Pre-Conference Workshop | IAM, the Cloud, and GDPR - Why you will fail on GDPR without a strong IAM posture

From copy our call and myself, we will lead you through the workshop today, where we will talk about GDPR privacy, data protection and how it refers to identity management, how it's influencing identity management as we are having slight check-in challenges over here in Berlin. I would like to propose that we delay the session for another few minutes. And maybe over here, you in Berlin, you get another cup of coffee over outside here of the room and all those who are, who are virtually joining the session. Please wait for another five minutes. So we will start at eight 40. Thank you very much. You will lead to through the agenda
Teams.
So good morning again from Berlin, I would like to welcome you to this workshop. As I already mentioned, five minutes ago, we start with a little of a little bit of delay because over in Berlin things start slowly at the first conference day. Very sorry about that. Even technical challenges, challenges we have been facing down there with our conference app. I hope that it will be solved soon. So now warm welcome. Again. I will immediately hand hand over to Andrea Homan. He will lead you through the structure of today's workshop. And after that we will do an introduction round. Is that right? Andre? That
Would be absolutely great. If you know a little bit about the person who attends this workshop, I would say the, the, the domain word is workshop that we try to, to interact a little bit. It's not only a pitch and yeah, I, I invite you to, to bring in your IDs, your, your, your thoughts and your challenges you see in these topics. Also what we try to do the welcome. And then we try to gather little bit expectations. The topic of the, of this workshop is IM GDPR and cloud and how it belongs together. And it would be very, very interesting to understand why you are here and why you spend this, this, this half a day or, or a couple of hours to, to dig a little bit in, in, in this topic. After that, we like to give you a short knowledge, knowledge push to, to, to, yeah. As a teaser for, for a discussion. Then we have the most important thing. The coffee break, the coffee break is not only to drink coffee it, to see and to discuss with each other, to see what kind of problem companies have other companies. Are we in the same boat or are we totally different
After that? We try to make a short breakout session. And hopefully it works for the online attendees as well. We have an online moderator and we try to, to work with some use cases to identify several themes. After that, we try to reflect and a short, I would say, survey of the results result of the survey. We have a couple of questions we like to, to ask you to understand where you are and yeah. Where you're coming from. Yeah. Introduction, huh? Myself. My name is Andre Roman. I'm working in Novum. I'm something like delivery manager for our projects in the IM. And yeah, I would, would be very nice to, to understand who you are from which companies you are. And
Yeah.
Is there someone who like to break the ice and to say,
Let's start here. Let's right here.
Hello. My name is Ajna. I am from ID zoo and I'm currently working mainly in the identity access management area in our cloud adoption program.
Thank you very much.
My name is Miel. I come from TV two Denmark. I work in our customer facing team, providing access for, for our streaming platform and our services, as well as GDPR compliance.
Thank you very much.
Hello. My name is Christian I'm from BWC in Norway. I come mainly come from a network security background and I'm, I'm quite new to this identity space. So I'm excited to learn.
Thank you.
Yeah, I'm Sarah I'm with Andrea at Novo, but I'm just a marketing lady. So I don't count.
Yes. Hello. I am as well. Andrea colleague Leo Mike background is cyber security and I'm working on hybrid cloud project with entre rather in their security aspect.
Hi, I'm an Barak from EMBO I'm CEO of Oxi solutions, and we provide the solution around customer identity, access management, and we are very interested to, to see how about using the recreation or for all what we provide. Thank you.
Hi, my name is represent the public sector, the Phoenix, local and rich law authorities.
Thank you very much. Very international, huh? Yeah.
Speaker 10 00:12:29 Hello. My name is Marcus Steiner coming from Switzerland. It concept as an integrator here.
Thank you very much.
Switzerland is very strong or
Speaker 11 00:12:40 Good morning ger from triple ID originally, originally from Turkey, but I'm based in Munich. I am the co-founder and IGA solution architects at the company. Yeah.
So how is your opinion that we moved EIC from Munich to Berlin?
Speaker 11 00:13:00 That's a pity for me.
Speaker 12 00:13:06 Good morning. My name is ER I'm from the Dutch government and I work as an identity access management architect stick.
We also have a very, very strong Dutch community over here at the IC. Very welcome. I think we even have more Dutch, civil servants over here than she ones, which is very significant.
Speaker 13 00:13:31 Hello, good morning. My name is Nick. I am also from the Netherlands and I work as an solution architect in the identity and access management space for a company called the identity managers.
Hi,
Speaker 14 00:13:44 My name is fi Don also Dutch from Netherlands. Also work for identity managers as an I am consultant.
Cool.
So last and
Speaker 15 00:13:52 Hello. I'm Roger Hanson. I'm working for, Nagarro located in Olo, Norway, and I've been working as a, as a solution architect within identity and access management for yeah. Some years.
Thank you. So how, how gonna we, how gonna do the, the round with the online participants? I think it's, it's a lot. We have there it's 40 already. No more than 40 close to 50, maybe to not, to not make it too long. I don't know what, how should we go about it?
Yeah, perhaps the one or order is open to spend some
Raise hand. If you would like to introduce yourself
Who like to break the, the ice. Hey, here we have a hand.
Yeah. Open your microphone. White hyper.
Speaker 16 00:14:57 My name is Hakeem. I'm a solution architect for a FinTech company here in San Francisco. Thank you.
Welcome reading. So San Francisco white,
Speaker 16 00:15:13 Why San Francisco, California. United States. Sorry. I should have mentioned that.
Why? Hi,
Speaker 17 00:15:24 Good morning everybody. My name is kin. I also work for at Novo, like I'm head of em and security consulting, and I'll be glad to lead the workshop, the digital part of it later on being very much forward to all your inputs.
Very welcome. White. Who, who else do we have?
Speaker 18 00:15:51 Hi, my name is frika Hoenstein I'm from the university of San Colin.
Can you repeat that? I didn't understand. University
Speaker 18 00:16:01 Of Sanko in Switzerland.
Ah,
Speaker 18 00:16:05 Yeah, the
Most beautiful
Speaker 18 00:16:06 From Switzerland as well.
Oh yes. And they build the most beautiful bicycles down there. I just got one and open. You know that, that brand.
Speaker 18 00:16:15 Yeah.
That's from barley. Yeah. Great.
Thank you very much.
Okay. Yeah. Then let's jump in. And the, the, the first thing we like to do is one second. I have to open the right browser here. Perhaps you can share my screen and yeah. Thank you very much. Also, you decided to sit here this morning. Is it allowed to ask why you are sitting here? Okay. I am. It's your topic? It's your hobby, whatever your profession, but why exactly here, you had no other choice or what is, what, what is the reason we tried to identify? Do you have really challenges or are you only interested in this topic? Or what do you believe if you hear this IM cloud stuff and, and all the, the, the GDPR around us who likes to start?
Yeah, for, for me, I had a choice. It's getting more and more interesting to see how your personal data or company data, customer, and supply data is move to the cloud and you have to provide some security and also being compliant to whatever you do. And I just want to see experiences from other companies. Yeah. How they deal it, because we are currently in a very fast ramp up face in the cloud. And as your fast and security comes, last identity and access manage comes very last. And you have to, to, you are always behind the race. And for me, it's just to see how other companies deal with, with those challenges.
Thank you very much. Other thoughts,
Volunteers,
Why are you interested in this cloud? Who likes to give some input, please? What do you believe, please? Yeah. Yeah,
Sure.
Speaker 19 00:18:54 Cloud is just getting more and more
Relevant for
Speaker 19 00:19:00 Different
Speaker 15 00:19:01 Clients. And I mean, we need to know just more about it. So I'm a bit curious to see what we can learn here today.
Okay. Okay.
Other thoughts?
Okay. Challenges here. Yeah. Is there perhaps someone online who likes to, to, to give input why he spent this morning for this topic? Do we have someone online? Do we have some hands silence in the room?
Speaker 20 00:19:54 Oh yeah. I, I can add something how to deal in terms of using cloud
Applications, how to deal with multiple identities and the fact that we don't only have one, but in each system, in each provider of identities, it's a separated ID and then how to deal with it.
Yeah. Multiple identities,
Maybe also, because we are in a time in terms of uncertainty in many different ways, not only politically, but as well on the technological side, that decentralized identity suddenly is becoming a topic or the way how regulation is evolving in the EU. And also beyond EU is changing a lot. These days. There's a lot of controversial discussion also on the political side, going on, where is it? Is it developing? So it's a very interesting question. How a changing identity and excess landscape can cap cover and can cater for a changing regulation landscape. This is we'll be causing quite a few challenges in future time. That's what I think.
Okay. Other thoughts,
Speaker 21 00:21:20 Maybe from my side, one thing we are all using teams. We are inviting guests. We are sharing data via Federation. These, this data, this data ends up in systems that we do not longer control. What does that mean for GDPR, with the data that resides with the system that issued the invitation?
Yeah.
And another topic is that we are, when using services to internet, we are continuously giving consent on sharing our data, but we do it sometimes multiple times a day. So how to manage finally this consent, how to come to a single place or an acceptable manner for the user to give agreement, to share his data. So consent management, you could, yeah.
Okay. Anything else?
What about identity of things? Is that a topic?
Yes. Here we have.
It's more matter of interpretation as such, but a user insight into your own data. How, how we expose those data in either a very technical sense that, that you are as a end user, not particularly able to understand, or if we should perhaps add some understandability to what you are getting.
Yep. Thank you very much.
Speaker 21 00:23:21 So, absolutely. If you ever try to download your data from Google that Google has upon you, you get JS and files and whatever, this is something really for the end user, not. So this is really something that needs to change make, make it more transparent. Yeah. Absolutely. Fully agree. Any other ideas, any other questions that you would like us to solve today?
Speaker 22 00:23:53 Hello. Good morning. My question is related to data destruction. So it's very common in consumer platforms where users' data stays maybe till the end of time or any intro, get his hands on. So how GDPR bound entities in destroying the data when it's not been induced. So I'm very keen to understand that
How can I summarize that? Authorized or forget? Thank you very much. It's very important. Yep. Thank you right. To forget,
Right.
