out into corporates, I mean, some of those clients have thousands or more than 10,000 employees. Now, if we give someone in IT the right to provision a function, they might do so, but they might do so during peak hours, and they might click the wrong box and then un-click it and click the other one. So they have three mass provisionings in prime hours, and maybe there's a lot else going on. So we are kind of, you know, reluctant to give the functionality out to the business as such, but not doing it would be a challenge as well. So what we foresee is a workflow where you can actually request a bulk change, and it goes into the pipeline, and then a senior administrator on our end does a double check and maybe calls up asking, are you really sure, because it would mean that this office doesn't have access to this functionality anymore, or it's a mass change, or it might actually be a contract change. So this is where we stand on the overall transformation, looking into that. And of course, this is just an overlay. Below, we provision the roles fairly standard, we use for am to provision those roles. And besides role-based access management, we also have the challenges, anyone else, where do we have to go into attribute based: much of a functionality, much safer, but it's also much more intensive in terms of building and maintaining the whole stuff. So that's it for me. Thank you very much for attending.
