Welcome to this KuppingerCole webinar "The role of customer identity and access management in digital transformation". This webinar is supported by WSO2. The speakers today: my name is Matthias Reinwarth, I'm director of practice IAM at KuppingerCole analysts and I will be joined by Prabath Siriwardena. He is deputy chief technology officer and vice president of security architecture at WSO2. Quickly a short note about our online events. And we are holding a lot of them right now in there really nice and really successful.
Next week, we will have the cyber access summit actually in German language, and it will take place on the 17th and the 18th, and we'll be around cyber security, access management, consumer identity, and much more. And it will be followed the week after by our cybernetics world, which will be in English language and again for two days and all of these events.
And we are really proud of that. And we really mean it. It's highly content. It's world-class speakers and that's true. It's online only with lots of interaction on our platform and it's for free.
So join us there if you find the time, if you don't find the time register anyway, and watch the keynotes and the sessions that you are interested in afterwards, but contributing, taking place online is much nicer. Of course. So that's it for the, for the commercial break. And now for the housekeeping, first of all, all your control, all the participants are neutered centrally. So we take care of that. So you don't have to do anything about the microphone settings. This webinar will be recorded and the podcast, the recording will be made available as short term.
And we will also provide the slight techs for download. So no need to take screenshots or notes for the content that is presented very important from my side is the Q and a section.
We will have a questions and answer sections as the third part of our agenda. And I really ask you to contribute your questions. You have this go to webinar panel on your screen. There is a question section, just please feel free during the complete sessions that we are making that product and me are doing that.
You add your questions and I will pick up on them in the Q and a session, which will be the last some 20 minutes of this session today. Then we can answer your questions and make sure that you get the information from product and or me when it comes to what you really want to take away from here today. So that's it for the housekeeping very quickly now to the agenda. First of all, my part I will about how CIM consumer identity and access management helps to achieve the digital transformation.
I will talk about some best practices in CIM and some pitfalls to avoid.
Then Probat will join me from WSO two, and he will talk about the five pillars in CIM essential for your CIM strategy. Think of your questions and maturity models to determine, determine the stage of growth. And then as mentioned, the second, the third part that 20 minutes of this hour will be the Q and a section though, will where we will provide the answers to your questions. And that's the agenda or parts will be around 20 minutes. At least that's the plan a bit more or less, and that's it for the agenda.
And as mentioned, I will start out and as we say, this is about the trich of digital transformation and what CIM can do for this digital transformation. I just wanted to share a bit what we at KuppingerCole considered to be the digital transformation.
And we think of it as these circles of change. And we are starting from inside out the digital transformation. First of all, is really driven by external drivers. We are in a consistently changing world, and I don't want to mention COVID again and again, but this is an UN factor here, but many other things are changing as well.
We have a changing competitive landscape. Our partnerships are changing. Our supply chains are changing. We have to have rapid innovation. We need to make sure that we are capable of providing this rapid innovation. On the other hand, we are in this hostile internet, we are under ever increasing attacks. Regulations are changing and are growing. We have connectivity more and more, and we are moving from a product world to a service world from not buying things, but subscribing to services.
On the other hand, we have changes in the organization or key capabilities to make sure that we can meet these external drivers. We make to have to make sure that we are in our organization from our own mindsets, well adapting to these changes. And that means agility. That means organizational flexibility, multi dimensional structures when it comes to organization and the innovative-ness, which enables us to provide this rapid innovation, which is in the external drivers section.
We have the key areas of change when it comes to how we do our daily work.
We have smart manufacturing with changing supply chains with just we really services and additional product being provided just when they're needed. We have lots of customer interaction, and that is where CIM comes in. And we have, of course the internet of things and all these are just examples of, you could add more and more of these items to each of the individual circles of change here.
And on top of that, there are the key enabling technologies that we need to take care of, and that we need to make sure that they are handled properly and not just in place to enable this digital transformation. And that is what all this webinar is about. And we see as the first item here, identity, and that is really an important thing.
We need to understand all identities for all types of identities. So on apart from that, we need to think of big data. We need to think of all this machine learning, cognitive and AI.
We need, of course, to make sure that security and privacy are taken care of properly, but also such such aspects as robotics. And that's not only these mechanical robots. It's also robotic process automation, more and more. It's really the blockchain only hype three years ago, but really they is stay.
