The Ministry of Education in New Zealand can now control access from a wide user base to agency applications in the education sector.
Good morning, good afternoon, or good evening, depending upon which time zone you are in, or indeed, if you are listening to the recording of this webinar, we are pleased that you're able to join us. And we trust that this presentation on the Education Sector Logon project in New Zealand is of interest to you. And if there are any questions, that you will get back to us and learn from the experience that UNIFY had with this particular project. My name's Graham Williamson, I'm a senior analyst with KuppingerCole and I'm very pleased to be joined today by Shane Day, who's the CTO from UNIFY Solutions, who's going to give us some detail on the project.
We have an apology from Stewart Wakefield. He's traveling at the moment and is unable to be on this webinar. But I did want to mention that just last week the Ministry of Education in New Zealand was awarded the Project Management Institute of New Zealand award for a project in the public sector. And Shane will tell us the reason for that as we go through the webinar in the second part of the proceedings.
Okay, just to start with the background on KuppingerCole, for those of you who are not aware of the organization: formed in 2004 to provide thought leadership in the identity and access management area. And of course, we'll be talking about identity and access management that is so important to cybersecurity, the governance, how we govern our access control, risk management and compliance. And indeed it is one of the core technologies that need to be implemented correctly for a proper digital transformation environment.
The Asia Pacific headquarters were established in Singapore in 2013. In terms of the three legs to the stool, there are three legs to the analyst services that KuppingerCole provides. The first is research, and there is a wide body of research available via the website; do go into that and peruse it. If you register, you get 30 days free access to the articles there and can download five reports. It's available then on a subscription basis. KuppingerCole runs events. The prime annual event is the European Identity and Cloud Conference in Munich every May.
If you have an opportunity of getting to EIC, please do it. You will find it a rewarding experience. There's also the Consumer Identity World activity that commenced in Seattle last week. It moves to Amsterdam next month and to Singapore in November. And the third activity is advisory activity. So if there's any help that we can provide in putting together your identity and access management programs or digital transformation programs, please let us know, and we would be very pleased to assist. In terms of events, I just wanted to make you, well,
we've actually mentioned the Consumer Identity World tour. So if you're able to be in Singapore in November, please attend, and I would look forward to meeting you there. If you happen to be in Berlin the week before, the Cybersecurity Leadership Summit would be well worth your while too. There's other regional activity that's happening and that's all on the webinar. So go into the webinar, make yourself aware of those activities, and please register as suits your requirements. In terms of some of the guidelines for the webinar:
Unfortunately, we have to be muted because we have too large an audience to have it interactive, but that doesn't mean that you shouldn't enter your questions. So at the end, there will be a question and answer session. So on your control panel, if you click the questions panel and enter your question there, we will get to that at the end of the webinar. The webinar's being recorded, so you will be able to refresh your memory, go back and listen to it again.
And you will be notified of when the podcast recording is up on the website. In terms of the agenda for the event, I will commence with some generic comments on access management, how we do access control, how we use our identities for access control, and also authentication. Authentication is becoming increasingly important these days. And so I want to talk a little bit about federation, how we can use that, how we can accommodate a high assurance requirement if there's a requirement to give access to an application or protected resources,
and some of the things we can do around that. Then Shane is going to be talking specifically about the Education Sector Logon project, what it involved and some of the learnings from that, and that I think is going to be very valuable in terms of understanding the process that generated this award-winning authentication application. And then finally, we'll do questions and answers that you have for us. I'd like to start off by just emphasizing one thing.
And that is that as we talk about an organization and what it needs to do to provide access to applications, to protected resources, we need to of course accommodate a wide variety of devices. And we need to increasingly provide access to a wide variety of things and the data coming from things. So that's our task. That's the task that we are looking at here in the Education Sector Logon project.
But it's important to remember that in the middle of all that are people, and one of the strong points of this particular project is how it accommodated the users that were using the applications, how it accommodated a frictionless experience for those users. All too often, I'm involved in projects where they're run by the IT department, and the IT department does things that are best for the IT department without thinking about the effect on users. So let's, as we proceed, keep in mind that people are at the center of all of these projects that we undertake.
