Event Recording

Implementing Multi-Region Identity Identifiers and IAM

I want to introduce you to name. He is with Swedbank in Estonia, I think, or in Sweden, I'm not quite sure; Swedbank. He will talk about implementing multi-region identity and identifiers and IAM. And he will be with us virtually because travel is currently difficult. Hi, name. Good to see you. Hello? Can you hear me?
I was getting a little bit nervous already because I was told to be here 20 minutes before the start.
Okay, then. Sorry for that. I hope you're ready to start. You're already on screen. The audience is waiting. You're ready for showtime.
Yes. Do you see my presentation also?
Just a sec.
At least I'm sharing. Yes. Yes.
Yes, it works. We can see you. We can see your slides. So the stage is yours. 20 minutes to go.
Thank you. I was contacted by Andrea before, sometime before the European conference. I was presenting the previous year and Andrea asked me if I can present something this year also. Then I asked, well, of course, the previous year there was something which we could proudly show. We didn't have many big projects this year. So I asked Dan to pick up the topic, and one of the topics was implementing multi-region identity identifiers. Originally this headline was lessons learned. I thought that, well, do you really have any lessons learned? We are still struggling. So it's the pain. And then I thought that, well, that's why I will not teach you anything. I will rather use you as a doctor, because doctors see that I want to speak; it makes me think. And that's why you should rather just listen to it, and it's afternoon.
So rather listen, and let's think together about some things here, rather than me teaching you something. So the headline is implementing multi-region identifiers and IAM, without anything like lessons learned. So let's go through some things. First, when I usually start designing something, then I'm always putting things on the table and seeing what I have, because before I start cooking, I want to know what I have at all. Then I will know what I can cook. So in the software systems, identity identifiers are needed really for two things: distinction and persistence. And actually the possibility to distinguish identities is really needed by us humans, not really by the computer systems. They don't really care much about us, the humans behind the processes, but the persistence of identifiers is needed really by the software systems, and questions about the persistence really arose on the same day when computers came to be shared and able to run multiple processes.
Then the identity of the processes was really needed, not before. And as a system designer and developer, I will talk about some challenges here. So let's put some things on the table. What is multi-region? I don't have some formal definitions; I rather have some intuitive descriptions. I think let's think about it like internal boundaries in the systems when things are, so to say, different. And it can be either that the requirements are to process things differently, or there are restrictions. Those are the two things which make boundaries. Then some examples, but not all. For example, the legislation differs between countries about personal entities; you must handle them differently. Then we have, from country to country, government identifiers, which are just different. And then we may have internal policies when we are crossing the policy boundaries. For example, when we move from one legal entity to another legal entity inside a bank group, then sometimes we have to get new user names.
We are not allowed to use the same accounts. But it's not exhaustive; there are many more. Then the questions, before we dig into resolving some problems, which I always ask: is this really a problem at all? Maybe I'm overthinking. If it is a problem, what is the root cause? And if you have the root cause, can we resolve it, or can we just avoid it? Then the problem of identity sameness. Is it a problem at all or not? Usually when I think about it, and actually it has been hurting me a long time, then I realize that the answer is always quick and the same: yes, of course we need identity sameness. But then I realized that the answer is not really rational. It's us humans who feel uncomfortable when we imagine that persons can take multiple personas in the computers.
And we don't really feel safe, because for us the person is the one unique being; how can it be that the computers can represent the person in multiple copies? No, it cannot be. We must have the sameness. But really it's our problem; it's not the computer's problem. So the sameness in distinction is not really the problem. Then what is the problem, really? The real problem in the computers is the distinctions, or the sameness, and where do we need it? For humans, we need it in use cases to understand that these two given records are about the same persons. Then there are inner-scope systems, I just name them arbitrarily. The computers need the distinctions. They don't understand anything about action sequences. When there is something happening, some processes are running, we are doing something, we are reviewing something, but computers really see that it's just processes running.
And what we are hunting for is the toxic combinations in operations. We want to prevent persons or accounts doing thing A as user X and thing B as user Y, but really being the same person. And then there are some wide-scope systems. Sometimes we want to correlate data from the outer world to events internally. For example, now in our customers' cases, the money laundering cases and some misuse, abusing positions. Those are the things where the distinctions, the sameness, are needed. And then the persistence. What is the persistence? The persistence came into play when the processes came to have identities. And as soon as the processes came to have identities, this is something which we call using the account. We don't really use accounts; the processes get identities. And the persistence is really needed here for the computers to remove friction in provisioning processes.
What does it mean? It means that we are rather looking for the solutions where we are running process A in one computer, and then we want to have the same authentication methods, or the same smooth possibilities, to run similar processes, using the same data, in other computers and other systems. So this is the kind of persistence which you need in the provisioning. And what are the problems which multi-region really brings? Again, a small list: change of identifiers, of course; then data storage and exposure restrictions: can region C see identifiers from region B? Those are really the first two things. The main things which hurt are the constant changing of the data, so the persistence is violated or broken, and data storage conflicts of accessing the data. Then there's something about identifier types. Then my thought: don't jump to the identifier types.
What are the types which are constantly changing at all? To make some order here, I think that in current data there are already three kinds of identifiers. The first and simplest are the tokens, government-issued identifiers. And this is what we know well: they have low persistence and high distinction. The low persistence means that the government can issue new ones. For example, car license numbers can change, passport numbers can change. Also some national identifiers are persistent, but for example Latvia recently introduced the possibility to choose an arbitrary national identifier. So it's not even something related to our person, so it's low persistence; the government can choose something new. But they have high distinction, meaning that once given to us, it cannot be transferred to another one. Then we have the biometrics, but they need observation and capture every time.