And again, of course, the ubiquitous sensors that are key enabling technologies and all this, these to be tied together. And we need to make sure that we enable digital transformation as a whole, with all these aspects and many more. What does that mean for the organization? When we look at identity and access management. So we have, of course more users.
When we have a larger growing supply chain, we have more partners, we have more external partners, parties.
We need to make sure that we take care of our customers and consumers, CIM, interested, parties, systems, and devices, but we do not only have more users. We do provide more services when we're moving to a service to a services paradigm, we have a dynamic expansion of our own it. And we use the cloud as a platform. And of course, many of us has moved to software as a service, think of think of office 365, providing from the cloud and many other services like that. When we have more services and more users, we have more data.
We have employees, of course the employee data, but much more. We have context data. When you think of security, we need to understand our context where we are, what, at what time of day we are doing things.
We have customer data.
Of course, we have an increasing amount of intellectual property, highly critical financial data, but also share data, public data, open source data. And in the end we have more responsibility. So all this is an effect of the digital transformation and the foundation of digital transformation. We need to make sure that we accept our responsibilities and we, yeah, we perform on them.
So the principle of least privileged separation of functions, governance in general compliance duties of proof to make sure that we not only do things right, but that we have evidence that we do things right, that we have necessary certifications and more, all this is a growing and growing aspect.
If we think of more users, we've mentioned the customers, the consumers, and we need to understand that the consumer identities, the customer identities are the key for the digital transformation.
These are the individuals that we are doing business with, and we need to make sure that we fulfill on the promise towards them. So we are enabling business with them and we maintain security when dealing with them. And I am CIM has moved away from the it guys team. So it's more at the marketing team, the advertising team, the sales strategies team, the app development team, et cetera. And that is true for literally all industries and regions and consumers. They are actually a bit spoiled.
They are used to the experience that they get from say, Amazon say Netflix, and they want to have a seamless, a consistent, relevant experience from onboarding to their daily usage.
So registration authentication and authorization is, are key aspects to look at. And I'm sure that product we'll talk about that as well. So CIM is far more than just a security domain than that IAM was. So the traditional employee and, and enterprise, I am it's this and that, this is true. It sounds like a truism, but it's true. It's an access enabler for customers and consumers.
And we need to make sure that they get the access to all the resources that they need to have over time. And while they're doing that, that they are properly safeguarded and governed in our today's hybrid environments. And of course the I am is often especially about understanding monitoring behavior as the basis for security and business alike. So to identify unwanted behavior and to understand the behavior of a user while they're on the platform.
So I won't read out all these aspects, but w when you read a bit within the boxes, while I'm talking, it's CIM, it's about many of aspects that we have right here. So it's really about understanding your customer from registration and serving them throughout the relationship. So from the registration, from the verification, from the onboarding to the daily usage of a platform that you can provide the access to services at the level of confidentiality that you require that you give them access to services, provide authorization within the services, maybe make sure that you do that at scale.
So it's not only even for larger organizations with state 50,000 or 70,000, or more than a hundred thousand employees, we are talking about multi-million identities in a consumer, in a customer identity and access management. And that is a, a challenge to do that, right? And I said, I want to talk about the common pitfalls, and I want to talk about best practices.
So let's do a reality check where, where is CIM when it's not really done properly. And we often see that in real life, it is often not a strategic approach. It's a module within the marketing campaign.
It's something that somebody who was the first who needed it. Yeah. Subscribe to a service with a service with the checkbook approach, just to solve an immediate problem. And it's often operated and purchased decentrally. So it's closer to CRM than to IAM. Although these are technically similar, not the same technologies that is that it's closer to the CRM system and the people who run the CRM system. And if it's really done wrong, we sometimes even have more than one CIM. So one a CIM for each solution. So different purposes, different lines of business, more than one CIM.
And if you are a customer of such an organization, that is really something that you don't want in general, reality check often means that we have missed two strategic opportunities.
And this is off the cause of many issues downstream. And the main issue is yet another silo. And yet another silo of course, is something that we need to avoid. That is most, probably one of the most important pitfalls that are the most important mistakes that you can make here.
If you are treating your CIM as a not well integrated silo, well-integrated with your security architecture, your marketing architecture, but also UIM architecture, then you're just not fulfilling on the promise of a CIM. You have limited benefit, you're investing lots of money and you don't get the full ROI. You might end up in potential compliance issues. If you'll have just one more processing personally, identifiable information, then this is an issue because you have to track that.