I want to just mention that this was a study done by KuppingerCole of the innovations that are driving digital transformation. We all agree that we are in a disruptive environment where we need to have a strategy to determine how our organization is going to respond to digital transformation. And of those 15 innovations,
there's two that directly impinge on the Education Sector Logon project. They're indicated in red here: the consumer IAM or citizen, for government, IAM, and then identity relationship management. Understanding our identities and the relationships they have, not only with us, our organization, but also with others within the identity repository, is becoming increasingly important when we are looking at consumer IAM. And you'll notice that both of those elements are in the top right-hand quadrant. On the horizontal line, we have business value.
If we are on the left-hand side, those are the things that we've got to do just to stay in business. Over on the right-hand side are the things we want to do because they generate business value. So both identity relationship management and consumer IAM are squarely developing business value for us. They're also mature. On the vertical, we've got mature versus emerging. So there's no leading edge technology we're talking here; we're talking mature technology that is providing these facilities for us.
So as we talk about ESL, you'll notice that those two elements are high priorities when it came to determining what technology and what environment was going to be used for a citizen identity access management.
There's a couple of things we need to realize. Firstly, that is an order of magnitude different from just managing identities within our organizations. So within our companies, you know, we're dealing with thousands. We're dealing with the workforce. When we start talking about consumer identity, we are talking about the hundreds of thousands, potentially millions, that we need to handle. So that's a whole different ballgame, and we need to make sure that we understand how we are going to deal with that. And typically we are not going to do the registration ourselves anymore.
We need to be able to leverage an identity provider service that's doing that for us. When we do that, we need to make sure that the registration process matches the assurance levels that we need within our facilities. So if we're using a Google login, that's pretty low in terms of the assurance that's assigned to that registration process. So we might need to augment that with some additional authentication in order to provide access to a protected resource. We're also dealing with very much hybrid environments these days.
We're no longer dealing with just on-premise. So one of the major issues for ESL was how to bring together applications that were of a disparate nature, and indeed how we were going to accommodate that move into the cloud. So a very hybrid environment with the fluid workforce. Regulatory requirements are top and center here, particularly when we're dealing with information on members of the public. Obviously in the AsiaPac region, GDPR's not so important for us unless we actually have European identities there, but GDPR does provide us with the gold standard when it comes to privacy.
And there's two elements of GDPR that I really like. The first is the need for a data controller within our organizations. We need to make sure that we can point to somebody who's responsible for the data that we are maintaining on people. And secondly, consent. We need to make sure that we register when somebody gives consent to something and we need to register the scope of that consent. And this is very important because we're increasingly being required to accommodate a situation where somebody wants to rescind that consent.
And if we're not properly managing it, we have great difficulty in doing that. And lastly, legacy application support. It wasn't possible in the ESL project to dictate what applications could do. So that was a major part of it, wasn't it, Shane, for the project, to make sure that you could accommodate those legacy requirements?
Absolutely, Graham. In the education sector particularly, the line of business applications have a much longer lifespan than most business applications might do.
So these are often heavily customized around education requirements. And, you know, sometimes they can be quite old.
I mean, some of the applications that had to be integrated as part of this actually supported a not quite compliant version of Sheli. So they went that far back in terms of what needed to be supported. But also, most of the applications were actually some version of SAML authentication. Early on in the piece, the program had decided that their core directory of life cycle management was to be done using modern standards, so they actually decided to use OpenID Connect.
And obviously that created a problem about integrating the legacy applications in the ecosystem. They couldn't turn the applications off, they were in use in the education sector in New Zealand, and they couldn't stop educating kids, and adults that are learning as well, just because they wanted to go to a modern authentication protocol. So that certainly had to be considered.
Okay, moving on to the customer journey.
I wanted to make a point here that when we are talking about customer identity management or citizen identity management, we're talking about taking somebody on a journey and we need to be able to, at the beginning of that journey, capture some information. So the initial contact, when somebody comes into your website, we need some mechanism to collect at least an email address so that we can commence that journey.