To be forgotten, to be more be forgotten. Yeah, exactly. Yeah. One, one very popular topic about this is this COVID stuff I heard from the, from the data protection that everybody has now to clean, to clean up that their own data, which had together during the POME, every restaurant hotel everybody had within no, no time to build some crazy solutions to together, all the datas. And now the data protection is coming and say, yeah, now you please delete everything. Huh? You had no time in, in nothing. And, and I'm absolutely sure you will have a lot of datas which are laying around and you, you, you are not able to delete that. Trace traceability. The, we gather up to one identity. Absolutely.
So the traceability, how to inventory all the data we have in relation to one I, to one particular identity store it in the system.
Yep. Exactly. Thank you. All the challenges you see. Okay. Then let's try to, I would like to ask you perhaps something, if it's allowed and it would be absolutely great if the online people could join as well. And I'm not sure how we can count now, the, the, the online is possible that perhaps you can have a look to the monitor to, to count and we try to make a short survey. Huh. And we have only. Yes and no. Huh. And if I would kindly ask you to open the hand, if you believe it. So then, then please raise the hand. Also, the first question would be, do you believe GDPR affects or will affect your IM landscape? Paul? Unbelievable. Thank you very much.
Yeah.
It's hardly. Do you believe IM is a key element for GDPR. Thank you very much. And the opposite is someone believing it's not a key element.
No,
Thank you very much. Ah, you raised the hand or no problem. Awesome. Do you see increasing requirements for solutions in the cloud, in the relation to GDP or, or the opposite who don't believe that increasing requirements for solution in the cloud you believe or you, you don't believe?
I do believe, but I don't
See it. Oh,
I believe it's necessary, but I don't see.
Thank you very much also then the next question is a large part of your IM solution already in the cloud. Wow. The health of the solution are in the cloud. Cool. And do you believe you will keep your IM solution in the cloud or migrate to the cloud? Okay, cool. And the next one is, do you believe that the GDPR regulations will become even stronger in future? Thank you very much for this short survey. Yeah. Then perhaps after this short workshop, as the workshop today, we can reflect that again with, with perhaps the finding we had. Okay. Also,
Yeah. Then I would say, let's try to give a little bit knowledge push and we have three slots and I try to start with em, core functions and main challenges for IM in the cloud. And therefore, I like to start where everything begins. I don't, and I don't like to waste your time, but the question is for what is identity and access management really good for? And we do not have a IM system that we have an IM system and it's funny, and everybody has an IM system and we need a IM system as well. No, an IM system is the main reason is the secure execution of business processes. And our role is to ensure that we can say who has been and why access and what the user is doing there. And with GDPR hub, we have the audition here and is it really allowed what we are doing with that?
And here I see the first challenge we have with the IM system. Do we really know our business processes, do which we have to support. And mostly I would say no. And it starts to who has to gather requirements for these business processes? Is it part of a IM project to identify security, relevant topics in a business process? Are we responsible that the business process is secure or not? And I would say yes and no, of course we have to support it, but only together with the business process owners. And if we have these business processes, not under control, we are not able to gather GDPR requirements. And here I see the first challenge for identity and access management.
Then let's have a look to identity and access management. Most companies say ya, yeah, we have a, I am system FAHE and it creates our ad accounts and ya, everything on the control. And we have an I, I am system and that's not the truth. The, we have an identity governance system, but if you like it as a whole, also, you like to see it as a whole, you have to combine it with access management and that are absolute different solution and different technologies, which we have to combine identity management has to manage entities, the life cycle, the roles and rights and access management has to make the identification authorization and Federation and trust. And exactly as in this organization for this, this conference is someone gave you the identity, huh? And the nice guys at the door. Huh? Who not every let in with back with this.
Yeah, exactly. They have to control it. And if you combine it, if you would combine it in one single system, you have suddenly problem with segregation of duty. These people here have to work independently. And this system, people here have to work independently as well. But if we like to discuss about identity and access management in a common sense, it is always both. And yeah, from time to time, I, I see that the yoyo IM system, we creating this 80 account, but active directory. No, no has nothing to do with customer management. No, no. It's active directory. And, but the whole thing together is that what we have to build to ensure who has when and why access and what is the user doing there? And this is out, okay.
Then we have the whole cloud challenge. Yeah. Let's have a look on premise that that is what we normally have. And we, where we are coming from. And here we have a dedicated, and we believe protected infrastructure. On the other side, we have cloud and cloud has different flavors. And the real cloud we are discussing about shared solution. It's not only that you copy or bring everything you have on premise on your own server, into the cloud. Yeah. That's possible as well. But the real cloud challenge are shared infrastructure. And if you like to bring some something to the cloud, you have yeah. Really to redesign your application, like you play legal, you know, the legal bricks and you have to rebuild your application with standard functions from the cloud shared function and put everything together until you have your solution. Again, this is what we understand what is cloud. And not only I take the server with, with virtual server contain the technology, easy to push something around. Well, here on premise.
Yeah. Okay. No. What is the advantage and the disadvantage of the whole thing on the one side, you have standardization and with standardization, you can make everything cheaper. It's easier. And therefore is the cloud. So trendy, you have standard function. You can multiply the same thing and therefore it's easy and cheap to, to, to operate. On the other side, you lose, of course flexibility. If you go to the cloud and you have to deal with standard functions and all these funny, nice requirements a company has, perhaps it's not possible to, to cover everything and you have to live with that. And what's about the, the security risks. Yeah. You have data leak, theft, mail function, the whole program.
And yes, a little bit. It seems if you go to cloud, everything grows a little bit. But on premise, we supposedly we believe our data secure. They are in the seller. We have a door, we can close it. Everything is, is fine. I know some companies, they had problems with the mega cortex. I don't know if you know this, this tool and nothing was running anymore. And I saw really sea level crying. They had tears in the eyes, as they could see that the whole infrastructure was down. I don't say that IM is the whole solution, but with IM you can dramatically close the attack vectors. And with a strong IM solution, you are really, really good protection protected against a lot of these cybersecurity risks.
And here on this side, you have the problem across the borders. You have external operations. You don't know who is really now looking your data or doing something in the cloud infrastructure network, data storage, shared environment, and all the stuff. And if you like to go to the cloud, it is even more important that you have a strong IM solution in place. And to go to cloud without an IM solution becomes a nightmare. And if you believe, and Azure is not a, I IM solution that we understand us, right? And if you like to go and, and to do something with this Azure and, and office 365, you know, everybody has to make, to create its own account that he can go to cloud. It's okay. If a company register an own domain, a domain, you have it on the control. You have policies, whatever you want, you have your, your identities under control.
But every guest, every guest you invite has to create such Microsoft account. And millions of these Microsoft accounts are lying around with poor protection, never change password, no multifactor, nothing. And a guest has access to your data. You invite him, and this is a door, huh? And you have to keep such things on the controls. You have to clean up the, the, the access you have to, to monitor the, the, the guest accounts or there's still in use. There are solutions around really great solution. You can, yeah. You can ensure that someone has to, to approve it and strong IM solution. And if you not have from the first state is in place, you will get in problem. I would say, huh? Okay.
GDPR. I see it like the nice guys at the door. We entered here, the, the door keeper, they, they have looked that only people can access who has the right, and that we have no control what we are doing here and so on. But of course it's not, it's not the, the, the, the whole story you need additional, I would say pillars guardrails one is for example, secure infrastructure, secure infrastructure that you protect, that you work in container based that you harden, that you use hardened systems. And so on, on here, you need of course, trusted solutions as well. Here, you have to make stress, test ethical hacking and all, all the stuff, and you need strong operating model. And I would say with such a model security model, you can close the attack, vector dramatically. We know the absolute security not exist. You have still a risk that is remaining, but you can reduce and, and, and harden everything very strong. Okay, well, this is the last slide. And, and for me, it's important that we can divide identity management and access management. And we must be careful with our data that we not produce new risks with identity management. We know exactly who the user is. I have no problem that, you know, I'm on Roman, I'm living in countryside in Switzerland. No problem with that.
On the other side, the access management knows exactly what I'm doing and here I'm not so relaxed anymore. And if you would be able to bring my person with my traffic data together, you generate toxic data. And this data you have to protect. And here you have to ask the user for this nice content. Do you agree? And it's very important that the use is not agreeing what we currently are doing. He has to agree what we do with the data and what we will do in the data. And if we have the data and is it allowed to, to, to analyze the data, we will do it. And therefore the G D PR IM am delivers a lot of support functions that we can fulfill GDPR requirements. But on the other side, we must be very, very careful with our data to bring the things together.
And the most of the company, they have it in, in, in different storages. And in case of any accident, whatever, then they try to bring it together, analyze, but then put it away to have always the data together. It's, it's not so, so, so easy. And then you mix a little bit tracking. And so, and then you have, then you know everything about your, your customer. And this is a little bit the, the, the felt that the force field from the three points, you have to go with the IM to cloud, you have to use standard function. You cannot fulfill every entrance process or, or contract end process. You have to standardize a little bit. You have to rebuild with legal, your solution. And on the other side, we have to be careful what kind of data we are gathering now? Any questions? Any questions I hope because, yeah, no. Yeah. So how
Speaker 24 00:46:30 Do we keep this data separate the identity and the access management,
Therefore, because that are two different systems, because it are two different systems, mostly the, the access management it's active directory, Azure, whatever, there you have the data and identity governance is more in, in, in, in the identity governance tool. But if you go to platforms like Azure, again, the data are really, really close, and it's not so easy to divide it. And therefore we have to be careful if it could be that we can bring the data together. We have to be careful that we not get problems with GDPR, but, and the access, right, that only for example, this operation team has access to the access data. And this team has only knows who is the user. And if you can work in this, in this way, you are on the yep. Any other questions, comments. Yeah.
Speaker 26 00:47:53 Even if you have separated, well, the access management and the identity management, you have like the key field in I D PII email address.
