Event Recording

Expert Chat: Interview With Eve Maler


So welcome Eve. Pleasure to talk to you again. So, so we had many conversations over the past, probably more than a decade, and so it's always, I think, interesting and enlightening talking with you. And so ahead of this call, we already chatted a bit and, and found probably easily 10 topics we could cover, but we only have some maybe at maximum 20 minutes. So, which, which means we need to be a bit conscious of time. Maybe we got started around this verifiable credentials, decentralized identity, et cetera thing. What you mentioned at the end was there, there's a need for, or there, there are a lot of sort of reasons for, for organizations creating wallets. And I recently had a conversation that was about, is the wallet really the, the thing where you will, for instance, earn money with, because we see a lot of organizations or startups creating wallets.
I, I personally believe not because I believe first we will see wallets, like you've mentioned, coming up with certain types of applications. We will see wallets probably from the very large organizations and we will need interoperability. I think this is very, very, very essential that we have that we, we are able to say, okay, we have the proofs not only in one wallet, we can use it in, in different wallets and on different devices. When, when this entire em of blockchain ID, which is also closely related to that popped up, I talked to a lot of vendors and I always asked, do you support, so to speak, roaming? So on different phones, on the PC, et cetera. Virtually no one had it on the radar. What's your take on that?
You know, I think you, that's a very trenchant question, right? And I love this concept of, you know, applying roaming to, to wallet contents. We actually at ForgeRock, we call them wallet holdings, kind of like a bag of holding, if anybody out there plays Dungeons and Dragons or similar role playing games. I, I think that there's going to be increasing pressure over time, assuming that payment wallets, which are kind of everywhere, start to have more holdings in them that are not just, you know, transaction oriented and payment oriented. And I think that the payments are gonna pull along the other things. So currently we don't have a lot of pressure to have those be, to, to have that information roam or those benefits roam. But I think that the pressure will increase over time, the more that they become repositories of important things for people, not just for border control agents. You know,
I I I even would say even for payments, you know, if I have a, whatever, a personal iPhone and a business iPhone, then I'm already in that situation that I have more than one.
Oh yes. I, I mean I think there will still be more than one. I mean, the example I've been using is, you know, there's a prominent retailer here in the US, Target, and they have an app that is very attractive for shopping for Target things, right? And there's a wallet. Now that wallet is, you know, really only for, you know, the payment card for that retailer and there's incentives tied to it. It hasn't been very successful to date for large kind of cross retailer loyalty systems. We've seen, you know, several of the big ones fail. I think we're getting to the point where that will be more attractive as incentives become something we, we need, we as organizations need to bring people into the equation more overtly. Not just give them agency, but give them money. Right? That tends to work. So that's why I think that there's gonna be pressure in that direction.
And, and latest when the airlines come in, which usually have this cross company approaches, not only other airlines, but beyond that, where, where you find that, and I think we need interoperability and, and latest when we then move from consumer to, to workforce use cases, again, it, it means we need to, to figure out solutions for more interoperability, et cetera. But the thing is, we, we are here, what else do you think is, is really important for the future of access management? So which topics come to your mind?
One of the things is that we, in order to make better decisions, and authorization and access control is a very large class of important enterprise decisions, we need better data. And that's where the prospect that verifiable credentials hold out to provide better quality data could really be interesting. It's, it's, you know, it's a big part of that equation to get right, you know, and oftentimes I think we, we still get that wrong.
Yeah. And I, I wrote, more than a decade ago, I started writing about the need for identity information quality. Because I think regardless of, of where you look, you have this issue. So when you, when you talk with, with an organization about their IGA part, yellow side of identity management, and then they say, always complain about data quality and that then sometimes identity management must fix what HR doesn't deliver, et cetera. So then, this is, this is a challenge here. And, and when we look at, for instance, the, the, the N zero trust model, which is very much about policies, yes. Then we have policies and we have attributes we use for the decision making. When we look at the, all the policy based access control piece, then, then again it's, it's a policy and it's the attributes, and so for everything we do at the end, so policies are easy to keep under control, way, way simpler than roles and traditional re-certification. But the other side of the coin is even if you have a valid policy, the result is only correct if the data is valid and correct. And so yes, I think we have an increasing need for, for data quality.
