Thank you very much. And I'm looking forward to this panel and I have really interesting guests today. I want to ask the two of you to introduce yourself, first of all, so that we can start with the conversation afterwards. So Christine has not yet been with us she's on later. And so I try ladies first of course, I would like to, to, to have you introduce yourself very quickly, where you're coming from and what your relationship towards identity access management is just very quickly.
Thank you. So my name is Christina Owen. I am actually, I'm a director here at guide house guide house is an international consulting firm and we consult on various matters. I'm based in the us, obviously with my accent, but I, I, I call myself and I am evangelist because I love identity. I love to talk about identity and really go deep on identity. So I'm very excited to be here today and talk about this.
Great to have you and quick introduction also again from PRIE because maybe some people listen into this panel afterwards without having heard his presentation before. So short introduction from your side as well.
Yep. My name is Hal. Don't try to pronounce it. It's a finish name, impossible, and I'm a senior specialist in the national cybersecurity center. We do supervision on strong electronic identity services or strong authentication services and trust services for Finland. And I'm also part of the part of the team that participates in the level meetings on E.
Okay, great to have the, both, both of you here for this panel, many panels, these days start with questions around COVID and of course I'm tempted to this as well. You've talked about upgrading a whole country towards open standards. So this was a real large scale update of an IM infrastructure, but when COVID struck and you're also, yeah. Working with an organization to start with you did your own legacy IM in the organization that you're working with, not the one that you upgraded, did it deliver on the challenges that the pandemic raised towards an organization was your IM pandemic ready?
Well, the question is the answer is actually two-fold yes, it did the underlying protocols and things like this changed before the COVID situation, but for the normal user, it was kind of invisible. And the second part of the answer is that no, we, we kind of like were caught pants down, mainly because if you have an electronic identity, you are all set. You're fine. You can still use that and move on and start using, you know, the online services instead of going somewhere else. But if you don't have that and you can't go anywhere to actually enroll into the system, you have to do remote enrollment. And though it's, it's nothing that is forbidden or anything. We didn't have the rules or regulations, or let's say interpretations ready for the situation where all of a sudden these issuers or digital identities were asking us that, okay, what are the requirements that we need to do?
Or how do we come conformant with the regulations so that we can issue these strong identities to our customers remotely. And I've been in part of the, some of the peer review processes here in the, in Europe. And we have taken a look at the member states have that have already notified their E ID schemes. And there are remote enrollment procedures place, but in Finland, we didn't. And we had to kind of like quickly figure out what are the requirements that the banks and the mobile network operators can implement or do that they are conformant with the regulation. So yes and no.
Okay, great. Thank you. We at cold was quite easy because we are all working remotely. So it was not really a change. How was it for you, Christine?
So for, for guide house, for my company, it's exactly the same. We, because we all worked remotely already. It wasn't really a big change for us. The only big change that we did have is we had to start onboarding new employees remotely, which was a little different because we used to have people come in and show us our, their, what we call in the us. I nine documents, so documents to prove that they are who they say they are in, you know, whatever, but we, we didn't have that anymore. So we do all of that remotely now for my clients. It, it was actually a lot of the same. I think I was very lucky and a lot of my clients were ready, were telework ready. And so they didn't have as many issues there, but it's that in person proofing thing is still a problem. Right? So that's something that I think in the future, we're really gonna have to start looking into more so that we can do identity proofing remotely in case anything happens again.
Okay. And then that already hints at our actual topic. We, our topic is moving from legacy. I am to more modern approaches, but what constitutes more modern in, in from your point of view, again, maybe with you, Christine you've mentioned identity vetting identity proving already. When we look at modernizing, I am. Where are you looking at? Are you looking at deployment models? Are you looking at architecture? What else are you looking for when you say it is a more modern IAM?