I I know.
Speaker 26 00:48:05 And how could you solve this issue? Thank you.
You can solve the issue if you are in Azure. Also, I, I have no stocks on Microsoft. I like Azure also. I must really say it's a great solution, but yeah, it's, it's lying there. And the European and with the European, you know, everything, you can combine it, I would say, don't let the data lying around unattended. You must move the data away in separate storages and ensure that you have only the last very few data lying around you need, and that you move it away really in, in, in the right storage archives. And that you give only the right people access to that Ashford example keeps it seven day. You can put it earlier away the data, but yes, the last seven day, for example, you have there, but you have to protect it and ensure that only real dedicated people have access to that.
And then you are closer to the GDPR requirements. I see also all this, this, this Azure, all these policies, it's very important that you make from beginning a clear design, and that you look to these details and after to clean up it afterwards, it can become a nightmare. But if you start from beginning and, and Azure has such such feature, you can have archive services for, for such data, and then you can divide it and then keep it a little bit separated. But I, I, I absolutely agree with you the European email address that is fingerprint today. Absolutely. Yeah. All the questions.
Yes. There is a question from, from the online, did you mention that it could be a good practice or an idea to separate identity governance from access management and have it in separated teams? What do you think about it? Did you mention this in the presentation
Also in time, like DevOps? It is absolutely the opposite of DevOps. You build pillar again, but if you, in, in it is not teams related, I would say it's role related. I would see it as a role and, and someone in a DevOps team has the role access and has the role identity. And, and, and so you can, can, can deal with that, but to bring it into teams, then we have hierarchy. Again, we, we don't like hierarchy in, in times, like as we live in today. And therefore I would say roles. Yeah. Yeah. All the questions. Well, who like to be next? You, you, yeah. Please go ahead.
Speaker 28 00:51:37 Start talking for two minutes. I'll have to find,
Okay. Oh, it's not on, on, on my PC. This is yours. Yeah. It's it's my, oh,
Or I can go ahead with,
I have it one second, please. Version, right? Yeah, yeah. Canal.
Speaker 28 00:52:00 Okay. Then you can continue and
I, okay. Also then you will do it. Okay.
Okay. So now the next topic that we would like to cover is to discuss with you what is a decentralized identity and what kind of needs it is addressing and what are current issues in the way we handle online identities today, or digital identities. So, who is aware, what is a decentralized identity? Who is, who already know a little bit, this topic who know about governmental programs, willing to standardize decentralized identity as the future of Hm. Identity for citizens and the, the bridge between physical and the real world. Okay. So what is the current situation actually today
Before our society and trust in our society was based solely our physical identity. So the government was delivering passport and ID, and all interactions we were doing in society were related to it. And we were operating those identities through physical processes. We were able to verify the passport. Visually the border control is also able to scan the passport and see if it is not revoked or stolen. So, but all that are manual processes. While today, of course, we are going through a massive digital transformation and all processes in the real world are mirrored in the digital world. And therefore our physical credentials from the past need to get digitalized. And already today, we are using digital systems in various use cases. So we go to work, we log, we log in to the computer. We access company resources. Then during the leisure time, we can play video games with our digital identity, register it on meta, ate on Sony.
Then we consume digital content or order from online shop, with a delivery. And at home, we socialize with people we don't even know, but we just refer to them using their digital identity, which exists in a certain system. And we can even buy plane tickets and check in using this digital identity as a main factor, and then supplying our passport number as a secondary information. And the problem is that multiple digital identities exists in all those places and in cloud services as well. There is something called social login that you all know, and through the social login, the platform, providing us the possibility of having it forces us to acknowledge with terms and conditions that actually they own our identity data and they can use it without our agreement.
And moreover they see what kind of applications we are using again, using social login. This is a big problem. So we are really do not control our identity information and the identity itself it's controlled and owned by a third party. And if we would like to redefine this, we, because we really need to improve to, to go to a better system. So we may define some requirements which really make sense. I think you, you will share, you share this, this opinion, of course, and we will see how it gets translated into the future of identity. So first we really need to have one single identity, basic identity per person, or per object. So we need to guarantee the ity of this identity. Moreover, it has to be designed with security in privacy in mind that all those problems that we are getting with modern systems, and this is why we have to come up with additional legislation such as GDPR need to be solved by design and not by processes.
Then those identities need to be a real bridge between real in digital world. Somehow we, in future, we may have our passport associated directly with digital identity. For example, this could be handy, right? Because this would breach the real world with the digital world. We need to be able to carry it with us and to be able to use it in a very simple way. And at the same time, this new identity has to be fundamentally compatible with the cloud because we can really see that the cloud is the future of the internet. More and more services are becoming SaaS. I think it's something we can't really stop while we can still have hybrid infrastructures. The cloud will be omnipresent in more and more in aspects of our life and therefore consortiums like worldwide web consortium, or think tanks and industrial leaders came up with a new concept called decentralized digital identity.
And this is a simple example, but that shows pretty well. What is it really? So you may scan your driver license and then you can present it even to a policeman that will read it and type numbers in his system to verify it. But somehow you may manipulate it. And when you show it without making a call to a backend, it's actually impossible to verify the integrity of the document, right? This is the simplest digital form of an ID document. But remember we defined as a requirement to be able to bridge, to bridge real with digital world. So decentralized credential, according to standards defined by the industry, looks like that. Actually it's a type of cryptographic material stored securely in your phone, like a certificate with the issuer, for example, the road authority that included your name, your date of birth, your parameters, which category you have the right to drive, and then it was sealed cryptographically. So you cannot change it again. And it is stored as certificate on the phone and through the capability of the NFC of the phone, you can present it in the same way we pay with a credit card. So it's very handy. It's cryptographically sealed and you can actually take part in digital processes by physical presentation of this, of this token that you carry always with you. Okay?
And therefore, as finally, we can have similar level of trust that we are having in the real life with the passport document, but digitally, the, our journey can be really improved and become more efficient. Actually just personally, we will be able to achieve more activities per day. And businesses will be able to work more efficiently because an improved digitalization is possible with this improved trust through decentralized digital identity. So we will be able to wake up, read newsfeeds, opt in for a car sharing with, without KYC, because our identity will be trusted. It'll be seamless. We walk out of the building, we need a car. We are not subscribed to car sharing. We see kind of car sharing car close by. We say, okay, I need to become customer instantly. I become customer. I walk to the car, I unlock it. I drive it. I don't need to go to the registration process.
You see, it's, it's, it's simple. So then I reach the office. I look into my computer again, using the same identity. The company will not onboard me the way I am onboarded today. They will simply make a reference to my digital identity that I carry with me as trusted one. So I will log into company systems without sharing my private data. Then on the way home, I can very quickly again, open a bank account again, without the KYC process, because my identity is trusted and reducing heating at home, entering the building, entering my apartment, ordering groceries for the next week. Everything can be fast and transparent.
And again, only one identity will be used for that. Not silos of identity that I do not control, but really identity stored on my phone. I am giving consent to transactions. I can manage this consent. I know what is happening. And I know how the information is shared with third parties and now cloud and identity how those two concepts come together. And if we think about the cloud technology, it's fundamentally distributed, but it has centralized logical access because we access to the cloud through a centralized graphical interface, right? And if you think about identity in a very abstract manner, decentralized identity is referenced on the distributed ledger or blockchain as we can call it today could be, yeah. Then it's also stored in, in a decentralized manner, but there is always one identity as well. So being decentralized, but logically only one identity exists. And in general, those concepts
Have similarities and we can imagine that they are compatible and this will generate much more use cases in the future use cases that we don't even imagine today. But if we think very pragmatically, now I can give already two concrete examples of current technology where we can benefit from the cloud and cloud can benefit from the decentralized identity. Maybe you will have some more ideas, but one is with, again, my distributed identity stored on the phone or store it on another mobile device or on my computer. I can access any cloud service without the need of having an account on each of those services. This would be marvelous, right? Having only one identity. This is one example. And another example is that what happens if I lose my mobile phone where the identity store it, this is a problem how I will recover it as I am the owner and the only owner, nobody else has access to it, how I will recover it. So again, here cloud can help because I can store the backup of my identity in the cloud. This is what for example, Microsoft and other companies think about the future, how they will benefit from the centralized identity keeping cloud as a main offering.
So yeah, to recap, there is a very clear value out of decentralized identity that can be seen, that it really will bridge the real world with a virtual world and governments today are making programs how to link those two worlds. For example, in Switzerland, the government decided to go towards self sovereign identity and are standardizing today, the law in order to make it compatible with all players in the, in the ecosystem. So it it's really undergoing today. And then of course, with improved digital efficiency for businesses, the time to market will be reduced. Everything will be more efficient. Transactions will be more secured because this decentralized digital identity on the form of verifiable credentials stored in the mobile wallet will serve as an additional authentication factor. So actually MFA using this will be everywhere by, by, by definition, single factors will not exist anymore. So yeah, we can improve therefore access control because MFA will be mandatory.
Risks will be reduced because we will know who is interacting with us. That is not a fake entity. It's not a fake user. And, and finally, yeah, really with the simplicity, with the inclusion due to this simplicity, we will be able to bridge the real and virtual world together. And this is high level outlook on digital identity, decentralized digital identity. Of course, then we can go into detail. What is a verifiable credential who can emit the digital decentralized digital identity, actually with one core identity, we can decline it. According to use cases, let's say the government is providing me my core digital identity. Then my insurance company can issue the insurance certificate under the form of verifiable credentials that I can present at the hospital. The same with the university university can issue the great certificate and the diploma certificate as a sub document of domain identity. And this can be verified using same technology as PPI. Basically it, it's not reinventing technology. It's really using the technology that's already available in a smart way. Yeah. I don't know. Now if, if, if you have some questions or yeah, please go one.