Now, privacy legislation tells us that if the request for information does not require a person to identify themselves, we must not require them to do that. We must allow them to do that function anonymously. So it's a good idea that if we can provide some additional information to them, if we can suggest that starting that relationship with us is a good idea, and at least we can capture that email address, even if it's through a social login, we can commence the customer journey.
The next step is to then have a situation where they're actually going to register for something. So if they're coming back and actually purchasing something from us, we now will collect more information.
If it's not a purchase environment, there might be some sort of experience that we are going to provide for them, that we can start to collect additional information that will allow us to move along on that customer journey. And then finally, we need to come to a point where they've committed. Okay, so we've actually got now a relationship between that person and our organization, and that's going to be a trust based organization. So what we're talking about when we come to CIM is moving people along that path from identifying them through to trust.
So that's an important part of CIM. Specifically regarding the ESL project, we moved from a former state to the current state. The former state was such that we had these agencies, and eight of them within the education sector, within New Zealand, all had a number of applications that they were using. There were no common processes there.
And even within an agency, people had multiple account credentials to deal with. If you needed to access applications for multiple agencies, again, you would have multiple accounts that you had to deal with after 24 applications currently. And the ownership of those systems and the conditions of those systems were disparate. So we had to accommodate a disparate environment there in the former state, as we mentioned, there's 120,000 users in the current state.
Now what we've moved to is centralization of that login experience through the Education Sector Logon project. ESL is built on the Microsoft Azure AD B2C product. That was the infrastructure that was selected for that integration environment. And it now provides us a single access control environment for the sector.
And as Shane mentioned, there was a decision made to use a single identity repository for the ESL logon project. And that's the sector identity and access management directory built on for drug environment, correct? The hybrid environment is now well supported within that environment. And we have common entitlement management. So the B2C product provides the ability to establish the entitlement that a user will enjoy, what applications they will get access to. So there's a single account credential now providing access into multiple applications. In terms of the B2C task,
just three things I wanted to highlight. The first is you need to rely as much as possible on self-service functions. When we start moving into members of the public, we are talking a large number of users. It's no longer possible for us to have internal processes that record information, and let's face it, most people know how to spell their names. Most people know their address. So we remove a lot of errors if we use a self-service function there. Obviously any access is going to get properly approved.
And the self-service function will include approval workflows, but having the user do the heavy lifting, so to speak, is an important component of B2C. Secondly, we need to embrace risk based infrastructure. So increasingly we want to geofence our applications. If somebody starts to come into them from a remote IP address, we need to raise a risk level. If something's happening in a time zone,
I mean, that is not normal, we need to, again, potentially require some sort of multifactor authentication.
Thirdly, we need to use all of the governance capabilities that we have. It's no longer satisfactory to turn on an application and not properly look after, for instance, the consent management, not properly look after the entitlement controls that are available to us. We need to leverage all of those governance capabilities that we have. So a very important component of B2C. In terms of authentication models, I wanted to make one point here. The ministry decided to use a single identity provider service at this point in time.
So the agencies within the sector are all using a single SIAM environment. Increasingly in a B2C model, you need to support multiple identity providers, where there's going to be an application that's going to request service, and that authentication service must now determine which identity provider to use and will provide access to the user based on the selected IDP.
Okay, with that background, I'm gonna turn over to Shane and he's going to talk about the actual solution that UNIFY put together here.
Thank you very much, Graham. Maybe do a quick introduction to those of you that haven't met me or spoken to me before. I'm Shane. I'm the chief technology officer of UNIFY. UNIFY was actually founded in the same year as KuppingerCole, Graham.
That's very good. I noticed that earlier in your slide deck there. But we've grown to be over 65 people and we're dedicated solely to solving and managing our customers' identity, access and security challenges now. And we've got a great deal of experience across government, education, obviously, that's why we're here today, health, utilities and finance, and we've got customers around the globe.