Oh man. So the first thing I do is I go into an organization and I see where they are today. I see whether they have a hybrid model. Generally, most organizations are at a hybrid model now. So I wanna see where all their assets are, where their data stored. And then I look and see, do you know, who's on your network? Like, do you have, do you understand that? Do you have strong credentials? And if you don't have those two things, then those are the two things I think are the hot fixes. We need to know who's on your network. And we need to also know that you, that you're using more than just username password, because some people are still doing that. And then after that, if, if those are not the issues, right, then we, then we look further down. What other reasons did you call us in what other things are you, are you working on? There could be things such as I think a hot topic right now. And a lot of my clients is the fact that audit findings are surrounding account management. So then that gets us to identity governance. I also have a lot of clients who understand the concept of zero trust and really wanna get to zero trust. So we look at, at the holistic picture and we figure out what are the things that you're missing to get to zero trust? Because zero trust has to have the strong foundational IM component without it, you can't do anything,
Right? I fully agree because I think this, this, this role of identity and access management for security is growing and growing. And I think that is really an interesting, having stable, reliable identities as the basis for, for secure communication is really an important starting point. But pet, do you have additional thoughts on what constitutes a modern, I am a modern enterprise. I am a modern country. I am,
Let's say, yeah, I can't really comment on the modern enterprise IAM because that's out of my field at the moment. I did have some part to play in that field as well previously, but right now it's, I mean, there were two different regulations that came into effect a few years ago in Europe that was here S and PSD two. And those were the driving forces of for example, banks to adopt new technologies. And in our country, it happened that we let go of the legacy, or let's say bad authenticators, mostly. And those were like these printed OTP lists that are easy to copy these still easy to lose and so on, so forth. So all of the banks now have mobile apps that you use to authenticate. And because we allow, or this situation here in Finland is that you can use these banking apps or bank authentication apps to authenticate the third party services.
We had to look at the modern mobile apps, and we came across quite a few interesting findings because we have the requirement of assessment. So the stakeholders or the banks, they need to do the biannual security assessments on the technologies that they offer. And me and my team, we act as a gatekeeper and we don't allow crappy technology to be deployed in to the finish customers. And there were some quite nice findings and the other big move that I, that is actually still happening, but it started like one or two years ago. The providers also started to move their services from on-prem installations to cloud services. And our role is to supervise and check. That is everything's okay. Things change when you have a bank data center, five kilometers away from you, you can go there quite easily and see if everything's okay, but when they move their stuff to Amazon or Google well happens. Well, we were kind of lucky. We had some Amazon guys visit our office from their Stockholm headquarters or, or whatever. And they, they promised us that if we come knocking on the data center doors, they will open up and show us the goods and show that they are, they are conformant, but yeah, two, two modern things that cloud and mobile. And I think this is like lagging. There are still more modern and more bigger changes globally happening in the space, but this is what I'm seeing,
Right? And there are actually similarities between the both of you, although looking at different areas of IAM, it is of course, making sure that authentication takes place in a more secure, in a more reliable manner that you have access governance that you have proper access management and the right to audit is also something that is, is of important to, to both of you. When we look at these modernization of identity and access management, again, maybe starting with you, Christine, where are the obstacles? Where, where, where can, where can problems lie when it comes to updating your IM towards a more modern infrastructure? Is it the, the, the, the, the management that, that says it worked yesterday, it should work to tomorrow as well? Or where are the obstacles?
Yeah, I, the it's definitely communication. Like the, the biggest obstacle is getting, buy-in not only from the senior leaders, but also from the day-to-day users. So for example, I have app owners sometimes in some of my clients who say, oh, you know, we don't need that. We have this form. And it does account management really well for us. We don't need any of this new F thing. We don't need to do all this integration work, and we don't need to explain to you how we do account management so we can get to an automated system in the back end. So there's definitely pushback because a lot of people wanna do what they know really well, and they don't want to learn new things. And they think that it's, in some cases, I've found that they're also worried that their job will become obsolete if we automate parts of their job, which it won't what we do is we, in my opinion, I am as an enabler.