Speaker 26 01:08:45 Well, the first thing is, let me, let me put it like this. If you have one identity, it also means that you connect all your contacts to only one identity. And I don't, I don't want to go into the exclusion as a service scenario where just, you can take somebody out of society with one push of a button, but everybody, well, you are a professional. You are a sports team member. You have locker room talk, et cetera. Why do you want, why do you have the ambition to connect all that to one identity? If you talk about universities, if you talk about employers, if you talk about insurers, they need to verify your existence only once. So what is the compelling use case to go to? Well, a single sign sort of identity that is always available to those players. I don't see it. And if I look at social media, I'm there on different identities and I don't mix them.
It's, it's a very good question. And basically what is technologically possible with the distributed identities is that you can decline the one core ID into sub identities. I would say, as it was mentioned, for example, for the insurance certificate or for the university grade verifiable credentials, and you may decide to build a sub identity out of your core identity, which you will use for certain activities, and that you will not be able to correlate with the, with the, with the core identity. Basically you will be able to verify that is a trustful identity, but without always relating to the identity, number one, you see, so there is this mechanism embedded into it. Actually this new standard provide a way to, to create sub identities efficiently. In this use case, we basically will be covered, but when you will be willing to present your and show your core identity, you will be able to do so.
And people will know what kind of identity you are presenting. And, and as this will be compatible with the use case you are treating at the moment, it'll be fine because the goal is to establish sufficient level of trust. If you are in a insurance scenario, you present the insurance certificate. If you are in the e-government scenario, you will present your core, basic identity. So it's you who will choose what kind of identity you are presenting, but it'll be a trusted one for the use case in which you are living that we can talk about it later. Of course,
Speaker 24 01:11:47 Which is there for, for my insurance, for example, does not reveal information about my say driving license.
Exactly. Yeah. I
Speaker 24 01:11:56 Get a con I get to choose when I want to share this information across platforms. Is that correct?
Exactly, exactly. Actually the number of in the informations included into your insurance certificate will be limited and will not include all your identity data. It will be a sub sub certificate sub identity, if you mean with only certain parameters and when you will present it at the hospital counter, it will ask you if you agree with it, actually you will have an application wallet application on your phone that will ask you for consent and you will have to give it explicitly
Speaker 24 01:12:42 Share the information only what is necessary for
Them. Exactly. Yeah. Data minimization, actually, you are able to enforce data minimization and you will even able to do what is called zero proof saying like, I can show I am older than 18 years, but without revealing your real age,
Speaker 24 01:13:03 One last thing. And the responsibility of maintaining a backup of this identity is on the user. Yes. Cause then creates a backup. If that is lost, there's no central location to get that identity back.
Right? Exactly. Actually it's reference it on, on the blockchain. If you like to prove that this identity exists and it was emitted, but all sensitive information is stored off chain on your mobile phone and not on chain. So you can revoke it on chain, but you cannot access the data. And actually if you lose, there is a problem of re restoring it. And for that, you may want to store it in the cloud. For example, this is where cloud and decentralized identity can have a mutually beneficial links. Some
Speaker 29 01:14:02 Question. Thanks. So is there a trace of all the, that the identity has been used is that traced and saved somewhere
In this kind, actually in this, in this type of use cases, the fire is the, for example, the hospital, you are the client of the hospital. You are the owner of the identity and the hospital is the very fire. You present your identity to the hospital and hospital is able to verify it without accessing a central identity store. It can, it has a copy of the block blockchain, let's say, and it can see if your identity is referencing to it, but nobody knows about it. It's a simple read access. So, okay. You can really avoid the disclosure of information where, and how the identity was used. So by design, there is no trace.
Speaker 29 01:15:13 And that way is not like self sovereign identity where you can see who has accessed your
No, no, no. It's like, it's absolutely as it's, it's, it's a publicly available registry. Everybody can read from it. So you cannot trace read requests because potentially everybody can have a copy of it and read it when he wants. So it's really untraceable access to your, to the verification process of your identities untraceable.
Speaker 29 01:15:42 And then it would be based on how can the hospital verify that you are coincide with your identity on your phone? How can they verify that it is in fact, you, do you need an identity card to like show that as well, or
Actually on, on the mobile phone, you, you kind of, you generate a, a pair of keys, public key and private key. Okay. Let's say that public key, you store on the blockchain to, to explain it in a very simple way. Yeah. Yeah. But you can sign information with your private key. Okay. And using the public key store on blockchain, we can see that you are the owner of the private key. So therefore it proves your identity, but without revealing the private key.
Speaker 29 01:16:23 Yeah.
It's, it's, it's actually, atric cryptography that is used as part of the, the, the decentralized identity concept.
Speaker 29 01:16:32 I understand. I don't understand in detail, but I do. I get the technical part. How do you then relate that to the human being that stands in front of you? How can you make sure that the human being is in fact
Yeah. And those
Speaker 17 01:16:43 May, may I, sorry, I deliver some input on this. Yeah. I'm joining by web. So, so there's, there's been some very interesting questions about this whole thing. Part of it, part of it is, is really the onboarding process, making it very, so making it possible to get from the, from the human and the physical identity to a digital identity. So that like the whole, the whole question from like, like you need to get from, from the, the physical also identity card and, and your, your being, you need to prove it somehow. So the onboarding process is a very key process and it's also the process that might be the piece of the puzzle that we don't need backups of the identity so that we can, if we lose it, we could revoke it and create a new one easily with a new onboarding, for example, or if, if we switch devices or if our device breaks.
Speaker 17 01:17:50 And so, so on, so forth. So, so, but like the, these questions are, are also like current challenges. I think that aren't those challenges aren't completely resolved. So they are like, I, I think that those are questions that need to be, be looked at also as in parts of them are technical questions, but then parts of them are, are how are users using it questions and, and that will create issues or, or, or needs for processes in, in, in the whole, in the whole aspect. And, and I think solutions are, there is a solution space rather than the solution yet where in which we can search for, for some of the, some of the answers to those. So, yeah. Does that, does that help a bit in answering the question?
Yeah. Yeah. Thank you, fate. Yeah. Thank you. And we, I, I, I would like also to add that is the responsibility of the verify. For example, the insurance company, when they are delivering the insurance certificate to you, is their responsibility to verify that your name is, is, is, is the right one. And your birth name is the right one, right? And then they include it into your verifiable credentials and they give it to you actually. And at the same time, for example, the insurance company can be registered by the government as the one who is authorized to, to deliver insurance certificates. So there is a chain of trust basically. And for, for, for this case, the insurance comp company will be responsible for onboarding and verification that the data is right.
We have two raise hands online. Maybe you small, you would like to unmute and ask you a question first.
Speaker 30 01:19:55 I'm sorry, this, this was not was unattended. So my mistake, so I forgot. I do not have any questions. Thanks.
Okay. Okay. The next one was Santa.
Speaker 31 01:20:09 That was also by a mistake. Sorry.
All right. No problem. We have another question in there, which is asking, what about if I lose my unlocked phone and my identity get stolen?
Yeah, very good question. Because this is actually a requirement for a software that will store the identity called the wallet and this wallet software, as a requirement, should enforce biometric authentication at every time, even if the phone is not locked. So we will not rely on the mobile phone security solely, we will need to implement an additional layer of authentication, for example, through a quick Fido biometric authentication. But good, very good question. Thank you.
Additional questions also, we, we never ask the people who are online here in the room. Do you have any questions please feel free? It's allowed.
I just wanted to know what would happen if somebody gets access to the backup of my identity of my identity, because having it on my phone and I want to sort it as a backup somewhere, I don't know why, and somebody gets his hands on it and clones my identity. And as you said, nobody has the possibility to trace the access of my identity. This would be brutally harmful because somebody could run around with my name, my identity, my, or the possibility to actually get access to my insurance data, to my driving driver license, or even my tax records. And how am I able to revoke it? Because I don't have, like, for my credit card, I call my bank. But if somebody clones my identity, I don't see that it is used. And I have no central point or I don't have the chance to say stop it. That guy's not me because he has clone my phone. He has clone my zoom card. He changed the biometrics on it. So
That's a, that's a very good question. It's like a terrifying scenario, right? So everything gets stolen. It's a big disaster at once. So first I would say that this scenario exists in the reality. So if somebody copied the passport, this is what can potentially happen. But the process is more complicated. He need to register using the password or hijacking accounts. It's, it's more complicated, right, but still possible. But the thing is that the identity will be by use case. So for insurance, there will be one verifiable credentials for, so actually you need to stall all of them, but let's say that you, somebody stole all of them and not only a particular one, then you have the revocation possibility, of course, cryptographically, you can declare that those verifiable credentials are not valid anymore. So this is very simple and it it's actually in the standard itself.
And then the thing that if we need to solve this challenge, I guess, but for example, in case of a mobile phone, and when you use Fido, you can store your private keys in the secure element, in the hardware, and they cannot be extracted theoretically because it's protected by the hardware. But I agree with you. As soon as you start backing your identity to the cloud, as for example, Microsoft proposes it, then it's become a challenge to be solved. So we, we know we need to get there, but some challenges, as faith mentioned are still unsolved.
Speaker 22 01:24:38 My question is most of the use cases of bring your own identity or decentralized identity are related to consumer services, whether it's from government or private sector, leveraging government E services, for example, while opening a bank account verification of my government issue IDs. Okay. So do you see any concrete use case of this in corporate workforce, maybe using some of the services in managing the workforce of a multinational bank maybe, or maybe a very large scale telco. Thank you.
Yeah. Yeah. Thank you. Yeah, very good question. I mean, in how it, it relates to the, to the corporate world, right? How it can help. But first I would say that if somebody can present his verifiable credentials without sharing the data, he can be, or she can be onboarded as an employee, without the company having to store all personal data and have the risk of a leak and therefore being subject to GDPR violation. So it protects you for VI against GDPR violation because you do not own your employee data or your customer data. You're just, you can it's them, but that's it, this is first. And then another example is a mandatory tofa as part of the, of your lifestyle. So it's not a question anymore. So the security and authentication on company systems is therefore simpler and standardized. So I, I see those, those two use cases and an additional use case is quick KYC. So you can onboard for a bank account very quickly. You don't need to wait two days, three days, you know, until they check your records, but it can happen instantly. So the time to market for businesses is actually reduced. Therefore new business opportunities are created, like signing up for an insurance on demand. I put myself in the car, I drive it and I'm insured for the time I'm driving it. When I stop the car, the insurance stops, you know, so we can create pays as you go services that were previously only conventional.
