Designing Your Future Identity Fabric Program

I think you remember me from the first half, so I don't need to introduce myself. I'm a lead advisor with co You probably know me already. What I want to talk about today and the, the focus of my, on my presentation today is again, the identity fabrics. So for those that didn't join our workshop yesterday or Martin's presentation today in the morning, I will later on repeat and, and introduce the fabrics and the reference architecture as well.

But to go through, through the presentation and to emphasize the importance of the identity fabrics and the reference architecture, I want to talk about these four topics. So at the beginning I will do a little bit of the groundwork, explain some definitions so that we are all on the same page. With that covered, we will go to the reference architecture and identity fabrics as an overarching framework in general. So the third one is about our coping, a coal identity reference architecture and identity fabrics as an example. And I can show you how that apply maybe applies to your organization.

And the fourth chapter here is takeaways and conclusion. So that is where we can look at your organization, how you can take advantage of the identity fabrics and reference architecture and explore a little bit the potential for you. So to start my presentation, to kick it off, I would like to give you a provocative statement. So any organization without an identity fabric.

Four, IM acts randomly. So why would I say that? So I'm convinced that many organizations are struggling with their IM journey, their program, their projects, their initiatives, or however they want to call it. And all of us can see that in our daily work as long as we keep our eyes open. So one of the most basic examples for such a struggle is an initiative or a task force. And that is usually when it's already too late. But I mean, ask yourself, when was the last time something I am related didn't work as intended? And a manager complained about that, what happened, right?

You had to fix it on the fly. This is, this is how that works, right? And this behavior feels like patching up a problem. And if you do that often enough, you get a patchwork I am that this is how it works, right? And patchwork iams are, they are colorful, they are diverse, they are pragmatic, they are a perfect short term approach to solving operational challenges. But the problem is at some point you will lose track and you will lose, lose the overview of what you've done.

And, and this one, one important reason for that is the overall complexity of of iam. So when we take, Nope, no, so when we go back a couple decades and, and investigate the complexity of IAM there, the complexity primarily come from the physical access. So we had easy verification, we had limited attributes, we had a strong focus on the work site rather than on the people. But now with everything becoming more and more digital, I am changes as well.

So today, physical and digital verification is required. And when we are authenticating ourselves, for example, we usually need multiple factors to ensure security. And this is where the overall complexity increases and probably becomes overwhelming. Overwhelming. So that's where we should go back to the simple basics and define structure so that we are able to, to control that con complexity before, before it controls us. So how would we do that?

When we, as Im expert, think about our duties, it all comes down to asking the right questions. So who is the identity that tries to get access?

When, when did that happen from where did the access attempt come? How was it requested? Why would that be a, a request? And what was requested? So those are the very simple questions that we need to answer to verify an excess attempt and to get those answers. Many organizations are creating complex architectures, adding a lot of tools to it, different tools, and at some point it becomes simply overwhelming. So we heard that talk earlier on how the complexity increases when we add tools to all of that, this is where that applies.

And to simplify that, we need a good structure, an identity fabrics probably because that is where the identity fabrics comes into play, simplifying everything with a good structure. So to do that, we need to understand what's, what an identity fabrics in general is. So it is a framework that helps us to improve our own structure for am it can also seen as a, it can also be seen as a paradigm to spread a unified view across a landscape or an organization. It can be a concept that we can use to incorporate future trends. It can be a high level architecture we use for implementation.

It can be used in various ways. That is the bottom line on that. The important thing is that an identity fabric is also a multi-layered mesh. You might remember those pictures from Martin slides. I use that as well because I really think the same way like Martin does. It's important to use an identity fabric to assemble big picture strategic approach for your own organization so that you have a vision where you go to. On the other hand, the identity fabrics can also be used to incorporate strategic, technical, technical details.

So in general, the identity fabrics offers you the flexibility to think strategically and add those technical details. You can also add capabilities, you can also add types of tools. You can add pretty much everything that you need to create and describe your very own landscape. So how would you do that? Or let's first talk about the requirements and advantages before we talk, how you do that. So the requirement and requirements and advantages for, for an identity fabric are that you do that for yourself.

I mean, we as coping a coal, we are offering our coping a coal reference architecture and identity fabrics, but you don't need to use it. You can very easily create your own identity fabric and reference architecture and to get the best out of that, to benefit from that, this identity fabric and reference architecture should be individual and specific to your organization. It should be comprehensive, it should follow best practices, it should follow standard procedures. And this is where you get the best out of it as a compass that is providing guidance on all levels.

It, it can serve you to incorporate future topics and and trends. It is dynamic so that you can add and remove certain parts that you want to exchange. This is ultimately where you get the best out of an identity fabrics. This is where you get enabled to get back into control in the head of chaos. So now we can check how that works.

I, I would like to give you the idea of how that works based on our cooking, a coral reference architecture and identity fabrics. So here we have the identity fabrics and I will click quickly explain you how that works. So on the left side we can see all the different types of identity. So we have consumers, customers, we have things, we have devices, pretty much everything that can be an identity type. On the right side we have all the, all the objects that you can access. So those identities on the left side want to access certain data objects. That's what you have on the right side. Yeah.

So we have digital services applications, we have platforms, infrastructure, legacy, iot, legacy it. So it's up on you what you can, what what you said in there. You can also put documents there, doesn't matter. It's about the object that that is accessed. And in between we have capabilities, services and types of tools. And the idea of the capabilities is that those are functional features that are put together to services. And those services are delivered by tools.

And in the end, an identity on the left side that want to access an object on the right side uses those capabilities, services and tools to get the access. This is the full idea. And since we are not approaching a greenfield at, at least not in general, usually there is something in an organization, we have certain type of APIs, we have connectors, we have interfaces to integrate the whole capability services and tools part into an existing landscape. And this is what you find on top, on the bottom layer, the connectors, APIs and so on.

