Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Knowing Your Customer Well: the importance of assurance and identity governance for CIAM. CIAM stands for consumer identity and access management. This webinar is supported by Saviynt. The speakers today are Amit Saha, COO at Saviynt, and me, Martin Kuppinger, founder and principal analyst at KuppingerCole. Before we start, some quick information about KuppingerCole and some housekeeping information for the webinar, and then we'll dive directly into the topic of the webinar today.
KuppingerCole is an international, independent analyst organization focused on information security, with a specific expertise around identity and access management and identity and access governance, but also a lot of other topics concerning the digital transformation. We provide neutral advice, expertise and thought leadership through three groups of services. One is research, where we, for instance, deliver our Leadership Compass documents, which provide comparisons of vendors in certain market segments.
Plus a lot of other reports on trends and how-tos and other stuff.
We have events, which I will touch on in a minute. And we have our advisory business, where we provide neutral advisory services for end user organizations, such as tool choice and many others. We have a couple of upcoming events: we'll run the Consumer Identity World events end of November in Paris and in December in Singapore; we will do an event around RegTech, so regulatory technology, in early December; and we will do, end of March, early February, again our Digital Finance World in Frankfurt.
And then in May next year, we will run the 12th edition of our European Identity and Cloud Conference, which is the leading event around identity management related topics in Europe; don't miss this one. And clearly we also will have a lot of other webinars within the coming weeks. In the advisory area,
we just launched our GDPR readiness assessment, which is about evaluating where you are already and what you have to do to be compliant and to mitigate your risks regarding the upcoming EU GDPR regulation.
I'll talk about GDPR anyway later on, and this is something which can help you in understanding where you are and what to do in that respect. The agenda for today is, as with most of our webinars, split into three parts. In the first part, I will give an overview of the latest developments around consumer identity and access management, so the CIAM topic, the technical and legal challenges imposed by the upcoming GDPR, which is a very important thing around the entire relationship to customers, and how identity assurance helps address them.
So I will more set the ground and particularly talk about where identity assurance comes into play, how this can work out and which areas we have to look at.
In the second part, Amit will talk about implementation details of a modern customer-oriented IAM solution. He'll look at a reference architecture for implementing various types of services, such as attribute verification, integration with third party identity assurance providers, delegated administration and fine-grained privilege management.
So I'll more talk about the bigger topic and Amit then will go into the details. After we have done that, we'll have the Q&A session. I always recommend: once you have questions, enter them in the questions area of the GoToWebinar control panel, which usually is at the right side of your screen. The more questions we have, the more lively the Q&A part of this webinar will be. So let's directly start. I want to set the ground by looking at where this entire interest in consumer identity management, or CIAM, comes from.
From my perspective, it's something which is just part of this bigger digital transformation. And this digital transformation brings in a lot of changes for organizations. Some of these mean that we just have external drivers which mandate us to change the way our organizations act. So there are different types of partnerships right now, there are changing competitive landscapes due to new players, rapid innovation, connectivity and ever-changing regulations.
A lot of these changes at the end are about how do we define, how do we maintain,
how do we build and extend the relationships to our consumers and our customers? So in particular, when I look at the partnership part and the competitive landscape, but also the move from products to services or a mix of both, it means that frequently new players come into the game and try to become the interface to the customer, to catch the customer, to be the sort of customer interface. For organizations it's essential to remain in a role where they have the direct contact to the customer. So many of these changes lead us directly to: how do we manage the identity of the customer, his access?
How do we maintain, at the end, the relationship? And then with the regulations we even have the second aspect, that some of these regulations, such as the EU GDPR, which I'll touch on in a few minutes, make it more complex to maintain and extend that relationship.
So what do we need as an organization? What are our key capabilities for moving forward in the digital transformation? There's agility. So with all these changes, organizations need to be more agile, they need to be more innovative and they have to have a lot of organizational flexibility.
And organizational flexibility also means organizations must consider sort of leaving their comfort zone and doing things they might not have done before. So new business models, which are totally different from whatever they have done before, opening up, or providing services which are provided by third parties. Even while this might be problematic at the beginning, it might be the only way to keep the customer happy and to be the one who manages the customer relationship. So what are the key topics here?