And if it's just subscribed with this checkbook approach, how can you make sure or do you make sure whether it's run in the right legal area, regional area so that you are, for example, a compliant to GDPR, you have potential governance issues.
And can you be sure that this customer that you're dealing with is not also an employee, which might be a segregation of duties issue. And in the end, I've mentioned the more than one CIM issue that of course immediately leads to a user experience issue when it's not done properly.
So you end up with more than one account for customers and different solutions. And that is really something that I, as a customer would really highly question. When my partners, my providers would hand over such a solution to me. So that would be one of the major pitfalls, the things that can go wrong when doing IMC, I am here. So I own already come to my final slide, but this is the best practices, the recommendation slide. And for all of these items that I mentioned here, of course, if you turn them around, they immediately also show the pitfalls with it's not done adequately.
So what we really recommend as the key sentence for best practices when it comes to consumer identity. And I think private we'll elaborate on that as well. It's really thinking identity from a consumer's viewpoint because they who are in the driver's seat. So seamless access to services from every device, integrate payment, do it securely and preserving privacy. So six recommendations, first of all, think of identity and think of freedom of identity.
Think of freedom of the identity to use for the individual consumer slash customer so that they can choose which identity to use in which context, the social one, a registered one. And you make sure that you control all of the identities and correlate them and leave them in control with their, bring their own identity.
They do this from the devices that they want to use, and they will use the device they have at hand. So it should work from literally every device seamlessly.
And when they switched to a new device, just the new iPhones have come out recently, they will switch to a new device, make sure that they can use your services from their new device and that as simple and as easily as possible, and privacy preserving and maintaining adequate or easy and simple, but secure and things are changing. Also, consumers are thinking more and more of their rights as the customer, as the consumer.
It's not only regulations, but increasingly the user demanding for privacy and for control of data, for the right to delete the data on the other hand, more, more payment than commercials coming into play. And that is with this working from home and staying at home scenario.
It's not only about access, it's about having easy access also to paid per services, integration with payment and commerce that needs to be seamless, but managed, secure and controlled, maybe with some step-up authentication and authorization, just to make sure that payment is a bit more protected, but it's instilled with a great user experience.
When you enter such a service you want not to be bothered with cumbersome registration and wise KYC or your, you know, your customer processes, make sure that this is really seamless, really something that works immediately and iterative process of collecting data over time, not filling in large forms at the beginning, because then I would leave as for sure. And finally, an aspect that we really think is getting gaining more and more important. It's really this work life convergence of course, work is part of life, but life and private life is more and more converging with the work life.
So there is not really often a real distinguishing factor between the identity so that you're using for personal life purposes and for work life purposes. So many of these identities are used in parallel for different purposes, and you need from a consumer identity and access management point of view, make sure that you understand these different types of identities and that you make sure that you correlate them, understand them as a whole.
And that gives you the full picture.
And that is really my best practices recommendation as my final slide for thinking from a consumer's viewpoint, really fulfilling their needs, making sure that that is well implemented. So that is my final slide, as I said. So I would shortly hand over to product, but before I do that, I want to mention again, the questions and answers section.
So if you have any questions regarding my part, and if you have any questions regarding the part that part will now present, please make sure that you add your questions into the questions panel on your screen so that we can, can pick up on that in the third section. And with that, I would like to hand over to product for his part. And I'm looking really forward to him talking about that Prabath. Are you there? Yeah.
Thanks Matthias. Hi everyone. Thanks for joining in hope. You're doing great. And most importantly, staying safe. I'm Prabath Siriwardena.
And I've been with WSO2 for the last 13 years and mostly work on the building the WSO2 identity service. WSO2 a is a company that produces a set of open source products in the innovation and IAM domains. The company was founded in 2005 and we have offices in the us, UK, Brazil, Australia, Mexico, Italy, and Sri Lanka. I'm based out of the mountain view us office WSO2's vision in IAM is to build an API driven developer focused IAM product to address CIM use cases. We believe in moving forward.
Every service you develop, every API you deciding, every device you use, every person you interact with will have some sort of a managed identity in building a CIAM solution. You need to integrate with all these components, or in other words, you can't merely operate in silos that we see as a need for a developer focused IBM product to build a CRM solution.
Identity server is an open source IAM product release under attached to at a, some of you may only know Apache two voice, the most business friendly open source license.
