Webinar Recording
Identity Information Quality
KuppingerCole Webinar recording
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Good afternoon, ladies and gentlemen, welcome to our Ko, a call webinar identity information quality. My name is Martin Kuppinger I'm founder and principal Analyst KuppingerCole and I will be your presenter today for this webinar. Before we start some information about Ko, a Cole and some housekeeping information for the webinar, and then we will di directly into the topic. So company call an Analyst company. We are providing enterprise it research advisor services, decision support, and networking for it. Professionals. We provide three groups of services. One are our research services where we create research such as reports, our leadership leadership documents, which are market Analyst and comparison of vendors and their products in various segments of the market. Cetera, we do advisory services. So we provide advisory to end user organizations and vendors, and we do events in the area for events. We have our webinar. So you're currently attending one of these webinars and we have several percent events.
So options to meet with your peers, with the Analyst, cetera, two of the upcoming Cola events are the information risk and information security summit, which will be held November 27th, some 28th. And Frankfurt's, it's a one and a half day. He went, so it's not full two days. This is a new format we are doing here. It's about solid leadership from the Analyst with some initial presentations, giving some solid, some ideas and afterwards interactive sessions with the peers. So it's really peer to peer. When focusing on experts from the various end user organizations, talking with each other, being advised by the Analyst, we also will provide a rapport done on which, which puts together the results of these very interactive sessions. I think it's something which is very, very worse to attend. And so it's a, I think a great opportunity to dive deeper into topics such as identity, information, quality, and other hot topics in the space of information, risk management and information security management.
The secondly went is our European identity and cloud conference, which will be held again may or teens to 16th in Munich about all leadership and past practice in digital ID cloud and RC it's. The leader went around these topics in Europe, and we have a lot of attendees, a lot of very interesting presentations, more than 100 speakers. So it's clearly GUI you shouldn't miss regarding the webinar. Some guidelines you are muted centrally, so you don't have to mute or unmute yourself. We are controlling these features. We will record the webinar and the podcast recording will be available tomorrow
Latest. And there's the option for, to ask questions. So you can the questions at any time using the questions to then to go to webinar control panel, which you usually will find at the right side of your screen. There's an area questions and there you can, the questions and the quick U a session will be after my presentation, but you can the questions at any time. And I always recommend entering these questions once they come to your mind so that we have a good list of questions we can work on in the Q and a session. So let's start with the content identity information quality. What I wanted to talk about is what is this really about how to improve it? And when I look at various conversations with customers, we have in our advisory business with a lot of our end organizations, also with some vendors, etcetera, then identity information, quality clearly is one of the remaining under the, the everlasting sort of challenges we are facing.
When we look at identity and access management and identity and access governance, I want to talk quickly about what it is, and I want to talk about how to improve it. So bringing in some ideas, I don't think that I, that I already have found sort of the holy grail for perfect identity information for probably there is some those, those thing as, as, as the perfect solution. I think it's a process, a continuous process of improving the quality you have and identity information. And this is really sort of bringing in some sorts of about how could you do it? What are things we see at customers? What our ideas we brought up as result of conversations with customers, et cetera, to give you some ideas on how to do that. As I've said, at our information risk and information security summit, late November in Frankfurt, there will be the opportunity to dive far deeper into detail on this in a very interactive session format.
So you shouldn't miss this second part after my presentation will be the Q a session. So what is identity information quality about? It's about the accuracy of identity information. So this includes the status of identity. So is still an employee is still in customer, thus the person's to live, et cetera. So the status is one thing. The correctness of attributes is the second one. So are these attributes around the person and the digital identity person has still correct? And we frequently observe situations when customers talk about and say, you know, the problem we we are really facing is we, we know that we are not that bad in, in, in identifying orphan accounts, etcetera. So we know, okay, these people still are in our organizations. These are not. But the problem is for instance, that we frequently stumble upon the fact that they are working at a different location right now. And we don't have a clue about it. And other applications are relying on our information on our, these attributes and they then fail or their, their problems. They, and people come back to us and say, Hey, why don't you provide correct information? So this is really sort of the challenge.
A lot of organizations currently are facing around this, the correctness of attributes. And then the other clearly is also timeliness of changes. So frequently attributes are changing, and this has to be done at the right point of time. And frequently, these changes are done far too late. Sometimes they're also done too early. So if someone is changing the drop within the organization, there's a specific point of time to change certain attributes. And some might be changed earlier some later, even in, depending on how the process is set up, et cetera, the other challenge around identity information, quality aside of the status, the correctness and the timeliness. The other challenges that we have to think in a three tiered model. So we have accounts, the active directory accounts accounts are the website SAP account, whatever, and we have identity. So we have digital representations of persons, maybe also of things, et cetera, but let's stay for, with persons for that, for that webinar today.
And these persons might have different identities even on the same organization. So my favorite example always is the employee of an insurance company, which might be an employee, which might be a freelance broker every evening, and which might be a customer of the same insurance company. So he has multiple identities and we need to understand which identities are related to which person the same problem occurs. When you look at, I will talk about is later more in detailed when you look at bring your own identity stuff. So someone logging in, we are Facebook today. We are Google blast tomorrow, and maybe in two years using another social network or whatever we've never have heard about today. So we, we don't know what will be the system of choice in two years or three years, three years from now. And we have to understand there's a person which have might have more than one identity. And each of these identities might have more than one account. We have to think in the three tiered approach. And this is, I think very important for us for identity information quality, because obviously some of the attributes are in fact person attributes. So first name, last name, whereas others are identity attributes, employee location of its office versus freelance insurance broker location of this office. I think this is very important to understand.
Then the question is, how can we improve it? How can we deal with it? And the first step role is understanding where we are today. We, I think last year we helped released an updated version of a report around the K and KPIs or the key risk indicators and key performance indicators for identity, access management, identity, access governance, and some areas of KPIs. We have some, or one of the areas is identity administration within adminis identity administration. We have to find these six key performance or risk indicators. One is employee screening. So do we really track back with our employees, whether they are still S one is really orphaned accounts. So do we have orphaned accounts? One is the digital identity is per physical person. So the more we open up our organization to bring in customers, etcetera, the more we will have situations where someone is customer or prospect and an ley or other situations, how good is our, the reach of our IM the time requires changes on identities and access.
And we can then go dive deeper and do this time requires changes on identities and access, for instance, to really measure the timeliness of information. So in change process. And so creating an identity is one part, but changing, doing updates correctly is a different story. And sometimes this is where, where, where processes really fail. Also one of the topics I will touch more in detail later on delegation of administration. So we have various KPIs here. And one of these KPIs, or is the orphaned one, which looks at the number of account. So this goes a little bit more into detail showing what is our indicator? How do we inter what is the interpretation of it, the unit, the direction, the associated risk, what you do to, to optimize it, etcetera. And this is just one way, and probably one thing you definitely need to do understand where you are today and understand, so measure things.