There are, from my perspective, in the digital transformation three big areas to look at.
One is smart manufacturing, or Industry 4.0. One is the Internet of Things. And the third one is know your customer, know your customer in a sense which is far bigger than the KYC and anti-money laundering stuff we have in the finance industry. So when we talk about know your customer, it's really about knowing your customer, serving the customer well, creating a bigger view of the customer. So this is what I really see here in that space. There are various technologies we need in there.
So blockchain, cognitive and AI, sensors, robotics, big data, and then security and privacy to keep all this stuff secure, and there's identity. We need to understand the identity. We need to track it. We need to extend it. We have to identify, to authenticate, to extend what we know about a customer. This is where consumer identity and access management comes into play.
This is the main theme of today's webinar. So when we compare traditional identity and access management with CIAM, or consumer or customer identity management, then we see a lot of differences.
And some of them lead automatically also to the topic of identity assurance and related things. So traditional identity management is employee-facing. So we look at the employee, while in consumer identity management we look at the customer, which also means there are big differences in scale. The way we authenticate in traditional identity management: we look at smart cards, hardware tokens, these things. For consumer identity, we have to think about what does the customer want? How can we allow him to authenticate in a simple way? What does it mean for the way we can identify?
We have an assurance which other information could be gained. So attributes for KYC, these are far bigger, because it's about looking at customer behavior, at his interests, serving him, having the information to really serve him well, while in traditional identity management attributes are primarily for authorization.
Data is held in different types of data stores. So big databases are more common in the consumer space. When we federate, on the one hand, in identity management, it's more SAML; in the consumer space,
it's more OAuth and OpenID Connect for single sign-on, OIDC standing for OpenID Connect. And so on the one hand, it's really more access control. In the consumer identity space, privacy plays a highly important role, but also access control is increasingly important. Access control also in the context of privacy: who has access to PII. And if you look at the GDPR, and I'll touch on it, as I've said, in a few minutes, GDPR is very much also about protecting the consumer data, the PII, well.
So when we look at enterprise IAM again, it's the employees inside, the customers are outside, so we don't have that rich profile data. So it's more a CRM, which is somewhat separate from the rest of the world.
A lot of data around the customers is entered manually, and usually just when they become customers, or at least leads, not for the broader consumer perspective. Also, applications tend to be less flexible and are really just for marketing. And it doesn't scale that big. Consumer identity management is fairly different here.
It's about self-registration, social logins, profiling, user activity, a 360 view of the customer and consent. And so it's really a totally different way. At some point, on the other side, it's also something which, from a technology perspective, has a lot to do with traditional identity and access management. So the question is what is the right way to approach it?
But at the end, we need new capabilities and we need a view on how do we manage all that in a consistent way, which might be based on one or more tools, but it's really important to have it done in a consistent way, with a big picture on how do we serve all identities.
So to bring in another angle of how these topics relate: so consumer identity, and then really KYC, knowing and serving your customer. It should be KYSC, know and serve your customer.
In fact, when we define it, we could say consumer identity is identity management at scale plus the customer experience. So we still need a lifecycle, which might be less complex, but we need also access governance. We need to bring in governance for who has access to PII, but also what our customers are allowed to do. We have the access and federation stuff, single sign-on, et cetera. That's all we have in identity management.
We still need it, but we need to add things like the lifecycle of the customer, the relationship in general, the adaptive authentication, the integration of customer data from various sources. And then to really work on that, it's about customer tracking, marketing, marketing automation, privacy and information protection.
That's why we really then can know our customer well, and also have the assurance that it's the person we really want to address and to interact with. And we can then really build new types of services around that.
So consumer identity is a pretty big beast to tame for a variety of reasons. It's something which adds a new level of scale and sometimes complexity, different types of services. And it is about a lot of involved parties. So we have sales here, they have the CRM. We have marketing with the marketing automation tools. We have IT with the identity and access management system. We have maybe a chief digital officer or chief digital business officer, because the organizations have newly discovered the customer and the digital transformation. So we need to add this as well.