In fact, we've got customers who are global. So anyway, you're not here to listen to a sales job for UNIFY. So I'll get onto the meat of the webinar.
Now, we first got involved with the Ministry of Education in this project when they needed to map out the requirements of dealing with the legacy applications. They're in flight building SIAM, you know, and SIAM's a fantastic solution, but it didn't really address the legacy issues that they have.
And, you know, we were asked to look at these particular characteristics, you know, it had to be, you know, they wanted to focus on user experience rather than the system operation or the technology requirements, the system wasn't supposed to impose artificial constraints or provide unexpected functionality. The privacy must be by design and the user data would have to be protected with built in controls rather than system extensions. And the system had to support the collaborative use of identity data between participants.
The holistic approach was required to ensure that the solution wasn't focused just on the Ministry of Education. It had to deal with multiple agencies within the sector, and with a view of integrating potentially the whole of government and all of the citizens of New Zealand as well. The technology platform must be current and would be able to provide a high level of security without going overboard and having to invest too much effort into doing that. It had to be interoperable between the applications and enhance the cross system operation. And it had to be future proof.
That was a big one because the system that was replaced was kind of stuck. It was stuck in extended support period for the operating platform, and the access management solution was out of service as well. So they wanted to make sure they weren't gonna get stuck in that situation again. And it also had to provide governance features. Now, as Graham mentioned earlier on in the piece, the European Identity and Cloud Conference,
I highly recommend this conference, but the reason I bring that up again is a couple of years ago, Microsoft announced the private preview features of Azure Active Directory B2C, which lifted my view of what the platform was capable of. And unfortunately at the time it was under NDA, so we couldn't actually do much with it without permission from Microsoft. But when myself and my team analyzed them, we felt that this had the underpinnings to provide a whole-of-country identity and access management solution for access for the citizens.
So, and I was actually at the European identity conference two years ago, and I bumped into Kim Cameron at the, at the Microsoft booth there. I said, Kim, this stuff that you're working on looks fantastic. It looks like you'll be able to do a whole, whole nation, the whole nation citizen identity of on me. He looked at me like I told him some sort of secret I wasn't supposed to know because that's actually what they were doing at the time. Yeah.
So, and do you think that's going to be important for the ministry going forward? I think it is. I think that's very important, you know, when we, well, I'll get into how this actually addresses these things in, in the next slide.
In fact, we might move to the next slide now, cause it's actually talking about that. But the, the characteristics of it mean that you can deal with that kind of scale, right. But you don't have to do anything.
The, because the solution is policy driven. It's a focus on, on what the user journey is through the authentication through to actually accessing the application without a focus, without the customer, having to focus on what the technology set is of what it's doing like that that's mapped out from the policy set into the technology delivery of it without you having to do too much planning around infrastructure.
And because it's a hyperscale platform as a service built on top of the Azure Active Directory platform, which does billions of authentications in some stupidly small time period that I can't remember right now, but you know, it's used to scaling up to huge scale authentications. This platform's built on that, and it's able to scale on demand. At the time this hadn't been done yet. They had actually had one of their test customers was Real Madrid, but it was actually the customer identity and access management platform behind the FIFA World Cup, which is a pretty large band.
And it was able to cope with that load without FIFA having to do any planning about it. So the ministry was pretty confident that it can handle their requirement. Yeah. They're very confident that if you can handle a FIFA World Cup, as much as I like New Zealand, the FIFA World Cup's probably a bigger event than New Zealand could probably conjure up. Maybe the Rugby World Cup, maybe. We're Australians. We don't talk about the blokes in any case. Yeah.
That, that meant they didn't have to worry about that. And I didn't also didn't have to worry about the infrastructure. So not having to worry about the infrastructure, met the requirements of, of not having to delve too deep into it. And of course, because it's a global service and, you know, Microsoft, you got all the certifications for it and they invest a lot in the security analysis of the platform.
