We continue here with the identity governance and administration track, where we were this morning, this afternoon, I'm joined by my colleague Paul Fisher, and we'll be guiding you through the afternoon and hoping to keep things on track and keeping the panelists and other participants on the straighten their own. The, the focus this afternoon is on workforce IAM and we're starting with a panel entitled turning distributed workforce challenges into productivity gains customer identity and access management has taught us something about reducing friction in the way that customers access and consume our services, but to add value to the relationship. But in this panel, we're gonna look at applying C I a M to the learnings, to workforce identity. So I'd like our panelists to just introduce themselves, say which organization they're representing and maybe just an opening statement on, on the today's topic.
Yeah. Wonderful. So let me start. My name is Sebastian I'm co-founder of umbrella associates. I've been a former copy, a call employee back in the day when this all started. So I'm really glad and happy to be back after a few years of being absent. And I think that the course sings that we can actually take from the cm world to the workforce identity management world is the ease of granting access. The usability aspects that we see as a mandatory component of cm. And we're still lacking that in the IGA world, I think.
Hello, I'm Ron bam. I'm working in identity management project since many years as architect implementer and getting my hands dirty in, in the code. And I'm also co-founder of associates. And I would say, we can think we can learn from cm projects or SIM approaches the fresh and new technology, which evolved in the last couple years.
My John, everybody, my name is Victor. Be I work as a principal architect of zero, a product unit of Okta. I have to use this voice every time I say it. And I've been working in this space for a couple of decades. My personal mission is to make a identity productive for developers, whatever that means, depending on the year. And I have no opening statement because otherwise what's the fun. I don't want to steal my own thunder.
Okay. So I'll steal the thunder. So I'm Alan Foster up until the end of last year. I was chief evangelist of for rock now, I guess I'm just chief evangelist and I'm doing it for myself, but the I've been in. Yes, it's true. It's true. I'm now unemployed. No, well, I'm keeping, I'm keeping busy, but nevertheless, still deeply involved in identity being involved in identity for, for well over two decades now. And I think as we sort of dive into this to me, the big thing to take away is that the difference between customers or consumers and employees are getting smaller and smaller almost to the point that we don't there is no difference anymore.
Okay. So if we look at CIM, what, what are the principles that we've kind of applied there and learned there that that can and should be applied now more universally across the workspace workforce?
Who are you asking somehow? I felt you were looking at me. So you're gonna
You're you looked keen Victoria to
Discuss. I think that the, the biggest contribution with cm has been having for the workforce workloads is the fact that in the cm world, usability is a matter of potential extinction events. Let's say that if your system is hard to use, people will walk and your company will flounder. Whereas you can abuse your employees at least a little and ask them to jump for hoops. And, but that's not very productive. And so the evolutionary pressure that the forced CIM solutions to still maintain an acceptable level of security, because of course you've got to, but at the same time, cater to the needs of people that are busy, that are not very deep in the authentication space. We don't want to save experience of authenticating. We just want this thing out of the way and the technologies that we developed for having adaptive, MFA, continuous authentication, risk management transport pretty well also in the context of a workforce that now can work from anywhere from home, from the coffee shop in Singapore. And we can maintain the level of, of security that we want to have, and at the same time, lower friction so that our, our employees can be productive. So we basically, we are reusing this thing in the same way in which we ramps were designed for people on wheelchairs. And now you can use it with trolleys, like infrastructure is there. We can use it for more than one use.
So I guess that's to your point a, is that, that kind of, it's all about usability and getting, getting the use of improving security and the user experience at the same time, rather than compromising one on the, on the other.
Yeah. And I, and I think it also highlights the fact that we can no longer rely on the sort of crutch of security in terms of, oh, well, we're all behind the firewall. We are fine right now, your average admin is sitting in a Starbucks on an iPad accessing Dropbox, which looks a whole lot like an average customer. And so we've actually gotta be a little bit more careful about what do we mean by security, be actual cognizant of the identities and what the privilege are for those identities.
