Event Recording
Interview with Dr. Andre Kudra
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Hello and welcome back.
Hello.
So for those audience members who didn't see the previous panel, which Andre participated on, would you Andre introduce yourself and explain a little bit about your role about ASAP?
Absolutely. My, my pleasure. So my name is Andre KRA. I am the CIO of Zaki Zaki in the space of information security and very strong in identity and access management. And we are very enthusiastic about self-sovereign identity since many years now. So I think in 2016, we started our journey with, with SSI and have become advocates of the technology very, very early on. We have made many publications and conference attendances in, in German, particularly, and we are a sovereign steward. And I'm personally, also now a board member of, of sovereign foundation. And we see a very vivid and strong future for SSI. And that's the reason why we are focusing our efforts in the identity and access management space. So, so persistently and so enthusiastically on SSI.
Thank you. So then from this perspective, what would you say the different stages of SSI adoption are? Could you walk us through that?
I'm happy to. So I, I think the whole SSI community is, is so bullish about the technology that, that they think everyone is, is just on the brink of absorbing it at full. But I think we are, we are not there yet. So we are, we are working with the customers to solve particular internal use cases first. So this is not the full blown SSI solution across boundaries of organizations across countries, maybe globally. This is doing steps that a customer and an organization can fully control at first. So for example, identity and access management, an organization can take fully care of its own organization and issue credentials to the own employees. This is not the bright and shiny future of SSI, but that's the first step to learn about the technology and see it in action and experience it and get users buy in so that it feels natural for them to just use it.
And then we can increase the outreach across organizational boundaries and the appetite will naturally come to exactly do this. And this is, this is where we are, where we are starting. So I think we are not starting with a cross organization, cross country solutions. We are starting with things that organizations can control, and this will evolve naturally into what we all desire so that we can use credentials at another organization, from a private setting, in a business setting, from a business setting in a public sector setting and so on and so on. So this is the, basically the second stage, but the first stage has value already. And if people see that, then naturally they revolution will come. So that's, that's the, the starting point where we are still, and I know the community is polished to get it all happening. And I know that we are having the tech ready to do it, but we have to start somewhere. And this is where we are now. And we have the technology now and the, the stuff at hand. So we are not theoretical, theoretically, ready? We are practically ready because our organization, for example, has it draw out, we are using it day by then.
Yeah. So then maybe you could explain that experience a little bit more of rolling it out. What is ASAP doing to live this out?
Yeah. So SS stated we are in the identity in access space. So SSI is not just identity in access, but for us it was a natural fit to transform the, the basically decades of man hours experience in that space into an SSI solution. So that's what we, what we have done. We have built a complete enterprise ready identity and access management suite, which we call is self, which basically enables an organization to use SSI to solve their daily identity and access challenges. And we have, we have not only built it, we are using it ourselves. So I think that's, that's always a, a strong message. So we are not just building it to sell it, but we are using it ourselves. So we have, we have rolled it out to our own employees. We have given them credentials, which they can use to authenticate and authorize access to applications we use internally.
So we have it at hand to demonstrate it and show it day by day to the customers. And this is exactly how it will work for them as well. And we have it in a complete, flexible manner that we can tweak it to the requirements of the customer, but we are in fact offering best practice framework for you to do it, but he can, he can adopt it basically also based on his own requirements. So that's what we're doing. So if, if you want to use identity and access management, SSI enable today, you can do it. You can, you can have it. And we can, we can give simple credentials which allow authentication to applications that use every day, like in addressing confluence at JIRA or the, the mail server, the intranet applications, Salesforce whatsoever. We have a, we have basically have a matrix of, of popular solutions, but you can trust back and play and, and enabling.
So then a follow up question to that. So you've referred to the, the product itself as an I am suite. So why is that? And what does this all encompass?
So we, we obviously have to look at the full user life cycle. So people who have attended coping our call conferences like the EIC, they, they know that there's this join, move lever thing and, and little bit of, of additional services like recertification and so on. So basically we, we support with the, with the product we support this whole lifecycle. So we have four regulated environments. We have full locking capability. Obviously this is not something that we want with SSI, but we can offer to make it compliant even in the banking sector, because we have that locking and, and audit trade. But the joining is easy. You plug it into your HR system. The, the credentials can basically be issued automatically. So you don't have, have to have someone who keys it in. You just connect it to your HR, to the onboarding. And then you issue credentials issues that prove facts about the, the people who use the credentials.