And, and also then you will be able to, to direct your broker over time and to justify also the investments you, you do in, in to improving identity information. Quality. Yeah. Next question I want to touch is why to care about identity, information quality. From my perspective, there are five main factors or five main reasons why to care about identity, information. Quality. One is governance, risk management compliance. So there to, for instance, correctly enforce sod controls or any other type of access governance. We need to understand, do we have to still the right persons here? So are they still in place? Are the roles correct? Etcetera, etcetera. So this is one part, find information, quality. There might be former compliance requirements around this. So especially when looking at customers, dealing with customers and other things, there are various things we have to look at and general for information security.
It's important to have a good quality here. So if things are wrong and then people appear in a different, in a wrong role, et cetera, then this might cause problems. The second reason is business process quality and reliability. In many of the organizations, I'm gonna talk with our, our advice for customers, virtually all of these organizations, others rely on the identity information. So there should be either physical or virtually. There should be a trusted source of identity information where others can rely on. And this becomes clearly even more complex. When we not only think about the employees where the HR might at least surface one of the or reliable sources, sometimes, sometimes not also a topic I will touch later, but the more we go into business partners and customers, etcetera, the more complex these things become. So the worse our, or the lower, our quality is the more problems we are causing in our approach processes. So we have to have good quality for these other processes. And if the other process is riled, then we have a lot of discussions. We have a lot of finger pointing, oh, you are guilty of not providing the right data, et cetera.
And also our identity management system will not be used as it could be used. Another important point to is license cost too many users and systems might increase license costs. So if you have a lot of orphaned accounts, it might become a problem, or if you have inactive users, but inactive problem is a little bit out of the scope of the, the narrows or inner scope of identity information, quality administrative costs, another reason. And what I really see and observe in many organizations is that they spend a lot of money in manually refining identity data. So the point is they, they end up with, there are issues in our process. And then we try to fix this in some way or another frequently. This is done, this, this fixing stuff, trying to fix it done by, okay, we, we might add a script. We might try to identify the weaknesses, but then we still end up this list of let's say a gray area list where we don't know exactly is this correct or not.
We have to do this manually. And this can consume a, a very large portion of the overall time organization spend and identity and access management. And that's just the point where then really makes sense to think about how can we not only deal with the symptoms, so issues and add anti information quality, but how can we deal with the cause of this? How can we improve the processes? How can we improve the quality? Finally, there's a first reason there's return on investment. This is a little bit related to the second one identity information that is not used is of no value. So if the quality is an inhibitor for reuse of the identity management, then the ROI of identity management will be lower. And it makes a lot of sense to, to think about its reasons that there, I think there are various good reasons to invest in identity information quality.
As I've said, I don't have the single solution, which, which you can apply and say, okay, if I do that, every problems will be solved. I think the, the challenge is too complex for a simple solution, but I think there are various things you can do. One of these things is understanding which systems are leading source for what and what, what I, what I frequently see is that organizations do that. They look at an object and to create process. So what they, they really do is they say, okay, this one, the object, the person, and mainly this person, this object person, or identity is relevant to us. And I look at where does it come from? I look at a create process. However, this is, I think the, the important thing to understand, it's not all about the object. We need to understand which objects do I have.
And it's per it's identity. It's the organizational unit that might be several other objects. You can follow an data model of whatever data model you're you're following here. We have to look at the attributes, last name, first name, the room. The person's current is sitting in where the offices, etcetera, etcetera. And then we have to look at at least create, update and delete and try to understand where does it come from? So it might be from HR. It might be from various HR systems. So then we have to dive in a little deeper. So if we have multinational organization with a lot of HR systems, for instance, then we might end up saying, okay, there are various sources. And then we have to build a bigger, bigger spreadsheet than the one I have depicted here. But when we look at the room, HR might not know anything about this.
It might be the personal assistant of the departmental manager, which enters this field. And when we update it, it might be the user who has the responsibility. The user might be the one who does it when he changes the room. So we need to understand where, where could they come from? Where should they come from when we do that work and I've done it with customers. When we do that work, then it's usually a lot of learning in there because yes, they're CHR. When we look at employees, if we look at business partners, things are different. If you look at other identities, customers, etcetera, things are again, very different. So we also need to understand this is not, this is done right now for one group. HR is not a leading source for everything. If you, depending on our use cases for identity access management, but most organizations currently are, have to deal with far more identity.
So things are getting more complex. And then we, we, we will end up with some situations where we either don't know, where does, where does this attribute come from? Who's responsive for updating, et cetera. Or we end up with a situation where we say, okay, there might be various persons that update this thing. And then this helps us to, to understand where do we have weaknesses in our processes, which processes do we have to, to change? And when we have done this step, then we are a good step forward, have done a good step forward. When it comes to process understanding how should the process ideally look like who in fact is able to provide that information to update it, who should be responsible, who should be accountable. So it leads us to processes. This is not something which we do in 30 minutes or so it will take some time because the interesting part starts when you go beyond the standard, such as last name or first name to the me specific AEs, which are maybe not an HR cetera, then things really become interesting.
So processes, when we look at processes, then there are some things we, we have to, to, to understand and look at. First of all, we need to get sponsorship. This is about HR IM and sometimes business departments. When we look at the employees, when we look at other types of identities, such as business partners and customers, then again, other players come into this game. We need to clearly define responsibilities and accountabilities down to objects and attribute. So we trust saying, okay, data comes out of the HR is not sufficient. We have to give far more into detail to define then the processes. And then we need to communicate the benefits, not only the duties. So, so one of the, the typical problem is caused by the fact that Diane says to HR, Hey, we need these attributes and we need them in the perfect quality. And HR says, we do HR. We don't do identity management. We don't care about an attribute. We do not feel responsible. And don't tell us anything about the quality. So then, then you're in a clash. You should avoid this. It's about understanding benefits. But as I said, also, sponsorship on defining responsibilities and accountabilities on this.
What you should not do is you should not make yourself dependent on the HR consultation project, my programming in your organization. So I've, I've seen various scenarios for organizations are currently waiting for, for an HR consultation project to complete. Many of these projects take somewhat longer than expected and they don't necessarily solve everything. So there might still be a, a very mixed quality within that. So instead of saying, okay, I know the HR system, which has weak quality, I might have said, okay, I know the reach in our global HR, where the weaker quality will be, will be. And so this is really understanding you shouldn't be make yourself too much too dependent on this. Try to improve the processes step by step. Now, clearly identity information quality is not only about HR data. Some data is provided patterns. I remember, I think I've blocked about eight or nine years ago, even.