I'd like to add the, the development integration aspect here, because we told, you said naturally developer, because that's, that's an important thing here for the cm side. But if you, if you just roll back like 15, 20 years, the complexity of integrating an IGA or, or back then normal identity management solution to the target applications was actually the interfacing. So there were people that were business analysts who were supposed to get all the nitty gritty roles and profiles, whatever was defined in an application that was created somewhere else by people who never met the guy who now needs to define the implementation integration between the identity management and the target system. And I, I guess what we could actually take over from the cm side is that we get those two closer to, to, to each other and actually get away from the, the paradigm that we need to put an identity into an account and provision that to the application and set the entitlements in that application. Just like we've seen yesterday with OPA and star receiving the award. I think that is something that should definitely have an impact to the, let's say on-prem workforce world two and those applications. And I just hope that we will see that well, making the need for those connectors go away just by keeping the identity or the account in a more centralized location and also abstracting the access entitlements and the authorization to, to somewhere else. So we don't need to do provisioning anymore that at least from my point, just per view will brigade.
Okay. So we've talked a bit about improving the user experience and improving security, but you know, for years we've been talking about security as an, a business enabler. I just love this. It's always kind of vague wooly, and nobody can actually point me to, to what it, what it means. So in this context, I mean how by applying this kind of approach to, to identity and access management, are you benefiting the business? How, you know, how can you sell it to the business and say, look, this is the way we should be implementing identity and access management because it it's going to help the business in the following ways. So what's the business case for going for more user-centric approach
Where you asking Alan,
Okay, I'll jump in on it. So I, I think that the, I mean, first of all, our employees are consumers, right? So we are all used to what that experience is like when we are dealing as a consumer. And so when we go to work, we're expecting the same kind of experience, the same kind of behavior that we have at work. And we have done a lot of work in the consumer space to try and do security behind the scenes, rather than putting security, right? Bang smack in your face. We are doing things like adaptive and context aware and things like that that makes the experience better. And a, a better experience is simply better for the workforce, right? If you can get job, the job done, even down to simple little things like physical access or physical requirements, right. Having to go into the office to pick up your ID card and then having to schedule to go into the office to pick up your ID card, using your ID card to schedule, right. Which, which I'm sure every single one of us have been through this situation. We haven't thought through those when, you know, we were all sitting in the office and part of this is forcing us to look at how many of those security things are there just because they've always been there and aren't actually doing much. And how many things can we do to increase security without getting in the way. And I think that's sort of part of the predictivity gains we get.
So, okay. I appreciate that. It's not brand new, but something like single sign on, I mean, that's making the experience better for, am I feeling your, your, your Victoria, what do you want to say about that?
I dunno why it's already three conferences that I occasionally do some expression and the speaker stops and say, oh, Victoria, raise these eyebrows and okay. I'm glad to be, but I didn't have a, I was just listening and emoting. Okay. But anyway, given look
Like you were positively grimacing. I mean, so, okay. So to finish, my question is single side on, I mean, it's making the experience better and it's, you know, how widely is that helping? I mean, is that improving the situation? Is it valuable?
But absolutely. I think that we all had the experience in which we received a link in slack and we clicked on that link and a browser opened and you go on JIRA, you go on a Google calendar, you go on office and maybe the wrong browser clicks visa, and you are signed in with a wrong user. And now you have to switch like some, like, we are how to say technical people, so we know what to do, but some people like are frozen. So what am I gonna do now? They don't realize what they have multiple profiles that the last browser that we touched is the one that will get the click. And in general, also like some of the integration between like those productivity suites are not obvious, because again, before you had a perimeter and within that, everything was nicely talking to each other.
Now you needed to park was fully say, yes, I do want to connect Google drive to my slack. And the sheer fact that we have the ability to do was things, and that we can make a decision on the fly when someone clicks, whoever to let them in or to challenge them saying, okay, at least show me that it's still, you smile at your face. Eddie camera was a significant productivity gains, which are not easy to measure people like numbers, but that were definitely reset. I'm sorry. I don't want to body so nevermind. No, no,
No. Sorry. I just,
I know my accent is hard to par. I apologize.
No, no, I, I was just doing kind of our, our, our app for bringing up questions from the audience seems to have lost its way. So I was mainly asking my colleague Paul to help it, to find its way. Yes. So it was no, no disrespect to what you were saying if we're talking
Oh, I mean, do you have, do you guys have a sense of how much that has improved productivity if we say, okay, we just look at that one thing, you know, is there any kind of metric that you can say, well, in my experience, I've seen whatever.