One more important thing that I would like to add here is the number of functional layers. When we think about the identity types on the left side and think about employees and for example, consumers and you can take whatever identity type you want from there. And we are talking about a capability like for example, the first one here, identities, capabilities for employees and consumers in the are not, pretty much not the same when it comes to implementation. So they are different for employees and for consumers. And this is where you add multiple layers to an identity.

Fabrics capabilities might be unique for each type of identity. So this leaves you or you might end up with multiple identity fabrics for different types of identities Good. When we go into detail, we use the reference architecture to discuss capabilities in detail.

Also, let me quickly explain in case you were not in the workshop and didn't listen to Martin's presentation. So the reference architecture is the metrics on the left side, you can see core IAM, extended IAM integrations. So where the capability belongs and in the columns you can see the functional topics capability belongs. So this would be the four A administration, analytics and risk authentication and authorization. Above all of that, we have deploy time and run time and we decide on those two dimensions because we believe that not everybody is happening in advance or on real time.

This is why we split that up. We have capabilities that happen upfront that are can be prepared in advanced by an administrators or perfect example would be role creation or account creation. You can do that before the actual access. And we have activities that happen at runtime.

So when a, when a person tries to, to access a certain object, there can be a check whether it is allowed to do that or not. So that would be policy based access control. The rules are checked and there is made or decision in real time good on and everything in in the metrics. Those are the capabilities, the functional features that can be part of your reference architecture. This is what an identity needs to, to access a certain object or an identity needs to be maintained. That is what we as engineers need to keep an IGA running.

And to give you an example, I will also dive deeper into one of those capabilities. I've chosen the identity lifecycle for my presentation here because I think probably every one of us should be familiar with identity lifecycle management and has a basic idea of what that is. So as a basic example, and I've, I've simplified that example a lot just to show you how that works. We are able to discuss based on the reference architecture, what the details are. So when we are talking about identity lifecycle management, we can go into the details on join a mover lever.

We can even go further into details and talk about join our processes like identity creation, account creation, how are birth rights provisioned, how are access rights managed for join us? We could also talk about movers and the change of attributes. How are access, rights, rights managed here? And we can talk about levers. So what is an emergency lever? What does that mean? What is the consequence? What is the regular leaf? What happens in a, in case of a regular leaf? So this is all what we have seen or this is all of that is behind identity lifecycle.

What we have seen in the reference architecture. So in a nutshell, although this is just a simplified example, it perfectly shows how deep we can go into detail and discuss details on certain topics without losing the overall structure. So this is exactly where the identity fabrics becomes an opportunity for each and every organization. So there are multiple ways how you can utilize an identity fabrics, you can use it to provide guidance, functional and technically seen. You can display the status quo. We have done that in the workshop yesterday. You can define the target state.

I mean I've already talked about that in the workshop yesterday as well, even though we have not done that. And from that you can derive a roadmap. We can talk about the target operating model and we can also explore trends. It gives me the op, the opportunity and the possibility to talk about trends as well.

So we can, we can talk about strategic stuff and we can also talk about operational stuff. So on both levels, on all levels of detail we can talk about I am without losing our structure. And this is what really helps creating the benefit for you. This is how you stop patching up short term problems and how you start taking controlled actions.

So, and that's basically the good news for you. You are obviously still in control and you can improve your organization's situation, but it is up to you to decide to act and to change the current situation. And that starts with thinking about making good use of an identity fabrics and how you can establish that. And with that call for action, I would like to conclude my presentation and thank you all for your attention.

The, so thank you Phillip, we have, I I think one, one is probably more more comment and, and one question here, but by the way, if I answer using the app either here from the room or remotely to to, to ask questions, we rarely have time to answer all to respond to all questions. But we will send the questions to all the presenters and ask them to provide a written answer so that we can paste them into the app so that within the next couple of days all the responses to questions should be there. That's just a quick info.

The one comment is, I would argue that it's also easier to communicate I am to the company with an identity fabric. So this is, I think also a good comment when you have one bigger picture instead of a lot of pieces, you can tell a more, more consolidated story. The one one question we, we can pick can try to give a short answer and surely we can follow up on that. So isn't it a huge challenge for a bigger organization to bring everything together under one department, one one organizational area, and what is an estimated timeline to do so? And how many employees do you need?

It's probably impossible to answer that in a single question, but maybe you touch a bit on our centralized, centralized tom stuff here in your response. Yeah, I mean it, it, it asks for a lot. That's true. And without a, a real analysis that's hard to answer. But in general, you can say it does not really depend. If you are a b a huge organization with, with lots of tools or a small organization, so the, you, when you start on a strategic level investigating the capabilities and and services and tools, you, you, you start pretty much at the same spot.

If you are a huge company, a small company, a medium company, doesn't matter. But when you are going into the details, this, this becomes different because obviously there are more tools in a huge company than in a small company. And I mean, one perfect ex example that we have seen already today was the presentation of Steven. He showed how easy it can be to derive an architecture to convince higher upper management to do something. Yeah. And in his case it was establishing a PAM tool and he used an identity fabrics to display an architecture and to get the upper management to a decision. Yeah.

And, and I think that that's one point. And the other point is, will, will you succeed without a structured organization, someone who is lead and maybe a very well defiant approach on how decentralized or or regional entities work together with central identities? I doubt. So at the end, you need to do that exercise. There's no way to avoid it.

And yes, there are people needed either in your team or leading over to the next session by managed service providers and other partners we have. So again, Phillips, thank you very much for your talk and we right now shift to a panel.