Speaker 16 01:27:23 Great. Thank you very
Much. There is one more question.
Speaker 17 01:27:31 There's another question online from hi, which is, which is yes. Please go ahead.
Speaker 16 01:27:46 Laws. Okay.
Speaker 17 01:28:04 Okay. This is unmuted. Yeah. So the question that I saw was, do you really think that using different certificates using Fido is handful for users not familiar with it?
Once again, once again, F
Speaker 30 01:28:20 I can repeat it. I can repeat it online. So honestly, I do not believe that
Speaker 16 01:28:28 The
Speaker 30 01:28:28 Scenario you, you just war it's really helpful for everyone. Yeah. Using fiber is a nice solution. And also having different certificates user has to decide, which has to be used, which certificate on his phone. Yeah. I don't believe that this is really helpful for, for all citizen citizens or, or all people in, in a country. Yeah. Honestly, I was partly involved in the E I D card in Germany and the use cases. And what we discussed in 2004 was never beyond the market until today. Yeah. More than 18 years nearly ago. So it was just too complicated. It was not useful, not helpful. They, they were not, they were not able to, to use it. And I think this, this, this scenario you, you just show might be also too difficult.
Yeah. It's, it's a very good question, basically. And again, this is another challenge. The user friendliness of the process is, is clearly a challenge. And so far the proposal is to solve this challenges by very easy to use wallet software. So basically it's a software on your mobile phone and it, it is extremely simple. We did a POC in Switzerland for, with a road authority for a car registration, and basically this wallet, software, it just an app on your iPhone. You click on it and then it, so for example, it, it, it uses the face ID and you are in the wallet. You can agree. So, and, and also the Fido, there is a very extremely user friendly implementation of Fido on the mobile phone. So you get a push notification, you, you show your face and then authentication is done. So for me, I agree with you that it is a challenge and we need really to pay attention and to preserve inclusion. So everybody in this society should be able to participate in this experience. But I really think that it's as simple as using the face ID.
Okay.
Yeah. Actually, my question was kind of the same as how to include all of these solutions. Describe solutions for digitally enabled people. But what about digitally disabled people, people without a smart device with an old phone, you, you kind of make the assumption that, that everybody needs a smart device. Yeah. People by choice don't want one. Yeah. They don't have the money to buy one. How about
That's? That's it's it's again, it's, it's perfect. Because in order to, to provide an, an inclusive system, we need to be able to mirror all physical processes to digital processes. This is our objective, and we know we have to get there. And sometimes we don't know exactly how so I have a proposal for this use case. So for people who are not using the mobile phone, don't have a smartphone, they can still use their physical ID, but just the processes will become more cumbersome for them. So they have to, they will have to present the passport. There should be a process of verifying it and then they will get access to the same service, but just with more effort. But I think it's doable.
Then we have an online question.
So it's not a question. It's a comment. You're basically describing how the Norian side society works. We all do this for all services. Why a corporation between a, a common company run by, by the banks and in corporation with the telcos. So this is all how all services in Norway work. We can sign up for an account in, in, in minutes, we can authenticate to the insurer and, but we don't mix it with, with social logins. It's not mixed. And it's now moving to a biometric authentication.
Okay. Yeah.
Thank you.
And just maybe a question. Do you and where the user information is stored, is it stored on the user device or in the central registry for the moment?
It it's a common central registry for, for, for the identity confirming the identity, but the data about you is with the insurer, with the bank that you all, that they all have their own data about you, but you just confirm your identity and it can pull some information yeah. That that's needed. And it will ask your consent to yeah, car registration, everything is, is run that way. And we are back.
That's great to hear. I mean, that that's clearly uses certain principles of distributed identity and distributed information information stored off chain and not in a single place and showcase that it's actually doable and we can solve multiple challenges present. Yeah. Thank you.
Then we have online question. One more, one more question. Oh,
Speaker 33 01:34:07 Sorry.
Speaker 26 01:34:11 When I'm looking at this, I'm also the devising, the Taliban scenario where you can use all these features and aspects of an identity to ensure that things are not permitted to be used. Have you been thinking about that for example, that you will turn out to be a woman, you cannot drive a car, et cetera.
I think so. Yeah. That's, there will be some issues with, with, yeah. With denial of usage. So
Speaker 33 01:34:42 As well,
Actually that's true in a way that this is true in a way, but the question is, do we want to increase digital trust or not? I think if you want to increase the level of digital trust, you need to go to let go away certain things as well. So it's, it's, it's a balanced scenario. So I, I am sure that technically there are possibilities to generate sub identities for certain activities that can allow you to preserve your, to, to make your behavior completely stealth, I think, but this is one of the questions I think that people will have to work more on this particular use case. I will think about it. I can, I can go back to you. What, with what I think,
Speaker 26 01:35:40 Everything, you, you, everything you say here as well, stimulating or favoring or opening a services can be used to deny a service as well.
Yeah. The fact of the fact of actually validating that the, the identity and being certain is the right identity, not having anonymity. This is the, the, the, the issue you are mentioning basically. So indeed I think solution need to be found. I, I will think about it. Maybe the question, the responses
Theory we had exactly this point with the co are difficult. I mean, and, and yeah, it is the question of the society and what we, we believe. Yeah. But it's
Speaker 26 01:36:26 Decentralized on paper. No app.
You are great. Thank you. Okay. Then we have the, an online question here.
Yeah. How all, how all providers agree on main identity? Actually, this can be done by the government. So this is why in Europe, there is an undergoing E does standardization of, of the future of the citizen identity and in Switzerland the same in, in Finland the same. And I mean, there are multiple governmental programs where the government in place of having an IDP for citizens is looking rather to use decentralized credentials, to implement the citizen identity of the future. And this will serve as a core identity. And then the government will have a registry of insurance companies, for example, that are capable to deliver insurance certificates and so on and so forth. And those identities will be sub identities of the identity delivered by the government and, and the same way a passport can be revoked. Those government identities will have to be, can, can be potentially revoked by the government.
That's another reason why global identity networks like gain for example, are pretty hot topic. Also on this conference, over here, many people from the game initiatives a year, I will be here. Okay.
I, I had a question related to, to the devices, right. Because what we're saying is that we're storing everything locally in our devices. What happens if I have 10 devices that I use and what happens when I wanna change the device? Right. Because right now we know that every year, every two years we're changing devices. So the first question is, can I use my identity from another device? Right? Because I may have a work laptop. I may have private laptop work, mobile, private mobile. So where is my identity stored? And with which device can I access services? Am I bound to only one device? Or can I use whatever device I want? And the second one is what happens when I want to change it. Right? Hmm. Yeah. The, the very good question. Again, this is really a tech problem that can be solved by multiple ways.
So first way, if let's say we want to have it only on mobile phone for, for some reasons, right? We, we could use the mobile phone as an access app. So every time there is a push message, we, we click on the push message. We go through the face ID authentication, then we are authorized. This is one way. And then to copy it, we can put two phones together and, and copy the identity between two phones. For example, Microsoft has another proposal because they are all one to position themselves on this market, of course, because they, they, they want to be the, the core underneath service for everything, right? So the Microsoft approach is that you can back up it in their cloud basically, and haven't have it on any device. They call it a software agent that you install on any device that will access this identity cloud to unlock your identity, actually. So there are technology blueprints, I would say, proposed by different actors, but we can see already now that we can solve it somehow, then we need maybe to be smarter. Maybe we need to say, okay, we should be able to use our passport maybe as a recovery way for the identity. I dunno, because there is, there could be a cheap inside of the passport, right. That can activate the recovery process. I think we, we, we need to outsmart those constraints, but you are right. It's rather a technological constraint that has to be solved.
Great. Then it's time for coffee. Have a good break. Okay. Also to be sure at 11 o'clock. Thank
You
At 11 o'clock we start here again. Please use the time to meet you and online. Please use the time as well. And yeah. 11 o'clock. Thank you,
Han. Yeah. Welcome back again to the workshop on privacy and identity, there was one remaining question from the last, from the initial session of this workshop who is at Novo. And maybe you can explain that.
Yeah, I try. Of course, one second. I hope it's working here. Yeah. I hopefully you can. I, hopefully I, you can see it not on the screen.
Speaker 20 01:45:09 Yeah. That's in, in the online session.
Yes. Ah, yes. Now it is. Yes. At no is I would say a traditional Swiss company. You would never expected it from my slang I have in English. And our main character is in Switzerland. We have branches in Hungary, Portugal, Vietnam, and Singapore. We are 600 employees worldwide, privately held. And we are focusing in industries, banking, insurance, public sector, and transport and logistic. That is our main field and customers, mainly Switzerland, Singapore, and the near foreign country. And not to, to waste the time what we offer. We are very strong in software solutions. We build a couple of, of very prominent software solution. We offering security consulting and of course last but not least IM solutions, as you know, and we are concentrating us to, to several products that we have enough knowhow and where we are strong is that we really can combine the IM solution together with the software solution. And that's exactly that what you presented that we are able to combine the different technology to one user experience
And maybe, yeah, just a few reference cases. So you, you see a little bit better. So there is the biggest Swiss bank UBS. For example, we, we made the, the eBanking application with mobile authentication and the access app. Actually, they wanted to go away from the hardware calculator and already five years ago, we, we, we, we helped them to do so and to implement proper security in the, in the application, or we made the Swiss payment solution twin that you can do peer to peer payments using mobile phone, or in another example, we did an application for the red cross where migrants can store their data securely on in the red safe application and can receive information ed by the red cross and zones of conflicts, for example. So, and actually it's funny because it's interesting because security requirements for a such system are actually higher than to protect the bank account because we are really protecting people people's lives and some foreign governments may want to access this data. So the security has to be even stronger than when accessing an online bank account.
