Hello and welcome to today's webinar. Our topic today is "there's no successful digital transformation without strong identity management". I'm John Tolbert. I'm a lead analyst here at KuppingerCole and I'm joined today by Asif Savvas, senior VP from Simeio.
Thanks, John. Pleased to be here with you today for this.
Great, a little bit about the webinar: we're controlling the audio. There's no need to mute or unmute yourself. We will be recording the webinar, and both the recording and slides that you'll see today will be available in the next day or so. And we'll do a Q&A session at the end. And anytime during our presentations, feel free to enter your questions into the question blank over on the side in the GoToWebinar control panel. So I will start off and talk about identity fabrics and digital transformation.
Then talk about fraud, fraud reduction, and how that ties into identity fabrics. And then I will turn it over to Asif, and we'll take your questions at the end.
So digital transformation and consumer identity, digital transformation, something that we have been hearing a lot about the last couple of years, it's a very important concept. It's something that's driving business change at many different levels, and there are lots of different technologies that pertain to as well.
Digital transformation really is a new mode of doing business that most, every organization has to embrace in order to be successful these days, you know, and with additional opportunities that are presented through digital transformation, there are additional risks.
And, you know, we see evidence of digital transformation in various aspects of our lives, both at home with, you know, consumer IoT products, as well as in the office or in the factory or in, in cities, you know, smart cities, smart manufacturing, lots of different instances of, and it takes the form of things like sensors and, and, you know, different devices that we've all become accustomed to. But you know, this is about offering agility and flexibility and really the key to all of it, as we'll see, is having a good, strong notion of digital identity.
So what does it mean for us? More users. First of all, you know, in the olden days, we can say that, you know, organizations probably worried about onboarding their employees and having their employees in their IAM systems, but you know, over the last couple of decades, we've seen a growth in, you know, adding partners, adding suppliers, and your B2B customers are often inside your IAM systems to some degree, consumers for consumer-facing businesses, IoT devices, bring your own identity and bring your own devices.
And in order to meet the challenges of digital transformation, we have to offer more services, more software, which means more infrastructure, both on premise and in the cloud. And of course this means even more data, not just employee and HR data and your intellectual property and financials, but information about your customers and even information that they may own so that you have to protect that as well.
And with all these additional factors of users, services and data comes more responsibility, and this is where we see things like the principle of least privilege really ruling the day, hopefully separation of duties, governance, things like this are necessary for ensuring compliance with various regulations and security policies.
So how and why are consumer identities a key for digital transformation?
You know, identity on the employee side was always necessary for things like access control, but you know, personalization, marketing opportunities. These are all tied to consumer identity today, and this is affecting just about every industry across every region of the globe and imperative within that is the need to provide good pain-free online experiences.
And this starts with registration processes, you know, registration, identity vetting, which we'll talk a lot more about later, authentication, making it sort of the right size authentication assurance level, but also doing it such that it's easy for your consumers to deal with. And lastly, authorization and access control. But CIAM is bigger than just security. Like I said, it has to do with marketing and increasing sales and revenue opportunities. And in order to do this, protection of those consumer identity accounts is essential. Sure, identity fabrics for CIAM, identity fabrics.
Our thing is a concept and an architecture, which we've been talking about here in KuppingerCole, enables I think a lot of different aspects of improvements to consumer identity. It is an architecture. It is service oriented. We've been, you know, in the IT space talking about service-oriented architecture for, for many years now. And I think identity fabrics is sort of an instantiation of that, where the notion is to define very discrete and modular services to address specific use cases and functions.
And, and again, deliver those as services, whether it be from the cloud or on-premise systems, and this makes it easier to upgrade particular services. You know, a lot of, a lot of times we see advancements in authentication, you know, new authenticators that come out and organizations want to be able to offer that, you know, quite nimbly. But if you have to do a rip and replace of your whole IAM stack to do that, then that becomes burdensome. Identity fabrics are all about identity API platforms. You know, many IAM and CIAM vendors are offering their products with exposed APIs.
And this allows not only applications to get access to, say, data that's residing inside the IAM system, but also for, you know, additional management interfaces to be built into that. And then also interoperability with different security, some systems.
And again, if you deduplicate and modularize each of the services that your IAM system's exposing, you can actually reduce your overall complexity by allowing, you know, flexibility to upgrade and change things as needed.
