We have one person here, Jason. Good. Who is? We need some chairs. Jason is here alive, obviously.
Yeah, that mine he's from Ping Identity. And our other two panelists are joining us remotely. And that is Max Faun, head of consulting Europe with Okta, and also Dali Kilani, who is the chief technical officer for Lifen. And so I'll now get my questions. Okay. How are you? So bear with me one second. Can everybody hear me? Okay. Am I coming through? I great super Well singers while I'm logging on.
What, what did you think of John was saying in that presentation? It seems like it's, it's not something you can sum up in 20 minutes.
It's, it's a long way to go on consumer identity. Customer identity and access management is such a, I personally find it so much more exciting than workforce identity, just because of the, you know, just the stuff that you can do with customers and cust doing customer identity. Isn't just about putting a website up there and hoping that people come and buy from you.
It's, it can be so much more than that. And it can really be a differentiator for the business. We heard a lot about how customer journeys are so important and the organizations that get those customers journey, those, those customer journeys, right. Are ultimately the brands that are successful. Those that don't, you know, we just stopped buying from them and, yeah, Dang. So I had a identity crisis of my own, then I couldn't log into my own tablet, but I am in now. So Max and Dali, nice to see you online.
So maybe for those that perhaps didn't or new to this, how do, how do, how do we differentiate consumer or customer identities from traditional employee or other internal identities? What, what, what makes them different? So I'll ask Max first.
Yeah, sure. Just firstly, good to see everyone. Good to hear from everyone. I hope you can all hear me. So I think it comes down to three things.
Firstly, you know what they're accessing? Is it one or two apps or services that you've likely built for them?
You know, it's not your Office 365 or G Suite apps. It's not your Zoom instance. And then typically low friction, you know, friction kills flows. And when you are forced to use a service, that's full of friction as a customer, you'll go elsewhere. So other identities are kind of like captive audiences.
You know, your internal identity. You can give your employees, I shouldn't say this, but you can give your employees a bad experience. They're somewhat stuck with it. Yeah. Customers can just go somewhere else. Customers with the best experiences spend about 140% more than those with the worst experiences according to Harvard Business Review. So the second thing is what they're doing: revenue generating.
So like earlier, instead of signing in to access a G Suite or an SAP, they're logging in to buy something, to manage an account or their subscription, or they're using a free service whilst you advertise to them. And then lastly, how they're experiencing it.
So it's, self-service self-service user registration, email confirmation, self service account unlock. If they forget a password they're on any device and prior to registration, you likely have no idea who they are. So it's very different to other types of identities that are pre known, potentially managed devices and may have even had their accounts set up by IT in advance. Okay. And how important, Dali, is it to we yesterday? We heard in the keynotes about the onboarding of, of customers. And if you don't get it right, you're likely to, to lose that customer very quickly.
So how, like Max, I said, you can treat your employees a bit differently, but with customers, you you've gotta get them, treat them nice. So how do you, how do you do that? Absolutely. Thanks for the invite today and giving me the opportunity. So of course Lifen is a, is a player in the healthcare space.
As you can imagine, basically, a patient for example, or doctor is trying to access our platform and, and tries to self sign up any friction there, especially in the time of need, cuz when you're trying to access healthcare information, that's the time where you're probably stressed and you're actually anxious to get the access to it. Any friction, there is actually something that's gonna create a negative experience for you as a patient or even as a doctor is trying to treat a patient. So what we do to address this is we monitor very carefully, the whole flow, the whole funnel.
And we make sure that anything that comes in in the path of the user getting basically quickly access to their information. We try to get rid of it, but while maintaining a proper security context around this, because the risk profile for these accounts, Max was talking about how we can treat them from a UX perspective differently. But we're also from a risk analysis perspective. It doesn't work the same.
You're really in the, in the wild west for accounts that are outside the, the building, even though we're all talking about zero trust, we're treating, you know, the, the, the BeyondCorp type of model, but still the, the, your, your internal employees or users. You probably have an SSO, you have a, you know, a strong control over those identities, but for third party or our customers, you really don't have that much control and you have to be careful with all that. Okay. So how do you create Jason? How do you, how do you create a dedicated CIAM policy in 30 seconds? You know what?