Thank you very much. This is, I would say BLE in a nutshell, huh? And if you have questions of course, visit our homepage or ask us here,
You'll be around for the whole conference. Absolutely.
Then I hand over to the next pitch.
Yes. The next few minutes, we will be talking about the actual relationship between privacy data protection regulation and digital ID, identity management identity and access management and how identity and access can support achieving GDPR compliance, GDPR channel data protection regulation, the European community legislation for, for data protection regulation means that it is the same, more or less the same law all over Europe in all in all membership countries. And it has replaced regional legislations in most cases. Now the question is, is GDPR the only thing that plays a role when we look into, ah, yeah, yeah, there is more than just GDPR. Let's, let's have a short look into the whole regulation scenery on the very top. You see the foundation, the EU charter of fundamental rights. And within that EU charter, there is something called the right to protect personal data. Do you know, by any chance when that European charter had been created and when it went into power to have an idea, is it five years ago, 10 years, 50 it's just like 12, 13 years. It was 2009. So this is quite a recent legislation. And it also, it also takes care for, or tries to take care for distinction between data protection and privacy. Do, does anybody have an idea what the difference is between data protection on one side and privacy on the other side, did you give you the thought sometime? Or do you think it's, it's all the same? Anybody who would like to comment on that?
Well, there are different approaches who, well, okay. There are different approaches, data protection protection is a traditional European term. If you look into it, protecting data is an important part of digitalizing, the human, the human rights to dignity, basic human rights to self-determination. It transfers into the digital life, but it's not the only thing. Privacy is much more. We will have quite a few interesting sessions over here at EIC. For example, this afternoon, during the keynotes, there will be Emilio. Maldini very interesting speaker talking about the, the plus the more privacy means compared to data protection. As one example. Now under the roof of that huge chart for fundamental rights, we have the GDPR, which is actually then focusing on protecting personally identifiable data PII. And to put it into one sentence, GDPR means you are not allowed to deal with personally identical information if it is not your own.
That's the, the, the, the fundamental, the, the, the basic layer of GDPR, but there are exceptions if you fulfill, and we will look into those in those require into those requirements exactly. And how they apply to the way we do identity and access management. If you fulfill those requirements, then you may have rights to deal with personally ly identify information, but we have to really consider that fundamentally it is not allowed. That's the legal position of that. Beyond GDPR, we have more regulations and directives within the European community, which somehow influence or deal with privacy and data protection. So to give you some examples, the second one you see here is not so important for, for the moment. Now, it is the protection of individuals with regards to processing data within EU institutions, bodies, offices, agencies. And this is also in, in the other, within the other European community member states countries that they still define sometimes different ways, how public institutions are allowed to deal with personally identifiable information. And that goes a bit beyond regulation of GDPR. Now we have as this, the third point over here, the electronic communications framework, legisla, the so-called EPRI directive, which still is a directive. That means it is not a regulation, which is, which is law all over Europe, all over the European community. It is only a framework and each member country has to apply that framework in, in its own legislation, in its governmental, in its state legislation.
And it is currently being amended to become a regulation, which then will be taking power all in all in all member countries. But it is not yet, there is still some dissonance there still discussion going on. This is not yet not yet fulfilled. The EPRI directive is dealing with, with, you know, it's, that's the cookies thing, this dealing with the way how, how communication can be made can be organized in a way that it is that it is conforming with, with privacy and data protection regulation. So this is, this is not, it is it's going beyond GDPR. And it is also creating requirements for the security and safety of communication within communication networks. Like for example, devices in a mobile, in a, in a mobile network. And so on, then we have the upcoming digital services act, which is on its way and will be in power most probably in 2024.
The digital services act is regulating communication and privacy within, within platforms. Like for example, Facebook will be the, the way how Facebook will need to comply to the way how information can be, or postings can be deleted if they are offending to, to some people. And then we have the, as the fifth important network legal network, we have the upcoming digital market act, which is regulating the way how, how the, the, the digital market is, is working and how requirements are defined for the big players in that market to make, to, to make sure that not only those big four or five platforms, which we currently have, will be ruling the market for all times, but that smaller ones also have possibilities there's for there's will be another very interesting keynote this afternoon by Micha. Seman is pretty famous writer over here in Germany has a best seller called the power of platforms.
So that's something I would really recommend you to listen to. That's about the, the, the way how digital markets are organized, and what's the chances for newcomers are and what rights individuals actually have conf confronting those, those big players and how that could be improved, whether the way how we do data protection and, and regulation for privacy today, whether this is the right way, or whether there would be alternatives, he's describing something like creating trade unions to level the power of individuals with the power those platforms currently have. That's a very interesting, very interesting argument. Then we have the electronic identification, authentication trust services, regulation. Everybody knows it, which is currently undergoing significant change to open it up for the EU identity wallet. We have yabada over here at the conference. She's a person who is evaluating projects for the European community decentralized identity projects. And she has been very deep into, into creating, into pushing forward that E Ida update, which will be probably also coming into power within, within the next 24 months. And as I said, there are national data protection laws in member states, covering areas, which are not yet, which are not yet covered by GDPR, or which are, are left to be regulated by the each member state.
Do you have questions so far?
So, as I said to go deeper into the GDPR part of that legislation framework, there are key principles requirements you have to fulfill in order to be able to process legally process personally, identifiable information. This, these are the, of course, that those data have to be processed fairly and lawfully that they have to be for specified explicit and legitimate purposes. And you have to process as few data as possible in order to fulfill the, the purpose of processing that data, those data have to be kept up to date and accurate. So they have to really reflect the, the, the, they have to be true in, in some sort, and you are only allowed to keep them as long as it is necessary to, to fulfill the lawfully processed project controller is the, the controller is responsible. That's the responsible instance for processing processing the data. And he has to the processor, the controller has to ensure and demonstrate compliance to the authorities. So that's basically those six profound principles and rules defined within GDPR. And now Matthias will describe to us how this reflects to identity,
Speaker 21 02:02:19 Sorry, for taking way too early. Yes. As, as Europe has shown, we are swimming in. So the first slide was the planet. This is the country. We are far away from IAM yet, but we are getting closer. So that's the idea here. So to drill down a bit deeper, what is required to remain GDPR compliant? This question, which has no question, mark means there is no such thing as I prove to be GDPR compliant. I can, I can only follow GDPR in compliant. Oh, one thing neither him nor me are lawyers. Very important. So what we need to see is that the protection of the individuals is the core. So really making sure that the personal data is being collected and pro processed. And this is a bit drilling down into what we've seen the slide before, and maybe look at bit at the terms.
Speaker 21 02:03:18 First is lawfulness or according to the proper law. So you just have to collect the information that is required, nothing else. So if you want to download a white paper from KuppingerCole, they are not allowed to ask for your kids very easy. So that is lawfulness fairness means that when you have an issue with the organization, which is actually processing that data, that you are not in an inferior procession, but that you are on the same level and that you have the same access to legal measures that the organization has. That is main meant by, by fairness, if it is always achieved different, different game, but that's the idea behind that needs to be processed and collected transparently. So you need to know what's happening with that. It's limited to a person to a purpose. So once we've sent you the download and we have not asked for proper consent, that's it, data needs to be deleted.
Speaker 21 02:04:17 Data needs to be minimized. Also during processing, if there is data, stop, it is no longer required that needs to be removed. Obfuscated deleted. It needs of course, to be correct. And you need to have the right to check it and verify it and alter it. Storage limitation is the time. And maybe also the place where you store data, it needs to be kept within integrity and confidentiality. So it's really limited to those who really need to have access to this information. And again, the controller is held accountable. So that is the next level of detail. We are still not at IM, but they're getting closer.
Speaker 21 02:05:00 You interrupt me with, if you have any questions, also, the online team, please. So the left side is what do controllers need to do? What are the activities they have to look at? And there is a lot to do and not all of this is IM related. So we try to find out what is relevant for IAM. So if we start at the top documentation obligation, you need to make sure that you document the way you are using data and processing it. You need to cooperate with the data protection agency. You need to designate a data protection officer, maybe if required, depends, but you should check if you transfer data internationally. And this is something that we're talking about all the time. When you think of storing data in, in global public clouds, you need to have a legal basis for this international data transfer.
Speaker 21 02:05:52 You need to notify people. If there is a data breach and all of this is not necessarily related to IM, but we, we need to do is we need to think of appropriate technical and organizational security measures. And this is where IM comes into play. And that's the reason why I've pasted our well known and publicized and widely available identity, reference architecture in here. So everything that can be achieved to implement appropriate technical and organization, organizational security measures, and that might be processes built into software or just processes that can be mapped to these individual building blocks that we see here. It's intentionally that small. You don't have to look at all of this. You can look at that later, but this is the whole pool of capabilities that might be used and can be used. And that is where I am, comes in play because for the other 2, 2, 5 things where there's not much to do, although can help, but this is the area where I am can Excel.
Speaker 21 02:07:01 So doing the right things for the controller in this right lower bubble is on the one hand organizational and technical organizational. Again, this is something that is not necessary DPA IM, but it might be reflected in what you do in IM so that the processes, the organizational measures that you implement might be also reflected in IM as well. So you need to understand your risk exposure. So this data protection impact assessment is very, very important. So you need to understand what happens if things go wrong and is the risk, and what does that mean for compliance? What does that mean for continuing my business? Maybe you have to adjust your organizational structure, not an IM task. You maybe need to nominate a DPO. You need to execute trainings, to make people aware that there is something like GDPR, and they have to deal with that as well.
Speaker 21 02:07:54 And use the mechanisms that I implemented in IAM properly. And you need to implement contracts, policies, and agreements. And this is policies either on the, on the organizational side, on the, on the, yeah, on the policy side, all these things that we are all confronted with when we are living in larger organizations and agreements. So this is the organizational part. Not much, I am a bit technical. That's much, much more interesting. This is where I am, comes into play, discover and document PII. And there are tools in place that can find and categorize PII throughout your systems. It in independent of where they are, and they might be in an IM or in a forgotten I am, or just somewhere in SharePoint, in a Excel sheet or somewhere else. So finding this information, that is what you need to do. You need to detect and document data flows better is documenting.