So, to look back, you know, what are the differences between legacy IAM management and a more modern identity fabric?
You know, we've had silos of user data. It was all typically managed through a GUI by administrators. Sometimes it can be difficult to interface different applications, but, you know, as many standards have been developed since, some of the data models could be somewhat inflexible.
I mean, everybody's been using LDAP for many years, but there were other user data repository formats that are better suited for other kinds of use cases. And this I think is helped by identity API platforms and the identity fabric model.
Again, you can have more discrete authentication, registration, authorization processes, and you can use different formats. You can sort of unify all the different user data repositories that you have in an organization. And this is, I think, key to a really good CIAM deployment these days.
However, it is targeted more at developers than administrators. And this is something that I think can be a beneficial change for many organizations as well.
It is a three-dimensional architecture. Again, it's about services and exposing services through APIs, allowing access securely to the various constituent backend processes to make this happen. It's really, we've seen a big shift to the use of containers and microservices, and there's a lot of advantages I think, to containerizing and using microservices.
Again, it allows you to deal with one, one set of functions at a time within your IAM stack rather than needing to make changes across the board. And then lastly, you can put up logical rather than physical boundaries.
Again, you can have multiple data sources, but you can define different views. Virtual directories, think about virtual directories there and how, you know, multiple views of data across many different repositories can allow for security improvements as well as opening up to different kinds of applications.
So here is what we think of as the identity fabric for CIAM and then other; it's a kind of a busy chart, but let's focus on the middle of the, the different capabilities that get exposed through services. And then the technical architecture that backs that up.
You know, the capabilities that we see that we need within CIAM range from things like single sign-on, identity vetting, registration, consent management, different kinds of fraud and device intelligence. Each of these can be exposed through services that are instantiated as microservices, you know, irrespective of what the background, where they're, where they happen to reside.
But, you know, using standard protocols, things like JWT, OAuth, SAML, and these again, can, can live either in your local data center, private cloud, public cloud. And this is the way to build integrations with, let's say your, your legacy applications as well as new digital services that you need.
Good. So this I believe will help us deal with one of the biggest problems that we've got today across multiple industries.
Fraud. Cybercrime is unfortunately a growth industry. The latest revisions to estimates indicate that by 2025 cybercrime will drain about 10 and a half trillion dollars from the global economy.
And, you know, really almost every industry is a target. I mean, we've seen, especially as a result of COVID things like retail, healthcare and government to citizen interactions being highly targeted by different kinds of fraudsters, but all the other industries are haven't historically been dealing with this as well. Telecom of course banks and any financial institution.
I wanted to talk mostly about two major fraud types today, new account fraud sometimes called synthetic or account opening fraud and account takeover fraud. We'll dive into those right now.
So account takeover is just what it sounds like. How do bad guys accomplish this? Generally through phishing, which is probably the biggest vector still, you know, crafting emails that are designed to get users' attention and make them inadvertently install malware or redirect them to a link that is malicious.
There's still things like drive-by downloads that happen; SIM swaps, you know, gaining access to a mobile device; forms of malware like keyloggers and rootkits, giving total control over a user's endpoint; spyware can steal identity information from cookies; credential stuffing attacks can use compromised credentials from the dark web, and then essentially spray that out, hoping that the users have used the same username, password combination on multiple sites.
And then there's still brute force password guessing.
Again, a lot of this comes from previously published data breaches. It can be used for financial fraud, trying to take over accounts at banks and, and other financial institutions, you know, like pension accounts or 401ks, insurance, rewards programs of any kind, anything that's easily convertible into money. I believe multifactor and risk adaptive authentication is the best way to reduce the risk of account takeover fraud. And ideally it's powered by good fraud and threat intelligence.
And of course the old advice of don't reuse passwords and don't use the knowledge based authentication or security questions for account recovery still holds.
Then we have new account fraud. This is sort of using information about somebody to construct an account. A lot of the information may include things like email addresses, phone numbers, name, physical address, sources of this can be healthcare records, government records, school employment.
These are often used for things like the financial fraud, but in many cases, mule accounts to move money between other fraudulent activity and something that's more liquid credit cards can be generated from the same thing, lines of credit. They can use this information to sort of the identity theft thing. And why would they put all this extra effort into it?