And, and still a lot of, lot of people out there are telling how, okay, it's very easy identity management. You use your HR as trusted source, and then everything is done. No, not true. And what you also need to do. Even when you look at processes, you need to implement quality assurance processes. So it's not only about defining a process for changing. It's also about implementing a quality assurance, but let's move forward. I think there are some other things you can do some things which go a good step beyond that. And that's what I, what, what I want to talk a little bit about here. So what you can do is you can do automated checks. So many attributes are held on many sources in your organization, and that's true for any type of identity. That's true for your employee. That's true for your customer, et cetera.
So you might have various systems for your customer. You might have to CRM, you might have some information. The ERP system, you might have some registration on information already at your website side, etcetera, and you might try to compare it. So why not implementing automatic tracks, automated tracks as part of your QA process on identity information, quality, how you, so you might rely on your provisioning system. So you might look at your provisioning system, think about how can you use that, that might work in some area, some cases and others don't. It might not work that well, but most of these systems in provisioning and governance have some capability of comparing things. I think this is something about evaluating, but there are at least two other groups of tools. You, you might look at. One is ETL tools. So tools which allow you to transport data in other systems, which usually have also some capabilities and, and comparing data cetera, or MDMs are the data management, not mobile device management, the case, but Mar the data management tools you might have in your organization, because the letter are already built executive for the purpose, but even scripts might do the work.
So doing sort of tracks and, and identifying where things out of swing between various resistance helps you to understand what is happening ETL by the ways extract transformation load. So this is a category of software, which allows you to transfer information and change firm, etc, from one system to another, but also do a lot of work transformation load, etcetera analyzes, which might from that perspective help you in that area. So, as I've said, there are various ways to do it, to move forward on, on, on really getting better in this area. And this might help you still is one thing which you clearly might benefit from is that you understand where other issues, where's the quality, where's the higher quality, where's worse quality, et cetera, fixing things based on that might become a little bit more complex because you don't have to understand what is the correct data and how can I automatically fix things, or you should why to end up in too much manual work and comparing them the, the mismas cetera.
But it's one thing you can do. The other thing. And I just recently blocked about the other approach I have in mind. This is what I would call identity recertification. So probably several of you have an access governance tool in place today. I think that is very common. So I think rather a big portion of organizations already has to blow such a tool and access governance tools. Commonly are one of the things you commonly start to do with is recertification of access rights. So departmental managers have to, to re-certify do my BLS cert ones in the department have to correct entitlements or are assigned to the correct business roles, whatever. So it's saying, okay, these are the employees. These are the access rights, correct. Or no, and say, okay, this has to be changed. And this is okay, and you go back there. And so this is from my perspective and I a good thing to do for access rights, but why not do the same thing for re-certifying the identity information?
Interestingly, I've never ever seen any organization using these tools, the recertification processes for improving identity information quality, but it's a, from my perspective, a very logical thing to do. So if you can set up a recertification campaign for access, why not for the identity and the attributes, some tools will allow you to implement it. Rather simple, some not something I'm currently researching. So which one is easier or better to use, which one is more complex, but in general, it's, it's nothing which is, which would be the sort of rocket science in the sense of, I can't do it at all because it's then just saying, okay, I don't care about the ex entitlements of that attribute, but I care about the location, the, the office number, the phone number, whatever for these persons. And so who should do this? The employee, for instance, the employee, I think is someone who can do some, re-certification some at adaptation for several of his attributes.
For sure. You can also do it with other groups, business partners that have self-register for customers. I would say it's a little bit more complex. So the customers might be a little bit reluctant in doing sort of certification, but maybe it's about giving them the opportunity to say, okay, check your attributes. Is the information still correct? Cetera. Maybe if it's about customers, maybe you say, okay, this is your benefits. So whatever this, yeah, I think they, you just can give, avoid this in some way, or I say, win the prize, etcetera. So there are various ways to do it, but I thought of the employee or the person itself there's the departmental manager or the personal assistant, maybe in that case, even more because the personal assistant knows more about the details in departmental manager. When you look at the attribute, so this might be a very interesting person to do it.
You also might assign into a specific role in your department. So as I've said, there are various ways to do it. Maybe if also to combine it because the employee might be the one who or the, the person itself might be the one who re certified some office attributes. Whereas others must be, must not be shown to him, but done by the personal assistant of the departmental manager. This is also because Pia data and legal issues, etcetera, you have to be careful around that, but done right. That will really help you to increase both awareness of identity, information, quality, and the quality itself. So people become more aware of it. And, you know, maybe it's, it's something, especially with the, usually you have some, some people or some parts of your organization where, you know, the identity information, quality delivered by them is not very good.
And so maybe it's a good idea to start recertification exactly with these, with these departments, with these divisions, whatever, because it's also about learning, okay. We have an issue showing it to them, increases awareness, and really help you in improving the, the data they provide through the HR system or whatever other way back to you. So this is one of the things I'd really like to see more in practice identity recertification. When we look at some other groups then such as the business partners, then for business partners, as long as we register them directly. So if they're self registration or we register them, then more or less, the same things I've I've talked about before for the employees apply hybrid is also the area of Federation where we federated or federated, some business partners federating in the, the easiest approach here because the business program manages the identity.
And usually in the contract, there's some liability defined regarding the identity information quality, or at least some liability. It might not necessarily directly say you were responsible for the quality of identity information, but if something goes wrong because you didn't manage your right entities correctly, then you are liable, but it still needs quality assurance. So maybe the business partner managers on your side might do some re-certification. So that for everyone, maybe depending on the number of partners clearly, but for some of them, why not doing it there as well, let them recertify. Or if it, if you onboard partners directly, they might be very willing to ensure that their information's correctly. If you show the benefits for them associated with the work they're doing for you, when federating out things are changing a little. So when we are federated out, then we have to look at the liability issues because you can't take the liability, unless you can guarantee a good level of identity information.
Quality. This level might be an agreed one explicitly, or it might be sort of the good practice because once, once something goes wrong and the end up as a lawsuit, then good practice might be the one you, you have to at least demonstrate here, orphaned accounts. So it's a worst case scenario in that case, a little bit of fat fear and uncertainty doubt here, orphaned accounts of former employees that are still active and lower remotes. We are mobile mobile devices to the business partner. Clearly that's something which you should avoid. You need a quality assurance process here. And yes, Federation is something where, where you really need to improve the things you're doing. And I've shown you some ideas on, on which we have around that. And for sure, if you have other good ideas and good experiences, feel free to enter it in the question section or share it via email with me or come to our event in November to discuss it or DIC, which clearly also will touch this topic next year in may.
I'm very interested in any positive learning and positive experience on how to do it, the opportunity there in so in a really improving equality, I think the good thing here is business is interested in a solution. So when you're talking about Federation and other ways to interact with business partners, then this is virtually every time driven by a concrete business demand. It's not something you and it in when and say, Hey, we need to do it up. But it's where business comes and says, Hey, we, we need to corroborate with this business partners. That's the point where you can say, Hey, to do that. We need a better identity information quality. And these are the shortcomings in the process. We have identified. Let's fix them. That gives you less issues around liability risk, etcetera, and is helps us. So this might be a pretty good starting point to improve processes because the business usually also has more power than it. So while you might be struggling, let's say with the HR department business can put a lot more pressure on the HR department when they need to solve a specific business problem.
