Event Recording

Panel | B2B IAM


So we go directly ahead with another panel, and we were talking about B2B IAM. We have two panelists additionally on stage. Please welcome Richard Bird and Johann from WSO2. So welcome. And maybe we do a brief introduction, just in case people don't know you yet.
Yeah. Hi, my name is Johann Nallathamby. I'm a director of solutions architecture at WSO2. I've been with the company for more than 10 years, predominantly working with CIAM-related solutions with our customers.
And I'm Richard Bird. I have spent 20-plus years on the corporate side. One of the big things that I did that helped me understand identity was that I formed the first centralized identity-as-a-service function within any large bank in the world, at JP Morgan Chase, to be organized under information security. So I took identity from the Microsoft engineers back in the day. But I've spent the last five or six years on the solution side of the equation, just came off of three years with Ping Identity, and moved to SecZetta to focus on identities that fall outside of CIAM as well as workforce platforms. And I'm having a great time.
Thanks and welcome. So B2B identities are challenging because there are so many ways to manage them, and we will have a look at that with you. And you have, let's say, also a different scope in terms of B2B IAM. Maybe let's start with a question: from your point of view, what are the main differences between B2C and B2B when it comes to IAM?
Yeah, so I would like to start answering that by first explaining the different types of B2B identities, because I see there are multiple types. First of all, we have the partners, right? The partners are, for example, your agents, brokers, distributors. These are external identities, but the important thing about partners is they don't really need access to internal systems. So they're completely external, and their requirements are pretty much similar to the typical customer IAM requirements. That is one type. The second type is your enterprise customers. If you're selling products or services to other businesses, the identities in those organizations become B2B identities. The third type is, of course, what I would call the identities in your supply chain, like your contractors, consultants, and other vendors who will need access to your internal systems.
So they pose more risk than the other two, and their requirements are slightly different as well. So these are the three types of identities, but in a broad sense there are some common requirements for B2B identity management. Comparing it with B2C, I would say in B2C the organization is directly dealing with and managing end consumers, whereas in B2B you can have multiple levels of intermediate organizations through which you work with the end consumer. So the concept of organizations should be recognized as a first-class entity in B2B IAM. And also the first business, the service provider, may not know the internals of the particular organization. So typically they manage these organizations at a partner level or an organization level, and they give delegated administration rights to somebody within that organization to manage the individual users. It may be the consumers, or it may be the employees, depending on what the business is. So that is, I think, the main characteristic of B2B compared with B2C.
Well, I think I might have a different perspective on that. I was a CISO in 2015 with Mettler Toledo and gr and sea, and in my business-to-business relationships I did have partners that needed core system access. I had 16,000 calibrators in the field for analytical scales that cost a million dollars apiece, and they needed access to all of the weights and balances tables that were proprietary to Mettler. You can understand there are only a couple of major analytical scale makers in the world, so it was very confidential and very proprietary information. And in the comparison of B2B to B2C, the issue is that B2C is much like workforce in that it's linear. You have a relationship with a customer or with an employee that is defined by their onboarding, defined by their life cycle, defined by the activities and transactions that they can do. In B2B it's nonlinear. Companies, especially large companies,
change their partners all the time. Within those partners you have tiers of risk that extend based on accesses that are accesses of accesses. So I have a partner, but that partner is using contractors from an agency. So now we're into the third tier of third-party risk, and that agency has a subcontractor. Now we're in the fourth tier, and all of those people need administrative rights or delegation of access. And I've worked with companies now that have as many as 20 tiers of those relationships. There's nothing like that in business-to-consumer. So the landscape of B2B identity is really being evaluated and looked at with a different lens these days, as compared to trying to manage it through our traditional identity solutions.
I want to pick up on something you said there too about onboarding. I think CIAM and enterprise IAM are usually totally different things, because from the onboarding perspective, consumers come to you however they want; you don't have a lot of control over that. If you're running a business and you're hiring employees, you've got an HR department; they handle all the verification for I-9 or other government agencies. You can make them give up information. You have a right to process that information because of the employment relationship. On the consumer side, none of that really exists until you collect the consent. You don't have any control over... well, maybe you do have control over registration methods, but you're going to miss out on consumers if you don't offer a wide variety of registration processes and a wide variety of authentication types.
Again, if you're running a business and you've got sensitive intellectual property, you can mandate what's required to get access to that. On the consumer side it's not really... I mean, there's some access management, but it's completely different than trying to protect the crown jewels of your company. There may be delegated administration models for family management in consumer; we've seen a lot of enterprise IAM companies try to model that with their delegated administration capabilities, but it doesn't necessarily make a good fit for real business-to-consumer kinds of use cases. So I think B2C and B2B IAM have evolved to the point where it would be difficult to satisfy all of it with a single facing platform.
So thanks for those insights. It's interesting to see that there are different flavors, different approaches, different scopes. What would you say is to be considered in terms of process design and risk management when it comes to the implementation of B2B IAM in that case?
I'll take that first, because I think business-to-business has been, and business-to-business-to-consumer, let's make sure we... the gig economy has opened up things like Uber, which are not like a partner use case; they're very different constructs, and each industry and each kind of transaction flow associated with B2B access really takes on the characteristics of the company's type of business. So when we look at all of this differentiation, one of the things that's very, very clear is that a large percentage of the operating world for B2B access, and I hope I don't offend anybody, is still using Active Directory on the other side of the DMZ to provide an account to somebody in another company. It might be that one somebody, or in my case, when I was at Mettler, it might be 34 somebodies that were actually using that account.