I mean, it is harder to do this than simply take over someone's account. It's often more lucrative for the fraudster to do this. It can be used more than once, generally before it can be detected. Some of the top mitigations here about intelligence and management, identity vetting, and then credit freezes, but those require action on the part of the consumer. And then they can also actually cost money as well. Okay.
So what do businesses do?
I think there are, you know, I've identified six major fraud reduction techniques, of which identity proofing and vetting, I think, is number one here to look at; credential intelligence, you know, where have credentials been used elsewhere for fraudulent activity; device intelligence, information about endpoints and mobile devices and whether or not they've been used to build fraudulent accounts; user behavioral analysis; behavioral, or passive, biometrics; and then bot intelligence and management. Yeah, I'm going to look at identity proofing in detail here.
This is validating a person against their authoritative documents, generally things like driver's licenses or national IDs or passports. There's a biometric aspect to this.
You know, being able to compare the pictures on the authoritative documents. This helps businesses, particularly financial businesses, to comply with anti money laundering laws and know your customer initiatives. And they serve to increase overall identity assurance. Credential intelligence. This is again looking at whether or not a credential has been used for some sort of fraudulent activity elsewhere. Many CIAM providers and identity providers use information within their own network.
There are also third-party feeds of this information and this should be used in real time for risk analysis for any and all log on and transactions.
So the top measures for preventing new account fraud, you know, we have to safeguard our own information, but in reality, this is often out of our control. Many organizations have information, the basic things about email address, physical address, and we don't have as much control over that as maybe we would like. There are identity theft monitoring services.
There are identity vetting services, remote identity vetting services, such as those that may use a mobile device to do mobile biometric picture matching, which should include liveness detection, and then credential intelligence. Having fresh information about where credentials have been used, if they have been used recently for fraud, is an important factor for deciding whether or not you want to let a transaction go forward.
Same thing with the device intelligence: it's useful to know a history of, or the devices of menus. Is a SIM swap suspected? Has the device been used to create other fraudulent accounts? And then bot intelligence.
Is it a legitimate user is possibly a bot isn't influenced by and then risk adaptive and continuous authentication is a, as I said earlier, the top method for reducing account takeover attacks, risk adaptive over the course of time, I think builds a continuous authentication.
It's a risk analysis that involves looking at different user attributes and behavioral analysis, plus device intelligence, plus environmental attributes, which include things like, you know, where, where does the request originate time and day? Does it make sense that a user would be trying to do this transaction and in factoring that in, at every step along the way.
So to summarize digital transformation is, is here. We have to embrace it.
We need to constantly be preparing and adapting because we, we see changes coming down the pike as more and more things get digitized, new technologies that businesses and other organizations have to be able to deal with and offer. Identity fabrics are a good way to facilitate this digital transformation, again, by dividing up all the different core functions and presenting them as services, you know, in the form of microservices and APIs. This can help increase resilience and scalability.
And many of these services such as fraud and risk intelligence and identity proofing can be made available as a service within an overall identity fabric. These can help us deal with fraud. It's not going to go away. It's only going to get worse. As we've seen, the, the projected numbers are going to be much higher in the next five years. So I think fraud reduction intelligence platforms are a key part of CIAM deployments going forward.
And again, those can be created and consumed as services within an identity fabric. And then identity proofing really is a key element for fraud reduction. Identity providers and CIAM solution providers will increasingly add capabilities to their own platforms as well as make it so that it's easy for customers to add on those capabilities at registration time. So with that, I'd like to turn it over to Asif. So thank you. Thank you.
Thank you, John. And thanks for everyone listening in today.
You know, John gave us a great insight in terms of, you know, the digital transformation and how identity fabrics can enable the transformation in, in, in my area of the presentation today, we don't want to talk about, you know, where we are seeing some of this transformation happen and how an identity fabric has enabled some of this digital transformation for our customers, as well as look at one specific customer where, you know, we recently enabled a digital transformation exercise and where fabrics compliment that, that Simeio provide slowly enabled that for, for, for that specific organization.
So it should look at digital transformation, right? I think, you know, every industry is going through transformation. If we look at the healthcare space, you know, a lot of the healthcare industry is moving towards is moving towards virtual consultations and being able to access that digital health information via, via any device.
And then being able to share that through a consent framework. If you look at governments, governments that we work with are looking to deliver citizen services in a G2C model for their constituents and their citizens.