Well, I, I would say with a single sign on your, have the chance to put all the complexity of authentication authorization from the application to another component, which has to reduce complexity and build up a platform and being in control of what's happening. And you can integrate new technology, new security technology, like manufacture authentication, or policy-based authentication on that platform using single sign on. So it's a big improvement, it's a success factor. You can hide all the complexity and at new security features with these.
So we've looked at the, some of the advantages of, of going down this route, but I mean, where, where do you feel that C a cm approach falls short is a kind of a new design pattern for IAM? So you've said it, it can help, but are there areas where kind of maybe just a dead end and that you shouldn't be going down there? I mean,
Well, I, I definitely say the governance part of it because, well, while we're preaching to, to centralize everything and, and put the identities in one place and, and do the authentication authorization in a centralized place that sort of is counterintuitive to the old ways of actually looking at what is happening in the application, in the on-prem application, you know, like, like the large stacks, like SAP with, I dunno, 57,000 different transaction. You can, you can get in those. I think that is something that we will not be able to solve easily with anything that's in the cm space right now, because at least to my understanding, the most applications that we're protecting with such cm technologies are definitely a little less complex. So they're definitely false fraud.
But Ellen, you were saying earlier that there's kind of the, the lines of blur. So are the vendors picking this up? I mean, are, are the vendors supporting this kind of in a way that it, it is easier for organizations to implement something that, that caters across the full spectrum? Sure.
But we're not there yet. Right? I mean, the, the, this is an ongoing challenge that we're going into, but absolutely the model is, is that the consumer space has gotten a lot more complex over the last, let's say 10 years, right? It, it used to be that consumer space was, there was a username and password probably stored in an SQL database somewhere. You logged into the website and you did something now it's much more complex to the point that anybody who's a frequent shopper at Amazon, I'm sorry, I I'm one of those. But when you go to Amazon and buy something, most of the time, it doesn't even prompt you for your username and password, right. It, it just knows who you are. That tells me that, you know, there was a study done several years ago that says that at least in the space, every click that the user has to go through before they get their order done, you lose 20% of your market.
Well, if you don't have to go through a login process, you're keeping a significant number of those people there. The same thing applies when we are working, right. If, if I get a message up and it's a slack message and I click on it and I have to register for an account or something like that, I lose interest in it pretty quickly. And, and, you know, I'd go off and do something else. And I lost interest. You'd spoke about single sign on and, and you know, when we're at Ford rock, we do single sign on to all of the apps. The advantages that happened with that was that when a new employee came on, they got their sign on and everything they needed just worked. You didn't have to go through a two week process of, can I get access to Salesforce? That's can I get
A two months project?
Yeah. Two weeks, if you're lucky. Yeah. Right. Can I get slack? How do I get this? How do I get that? It's just all there. And that work is all being done. That in itself gives us those productivity gains.
Although I'd like to cover, I agree with everything Alan just said, but there is one thing that people like, especially with bean counters, like look at visa and say, okay, fantastic. I just need one identity engine and I'll be done with everything. And although there is so much that you can transfer between the two workloads and so much infrastructure that can actually be reused, like is a Jo in checking, the signature is the same code, but there are still significant differences, which people are, should take into account. Like for example, consumers tended to be orders or magnitude more than your users. And that has an effect on how much hardware you needed to deploy in the cloud, of course, to front that like they need for scale. Also the distribution geographies and similar, the density of the things that you do with employees are different. Let's say that your employees will be in roles, will be in groups, we'll have a specific functions, we'll have lots of documents that they own or don't and similar. So all of us things are different between the two use cases. And if you optimize for one, you don't get the other or the other is awkward. So, although again, I agree that we are converging. I also agree that we are not there yet.
And can you give an another example? I mean, I didn't wanna get bogged down in single sign. I just thought it was a fairly good example to kinda illustrate what we were talking on. So, you know, like where have we gone from there? So we had single sign on what are the kind of things that you consider to be kind more, more advanced or the more breaking edge things that that organizations should be looking for. I mean, single sign on and what are the other things that we can be doing to, to go into this direction?
