Event Recording

GAIN Insight

Log in and watch the full video!

In this session, Daniel Goldscheider will give an overview on GAIN, the standards behind, and use cases. 

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Never clap too soon. Actually my presentation should probably have become before next, because I was preparing something about, you know, really giving you an overview of gain. And I see so many familiar faces that maybe this is the completely wrong presentation. So if you feel along the way that you know everything I'm telling you about, please just interrupt. Feel free to ask questions. This is not a keynote. This is a relatively small setting. So I think we should take advantage of that. And rather than just me telling you about, about gain, I think insight is best. If it answers questions you actually have. So if you have a question, just ask away also, as you can see creative comments, so everything you see here, feel free to share it, use it, spread the word, do anything with it that you think is appropriate. You'll actually hear a couple of announcements tomorrow that will transcend the field of APIs. But even if we just focus on APIs and not credentials in, in the broader sense, APIs are everywhere. They're hugely important. They're now entire companies built around APIs. When you think about companies like plaid or Stripe or Edin or Twilio, those companies are essentially built around APIs. So much of the software that we use every day is really built around these APIs. So the white box here, who of you, by the way, has never played with Lego as a child. Okay? I am very sorry.
We try to use and allow you that most people would, would understand. I hope it is intuitive. Even if you haven't played with Lego, the white box, basically here, those are the apps, right? Might be a web app, might be an app on a mobile phone, might be an app on, on a desktop doesn't even matter. And what you see here below are essentially different APIs. And when you look at the direct connections, you know, if you are a developer and you want to connect to those APIs, the first thing you will do is you will take a look at the API and you will say, I have an app. I want to connect with that API, give me the developer's documentation and I'll connect. So the direct connections are really amazing for security. Why? Because they're now only two places to attack. You can basically attack the provider of the API and you can attack your app.
Nothing else. However, there is a problem and everyone who has played with Lego probably would not like to see something like that. I know my children wouldn't you need a different connector. And of course in the real world, this image is a lot more complex than this. When you look at open banking, for instance, in Germany, alone, you have over a thousand financial institutions. When you look at Europe, you have more than 5,000 financial institutions. So the record connections are great for security, but they're not always great for developers. Now, there is an alternative model. You can say, let's forget about API harmonization. It's too difficult. It will take too long. We don't need that. And that will give where to the gray level here, there are companies that do nothing more than basically take advantage of that complexity. They take advantage of the fact that we do not have standards.
And those companies basically are like, I don't know what is in the middle of a, of a cheeseburger? Is it the cheese, whatever. They're basically the middle layer here, right? They're they're getting in and they're aggregating APIs. And of course the same thing is going to do with verifiable credentials. If we can't standardize them, they're aggregators. They're basically trying to tackle the complexity you see here, and then translate that into one API, which is amazing because now as you see here, all of those connectors are exactly the same. So if you are the developer up here, that's exactly what you want to hear. That's what you want to see. You make one integration. And with that one integration, you can basically integrate with everybody. However, there is a flip side. It is not the most secure way, and it's not the best way from a privacy perspective.
Why? Well, because now you have another party to the table. Now you have someone else in the middle. It's like a good relationship. And you have two people in a relationship. And all of a sudden there is a third person. And even if that is a children, it's not child. It's not always easy, but here you have another person or another entity that at the very least will see that data in transit. But like the lawsuit with plaid shows you, sometimes these aggregators are doing more than just aggregation. Sometimes these aggregators are storing data. Sometimes they are analyzing data. So you have another point to attack if you're hostile and you are by definition, decreasing privacy. So what is gain really about what is it? What is the image that at least I have in my head, when I think about gain, well, it's this, it's a very simple image.
It's basically the simple idea that different providers could come together and could say, you know what? We don't need to merge. We're not going to become one entity. We're not going to be under the same roof we might have. As Nick told you, even different trust frameworks, we might have different jurisdictions that we operate in, but we can agree on those knobs. We can make it easier for people to integrate different APIs because all of those APIs are going to act like building blocks. I see fighter Alliance here. I see a couple of people here who work on standards every day. For those of you, nothing I say here is new. There are clear benefits to standards and we're trying to bring those benefits to APIs.
Well, if you don't subscribe to that principle, nothing I will tell you in the rest of this presentation is going to change your opinion. If you think it's a good idea, okay, let's try to standardize. Then the next logical question is, well, how do we standardize? Now? Some people are talking about gain as a standard and there is no such thing as a gain standard. The idea of gain is to build upon. What's built. There are standards already. Net is sitting here, chairman of the open ID foundation. We have open ID. Thank God Andrew. We have the fight Alliance. We have the Fido standard. We have web both N we had, we just heard an amazing new announcement that might go a little step further to killing the password. The idea of gain is not to create an organization that competes with the open ID foundation or IATF or fi Alliance, but rather to try and create a forum, a safe space for existing standardization organizations to come together and to say, is there something we can do to make those standards work together even better?
And I am super excited to see C here in the back. Who's going to join for the first time a game panel and he's representing I spirit. And I'm sure you're going to tell a little bit more about that. The idea is that it's an inclusive exercise. It is a diplomatic effort. It is an effort to reach across the aisle, not a love Fest within a standardization organization or between standardization organizations that already like each other, but rather to build bridges where no bridges exist today. So couple of the standards, probably not new to you. Of course we are looking at oof, because oof is used anywhere around the world. We're looking at FPI, we're looking at open ID connect, or rather a specific version of open ID connect called open ID connect for identity assurance, which adds metadata data that describes the identity data itself.