Be it from the perspective of benefits delivery or licensing for businesses and so on. So there's a lot of consultation, even with the government looking to modernize the way they do business and the whole thing that area around, you know, be it a digital bank or traditional credit union in today's day and age are not able to onboard customers in a typical retail context. A lot of these businesses that are moving to a full digital bank, but they do not have retail locations anymore.
So how do you ensure the individual that you're working with across that on the other side is who they claim to be?
How do you identify them from a, from a anti money laundering perspective and truly going through your, your KYC processes that they would traditionally do in, in, in a, in a, in a physical manner and making it digital at the same time with all the privacy and regulatory mandates based on the jurisdiction that they operate at. Right.
And if you look at retail, you know, we've seen a lot of transformation in retail as well in today's day and age, where, you know, the COVID has really changed the way some of the retailers have to do business. You know, the large, big box retailers have always had a digital storefront, but the more midsize and smaller organizations need to find avenues to have a digital storefront, to be able to make their SKUs and products available via other distro platforms, to be able to sell their services and their goods.
If you look at the telecom and media space, we are seeing traditional telcos who offer mobile, home phone and internet services, looking to transform and add IoT as a capability in terms of offering smart home services for their customers, right? So they are going through an evolution and a plastination in terms of the services and products they offer. And why did they get into new business areas?
They're looking to, they have to adopt a more modern service delivery model and, and the frameworks that come around it, the travel and hospitality industry has been, you know, one of the innovators, you know, even over the past decade, they've had great loyalty programs have been really early to adopt a lot of digital transformation, but even there are now going through a further transformation in terms of how do you now do some identity verification and proofing before the customer comes to your, to your kiosk or before the customer goes to that gate before they can board that aircraft or, or that train that they've got the necessary vaccinations already in place and all their information is up to date.
And how do you secure that and ensure that the, the, the privacy of that individual is still is still maintained. How do you secure that data and how do you get rid of it when you're no longer needed or needed for your business purposes? Right. So why all this digital transformation is happening. The key business goals are that we are seeing from, from our customers. We need identity to now be an enabler for the business case that our customers are, are, are looking to achieve. And we don't want identity to be an inhibitor, right?
So if you look at the digital transformation, whether it be a move to the cloud or delivery of more modern services online, and based on any device in any place or wherever you are, some of the ways to authenticate, verify authorized users and transactions, you know, customers feel that their legacy identity tools are not to, to, to deliver those capabilities, right?
So why the digital transformation is happening, the, the, the, the security and risk requirements that John talked about, the various fraud teams and the various threats that are out there have not reduced, they've only increased, right? So now why we roll out new ways of consumption for, for our products and services, the adoption of an identity security and a privacy framework needs to be inherent within the services that we are rolling out so that they are not, they're not open to, to being compromised, right?
And once the services are delivered, we need to be able to monitor them, report on them through a robust operational framework that can prove compliance to both the various jurisdictional or, or legislative mandates that are out there as well as both our internal privacy and audit teams. Right? So if you look at identity being an enabler for the digital transformation, you as view is that a fabric and identity fabric is, is, is going to be instrumental in that service delivery model.
Right?
So if you look at, you know, the challenges faced, there are a whole gamut of tools that address various identity use cases today. And as customers are looking to, to, to roll out business services, they are challenged with going to multiple tools to, to provide various use cases. If you look at user registration and user onboarding, they have to work with a set of identity government stores.
If you look at authentication and authorizing authenticating a user, and then authorizations at that transactional level, be it, you know, is this individual really allowed to perform this amount of transactions on a daily basis, right? They have to work with a separate set of tools just in that access management umbrella. If you look at proofing services, that is again, a set of tools that they need to work with.
So the, the, the digital transformation with, with these application developers and the application teams are to look at it in the concept and the construct of services that are now being exposed.
Via various, you know, to an omnichannel format, those service owners or application owners are challenged with, you know, enabling their applications for various identity use cases by integrating with native underlying tools.
This, this process we find is really cumbersome for the user communities for that, that are focused on delivering quick time to value and, and, and taking these services live. That's where the fabric layer comes in, which includes not only, you know, service based architecture, I think a service base or a service catalog is something that we've been really used to in, in the IT world.
