Event Recording

Panel | Why Access Management Is About Managing Risk


Okay, so thank you Matthias. I think we don't need an introduction for you. You've been present all afternoon or all morning, depending on the time zone. But welcome Matthew, and maybe, Matt, you can quickly introduce yourself and your role at ForgeRock and in the access management field.
Yeah, absolutely. Thank you Martin and Matthias for having me here. I'm always excited to speak at KuppingerCole events and be part of a panel. I'm a senior director of product management here at ForgeRock. I kind of oversee the product portfolio in the EMEA region and have input across all of our products. I've been in identity management for longer than I care to admit, because whenever I tell somebody it's been 25 years, that makes me realize just how old I really am. But yeah, it's great to be here and I look forward to having a good discussion.
Okay, great. So our topic of today is why access management is about managing risk. I think we can take different perspectives on that. One is: how does access management help mitigate risk? But you can also take, and this is what I would favor at least as a start for this conversation, the question of why we should care and think in risks when we set up our access management, and the terms that come to my mind here are adaptive or context- or risk-based. So maybe start with you, Matt. What's your perspective on that?
So I think those are great terms: contextual, risk-based, adaptive. I think they've been around for a long time. And I think what we've always looked at is how do we provide the best user experience without, you know, allowing ourselves to be open to having our most valuable assets compromised. And so there's always been this understanding, if you go way back into the internet and authentication, that to get to my email I don't need to do something really dramatic, but to get access to the corporate IP or to make a high-value transaction, then I should probably have a little bit higher of a bar of authentication. And I think that's where we really saw the start of adaptive authentication, risk-based authentication. It was really on that asset. I think now, when you look at all the companies competing online for business, for traffic, for retail, and even if you look in your workforce, how do you make your workforce productive and secure? There's that same concept of, I don't wanna put too much barrier in the way of doing business, but I don't want to be exposed to fraud. And as a CIAM, you have to protect your customers' data. You have to give them the feeling that you're securing them. So I think it's this balance of experience and security that adaptive really fits into.
Yeah, and I think, like this balance of experience, or I usually say convenience, and security, because I think one of the lesser smart things is saying... but maybe we should go even a bit further, because the end is the combining nowadays, because of what you said: in some ways in the past we added barriers. Now we should start with something which is good for everything and produce barriers, isn't it? But what you were saying a bit,
Yeah, so I think in the past it was, we only looked at context in this concept of being bad. I think now, and I kind of heard you say it in your keynote, Martin, when you said it's not enough to have authentication, you need to have context behind it, because MFA is hackable, passwords we know are bad. So if you start intertwining context into that authentication, and I always call that invisible authentication, these are things that we do in the background that the end user doesn't see, but it strengthens that authentication and it just makes things easier and more secure. So it doesn't always have to be about bad. And then if you think about the good side of it, you think if there's context that I know about a person, I can start removing barriers down the line as well. So I think you're gonna see context evolve into being much more of an authentication mechanism. It's just an invisible one. It's something that happens behind the scenes.
You also, in your role as someone who is advising in very large consumer identity management implementations, et cetera, how do you see this concept evolving in the implementations you're seeing?
Yeah, I think what we are seeing is that we are transferring intelligence into the platform and thus are achieving what you've mentioned. So when you have the decision-making process within the application or within a system which actually is able to make intelligent decisions, and I'm not talking necessarily about AI, I'm talking about systems that take away a bit of the requirement from the person to do intelligent decision making and do it for you, that already lowers the barrier. When you have context data and you have proper policies in place, many operations can take place without adding another level of authentication or authorization, because that is fine and that is implemented into intelligence acting upon context data, based on risk data, on a risk assessment, et cetera. So we are really moving that over to technology, and that is mainly what I see in reality: that we can really say, okay, let's make sure that a bunch of operations really do not need any additional security because they are fine as they are, but at the moment that the risk rises, and then it's about business risk in the end, and that leads to access risks, which is then a derivative of that, then we can say, okay, now let's ask for another factor, make sure that there's a second pair of eyes, et cetera.
So this is really what we see in the marketplace, and we see it in reality and in projects. It's growing. It's not fully there, but we are working on that.
But so it's... go ahead.