It, it took a lot of the learnings from Azure active directory and the huge investment that they've got into securing the platform, which meant that the ministry can leverage that security analysis as security analysis and application of it without having to lift a finger. Like you say, future proof. Yeah. It's it's future proof. And of course, it's got all the other capabilities there. There's global, global failover.
I mean, you don't need to plan multiple data centers. For those of you who aren't that familiar with New Zealand, New Zealand has a tendency to have events that cause outages in services. It has a lot of earthquakes, you know, so there's often, with services being delivered to citizens, that need to carefully plan failover, particularly if the things are being hosted within New Zealand. Yeah. With this sort of service, they didn't need to do that.
Now the service actually isn't in New Zealand. It is a global service, which is in a number of Azure regions. Azure's not in New Zealand; Australia is the closest location, but it even has failover between regions in Australia. So the traffic is routed to the closest center based on an algorithm based on distance, load on the different servers, etcetera. But the vast majority of the traffic actually does go through Australia. And that said, the charge or the licensing model was very attractive too, because you don't have to pay to reserve this service.
You pay fractions of a cent per authentication that goes through the service. So unfortunately, Stuart not being on the call, I'm not sure if I'm limited to say exactly what they do pay. I better not, 'cause I don't wanna be in his bad books, but it's almost insignificant, the amount that has to be paid to get this quality of service out of it.
And it gives them a bit of surety that as they look to expand the scope of the service, that they know what to expect in terms of the future proofing of this, its reliability and how much it's likely to cost them. And that's a linear thing, the bigger you get. It's not gonna explode in cost because all of a sudden you have to have a plan for extra load.
I mean, it's all taken care of within that, that rate. And of course, you know, it's evergreen as well, which was, there's no lock to current version of it. Right? Yep. Now that said there was still a fair amount of work to do to, to operationalize the service for that. You can't just take a platform as a service offering and turn it into something operational. There's still a lot of work that has to be done. And we are very fortunate that we had a very good relationship with, with the ministry.
And we were able to, to build some, build some IP, which we now have offer offered to the market in general and that IP that we actually call unified vantage. Now what this is, is it's an operated model on top of, on top of the cloud service. So it might say, oh, the cloud operates anyway. But that where that we are able to add value on this is that we're able to take the function, the technical function and operate that in a way to business service level agreements. So we do a translation between the technical outcomes and the service levels.
You get there and provide that to, to the agent or to the ministry as a business, SI you know, the users in your system will be able to access things, these applications at that layer and this IP that we generated with the different layers and that reference architecture we've we're now showing allows us to translate them and work on the stack. So, you know, essentially it's a managed identity service as a service. We can act as a license operator, but the customers can bring their own licensing as well. And we've got a number of different cloud platforms that we can operate on.
But I think what's probably more interesting is the way that we had to build a fast delivery methodology because of the number of changes that had to be and the number of applications, you know, I think there's a lot of environments here. There were actually, I lost count of how many environments.
I mean, there's three environments in this. Now there's a shared test or development environment where changes are tested. And then there's a test or user acceptance test environment and there's a production environment. Now from an operational perspective, the user acceptance testing environment is actually a live and production environment, because that's actually where the agencies within the education sector of New Zealand do their user acceptance testing. So in order for them to do the life cycle of their applications, they need an operational production system to work against.
But obviously it couldn't be the actual real production service. So, so there's really two production environments from, from our perspective, in any case, we needed to rapidly move that.
I mean, you know, we, you said there's about 26 applications. I always think 30 in my head just like around numbers. But out of those applications, there's a number of iterations through many different environments.
And, you know, we got up into the hundreds of the number of applications and we had to connect through the different systems. And we believed that using DevOps methodology, or continuous integration, continuous deployment with test driven, was a way to accelerate the integration of these applications, but also ensure the quality. You know, we start by obviously we plan, but we plan what the acceptance criteria is. We build the tests, we show the tests don't work, and then when we get the test reports, as it don't work, then we go make it work.
But that means that whenever we make a change in any environment, we do that in a lower, a lower environment, get the test report, make sure that it works as expected and that there's no regression. And then we approve it and the build, and it goes into the next environment where the same exact same set of tests are executed By the, by the, the, the agencies themselves.