So it's, it's time for the identity world to now embrace this whole service oriented architecture or design where the identity services are now encapsulated within various microservices, right? The microservices can interface with the underlying technology and tools that are behind the scenes and offer the application one standard API for API model and format for, for user onboarding or for identity proofing, or for authenticating a user all within a catalog of services.
That's based on the same API construct. So it's no longer integrating with this tool does API a certain way, this, another tool does things another way.
So they have one enterprise standard for enabling identity services for their applications, right? And then they are provided with that orchestration capability where they can pick and choose already approved enterprise policies for when a user should be authenticated, when should go through a stronger authentication mechanics, when a user should be identity proofed, right? So all these policies are kind of drag and drop for their specific applications, and they're not having to develop them as they go.
And we feel this model is, is applicable for both CIAM as well as enterprise identity, right? The common identity framework can work for both customer facing identity use cases, as well as your enterprise identity use cases, both to your employee, contractor, consultant, user community, and your, you know, your end customer organize.
Some organizations have B2B partners who have just-in-time supply chain and inventory management to meet access to your enterprise assets and tools and govern access for their employees accessing and other organizations, IP systems as well.
So this is where an identity fabric really comes in and offers true time value in terms of both agility, as well as ease of integration. That's where we feel a number of enterprises have been challenged based on our experience working within the market and the whole aspect of some services running on premise, some services, you know, when we talk about services, this pertains to both your identity tools, right? Some identity tool providers are fully cloud based. Some of them are on-prem based and some of them are vendor delivered.
So the end application owner does not need to worry about where the identity product or platform sits; they're integrating with the service and the same goes for their application as well.
Some of these applications or services are, are on-prem, and some of them are, are delivered via the cloud. So where the application sits is no longer a part of the part of the conversation, it it's truly service-based available for integration.
So one customer where, you know, we, we, we enable, well, the digital transformation recently was, was a large health system in North America, you know, and we are still in the days of COVID. And when we look at consummation, one of the things that they really were challenged with, you know, they had a huge volume of users who needed to be tested, and they wanted to ensure that they didn't have the manpower to be calling everybody booking appointments, doing the tests, and at the same time delivering the results, right?
So they wanted to offer, you know, a purely digital approach to both booking your COVID appointments, going into a clinic or, or, or a hospital getting your testing done, and then coming back and looking for your tests also, as soon as they are available, right.
And then they were given a set of instructions. So look at the, the whole, the labs piece of it as the, as the application that needed an identity service, right? So we enable this customer with, with, with a common identity fabric, through the Simeio identity as a service delivery platform, right?
We enabled services for user registration, identity proofing, and validation, authentication, and then authorizing them to view their COVID test results. Once I want to say that avail once they were uploaded by the, by the lab, right? So multiple user communities here, which is the, the, the end solution or the patient user community, there's the user community around, around, around the number of labs and hospitals that needed to be brought into this ecosystem as well. And their identities needed to be managed.
And of course from a, from, from a public health perspective, there were reporting requirements in terms of being able to see the trends and so on, and putting that data into multiple BI systems to deliver intelligence results and data.
So all of a sudden, a hundred thousand users have had, you know, have gone red, registered and consumed, or have had their results available through the platform from start to finish from the day that the, the organization, you know, put ink on paper to say, let's go, it took us 18 days to take this customer live with this platform, right?
This is the kind of speed that an identity fabric can truly deliver, completely run on the cloud. Some of the lab systems were more on-premise installations. There's a huge change management exercise that, that, that the customer had to go through as well. And really moving, you know, from, from, from a traditional way of, of service delivery. Right?
If, if my son were to look at this, I, I would say that, you know, some of these people in line are standing too close to each other right here.
He would put his arms out and say, well, you're in my bubble, right? So I don't think, you know, this traditional way of doing things no longer applies, right?
And it's, it's all about how do we make that digital transformation possible? So people are moving from inline to an online process where it's truly a digital customer experience for how we onboard users through one unified interface, where they can consume all the services delivered by that institution to one interface, with multi-device support, being able to come in and link the various services. If they are already a consumer of their products or services, they can come in and link the other services that they can consume from that institution, if not registered for it.
And then being able to authenticate and authorize and, and managing their consent. If, if, you know, if it's a banking or a financial services institution, you can, or even a healthcare provider, you can consent to saying my spouse or significant other is viewed to book appointments on my behalf, or is able to view my health results and manage, be a part of my care circle.