Another area I want to touch is to bring your own identity stuff. So what about all these customers? Cetera? So bring your own identity, or I means you allow use users to use your own identity. That might be Facebook, Google blast might be some sort of stronger identity, their various providers right now T com whatever out there, which you can use. The good and the most interesting question at the beginning is how good is the quality and bring your own identity? Depends. I, I just have to say, in some cases, the quality might be arise or high. So if someone orders something which has to be physically delivered to his home and he pays in advance, then he's clearly interested in providing correct details on his home mattress. So that case quality is expected to be RA high. You might even increase the quality by relying on servers, such as PayPal, in other cases where it's just about registering, the quality might be weaker.
So in some cases, it's just that people say, okay, I enter something which is nonsense because it helps me really registration versus anyway. And I don't want this person to know who I really am. That's the other side. So there are various ways to increase identity information quality in this, in these situations. So one is you could rely on services such as shoe determined, credit standing agency, or a lot of other, a lot of, a lot of other companies, credit standing agencies are available virtual every everywhere, etcetera, where you could rely on, you could, could use other accessible information services to verify addresses or names cetera. So there are services which allow you to verify the address. Cetera, there, you can use the graph APIs of social networks, as long as you have access to the details of the person to get more information out.
And the more consistent information you can obtain from various sources, the better you can verify that the details which are, which have been entered are correct. So you can improve or assure identity information quality based on relying on various sources. One of the challenges you have to look at in this context is also understanding whether you have the same person already with some different identity. So someone who came in we Facebook and right now comes in, we have Google plus in that case, it's really about how you maintain correct mappings of person identity. The more attributes you have an access, the better you can do this clearly it's if you have a rise, a long list of details, then the, the certainty, the probability that is the same person that you do, things right, that you have a good level of assurance is higher. And this is something which in fact is currently happening.
So, so when you look at how things are, are changing in authentication authorization, then we see more and more approaches. You might look at Federation at the claims concept, the Microsoft propagating and others, where you have your directories, you do the authentication, but you also have identity providers which can provide additional attributes here, which might be internal or external sources here. It might be your CRM. It might be an external credit agency, whatever. You might also have some context information, which might fit to someone or not. And taking all this together then allows you to do a policy based authentication, authorization decision and per transaction interaction. There might be different authentication providers and identity providers for additional attributes over time. So this is really an area where we see a lot of change currently, the way we deal with identity with authentication authorization. And I think it's very, very important to understand is we had, I think just last week or the week before we had a webinar on the extended or connected enterprise podcast, recording is available to our website.
It might be worse to have a look at this as well. And this is exactly the point. You know, it allows you to sort of combine data sources. So instead of trying to have only your own data, which you put together in some way, and try to get smart information about your customer, think about, you know, you have some data. So if I go to the right side of the screen, you have some data, you might have some access to, to, to larger chunks of data from whatever type of information office that sells some data about customers or whatever, or it's your own data and your CRM or your own data. And, and some other data sources you have internally, you combine this, you process it, and then you enrich it. You go to social network, we had the API, you go to a credit agency.
We had the API to come back with a more, a refined and more well it's view on the data sources, services, something you should look at and think about how can you do it by combining various sources data. So to sum these things up, and I, I hope that could give you some, some ideas around how to improve identity information quality. And before I sum up again, we have the Q and a session then within the next few minutes. So if you have any questions, start entering them now so that I can pick them up right after my last content slide I have today. So what are the five steps I see in improving identity information quality? The first step from my perspective is define the data model in detail for all types of identities. I think this is one of the most important, valuable steps and one which is rarely done in detail in organizations, because this really helps you to understand where are my issues?
What are the processes, cetera, et cetera. The second thing is define, implement and enforce processes for create up that and delete. There might be a lot of processes depending on the types of identities, et cetera. This is second step define, implement, and first identity information, quality assurance processes as a service step. So define processes to ensure quality, very important, implement identity recertification. Think about really doing recertification here. I think this is a very logical thing to do. Makes a lot of sense. You might have the tool on hand already to do that type of recertification and review your options for verifying information, identity information based on external data sources. So which information can you verify based on external sources, you have to keep privacy laws, not regulations in mind here, clearly in Germany, it's the belief slot. So the workers count and other things you have to look at these things, but clearly this is an option. So these are some of my salts I have around identity information, quality, and how to improve it right now, we'll move to the Q and a session. So if you have any questions, enter them now. And as I've said before, I think we have two upcoming
Ones, which both might be an excellent opportunity, provide excellent opportunity to discuss this with your peers, with the co call Analyst, et cetera. So this is really what, what I want to share with you. Don't miss the ones. I will move over to the question last year. So one of the questions I've got here is that for bringing your own identity, what are the ideas and identity? Sure. So the ideas I have the ideas of quickly talked about is really for bringing your own identity. I think first thing is understanding which things so which identity map to other you might already have, cause it allows you to combine various attributes, to compare attributes, to identify things.
I think the other other thing is really verification of that based on external sources for identity information, some of them might be freely available, which is that frequently the case, many of them are just paid sources. So, so agencies which provide information about persons, as I've said, this is always a question of legal aspects, etcetera, but it can be done. So this is really the broad I would follow here. There's another question, which is how do legacy systems and previous mergers and acquisitions impact this exercise? I think it's a, it's, it's an interesting question because usually when, when you have, have done MLA than you will have different, you will have different processes here. So you will have various processes in various parts of your organization and aligning these processes, improving these processes, one of the things you need to do so that there, there might be an effect in that sense.
On the other hand, they might also positively affect what you're doing due to the, the bigger pain you're you're facing regarding identity information quality. So it can go into both directions from my perspective, legacy systems. I don't do not see that much as a, as a challenge. So legacy systems, if there are source of identity, and I think you can handle them the same way, it might be a little bit more complex to, to improve the process around legacy systems, especially with very legacy systems, which are RA role where no one knows how to customize them. So then you have to think about how can you change ourselves the problem in another way by adding or relying on another source or for identity information for a certain attribute, etcetera. Okay. Another question which came in back to this identity assurance question around, bring your own identity. Yes, I think there, there are a lot of other services, which in fact them so such as an credit agency agency or others, which in fact can act as an IDP service. And I think this is also great opportunity for, for business models around IDP services in, in a broader sense. So not, not as much, maybe the authentication, but delivering additional attributes for identity assurance, hope that answers the question. Any other questions?