Yeah. It is funny, there's a saying I've heard that, you know, once you solve your most important problem, your next most important problem gets a promotion. And what's interesting about the policy world, authorization policy world, is that it's, it's quite generative right now. I mean, you know, we had, you know, quite a long time to look at XACML and, you know, assess it, try it. And I think we're seeing some new things. You know, OPA being one. AWS just came out with this Cedar language to do finer grained policy management over AWS resources. It's, it's kind of a, it's an interesting era right now for, for policy. And if we actually get that right and make that interoperable and understandable, then I think, you know, the gaze will turn towards the, the quality of the data that's coming in. Cuz now it's really gonna matter, you know, if you've got your arms around policy. Yeah.
And, and, and I think, I think what probably drives this entire evolution is I, I think there are two things. The one is we've learned in the past few years, we have a huge security issue and, and, and also management issue in our cloud infrastructures. And not only the cloud infrastructures, but everything which becomes sort of dynamic. So with actual IT, with DevOps, with dynamic workloads instead of, oh, we have a few servers and we have an application on that server. The world has been changing and, and the way we handle it is not adequate to that. So that is part of it, like, like what AWS is doing with managing stuff more, more concretely and centrally. It's what cloud infrastructure entitlement management looks at for certain environments. And then we have the developers, and I think this is an interesting point: when, when I talk with identity management people about policy based access, it's really a simple conversation.
When I talk with digital teams, it's usually a very attractive, intensive and, and, and, and fruitful discussion because they say that helps us. We don't want to care about identity and access and authorizations. We want to work against the system, we want trust to have the policies, and business should bring in the policies. We do the code and someone does the rest of it. By the way, that's not new. I always say 1976, what happened? IBM released RACF. It's not new, it's out. This concept is out there for 46 years. The point is, back in the days it was a differentiator for organizations to have good business applications. Then this became commodity, so to speak. Yes. Nowadays it's a differentiator to have good digital services. So software is back and so this means this brings us this topic back and we need to, to think beyond just authentication and integrate it with authorization. I'm fully with you on that.
Yeah, it's, it's funny, you know, I mean we've been, we've been at this for a few decades and it's been an inexorable pressure to kind of democratize the creation and the management of policy, the same as we're seeing with the no-code, low-code movement where, you know, we, we are always striving to get not just users but developers into the flow, and you know, really meaning flow state, and the, the more that you can make that available to non-techies, the more you can actually ensconce business value in business logic that turns into policy. And I think we're really, we're starting to get there now after, you know, trying for quite a long time. So it's kind of an exciting time for that reason.
I, I see it as well. We see even customers saying, okay, that's truly also driven by the, the, the, the role of policies in the zero trust concept, which say we need to, to move to policy-based concepts, so to speak, everywhere. And we see some movement in privileged access management, we see it in consumer facing digital services. In, in that part it's slower in, in traditional legacy workforce authorizations. I think this is, this is a bit more tricky, but we see organizations saying we want to have a concept that helps us over the next few years to move forward and transition into such a world. Do, do you see these, these evolutions in, in your customer base as well?
Yeah, I do. And I'll tell you where the, where those worlds kind of meet when you mentioned consumer, because so many conversations I have around fine grained consent and consent are just, you know, very democratized, you know, user designed permissions that have to drive various kinds of authorizations, right? And so I really foresee where you can imagine an advanced data sharing permissions architecture that doesn't actually discriminate between workforce and consumer, between enterprise resources and, and you know, consumer controlled resources. And in my work in protocols for the last empty decades, what I've learned is solving for the consumer use case to make it automatable and scalable and self-service is the hard case. If you can do that, you can sort of back form it to the enterprise world. And I think convergence there really is possible and I think it'd be really beneficial to enterprises.