Right? So that's something this customer is also looking to do, you know, or, or using a phased approach today, it's it's lab test for COVID results.
They are, they are looking to further expand this to all the other lab results that, that, that a consumer may have, and then take this to the next level with a truly consent based model, using some construct such as user managed access, where they can delegate consent to users within, within their ecosystem. And once that's delivered, or once the core service framework exists, the enterprise now has the option to really open the doors and say, Hey, application owner or service owner come in and onboard application. We already have all the microservices available, right?
You can pick and choose the service that's applicable to your application. And within each of these services, we've already defined what the enterprise policy is, or in terms of how these services should be consumed.
And based on the risk classification of your application, is it open to the internet? Is it God-sent? Does it have sensitive data within it that can compromise the privacy of our, of our users?
They can then come in and choose, choose the services and orchestrate the authentication flow, the registration flow that pertain to their specific business application that their users need to be taken to. And it's not, it's no longer an integration with each application.
It's, it's more so come in and onboard in, in mass scale, the number of applications the average enterprise has is, is 200 plus, and some largest solutions, they looked at large bites and so on, have 4,000 to 5,000 applications. Asking one application or an IAM team to go integrate all of this, and at scale, is, is, is, is an exercise that is not possible. We need to give our application owners the tools and the framework to come in and do this.
And self-serve themselves to Selena in a, in a, in a service oriented model.
And then once they have onboarded giving them the tools to go in and look at how their application is consuming these services, right, in terms of how many users are registered to their service, how many authentications are they having for their specific applications, right? How many of them are successful? How many of them are failing? What is the average transaction rate? It gives them a lot of data that they can now either look at within, within the identity fabric, or even be able to export it or integrate it into their business reporting engine. Right?
So this is how we believe at Simeio an identity fabric, or insomnia as we call it, the Simeio Identity Orchestrator, really enables digital transformation and, and adoption for identity capabilities. So over back to you, John, and I think we can take some questions.
Regarding identity API platforms, are you seeing more of a shop-around approach where best-in-class solutions can be stitched together with fabric? Yeah.
You know, that's, that's a great question and a great point. And I think it really is, is one of the main motivations for using an identity fabric.
The, the notion of being able to put together services as your organization requires, I think is a very valuable benefit. Particularly when you look at some of the discrete things that we've been talking about, like, you know, an identity proofing service, different kinds of fraud, risk intelligence, there are many different providers out there that, you know, if you're, let's say you're an organization that's quite mature and you've got you understand your use cases, then you want to assemble your own different intelligence sources. Then I think the identity fabric is, is a great way to do that.
And, you know, on the other side, there are solutions that are sort of all encompassing too. Many of the CIAM solution providers will have a lot of these kinds of functions already built into their platform.
So again, being able to tie that back and use common identity repositories and custom identity repositories as needed, but also being able to bring in new and different services to meet whatever your business requirements are. Oh. And then to be able to offer new forms of authentication when they come up. Because I still think that that is one of the areas of most innovation and new authenticators come out, you know, fairly regularly.
And being able to add that on, you know, simply as, you know, a service within your identity fabric can enable you to sort of stay ahead of the competition and, you know, be part of the digital transformation. Do you have any thoughts on that, Asif?
Absolutely.
I think, you know, the answer to, you know, digital transformation is not going out and, and ripping and replacing your existing identity investments. That's something that, you know, we are always asked by customers, you know, we need this capability, but not sure if, if our existing tool set provides that. Your tool set most likely provides 80% of the capabilities, right?
So the key is making, making those capabilities available via a common fabric layer and going out and looking for that additional 20% and, and truly assessing if that additional 20% is going to add value to your enterprise ecosystem and then procuring that additional 20% as opposed to ripping and replacing their entire existing identity investment. Right. So your fabric will give you, you know, more return on the investments that you already made into your identity ecosystem, right?
So digital transformation does not necessarily have to mean a complete new reinvestment in, in, in your identity ecosystem, right. That's, that's what a fabric really should enable.
Great. Next question is what are some key considerations when planning your roadmap for CIAM and registration? I would say, you know, well, pointing out registration is an important thing. I see a lot more emphasis on that from both the vendor and customer side today. I think that's why we're seeing a pretty significant uptick in the use of identity proofing and vetting services.