At the moment, we have 200 plus production customers and paid production customers and 500 plus education institutes using that globally. That's in addition, 2000 plus completely open source deployments with no publishable subscriptions. I would say 90% of Adam silver deployments are customer facing addressing CRM use cases.
Of course, multiple verticals, including financial government, healthcare education, automobile retail, and many others. We have a very active slack community. So if you have any questions later to the product, we invite you to join our slack channel. The entire RMD 70 development team is on it to help you with that little background, with respect to that product. I believe we qualify as a well established vendor in the IAM domain to talk about CIA.
The major goal of CIAM is to drive the revenue growth by leveraging identity data, to acquire and retain customers.
It will build an IOT centric ecosystem to measure an anonymous website, visitor into a well-known loyal customer. We have come across multiple faces in the past and today at the age of customer identity has become the glue for all contextual marketing.
In, in doing that in our journey towards CIM, we face multiple challenges. If you take a typical workflow, a mini follow to onboard a customer, we start with an anonymous website, visitor, then nurture this anonymous website, visitor to a lead, and then to a qualified lead. And finally to a customer, there can be multiple variations of this flow, and we could be using multiple channels to onboard customers. When we have multiple channels, multiple points of connections and data sources that leaves us into a bigger problem.
Data data to the anonymous users may reside under marketing data sources, data with respect to leads and Sears might be under CRM data sources. And the identity data of customers could be under the IAM system. With this approach. We end up having siloed data sources and those siloed data sources may not know how to appreciate it. 52% of marketing leaders responsible for data analytics. They believe data integration and data management are the most time-consuming activities.
And also, oh, one third of marketers. See the inability to integrate data is the biggest obstruction to the success of the analytics team.
These are, these are real challenge, which we need to find a solution to then protecting consumer data at large scale, unlike in a workforce, I am in a typical same system. We work with millions of users. So we need to worry about how the CQL is to the PII data of these users.
And episode privacy is another challenging area. We need to worry about what you, your customers and your partners experience is the tip of the iceberg. So that's the experience your CRM solution is building underneath to build the right level of user experience. You need to worry about these five pillars.
Scalability is one requirement in any CRM system. Unliking a workforce I am in CIA. The difference between the average load and the peak load is considerable. So in a traditional way, if you provision new hardware to address the peak load, you'll end up wasting a lot of resources in cam, just having the ability to address scalability needs is not your CIS system should know how to auto-scale up and down based on the demand. Then the security. If you handle any customer data, the secret, it should be one of the top.
Most priorities you would need to worry about how your CRM systems tools and processes, PII data, how we talk to external systems and also how deep communications happen among the components of the CIM system itself or to the customers.
They do expect some control around how you collect to manage and share their personal data, any misuse of customer data with the deliberate or not can significantly damage. The brand equity you submitted is another key aspect.
So there are three types of users who need access to your CRM system, your customers, some of your employees and the partners, the customers demand a blue friction access both during the registration flow and the login flow.
Then some of your employees like the heritage administrators or the CXOs CXOs specifically would expect you a cm system to build dashboards, to do a better business oversight then comes the extensibility, both the extensibility and the developer focus go hand in hand, organizations need to continuously improve the level of consumer engagement and adapt to the changes in technology, business models, competition regulation, and then the customer preferences to address that you need an agile event-driven CRM platform that can flip to meet both new business opportunities and new challenges.
So you have a CRM system, a CRM solution should be able to address common CRM needs out of the books while its architecture should permit extending the platform to address unique business requirements. That's why VC CIA is a solution you build not just a single product that you bought. Then the API APIs and integration. 60% of digital transformation projects start with integration. As I mentioned before, CRM is not just a product. It's a solution we've built. When we built the same solution, we need to integrate with multiple components.
These components can be an IOT provider, the CRM system, the marketing platform, an e-commerce platform, a CMS and so on. So we need to worry about how you build an integrated CRM solution. The key enabler for integration is the APS and all the components in your CRM infrastructure should expose their respective functionalities by APS. They can be in-house. So outside of your local infrastructure, when you mix force API APIs and consume API, we need to worry about security.
We need to worry about securing APS at the edge, and also secreting the communications among the components in your CRM system.
All the time, we have spoken to hundreds of customers and probably thousands of leads from all those conversations. What we have learned is different customers are at different levels of maturity in building a CRM solution. Some even don't know they are doing CIA most business, as they do start with level CDOT at non-existent measure deliver at this level, you don't worry about tracking any customer interactions.