Yeah, I'm, I'm, I'm absolutely with you on, on that and I think we still have some protocol work also to do here, no doubt. But I think another point, that's what I like about policies and access, is people understand policies. Policies have a very simple structure, which is subject, action, object, maybe a constraint, and whatever firewall policy has the same structure. Like child don't touch oven at the end. And if you talk with, with someone in business, people can describe policy: oh, my employees are allowed to access this part of SharePoint. If you ask them for business roles, they look at you and say, what do you mean by business roles? That's a really
Good point. That roles are the foreign thing. Whereas policy just kind of has a, a standard grammar, right? I mean it's, it's, I want this to happen, I want this not to happen, over the, you know, these things that are in my control, by these folks. You know, it's a sort of simple, usually sort of three-dimensional, sometimes more than three-dimensional equation. And I, I think you're right that it's quite intuitive and we should be making it more intuitive everywhere.
Yeah. What else do you see as the, the big things coming up in access management? Where do you spend, where do you think about, or what do you think about?
You know, I spend a lot of time trying to, to square that circle of the, the, the similarities between trying to do data privacy right and data security right. You know, I see them overlapping obviously when it comes to data protection, you know, as I say, not accidentally letting the data out, but also transparency, which you know, for the enterprise looks like sort of auditability and for an individual looks like, you know, they get some sort of monitoring dashboard, and then that pinnacle of what you wanna achieve is control, and for privacy, control looks like, you know, maybe consents as regulated right now. For, for, you know, any enterprise it looks like really getting finer grained, and you know, I'm quite interested to see that, you know, from the open banking world we've started to get these tools around the OAuth stack that, you know, let the, those magical scopes, which are, you know, some people use like roles, but really that can be anything, let those get finer grained and more transactional and, you know, aligned with the payment world and the banking world. And so I think that that's actually a really important direction, that that fine-grainedness
We, we need to, to get fine-grained. But, but the other point I think is, is again, when, when you say for instance data security and data privacy, again policies are, are a common element. Yes. And what I've learned in, in all discussions about policies, I think the tricky thing is at the end, aside of, so, so one thing is the data governance aspect we mentioned. So you need to ensure that the data you use for decisions is correct. The other tricky thing is how do you combine policies? So is this an intersection or what is it? And that, that is something which, which sometimes requires some, some very thorough thinking to figure out the right way to do it. But I also like this fine-grained aspect because at the end, what, what you look at, this policy is fine-grained authorization at the end. With, with traditional access management we do anyway coarse-grained authentication, authorization, we say Martin is allowed on a web access management system to access the system. But we need to go, go more into detail and I think the example you brought from the open banking world is a good one. And I think the other good mass use you bring in there is this can be incorporated into established existing protocols. Yes. So it's not about yet another protocol. Yes. It's about doing so, sort of maybe, maybe it's about oh three so to speak.
Yeah, I mean it is really, it's, it's layering functionality on top of something that's, you know, we understand, we know how it works. And what's always fascinated me about it is, you know, the, the original use case for some of these PE pieces that are coming into the, the Financial-grade API, you know, standardization, they, their motivation originally was around payment, cuz like if you were to grant somebody payment rights or, or you know, read, write access to your bank account, that means they could just send out to themselves as much money as they wanted. That would be bad. But the use case was really around like, well, if you wanna pay this much money to this merchant to go buy this specific thing and then the access turns off. That was actually too tricky for OAuth to do until they, you know, invented a few relatively simple things on top to achieve that transactional, and the use cases go way beyond payment and banking. You know, everybody could utilize the notion of, you know, do one thing once and then access stops. That's a nice, and
Hopefully everybody understands it. You just have to be able to implement it and that's where all the work came from.
Yeah. And, but hopefully that this comes back into sort of the broader standard perspective. So first, thank you to ForgeRock for supporting this Casey Lament, thank you for, for being available today, and it was fascinating as always talking with you. A lot of topics we've touched, I think we could probably spend hours continuing talking. Unfortunately we have a fixed agenda. So it's time for me again to thank you, to thank everyone for listening and, and to hand back to Matthias.