You can prove that they are a member of a certain department. You can prove that they're member of a certain project and you can dynamically adjust it, which makes the, the move experience smooth because you just don't have to take dozens of applications and adjust the access rights because you just give them the facts in their hands, in the cred, in their wallet, in with the credentials. And you formulate a rule which gives access to the application based on the facts that the people have in their wallets. And I think this is, this is of, of such a charming elegance that makes all this, what we have done for for many years in the identity and access based obsolete, because you don't have to fiddle with dozens or hundreds or even thousands of applications. You just do it once you formulate your rules, which will enable the access and that's it. And if the person leaves you can actually revoke all the credentials at once and then the access is disabled everywhere. So I, I think is this something the world really needs, we are, we are making it happen now with the customers. And yeah, let's see if the appetite goes further to, for, for others and to, to do it also cross organizationally.
Absolutely. And another question to this concerning easier experience, this is something that is going to be really key to later widespread adoption. So what is key to ensuring this?
Yeah. SSI to be, to be very honest with you is a, is a complex topic. And even experts from the industry sometimes struggle to, to drill through that and totally understand the technical implications, regulatory implications, process implications, and so on. So for, for identity and access management, it's, it's basically people are used to this complexity, but we want to completely shield it from the, from the end user. So what we have to do is we have to make it as easy as even possible for the end user tool to work with that. And I think there is a couple of stepping stone to actually achieve that. So today you have obviously a lot of companies who produce wallet apps. So that's exactly what SSI wants. SSI wants. You want to have complete freedom of choice to use a wallet, but if the end user now has to have five different wallet apps, or even other applications which have wallet capability, then you want to ensure that the end user is easily able to use credentials from wallet, one wallet app in another.
So this is something that we have to build in, and it, it has to be smooth and seamless. And this is something that what the community is striving for, but it's not, not really there yet. So this is one of our key roadmap items that we wanna solve. And the, the most prominent and, and pressing things actually enable the end user to not do harm to himself with the SSI credentials. So we have to prevent that he, that he has a big issue if he cannot access his wallet app anymore. Because if we empower the end user in the terms of SSI, we have to make sure that he is responsibly handling that power and able to use it with convenience. And this are the main challenges that we are addressing.
Absolutely. Very, yeah. Very insightful on this. And so how does the, let's see, you've made some references to SSI killer apps in some of your previous work. So could you explain what these are? Yeah.
I think what, what we are, what we are doing now is we are thinking of, of the, the really common things, a lot. So common things like, like using an entitlement to grant access, this is, this is, this is a brilliant thing to do, but this is an obvious thing using SSI to represent proof of a degree that you have proof of a capability that you have to have for your job. So for example, you have to prove that you are able to drive a bus and you are allowed to, to do stuff like that. So these are classic credentials that we use from the real world, but I think we have chances to, to basically reinforce existing processes, which are quite cumbersome with SSI and, and read them existing processes that that companies have today. So let's see, for example, we have, we have in the banking industry, we have many, many players who now absorb rapid payment processes like the players from the FinTech industry that, you know, so why do we not use, for example, SSI, credentials to use it for existing payment processes in banking with the, with, with Eban and, and big, and just attest facts to the people that they have in fact, proven IBAN and that the, the payment process was executed.
And in the second instance, the, the person can show it to the vendor where he bought something that the bank has issued a credential. This transaction has been processed. So we can basically use existing processes in the financial industry, in my example, to enable it and make it faster and more reliable with SSI and basically rebuild this what the FinTech world is proposing to solve with a completely decentralized manner. So this is one example there's many more, but I think in the interest of time, this is just maybe one little insight.
Yeah. Very interesting. So then going from the implementer's perspective, what is something that organizations and individuals need to be cautious of?