So who's the one who's responsible? And then there also might be the website operators, because they owned some of the consumer data before, the business departments which create their own portals and their own apps
and believe that they have this ownership, the corporate audit, because KYC is not only an audit topic but also data protection. The data protection officer: KYC also has a regulatory angle, so for GDPR it's the data protection officer. And so it's a complex scenario.
And while on the one hand we are thinking about what can we do to gather as much information as we can about a customer or consumer, we on the other hand have to take into account that there's the GDPR. And just to see that on the next slide: I missed changing one number, that's the number down here. It's not 435 days to go anymore. It's roundabout, it's less than seven months, eight months to go. It's May 25th, 2018 when the GDPR becomes effective, so it's roughly 225 days to go from here. That's not long anymore. And if you don't already act, it's the latest time to act.
And if you're not done, it's the latest time to speed things up. So giving you a quick overview and history here, before we go a little bit more into the details and then come back to the consumer identity and identity assurance theme: before the GDPR, in the EU each EU member state had its own data protection laws. So there was mainly one main EU directive dating back to 95, which had to be transposed into each national legal system. Right now we have a two-year implementation timeframe until May 25th next year.
So the GDPR, in fact, the entry into force was two years ago, one and a half years ago from now, and there's a two-year period for implementation until it's enforced.
So the important thing here is it's a regulation, and a regulation means that it's in fact immediately effective. It does not need to be transposed into national legal systems. And there's not that much room for exemptions. So we have a harmonization at EU level, which is based on new technical developments and factual situations.
It will strengthen certain existing data protection standards, depending on where you reside and what you're affected by. One of the most important aspects is that it binds businesses established outside the EU to the European standards when operating within the EU. This is probably the most important thing for many organizations when they, in fact, at least from a legal perspective, reside outside of the EU. If you want to do business, simply spoken, a little bit oversimplified, but at the end, if you want to do business within the EU with EU resident people, you have to comply.
So what is the impact of the EU GDPR? I'll just touch on or pick some key aspects, since going through everything in detail would take far too long. But one of the important things is: unless another legal basis is in place, consent is required prior to processing personal data. So if there's a contract and it defines what is allowed or not, fine; if not, consent needs to be in place prior to processing, and this needs to be explicit consent, which has to be freely given, informed, unambiguous, and must consist of a clear statement or clear affirmative actions.
And for instance, the regulation clearly says it's not allowed to sort of pre-tick all the check boxes. So the part of clear statement and unambiguous is: people have to tick the box. And where no consent is required, there are some gray areas. Many of them are just light gray, to be honest.
So obviously they are relatively clear, but there's still some discussion in many other areas. There are a lot of information rights.
So even if you don't need to obtain consent, your consumers, your customers, the people, the individuals you work with, in the terminology of the GDPR they're called data subjects, still have a lot of information rights. So it will definitely change the way, and needs to be considered when, dealing with identity and individual data. So consent should be given per purpose. It might be revoked at any point of time, and it might be revoked for single purposes. It makes it more prescriptive, but also consent for the new purposes, and that changes the interaction with your customer.
Because then you have to explain: okay, I want to use the data for a different purpose, I need your consent, please give it to me. And to get this, you need to show the customer what is the benefit to him; without that, it will be tough. Data protection officers are required. They can be external, which is a change in some countries, not in all, under certain circumstances.
For instance, for health data, for data of public places, et cetera, organizations have to undergo a defined and regular data protection impact assessment. Data breach notifications to the supervisory authority have to be done within 72 hours, which is not long. So be prepared for it.
And there are massive data control rights: the right to be forgotten, the right to freeze data processing, the right to export data, to edit it, et cetera. So you also need to understand where the data resides. You need to have a clear view on where the GDPR data is.
Finally, we have technical things such as privacy by default and by design, which are right now mandatory. GDPR in fact means that a lot of things in the way you interact with your customers change. You need to have one place to do it, so not per app, not per portal. And that's where consumer identity and access management systems come into play. Some of the reasons why GDPR is a market driver: aside from that, how do you know where all the data is? It's moving to a standard opt-in, opt-out scheme with the consent, with the history of consent you need to have, so track it in one place.
So move it to standards rather than per app, per portal, per service; the notification stuff, so if something goes wrong; export customer data, so if a customer wants the data back, you need to have one interface; delete upon request; and security for PII needs to be at the state of the art. So the state of the art thing is a very important thing.