Probably you don't have an online portal and probably you don't do any online sales. In case you have an online portal, you may use it only to share your product and contact information and would not expect any dynamic customer infractions. Probably you may use systems like Viber, WhatsApp, or a phone line to accept orders, but you don't worry about tracking who places, which order many restaurants, taxi services, retail stores, and family businesses. Follow this model at the start.
When you walk into a restaurant more than most about you, even if the same restaurant you are going back again, and again, each time you need to pick where you want to be seated and what you want for the meal, same applies for many taxi services, probably other than Uber and Lyft. Whenever you order a taxi, you need to share the address you need to go. You can't just say drove me home, or take me to the office at level one or the manage identity phase. You only worry about onboarding your customers, the system, and digitally manage their identities.
Even under level one, the emphasis different companies put on how they going to manage their customer. Adding in case various one may only worry about onboarding customers where an online portal, and then let them authenticate the system. We are using a main password. Another company would worry about integrating with social IDPs, for registration, enabling strong, authentic authentication options with the adaptive authentication, integrated risk engines do .
And so what you would do in this phase is distributed across a broader spectrum, but still you only worry about managing identities, no CRM system in place, no custom preference management system in place. I would say most of the companies we're working towards a digital strategy are in this phase, or at least start with this phase. Then again, the question is how long you want to be in this phase, we work with many companies who win in this phase for years.
And some even for more than a decade, what we have seen is the more you are in this phase, you start building disconnected identity silos. You may use Federation between applications and I in the providers, but still we'll end up having multiple Federation silos probably by different departments. Each department may have its own adding store and identity provider, which will result in a duplication of our information across the company.
Level two is one step forward from the managed Eileen defense.
Here, you have an ID management system in place, and you also worry about having a CRM system, the marketing platform, an e-commerce platform, a CMS data management platform, and many more to know about your customer. Better. One deficiency we see in the companies in this space is even though you collect customer data at different contact points, the data sources are disconnected and there's not helping building a unified profile for a given customer. When you want the generator report across multiple data sources, that would require a high labor intensive process with human involvement.
And even in some cases, you may have failed to find the correlation among different data sources. This is in fact, the is we see a company would start worrying about a CRM system. Once you are in this phase, you'll understand the benefits in building a unified view of a customer. And at the same time, you'll start realizing the deficiencies in your current system that prevent you from getting there.
The level three is the connected phase.
This is the phase where you start integrating UIM system with your CRM system, a marketing platform, a e-commerce platform, a data management platform and others. This helps in building a unified view of your customer. So you can see how long it took to nurture. And it must lead to a loyal customer. Privacy profiling is one of the key elements of this phase. When you onboard a customer, you only re request a minimal set of information, but as Yoshi starts using the system, the system will start learning more. The system can learn from the users.
Behavior orders directly asked from the user for inputs, irrespective of how the system learns about the user. It will feed those data into the IAM system, using an API. This helps the IAM system to make much informed decisions with respect to the use of action, as well as share a unified profile of the user among all the connected applications.
Another advantage you see in integrating IAM with other business platforms is you can track the customer across multiple platforms or multiple devices. Most of the marketing platforms, track users buy cookies.
So when you use cookies, you can track the user across multiple devices, but having your marketing platform integrated with the IAM system helps you identify user interactions, post devices. This is one reason I would say, arguably, why Google introduced Gmail? You are always logged into Gmail account and indirectly to the browser. So we're going to can correlate your search patterns with your identity and they can do that.
A post, all the devices, then apple ID probably introduced for the same reason. When you use apple ID, apple knows which apps you use from your mobile device as the last outside of your mobile device, to build a CRM solution. In this phase, you would need more than an ID provider.
You need to worry about integrating systems, exporting data as API is managing those APIs and many more. This is why we see many customers in this phase. Work with system integrators to build a CRM solution.
If they don't have a strong development team, in-house finally the level four or the optimized phase only channel access is one key feature we see in the companies who operate at this level in an only channel environment that customers interact with the business. There are multiple channels, but we'll still get a seamless, continuous use experience. If you're an Amazon customer, you can place an order to them side, a mobile lab, Alexa, or even working there.
When Amazon announced Amazon books a few years back, their intention was to bring the same digital experience you have on amazon.com to the physical world. If you visit an Amazon bookstore, you will see the book reviews, ratings, and many other digital only features.