So, you know, at probably the highest level, one of the things to understand is where are you going to be operating? And if you want to use identity proofing and vetting services, many of them are highly localized or regionalized.
So looking for partners that you might want to work with and, you know, taking advantage of their APIs for identity proofing and vetting, and then being able to offer it, let's say if it is a purely CIAM use case, which social logins do you want to be able to accept, and then thinking about, you know, the jurisdictions you're operating in, in terms of consent management, what would be required for privacy, regulatory compliance. Most of the CIAM solution providers today offer, you know, the ability to white label and customize the, the look of their solution to make it, you know, sort of tailor made for every environment, but then there's also single sign-on.
And maybe what, what back end applications do you want to integrate with? I'd say those are some of the, the top things to think about for, you know, beginning planning for a CIAM roadmap, focusing on the registration part. Your, your thoughts, Asif?
Yeah. I think one of the biggest challenges that, you know, we, we found, right, John was around first understanding the user community, right?
Two, two aspects, right. One is, you know, what's the user community that, that your service is looking to address, right? And the second is what are the services that, that you're looking to deliver, right? So really prioritization of users and prioritization of applications, right?
If, if you want to look at your applications, what are the services that's going to, it's going to offer, and what are the various identity services that this application really needs, right. Does it need, it doesn't need to go through, you know, when we, when we onboard users to the service, do we need to do identity proofing?
Does this, that's the services really need dynamic authorization capability within this specific service? Are we gonna offer, do we need to, you know, I think if you look at consent, largely, you know, some players within the industry look at consent as just a check box for terms and conditions. But if you look at a to control consent framework, it's, it's being able to delegate authorizations at a more granular level to data sets, right?
Is that, is this service or application going to need that capability? So once we've done a true assessment of what, what the services that we need from an identity perspective in, in conjunction with the end users is my end user.
If it's going to be efficient this experience on my end user, right, how easy can we make it because CIAM is all about adoption.
Like, that's, that's what we found, right. We can roll out some of the greatest services, but if it's not easy to use and consumable, then the end users are not going to adopt it. So I think the key is looking at the capabilities and then looking at the end user demographic that they're going to service and then rolling out capabilities and in a manner where it's, it's consumable in a phased manner, as opposed to overloading the users with way too much. Right. It's all about, it's all about adoption is what we've seen in the, in the CIAM world.
Yup. True.
A follow-up question there, as it pertains to identity proofing, where do digital wallets fit in the picture? Well, you know, I guess it depends on the issuer of the wallet, then, you know, the, the tie-ins with identity providers and, and thinking about different financial applications. I think that identity proofing, you know, should play a pretty large part in the, the provisioning of digital wallets. Do you have any specific case studies you could point to on that?
Let's see,
You seem to construct two different concepts of identity, right? One is, let's call it, real-time identity proofing, right. Real-time identity proofing is like even the customer that we talked about has gone about the process of their identity proofing, right? At the point of onboarding to the service or the platform, you know, the user does a biometric, like a selfie, document-based authentication as well, and then onwards into the service.
And then based on, based on the regulatory framework, the organization can retain some of that data from an audit perspective and from a compliance perspective. In some cases they don't retain the data, right? So that's real time. The second construct is where the whole concept of wallets comes in, right, where the user is truly in a, in a decentralized model, the user has proved themselves. And either in their mobile device or a web-based model, they have their verified attributes or verified claims already available.
And when it comes to the point of onboarding to a service, then they share these claims to that service provider or relying party to accept, to accept claims from, from, from a digital wallet, right. We think both, we've seen both models work.
So, you know, it, it really comes down to the, the, the service provider or the enterprise, if they want to go down the model of, of wallet, or if they want to go down the model of doing their own identity proofing, similar to how they've done it in, in a traditional model of how they prove users today, do that proofing and then move on. I think there's a long ways to go with regards to, to standards for wallets emerging. I think that's been part of the challenge for, for adoption to wallets as well. I really see the large mobile phone providers kind of coming into this space.
And so I'm looking at how this industry is growing. I think that is the big, the big boys are gonna come into the wallet space and kind of start acting as wallet providers. Right.
That's, that's kind of how I see this market evolving.
