Leveraging Decentralized Identity Approaches in the Enterprise

So I don't see it on the previous screen yet. I, anyway, start, so I think most of you have seen me. I'm Martin Kuppinger. I'm one of the parts of co Analyst, as Phillip said, and I'm acting as principal Analyst. So I'm mainly doing a research thinking about things and writing and mentoring my colleagues, et cetera. So we hear a lot about verifiable credentials, verified credentials, sexual identity, d i d standards, decentralized identity, whatever. And, and there's also a lot of discussion about terminology. Honestly, I, i, I personally believe that, that we should be a bit more pragmatic than some are on this. So for me, at the end, it doesn't matter much how we call it, as long as it works and delivers value. That's the one point. And I think we also need to, to look at where, where can, is delivered the value.
I think this is, this is a very, very important point and, and a lot of what, what you currently hear in talks is that it delivers the value. So for, for consumer centric use cases, generally speaking, I think we already should think about the entire thing from a perspective of the, the recipient. So the, the user and, and where does it make sense, but also an organizational aspect. Some of the stuff, honestly, it's for me too much driven by, for instance, a perspective of a government on how to, to use it instead of saying the citizen is the customer and how do I make it work? But today, right now, as I've said, I, I'd like to talk a bit more about the enterprise side and the, this entire decent right entity thing is something which is, is very essential and it's at a core of web three of whichever meta metaverse we will have, we surely will not have one metaverse, but many, many metaverse.
And the point I'd like to make is, is factually when we take this web three with NFTs and smart contracts and all the other things, and, and the metaverse, which is web three plus, in fact sort of the idea more the application side of things like augmented reality, virtual, virtual words, is that right? Super complex to come up with. How do we do security for that? So I think if you ask someone, how do we do web three security, no one has a really, a simple answer on that. My answer always is, if something is too complex, deconstruct it, solve the pieces and construct it again. And when you deconstruct it, then you end up with NFT security and whatever, security for our towers and robots and stuff like that. And you end up with decentralized identity, however you'd like to phrase it. I use the term more frequently than Victoria did yesterday.
He tries to avoid it. At the end of the day, the, the, the common element in, in all these new things is a modern approach on decentralized, distributed, whatever identity, and then we can bring it back together in progress. So this is important more generally. And as have said, it's we, we are publishing this study these days. It's mainly seen. So when you, when we ask for what is the main use case, then privacy, 22%, 51% reusable consumer identity. So more than 70% say it's more than consumer side. Only 13% say this is the most important one. I believe this is the most compelling use case for decentralized identity on the short term.
So this is where I'd like to focus on today and right now. So some of you will definitely say Martin is totally oversimplifying things right now. I believe it helps to, to explain some things. What I, I'd like to emphasize on, and I, I also wrote an article on LinkedIn, I think the day before yesterday, around on one hand that these, these approaches don't disrupt what we do in identity management today. They can compliment it. On the other hand, they have a potential in, in sense of disruption that we can do a ton of new things like web three, et cetera, that we can also do a lot of things better in the enterprise. And I think this is important to understand, but so as I've said, you, you may say this is oversimplified. I I think it's helpful hopefully at the end, what do we have?
We have a wallet and we have proofs in the wallet. And one of the proofs that might be something which is derived from my E I D, which says this is really Martin and he has a name and an address, and then I onboard to an organization and I proof that I'm Martin. And that organization then can say, okay, good. He, he really showed me that idea. And we are living in a world of, in an age of world work from anywhere. So a lot of people never show up physically in any office of an organization anymore. So we can't do it that way. And then the corporation can issue proof. So this says Martin and he lives somewhere in Stuttgart and the organization says, oh, he's at Cooper and Coal Analysts. Maybe there's something like a, the virtual legal entity identifier already in from life.
We talked about this yesterday in the awards ceremony. So there's a proof of employment and it also says maybe Martin is a principal Analyst at our organization. So there are different types of groups and we, we, we, and then in the future for an authorization process. So, so first to access these things, I need to authenticate, I need to open my wallet, which means there's secure element on mighty wise there's a fingerprint or other type of biometrics, et cetera. So it's a quite, quite good way of authentication. And by the way, I think we also heard a lot about, talks about all the security things we need to solve to be at 100% security for that thing. One word on that, there is no 100% security, never whom of you has seen the movie Illuminati?