One thing, you know, Matthias, one of the things that you started out with there, you said about context and making decisions for the user, and we're talking about context as far as authentication, risky authentication, but just think about the context in enabling a great user experience. So if I know somebody's on a phone, there are certain things I can challenge them for in authentication that I might not be able to on a laptop, and vice versa. So if I just get that context, I can make that user experience a whole lot easier based on what authentication mechanism I challenge them for. So context goes into so many different parts of the way, and as you said, if it's built into the journey or the application, it becomes so natural. So I just wanted to add that in there, that there's this other concept of context: how do I make it easier for the user based on what they're using?
Yeah. So meaning also, if I come in with my smartphone, the system automatically does something different than when I come in with my notebook. That would be the way, instead of what commonly happens, which is that the other side says, okay, oh, you could use that on your notebook, should we activate it? You can use that on your smartphone, should we activate it? It would probably be going even more into automation there and saying, okay, if it's that device, let's use what we most likely can use.
Yeah, absolutely. So if I know I have, you know, an Apple smartphone and I have Face ID enabled, or just use Face ID; if I'm on my laptop, maybe Face ID isn't available, but maybe web is there, right? So if I'm registered in both, it just automatically happens, as opposed to asking a user to make that choice every time along the way. One less click in your log-on journey can, you know, simplify and greatly increase that user
Experience. So, talking about log-on journeys: which role, maybe in practice, Matthias, and in technology, does the ability to construct flexible user journeys play? So when we go back, traditionally a user journey was a very fixed thing. Is this changing? Because at the end, risk is changing, context is changing, user expectations on the user experience are changing. So Matthias, maybe from your practical perspective, and Matt, from your product perspective, how do you see the change in people asking for, and technology delivering, more flexibility for creating user journeys?
Yeah, maybe if I start. If you look at CIAM deployments, when it comes to having customers or potential customers or just people who are interested having easy onboarding processes, the barrier should be really low, and that can stay really low as long as there is no risky operation required. So if I just want to log in, have a look around, want to download a PDF from a vendor, then it should be fine that I'm just registered via a very, very simple mechanism, maybe even just using social federation or something like that. So then I'm in the system, and that is good for me because it was easy. I just used my Google, Apple, something account and onboarded, and the organization and the system and the policies can say, okay, yeah, that's fine, let's leave him there. And if there is some progressive profiling, some more development regarding my identity and my reliability, my assurance level, then that can be heightened over time.
But the first barrier should be very low. And I think this is something that we see in so many areas where we should have a simple first step into the systems with less friction, and then maybe profile this identity over time, profile authentication processes and understand, for example, as you said, Matthew, where do I usually come from and what are the factors that make sense? I just onboarded my new iPhone and it really asked me to plug in my first-generation USB YubiKey for verifying my Google account. Okay, no. So this should be much better. So I really go with the argument that you mentioned, Matthew.
What, by the way, just to interrupt: when I onboarded my new iPhone, the really annoying thing was that I then had to go to my banking application and ask them to send me a letter by snail mail, with the regular postal service, with a QR code or a very lengthy, cryptic code to bring up the pushTAN application again, or whatever smartTAN application, where I said this is really breaking the process and killing every user experience. More or less everything else went smoothly, but there it broke. Yeah,
Yeah. You know, it's amazing that even in today's age we see these process breakdowns where you think, you know, you could put a QR code on the screen or say log into your account via your browser and just do that, but you still have to wait for snail mail. And to your point, Matthias, I think you're a hundred percent right when it comes to the different context and the different adaptive journeys that you need to have out there, whether that's for registration, authentication, things along those lines. So when I go back to knowing what device someone's on, and Martin, I'll use your snail mail now and I'll put these two together: I saw a survey three years ago that people would rather fill out a form with more than five questions by being sent a piece of paper in the snail mail, fill it out and return it, as opposed to typing it on their mobile phone.
So if I'm coming to a website and I'm on my mobile phone and I want to collect seven pieces of information and I want to convert that customer, I don't want to ask them seven questions, I just want to ask them three, get them converted and then follow up with progressive profiling, and context is very helpful there because, you know, it's your mobile phone. I think, Martin, to your question about what's going on with static user journeys versus flexible user journeys in the technology space, I think one of the things I know for ForgeRock is that our user journeys are very, very flexible and very context-aware. And the way that our user journeys are constructed is, every step along the way you can make a decision based on user input, based on context, or based on other factors. And they don't have to be yes-and-no decisions.