No, these tests are automated. Oh, okay. So there is actually user acceptance testing in the user acceptance testing environment, cuz not everything can be automated.
You can't, it's very hard to automate users. You can pretend to be a user, but it's pretty hard to automate what users actually do. Yep. So before it's, before it goes into forest promoted product, you will complete that user acceptance. That's correct. So we will do the test. We'll do the automated test report, provide that execute. That is acceptance testing. Hopefully it passes. It usually does you get, but if it doesn't, you go back through the cycles again, but if it does, then you press, you press, you press the button to approve it. And it goes into production. Gotcha.
And in, in production, the same tests that we run on, those things we run again. And as the verification testing, the production actually works the same way as the other environment. So How frequently are those tests run in?
Well, it's run on deploy obviously, but I, I think it's about once an hour, we execute the same test and production and they emulate an entire user journey. So they're not just making sure that the authentication endpoints work. They make sure that the journey that, you know, like a user using a browser, we actually use selenium for it, that they actually can hit the website, go and get redirected to our page, sign in with their account details and actually get into the application. And the correct claims are actually sent through to, from, from the identity platform to it.
There it is as expected so well, that actually is on, that brings me to unify operate once it's in, once it's in production, it's actually what we call unify operate. Now those tests are still being executed and they're directly driven into our I framework for incident management. So if any, one of those automated tests fails that are automatically creates a case force and starts the SLA to go and resolve it. And as a consequence, but we haven't had terribly many issues with the directory OFC, that's been pretty reliable, but things happen in environments.
And you know, we've been able to pick up on a couple of things that would've prevented users from using applications pretty quickly and they're resolved before anyone even noticed. Right. We also take all the telemetry out of that and, and push that into unified monitor. Now unified monitor is basically an operational intelligence platform where we do take all the telemetry and we get alerts and reports out of it.
And even though there is that security analytics that's driving the security layer of Azure, there's still events that you need to be aware of. There was an event a while ago, where at a strange time of the day, there was a high number of people logging in from China, which, when they did the analysis, actually ended up to be expected. But they were very grateful to know that that was actually being picked up by the service.
And obviously, because this is a standard offering service, we're also continually improving the delivery of it. So, for example, on unified monitor, there's a roadmap to leverage artificial intelligence, which I did notice was on your diagram about business value.
You know, I think as long as we get the privacy constraints right, artificial intelligence can deliver great value in the field of identity and access management. Okay. And in terms of the actually knowing what's happening first, you would be able to know, for instance, if an application had gone down and was no longer available, you would identify that? Yes. Quickly. Yes.
Obviously, one of the things I'm thinking of for artificial intelligence is, are there any signs that they're about to go down? Okay.
So can we do something before the event actually happens? Okay. Yeah.
So by, for instance, determining that there was a very slow response time happening? Yeah, absolutely. And we would actually feed the incident management stuff into the artificial intelligence. Gotcha. Yeah. So it might be able to make correlations between that information and the telemetry that it got before that.
And, you know, most people would like to head off a P1 incident as they could. Absolutely.
Now, obviously Graham said that art started saying, you know, well, I'd like to congratulate the ministry too. They deserve their award for public sector project of the year. And you know, it was a very successful project, you know, and proud of everyone involved. And it was a fantastic outcome. There's always lessons. And I think even the best projects you have have lessons. And I was personally involved on the escalation committee for stuff.
So I think some things might have got dealt with in a project lab, but from my involvement, these are the things which we saw as things that we learned not to do next time. So for organizations that are used to running their own infrastructure, it is a relief to not have to, but you do have people whose jobs it is to look after that infrastructure and their roles are gonna change. And obviously their expectations will have to change on what they can and can't do.
If they're using platform as a service or software as a service or even infrastructure as a service, you've got less control than what you did before. And obviously there's trade-offs involved in that.