Then Amazon goo. When you enter into the Amazon go store, the system seamlessly authenticates you where the MSN Google mobile app. Then it uses sensors to track items as we put them into the cart or return them to the shelf. And finally your Amazon account gets automatically charged with more cachet invoice.
So this is the next level of omni-channel experience. Amazon is building and identity is key in doing that. Then the CXO dashboard is another key feature VC in this phase, the CSO dashboards get updated in near real time with the data, with respect to the current status of the business, and also prediction from integrating with machine learning systems. Also in this phase machine learning and behavior analytics are being used to suggest how you can design better, more effective UX AB testing for user registration and logging flows.
We only see a small percentage of companies at this optimized debit. This is a summary of the maturity model we discussed.
Finally, the takeaway is the goal of CIM is to drive the revenue growth by leveraging identity data, to acquire and retain customers.
Organizations need to continuously improve the level of consumer engagement and adapt to the changes in technology, business models, competition regulations, and customer preferences, and the giant event-driven Sam platform can flex to meet both new business opportunities and new challenges and CRM system should be able to address common CRM needs out of the books by its architecture, should permit extending the platform to address unique business requirements, double digitization in RIA to build an API driven developer focused IBM product to address CRM use-cases.
Yeah. Thank you very much.
Private, thank you for this presentation. That was really interesting. And before we joined the questions and answer section of this webinar, my final call for questions. So if you have some more questions to add to the panel, please add them right now so that we can use them so that I can ask Robert, or maybe answer them myself. So final call for questions. And it's great that we have quite a great set of questions already there to start out with. So without further ado, we start out with the first question from our audience.
So the first question that I received very quickly while talking is the question that I was using. And I think private did this as well, customer and consumer more or less like synonyms. They are not synonyms. How do they differ? Maybe I just start out and then maybe prompt you.
You want to add to it? So I use them as, as synonyms because sometimes the dividing line is difficult to draw. You're not, you're not always doing real business with the identities that you are handling in such a systems. Sometimes you want to, sometime it's not even intended.
So the distinction between the both, it really depends on the individual use case. So a consumer can be somebody just passing by and trying to find some information and then turns into a customer and really doing business, doing purchases, buying services, subscribing to something. But sometimes this is not even wanted. Think of a, yeah, a football clubs saying tickets, they, they might do that vary by other platform. Maybe they are just doing some, some social interaction with their fans and they do a consumer management for that purpose.
But private, do you have additional ideas to add when it comes to distinguishing between customer and consumer?
Yeah. Yeah. So I agree with what you mentioned, but if I give you some concrete example, let's say we are building a digital aviation platform. So we are the owner of this platform and our customers would be different airlines like American airlines, if you had a million different airlines. So those are the big customers of us. So we can call consumers as the people who use those services, like in consumers, who is at the edge, we should buy direct services from our customers.
So that's a differentiator.
Okay, great. An additional question that came in while I was talking, but I think you, you probably can also add to that as well. I I've mentioned as my final point that we should think of integrating the work and the private life identity and to get to a common picture here. And the question is here, if I was suggesting that they should merge or how a system can establish that context. And there is a bracket which is important to me as well, I, I much prefer to separate work in real life myself.
I do as well, but nevertheless, sometimes it might be required to, to, to make that, that joint approach, to understand that this cooping a coal address is also this private materials address. For example, I've mentioned the use case. How do I understand that the customer's also an employee that is an interesting thing. And with working from home right now, I think the, the, the lines are really blurring. What's your, what are your thoughts here?
Yeah, I
Totally agree. So I would say you should not be accept them as a user or also as a company who are implementing IAM system, you should not mix up the IAM system, you house for the workforce and IMS system you have for CIA. So that VC without customers too, like some of our customers, they use different IAM product for the workforce I am. And for the employee, the consumer customer, I am a CIM. Then he was a WSO too. And as a person too, I would not like encourage you to use, like, I didn't get tributes headed from your work place for your personal interests and actions.
So you should not use your company email to register for personal events or share with your personal contacts, because I immediately like there's a legal ownership of your company account to your competitor. But first I am, plus I didn't the email account to your company.
So whenever like you will leave the company, you lost everything. And also company may have legally, legally, legally allowed to go through all your personal chats that you do with your company and go through emails. So companies will go through that.
But if you use that for your private communications, then your private data is also exposed to you, we'll combine it. So we see some people using your company email address for the, the account recovery email. So that's also not a good practice of when you leave the company, you don't have any access to those, those information.