Yeah, I, I think there's, there's SSI and false SSI. So we have, we have many, many providers in that space who want to jump on the, on the SSI train and basically reframe their centralistic solutions so that they sound like SSI. So SSI is only true SSI. If it's decentralized, if it empowers the end user avoid slot in effects, gives him, gives him access and control over his own data really immediately. And in his, in his personal control, technically and organizationally and process wise. So if this is not, not happening, if you detect a service that says it's SSI, and it's not fulfilling these attributes, then it's never true SSI. And I think we have to be, be very cautious about big tech absorbing or trying to absorb the SSI industry, because if we are not at tiering to the globally adopted and, and developed standards and technologies now that are in use and can be used for scale, and this is some somehow hijacked by big, big tech companies. And they say, well, this is SSI. It's completely compatible. And it's, in fact not, then we will have from the back door, big tech absorbing this really beautiful decentralized solution of SSI, which is end user empowering. And I think this is where we have to be really cautious that we are, that we are sticking to the, to the true meaning and, and philosophy of SSI.
Very good. And then perhaps a, an idea to end with it's maybe a little negative, but what if none of this works? What if this never gets off the ground? What do we do then?
That's a very, very fair and, and true question. And I'm, I'm happy to elaborate a little bit on that. So SSI is, as we stated, we are in that space since 2016, or even before that, we looked into blockchain, all that before it even came ASI. So from a, from a, from a visionary perspective, everyone should or must buy into that because it's, it's, it's such a thing that the world needs. So why has it not happened yet? So I, I know the community is, is really strong and, and has endured this also the crypto window, which, which was associated with, with, with stuff that's non SSI, but this basically brought the whole industry to a, to a, to a drop. And, and we have been been ready from, from a technology perspective longer even than now. So everyone who has been sticking around has been patient already.
So we are, we are all now keen on getting solutions out. So, but obviously this doesn't require only us, but it requires people who are interested to use it from, from a business perspective, from public sector perspective, from private settings and so on. So I think even if we are so convinced, we are not the ones to have to be, be convinced. We are, we are preaching among ourselves. We are preaching to the choir. So this is actually, we have to get out in the open and make it tangible and make it experienceable by people in the outside world. And ideally they don't even know that they're using it. They just thought, oh, it's more secure. I'm in control, it's convenient. And it's solving the problem I have at hand. So we have to, we have to, this is also a, a plea to the industry itself to communicate the merits without diving into this techno bubble.
And this is shying people off. So we have to make sure this is not happening. And I, I think I I'm looking to us ourselves. We are, we are, we are our team. They, they are tech experts. So they, they can tell you in, in, in many colorful words, how great SSI is, and you don't understand a single thing. So it's, it's, it's, it's something for, for techies, but we have to make it digestible for, for everyone. So this is the challenge we are addressing now. And also my companies is, is very keen on addressing, and we are, we are really starting with a big initiative in that, in that space now. So, but this is obviously just my understanding and the theory behind it. So if we look into what others are doing, we know that big tech, like the existing industry in then in access space wants to fulfill their promise with the status quo.
So they don't want SSI. So no one in the classic identity and access management industry is, is still on having that. So what, what is the outcome of that? We will have a prolonged suffering in the identity and access world. If we don't adopt digital very credentials at a certain point in time, we will prolong the suffering. And, and in in fact, we have, we have looked at our experiences and we have come up with a, with a, with a brochure, which you can download on our website. It's, it's called identity and access 2044 scenarios of the future. It's, it's a German paper now, but we have looked at themes like identity chaos. We have that today. We have looked at totals. We have that today. We have looked at mega corporations. We have that today. And we have looked at SSI and we have looked at what could happen if the world evolves further in these directions.
And I think this is, if you look at it and, and be not, not an SSI enthusiast, you will see the, the themes. If they continue like that, this will be an issue. So I think it, it will happen. I, I hope it will happen in the true SSI meaning. And I'm very confident that the, the, the people who can take the decisions to adopt the technology, we'll see that as well. And so I think we don't have any other choice despite making as I happen. And if it's, if it's not happening, I'm, I'm not only disappointed. I think we are all, we are also losing a big potential for the world for making the world more, more secure and, and bringing the identity scheme, the security scheme to the internet world, which we're lacking today. So I think it's, it will happen.
Thank you, Andre, for those really interesting insights and also personal experience of developing and also using the solution. So I appreciate your time. And please from the audience, if you have more questions for him, post on the wall of ideas, and we will be able to get those to the right person. So thank you very much.