Also, you need to protect the data. And that means, when you look at access governance, access requests, this needs to be done consistently. So consumer identities versus enterprise identities.
In fact, there are various things which are different. For consumers you look at convenience primarily and have a secondary focus on security. This is different for your workforce. Governance frequently is underestimated, but GDPR effectively mandates state-of-the-art access governance for access to all PII. It's just according to the technical standard of today. Identity assurance becomes an essential aspect.
So how do you identify and authenticate your customers? How do you create that knowledge about your customers without being in conflict with the regulations?
This is a pretty big thing. Within the enterprise it's easier; let's just say in the worst case I can walk to the desk of the person and look at whether it's the person or not, or his departmental manager hands over the smart card, whatever else. So looking at identity information quality and identity assurance is another aspect around what does it mean in the consumer identity space? When we look at this entire theme of identity assurance, then we have a lot of different aspects. One is identification.
So is a person who it claims to be? Does the postal address match? Do you need to use video identification? Overall, for consumer identity it's a bigger play than it is for standard, traditional identity management.
When we look at identity information quality, that's always a challenge. So how can you really get good information, correct information? And people can ask you, with GDPR: so is the information correct? How do you manage that?
Define the process and the stakeholders responsible for that, regardless, by the way, of which type of identity management you have to do; that's always a challenge. One of the big things is also authentication: who does the authentication? Is that you, or an external partner? Think from the customer's perspective: the customer might say, I want to use an external one. Then the one who does the identity assurance provides the level of assurance of someone else, a different play here. And also others might provide additional attributes, but that's also interesting from a compliance perspective.
So what can you use, who is allowed to provide which data to you? Again, that requires consent, et cetera. So a very interesting play here, and on these details, and what does it mean, that's the part where right now Amit will talk. I'll make him the moderator and he will talk about the implementation details of a modern customer IAM solution.
Sure.
Thank you, Martin, for that excellent discussion, you know, in terms of the overall view of what customer identity and access management comprises. I think you covered it very well in terms of what the priorities are from a customer's standpoint. So what we wanted to do today was, you know, one of the things that Martin stressed was that convenience is the primary factor when it comes to customer-oriented identity and access management.
However, security is more of a secondary factor in that case, right? So how do we bring these things together and still ensure that, as an organization, we are ultimately responsible for the security, the privacy, as well as ensuring that we are GDPR compliant? How do we still ensure and provide that level of assurance without burdening the end user? So that's where what we are focusing on today with Saviynt is how do we make the whole identity assurance and the governance aspect much more seamless from an end user standpoint.
All right, thanks for that Martin.
So first and foremost, what we need to understand is that from a consumer standpoint, there are going to be different types of consumers. And we need to understand what is the lifecycle of a consumer within the context of an organization, right? So the way we have tried to simplify this, and this is a very oversimplification of the complexity of things, is to look at types of roles, which in turn drive what are the different types of applications and assets they can consume in the organization. Right.
So first and foremost would be a consumer who is more of a casual browser, who potentially doesn't mind being identified. So you might want to use an OpenID Connect based, either a Facebook or a Twitter based, handle to authenticate or personally identify the user. But as the user starts consuming more and more critical services from a portal standpoint, which in fact have a commercial or a financial or a privacy implication, that's when you want to dial up the level of assurance that you want to validate for the end users, right?
And that's where the consumer then slowly moves to a customer and then on to a trusted user model. So at the core of this, what we are really trying to do here is lower the risk as a user traverses through different assets in the organization, increase the trust level, as well as, in the backend, ensure that the overall experience is very seamless from an end user standpoint. So in order to facilitate that, what Saviynt has done is given a whole set of tools, whether it's self-service tools that we expose to the end users or to the administrator: how do you manage the access details of a user?
How do you ensure that you are doing appropriate risk profiling of the user, and how do you continuously monitor the user activity? Those are some of the tools that Saviynt provides, and let's do a deep dive on those tools.
So the first and foremost is how do you bring on a customer from a seamless onboarding standpoint? So the whole experience has to be seamless from an end user standpoint. So there are multiple levels of registration options that we need to support from an end user standpoint, all driven off different levels of assurance.