And I'm really excited for a panel tomorrow. You're going to hear that gain is going to become even a little more inclusive and you will hear it here tomorrow at EIC first. Now, where are we? Where have we started last year at EIC? And we had a little less than one year to prepare for this update because EIC last year happened September to have that right. So last year in September, we announced at EIC the game paper, and it was really just a paper. It was essentially 150 people coming together saying, Hey, can we do something together? And it was, we're all surprised by the fact that it was really 150 people, 154 actually, but it was just a piece of paper. Well, now it's a little more than a piece of paper. There is a game POC you might have heard about the game POC already.
We're going to announce three new members of that proof of concept tomorrow that I'm really, really excited about. And it's really trying to take those game principles and say, well, are they just words? Or can we actually do something? Is this really possible? Can someone like bank ID come together with someone like secure key in Canada with someone like MOIP in India and harmonize APIs, to the extent that a developer can make one integration and receive data from all of these data sources as if they were one. So we're very excited about the game POC. There is also a series of round tables that is happening every Monday at known UTC. And those round tables are rather unimaginatively coined gain two at the moment, and maybe we find a better, a better term for them. And this is really designed to take the gain principles of corporation and apply them, not just to identity, but to account information and to payment initiation.
Can we do that for open banking and eventually while maybe we can do that for any sort of API and any sort of credential next step is that the game POC is going to go live this year. And we're really excited about that. And you probably hear a little bit more about that at the next Taron is nodding. You're going to hear a little bit more about that at the next panel. And then we're going to launch a little more information on what we're going to do with gain two. And if you're interested in open banking, if you're interested in reaching across the aisle in trying to build bridges, please do speak with any one of us here. And we would be thrilled to find new partners and members for the gain POC to work with new standardization organizations, to join the spirit of gain and to work together under a master liaison agreement.
If you have use cases on the provider side, on the receiving side, please do reach out. We are looking for you. Gain is only a headline unless we fill it with life. And we actually turn that idea of global interoperability and global corporation into something more. There is just one more thing I wanted to tell you, and then maybe, I don't know if we have time and if you have questions one last, sorry, we have five minutes, five minutes. Perfect. So I hope you do have questions. Otherwise you will gain five minutes for a coffee this past couple of weeks have not been easy for me. And I assume they have not been easy for many of you. The fact that we have war in Europe, the fact that, you know, we've spoken to people in Russia about standardization and about how to embrace these principles to work together, to come together. The fact that the world seems more and more polarized. That fact makes this project really personal to me because at the very end, this is not just about digital identity or just about open banking or just about any API. This is about whether or not we are trying to build bridges. And in a digital world, digital bridges are critical infrastructure. I think we have an opportunity to do something here that plays at least a small role in bringing the world together and preventing the world from drifting further apart.
Thank you very much. Any, any questions, any insight you would like to have Gail
That we needed for the virtual?
Can you talk a little bit about governments and governments participating in such an effort?
Not officially. So yes, governments. So of course, what we, I think what we can say is that when you are trying to bridge gaps, ideally you bridge them across countries, across companies, across standardization organizations and across use cases, but you also bridge them from the private sector to the public sector. We've seen a couple of attempts that go really, really well. And in most cases, they are helped by the fact that countries and companies are coming together and are building infrastructure together. Again, I want to plug the next panel right after that. See, I'm sure you can talk about something about the, the corporation between the private sector and the public sector. And we are very much trying to reach out to governments as well. And we hope to have a couple of, of concrete announcements in the not too distant future. And that is of course also true.
You know, GAE can tell you more about ISO MDL, the mobile driver's license standard. And I think this is another area where you see that interoperability is so critical, right? I can take my physical driver's license and I can go to Bangalore or to Paris or to Guam. And they will probably rent the car to me, losing that ability in a digital world would really be tragic. And I think that is true for, for everything we are, we are doing here. And I want to shamelessly plug also the panel tomorrow at 1130 or 1230. I think if you 1130, if you're still here, please do come to this panel because we have, I think, 10 panelists,
Biggest biggest panel ever. And we see this as a, hopefully an optimistic closing statement at EIC that will bring a lot of what you heard over those really packed four days together.
I don't see any, we have one right here. Have one more question. So in your view, how, how this trusted framework can be decided is for example, by whom or how, or by which organization, or is this, you know, like a C certificates? Have you ever thought about that?
Yes. Thank you for, for the question. And I think it's a very good one. So first of all, we believe that it should not be any one company and maybe it should not be any one organization either. So part of the idea of gain is very deliberately to not attempt to create a new nonprofit. There is no chairman of the board of game. There is no secretary. There is no one who can ask $50,000 of Microsoft or Google or any other company in exchange of a board seat, because there is no board. Our hope is that ideally we are able to create a forum of standardization organizations to come together and agree together how this is working. And these standardization organizations will be the ones to determine whether they need more structure and how that structure should look like. My hope is that we can be as pragmatic as possible because every new organization you create is going to create a little bit of friction as well. Thank you very much. If you have any question, please come see any one of the, any one of us or the 155 coauthors.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Unify Identity and Security to Block Identity-Based Cyber Attacks

Join security and identity experts from KuppingerCole Analysts and ARCON as they discuss the importance of securing enterprise credentials, explain why a unified identity security approach in line with Zero Trust principles improve security and efficiency, and describe how to combine…

Analyst Chat

Analyst Chat #152: How to Measure a Market

Research Analyst Marina Iantorno works on determining market sizing data as a service for vendors, service providers, but especially for investors. She joins Matthias to explain key terms and metrics and how this information can be leveraged for a variety of decision-making processes.

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

Event Recording

Effects of Malware Hunting in Cloud Environments

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00