Thanks, Jenny.
Hello.
So for those audience members who didn't see the previous panel, which Andre participated on, would you Andre introduce yourself and explain a little bit about your role about ASAP?
Absolutely. My, my pleasure. So my name is Andre KRA. I am the CIO of Zaki Zaki in the space of information security and very strong in identity and access management. And we are very enthusiastic about self-sovereign identity since many years now. So I think in 2016, we started our journey with, with SSI and have become advocates of the technology very, very early on. We have made many publications and conference attendances in, in German, particularly, and we are a sovereign steward. And I'm personally, also now a board member of, of sovereign foundation. And we see a very vivid and strong future for SSI. And that's the reason why we are focusing our efforts in the identity and access management space. So, so persistently and so enthusiastically on SSI.
Thank you. So then from this perspective, what would you say the different stages of SSI adoption are? Could you walk us through that?
I'm happy to. So I, I think the whole SSI community is, is so bullish about the technology that, that they think everyone is, is just on the brink of absorbing it at full. But I think we are, we are not there yet. So we are, we are working with the customers to solve particular internal use cases first. So this is not the full blown SSI solution across boundaries of organizations across countries, maybe globally. This is doing steps that a customer and an organization can fully control at first. So for example, identity and access management, an organization can take fully care of its own organization and issue credentials to the own employees. This is not the bright and shiny future of SSI, but that's the first step to learn about the technology and see it in action and experience it and get users buy in so that it feels natural for them to just use it.
And then we can increase the outreach across organizational boundaries and the appetite will naturally come to exactly do this. And this is, this is where we are, where we are starting. So I think we are not starting with a cross organization, cross country solutions. We are starting with things that organizations can control, and this will evolve naturally into what we all desire so that we can use credentials at another organization, from a private setting, in a business setting, from a business setting in a public sector setting and so on and so on. So this is the, basically the second stage, but the first stage has value already. And if people see that, then naturally they revolution will come. So that's, that's the, the starting point where we are still, and I know the community is polished to get it all happening. And I know that we are having the tech ready to do it, but we have to start somewhere. And this is where we are now. And we have the technology now and the, the stuff at hand. So we are not theoretical, theoretically, ready? We are practically ready because our organization, for example, has it draw out, we are using it day by then.
Yeah. So then maybe you could explain that experience a little bit more of rolling it out. What is ASAP doing to live this out?
Yeah. So SS stated we are in the identity in access space. So SSI is not just identity in access, but for us it was a natural fit to transform the, the basically decades of man hours experience in that space into an SSI solution. So that's what we, what we have done. We have built a complete enterprise ready identity and access management suite, which we call is self, which basically enables an organization to use SSI to solve their daily identity and access challenges. And we have, we have not only built it, we are using it ourselves. So I think that's, that's always a, a strong message. So we are not just building it to sell it, but we are using it ourselves. So we have, we have rolled it out to our own employees. We have given them credentials, which they can use to authenticate and authorize access to applications we use internally.
So we have it at hand to demonstrate it and show it day by day to the customers. And this is exactly how it will work for them as well. And we have it in a complete, flexible manner that we can tweak it to the requirements of the customer, but we are in fact offering best practice framework for you to do it, but he can, he can adopt it basically also based on his own requirements. So that's what we're doing. So if, if you want to use identity and access management, SSI enable today, you can do it. You can, you can have it. And we can, we can give simple credentials which allow authentication to applications that use every day, like in addressing confluence at JIRA or the, the mail server, the intranet applications, Salesforce whatsoever. We have a, we have basically have a matrix of, of popular solutions, but you can trust back and play and, and enabling.
So then a follow up question to that. So you've referred to the, the product itself as an I am suite. So why is that? And what does this all encompass?
So we, we obviously have to look at the full user life cycle. So people who have attended coping our call conferences like the EIC, they, they know that there's this join, move lever thing and, and little bit of, of additional services like recertification and so on. So basically we, we support with the, with the product we support this whole lifecycle. So we have four regulated environments. We have full locking capability. Obviously this is not something that we want with SSI, but we can offer to make it compliant even in the banking sector, because we have that locking and, and audit trade. But the joining is easy. You plug it into your HR system. The, the credentials can basically be issued automatically. So you don't have, have to have someone who keys it in. You just connect it to your HR, to the onboarding. And then you issue credentials issues that prove facts about the, the people who use the credentials.