What it means is, depending on the type of application or type of asset or type of report that the user is trying to access, each of them has a different level of assurance. And that level of assurance then drives what sort of registration or details do I need from the end user. At the end of the day, what it means is we are going to do a progressive profiling of the end users. So that means the initial onboarding of the consumer itself will be frictionless. That means we are going to ask them a very small set of questions before we give them level assurances.
We increasingly ask for additional validation so that we know who they are. Let's dive into what that means, right? So this is again a very high level conceptual architecture of what we call tiered identity proofing or tiered level of assurance management. So on the left hand side of this diagram, you can see here that you have the consumer; as the user traverses through the lifecycle, they ultimately become a trusted user. What they're essentially trying to do is navigate through the different channels that you would want to expose to them, right? So in today's day, it's not going to be just one type of channel.
It's going to be a combination of web or mobile, or even a phone based model of engaging your customer, or even a paper trail based model, right? No matter where the consumer or the user is coming in from, they are trying to access some of your services, and what we call that is just claiming access to different products.
So as part of that, what we really need to understand is what is the channel that the user is coming in from? What is the risk level associated with that channel? Where is the user coming in from? What sort of device is the user coming in from?
And what exactly is the resource the user is trying to access? That drives the level of assurance. Based on a combination of all of this, what it allows you to do is identify what would be the right combination of identity proofing providers. These are more of the assurance providers that Martin was alluding to. At the end of the day, what we believe is that not just one ID proofing vendor would be applicable, based on the different channels or different geographies that your organization operates in.
Rather, you would rely on a combination of multiple ID proofing providers, right? So whether it is someone like IDology, LexisNexis, Neustar, or others, or it could be your internal asset itself, more like a customer database management, or maybe your insurance data warehouse, right?
Or your data mart, where your different proofing metrics reside.
What we need to then understand is, depending on the level of assurance and where the user is coming in from, choose a combination of one or more ID proofing providers. The whole Q&A, or the back and forth of gathering information from the user, validating with ID providers, and then allowing them access:
all of that has to be as much real time as possible, keeping in mind that all of it has to be a very stateful dialogue between the end user and the ID proofing providers, and then subsequently derive whether the user has provided the adequate level of assurance so that we can assure that they are who they claim to be, and then carry on the onboarding of the users. And as part of that onboarding of the user, it's not just creating the user in one particular identity store.
Rather, as organizations move towards a more federated portal or federated user experience, you'll quickly see that it's not just creating the user, maybe in your identity service provider, like an Okta or Ping or ForgeRock, but there could be a combination of those. It could be an internal identity store, like an LDAP or a virtual directory, or you would also need that user then to be created across a third party SaaS provider or in your backend legacy systems. So all of this orchestration has to be done based on the level of assurance that we have validated for the end user.
This is going to be key, right? And the last aspect of this overall ID experience is to also deal with failure scenarios. So what if the data that has been provided by the user does not satisfy or meet the level of assurance requirements?
So in that case, we need to also transfer some of that information back to your customer service rep, create a case for them, so that they can do an appropriate follow up with the customer and still try to bring them on board and consume the services that you offer.
So that is the key aspect of the solution, to ensure that, you know, we are doing a much more frictionless onboarding of the user, asking a reduced set of questions or using the OpenID Connect framework to onboard the user. But as the user traverses through the different channels, we derive the appropriate level of assurance as they navigate. The second aspect of ensuring a seamless and a better user experience is, you know, you are trying to derive information from the end user and then trying to personalize the whole experience across the different portals.
So one of the key aspects or implications of GDPR, and any kind of privacy regulation, would be: how do I ensure that for the user themselves, as well as others who are the portal administrators, as you retain their data, or you traverse or transfer some of that data to third party providers, how does that whole information get secured?
Where does it reside? What amount of information is stored virtually or made visible to the end users, in which format? Is the right level of encryption applied at rest or during transit or not?
So, again, one of the key aspects is the self-service capabilities that you, again, need to expose to the end user. Now, many of these services will be exposed or presented via a presentation layer, like a web or a mobile platform. But at the end of the day, what we are talking about here is a set of services that will be exposed through the data or the personalization or, you know, the security services to ensure that only the right people have visibility to their data.