I've got literally 30 seconds. Good more.
Well, I think, I think fundamentally you have to look, look at the two different types of identities. You've got the workforce ID, which is all about not giving the user choice because they've signed a contract, you know, they're in a role, they, they are provisioned with a particular set of accounts. Whereas customer identity has to be all about choice and it's striking the right balance between security and convenience.
So when you are looking at building policy around customer identity, you know, you, you do need to do your homework and you, you need to try and understand how your customers are going to interact with them and how you can then take as much friction as possible out of that interaction, because ultimately, you know, customers want to be delighted and you need to protect their data. If you get those two, two things, right, then you are on the way to building a good customer identity and access management service. Max, do you have any more to say on that one?
Yeah, definitely. So I completely agree, but I'm also gonna be a little bit challenging, maybe a little bit naive and say, I, I fully agree.
You know, doing that for our customers is paramount. It's unbelievably important. Why can't we apply the same thinking to our workforce? Because the experiences that we now have in one vertical, let's say myself, logging onto Amazon to do a one click order. Actually there's no log on. It's already active. When I then transition into a work context, my expectations are set.
So I think we're finding now, you know, especially with the advent of, you know, COVID of working from home digital transformations, modernization that we're seeing employees, especially younger ones expect more from corporate IT and internal use cases as they do from external use cases. And to be honest, when they can't have it to me personally, it's down to exactly what we're talking about here today. It's policy and technology. It is possible. We can't do it.
We can have Apple iPhone-like experiences of internal technology, not just logging into, let's say, you know, old school ERP systems and clonking about with VPNs, right? The world has changed. Dali, that's a very good point. Particularly, you know, younger people have got used to a, you know, a fast access world and if they can't get something and click they'll go somewhere else. So is that influencing CIAM policy within the organization? Absolutely.
We had to actually throughout the whole COVID experience and we had a remote workforce that was almost 30% of the people were actually working remotely before COVID hit, but during COVID we had a hundred percent of our workforce basically being distributed. And we realized that some of the frictions that, that 30% of the workforce was living through and basically being silent about it.
Now, everybody was experiencing it, including the CEO. So therefore you hear about it and, and therefore you had to adjust some things. We changed our, our basic policies internally. We were more permissive with certain things, but we strengthened our after the fact protection, for example. So we allowed people to connect from more places, maybe open certain things outside our VPN set up originally, but we strengthened our protections that are monitoring our anomaly detection on, on, on, on these authentication sessions.
So you have to adjust to the context and, and that's been actually a lifesaver cuz we actually gained the consumerization of IT is actually real, especially for Gen Z of course. And you know, we had to react and we had to be very responsive to that. Yeah.
One, one thing, sorry, you wanna, yeah, I, I was going, I don't disagree with anything. Anyone said I was, I was going to say, I think what we are seeing in, in COVID has been a big driver for this is there are a common set of shared services for workforce and for consumer like user self service, even to the point where, you know, I had a conversation with a prospect where they wanted to do identity proofing, something that would generally be used in a know your customer kind of scenario, but for their employees, because the employees were no longer going into the building.
So yeah, I think there is, there is overlap, but traditionally it's all about not giving a user choice. Whereas now with the demographic, that's now moving into the workforce. Absolutely. We need to deliver more. And you mentioned health earlier, but I guess the, the industries or the sectors that are most active in this obviously eCommerce or whatever it's called these days used to be called out in the nineties. So I don't know now, but online shopping, but what about more, I don't know, pedestrian industry, I don't have to sell directly customer facing.
Are they also looking at customer identity and access management as well for different reasons perhaps? Yes.
Is, is the very short answer to that. And I think what, what we, what we've certainly started to see is how manufacturers who traditionally would, would go through some kind of channel to sell their solutions are now starting to interact with their customers directly through some kind of warranty process.