Next question is can one identity fabric work for both workforce and CIAM, and are there differences in how the fabric would service workforce versus CIAM use cases? I would say, yeah. So it's kind of, one of the purposes for having an identity fabric is so that you can have one, one cohesive set of services that can meet different kinds of use cases and business challenges.
And I would just think that let's take directory for an example, you've got, you know, an internal LDAP directory that you've had in place for years for your workforce, and you can keep all the information you need about your employees in that, but in order to serve customer or consumer facing scenarios, maybe you want to use something like MongoDB or some NoSQL database to store extended consumer profile information. Both of those could be offered as a service. You have a different front end for the consumer facing side versus the employee side. It's all part of the identity fabric.
And let's say you might want to run some sort of synchronization processes or not. These things can be exposed as different services through the fabric and, and leverage what's common on the backend, in cases where it is, but also present, you know, a very different look and feel, you know, that meet the particular business challenge for that. Your thoughts?
See,
Yeah. You know, one of the things that, you know, some, you know, we, we are uniquely positioned because we operate both in the CIAM space and in the workforce Agari space. Right. And we see a lot of the use cases, you know, being, being very similar, right? We'd say 80% of the use cases for CIAM and workforce use cases are very similar, except maybe the, the flow may be all different.
And in CIAM, you may, you may be, you know, onboarding users using either other IDPs, or you may be onboarding users through a self-registration process.
And in the enterprise world, you are onboarding users through, through an HR system. The onboarding process, maybe the experience of the UI in terms of, as the data and attributes comes in is maybe in some cases entered by an HR associate, and in the CIAM world, it's entered by the end consumer themselves. Similar, you know, the, the, the process of identity registration, the concepts of federation, the concepts of user provisioning is, is, is very similar in, in, in enterprise identity and customer identity.
And one of the things that we are even the user experience aspects of customer identity are now becoming very relevant in workforce identity. Organizations can no longer get away with the aspect of, well, this is my internal workforce, you know, the identity experience can, can be ugly. That is no longer an option, right? Organizations, the businesses that we're working with, are moving towards a digital workplace type of model, right?
So we see the requirements or ease of use with functional use cases with security, privacy aspects of managing and delivering identity services to be very similar in, in both the enterprise identity and the customer identity world. So this microservices based framework for delivering identity services, and it is, and does work for, for both enterprise and customer identity use cases.
So you no longer, you can get, again, more bang for your buck by using the same, the investments that you've already made, maybe for your enterprise identity capabilities for your customer identity capabilities, and that customer identity system no longer needs to be a separate system.
Most, most identity tools provide the capabilities. And it's, it's all about how those services are consumed by customer facing applications versus employee facing applications.
Okay. There's one final question. I think I'll just take a quick shot at answering it. As an organization, how can I plan to introduce consent management as part of my CIAM solution offering?
You know, that's, that's a topic we could talk about for days probably it's quite complex consent management, I think, oh, let's just tie it to the previous conversation about registration. I think consent management obviously starts at registration.
You know, what attributes, what, what authorities do you want to be able to contact? What information can you store, you know, at a high level, I would just say registered consent management has to start at the registration process. And fortunately, a lot of the CIAM solution providers have pretty, pretty good consent management offerings built into their product that the, you know, as a customer, you can tailor as needed and it will, you know, work across many jurisdictions. And in some cases, and again, you've got to pay attention to, you know, where do you need consent management?
How, how is that embodied, you know, in different laws where, in areas of the world where you're doing business. So it's a kind of a long and involved thing to get into, but it, it is a good thing to bring up here. I believe.
So we've reached the top of the hour. I wanted to thank Asif for joining us today.
Any, any final comments, Asif?
Thank you.
No, it was great doing this session with you, John, and thank you to everybody who attended, and we wish you all the best of luck in your identity and digital journeys.
Yes. Thanks everyone. Just a reminder, all of our research, including the things like CIAM, there's a new CIAM Leadership Compass out there, it's available on KC Plus. We do digital advisory. We cover topics such as CIAM and how to build that into part of your identity fabric.
We're also offering masterclasses, more information available on our website, and here are the specific items I believe are relevant for consumer authentication and consumer identity. And with that, we'll close and thanks to everyone for attending, and the, the webinar has been recorded. We will make that available along with the slides. And thanks again. Asif, thank you for attending.