Okay, thanks very much Martin. And thanks everyone for having me and for your attention. And let's talk about the rise of the developer in IAM, which also kind of corresponds to the fall of the administrator, as much as we can do with automation.
And self-registration, we're going to encourage more to be done by the developer, and making the developer's life easy is what we really need to do, especially when we can include those policies directly in their apps, allow them to pass security reviews very easily, even in the situation of complex multi-cloud environments as Patrick was talking about before. All right, next slide please. So I'm Eric Newcomer. I said CTO of WSO2. I joined last November. Previous to that I was global head of security architecture and strategy at the Citi consumer bank,
where of course, you know, identity management was within my scope of responsibility for the security reviews before the applications could be released to production.
Prior to that, I was a chief architect again at Citi, but in a different division, Treasury and Trade Services, or the institutional bank there. I had security architecture within my portfolio as chief architect, and we worked on several identity projects, including one together with Microsoft.
And I got to therefore connect with the great Kim Cameron and had some good interactions with him in the context of setting up a partnership with Citi that unfortunately never really came to fruition, but nonetheless was interesting, based on identity cards and payment cards and things like that. We also did single sign-on bridging across different apps, put in multifactor authentication and end-to-end password encryption activities as well while I was there. And before that I was in industry for about 25 years. CTO of IONA Technologies is very similar to my role here at WSO2.
So kind of back to the future. And I started out in digital equipment.
Now part of HP, I worked my way up to distinguished engineer in database and transaction processing. And of course, security is always a key part of transaction processing. So I kind of got started on the topic then. I would have to say, I approached this more from the architectural point of view than from, you know, deep into the bits and bytes, but I want to give you my perspective anyway on what's going on with identity access management today. Next slide please. So what are these key benefits?
Key things that we're trying to realize here, when we try to think about streamlining the administration piece and including improving the developer activity, so we can shift some of these things left. We're trying to improve the digital user experience in the digitization projects that were becoming ubiquitous, certainly at Citi and the consumer bank.
When the pandemic hit, we had a lot of motivation to digitize all of the bank services that normally you'd go to the branch for. People weren't going to branches. And I think this just accelerated a trend that's already there.
And I see no going back, even if the pandemic ever ends. I think more and more business is going to be done digitally. Certainly the industry leaders showing the way, Amazon, Uber, Netflix, and so on, show what a great digital user experience can do. And to get those great digital experiences, they have to understand deeply the problems of the customers and iterate quickly on those problems, and improving the digital user experience means managing the identity seamlessly and transparently and as easily as possible for those customers.
That 360-degree view of the identity data helps make those decisions and iterate those customer experiences to what everyone expects from the leaders nowadays, and make it easier to onboard.
Third parties, enable identity access management internally as well as externally, and secure the API access, which is something, you know, very important. It's certainly not least, last but not least of the items on this list. As we see APIs proliferating, the need for identity management for all those APIs is very critical.
And again, something we saw very clearly at Citi, as we tried to improve the use of APIs. I worked on the Google project, for example, where Google was putting a banking app on top of Google Pay. And we had to federate the authentication systems from Google to the authentication systems of Citi through the APIs that we exposed to Google, which was not an end user app. It was a business-to-business type app, API to API. And I think these things are going to be growing in importance.
SaaS-based APIs are going to be growing in importance, and being able to secure all of those APIs and especially the interactions of those APIs, the workflows of those APIs, especially, and as we go into code being everywhere, OT becomes more and more critical, more and more important. Next slide. All right. But what are these challenges we have related to getting all these benefits?
Again, talking from the Citi point of view, where I recently was working in the security area. We always got reviews at the last minute. I shouldn't say always; some project teams were, it was varied, you know, some project teams would come early to the security team and get the designs and the policies in place at the beginning. And others would come to us two weeks before production and say, can you please review this? And we would say, well, you haven't got the authentication right.
You haven't got the encryption right. You have to go back and rework this.
And it's not something that you want to be doing at the last minute, because it's like, I always look at it like user interface work: you have to have the design at the beginning and code around it, code to it, rather than coding something, putting it out and having to rework it.
And automation sometimes, you know, even though automation really helps us get things out there more quickly in production, if there's a problem with the automation, or even just setting up the automation, takes a particular skill that can be hard to come by and hard to modify when complexities emerge. Next slide please.
So now how do we meet these challenges? In a nutshell, putting security into the code, allowing the developers to focus and maintain their focus in the IDEs, help bake in the security policies into the code and their automation pipelines.
From the beginning, you can provide standard SDKs and libraries, a little bit like the open source phenomenon. We just have these things available, put them into the code, and you can add in the identity access management, the authorization, the rich authorization, the multifactor authentication, social media authentication schemes, and extensions, integrations, federated authentications.
All of these things can be put into SDKs and libraries, and organizations such as Citi can put in their customization of their policies and standards into those SDKs and libraries to make them available for the developers. And in fact, we were working on this when I was there. We were looking at vulnerabilities from the edge of the network, when somebody touched us, all the way through to the database, and trying to remediate all vulnerabilities along the way and put as much of that into code as we could and give it to the developers to make it easier and streamline the review.
But it also helps because security skills in developers are not as prevalent as they should be. And, you know, as Patrick before was talking about, we want to be able to abstract these challenges into code and offer low-code abstractions for stitching things together, doing federations, for connecting to the identity access management systems, for self-provisioning and so on. And therefore embed the knowledge into the code to get everything to market much more quickly and pass those reviews and scan results. Okay. Next slide please.
Now Patrick made a couple of very good points here in the previous talk about the complexity of cloud. And this was something we worried about quite a bit at Citi. And I did publish a talk on this. It was given at HPTs in 2019; we were in the middle of really trying to figure out what to do about security for moving to AWS, GCP and Azure. Particularly, this was right around the time also of the Capital One incident, which was caused by server-side request forgery and overprivileged account access to shared data.
That was something we were seeing in terms of overprivileged accounts in some of our initial cloud development activities. And this is something very difficult to prevent, but at the same time necessary to understand, because the intersection of the resource permissions on the shared services with the access management capabilities and privileges of the accounts and the identities is key to make sure this is locked down; it can happen. We can have a long argument about whether zero trust or least privilege is really possible.
And many of these things have to be handled by guardrails and alerts and monitoring to make sure that you check when somebody changes something. The reason for that is because these policies and these permissions can be changed by APIs in the cloud. There is no operations team. Everything, all of these resources are set up,
provisions are set up, configurations are set up and executed by APIs, meaning the developers can have control over their own permissions.
And this is one reason why we see so many misconfigurations, so many incidents related to misconfigurations, so many overprivileged accounts and so on. So it really is a big challenge. And I think guardrails and constantly locking down and checking who can do what, and there are whole companies, startups that focused on this problem as well. But I think looking beyond what individual cloud providers are doing to look at independent solutions that provide some consistency and abstraction is something certainly I would agree with as part of the solution here.
Okay, next please. And then we're talking about security as code ultimately, and the security as code trend, I think, is very meaningful in this context because it talks about, another word for it is shift left.
It talks about getting security into code as soon as possible in the development process.
For example, if you want to implement your strong authentication policies, for example FIDO-based MFA, in the code, you can use your configuration GUIs in your admin tool to configure and generate those SDKs that developers can include in their code and put into their pipelines, and pass those policy tests that you would put in there to make sure that FIDO MFA was being used.
Other examples here are tools which help you during the development process to automatically detect and fix open source vulnerabilities, such as for example the HV proxy versions prior to 1.18.1 are susceptible to DoS. You don't want to go into production with that, but you have a way in the pipeline to detect and fix before you go to production,
before you go build the application. Similarly for crypto vulnerabilities in code, and this is all critical because you want to be able to configure your CI/CD pipelines correctly to check and make sure all the code is there before you generate your containers, before you deploy to Kubernetes, because containers are immutable and they cannot be patched or changed.
Once it's in production, you have to recreate them if you have a security problem.
And the only way to do that correctly is make sure you have all the right code available and all the right points, all the right checks, all the right scans in your CI/CD pipeline to automatically regenerate a new Docker container and redeploy to fix that problem. Okay, next please.
Okay. So for developer-focused identity access management in particular, we're starting to think about how every service, API, device, every person, everything is code. Everything has an identity: persons have identities, cars, phones, appliances, homes, APIs, everybody's got identities.
This is a critical part of digital business. And the developer now is becoming more prominent in the role of dealing with this than the administrator. Because first of all, it's a lot to administer, very complex, hard to deal with so many things going on. Self-registration really helps. Putting all the code and the capabilities in the hands of developers helps speed time to market, helps create that virtuous cycle of customer feedback associated with identity to help define what the problems are and fix them, and deal with this fact of developers who don't have a specialization in IAM.
So somebody can set the code up and put it through, and people just need to have agile, event-driven platforms
they use to meet all of these challenges across multiple environments, including multiple clouds.
Okay, next slide please. So for this, we have a certain number of developer requirements, especially for the customer identity access management part of the problem, where we often are focused on digital transformation projects that reach out to customers to give them a great customer experience. This requires an identity-centric approach.
We can leverage cloud-based technologies to rapidly deploy critical apps, find a place to download the SDKs and libraries and a place to register your applications for enforcement of the policies in a very handy way that eliminates the need for a lot of the administration and operations overhead that often goes with on-prem activities.
And this allows companies to pivot to new business paradigms quickly as markets change, and to implement new privacy requirements as they come up, and to ensure that there's the right degree of control over those activities is also some of the very important, and to be able to connect different IAM systems and federate them in long-running extended business workflows that are more and more becoming constructed by multiple SaaS provider APIs, all of whom have different IAM systems that need to be stitched together.
The integration of which needs to be defined in a low-code, abstract way, and have the identities of those systems federated in as seamless and abstract a way as possible, and also be flexible for requirements, because not only are we iterating our digital transformation products very quickly, we're also responding to constant business change and constant competition. All of our competitors are doing the same thing with their digitization programs; we have to respond to market changes as well as respond to customers.
Okay, next please. So just to kind of sum up how customer identity access management as code, software security as code, is going to help this: providing the libraries and SDKs for developers to include in application projects as early as possible, implementing those customized policies and processes the company has decided on, the standards they've selected, embedded in those libraries and SDKs. Developers
don't have to worry about that. Reviewers don't have to worry about that. They just have to check the right code, what's included.
These checks can be done in the CI/CD pipeline with auto builds and testing. So it's important to automate this process as well, which helps improve the shift left, ensure security team reviews therefore are checking the box rather than finding issues at the last minute and sending people back to rework their security code, processes and policies, and reduce time to market. The developers don't have to search for the code; it's right there, part of their build time, it's in the IDE, it's all part of their daily job.
It's going to help streamline things and get things to market more quickly and help respond more quickly to market changes and customer experience problems. Okay, next slide please. Okay. We have a maturity model for CIAM.
I, you know, I'm getting short on time here, so I think I'm going to skip through this rather briefly. It's just kind of a model of how the need for customer identity access management capabilities grows with the organization, which can start very simply with a simple need for its customer identities to be provisioned and managed, and with average developer skills. But by the time you get to the large scale of big projects and business flows, you're going to need some specialized skills and some maturity in CIAM.
It's going to have more impact on the code and therefore you need the code approach more, more importantly as things mature and get more complex. Okay, next slide please. All right. Then just the last minute or so on how WSO2 is helping to deliver this kind of a solution and help drive the IAM, CIAM as code movement.
We have a platform called Asgardeo, which provides our identity access management capabilities in the cloud as a software-as-a-service offering, with self-service portal, self-registration, support for a wide variety of SDKs and different kinds of applications, connected to our other software-as-a-service product called Choreo that helps provide integrations across B2B workflows and SaaS providers. So we have a comprehensive solution to define identity, federate identity, integrate across multiple SaaS providers and applications using a high, using also a low-code approach for a high degree of abstraction.
In addition to providing a lot of these, you know, security as code capabilities in the SDKs and libraries, businesses need to include their processes and policies. Then of course, backed by integration with all of the monitoring and alerting services that are needed to make sure everything is going correctly. Okay. I think that's it. Next slide, indeed. Thank you. So thank you very much, everyone, for your time. Thanks for having me virtually and hope to see you in person.
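A worked example of the kind of pipeline policy test the talk describes (FIDO MFA must be in use; a dependency below its fixed version must stop the build), added here and not the speaker's or WSO2's code. The application config, the dependency name "example-proxy" and the version thresholds are constructed placeholders.

```python
import json
import re
import sys

# Constructed sample input: the IAM config a developer commits alongside the app.
# All names and versions are hypothetical ("example-proxy" is a placeholder).
APP_CONFIG = json.loads("""{
  "app": "payments-web",
  "authentication": {"mfa": {"required": true, "methods": ["sms", "fido2"]}},
  "dependencies": {"example-proxy": "1.17.3", "openssl": "3.0.8"}
}""")

# Organisation policy kept next to the code so the pipeline can enforce it
# (hypothetical minimum versions, not real advisories).
POLICY = {
    "required_mfa_method": "fido2",
    "min_versions": {"example-proxy": "1.18.1", "openssl": "3.0.7"},
}


def parse_version(text):
    """Turn '1.18.1' into (1, 18, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def check_mfa(config, policy):
    """Fail unless MFA is mandatory and the required method (FIDO2 here) is enabled."""
    mfa = config.get("authentication", {}).get("mfa", {})
    findings = []
    if not mfa.get("required", False):
        findings.append("mfa: must be required for all users")
    if policy["required_mfa_method"] not in mfa.get("methods", []):
        findings.append(f"mfa: method {policy['required_mfa_method']} must be enabled")
    return findings


def check_versions(config, policy):
    """Fail for any pinned dependency below the policy's minimum fixed version."""
    findings = []
    for name, minimum in policy["min_versions"].items():
        pinned = config.get("dependencies", {}).get(name)
        if pinned is not None and parse_version(pinned) < parse_version(minimum):
            findings.append(f"dependency: {name} {pinned} is below minimum {minimum}")
    return findings


def gate(config, policy):
    """Return all findings; an empty list means the build may proceed."""
    return check_mfa(config, policy) + check_versions(config, policy)


if __name__ == "__main__":
    problems = gate(APP_CONFIG, POLICY)
    for problem in problems:
        print("POLICY FAIL:", problem)
    sys.exit(1 if problems else 0)  # non-zero exit stops the pipeline before the image is built
```

Run as a CI step before the container build: a non-zero exit is what sends the change back to the developer instead of into production.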