In the meantime, I just also want to mention some of our related research. So there are various documents, which might be interesting in the context of identity information, quality, such as the curious performance indicator report I've talked about. So there are various types of documents and you will also find a lot of research. As I said, I also recently blocked about the reer identity re-certification idea. I have. So as I said, don't miss our events, have a look at our research or rely on our, our advisory and hope to see the one or other of you late November in Frankfurt or next may in Munich. Thank you for your time. Thank you for attending this. A call webinar, the various other upcoming webinars as well. Have a look at our website, see you, or have you listening to me soon again. Thank you. Bye.
So options to meet with your peers, with the Analyst, cetera, two of the upcoming Cola events are the information risk and information security summit, which will be held November 27th, some 28th. And Frankfurt's, it's a one and a half day. He went, so it's not full two days. This is a new format we are doing here. It's about solid leadership from the Analyst with some initial presentations, giving some solid, some ideas and afterwards interactive sessions with the peers. So it's really peer to peer. When focusing on experts from the various end user organizations, talking with each other, being advised by the Analyst, we also will provide a rapport done on which, which puts together the results of these very interactive sessions. I think it's something which is very, very worse to attend. And so it's a, I think a great opportunity to dive deeper into topics such as identity, information, quality, and other hot topics in the space of information, risk management and information security management.
The secondly went is our European identity and cloud conference, which will be held again may or teens to 16th in Munich about all leadership and past practice in digital ID cloud and RC it's. The leader went around these topics in Europe, and we have a lot of attendees, a lot of very interesting presentations, more than 100 speakers. So it's clearly GUI you shouldn't miss regarding the webinar. Some guidelines you are muted centrally, so you don't have to mute or unmute yourself. We are controlling these features. We will record the webinar and the podcast recording will be available tomorrow
Latest. And there's the option for, to ask questions. So you can the questions at any time using the questions to then to go to webinar control panel, which you usually will find at the right side of your screen. There's an area questions and there you can, the questions and the quick U a session will be after my presentation, but you can the questions at any time. And I always recommend entering these questions once they come to your mind so that we have a good list of questions we can work on in the Q and a session. So let's start with the content identity information quality. What I wanted to talk about is what is this really about how to improve it? And when I look at various conversations with customers, we have in our advisory business with a lot of our end organizations, also with some vendors, etcetera, then identity information, quality clearly is one of the remaining under the, the everlasting sort of challenges we are facing.
When we look at identity and access management and identity and access governance, I want to talk quickly about what it is, and I want to talk about how to improve it. So bringing in some ideas, I don't think that I, that I already have found sort of the holy grail for perfect identity information for probably there is some those, those thing as, as, as the perfect solution. I think it's a process, a continuous process of improving the quality you have and identity information. And this is really sort of bringing in some sorts of about how could you do it? What are things we see at customers? What our ideas we brought up as result of conversations with customers, et cetera, to give you some ideas on how to do that. As I've said, at our information risk and information security summit, late November in Frankfurt, there will be the opportunity to dive far deeper into detail on this in a very interactive session format.
So you shouldn't miss this second part after my presentation will be the Q a session. So what is identity information quality about? It's about the accuracy of identity information. So this includes the status of identity. So is still an employee is still in customer, thus the person's to live, et cetera. So the status is one thing. The correctness of attributes is the second one. So are these attributes around the person and the digital identity person has still correct? And we frequently observe situations when customers talk about and say, you know, the problem we we are really facing is we, we know that we are not that bad in, in, in identifying orphan accounts, etcetera. So we know, okay, these people still are in our organizations. These are not. But the problem is for instance, that we frequently stumble upon the fact that they are working at a different location right now. And we don't have a clue about it. And other applications are relying on our information on our, these attributes and they then fail or their, their problems. They, and people come back to us and say, Hey, why don't you provide correct information? So this is really sort of the challenge.
A lot of organizations currently are facing around this, the correctness of attributes. And then the other clearly is also timeliness of changes. So frequently attributes are changing, and this has to be done at the right point of time. And frequently, these changes are done far too late. Sometimes they're also done too early. So if someone is changing the drop within the organization, there's a specific point of time to change certain attributes. And some might be changed earlier some later, even in, depending on how the process is set up, et cetera, the other challenge around identity information, quality aside of the status, the correctness and the timeliness. The other challenges that we have to think in a three tiered model. So we have accounts, the active directory accounts accounts are the website SAP account, whatever, and we have identity. So we have digital representations of persons, maybe also of things, et cetera, but let's stay for, with persons for that, for that webinar today.
And these persons might have different identities even on the same organization. So my favorite example always is the employee of an insurance company, which might be an employee, which might be a freelance broker every evening, and which might be a customer of the same insurance company. So he has multiple identities and we need to understand which identities are related to which person the same problem occurs. When you look at, I will talk about is later more in detailed when you look at bring your own identity stuff. So someone logging in, we are Facebook today. We are Google blast tomorrow, and maybe in two years using another social network or whatever we've never have heard about today. So we, we don't know what will be the system of choice in two years or three years, three years from now. And we have to understand there's a person which have might have more than one identity. And each of these identities might have more than one account. We have to think in the three tiered approach. And this is, I think very important for us for identity information quality, because obviously some of the attributes are in fact person attributes. So first name, last name, whereas others are identity attributes, employee location of its office versus freelance insurance broker location of this office. I think this is very important to understand.
Then the question is, how can we improve it? How can we deal with it? And the first step role is understanding where we are today. We, I think last year we helped released an updated version of a report around the K and KPIs or the key risk indicators and key performance indicators for identity, access management, identity, access governance, and some areas of KPIs. We have some, or one of the areas is identity administration within adminis identity administration. We have to find these six key performance or risk indicators. One is employee screening. So do we really track back with our employees, whether they are still S one is really orphaned accounts. So do we have orphaned accounts? One is the digital identity is per physical person. So the more we open up our organization to bring in customers, etcetera, the more we will have situations where someone is customer or prospect and an ley or other situations, how good is our, the reach of our IM the time requires changes on identities and access.
And we can then go dive deeper and do this time requires changes on identities and access, for instance, to really measure the timeliness of information. So in change process. And so creating an identity is one part, but changing, doing updates correctly is a different story. And sometimes this is where, where, where processes really fail. Also one of the topics I will touch more in detail later on delegation of administration. So we have various KPIs here. And one of these KPIs, or is the orphaned one, which looks at the number of account. So this goes a little bit more into detail showing what is our indicator? How do we inter what is the interpretation of it, the unit, the direction, the associated risk, what you do to, to optimize it, etcetera. And this is just one way, and probably one thing you definitely need to do understand where you are today and understand, so measure things.
And, and also then you will be able to, to direct your broker over time and to justify also the investments you, you do in, in to improving identity information. Quality. Yeah. Next question I want to touch is why to care about identity, information quality. From my perspective, there are five main factors or five main reasons why to care about identity, information. Quality. One is governance, risk management compliance. So there to, for instance, correctly enforce sod controls or any other type of access governance. We need to understand, do we have to still the right persons here? So are they still in place? Are the roles correct? Etcetera, etcetera. So this is one part, find information, quality. There might be former compliance requirements around this. So especially when looking at customers, dealing with customers and other things, there are various things we have to look at and general for information security.