Can you, you can raise your hand probably most of you, you may remember the eyeball on the floor. So there are always ways to bypass security. So 100% security doesn't exist. We must think in risks and in in, in adequate levels of assurance, not in perfect, in the perfect security which hinders us to do things. And if we are good enough and that is something we can well achieve for most use cases, that's fine. Yes, for an election we may need a higher level of assurance, but that happens not that frequent. For most use cases, we do online payments with our devices every day and we are relatively good with the security, so don't go over the top here. Anyway, the cool thing here is we can do authorization via proofs of the drop titles, et cetera. So we can use this in an author authorization process when we specifically, when we move to policy based access when we, and, and in, in that case, we would have have way more probably of these things in the wallet and we can then say, okay, based on that, and I check, okay, he's still at, I let him in, I let him do that, I let him access this, et cetera.
And maybe Martin then has an assignment at somewhere for, for an advisory project. And then this onboarding starts. So, so, so some of you may have experienced that going to being a consultant, working for a couple of days or weeks or months in a project that's not a company. And sometimes the starts with spending a couple of hours for onboarding, getting a batch, getting whatever, some sort of security talk and some other things. The point is when we look at the process cost here of onboarding, so you're paying a consultant for three hours of queuing and onboarding processes and you're paying a lot of internal people that are also involved in these processes. That's a lot of cost. And we can simplify this because this means, okay, yes, it's really Martin and he's at cola, he has this role. Oh yeah, and he's in this project. So another proof so to speak.
And then again, authorization for instance, for access to some project data can happen based on that. As I've said, this is a bit oversimplifying some of you may say, but I think it helps explaining what we can do and then we can simplify authorization. We can simplify a lot of the access management. We think about all the, the challenges you are having in granting pe, externals and projects, temporary access to certain project resources, a very common problem that causes workload. And what we are talking about here is really cost. There's a huge potential in saving money by utilizing the potential of this sort of brave new world of decentralized proofs, identities, et cetera. So, so basically this is the decentralized onboarding. We came, I, I talked about it, so I I walked through it. This is onboarding and it works for B2 e use cases, it works for B2B use cases.
We can improve things very significantly here now, physical presence and also the offboarding. You know, when when, when the partner here checks the proof and it says, oh, Martin is not a Analyst anymore, then we immediately can trigger offboarding and how frequently do we struggle with offboarding permanently? We are way better in onboarding and then grinding access than in revoking it. So it helps, it helps in policy based authorization and in instead of doing all this static entitlement work, et cetera, we can't do things much better again if we go just through this process. So, okay, it is time consuming, it is costly. So we create a contract, we need to verify the identity, someone walking somewhere showing the physical ID card, presenting it and someone looking at it saying, okay, this looks like this is Martin. So hopefully they don't rely on my driver's license because the date's back to 1984 and so no, I won't show it here even while it, that may, may be perceived as being funny.
And anyway, I had to sell some hair back then, by the way, then agreements are signed, the batch is provision and authenticator is provision, et cetera. And then some technical onboarding follows. And this is really a complex process and we can simplify that significantly. This is really where, where, where you should think about that there's a business case, there's a compelling business case behind because bros cost optimization is something that resonates not only with IT security and identity people, it resonates with the business people and is it really complex? So you know, what do we traditionally we, we say, okay, we have our HR system and then we match identities in our I H E A system and give some birthright entitlements and add some manual entitlements and put it to the target system. At the end, it's just one more thing coming in. But we have already ideally an automated identity verification.
So we trust check maybe the match or we have it in there. We have a better identity matching because we have way more data we can compare, we can use, we do birthright entitlements. We hopefully do as little or manual entitlements as possible because we can do a lot of policy based access controls. So why should we care much about manual entitlements anymore if everything is dynamic authorization based on proofs or if we create the manual entitlements because we say these are the attributes we use and then it's effectively it's some burst. We can do automated mover, we can do automated lever. If the, there's the, the proof says department changed, something else changed, whatever we can trigger move processes and change entitlements, we can trigger the lever process. We can automate a ton of things here we currently do manually. And this is not rocket science.