And I've got no visibility into any of those, because I'm not the boss of those people. And obviously in the case of the 34 that I found, I dug into it forensically, because I had had an issue with an exploit, and we found out that that risk was manifesting through that partner. So I would say when we look at B2B access, it very much is a risk-bound exercise. There are partners that represent no threat to you; you really don't want to put in all of the controls and the features necessary to manage a very low-threat, low-risk partner. But there are lots of companies that are realizing that the partners they thought were low risk are no longer low risk anymore, probably most recently because of the propagation of ransomware, with a partner as the connection point, and that ransomware then propagates into your network. And so now all these former low-risk business-to-business partners are at least as risky and possibly more risky than other partners that you've been working with in your network. So risk is extremely important and extremely applicable in the B2B use case. But I think it's important to call out that there are not a whole lot of security organizations that focus on that risk as a part of their operations today. So this is going to be a very, very important and dynamic landscape over the next few years as it evolves.
Yeah. I think, as Mr. Bird also said, external organizations have a certain level of risk, and then we also have to acknowledge that the individuals within that organization also have risk. But businesses are ready to accept risk in return for certain things. So I think that's where, as a combination of the organization risk and the individual risk, you need to weigh that. And based on the risk, you can design certain workflows that will allow you to accept those risks with certain criteria. So if the risk is too high, you can maybe put it up for approval with your security team; if the risk is medium, you can maybe put it to the line of business; and if the risk is low, you can accept it by yourself with some exception rule. And periodically revalidate those risks as well. So that's what I feel.
Thank you, Johann. Good aspects from that.
Well, risk is one of those words that people throw around like we really understand it. If there's a case where there's an account with 34 possible users of it, people go, yeah, I'll accept that risk. Well, do you know what you're really accepting there? Probably not.
Well, I'd like to piggyback on John's comment, and it's been a while (I think it was Munich the last time we sat on a panel together), but I'm actually, for the third time, rereading The Black Swan. And if you haven't, and you really want to understand the dimensions of the gaps and the issues with risk management and risk scoring, risk in the aggregate, go out and reread it, because reading it now for the third time has really changed my mind given the last couple of years of issues. The main point that he makes is that we continuously try to predict bad things happening from information that we know, and it's actually in the information that we don't know where all our risk lies. And it's absolutely true that we have an entire construct around business-to-business access that has been built on enabling the unknown. Those 34 people that were using the same account: in my case, I didn't know any of them. I had no context for any of them. So yeah, your point about risk is well made.
Especially if we have a look at B2B2C, the topic is that organizations dramatically increase the number of insiders, and that's also a topic we must consider.
I'll take it. Yeah, it's really interesting. A number of years ago, when I first started speaking and doing the things that I do, in the public sector, I had a presentation that was called "There Are No More Outsiders", and that's really come to materialize in the last year or so, especially during COVID with remote work. Once somebody is in your system, they're no longer an outsider. They are an insider; it doesn't matter if they work for you. We tend to try and differentiate based upon liability protection and contracts or agreements between parties, and none of that matters. If we actually look at the history of the last three or four years, major catastrophic breaches, every single one of them was executed by a contractor. In the case of the AWS and Capital One breach, it was executed by a contractor that was no longer on a contract but still had access via a VPN credential that they shouldn't have had. So this world of no more outsiders is really not yet registering, because you have general counsels that are relying on contracts for indemnity. You have cyber insurance policies that are now maybe paying out 30 cents on the dollar, maybe a zero payout, after they do their forensics. So this notion of everybody as an insider, once they're inside of your systems, really has to be a part of your architectural and design thinking around business-to-business access.
Yeah. I think a lot of the noteworthy attacks over the last couple of years have involved members of what we've been calling the IT supply chain. And like you said, outsiders are not really outsiders. Another observation is with accepting risk: sometimes executives may think, well, we've covered that in contract, like legal terms are going to protect you from a data breach or loss of your intellectual property. Once that stuff goes out the virtual door on the wire, if it's a trade secret or something, then you can't really recover that. How do you quantify what that loss really cost you?
Yeah. And another thing I tend to see is that when you compare these partner identities with B2C or employee identities, there's a tendency to have duplicate identities as well, more duplicate identities, because they kind of come into your organization through different channels: different teams, different applications, through different vendors, different organizations. So there's a tendency for duplication as well. So I think at some point organizations also need to think about consolidation of these identities so that they can reduce the risk of having multiple accounts, and sometimes some of them becoming dormant accounts. So that's also another thing.
Thank you. There's a question that just came from the audience, and maybe we use the last two minutes to answer that question. What do you think of single versus different apps based on region for B2B or B2C?
Hmm.
Can you repeat that? Single versus what?
Single versus different apps based on region for B2B or B2C, probably based on scope: B2B, B2C.
Yeah. So the unfortunate reality is that we can't solve for identity issues in general by introducing more complexity. We've actually had a bad history over the last 30 years of continuously adding more complexity to try and manage control issues. So a great example, actually a timely answer based upon some conversations that I had yesterday: think about this notion of identity proofing and legal entity proofing against your partner base or your B2B access. Well, you could try and break that down by region and location. But the reality is that there are many regions and locations where identity proofing is illegal, or it is not managed by commercial enterprises; it's managed by a large government entity. And so, by adding in those additional layers of complexity, you're not going to be able to achieve the type of differentiation that's necessary to be able to manage holistically. Back to your point about needing to understand and know all of these identities: if you start to fragment them, you have less and less probability that you're going to be able to accomplish that.
Thank you very much. And we are perfectly on time. Great. Thanks a lot for the discussion and for the insights.