But they have high persistence, meaning that when something is unique for you, like your retina, then it's very highly persistent; it's valid forever. But sometimes they have low distinction, depending on the systems which we are using them with. The system may have errors. And that's why I'm saying that they have comparably low distinction. And then finally we have the third type, the data which must be analyzed as a whole or as a pattern, and then we can say with confidence that this is the same identity. And thereby it has low persistence, because as soon as people are changing, when we are for example using the behavior patterns, it's possible to have the same behavior, and actors can do it every day. So it's comparably low persistence, and low distinction also, because depending on the system, they are very complex and need really good artificial intelligence or understanding when analyzing the data.
So those are all the three identifier types which exist today. And then some anti-patterns which we are trying to fight in the systems. When I have the task to design the multi-regional identity systems, there are anti-patterns which we have. There is, for example, the mixing of persons and users in HR systems in authentication. What does it mean? It is that HR can sometimes implement some authentication systems of their own. For example, when you want to file your vacation plans, then you must authenticate to your HR systems. And the low-hanging fruit is for HR systems to use the same identifier to authenticate you, or to actually become the authentication provider. And this is the mixing of concerns and the abusing of persons' data, just because it's possible. Then we have transitive usage of login information in systems, meaning that one system has the user authentication.
And then another system is starting to use the same identifiers, because one system has easy access and I can have it, and then let's share data. And then the fourth pattern is the use of non-persistent identifiers. The most common example is using the email address as an identifier, which can very easily change, not so much for males, but for females recently, but still it's commonly used. And of course then we have to think, when we are talking about multi-region, not just geographic, but for example when we talk about group organizations which want to share the data between them, they want to share the HR systems or authentication systems and Active Directory applications. Then immediately we have to think about it: what is the legal basis for this? Can we share the identity data, how can it travel the boundaries inside group organizations?
And then I asked our legal department, and this is something which, of course, comes directly from the GDPR, but GDPR is generic; you must implement something here on your own. So what we have is the group DPAs, data processing agreements; we must have the legal bodies. And every time we create a new type of interface, we must also initiate something called a data protection impact assessment. And finally, I skip past this, because there are also some processes to implement which are affected by the multi-region interfaces, but this is something which I really came up with, and I'm using an ArchiMate tool. It's not for the reason to look fancy, or it's not boys with the toys, but it really makes you think about things. It doesn't allow you to just draw boxes, because architecture for me has long been something backwards, because it's the art of drawing boxes.
But then you also must be able to explain, and ArchiMate is making it somehow easier. It doesn't let you do so many stupid things, and it forces you to think about the things. So first, what I thought, to resolve those things in multi-region, I started from the capabilities. There are the capabilities which I thought are needed: having the identity correlation management capability. There are the business functions, three business functions, which I think implement this and are needing them: identity capture, identity correlation, and identity transfer. Those are the ones which make up the basis of this capability, which is called identity correlation management. And there is the identity lifecycle, or identity access management; it's actually just the zoomed-in part of the things which are used in identity onboarding, leaving, moving, all the processes.
Those are the small parts. And there are important objects which are related to those functions. Identity capture is the function with which I want to deal with things which are called identifier tokens, everything which we must cover: the regular tokens, but also the biometrics. Then we have correlation records. I want to keep it separate; I want to have some function which is able to correlate identities, without having that kind of black box here, so something which is able to really understand that this is the same person. And then we have the transfer ticket, which must cover the legislation aspects of those things. So when two parties want to share the identities, they must present transfer tickets. And finally, the HR is really the only interface. As you see, I separated those functions from HR.
I built some services, and in them I have the correlation and lifecycle services which I want to have. And finally what I will have is this kind of data model. I have four processes. I have the capture, which is responsible for capturing your identifier when you are onboarding; this is the process which is responsible for just correctly capturing your passport, but storing it without revealing it to the lower layers. Then there are associations, which is responsible for understanding if you are the same person. Then there are transfer processes, when two legal bodies want to share the identities which are moving. And then there are the lifecycle processes, which are finally creating the accounts. And what is important is that each of the systems is dealing with their own data and they don't really share the identifier token.
So the token is there. And then we have the functions. The authentication function is something which really only deals with user authentication, and there are no identity tokens like passport numbers or social security numbers at account level, because the authentication really should not deal with this. When it's needed, on the authorization level, to know who the identity is, then there are the identification services, identification functions. When you present to them your account information, then you can have the answer who is the identity behind it, but it still doesn't reveal your personal information. Then there is another function which is needed, the person disclosure, when you really need to correlate, for those who need to understand, like KYC processes, this information. So these kinds of things are the response when I was given the topic to think about multi-regional identity management, and this is the first draft of the architecture which I drew.
Yes. And this is the...
We're almost at time on your presentation. Are you nearly done?
I finished it, because this was something which I planned, to explain the terms. And then I wanted to talk about, think about, the draft of a possible architecture addressing these concerns.
Okay. Sorry, I didn't quite understand what you said there. So have you got much more to go on your presentation? Nope. Okay.
I wanted to reach the point where I can present some proposed architecture for the concerns related to the multi-region identifiers.
Okay. Well, I'm really sorry, we have to bring on our next speaker, but thank you so much for joining us this afternoon and thank you for an excellent presentation.
Yes. Thank you.
Okay. Thank you, name.
