Panel | Identity Fabrics: The Mesh and the Factory for Identity Services

We are moving towards our panel and I'm really, really glad to welcome a set of really great speakers for this panel identity fabrics, the mesh and the factory for identity services. Please welcome Alan Foster chief evangelists that don't mention the company because it's not there. Andrew Hughes of ping identity Jackson shore of clear sky and Steve Vema of for rock and the discussion will be led by Martin. Yeah. I'm looking forward to it. Have fun. Yeah. Okay.

Thank you, Matthias. And I give, I think a few seconds to, to change seats, cetera, find your place. And when I come to everyone, it's one of these panels which have an advantage and a disadvantage. The advantage is me as a moderator, I don't have to care about people are talking and the panel, the disadvantages, I need to ensure that one of you sort of high checks the entire panel and doesn't stop talking. So that will be my challenge. It's great to have all of you here. Most of you have been working for sometimes decades, probably check time and geek three already, or so I had conversations.

I, I think it was the, the, the, what was the MMS user group, the MMS user group, Microsoft meta directory services user group, where, where we sort of speak first met virtually, which is quite, quite some quite some time ago. And, and so it's great to every year and the topic is identity fabrics. And so I'd like to ask everyone of you to start with a very, very short 20 seconds intro of yourself. And then we dive into topic and always feel free to erase your hands and ask questions.

These guys can answer every question perfectly well, You were looking at me when you said that whole takeover, the talk, right, And also was looking ATT. So my name's Alan Foster up last year, I was chief evangelist at, for truck. I left for truck at the end of the year and am now the wisen head old man sitting in the corner, actually enjoying not doing a whole lot. Thanks a, so I'm Andrew Hughes director of identity standards at ping identity. I started in the identity worlds around 2007 in user-centric identity technologies and policy.

These days I work on standards mostly at ISO around government issued credentials. So think mobile driver's licenses and related things. So in about five years time, when you have your mobile digital driver's license, it'll be based on the standards that I am focused on these days. I'm looking For great.

Hi, I'm Steven Vema. I'm at Ford rock. I'm a distinguished engineer reporting to our CTO E mailer. My focus is really on sort of bringing the future to the present for our company. And that includes a lot of standards work, vice chair of the UMO working group, and also getting more involved in phyto Alliance.

And yeah, some of the other gatherings we, we share Trexon And I'm Jackson Shaw, I'm chief strategy officer at clear sky. I started anybody. Remember Banian vines, put your hands up. Few people there's less and less of us every year. So I started my directory work back, then join a little company called zoom in corporation, which was acquired by Microsoft in 1999, launched active directory. Anybody used that and have been doing identity for a very long time. Very exciting field, still so great to be here. Great to be here with everyone.

Okay, Wonderful. So our topic today is identity fabrics, the mesh and the factory for identity services. And one of the things I, and I talked about is little trust.

Now, one of the things I, I believe is that we have a tendency to have too many identity managements out there. So we, we, we had a workforce identity management. We created a customer identity management. We do one for that. So a new problem and new identity management. So how do you see that? So tracks your nodding. I agree. We have too many.

Okay, good. That someone disagree of you.

No, but then, then the answer is the question is what do we do about it? So how do we solve it? How do we fix it? What's your take on that? I see that there's a life cycle to this, this space that there's a tendency to want to integrate for a variety of reasons. And then there's also, the innovators oftentimes are starting small. So I think you're going to see that constant tension there.

So I, I'm not disagreeing, but I'm not fully agreeing either. I think you're gonna see that constant turn if you will.

Is, is it maybe a matter of, of how we integrate? I think there's when you talk integration, that could be purely based on, on established standards on the one extreme. And it could be saying we have to the vendor who delivers that holy grail of identity management with the other extreme, maybe that's, that's the point of how to do it. Right.

Isn't it, I, I think part of it is the fact that as we start seeing new kinds of opportunities, they don't fit into the way that we were doing it. Right, right. And consumer identities, a fine example of that.

When, when, whenever it was 7, 8, 9 years ago, when we started looking at consumer, it really didn't fit well into the traditional workflow models that were there nine years later, the differences between workflow and consumer are minuscule and they're turning into the same kind of thing. So I think as it grows up yeah. As it matures, they merge.

And It, it's interesting, maybe just as a comment that on the other hand, consumer identity tends to split between consumer identity and authentication and customer data platforms. Yeah. So these days I'm of the opinion that we're, we're about to see the finally the separation of identification, credentials and systems from entitlements authorizations and certifications. Right.

Because I, I suspect that we see many, many different flavors of identity system because they're not actually identity systems, they're authorization systems and authorization systems are currently by necessity use case driven. So if it's a consumer, well, the identification of the individual is the same as if they're an employee, but the entitlements and authorizations that you need are accustomed to the scenario.