I think this is the the point. It's not rocket science. And this is something where we have a, as I've said, a compelling business case. And this is why I think we should think way more than we currently do about how does this help us in our standard identity management use cases. Yes, we can do a lot of new cool things with that as well, but we also can improve what is bothering a lot of us, the ones who are in the daily Im business that bosses us every day and which causes a lot of the challenges we have. And this is, I think as I've said, flying high, being abstract maybe and simplifying things. But at the end, there's, that's what I'm convinced of. There's nothing in we can't do. And so this is just so my advice and my recommendation to you and my, my my hope that that we start thinking about how can we make concrete practical use now of these technologies. I was RAA quick today, so we have a bit room of questions, room for questions. Phillip is already grinning, so it means he probably has some questions on his tablet.
Okay. So we have a question from the audience first, but I, I have more. So
Yeah, that's what I've feared no hope for, honestly. Okay,
Thank you. I look forward to the first real life case where you show the cost savings with this kind of onboarding. My question is about the IGA identity governance and administration portion. Do you see that part becoming decentralized also
Over time? The question is whether we will still need it. So I, I think I, I easily can envision a scenario where we say, okay, we have the wallet, we have the proofs, we have an authentication system, we have policy based authorization, so why do we need IGA anymore over time? The point is that we have legacy and the systems will not disappear quickly. So over the next one or two decades or three or four, they will be still alive for iga, probably lesser IGA and lesser organizations, but it will not quickly disappear. But yes, we should be able, and this is also why I'm breaching a lot about the policy based access. We should be able to reduce a lot of, a lot of IGAs because we need to create accounts and because we need to manage static entitlements. And if you're realistic, the bad, so the root cause of all bad and identity management are static entitlements. This is where all the problems start, so to speak, a bit over the top maybe. But at the end, this is really one of the points and we can surely address several of these challenges here.
Good. Another question from the audience.
Yeah, it's actually what I've, I've written also down in the, in the q and A here, if you say decentralized onboarding is emergent, do you see any chance open standards or governance could win the race against Azure, A d, B2B collaboration potentially combined with LinkedIn as social IDP or SAP success factors or Workday? Like is there any, because we have talked a lot about open idea, we have talked a lot about standards and stuff, but seems like pretty much of all this realm is already like taken by bigger players in the market.
I I, I see it a bit differently. I think when, when you look at what Microsoft is doing, Microsoft is, and I think Mike Jones from his previous work experience can confirm that several of these players are, and he, he will be in the panel soon are including Microsoft, are very, very engaged in working on standards. So I I I really see this as a conversion. So I see whatever your LinkedIn history as one element you can use amongst many others. And I, I think the point is, what I think is we need to be very careful in all the work around wallets and around standards to not create something which is so artificial that it doesn't allow us to incorporate what is valuable and what what is there. And I, I'm very hopeful that we will still see a lot of conversions because many, many of the players in the, also in the standard bodies are working very closely.
And when you look at for instance, which companies are supporting the open wallet foundation than it's quite an extensive list already. So, so I'm, I'm, I'm a bit more positive on that, but I think we definitely also need to be pragmatic at, at the end, we need to have something that is widely accepted. We need a critical mass and it must work first for the majority of use cases. It was very interesting, Eric Zu yesterday in this room said, asked the question of how, how frequently do you interact with your government per year? No, a few times. How frequently do you interact with your employer? How frequently do you interact with Amazon or other retailers per day? And you probably interact, do have more non-governmental interactions per day than you have governmental interactions per year. So the governmental interaction is the exception. It must first work for everything else. And then you must have something that allows you to do the few things with the government, which need to be really super secure, voting very secure. But most of the things with government are not even have this high level of assurance requirements. And that is how you need to think about and how you need to fix it. And then we will come together easily.
Other questions up
30 seconds or so.
Okay. Just if we talk about it then it seems like the account is already there. It's just like with a company or with the organization when it comes in the space of the own organization, should then there just be an activation like by an iga or is this a security risk if it's not like created
From scratch? If you, if you're here tomorrow morning, nine 20, then come to my keynote. Okay. About policy-based authorization. I think there's the big challenge there is. So more, more with the legacy applications to require an account, how do we solve this? I have some thoughts about us. I'll talk about tomorrow morning. Okay, thanks. Otherwise, if you're not here, it'll be recorded. You can look at it later. Anyway, so I think we're running out of time
Unfortunately. Thank you. So thank you Martin.