So, you know, when you are aligning those expectations, it's good to be clear about what your objectives are when you do this. Without those clear objectives you could, well, I'm thinking of one of my cats running around chasing its own tail.
So it's not productive if you are trying to over-optimize something which is completely out of your control. Well, that's never productive, but these things that used to be in your control aren't anymore. We got a good test out.
We actually worked very closely with Microsoft on this. You know, I said that this was public, sorry, private preview when we first started. And we actually got commitment from Microsoft that the engineering team from Redmond would back us on this project because it aligned with some of the objectives that they saw for the platform.
And yeah, we continue to build a strong relationship with that group. In fact, no, I probably shouldn't mention that. I dunno whether it's supposed to be mentioned that relationship was yeah. The relationship. Yeah.
It's more formalized recently. Had some great time at Las Vegas recently for the Inspire conference. But it was important for the success of the project, that support you had. Absolutely. But I did test some of the escalation procedures and comms, you know, most organizations aren't great at disseminating every piece of information that needs to be known to everyone. Yeah. Microsoft is an especially large organization and they do a pretty good job of it under circumstances.
But, you know, given the nature of the project and what we were trying to achieve, there were some special compensation or compensation, but there was some special arrangements made for support. Yeah. Which could have been, had a little bit better. Maybe there was no note the right notes on there, but, you know, everything worked out. And I think Microsoft had a good test of some of the support procedures around that. We did learn that DevOps does really accelerate the outcomes and we kind of put it in as a necessity.
But the thing that we learned is, well, this is, I mean, I'm a software engineer by trade and DevOps was mentioned at EIC. So the latest one as one of the trends in identity access management, I thought, oh great, I'm already investing in this.
So, you know, it's good that people are thinking that, it might be a bit of a winner, but as a software engineer, as my background, of course, I can see how that accelerates outcomes in software development. But the same principles can accelerate outcomes in different fields of information technology. It's very hard to get people to clearly articulate exactly what their requirements are up front and be able to hold to that right through to the end of a project.
So you tend to get, with faster feedback loops, much closer to what the customer really wants and expects, rather than what they can articulate up front. So that was a fantastic innovation that came from the project.
And, you know, it's proven to be very good in terms of that our service delivery stack unified advantage, you know, that's, what's only new on the marketplace, but there's already been a lot of attention and we're, you know, negotiating some very big opportunities through that one at the moment on the basis of that IP that we've built. So that's fantastic.
And the other thing we learned, I mean, this is part of the DevOps anyway, is that by integrating your testing into your delivery pipeline and automating it, the quality of your outcomes increases. There's no chance of regression occurring. If it's something that you test automatically, your test report's gonna tell you if it's regressed and it doesn't make it into production, which is, you know, that's exactly what's needed. The last thing you want is something which did work to stop working. Exactly. Yeah. And there is always a chance.
I mean, everyone's used evergreen solutions, there's always a chance something changes on you. It's hard to foresee every permutation of everything. So it's much better to get warning of these things much, much earlier, which the continuous testing and monitoring would give you.
Now, we haven't really had any circumstance with that on the platform. And I don't expect to, but you know, there could be things that we could regress through our policies or some of the associated function that we've got that got forth the system. So that's pretty much it.
I mean, yeah, there's a fantastic project. And as I said, proud to be involved in it. Excellent.
Well, look, thanks very much for the description of what happened there. And the learnings I think are critical.
So what I took away from that is being able to communicate throughout the project, and here you had, correct me if I'm wrong, a number of communities. You had your DevOps community, obviously you had your project management community, you had the user community. And I suppose that was also quite fragmented because they were interested in their own applications, not necessarily everybody else's applications. Correct. So maintaining the communication across those various communities, what sort of things did you do that?
Oh, we had to keep regular cadence on them. So I might move off that side, go to that, but people can start asking questions and yes, we've got a couple here already, so yeah. Regular communication.
As you said, we were dealing with the education sector, not just the Ministry of Education. So there was architects from a, you know, enterprise like architect program, a number of different agencies that wanted to know what was going on, had to be in regular communication with them and often run the change management through them so that they can understand what was going on with changes to it. And a lot of them were going through the same moving from on-premises and infrastructure to platform as a service.