And I'm, I'm probably completely wrong, but, you know Yeah. But, but, but wouldn't, wouldn't this again, maybe in seven or nine years from now to, to follow Ellen here, diminish in the sense of when we then really focus on authorization on policies, then again, it's, it's quite equal.

Well, once, once industry learns the patterns and sees what works competes debates in the standards bodies, then yes, there will be some convergence, but right now there isn't as, as you pointed out. And I think we see that right with say, you know, we had O one, we had O two, we now have map being developed. So there's learnings that are happening. And there is sort of a conversions. I think if you look at map, it's a reduction, a slight reduction in the use cases, but it's also more focused on, on what actually is working out of O two. Yeah.

I think the fact that we're, we continue as an industry to build standards and openness, at least hopefully in, in the products that we are, we're all building and the significant vendors like the Microsofts and the Amazons of the world continue to have, you know, an open set of published APIs. We're not gonna see this sort of convergence of tools. I do believe, you know, from your slide Martin, you showed, you know, IM tools and you talked about privilege.

I think there is a baseline of what I would saw call it meat and potato or bread and butter identity capabilities that probably could converge. But then too, I think some of the points that, that have been raised, there are a lot of these new vendors or new scenarios that come out. And my view is, you know, that's the way things innovate. And as long as the innovation includes use of existing APIs, then we can still, you know, kind of build the ideal system for ourselves.

And, and I think it's also, so I'm, I'm following this market for a while. So I think my, my identity management career started around 1989 or so with early land management network stuff, even venue wines was around and things like that.

And, and what was always the same is that there was innovation and then it got so to speak. Absorb might be a two negative term here, it converged and other solutions evolved.

And it's, you know, for us as Analyst, it's one, we do, for instance, when I do leadership compass, it's, it's very interesting to see, for instance, product innovation leadership at the beginning, if you take this into a quadrant and compare it, then in a mature market, it's highly correlated in an emerging market it's way lesser correlated, because there are some which are not very broad in their broader capabilities, but very innovative. And others might be in the market with traditional things for a while, but are not spearheading the innovation. I think this is, this is very normal.

I think that the standard thing you bring up is a very important one because it's not only, I believe it's not only about continuing standard works. I think the standard works has reached way higher, way broad and better level than when you go back, whatever eight or 10 years or, or even little longer.

So we see, see way more focus on, on standards. I believe these days than we had in the past. Yeah. I'm hoping, I'm hoping that customers are seeing the importance of standards too, because at the end of the day, the customers have to be asking for that. Openness also Believe me, customers are asking it. And then I say, oh, the standard is not ready yet. And then I say, then they are annoyed.

So as, as one of the people that sits in the standards committees at the ice level, again, we are, we're, we're constantly surveying the market, talking to our, our companies and our partners and, and trying to do that convergence. So the standards generation process is a multi-year process. So we can't get the standards out fast enough, but that's actually a good thing because it damps down the noise. So we can start to standardize on the successful approaches without pre-training them.

So, you know, imagine if you write, if you write a standard in advance of deployment, you kind of picked a winner before you've proven anything. So if, if it takes a few years, be patient with us, please, you have a chance to disprove some of the theories about what might come out and standardize on things that are actually proven to be deployable and usable in the market.

Yeah, Yeah. Yeah. I fully agree. I think it takes its time. And even when the first standard is there, it's not the end of the journey. So then we will see all, all the, the additions to the standard and the next versions of the standard, et cetera. OS two is not only OS two, but it's OS two plus a lot of things around and OS two is better than OS one. And I think this is also also normal because we learned it. We also learned from many standards, okay. Sometimes other things target.

So the, the shift from XL to rest and Chas cetera, meant that a lot of standards had to be sort of fundamentally updated P to Kim that's sample. Let's Not forget about X 400 or X 500. They're doing well. You to log that industry Checks, let's forget about 'em after all. But I think one of the things that's really helping with that is outside of the identity space, right?

The, the general consumer, every single one of us. And in fact, you know, our mothers are aware of standards and we all know when apple comes up with the next device that doesn't use the same charger and it impacts every single one of us. And we sort of realize how important the standards are.

And, and so it's becoming part of daily life. And so it, it bleeds over into identity and everything else we do. And Martin, actually, I have a question for you let's turn the tables with the identity, the reference architecture for the identity fabric that we saw in the previous slides are you seeing industry and, and, and businesses start to componentize their identity systems and demand those interoperable standards between those different components. So they can rip and replace the components like a directory service.

For example, if they wanna change it out or an authorization engine, if they want to change it out right now, it's, it's hard. I think it's a journey.

And, and I think that journey starts with saying, okay, it's not a lot of different things we treat separately. Oops.