They can be, you know, more granular than that. I do see our competitors doing the same things. So I think it's becoming more and more apparent that you need to have these, you know, you can call them choose-your-own-adventures or you can call them branching user journeys, that allow you to deliver a really great experience and keep your security high and be able to do, you know, granular things along the way, because not every risk association says I have to do a step-up, or not every risk says I have to remediate you. Maybe something says, hey, you're not in the right country, I'm just gonna redact data, and so you need to be able to have the flexibility to do that as well. Not everything is black and white, which I think a lot of people see context as: either it's all good or it's bad. We need to make sure it's good.
Yeah. And this "not everything is black and white" I think brings us back also to the title of the panel, which is around risk. The important learning from my perspective is, and I talked about this a bit earlier in my talk, that access management, authentication, is not a black and white thing anymore. It is not: if you possess the right credentials you're in, and otherwise you're out. It is about finding or understanding, okay, there are things which are clearly good and things that are definitely bad, and then reading the gray area in between appropriately to understand, okay, depending on the risk I need more or less in what I ask the people or what I guess from the system. This is, I think, the important point: what I guess from the system, but what I get from intelligence. And I think both of you brought up these: it's data, it's intelligence and it's automation which we need to bring together to make this work.
So we have a few minutes left here. Matthias, you will alert if there are any questions from the audience, surely. Otherwise I think, if we move a bit more to the conclusion: so we had this, it's about data, it's about automation, it's about intelligence, it's about flexible user journeys. It's about having something which is already strong for most, and maybe making it simpler, not adding another layer, another layer, another layer. I think also, maybe we could turn around that question. So can we solve such use cases without a strong access management solution? We still see, when we go to the average e-commerce site, that there's a lot of authentication and access baked into the application. Sometimes there's something in the back and behind, frequently not. Can these e-commerce solutions or services, digital services with baked-in and not flexible access, really survive? A bit of a provocative question. Maybe Matthias first, then Matt. Maybe it was a rhetorical question.
Yeah, we see it in reality and in the projects that we are dealing with that this is really on its way out of the systems. So we need to make sure that we are applying proper mechanisms that allow for these choose-your-own-adventures. I like that, what you've mentioned. So it's really: how will that look based on what device I'm on, how good is my authentication, or my assurance level for this identity, what I'm allowed to see, where do I come from? I think this is what we are really aiming at as of now. And maybe I just check the questions. There is one that comes in, and maybe that fits in here perfectly. Somebody asks: where do you see role-based access going? And that is actually, I think, one of the key questions. It sounds like, again, a truism, but how can we still use roles but put identity first? Does the identity have the right to use this role, or should RBAC go away completely? So that is something that comes from the audience here right now.
I would simply say roles are one of many attributes in policy-based access control.
Matt, do you agree?
Yeah. So I look at it this way: you know, when you look at zero trust you have two things, right? You have what you're allowed to have access to, and you have to have the least privilege and the least amount of access. And that's what I call good identity hygiene. And that's where roles come into play: as this role, you're allowed to have access to these applications. And then on the other side, we're talking about this context and risk. And so now that I know, Martin, you're allowed to have access to these applications, how do I know it's actually Martin who's getting that authentication? I think, Martin, you called it your digital twin. How do I know it's not Martin's digital twin trying to get access, right? Yeah. So I think they play hand in hand. It's not one or the other, if you ask me, but they play together very well: you have to know what somebody's allowed to access and then make sure it's the right person coming.
Okay, we have one minute left now. Maybe Matthias first: one final recommendation, in a short sentence, to the audience.
Simple answer is: really start looking into this. Many organizations are not yet there, and it would make their lives so much easier for their users, for their customers, for their partners. So really go on that journey for a more adaptive, more context-sensitive, more risk-based authentication and authorization. Just do it. Okay,
Matthew?
Yeah, I agree a hundred percent. It's really the balance between security and experience, and you can't just have one or the other anymore. You have to have both. And the only way to do that is to use context and have adaptive capabilities that can adapt and change based on what is going on at that authentication or that authorization event. So it's definitely what you have to have in the future.
Combine security and convenience, get both, and the technology is here, make use of it. Thank you very much to you, Matthias. Thank you very much, Matthew. With that I hand back over to Matthias in his other role as moderator of the event.