So, you know, in the old days you'd fill out a card, send it back and, and you'd have warranty. That whole process is now going online. And so traditional manufacturing organizations that were more concerned about, you know, my, my value chain and, and getting raw raw goods into my factories to start manufacturing are also now having to look at well, how am I actually servicing my customers?
So yes, that has, that has been a change if that's what you meant by industrial industry. Are there any questions from our audience at this point? Any online? Okay. So the a is asking what is the panel's view of enabling desk administrators to impersonate users? Okay.
Max, did you, did you hear the question? I did, yeah. Slightly odd and very specific questions. So I'm wondering, well, what this is about. So I think it's a bad thing. I don't think anyone should be impersonating anyone at any point in time because that kind of flies in the face of what it is that zero trust is supposed to be.
You know, instead of having shared credentials, shared accounts, system accounts, it's a user who requires access for a reason that is approved for a time-boxed period of time to one specific system, not, you know, the previous old world of giving, you know, within network access to anyone that was on the network. And if I was just on the network, I could do anything I want, right. Those days are very much gone due to the advent of devices, the advent of the cloud, you know, perimeter based security.
So, you know, to think about this question maybe in a slightly different way is if you look at a very famous report, the Ponemon Institute, if anyone's ever heard of it, really good report, three times an insider breach is three times more damaging than an external breach. And you have to stop and think why is that is because the level of the access that an insider has think about this exact thing, talking about, I can impersonate you as an admin. I have your access. I can act as you, and now let's pause.
And my final comment is let's think about one massive global social media company, not the biggest one, the second biggest one that had admins that had a hack where famous people were posting, you know, send, I think it was Bitcoin to this address. That was because an admin account was breached that had the ability to impersonate user accounts. And there were no checks and balances, no audit, no, no programmatic controls within the platform.
It was just a free for, so maybe I come from more of a, you know, a, a security, you know, kind of like best, best case or, you know, how a dream state scenario. But no, I don't think that's a good idea.
I mean, I know why people would wanna do it, but it's usually due to limitations within their existing IT, that they're forced to adopt slightly strange processes to work around them. Yeah.
There, there was another social media network that I heard of that was sharing admin accounts and the password was Chuck Norris. Oh my God. That's so bad. But that was the biggest social media.
Did you, did you guys, I know that we're going a bit off topic here and I'm aware that this is on the stage, so I should be careful. Did you catch the SolarWinds fire? Right. Do you know the password for that? The password 1, 2, 3, 1 SolarWinds.
1, 2, 3. Yeah. Sorry. Dali, any comments from you? I was gonna, I was gonna mention that in certain industries where you have a, a population that you're serving, basically that is not tech friendly, your desk support, basically person needs to assist them in a way that is remote controlled, basically off a computer or impersonating a session. But what we've implemented for example, at Lifen is strong audit controls over that and consent from the user.
So the, the, the, the support person would request basically access and there's a whole protocol around it. And there, the access is actually granted for specific reasons.
All, everything is tracked, cuz again, that's how consumerization of these services actually the user at the end on the other end expects to be helped and not to be stuck with a problem. So that's where creativity around short lived sessions, short lived permissions, escalations on demand that are completely structured and actually time boxed and also time. And also well defined in, in scope are very, very critical I think, in, in this world. Okay. Was there another one?
No, no, but maybe we have a question in the audience. Oh, we do have one sorry in the audience.
No, yes, no. Jason, back to you.
So I can, I can, I can think about a use case, which is particularly important for some of our clients, which are customers calling into a call center and needing, needing help. But then of course, to Max's point and then to my other colleague's point, you know, making sure that the customer's consented to that and also making sure that the individual that's accessing the data relating to that customer, they only receive as much data as they actually need to do that job.
And I think that's one of the challenges with customer identity and access management in general is as we become more online, companies are collecting more and more data about us and how they secure that data, but not only how it's secured, but then how that data is then shared via APIs or with colleagues is, is probably even more important. Thanks a lot.
Well, thank you, Jason. And thank you to all our panelists, Max, Dali as well. And thank you for listening. I'm gonna have to wrap it up.
No, thank you very much. Thank you. Thank You. Thank.