But it's, it's first starting with, I have a, a, a full picture of it. And, and I think it's, it's the blueprint. It's the bland like when you do a house and you should have tried management, this is the first step, because this helps to understand what do you have, what is lacking? And this is something we do quite frequently with customers at that level. And then looking out or discussing which type of technology can serve, deliver the capabilities you need. Also looking at the, the API part increasingly. And I think over time, this exchange will become more topic.

It's also a little bit built in because when you look at this identity fabrics picture, maybe you've seen that the lower layer, there's this legacy I am seeing. And, and I'm, I'm a big believer of, for instance, saying, you must be able to gradually migrated your own pace. And one approach can be, take your legacy. IGA. You might have some, some connectors there, which are hard to replace, and which you also think you might, may not need in five years anymore.

So, so one strategy can be to say, okay, I use this sort of trust as a, a dump fulfillment engine, which is powered by your new identity fabric and trust serves the requests. And then, then, then you have have this, this, this part, for instance, which we discuss frequently with customers, how to deal with that. If I have an existing, I chain a access management is easier to replace and IHA is more difficult to replace. And in that case, it can be for instance, a strategy to say, okay, I, I, I sort of reduce it more and more. And at some point I can retire it.

And, but I don't invest much anymore questions from the audience questions from the online audience. Here's one, Hello, morning, all these comments on have heard here today about waiting. We have to create some, my standards.

Cetera, at some point are a bit against the needs that we have in a world today where the world is super fast paced. We need to really deliver very quick solutions. And sometimes from anarchy take to point of view, or from a, from a perspective where we have to take decisions for us, it's like, you know, drag on to the air and let's pray for the, the decision that I've made.

It's going to be the good one for at least keep my business on for the next next amount of months or years with, with a little bit of like, so can you let us know if we can take some, a, some approaches, some keys in order to help us to see what could be potentially the prepared direction to take in these cases Who wants picked the question or who wants to start? So you're looking, I guess I'll take a step back from your question.

The would I see happening in the industry is it's not, there's a maturation going on, but it's also a understanding of the change in the threat environment that you're talking about. So, as an example, Martin, you were talking earlier about dynamic authorization as a way to really address that the rapidity of change in the threat environment.

So there are, there are things that happen in the industry that try to address this increase in speed, but you're also asking about how do we change the fundamentals of how the industry, how fast the industry itself changes, which is almost a meta question, right? That's, that's hard because standards are, are a big part of that. And standards really have to rely on operational experience that you it's, it's like a least common denominator of all the different things we tried.

Well, this is the, the set that works. And oftentimes those standards are, they exclude a lot of things just to get that standard out. So if you look at OA too, there's a lot of things that says, ah, we're not doing that because we just have to get this, this one thing done.

I dunno, if you wanna build on that more a or, Well, I, I mean, the, the reality about it is no one sets out to build a failure, right? And so every to every standard body that sits down on things is trying to make it better for all of the youth than the use case that they sit down on. Many of them are successful and, you know, we've all bet on the wrong horse every now and again, I have to take my hat off to, to Martin and we are here in 2022 and he had a slide up there that had Zal on it, my personal favorite, right.

Which, which, and I've got one on my slides, two thirds right there, but you know, these are things, they looked like a good idea. And that's really the, the, the onus on the business itself is looking at and saying, do these standards actually help us move forward? Or are we fighting them? Right. And if we're fighting them, then maybe that's not the right way to go. Okay. But in general, all of them are put forward to try and get us to a better place.

But, but maybe there's also an element in if there's no standard yet. What do you do then? And that's the conversation I had with, with a lot of organizations and part of the answer is APIs. And the problem is then if you say you build on the APIs or when they're X or Y or set, then, then you're, you're risking to, to log in.

So at the end, what you then need is some, some good architecture work, some more at that level saying, okay, how can I abstract these APIs in a way that allow me to, with sort of the highest probability to, to change what is below that at the end of the day, if there's another standard, then try to build your own API layer in an as abstract manner as you can, which is not easy work. I have to, to be clear on that, but it can be done and it's better than everything else you can do. Yeah. Because everything else would be Standard, right? Yeah.

Well, and, and the one that I would add to that, right, which is, is really important is events like this because Lego has this staying that says 99.9% of the smart people in the world don't work for you. And so if you have a problem where standard makes sense, talking to other people at events like this is a way to distill out and to say, yeah, other people are seeing the same problem. Let's get together, let's work. And there's plenty of bodies that you can get together and start working on those, you know, it's hard work to build up a standard, but there's other people that help as well.

Yeah. Yeah.

It's, I can't agree more. There's no better standard than what successful cus what, what other customers and peers are using successfully. There's no guarantee that a standard is the right standard, whether it's Zamal or the old X 400 X 500, which I said deliberately as a PO standards. Right. And the other thing is there are, there are commercial standards and by commercial standards, I mean, what is the market really using? I'm an apple guy.

