Event Recording

Expert Chat | Interview with Kay Chopard

Okay. Okay. Pleasure to meet you. I don't think we need to do further introductions. Most people know me, at least the ones listening here at KuppingerCole, and you have already done your talk. So yeah, I have been following the Kantara Initiative, I would say, probably since day one, more or less. So we started very early looking at it, because at the end, what Kantara does, and is doing these days, is always related to our core of identity and privacy, et cetera. So, to start, one thing you just touched on was that there are various working groups, and maybe you can give a little bit of an overview of which working groups are currently very active and where they are heading. You touched on UMA already. So a little overview of the state would be super.
Sure. That's a great question. And thank you. It's wonderful that you have been involved with Kantara from day one. So you probably saw I've only been the executive director for not quite six months. So, you know, there are probably things you know more than I know, but I appreciate that background. So there's a variety of work groups, and the most current one, the newest one, is on privacy-enhancing mobile credentials. And, you know, that really got started from a discussion group around mobile driver's licenses. But what they're realizing is that we need criteria around mobile credentials, because it's not just the driver's license, right? There are wallets; there are all kinds of other solutions. And we really recognized that we needed to be helpful in trying to figure out the criteria that, as the name suggests, are privacy enhancing, because there's a potential for it to be abused, obviously. And so mobile credentials we see as one of the most up-and-coming areas, and moving so quickly that it's important to try to figure out that criteria.
That seems to be quite close to UMA, at least in the basic thinking. So when I look at User-Managed Access, there's also a very strong privacy angle about controlling. And we all know these discussions about, for instance, driver's licenses: you go to a bar in the US and you have to show your driver's license. It doesn't only say, oh, you're above 18 or 21, you're allowed to drink alcohol, but it tells the name, the birth date, and a lot of other things which are not required in that context. So there seems to be a logical link between UMA and this new privacy-enhancing mobile credentials initiative.
I think you're absolutely right. I think that there is a definite link, but I think the reason for the spinoff is because, you know, in examples like you say, mobile credentials can be used for a variety of things, and yet you want the user to have the ability to control what gets shared. And I think that it got focused on the mobile credentials in part because there are other places where the user-managed experience in online transactions is also critical. So I think the user-managed experience still needed to be in place, and I think they're still doing really vital work, because there are a lot of situations where their work is important, and it's not always just mobile credentials. But what we saw in the field was the use of mobile credentials really beginning to proliferate, and it seemed like it needed its own attention for exactly the kind of example that you've given. And we're seeing more and more use in financial transactions, right, where wallets are also being used to pay for things. And so we were trying to make sure that we didn't leave that out. Sorry. Yeah.
I think there are also some other things which make it meaningful to have a separate working group, because when I just think about my mobile, I might say my standard setting for using it. So I don't use my driver's license on the mobile that much, probably, but I probably would say, this is the standard setting of our wallet. I probably would have some standard settings. And this also needs to be, I think, neatly woven into the operating systems, into the app space. So it's a little bit of a different play than you might think. It is, but the rationale behind privacy enhancing is very much the same.
Yes. I think you're absolutely right. There are a couple of other work groups to tell you about. In my presentation, I mentioned the Identity Assurance Work Group. That's really the group that owns the Identity Assurance Framework that Kantara created, and really owns the criteria to make sure that companies are assessed at various levels of assurance, and to make sure that they're maintaining that high standard, if you will. So that's an ongoing group that is probably about the oldest work group that Kantara has. There's also another group that works on healthcare issues, and that has really started to take off even more now. I think part of that is because, in the healthcare world, during the pandemic, it became much more problematic to share information, for healthcare users of the system to be able to access their information, to make sure that providers were sharing information, which in some instances is about life or death, right? This doctor needs to know what medication you're taking. So being able to do that, and yet do it in, again, a privacy-enhancing way. And at least in the US, there's more interest in interoperability now than ever before. I'm sorry. Yes. But...
But it brings us back a little bit to the question from the audience just a few minutes ago, which was about identity assurance and its relationship to GDPR. And when I look at healthcare, at the end, the challenges are the same. Over here in Europe, we have a lot of discussions about, at the end, privacy and data protection versus the need to share data, to have, for instance, good statistics, so that we understand what to do next, how whatever works with which other, and which side effects happen. So this data-sharing need is there, here as well, even while healthcare clearly works a little differently over in Europe than it does in the US. But is there anyone in the working group, then, who is looking more at the global requirements, to make it apply to the different specifics across the globe?
I would say yes, because it's a very international working group. So there are a lot of representatives, not just from US entities, but also from European entities in particular. I would say the US, Canada, the EU, and now the UK are all involved in that group. And I think you're right that they're looking at it a little bit differently. There are different needs in healthcare. And there are also, you know, some other laws or rules about sharing healthcare information. And I think that's part of what this work group is trying to balance, because, like you say, we need statistical information. We need to be able to share some of this for other kinds of reasons, and yet protect the confidentiality of the individual. And I think that's where that balancing comes in, and why it's important to be able to come up with criteria that somehow do both. And I think that's the really difficult issue, because no matter where you are, there's a lot of concern about privacy when it comes to the healthcare records of individuals. And so how do we do that, and yet share the information we need to? I'm not sure that they've solved for that, but I think all the things you are raising are exactly what that work group is trying to do, yeah.