Yeah. Great thoughts. Thank you. We have a number of questions around the, the onboarding process for consumer slash customers. First question here in that context is what do you make of social logins? Isn't that a weak foundation for CIM?
How do you, how, how would you, what, what would be your answer private when it comes to onboarding users based on a social login?
Yeah, so that'll definitely radios the fiction. You can easily register you to a system using your social account, but then again, we need to be careful. We should not just rely on one social ID, but you should not just rely on Facebook, Twitter, or LinkedIn. You should support like multiple options for the users or register. Then again, you should also have a local account for them. Okay. You use your social account to bring in your use attributes.
You don't need to type all your data in our site. You can bring in them from your social IDP, but you need to create a local place that is essential.
In my, in my view, in the current context of the world, we have seen in many countries, Facebook being bad. So I experienced this firsthand in Sri Lanka. So the Facebook was banned for more than I guess, two weeks in Sri Lanka. So that had a huge impact on our e-commerce business, which will be which, which were based on Facebook login. So when your Facebook is banned, if your business relies on Facebook login, your customers can log into your account. So you need to take care of like everything about those lines to venue enable social registration.
Of course you can have it, but think about having a backup plan too.
Right? So another question closely related. So is the value in the management layer of CIM or in show and are in ensuring digital identities are authentic and secure and private. What is from your experience and from your point of view, the most important part.
Yeah.
So most, most important part is build the right level of user experience. So that's the most challenging part too. So you need to, you need to find a right balance between the user experience and security. So Facebook is like registration with Facebook is one example. Like you need to give the ha you need to give the opportunity for your customers to sign up with Facebook, but then again, you should be prepared for you in case like this social IDP got banned. So finding the balance is the, the key thing in, in building a CRM solution.
Then again, apart from the business requirements, you also need to think about those five pillars of CIM are discussed in the webinar. Those are the key things that will help to differentiate you from others.
So if you, if your CRM solution cannot scale, then that will have huge impact on your business.
So what we see is we work with one of the financial institutions in Latin America.
So there, the average load is around thousand login requests per minute, right? But there are two days in a month that the peak load goes up to 300,000 logins per minute. So that's a huge variation. So if you feel a CRM system is not scalable or not cannot auto scale, then you are having a bottleneck. So you also need to think about the, the, the tip of the iceberg, as well as the factors that help you to build that tip of the iceberg. Right.
Fully, fully agree. One more almost philosophical question is, is CIM missing a universal identity proofing standard?
Therefore, is this, is this something that you would consider to be valuable as a universal identity proofing started really knowing who's behind that customer identity?
Yeah, so it depends once again, based on the services you provide. So we see in financial institutes banks, when they deploy SEM solutions, they worry about the ID poofing.
But once again, I need to agree, but I haven't seen that that has come across as a real need for most of our customers to like work with, like, they don't feel the lack of a universal standard, but yes, I think as you mourn, when there are many companies get that need, we would need to have a new set of ibuprofen standard. Yeah. Right now it depends on like different vendors. You get a vendor looking as well.
Right.
And I think that that is also real sense in having consumer identities that are weak, that are not fully proof that they are, they are just for doing some, some, some polls or just interaction on the platform. These should not necessarily be required to have a stable proof and to have a connection between a real life identity, a question around your products. When you build an established, a CIM with an WSO two product, what is required, do you need only the identity server as a product? Or are there other products required?
Like, I don't know, ESP or microservices.
Yeah. So it depends on like where you are in that maturity model. So most people, they started having ID Federation and single sign on for that. You can just use that in the server, but when you won't integrate with multiple systems, then you need to build the like intuition story for that. You need do the API management, you need the integration where you can stop this, do a enterprise integrator and doubly. So two API manager.
And I see that's an advantage we have, like, we have all the ingredients under WSO two that can help you to build a bit like integration, CRM story. So when you, so we are right now planning to go to cloud. So probably Q1 next year, you will hear more about it. So in the cloud, we are building the CIM into the integrated story with all our WP products.
Right. Okay. We have really great questions today. So another one did this time about, about content management and requesting content from your experience. And also from my research view, what is a good approach in requesting consent?
Should it be a step-by-step approach for giving consent whenever it is required for individual attributes or for individual usages, or is it better to start with a blanket of approval of end user privacy policies and all that at the beginning? What are your best practices here? Proper?