What it also means is you also need to support the ability for end users themselves to appropriately control the right level of delegation of data. Who can see that data has to be controlled by the end user rather than just the administrator. As well, as you know, there are a lot of financial or business transactions that the end user might want to delegate to someone else, right?
So it could be something like: I have an insurance policy from my service provider, and I want to give limited visibility of that insurance policy to my spouse, right?
So how do I safely delegate some of that access and ensure that only the right people have access to that data? Those are all critical aspects that are again enabled as part of this service-oriented architecture that we are trying to implement as part of our customer access management. And last but not least, you also need to take into consideration that users will, at some point in time, have multiple profiles based on the time and how they tried to register. For example, the user might have a different identity profile
maybe when they came in through the phone channel versus when they log into the mobile channel. So you also need to have the ability to aggregate the different profiles that a user has and correlate that back to one single identity, so that you can uniquely identify that user across the different channels.
Now, how does all this administration or the policy management get applied? Through a very robust access control and policy management framework. So what you are seeing here is not just the customers, but also the administrators, sorry. They are able to, you know, enforce all these policies, right? So one of the aspects that Martin also talked about earlier is scale, right? One of the key distinguishing factors of customer IAM as compared to enterprise IAM is scale.
How do you scale this to millions of users rather than the hundreds and thousands of users that you deal with in enterprise IAM solutions? Right? So what we have been requesting our organizations, our customers, to move towards is what we call a data spark architecture.
So in this case, we are not trying to create a very physical, co-located or centralized identity repository, but rather have a federated model where data resides at its source, which is very crucial from a GDPR or privacy compliance perspective, or from a geographical standpoint where you want the data to reside at its source.
And as the data is consumed, you enforce the access control policies in real time.
And, you know, not worry about enforcing the access policies at rest in a central location. So that is going to be key in terms of how you manage the data. The second aspect is that, because of the data-sparse architecture, you are spending less time on synchronization of identities, profiles and attributes across different repositories. So that means when the user wants to change their profile, you are pulling that information in real time from a particular repository.
Then it gets to the end user; the end user might be the consumer, or the delegated portal administrator, or your customer support representative. They pull up the information in real time, you do all the access control, the processing, the application of the visibility rules, right? Based on that, you can either trigger some additional governance processes, like going for additional approvals, or notification to the end user, or validation to the end user saying that such and such profile has been changed, do you approve of that?
And so on and so forth, and then instantly synchronizing or provisioning that information back to the primary data source or the federated data source. So that takes the focus away from the traditional identity management framework, which relies heavily on synchronization of attributes and data across different systems. Rather, here you are doing more on-the-fly, more real-time identity management and governance. OK.
One of the other aspects, when we talk about customer IAM: some of the initial aspects that I talked about were more focused on how we make the end user's experience more seamless, more frictionless, but on the other side we also need to be aware that, as the user performs transactions on your portal, you are still monitoring their risk on a continuous basis. Right? So one of the things that organizations also look at is how you calculate or compute the risk of a user's profile as well as their activity in real time, on a continuous basis.
So I have just listed out here three high-level aspects that you might look at. One is, during the time of registration, you want to look at the different parameters that the user is providing, which could be in terms of the device, the channel that the user is coming in from, whether any of the email addresses that the user has provided are part of any blacklisted email list that you might have, or whether the IP address from which the user is trying to perform the registration is compromised or not.
So those are some of the aspects that you might want to look at from a user registration standpoint. Similarly, as the user logs on and accesses your different portal or channel services, again you need to do the continuous evaluation. And last but not least, you also need to look at how the user is behaving in your channel services. So that means looking at which type of assets the user normally looks at versus what they are trying to look at now. Am I actually seeing a spike in their activity, or are they trying to traverse URLs or links that they have not visited in the past?
That is more around event rarity. Or, how are their peers doing this activity, right? So for example, you know, one of the averages that you might have as part of your consumer identity and access management would be that the user potentially logs in maybe once or twice a month, right?
But maybe your marketing team has launched a campaign because of which you are seeing a spike in the user trying to access your services. They're trying to log on more.