You can prove that they are a member of a certain department. You can prove that they're member of a certain project and you can dynamically adjust it, which makes the, the move experience smooth because you just don't have to take dozens of applications and adjust the access rights because you just give them the facts in their hands, in the cred, in their wallet, in with the credentials. And you formulate a rule which gives access to the application based on the facts that the people have in their wallets. And I think this is, this is of, of such a charming elegance that makes all this, what we have done for for many years in the identity and access based obsolete, because you don't have to fiddle with dozens or hundreds or even thousands of applications. You just do it once you formulate your rules, which will enable the access and that's it. And if the person leaves you can actually revoke all the credentials at once and then the access is disabled everywhere. So I, I think is this something the world really needs, we are, we are making it happen now with the customers. And yeah, let's see if the appetite goes further to, for, for others and to, to do it also cross organizationally.
Absolutely. And another question to this concerning easier experience, this is something that is going to be really key to later widespread adoption. So what is key to ensuring this?
Yeah. SSI to be, to be very honest with you is a, is a complex topic. And even experts from the industry sometimes struggle to, to drill through that and totally understand the technical implications, regulatory implications, process implications, and so on. So for, for identity and access management, it's, it's basically people are used to this complexity, but we want to completely shield it from the, from the end user. So what we have to do is we have to make it as easy as even possible for the end user tool to work with that. And I think there is a couple of stepping stone to actually achieve that. So today you have obviously a lot of companies who produce wallet apps. So that's exactly what SSI wants. SSI wants. You want to have complete freedom of choice to use a wallet, but if the end user now has to have five different wallet apps, or even other applications which have wallet capability, then you want to ensure that the end user is easily able to use credentials from wallet, one wallet app in another.
So this is something that we have to build in, and it, it has to be smooth and seamless. And this is something that what the community is striving for, but it's not, not really there yet. So this is one of our key roadmap items that we wanna solve. And the, the most prominent and, and pressing things actually enable the end user to not do harm to himself with the SSI credentials. So we have to prevent that he, that he has a big issue if he cannot access his wallet app anymore. Because if we empower the end user in the terms of SSI, we have to make sure that he is responsibly handling that power and able to use it with convenience. And this are the main challenges that we are addressing.
Absolutely. Very, yeah. Very insightful on this. And so how does the, let's see, you've made some references to SSI killer apps in some of your previous work. So could you explain what these are? Yeah.
I think what, what we are, what we are doing now is we are thinking of, of the, the really common things, a lot. So common things like, like using an entitlement to grant access, this is, this is, this is a brilliant thing to do, but this is an obvious thing using SSI to represent proof of a degree that you have proof of a capability that you have to have for your job. So for example, you have to prove that you are able to drive a bus and you are allowed to, to do stuff like that. So these are classic credentials that we use from the real world, but I think we have chances to, to basically reinforce existing processes, which are quite cumbersome with SSI and, and read them existing processes that that companies have today. So let's see, for example, we have, we have in the banking industry, we have many, many players who now absorb rapid payment processes like the players from the FinTech industry that, you know, so why do we not use, for example, SSI, credentials to use it for existing payment processes in banking with the, with, with Eban and, and big, and just attest facts to the people that they have in fact, proven IBAN and that the, the payment process was executed.
And in the second instance, the, the person can show it to the vendor where he bought something that the bank has issued a credential. This transaction has been processed. So we can basically use existing processes in the financial industry, in my example, to enable it and make it faster and more reliable with SSI and basically rebuild this what the FinTech world is proposing to solve with a completely decentralized manner. So this is one example there's many more, but I think in the interest of time, this is just maybe one little insight.
Yeah. Very interesting. So then going from the implementer's perspective, what is something that organizations and individuals need to be cautious of?