I think it should be on demand as in when you ne you should not gather any, any consent or any identity attributes, unless you really don't need them. So you should only take them as an, as an avenue needed.
And then again, what we have seen is when you gather consent, and when you work in a Federation use case, there are two parts in this one is the consent management at the IMD provider side, from the identity provider side, the venue logging to another application to the identity provider. The only consent required from the identity provider is, is it okay to share this attributes with that particular application? Then when the customer goes to the application, application needs to get another level of consent. Okay.
You give consent to the IDP to share your email address with that particular application, but then application has local consent management. You would need to ask, can I, is it okay to use this email address to send you a newsletter? So that's a different level, but you can do it. So that's something we are planning to, to this level of two levels of handling consent is not a good user experience. So what you can do is the IDP itself can manage consent both on the IDP side and also the third party applications. So that's something we are working on.
Okay, great. Thank you.
And I, I would fully agree. It's really, it also, it feels a bit fishy if, if, if you really have to, to give consent for many, many attributes in many, many use cases, when you're just registering with a wet website and you don't even know whether this will be relevant at all, or if you're quitting afterwards, because, and many will just jump off and leave at that point in time, because they just don't want to, at least I would do. Okay. A great question.
Again, it is a bit as a side note because we've been talking about, see, I am right now, but when it comes to B2B IAM solutions, is this a completely different game? Or is this something that, that trends towards the CIM space as well? What are your experiences here? Is there similarities?
Yeah. So when you, when you say CIM, it, it calls us both B2C and B2B too.
So the, the example I gave you, right? So if you're building a digital agent platform, you are, your customers are the airlines, right? So now the airlines, they have their own customers too, like, and they will, they also need to interact with other businesses. For example, for airline, there can be other service providers like who doing catering staff maintenance. So they need, you need to share some of the resources from the ally with those vendors too. So there may to be interaction.
So we, we have many kinds of use cases, the companies using our identity server to build platforms like that. So B2B interaction is also becoming an essential part in CIA.
Okay. We have one, one participant today who really is planning for a large scale deployment. And he asks if there is a, a affordable and scalable platform that can handle up to 180 million users, not necessarily a question to WSO too, but maybe you can elaborate on that as well. I assume there are, there's the need for that.
And can, you can use scale up your platform like this and do you know of platforms who are capable of doing so?
Yes. Yeah. So I think I know, like, so there are many on an 80 million is not a huge number when it comes here. I am.
So you, you see in CIM, the numbers are in like hundred million, 10 million range. So we have a WSO too. We have like a large scale deployment about like Hilton, for example, the 106 million abusers using our platform. So the way we have designed our platform is we don't completely rely on the number of users in the, in the system. But what we worry about is number of concurrent requests. We can do system. And based on that, you can decide how you want to scale the product. So mostly that's what I mentioned. Scalability is a key requirement.
You really think about when you are evaluating a CRM product. So when you, when you get a request, you same solution should be able to auto scale. So rather than have provisioning your product to address a peak load, you can adjust your platform to auto scale based on the demand. So I don't think that's an issue. So WSO2 support that, and I don't think any, like other key vendors, they, they do support that too. In as a CIAM platform, you must support that, that size of like customers,
Right? So unfortunately we are reaching the top of the hour.
We have quite some list of questions still left. So we will follow up on that afterwards.
And, and, and we'll, we'll get in touch with that. And both OWS are too and decouple KuppingerCole, we'll do that so that we can answer that questions. So thank you very much. You product for providing this deep insight into your work, into your product and your experiences. Thank you for the great questions to the audience for, for participating, for, yeah. For contributing their, their questions. And there's still more to, to answer here, private, any final recommendations, any final remarks you want to make?
Yeah, I think so. You need to a, because James solution, you also need to think about the, your business requirements, as well as think about the other five pillars I mentioned. So those would be the critical ones as we move forward. Like whenever you have business requirements change, you, same platform should be able to adjust, accommodate those changes. If you don't think about those five pillars, you will get stuck and that'll be a costly operation to add new changes. So think about those after.
Great. Yeah. Thank you very much.
Again, product. If there are any more questions, please get in touch with private and or me. The contact information is on the side where you registered for this webinar. That's it for today. Thank you again for being part of this webinar. I'm looking forward to welcoming all of you for a future edition of one of our webinars, and that's it for today.
Thank you, prophet goodbye. That's why they ass. Bye.