I've got a lightning cable in my pocket, but it's the standard because that's what most of the, I shouldn't say most of the world, but a good part of the world is using. So to Alan's point, I would definitely say, and to Martin, this is the reason I come to these kind of shows is to, is to understand what other people are doing. It may be standards based. It may not be standards based.

And these, the risk, of course, I bought a company that was AMO based, had to throw it out. Sorry, but that's what happens. Speaker 10 00:22:21 I, one question about standards and forced use of standards, we'll force probably land down in the metaphor or that's standard, not by open standards by default and opensource, like, but are we used to, are there companies Toor services to give us an avatar to use the metaphors? Who's the metaphor expert, Speaker 10 00:22:45 No metaphor expertise. Yeah. But I think isn't it with like, with every evolution.

So, so if we take web three, maybe with, as a very related term to death, then, then there, there's a lot of things which are using some things which are moving to standard or partially standard. And, and I think with every, every evolution, it will be at the beginning, there will be some who, who, who bring it up, who are successful and which do it very differently. And then at some point there will be a tendency to conversions.

I'm also optimistic that over time, for instance, there will be standards that help you to manage the infrastructure, go back to reality, the IIS environments of Google, Amazon, and Microsoft in a more standardized manner because the world needs it and the pressure will be there. And sometimes they will together and think about the least common demo denominator or things like that. I think we have one more question and then we are, or okay. Matthias.

Hi, you've got it already. Speaker 11 00:23:48 Hi, I'm radar from PWC. There are a number of tools for identity and access management today.

But my, my thought after working with this for a while is that the problem is not the availability of tools or the security on, on the tools themselves or the standards, but rather the implementation of business processes into the tools and the understanding of the capabilities of what you're buying. And it was mentioned during the keynote today that a lot of businesses has more than 70, 70 security tools built on top of each other, which all bring value to the overall solution, which would, which may, may have a lot of like duplicate features.

So what is your thought on, on the problem of implementing business processes using available tools? Okay. You first and I'll comment on this, but quickly. I think we have only a few minutes left. Gosh. So business tools to me that what that resonates with is how do you integrate identity systems and access management and governance and all, all those great things, APIs into a business process. And how do you make that easier over time? And I think Martin was emphasizing, APIs are part of the answer.

That's becoming more common today, but of course the APIs need to be stable or, you know, you'd end up throwing out your integration anyways. So I don't know if that's answering part of your question.

I, I think part of it is, you know, I think probably some 15 years ago or so I started an initiative about sort of standardizing the ITA processes because they are at the end, they are pretty much the same across every organization. It was very huge success, a lot of work, little success because the vendors were that's interested integrators even less have to say in, in doing that exercise.

I, I think we're making progress right now on that. And we also, with the workflow capabilities we get these days, we are making brokers when it comes to all these things, but not everything which could be standardized is already standardized. Maybe some of the things never will be standardized.

So it's, I think it is also part of the journey, but we are, we are making progress here. We have three minutes left. So I'd like to ask my panelists for, for one closing statement, one sort of the one takeaway you want to, to share with the audience they, they should consider for their journey and identity management checks. And do you wanna start this time? Sure.

I mean, I, I, I'm very biased because of where I work right now and, and the reason I'm working there is because I do believe in the integration of a lot of the basic identity governance and administration capabilities and a business platform and that business platform being serviced now, I'm, I'm a proponent of having the integration of a lot of these capabilities around a company's business platform, not standing up a separate platform, that's separate from the business requiring separate integration.

So I'm really, I'm really thinking more along the lines of where can we integrate at that business layer and not build things that are separate from the business. Steve. So I think that the, we we've talked a lot about standards and where the interesting, so there's sort of almost a commoditization in some areas, for example, directory services, we're at that it's at a maturity level. You could almost just plug in one directory for another. Maybe the scheme is a little different depending on the application, but where the interesting work is happening is where the pain points are.

And for example, dynamic authorization at scale is, is a real challenge. And there's some very interesting work going on in that space. Another is the actual business process integration.

How, how do we make that easier? You have to remember, it's not just pain points, interoperability. One quick takeaway. Yep. One quick takeaway. They're interesting. I could go on and on. I'm doing an a, sorry. So my takeaway is pertinent to the question about overlapping products and services. Watch the space of orchestration and low code, no code because it's a bridge to the next interoperable environment. Yeah. Okay. My mine has to be authorization and policy.

I, I think that taking authorization from a how and taking it up into the why is going to be the next steps that we have to do. Okay. Thank you very much to the four of you. Thank you very much for you and all the people online, listening in. I think it was a great panel. Thank you.