It's important to have a good quality here. So if things are wrong and then people appear in a different, in a wrong role, et cetera, then this might cause problems. The second reason is business process quality and reliability. In many of the organizations, I'm gonna talk with our, our advice for customers, virtually all of these organizations, others rely on the identity information. So there should be either physical or virtually. There should be a trusted source of identity information where others can rely on. And this becomes clearly even more complex. When we not only think about the employees where the HR might at least surface one of the or reliable sources, sometimes, sometimes not also a topic I will touch later, but the more we go into business partners and customers, etcetera, the more complex these things become. So the worse our, or the lower, our quality is the more problems we are causing in our approach processes. So we have to have good quality for these other processes. And if the other process is riled, then we have a lot of discussions. We have a lot of finger pointing, oh, you are guilty of not providing the right data, et cetera.
And also our identity management system will not be used as it could be used. Another important point to is license cost too many users and systems might increase license costs. So if you have a lot of orphaned accounts, it might become a problem, or if you have inactive users, but inactive problem is a little bit out of the scope of the, the narrows or inner scope of identity information, quality administrative costs, another reason. And what I really see and observe in many organizations is that they spend a lot of money in manually refining identity data. So the point is they, they end up with, there are issues in our process. And then we try to fix this in some way or another frequently. This is done, this, this fixing stuff, trying to fix it done by, okay, we, we might add a script. We might try to identify the weaknesses, but then we still end up this list of let's say a gray area list where we don't know exactly is this correct or not.
We have to do this manually. And this can consume a, a very large portion of the overall time organization spend and identity and access management. And that's just the point where then really makes sense to think about how can we not only deal with the symptoms, so issues and add anti information quality, but how can we deal with the cause of this? How can we improve the processes? How can we improve the quality? Finally, there's a first reason there's return on investment. This is a little bit related to the second one identity information that is not used is of no value. So if the quality is an inhibitor for reuse of the identity management, then the ROI of identity management will be lower. And it makes a lot of sense to, to think about its reasons that there, I think there are various good reasons to invest in identity information quality.
As I've said, I don't have the single solution, which, which you can apply and say, okay, if I do that, every problems will be solved. I think the, the challenge is too complex for a simple solution, but I think there are various things you can do. One of these things is understanding which systems are leading source for what and what, what I, what I frequently see is that organizations do that. They look at an object and to create process. So what they, they really do is they say, okay, this one, the object, the person, and mainly this person, this object person, or identity is relevant to us. And I look at where does it come from? I look at a create process. However, this is, I think the, the important thing to understand, it's not all about the object. We need to understand which objects do I have.
And it's per it's identity. It's the organizational unit that might be several other objects. You can follow an data model of whatever data model you're you're following here. We have to look at the attributes, last name, first name, the room. The person's current is sitting in where the offices, etcetera, etcetera. And then we have to look at at least create, update and delete and try to understand where does it come from? So it might be from HR. It might be from various HR systems. So then we have to dive in a little deeper. So if we have multinational organization with a lot of HR systems, for instance, then we might end up saying, okay, there are various sources. And then we have to build a bigger, bigger spreadsheet than the one I have depicted here. But when we look at the room, HR might not know anything about this.
It might be the personal assistant of the departmental manager, which enters this field. And when we update it, it might be the user who has the responsibility. The user might be the one who does it when he changes the room. So we need to understand where, where could they come from? Where should they come from when we do that work and I've done it with customers. When we do that work, then it's usually a lot of learning in there because yes, they're CHR. When we look at employees, if we look at business partners, things are different. If you look at other identities, customers, etcetera, things are again, very different. So we also need to understand this is not, this is done right now for one group. HR is not a leading source for everything. If you, depending on our use cases for identity access management, but most organizations currently are, have to deal with far more identity.
So things are getting more complex. And then we, we, we will end up with some situations where we either don't know, where does, where does this attribute come from? Who's responsive for updating, et cetera. Or we end up with a situation where we say, okay, there might be various persons that update this thing. And then this helps us to, to understand where do we have weaknesses in our processes, which processes do we have to, to change? And when we have done this step, then we are a good step forward, have done a good step forward. When it comes to process understanding how should the process ideally look like who in fact is able to provide that information to update it, who should be responsible, who should be accountable. So it leads us to processes. This is not something which we do in 30 minutes or so it will take some time because the interesting part starts when you go beyond the standard, such as last name or first name to the me specific AEs, which are maybe not an HR cetera, then things really become interesting.
So processes, when we look at processes, then there are some things we, we have to, to, to understand and look at. First of all, we need to get sponsorship. This is about HR IM and sometimes business departments. When we look at the employees, when we look at other types of identities, such as business partners and customers, then again, other players come into this game. We need to clearly define responsibilities and accountabilities down to objects and attribute. So we trust saying, okay, data comes out of the HR is not sufficient. We have to give far more into detail to define then the processes. And then we need to communicate the benefits, not only the duties. So, so one of the, the typical problem is caused by the fact that Diane says to HR, Hey, we need these attributes and we need them in the perfect quality. And HR says, we do HR. We don't do identity management. We don't care about an attribute. We do not feel responsible. And don't tell us anything about the quality. So then, then you're in a clash. You should avoid this. It's about understanding benefits. But as I said, also, sponsorship on defining responsibilities and accountabilities on this.
What you should not do is you should not make yourself dependent on the HR consultation project, my programming in your organization. So I've, I've seen various scenarios for organizations are currently waiting for, for an HR consultation project to complete. Many of these projects take somewhat longer than expected and they don't necessarily solve everything. So there might still be a, a very mixed quality within that. So instead of saying, okay, I know the HR system, which has weak quality, I might have said, okay, I know the reach in our global HR, where the weaker quality will be, will be. And so this is really understanding you shouldn't be make yourself too much too dependent on this. Try to improve the processes step by step. Now, clearly identity information quality is not only about HR data. Some data is provided patterns. I remember, I think I've blocked about eight or nine years ago, even.
And, and still a lot of, lot of people out there are telling how, okay, it's very easy identity management. You use your HR as trusted source, and then everything is done. No, not true. And what you also need to do. Even when you look at processes, you need to implement quality assurance processes. So it's not only about defining a process for changing. It's also about implementing a quality assurance, but let's move forward. I think there are some other things you can do some things which go a good step beyond that. And that's what I, what, what I want to talk a little bit about here. So what you can do is you can do automated checks. So many attributes are held on many sources in your organization, and that's true for any type of identity. That's true for your employee. That's true for your customer, et cetera.