Speaker 21 02:08:46 Detecting means you did not know about them. So document is better detect helps. You need to apply relevant patches. That is all what is in the, in the regulation. More or less at the high level, you need to configure your system securely. And we've talked about security and privacy by design before that is exactly what is meant here. Data needs to be encrypted wherever possible, and that is changing. So we, we are used to having it encrypted in transit, and we are used to encrypting it addressed, but it more and more also needs to be encrypted during processing. And my colleague, Mike is way back there. He is the expert in, in all things of processing data encrypted at runtime, you need to control access to data. There even is the word access for IM you need to protect and monitor administrative accounts. So that's not only the usual user.
Speaker 21 02:09:41 It's all also the elevated user. Once you monitor all access, you, once you protect and monitor administrative access and accounts, you also need to monitor and audit all types of access, end user, whatever is relevant, and which might be relevant for your risk assessment that you did. You need to apply segregation of duties to prevent toxic combinations of processes taking place at the same time, the same goes for the principle of least privilege so that any user just has the right to what they really need and nothing else. And I think if you think of your own organization, your own access rights, there might be some leftovers and that might be re removed. And this is where I am can help. And in the end, detected contained threats, not really in the first place an IM task, but I think it is. So if you look back to the, to the identity reference architecture, there is also this detection part in there because I am knows many things that can be leveraged for that.
Speaker 21 02:10:40 I have to speed up. I'm stealing the time. So to the left, now it's the same list of, of tasks that we need to do to the right are building blocks that are relevant in my op in my opinion, that you have to look, take a look at, and that are core IM or maybe are related to IM or are to be integrated with IM where IM can really help in achieving compliance. So of course, it's identity management, which is a discipline. It's a capability access management, access governance. And then it gets more, more deeper into detailed functionalities, which are under the umbrella of IM we will discuss the, whether it is in which system, in which service to be implemented, but it is for us close to IM or part of IM, or at least at least needs to be integrated in what we call in identity fabric, privileged manage privileged management is a tool category.
Speaker 21 02:11:30 There might be vendors out there. You might want to talk to privileged user analytics, making sure that you understand what this privileged user that root user is actually just doing right now on your Linux console might be interesting. Database encryption is something that is mentioned platform encryption. And if we go down there, there are lots of functionalities that we might look at. And if we look at security monitoring and threat detection, failed authentication processes, many failed authentication process might hint at something that is a brute force attack. And so that might be used somewhere else might be used on the one hand and XDR MDR. So in really detection and response systems on the platform or within the client software, on the other hand, it might be something that is used for adjusting policies, changing access rights within systems at runtime, or at least to make the Analyst, the security Analyst in your team, aware of things are going wrong.
Speaker 21 02:12:31 There's much, much more to in, in the, in the, with looking at the time, this is my final slide, and I don't promise that every is right, but it could be. So if we have on the upper row, the requirements that were in the left block before, and we have some of the capabilities that I chose to look at where they can help in achieving compliance to GDPR, that is a metrics which really should help. So discovering and documenting PII is identity management, access governance, and maybe a tool that is not yet. There, there are really detection tools that can find and analytics tools that can help identify PII beyond what you did know encryption of data is done in identity management, mainly because this is where the data is usually stored control access to data. You see the full range from access management to access governance, to UBA, to privilege management, to privileged user analytics PBA.
Speaker 21 02:13:32 So there are many of these aspects where IAM can support and help. It does not solve the full picture of GDPR requirements, but if there is an essential platform and the essential system of all these combined capabilities, then it is IM plus Pam plus all of these capabilities that we've mentioned. And I think for a bigger IM you will agree that this is something that is very close to, to that, and can be implemented there as well. And, and of course the more you go to the right there's additional functionality required, good policies being implemented for sod, and also the integration with cm, sor solutions and the implementation with XDR MDR. So that is where I am really can help left the basics on the corner, the basics, the right, really the that's the in Germany, we say the, this is what really makes things really work together. And you gradually can benefit from that. That's what I wanted to present. And maybe that also gives you a hint maybe for the, for the exercise that we're doing right now, where individual in individual use cases, these tools, and more can support in achieving GDPR compliance. Are there any questions
Speaker 21 02:14:52 I've talked a lot. I know
How I have a question. How does it become mainstream to implement those tools, or it's still only selected companies that do that, do it.
Speaker 21 02:15:09 Okay. No simple, no simple answers. Usually if you look at the IM market, you have different types of product services, vendors that have different kinds of, of suites or, or have some kind of specialized tools that can support in achieving that in the end. And that is what we at scooping and Cole do with our customers, is trying to identify what is important, what it as stake, where our gaps look at the risk management and look at what is required for, for this specific organization to choose the right tool. That might be something that is not yet really fully there, but if it solves a problem and supports achieving compliance, that cannot be done another way, that would be something that I would add. You've mentioned the Lego blocks. I would add that as one block to the overall architecture Mike.
So I'd like to make a comment, which is
Speaker 35 02:16:08 Thank you. So privacy and security overlap that many of the things that you need for, to enable privacy are in fact security tools. And in particular, the way I look at IAM is, is that it's really very important because it it's actually something that prevents unauthorized access, but it actually enables authorized access. And one of the key things in, in, in the privacy work is that you need to be able to use the data in the way that it is allowed to be, and also to prevent that enabling part that I think is really
Speaker 21 02:17:09 Absolutely. Thank you. Any other comments or questions? Okay, then that's it. Oh, sorry.
Speaker 36 02:17:25 It's also related to just made what's in the collaboration or the split and responsibility between the C and the DPO. When you speak of assigning a DPO for organizational measures, I is the split between a DPO and a CSO,
Speaker 21 02:17:43 The C the CEO and the DPO,
Speaker 36 02:17:45 The CSO, and
Speaker 21 02:17:46 The, the CSO and the DPO. Okay. Yeah, that, that is something that can be heavily discussed upon. Usually I, I would consider the DPO being somebody who is so first of all, independent and, and needs to make sure that data processing takes place the way it should be. So, and the CSO is of course, talking to the DPO and taking the recommendations or findings, and then moves towards implementing measures that are adequate to mitigate these findings. So that would be the, the division of, of the role here. DPOs are always required when there is a higher confidentiality of data to be, to be processed. So, and this bar is very low. So if, if you don't know, install one, so it, it might help here as well. So the C is the one who actually defines controls and make sure that measures are implemented properly. So that would be the dividing line. So it's DPO more being the, yeah, the control, the, the, the insight into what's going on.
Speaker 36 02:18:51 Right. Thank you.
And maybe just, just to continue on this is that usually when a digital system is designed, there is something called security concept that defines and follows security by design. And at the same time, I think we need to do data privacy assessment and to trace all information flows and to make sure that actually it's compliant with requirements we defined, but actually it's two separated flows. In my opinion, this is how we, we handled certain projects with high requirements in term of privacy. And yeah, there is a question I have it online offer. Oh, he has it. Yeah, you have it. I,
Speaker 21 02:19:46 I can see it in. Okay. And, and this is really two sides of the same coin. On the one hand, if you are using an IDM system, you are in the best of all worlds, defining designing processes and documenting them and implement them within an IDM system, whether this is provisioning into a target system, whether this is something that is related to the life cycle management within the IDM system as itself. So that's the, this is the simple side of things. So where you are in control of your processes and where you can document where PII is and where it travels and how you control it over time. And deprovision it. If you're no longer need it, the other part is, oops, it's gone. The other part is to, to document something that is somewhere else. Nevertheless, you need to find a system where you can put the documentation, and that would be identity management for the identity governance that would be access management and governance for the access management part of things.
Speaker 21 02:20:39 But it relies heavily on this analytics processes that were in a different category. And that helped in, in identifying the, the data that you did not take care of across the different systems. So it's, it's both. So, but, but IDM, I would hopefully expect a well defined and a, a, a close circuit identity management management is the place where you would also document these processes, be it in something like BPM L or something like a proprietary format of the vendor you're using no matter where it is, once it is documented. And once it is properly implemented, then this is the place where you have the, the control of our PII. But the second part is more difficult. Of course. Any other questions then I hand back to you?
Well, yes. Thank you very much.
Speaker 21 02:21:42 Thank you for taking too much time.
No, no, no, no. That's very important. And currently there is a operating password. It it's so called digital and digital is something that a customer is expecting from, from, from a company, from a company that I hand over something from me, my data, and I trust into the company and the company to do everything that the, the data are, are processed and stored in the way. And not that you use my data on the wrong way and digital, that is a marketing tool that company can play and to, to, to get trust. And of course, you have to, to follow this at this, this digital, well also we have some minutes left and I would invite you to short breakout sessions. Huh? It is not that you have to do a big work or so, but, and I know in this time with Corona, it's not so common to come together and in, in groups and discussing groups again, but we prepared for topics. I like to show you, it is only the base to discuss about something, to have the same picture in the mind. For example, here we have, where can IM be used more extensively to meet G DPR requirements. Exactly. That what we, we could here today, this would be one discussion group. I would invite you then to go to the different topics where you believe that is the most important for me.
This is one, the other one we have is this one here. What are GDPR risks for IM solutions in the cloud? I mean, we push now IM into the cloud and, and sensitive data are in the cloud. How we can do that. Then we have this one here. It is about the, the, the, what are the challenges to handle constant management and privacy in IM for my customers, that is a, a topic we could offer. And here this one here,
Speaker 37 02:24:42 Oops,
IM transformation to the cloud, how to avoid mistakes. And it's not so that yeah, you have to work. It is only to come together and discuss, and perhaps to, to profit from each other, for each topic, we have hosts myself, Leon it, York and Matthias will be there and try to moderate it. And for the online people, hopefully fight. Are you online? I am fight.