And this should be feasible, because when you read the GDPR, there are sections which are specifically about patient data and healthcare-related information. In the US, you have HIPAA and other regulations. So at the end, there's always strong regulation around that. And I think it should be quite straightforward to incorporate the specifics into a protocol, saying, okay, depending on that, you configure it that way or that way. When I looked at the Kantara website, I also saw the Connected Life theme. So you have Connected Life, it says on your website. Yes. Oh really? That was really related, on one hand, to UMA, but also beyond UMA, to all this sharing for when you're accessing, so credential sharing and stuff like that. So I thought it was very interesting when I looked at your website. Give me a second, though.
Okay. I'm sorry. See, now my newness is showing.
Yeah. No problem. I'll figure it out. I'm absolutely confident that you have more insight. Just, once we look at this, it says the Connected Life innovation groups are User-Managed Access and Information Sharing Interoperability, with continuous development in consent, information sharing, notice, consent and stuff like that, personal data use records.
Right. Right, right. Well, I'm not sure if there's an actual Connected Life group, but, what you just said, there's an Information Sharing Interoperability group, which feeds into this. There's the Advanced Notice and Consent Receipt group, which used to be, I think, just Consent Receipt. It's kind of morphed into, again, somewhat broader consent receipt specifications. But I think, and again, I could be wrong, so I'll have to go double-check and get back to you, that Connected Life is made up of these multiple work groups. And I think, just like you pointed out in the beginning about how the privacy-enhancing mobile credentials relate to what UMA is already doing, right? Yes. And I think that's one of the things that I see a lot at Kantara. Again, maybe it's because I'm new, but there is a lot of interconnection here.
It's hard not to have overlaps in the different topics that each work group is doing. And I think that Connected Life is real. I don't know that we have a specific one just for that, although I'll double-check to be sure, but I think all of these are coming together and specifically looking at how this is, right, connected life. It's hard to get away from that. But I think, just as you pointed out in the beginning, it is interesting how all of these really need to be coordinated. And I think in some ways that's the challenge. Yeah.
And it's all about identity, privacy and assurance. Yes. So to speak, it's all centered around that, which brings us back to this identity assurance theme. At the end of your talk, you elaborated a little on the third-party assessment. I found this of particular interest, because a lot of what we are doing currently as analysts is looking at this sort of end user journey, be it the onboarding or be it the recurring access. This is moving more to the center of attention, but it also gets more modular. Hopefully I think that's probably the right term to say. So organizations increasingly don't think, okay, this is my onboarding. But onboarding is: you have different authenticators, you have different IDPs, you have identity vetting in between, you have various steps in that. And that includes a couple of providers and the protocols and interactions in between.
And I think that reflects well what you said, that these processes become more complex. There are more parties, third parties, involved. So I think this really aligns very well, because we really see this tendency. Take also all the stuff around identity vetting: this has been, until now, primarily used when it's about strong KYC regulations, know-your-customer regulations, in certain industries like finance. But right now we see this happening in more and more other industries, non-finance, non-telco, because they say the identity risk is getting bigger. That also means, in consequence, there's this need for saying, okay, can I trust this provider in my process? Is this the right way to look at it?
I would say yes, I think it is the right way to look at it. And again, I really think that so much of this has gotten heightened attention in the pandemic. You know, there are just so many more things that had to convert to being remote, had to convert to identity proofing, that, you know, maybe before somebody walked into an office and did whatever their transaction was, and now that became not feasible. And I think what we offer in that assurance process, again, to me as the new executive director, one of the really important things about it is that it is technology agnostic. And yet that third-party assessment holds everybody to a higher standard. And as we are seeing, as you said, it's much more complicated. And so I think what happens is purchasers of identity proofing services are looking to see, how do I know I can trust everything? When I'm hiring company A, but they're using company B to do a piece of it, or company C to do another piece, how do I have confidence that the whole thing is really in compliance? Because if one breaks down, it breaks down the whole system. And so...
Then, when you look at one of these providers, and this market is highly fragmented, but we also have very complex OEM partnerships and other types of partnerships: do you also then look at, so if I'm company A and I'm using B and C for certain steps, do you then say, okay, to approve me as company A, I need first to approve B and C?
Yes, essentially. We don't necessarily say company B has to get their third-party assessment first. But what we do say is that A, you're going to have to be able to show that companies B and C comply with the criteria. So if you're saying this is what you're using, then the onus is on you to show that companies B and C also meet the criteria in order for you to get that. So...
It's very much the same as in supplier risk management or cybersecurity supply chain risk management. Okay. And I think this is a great thing. Maybe we can now end up with one sentence, one recommendation, one statement from you before we hand over to Christopher, where we know he has at least one more question to ask from the audience. So what would be your final recommendation or statement?
I think that the market owes individuals the highest level of performance, and in order to do that, I think that means maintaining a high standard and compliance with international standards on identity proofing, and being willing to allow your solutions to be third-party assessed, to show that it really is in compliance. I think that's what we owe individuals. Yeah, we have to protect their privacy and we have to maintain security, and I think that's one of the best ways to do it.
Okay. Kay, thank you very much for all these insights, and back to Christopher.