So you might have various systems for your customer. You might have to CRM, you might have some information. The ERP system, you might have some registration on information already at your website side, etcetera, and you might try to compare it. So why not implementing automatic tracks, automated tracks as part of your QA process on identity information, quality, how you, so you might rely on your provisioning system. So you might look at your provisioning system, think about how can you use that, that might work in some area, some cases and others don't. It might not work that well, but most of these systems in provisioning and governance have some capability of comparing things. I think this is something about evaluating, but there are at least two other groups of tools. You, you might look at. One is ETL tools. So tools which allow you to transport data in other systems, which usually have also some capabilities and, and comparing data cetera, or MDMs are the data management, not mobile device management, the case, but Mar the data management tools you might have in your organization, because the letter are already built executive for the purpose, but even scripts might do the work.
So doing sort of tracks and, and identifying where things out of swing between various resistance helps you to understand what is happening ETL by the ways extract transformation load. So this is a category of software, which allows you to transfer information and change firm, etc, from one system to another, but also do a lot of work transformation load, etcetera analyzes, which might from that perspective help you in that area. So, as I've said, there are various ways to do it, to move forward on, on, on really getting better in this area. And this might help you still is one thing which you clearly might benefit from is that you understand where other issues, where's the quality, where's the higher quality, where's worse quality, et cetera, fixing things based on that might become a little bit more complex because you don't have to understand what is the correct data and how can I automatically fix things, or you should why to end up in too much manual work and comparing them the, the mismas cetera.
But it's one thing you can do. The other thing. And I just recently blocked about the other approach I have in mind. This is what I would call identity recertification. So probably several of you have an access governance tool in place today. I think that is very common. So I think rather a big portion of organizations already has to blow such a tool and access governance tools. Commonly are one of the things you commonly start to do with is recertification of access rights. So departmental managers have to, to re-certify do my BLS cert ones in the department have to correct entitlements or are assigned to the correct business roles, whatever. So it's saying, okay, these are the employees. These are the access rights, correct. Or no, and say, okay, this has to be changed. And this is okay, and you go back there. And so this is from my perspective and I a good thing to do for access rights, but why not do the same thing for re-certifying the identity information?
Interestingly, I've never ever seen any organization using these tools, the recertification processes for improving identity information quality, but it's a, from my perspective, a very logical thing to do. So if you can set up a recertification campaign for access, why not for the identity and the attributes, some tools will allow you to implement it. Rather simple, some not something I'm currently researching. So which one is easier or better to use, which one is more complex, but in general, it's, it's nothing which is, which would be the sort of rocket science in the sense of, I can't do it at all because it's then just saying, okay, I don't care about the ex entitlements of that attribute, but I care about the location, the, the office number, the phone number, whatever for these persons. And so who should do this? The employee, for instance, the employee, I think is someone who can do some, re-certification some at adaptation for several of his attributes.
For sure. You can also do it with other groups, business partners that have self-register for customers. I would say it's a little bit more complex. So the customers might be a little bit reluctant in doing sort of certification, but maybe it's about giving them the opportunity to say, okay, check your attributes. Is the information still correct? Cetera. Maybe if it's about customers, maybe you say, okay, this is your benefits. So whatever this, yeah, I think they, you just can give, avoid this in some way, or I say, win the prize, etcetera. So there are various ways to do it, but I thought of the employee or the person itself there's the departmental manager or the personal assistant, maybe in that case, even more because the personal assistant knows more about the details in departmental manager. When you look at the attribute, so this might be a very interesting person to do it.
You also might assign into a specific role in your department. So as I've said, there are various ways to do it. Maybe if also to combine it because the employee might be the one who or the, the person itself might be the one who re certified some office attributes. Whereas others must be, must not be shown to him, but done by the personal assistant of the departmental manager. This is also because Pia data and legal issues, etcetera, you have to be careful around that, but done right. That will really help you to increase both awareness of identity, information, quality, and the quality itself. So people become more aware of it. And, you know, maybe it's, it's something, especially with the, usually you have some, some people or some parts of your organization where, you know, the identity information, quality delivered by them is not very good.
And so maybe it's a good idea to start recertification exactly with these, with these departments, with these divisions, whatever, because it's also about learning, okay. We have an issue showing it to them, increases awareness, and really help you in improving the, the data they provide through the HR system or whatever other way back to you. So this is one of the things I'd really like to see more in practice identity recertification. When we look at some other groups then such as the business partners, then for business partners, as long as we register them directly. So if they're self registration or we register them, then more or less, the same things I've I've talked about before for the employees apply hybrid is also the area of Federation where we federated or federated, some business partners federating in the, the easiest approach here because the business program manages the identity.
And usually in the contract, there's some liability defined regarding the identity information quality, or at least some liability. It might not necessarily directly say you were responsible for the quality of identity information, but if something goes wrong because you didn't manage your right entities correctly, then you are liable, but it still needs quality assurance. So maybe the business partner managers on your side might do some re-certification. So that for everyone, maybe depending on the number of partners clearly, but for some of them, why not doing it there as well, let them recertify. Or if it, if you onboard partners directly, they might be very willing to ensure that their information's correctly. If you show the benefits for them associated with the work they're doing for you, when federating out things are changing a little. So when we are federated out, then we have to look at the liability issues because you can't take the liability, unless you can guarantee a good level of identity information.
Quality. This level might be an agreed one explicitly, or it might be sort of the good practice because once, once something goes wrong and the end up as a lawsuit, then good practice might be the one you, you have to at least demonstrate here, orphaned accounts. So it's a worst case scenario in that case, a little bit of fat fear and uncertainty doubt here, orphaned accounts of former employees that are still active and lower remotes. We are mobile mobile devices to the business partner. Clearly that's something which you should avoid. You need a quality assurance process here. And yes, Federation is something where, where you really need to improve the things you're doing. And I've shown you some ideas on, on which we have around that. And for sure, if you have other good ideas and good experiences, feel free to enter it in the question section or share it via email with me or come to our event in November to discuss it or DIC, which clearly also will touch this topic next year in may.
I'm very interested in any positive learning and positive experience on how to do it, the opportunity there in so in a really improving equality, I think the good thing here is business is interested in a solution. So when you're talking about Federation and other ways to interact with business partners, then this is virtually every time driven by a concrete business demand. It's not something you and it in when and say, Hey, we need to do it up. But it's where business comes and says, Hey, we, we need to corroborate with this business partners. That's the point where you can say, Hey, to do that. We need a better identity information quality. And these are the shortcomings in the process. We have identified. Let's fix them. That gives you less issues around liability risk, etcetera, and is helps us. So this might be a pretty good starting point to improve processes because the business usually also has more power than it. So while you might be struggling, let's say with the HR department business can put a lot more pressure on the HR department when they need to solve a specific business problem.