Yes, you can. Hello. Yes. That would be your online host. And I would be really, really happy if the, the community online can try to make a use case together with fight. We have a meter port where fight can share, and the ID would be, as we have now, 20, before 12, that we use the time until 12 o'clock to make this breakout sessions discussions, to exchange more in detail profit from the knowledge of each other of each of us. And I would now kindly ask the, that weight can hand over the virtual room. He has not to hear us and that white can share his screen. And I kindly ask the online community to contribute there. And we will come back here at 12. Also, we are here in the plan 12 o'clock again, is it possible that I can ask you to go to the different places where you believe? Okay. So this is a topic I'm interested in that let's discuss a little bit more in detail. I to close the discussions. I see here, a lot of discussions. Hey, cool. Cool. Cool. Also, listen, come. I would say we, we close and, and go back and then let's try to find out what are their key findings and I can see, Hey, online. Hey, great. Thank you very much to the online community. You made a great job as well. Hey, Hey, great. Great. I liked it. Thank you very much.
Great. Awesome. Yeah. To make, to try to make a short summary here, we discussed the content management and we discussed the problem of, of, I would say company withholding structure, where you have to give on several level,
Because there are own legal entities. You have to give on several positions, the, the, the right contents. And it's not easy for a company to handle such a complex structure to fulfill all requirements that the user afterwards is able to see. Ah, okay, no, here I give the content. No, I don't. Like I like to withdraw the content here and that become really a nightmare. And another thing was, is it possible that I can, for example, handover to Google, but before Google, before someone enters my page, someone else can gather the, the, the, the content in theory. Yes, it's possible. But in the law, in the point of view of the law, it's not able that there can delegate the responsibility. I will be always in the responsibility to gather the right contents and to offer all services that the user has an overview, what he has given and that he is able to withdraw. Okay. Is it possible that we have some words from, from, from there?
Speaker 21 02:54:55 Okay. This was a tough one because the scenario picture is the only thing that we actually worked in and a list of findings. We have an organization that has an internal set of users who do privileged access to devices that are not their own, which are maybe owned by a customer it's called measuring and contactless measurement organization. And they had this set of findings. Data was collected within devices, realtime data stored in the device. Then somehow we had to make assumptions transferred to, to a central database. I hope you can see that here where it is processed and history data is consolidated to be used again by the organization to learn more about the users are doing with their devices. That is what we read out of them. And the, the findings are really a best of, of findings you can get. So it's really, there is no proper access management.
Speaker 21 02:55:54 There is no control over modifying data in transit. Data can be corrupted in that in transit and lots and lots of more data processing might not even be here or there. It might be somewhere else. So what we came up with is if there is nothing really there, and it looks like that, that we need to start with a proper enterprise IM that takes care of the, and we add a privileged access management, which makes sure that some people I've forgotten that are capable of doing maintenance and support on the devices on customer side. So we have Pam here as this is a cloud service. We need some kind of Pam here as well, could be something like cm or a cloud Pam, or however you call it. So that these identities that maintained here are also controlled here as well. What else?
Speaker 21 02:56:44 There was a sentence that we improper access needs to be prevented. We do not know if this improper access from that somebody here or somebody in North Korea. So the remote attacker was also in, in, in one, one input that I got, that's really great in the end. What they need is really Pam. They need cm for their customers. Maybe if this is a, what we, what we could not really identify, maybe this is a business to business, to consumer scenario. Then we need end times consumer identity, access management here as well. So to make sure that we understand the end users better, and if they need to have access to that, we came up with the idea maybe that don't have to have access to that device at all, then they can get, go through the cloud because then is only one vector rather than 9,000 or yeah. Oh, 9,000 end users. Okay. But lots of devices. So thank you to have access here is one shop and this is and shop to the data. So there's lots to do for them. I would not sleep well with this list of findings. Yeah.
Okay. Thank you very much. Great. Thank you. And perhaps we can switch to the online community fight. Are you able, I could see there are some results around right. Fight.
Speaker 17 02:58:09 Need to find the unmute button first. Well, yeah, so we had quite some interesting inputs all over. We looked at you didn't mention it really, but we, we looked at differences between IM on premise and on cloud. And we started collecting inputs on what differs in regards to end user processes and service management processes and skills needed. And we were, I would say we collected a lot of input, but I also would say there was potential for, for discussion. Like not, not everybody was agreeing. There was like partially contradicting input as well, which I think would, would make for very interesting coffee discussions as well. But maybe a few, few things that were interesting that stood out is that I, I guess definitely like scalability stands out in, in the cloud, just technically available and the customizations, but then on the other hand, and, and, and obviously like, it can be accessed from everywhere, but then that can be seen also as a negative because you, you can have higher trust in the user's identity due to the physical presence often on, on premise solution.
Speaker 17 02:59:43 We also said like, there, there is difference. As in, in, in the service management processes already, again also, maybe from technical perspective, there's just things that are taken care of from the IM or, or cloud provider. You don't have hardware to maintain monitoring tools are usually well integrated and provided. So it makes it potentially a lot easier. But then when it comes to, to the employee skills, it actually there, we see that some parts are, are obviously the same that you, you need to understand networks well as well, but you don't really need like a, in depth in depth UX or windows knowledge probably anymore. You don't have the hardware maintenance, certain providers take care of certain parts of the GDPR as, as the, the nice overview that was shown before you can see how they contribute. And, and one of the things that I also thought was quite an interesting input is like, when you are, when you have the IAM solution on premise, you have the trust in your own skills. While if you have the solution in the cloud, you have to trust the skills of the cloud providers. Yeah. And security is always ends up on trust. So looking at the trust anchor, I think that was also quite an interesting input. Generally. I think this would've been a, a base for a lot of discussion also, but yeah. With the time constraints, I think we, we stick to the, to the collection of, of inputs.
Yeah. Yeah. I will, as it's the same case, I will provide some more elements. So we identify the potential issue with legislation because the cloud, if the cloud is not localized, and let's say we have European customers, they have to give consent for. And we, we need to gather this consent for each customer, unless we can guarantee that information is stored in Europe. So gathering consent could be an issue. Then in term of access control, we, we may say, okay, it's an enterprise ecosystem. We have customers, employees, partners. We would like to manage them in one single place for access management, for example, but this is not possible because they do have different level of access. So they need to be, at least customers need to be in a separated repository. And this is for example, how it is implemented in Asia, but in other systems as well, you have Asia B2C, which is separated from Asia 80, and you cannot mix them.
If you want to use Asia B2C for everything you will get in trouble. So this is another thing that you need to separate at least repositories of different types of entities, then a legacy applications, because, okay, you, you may go to the cloud for certain usage, like for the workplace. But if you want to go back to your on-prem because you are having a hybrid structure, you need to authenticate to legacy apps. And those legacy apps do not support modern protocols. So you need to think how you modernize them either through usage of a reverse proxy, doing the authentication or through model modernization of the app itself, or simply through rewriting it from scratch. Sometimes then microsegmentation is another challenge because before it was a big company network, but when you connect it in a hybrid infrastructure, most likely you will be willing to implement zero trust and bring access control as close as possible to the resource. So, and then you can implement this microsegmentation by, by agents installed, for example, on different host that can adapt firewall rules dynamically, depending on the policy. This is one of the solution for legacy apps do not supporting APIs. And then finally, the last thing is monitoring is how to monitor the whole thing, because you are ending up with two parameters, basically one on-prem and one cloud. Do you use two separated CMS, or you concentrate everything in one place. This is another challenge to solve.
Thank you very much. Great. Cut. And then ya, thank you. Thank you. And then the last one and yeah,
Yeah, maybe the two core findings we had in this use case where we were discussing about a shop system that is placed in different locations. The two core findings to cut it as short as possible. Number one, cloud first and cloud only that's the mainstream. It will not go away anymore. That's not a surprise for us and it will, it will prevail over, over the on-premise concept on the other, on the other side, finding number two, correct me if I'm wrong. If I forgot anything finding number two, if you do business across legislations, go with the strongest legal concept within the range of your business. Most of the time, I think nearly and any time it would be GDPR that puts you on the safe side, much saver, safer than trying to, to escape in whatever way you would not manage. So those were, I think the key findings.
Thank you very much.
Thank you. And I promise to think about this SSI issue in to continue to use social social media in the, in a secure way, right? And not having the government controlling everything. So basically inside of the SSI technology, either for services that need to identify you, at least in a certain ecosystem, you need to stick to identities provided either by the government or true subsidiaries like insurance ecosystem. I dunno, car ecosystem, this and that. But if you are using internet and social media and you are not engaging yourself in any contractual contractual relationship, you may choose to emit your own decentralized identity. So actually you issue it for you on the registry of your choice and you stick to it through your social media. And this will simplify. You can have one or two depending on your choice, but so depends if you need a contractor relationship that you use verified identity validated. If not, you generate one yourself and you keep using it except it's not, it, it do not identify you as a person. So you have the choice, basically it's embedded into technology itself.
Okay. And if you have further question, ask Leo, Leo knows everything.
Not everything. No, no, no, no. Far from knowing everything, you know, everything.
Yeah. I would say we are, Hey, five minutes. I would say, yeah, it was really a pleasure to meet you. And thank you very much for the contribution here and for the cool discussions we had online as well to the whole, no, here I must wrong side to the whole world. And for the time that you was attending the workshop, we from Novo, we say, thank you very much. And hopefully we see us IM is a small family and you meet each other. Yes. Okay. Thank you very much.
And feel free to stay in touch with course we are welcoming. You that's all send us LinkedIn invitations emails. We are really, it's good to have a discussion aside and, you know, validating the market. We can use it as a opportunity to build a small community for discussion sharing opinions. I mean, this is how the business goes, I think. Okay.
Thank you.
One more word to regarding this afternoon after lunch break in a bit more than one hour's time, the keynotes will start. That will be upstairs in the main auditorium. Thank you very much. Enjoy your lunch.
Thank.