One way of reducing the false positives in that case, and not triggering the rare-event flag, would be to look at how the peers of that particular user are behaving. Am I seeing a spike in their activity as well, right?
If, if there is a correlation between the two types of activities between the peer group, so then maybe, you know, I don't consider it as a rare event and reduce the risk profiling of the user. But the idea here is to use a combination of factors, whether it's in terms of abnormalities or anomalies in the user activity versus their own behavior, versus their peers, behaviors, combine all of that, and then apply that risk factor through the entire consumer identity and access management.
And what that entails is that, with the right level of thresholds that I have set from a risk profiling standpoint, the moment that risk threshold is exceeded, I then either do a step-up authentication or drive a multi-factor authentication, where I might ask for additional validation of the user's identity, or trigger some of the additional assurance providers and get some additional information from the user.
Or I might trigger what we call an investigation workbench, where someone might actively monitor the user's activity and see whether, you know, the behavior is still risky or not. And then take that whole risk factor and synchronize it, distribute it across my channel landscape, right? Which means that I need to either spike the risk level of the user when it comes to my IDaaS or access management solution, or register the appropriate risk level of the user within the portal or application, and maybe force a global log-off from the portal, right?
Or, if there are federated services that I'm consuming, pass on the risk factor of the user to those federated services so that they can take appropriate action on their side. So this is again keeping the customer close in terms of continuous risk profiling and ensuring that, you know, the exposure is always under control throughout the journey of being a consumer of the entity. So last but not least, I just wanted to summarize this more from a service-oriented architecture perspective.
So what you're seeing here is a very high-level conceptual set of services that combine to provide the overall customer identity governance, identity management and identity assurance services, which in this case are being consumed by different types of users: not just the consumers or the customers, but also your portal administrators, your audit and compliance people, as well as the portal owners. All those different services are abstracted and provided through some sort of presentation layer, abstracted through an API abstraction layer, and in the backend you have all the different types of services, whether it's account management, which might be done in a self-service or a delegated administration mode, or doing the right amount of account validation or linking, where we talk about the consolidation of the user's profile, or ensuring that you have the right visibility through dashboards so that the portal team can see how user registration is behaving.
Are there any risky-profile users that are accessing my environment, and so on and so forth, right? And then from an access management perspective, there is this set of services in terms of not only doing the federation or doing OpenID Connect, but, more importantly, doing the adaptive authentication on a continuous basis, or doing the token transformation, right?
And then, as part of this overall identity and access management framework, there are the additional assurance providers, which would be either a SIEM or a UEBA kind of platform, as well as your internal and external identity and information data providers, which again drive the overall end-user experience. So that concludes my part of the presentation. And with that, I wanted to hand it back to Martin for questions.
Thank you, Amit. So let's directly move to the Q&A session. So it's the last chance to enter your questions.
If you have any questions for the Q and a, we already have some questions here. And so, so maybe let's start with one of the questions here.
So one of the questions goes to Amit. One of the things highlighted was the scale capability: how do your solutions scale to millions of identities?
Yeah, Martin, that's a very important question.
So, you know, one of the key aspects that organizations need to understand is that when we talk about customer identity management, the focus is all around identity management. So that means the typical way of looking at things is: I'm going to expose a set of services, which will be create-user, delete-user, update-user kinds of services, and then I'm going to perform all those activities on one particular identity repository, or I'm going to synchronize that across multiple repositories.
Like I said, that kind of model may not scale, because the moment you have the identity profile or attribute information being consolidated across different repositories, synchronized, reconciled and brought to one physical location, that acts as a significant detriment to the overall performance.
Because now, when the end user is trying to perform an identity management function on a particular user profile, if that profile information is not accurate, or if it's not current, or there is a delay in the reconciliation process, that defeats the overall purpose from a security perspective.
So that's where one of the architectures that we have been proposing, and which has been very successful in terms of its implementation, is to adopt the data-sparse architecture, where not only do you address the issues that come because of reconciliation, but you also address the GDPR concerns, because the information resides at the source. Instead of replicating it, you are showing that information in real time and enforcing the access control policies from one single place, at presentation-layer time.