Self-service I, I think we, we, we are still lacking behind in that whole self-service thing on, on the IGA side is taking into account that the complexity of the internal workforce use cases with all the profiles and roles and, and multiple role layers is definitely much more complicated, tends to be more complicated than, than the C use case. I still believe that we could benefit from dumping it down for the end user still because it's still photo complex. Like
Yeah. It has to be more transparent. Yeah. I haven't got any questions on the app just yet, but perhaps just get a feel in the room. Are there any questions yet? Because we've, we've covered some ground, but if there's any direction you'd like, you'd like to carry it, to take it in something that you're particularly interested in this topic. I mean, obviously you're in the room. So there was, I'd just like to hear your expectations for what you'd like to hear from the panel. Cause you've got load of experience here.
So I'm curious as we see the rise of PAs key and the Fido from the Fido Alliance and the movement to using personal devices in the workplace for strong authentication, how is that? We, I think we can see what's gonna happen in the consumer space. How is that going to translate to the workforce space? How are workforces going to use my personal non MDM device? How are they going to allow that? What, what do you think the trends are gonna look like there?
Not yet, if I may go first, because I like to differentiate between what I call primary, second factor authentication and secondary, second factor authentication, like distinguishing between the fact that you're logging into your Microsoft machine, like windows, hello for business and stuff like that. And the final world I might, I'm, I'm a total fan and, and promoter of Fido and U two F. But while I, I, I still see some gap there because you cannot just put that together yet. You can, can reuse the hardware due to the windows biometric framework and, and the availability of multiple credential providers on, on one machine. But yeah, well then you're logged into your backend and not to your as service, which might require a 5 0 2 compliant thing. And as there's still so many use cases like layer three VPN where you need to have one of those old school tokens that some of you might remember awkward. Those two don't go too well yet say there's, there's going to be some, some work done.
So, sorry, Alan, before you start, we've kind of come up to time. I think next year we're gonna lobby four for extra time, but what by all means, make your point, but kinda make it your closing statement and then we'll just come through the panel. Cool. Just make any points that you feel that you haven't made.
I will, I will make the opposite point and say that I think on many of the leading edge companies and the bleeding edge companies, they are doing that, right. I mean, using personal, they've already moved into the, bring your own device. They've already moved into utilizing devices for that. And I think it's gonna apply differently for different businesses and, and what their requirements are internally. I mean, I use my personal phone for second factor authentication on, on all of our business apps. So, you know, I think everybody's on a different point on that journey.
I'd say that I'd be uncomfortable in hinting at one trend versus we other, because my feeling is that we are a bit in a Cambrian explosion moment in which nature is trying all sorts of body plan and they bring you own device has been a buzzword in our industry already for like better health of a decade, if not more. And now we have a better technologies. We have anomal detection, we have more ubiquitous and powerful mobile devices. And we are trying everything. People went all the way. We have no VPN, all sauce, and then someone gets breached and suddenly you get stuff that monitors all the movement of the people on the network and now, okay, your employees feel they feel surveyed. So really I think that we are due to some consolidation in term of practices. And right now we are trying everything we are experimenting and we'll see where the industry goes.
I would say that for many years we have built security solutions and CAHSI little defined environments like the intranet. And we, we did this back time when technologies and approaches were different. And now we have new technologies like Fido two, like my Deconnect and stuff like this. And we have new approaches to do that. And I would say that this gives us all of us, the chance to reconsider our approaches, how to do things and how to achieve better security, better experience for the users, because in the end users, internal workforce users or customers are digital identities, which want to use a service with little fraction and with a good experience and good security.
Okay. Fun work goes to you. So,
Yeah, so I, I just want to close with how, how much I hate that use case where you actually hit on that link and you are not in the context of the right user, that the one who sent you, the link expected you. And, and we had that, or I experience that was teams all the time because I, I now have like five or six accounts on teams and I really mess up all the time and can't get end with the teams meeting. We got so much more stuff to do there and, and reduce the friction and the, the user dissatisfaction on these ends. We never get unemployed.
Well, I hope you found that useful if not entertaining. Thank you very much.