And it frees you up to do all the cool things that you wanna do. So you don't have to do all the boring things like white list people into an application. Right? So, so I think that communication is number one, the most important thing, explaining to senior leaders that I am is it, isn't just about security. It also enables you to get, I, I like to say your mission done, but what your job done, it's very important. And I've found that whenever I have conversations with clients or potential clients, I figure out what their pain points are. And then I teach them how I am, can actually fix their pain points. And that has been a really good inroads to get them to start thinking about and modernizing their IM system.
Right. Great, thank you. Pet maybe from, from your side, although it is a different audience that you've preached to where the, where were the obstacles there and how did you overcome them?
I think right now the biggest obstacle is lack of standards. So our customers that are basically the banks and the mobile network operators, and then the brokers, they want to deploy new technologies. And sometimes there are no standards available to, let's say, to assess, assess these things, or to really understand what they are about. Biometrics is one, if we think about modern IAM blockchain, there are quite a few blockchain projects here in Finland, in the financial field, for example, and in general IEN, and they want to use blockchain. But if we think about the situation that you should deploy a solution that should probably be available to all citizens and be I interoperable and so on, so forth, and you have multiple stakeholders each deploying their own flavor of that technology. It's a minefield right now, for example, blockchain is, well, we have verifiable credentials, that's basically, and some ledgers in open source format and these kind of things, but interoperability and these kind of things, they do require a need standards. And for example, coming back to the biometrics right now, there's an upcoming standard for using biometrics and doing the remote enrollment, but it's still a draft it's coming and it's for trust services and so forth. So standards are lagging behind on what the companies in our field want to do. And that's challenge for me because I have to, you know, I have to make sure that they are okay,
Got that point. And I think, yeah, usually you, you think there are lots of standards and they just needed to be implemented, but there are areas where they are just really still missing. We have five minutes left or even more four, if you could do any recommendations, how to properly implement such a migration project. So an, an update and modernization project from, from the two of you, if we, if we start with Christine both two minutes, what would be your learnings, your recommendations for all these IGA project leaders out there to, to take away from today.
So it, I feel like I'm a dog with a bone here, but it's literally communication. We are actually doing a large migration project right now. And communication is very important. Whenever there's any deviation from the plan, it absolutely needs to be communicated immediately to your client. And, and in the beginning, you need to explain to your client exactly what's going to happen, the stages to get to migration. All those things, communication I've found is the number one most important part of this, of this project that we're doing. And, and it's, it's definitely highly beneficial to make sure that that migration project is successful.
Has, has, has communication improved or, or, or deteriorated in the last year.
Oh, I, so that's a good question. I, I think the communication has improved, however, I think there's too much communication. So the being able to really absorb what that communication is has deteriorated. If that makes sense. I feel like we're getting bombarded with too many zoom calls, too many. We're, we're too open to calls at this point. So now you can't really absorb all the things that are happening at once.
So the need to focus.
Yes.
Okay, great. And, and maybe final recommendations from your side with a different approach, but how to execute such a project, which, which I think is really a really, really a challenge.
Oh yeah. I mean, I didn't do the actual and I wasn't really a part of the actual change. I was just observing and, you know, looking at what's happening and I'm guided by the law and the regulation. And when the company has changed things, we came across with some challenges when the law and regulation was too strict. So, so the regulation didn't allow some things to be implemented. So I would say that if that would translate to a kind of a recommendation, don't be too strict on your requirements, because if you create the requirements specification that is too strict, it, it usually falls apart or it's really difficult to implement. So give you some self yourself, some leeway on that and starts more. I mean, that's the things that I learned very more previous work. So don't try, try to tackle the whole thing at one, go start with the one specific part of the, you know, the whole, and then move that to the modern one and then apply that to the rest.
Okay, great. Thank you very much. So time flies, when you're having fun, we are through thanks to the two of you for being my partners in that conversation today. That was very insightful. Thank you very much, Christine. Thank you very much pet. And I hand back to Annie.