Yeah, I, I think there's, there's SSI and false SSI. So we have, we have many, many providers in that space who want to jump on the, on the SSI train and basically reframe their centralistic solutions so that they sound like SSI. So SSI is only true SSI. If it's decentralized, if it empowers the end user avoid slot in effects, gives him, gives him access and control over his own data really immediately. And in his, in his personal control, technically and organizationally and process wise. So if this is not, not happening, if you detect a service that says it's SSI, and it's not fulfilling these attributes, then it's never true SSI. And I think we have to be, be very cautious about big tech absorbing or trying to absorb the SSI industry, because if we are not at tiering to the globally adopted and, and developed standards and technologies now that are in use and can be used for scale, and this is some somehow hijacked by big, big tech companies. And they say, well, this is SSI. It's completely compatible. And it's, in fact not, then we will have from the back door, big tech absorbing this really beautiful decentralized solution of SSI, which is end user empowering. And I think this is where we have to be really cautious that we are, that we are sticking to the, to the true meaning and, and philosophy of SSI.
Very good. And then perhaps a, an idea to end with it's maybe a little negative, but what if none of this works? What if this never gets off the ground? What do we do then?
That's a very, very fair and, and true question. And I'm, I'm happy to elaborate a little bit on that. So SSI is, as we stated, we are in that space since 2016, or even before that, we looked into blockchain, all that before it even came ASI. So from a, from a, from a visionary perspective, everyone should or must buy into that because it's, it's, it's such a thing that the world needs. So why has it not happened yet? So I, I know the community is, is really strong and, and has endured this also the crypto window, which, which was associated with, with, with stuff that's non SSI, but this basically brought the whole industry to a, to a, to a drop. And, and we have been been ready from, from a technology perspective longer even than now. So everyone who has been sticking around has been patient already.
So we are, we are all now keen on getting solutions out. So, but obviously this doesn't require only us, but it requires people who are interested to use it from, from a business perspective, from public sector perspective, from private settings and so on. So I think even if we are so convinced, we are not the ones to have to be, be convinced. We are, we are preaching among ourselves. We are preaching to the choir. So this is actually, we have to get out in the open and make it tangible and make it experienceable by people in the outside world. And ideally they don't even know that they're using it. They just thought, oh, it's more secure. I'm in control, it's convenient. And it's solving the problem I have at hand. So we have to, we have to, this is also a, a plea to the industry itself to communicate the merits without diving into this techno bubble.
And this is shying people off. So we have to make sure this is not happening. And I, I think I I'm looking to us ourselves. We are, we are, we are our team. They, they are tech experts. So they, they can tell you in, in, in many colorful words, how great SSI is, and you don't understand a single thing. So it's, it's, it's, it's something for, for techies, but we have to make it digestible for, for everyone. So this is the challenge we are addressing now. And also my companies is, is very keen on addressing, and we are, we are really starting with a big initiative in that, in that space now. So, but this is obviously just my understanding and the theory behind it. So if we look into what others are doing, we know that big tech, like the existing industry in then in access space wants to fulfill their promise with the status quo.
So they don't want SSI. So no one in the classic identity and access management industry is, is still on having that. So what, what is the outcome of that? We will have a prolonged suffering in the identity and access world. If we don't adopt digital very credentials at a certain point in time, we will prolong the suffering. And, and in in fact, we have, we have looked at our experiences and we have come up with a, with a, with a brochure, which you can download on our website. It's, it's called identity and access 2044 scenarios of the future. It's, it's a German paper now, but we have looked at themes like identity chaos. We have that today. We have looked at totals. We have that today. We have looked at mega corporations. We have that today. And we have looked at SSI and we have looked at what could happen if the world evolves further in these directions.
And I think this is, if you look at it and, and be not, not an SSI enthusiast, you will see the, the themes. If they continue like that, this will be an issue. So I think it, it will happen. I, I hope it will happen in the true SSI meaning. And I'm very confident that the, the, the people who can take the decisions to adopt the technology, we'll see that as well. And so I think we don't have any other choice despite making as I happen. And if it's, if it's not happening, I'm, I'm not only disappointed. I think we are all, we are also losing a big potential for the world for making the world more, more secure and, and bringing the identity scheme, the security scheme to the internet world, which we're lacking today. So I think it's, it will happen.
Thank you, Andre, for those really interesting insights and also personal experience of developing and also using the solution. So I appreciate your time. And please from the audience, if you have more questions for him, post on the wall of ideas, and we will be able to get those to the right person. So thank you very much.
Thanks, Jenny.
Stay Connected
Related Videos
How can we help you