So that drastically simplifies the need from a scalability perspective and allows you to scale the platform up to millions of users.
Okay. Thank you very much.
And I have another question directly for you: how do you help organizations meet compliance requirements such as consent management or opt-in?
Yep, absolutely. So this is where the delegated administration or the fine-grained access control kicks in. So obviously, when I talked about having the data-sparse architecture, that is a key factor for addressing GDPR requirements from an architecture perspective. But from an end-user standpoint, what we also need to understand is how you constitute the profile of a user.
What should go into the primary profile of the user versus what is backend customer data that resides at the source? And then you apply fine-grained visibility rules at the time of consumption, whether it's the end user who is consuming that information, or whether it's a third-party service that consumes it. You need to have the ability to strictly control visibility and transformation rules, as well as enforce the whole delegation model.
On top of it, inheritance plays a key part in how the policy propagates from one system, or from one user, to another. Using that inheritance model and the delegated administration model, combined with the visibility policies, you can then enforce different types of controls, which then translate into opt-in, so that we are not automatically capturing more information from the user than we are supposed to. Rather, we give a clear indication to the end user of the type of information that we are storing, whether it is PII or PHI, and they can control whether they want to share that information with their delegates, or whether they want to share that information with third parties. Having those different flags and that granular control from a delegated administration standpoint, those are key in my mind when it comes to enforcing GDPR policies for consumers.
Okay. Thank you. So there's another question which is targeted at me, which is about my mention of governance being somewhat underestimated. So the question is: how are the enterprise IAM techniques such as certification and delegated administration applicable in consumer identity and access management?
When I go back to what I've talked about regarding the GDPR requirements, regarding state-of-the-art protection and governance for PII, it's very obvious. We also need to understand, to verify, to re-certify who has access to that PII. We need to restrict it. And so the entire re-certification thing becomes, from my perspective, very important for all PII. And then to touch on the delegated administration part:
I think this is an extremely important topic, because delegated administration is potentially far more relevant in consumer identity management than it ever has been in the sort of employee identity management. For consumer identity management,
what we are really talking about is that we have different parties, which might be focused on certain groups of customers and are responsible for the management of certain things around these customers.
So delegating, on the one hand, the administration of certain groups of customers, like regional customers for various regions, or, for instance, according to whatever key accounts and other things, or by different types of data, so who's responsible for a certain type of data, becomes far more relevant than it ever has been.
So, having said this, I believe that these capabilities are of massive importance. And so we shouldn't underestimate that the entire governance part, with all the various techniques, but even beyond that, is essential for a successful deployment of consumer identity management. Do you want to add something around that?
Yeah, thanks Martin. So, from a certification standpoint, one of the key aspects that we also need to assure from an overall security perspective is to always ensure that only the right people have access to the data, and only if they're using it and only if they need it. Right? So getting the right business justification is going to be very crucial. So in consumer identity management, what we have tried to do is give a different twist to the traditional model of certification, right?
When it comes to the enterprise, you usually have a very clean layout of all the different users and all their access in one single place. In the consumer identity management world, what we have tried to do is the same amount of validation, ensuring that only the right people still need access to the information.
And what we have tried to do here is launch different types of email campaigns, where you only take the subset of the information that you feel is risky or critical.
Only that information is then sent out to the relevant parties to get their consent, saying: yes, I still approve this information being shared with such and such parties, or I am still certifying that this person should be my delegate and should have access to my insurance policy, versus not. Right? So those are some of the validations that you do on a continuous basis, more from a consumer standpoint.
And the same thing can also be done for the system administrators and the portal administrators as well, where you can go through all the different federated access policies that you have, bring all of that into one single place, and launch different certification campaigns. So it basically manifests itself in different ways, but at the end of the day, ensuring that you continuously review appropriate access is key to ensuring that you always stay clean and secure.
Okay. So thank you very much, Amit, and I think we are close to the end of the time.
So thank you very much, Amit, for your presentation and the input you delivered. Thank you very much to all the attendees of this KuppingerCole webinar; I hope to see you soon at one of our events or in one of our other upcoming webinars. Thank you for spending the time with us this afternoon or this morning, depending on the time zone you are in, and goodbye.
Thanks Martin. Thanks.