Another area I want to touch is to bring your own identity stuff. So what about all these customers? Cetera? So bring your own identity, or I means you allow use users to use your own identity. That might be Facebook, Google blast might be some sort of stronger identity, their various providers right now T com whatever out there, which you can use. The good and the most interesting question at the beginning is how good is the quality and bring your own identity? Depends. I, I just have to say, in some cases, the quality might be arise or high. So if someone orders something which has to be physically delivered to his home and he pays in advance, then he's clearly interested in providing correct details on his home mattress. So that case quality is expected to be RA high. You might even increase the quality by relying on servers, such as PayPal, in other cases where it's just about registering, the quality might be weaker.
So in some cases, it's just that people say, okay, I enter something which is nonsense because it helps me really registration versus anyway. And I don't want this person to know who I really am. That's the other side. So there are various ways to increase identity information quality in this, in these situations. So one is you could rely on services such as shoe determined, credit standing agency, or a lot of other, a lot of, a lot of other companies, credit standing agencies are available virtual every everywhere, etcetera, where you could rely on, you could, could use other accessible information services to verify addresses or names cetera. So there are services which allow you to verify the address. Cetera, there, you can use the graph APIs of social networks, as long as you have access to the details of the person to get more information out.
And the more consistent information you can obtain from various sources, the better you can verify that the details which are, which have been entered are correct. So you can improve or assure identity information quality based on relying on various sources. One of the challenges you have to look at in this context is also understanding whether you have the same person already with some different identity. So someone who came in we Facebook and right now comes in, we have Google plus in that case, it's really about how you maintain correct mappings of person identity. The more attributes you have an access, the better you can do this clearly it's if you have a rise, a long list of details, then the, the certainty, the probability that is the same person that you do, things right, that you have a good level of assurance is higher. And this is something which in fact is currently happening.
So, so when you look at how things are, are changing in authentication authorization, then we see more and more approaches. You might look at Federation at the claims concept, the Microsoft propagating and others, where you have your directories, you do the authentication, but you also have identity providers which can provide additional attributes here, which might be internal or external sources here. It might be your CRM. It might be an external credit agency, whatever. You might also have some context information, which might fit to someone or not. And taking all this together then allows you to do a policy based authentication, authorization decision and per transaction interaction. There might be different authentication providers and identity providers for additional attributes over time. So this is really an area where we see a lot of change currently, the way we deal with identity with authentication authorization. And I think it's very, very important to understand is we had, I think just last week or the week before we had a webinar on the extended or connected enterprise podcast, recording is available to our website.
It might be worse to have a look at this as well. And this is exactly the point. You know, it allows you to sort of combine data sources. So instead of trying to have only your own data, which you put together in some way, and try to get smart information about your customer, think about, you know, you have some data. So if I go to the right side of the screen, you have some data, you might have some access to, to, to larger chunks of data from whatever type of information office that sells some data about customers or whatever, or it's your own data and your CRM or your own data. And, and some other data sources you have internally, you combine this, you process it, and then you enrich it. You go to social network, we had the API, you go to a credit agency.
We had the API to come back with a more, a refined and more well it's view on the data sources, services, something you should look at and think about how can you do it by combining various sources data. So to sum these things up, and I, I hope that could give you some, some ideas around how to improve identity information quality. And before I sum up again, we have the Q and a session then within the next few minutes. So if you have any questions, start entering them now so that I can pick them up right after my last content slide I have today. So what are the five steps I see in improving identity information quality? The first step from my perspective is define the data model in detail for all types of identities. I think this is one of the most important, valuable steps and one which is rarely done in detail in organizations, because this really helps you to understand where are my issues?
What are the processes, cetera, et cetera. The second thing is define, implement and enforce processes for create up that and delete. There might be a lot of processes depending on the types of identities, et cetera. This is second step define, implement, and first identity information, quality assurance processes as a service step. So define processes to ensure quality, very important, implement identity recertification. Think about really doing recertification here. I think this is a very logical thing to do. Makes a lot of sense. You might have the tool on hand already to do that type of recertification and review your options for verifying information, identity information based on external data sources. So which information can you verify based on external sources, you have to keep privacy laws, not regulations in mind here, clearly in Germany, it's the belief slot. So the workers count and other things you have to look at these things, but clearly this is an option. So these are some of my salts I have around identity information, quality, and how to improve it right now, we'll move to the Q and a session. So if you have any questions, enter them now. And as I've said before, I think we have two upcoming
Ones, which both might be an excellent opportunity, provide excellent opportunity to discuss this with your peers, with the co call Analyst, et cetera. So this is really what, what I want to share with you. Don't miss the ones. I will move over to the question last year. So one of the questions I've got here is that for bringing your own identity, what are the ideas and identity? Sure. So the ideas I have the ideas of quickly talked about is really for bringing your own identity. I think first thing is understanding which things so which identity map to other you might already have, cause it allows you to combine various attributes, to compare attributes, to identify things.
I think the other other thing is really verification of that based on external sources for identity information, some of them might be freely available, which is that frequently the case, many of them are just paid sources. So, so agencies which provide information about persons, as I've said, this is always a question of legal aspects, etcetera, but it can be done. So this is really the broad I would follow here. There's another question, which is how do legacy systems and previous mergers and acquisitions impact this exercise? I think it's a, it's, it's an interesting question because usually when, when you have, have done MLA than you will have different, you will have different processes here. So you will have various processes in various parts of your organization and aligning these processes, improving these processes, one of the things you need to do so that there, there might be an effect in that sense.
On the other hand, they might also positively affect what you're doing due to the, the bigger pain you're you're facing regarding identity information quality. So it can go into both directions from my perspective, legacy systems. I don't do not see that much as a, as a challenge. So legacy systems, if there are source of identity, and I think you can handle them the same way, it might be a little bit more complex to, to improve the process around legacy systems, especially with very legacy systems, which are RA role where no one knows how to customize them. So then you have to think about how can you change ourselves the problem in another way by adding or relying on another source or for identity information for a certain attribute, etcetera. Okay. Another question which came in back to this identity assurance question around, bring your own identity. Yes, I think there, there are a lot of other services, which in fact them so such as an credit agency agency or others, which in fact can act as an IDP service. And I think this is also great opportunity for, for business models around IDP services in, in a broader sense. So not, not as much, maybe the authentication, but delivering additional attributes for identity assurance, hope that answers the question. Any other questions?
In the meantime, I just also want to mention some of our related research. So there are various documents, which might be interesting in the context of identity information, quality, such as the curious performance indicator report I've talked about. So there are various types of documents and you will also find a lot of research. As I said, I also recently blocked about the reer identity re-certification idea. I have. So as I said, don't miss our events, have a look at our research or rely on our, our advisory and hope to see the one or other of you late November in Frankfurt or next may in Munich. Thank you for your time. Thank you for attending this. A call webinar, the various other upcoming webinars as well. Have a look at our website, see you, or have you listening to me soon again. Thank you. Bye.
Stay Connected
How can we help you