So they were making a lot of those learnings. Was somebody as well assigned to change management? Yes, there was. Yeah.
Okay, good. Okay. We've got a couple of questions here, please. If you got additional questions, enter them into the questions section of your control panel. The first one is, does ESL use MFA? In the current environment, are you using any second factor authentication?
No, there isn't. At this time, obviously the platform can do that out of the box, you know, and the authentication is being done against sign, which is also capable of it. But at this point they weren't doing it in the old system, so they wanted to have as minimal user changes as possible. So I believe it's being looked at in the future. Do you see that some applications, well, is there support for applications at different level of authentication assurance a requirement?
Like, are there gonna be some sensitive applications that might indeed need that second factor? Yes. Yeah. Okay. Well obviously when you're dealing with a whole country's education sector, you're dealing with children primarily, and there's a lot of rules about who can see what about them. Okay. And I had a question in that space.
So moving forward, I mean, New Zealand's done a lot of work with dealing with the public and registering people through RealMe, for instance. Do you see, like, I mean, education, the Ministry of Education probably is the most difficult identity and access management from a public point of view. Because you've got parents, you've got guardians, you've got accessing sensitive information. Do you see that being a future for the ESL platform? I do. It's probably, I'd say probably that.
And social services are the two hardest to do, particularly it's around children primarily because the power of attorney over children doesn't necessarily sit just with the natural parents. Right. So there is a very complex relationship and have been caught up with Colomo and the Kantara Initiative at the last European Identity Conference. And unifyer actually are a member of Kantara. There's very interesting work being done in that place of how to map legislative regulatory and contractual relationships between organizations. And that's been doing a good job. Yeah. Been mapped onto the Ima two.
And, you know, I do see that as a future for this. Yeah. I think to prevent potential embarrassment. It could be, yeah. Another question here. Did you use agile? Maybe they're referring back to the Project Management Institute award. Was it a waterfall approach or did you use a very much an agile approach in project management? Yeah. It was agile, worked off backlogs and yeah, it wasn't time sprint based necessarily.
I mean, we had time boxed delivery for, you know, there was compelling events that we had, which meant there were deadlines. Yeah. So there were flurries of activities sometimes trying to get to the deadline as always happens, but we didn't work on a sprint basis with time boxing everything.
So it was, it was pretty agile in nature. If that was, that's probably the best description of what the project was. Yes. And by necessity Really? Yes. By necessity, You mentioned In case too many stakeholders to Didn't understand their requirements absolutely. Work through. Yeah. Okay. Last question here. Why B2C? Not B2B.
Ah, you mean Azure Active Directory B2B? I think that's what that mean. That's a very good question. And it actually comes down to being a pretty technical nature.
Of the capabilities of the platform, you know, when you think about what they're named, it makes sense that B2B, we're talking about access to Ministry of Education's business partners with other in the current. Yes. Correct. In the future, in the schools cloud, it might be different. But yeah. So the primary reason for that is the component of Active Directory B2C that was actually used to build a policy set isn't available on B2B. That's called the Identity Experience Framework.
Now it would make sense to me that if on some roadmap in Microsoft they're converging these things, right. Because the B2B doesn't give you much granular control over the attribute sets that get imported. It basically imports the attribute set from the Azure Active Directory tenancy that you are inviting them from, or they have to self register with those things. But if you want to do attribute verification or multipart registration of people or specific consent roles, then, yeah, B2C is much better suited for that. Okay. Okay.
Well, look, our time is gone. Really appreciate you giving us that background information on ESL and we'll be keenly watching how that moves forward in the future. So thank you very much. And thank you for inviting me. Just one comment for the participants: do make sure that you go on the website and pick up the case study on ESL. That should be available on your browsers within 24 hours. Thank you again for your attendance. I trust it has been a useful event for you and please let us know if there's any additional information that you would like. Thank you.