And good morning. Good afternoon. Today we're going to have a webinar about the eight critical aspects for a successful consumer identity and access management solution. And I'm joined today by Eric, the director of I cloud services strategy. A little bit about KuppingerCole: we were founded in 2004. We're an independent analyst organization headquartered in Europe and we offer neutral advice, roadmap planning, and thought leadership to all sorts of companies, software vendors, as well as end user organizations across multiple industries.
And we're highly specialized in information security, cybersecurity, all aspects of identity and access management and everything concerning the digital transformation.
We have three major business areas. We do research. We research all those areas around information security and identity management. We're always vendor neutral. We stay current with what's the latest and greatest in industry so that we can offer independent advice.
We also put on events, conferences, and webinars like this one that provide really good networking opportunities and opportunities to meet other experts in the field. And then we also offer advisory services, which are anything from providing technology roadmap support, vendor roadmap support, and helping companies go through RFP events. Our next upcoming conferences are actually around consumer identity. We just kicked off the Consumer Identity World Tour here in Seattle, back in September. And our next stop is in Paris on November 28th and 29th, and then Singapore on December 13th and 14th.
And this is a really good chance to catch up with everything that's going on in the world of consumer identity.
After that we have Digital Finance World in Frankfurt, Germany in February, which is very specifically focused on the financial industry issues such as the revised Payment Services Directive or PSD2. And then our flagship conference is the European Identity and Cloud Conference in Munich in May of next year. So I hope you can join us on some of these future events. Some guidelines for the webinar: everyone's muted. You don't have to mute or unmute yourself. We'll do that.
We are recording the webinar and the recording will be available tomorrow. And then we will save some time at the end for Q and a. You can enter your questions into the question blank in the control panel at any time, and then we'll take them at the end.
So I'll start off with an overview of consumer identity management: what makes it different from traditional IAM? And then look at some of the key features, market trends and business drivers, and then I'll turn it over to Eric.
So I thought a good place to start would be looking at the differences between IAM and CIAM. For traditional identity management, we think of it as generally employee facing, or B2E. And for authentication, we use various methods, everything from Kerberos to smart cards or different kinds of hardware tokens, and identities come laden with all sorts of attributes that are typically used for authorization to different logical resources. The information about identities is usually stored in LDAP, sometimes SQL.
And if we want to do single sign-on outside of a large proprietary web access management system, SAML was generally the preferred protocol for that: Security Assertion Markup Language.
And one of the primary drivers for IAM is access control: governing who can get access to what kinds of resources within the network. On the other hand, for consumer identity and access management, it's more customer facing. So that drives a different set of requirements.
If you look at the types of authentication, it generally starts with username and password, although social logins are becoming much more popular, and that's used in things like Facebook or LinkedIn or Twitter to get access, as are mobile logins. Everyone has a smartphone, it seems, and that's a preferred mechanism for authenticating to sites.
The attributes that are gathered are for know your customer, whether that be for better marketing or, you know, in the banking industry, there are very explicit regulations in most jurisdictions for know your customer.
The data about consumers can be stored in a whole bunch of different places, whether it be LDAP, SQL, or MongoDB, or other kinds of big data applications and databases. The account structures are a little bit different as well. And for federation or single sign-on you typically find OAuth and OpenID Connect for single sign-on. And other than gathering information about consumers, one of the primary drivers on the CIAM side is for privacy, which is kind of different from access control.
Again, sort of looking at it architecturally: with enterprise IAM you've got employees inside your perimeter. Customers are almost always outside, unless they're VPNing in. You're not really as able to capture good information about the customers because traditional IAM systems haven't provided good mechanisms by which to capture it.
So, on the other hand, you've got salespeople who manually enter data into CRM systems about customers, and it's generally less flexible. Authentication policies for internal users are generally much more stringent than external. All this can lead to more inefficient marketing processes because you can't capture as good information about your consumers. Enterprise IAM also is really, really good at scaling up to hundreds of thousands of identities.
On the consumer side, again, very different picture. Rather than having HR create records for employees, you've got the need for self-registration and the social logins, sometimes registering by the social login itself and then using it for authentication later.
And then rather than having all the information collected at once about a user, we call it progressive profiling, where you learn more about the user as you go, and don't overwhelm them with questions at the beginning. It can also gather information about the user activity across a variety of different domains.
Things like purchases, search history, likes, social media likes. And this gives you a more well-rounded view of the customer and the consent for the use of the information. We'll talk about GDPR in a little bit here. So in this way, you know, consumer identity management can work with CRM systems and then lead to better marketing. It's also omnichannel, meaning consumers expect to see the same kinds of features on the website, on the phone, on the set-top box, whatever device they're using to interact with your content.
And in many cases, the consumer IAM systems literally have to scale to billions of users or billions of identities managed.
So look at the key features. Registration: self-service portals are sort of ubiquitous in this area. Everybody offers a self-service portal. More and more social networks are being accepted for both registration and authentication, as is just about any OpenID structure. Many of them also offer bulk provisioning. So if you've got an existing set of customers in your LDAP, you can either use LDAP or in some cases SCIM to do the bulk provisioning.
As we said, username and password is still pretty common as an authentication method. Social logins are definitely increasing in popularity. In some studies I've seen, it could be between 40 and 45% of authentication events are social logins, where it's allowed. We also see an increasing use of mobile apps and biometrics, things like Touch ID that everyone has become familiar with.
It's really ease of use: very easy to use from an interacting-with-the-phone perspective, but then also you don't have to remember username and password for every single site you wanna do business with. On the customer experience side, most of the solutions allow for white labeling.
So you don't really know whose system they're using. You can put your own branding up, and then SSO between whatever web properties you have beneath that is fairly easy to do too. And then consent management.
Many of the CIAM packages do allow for a pretty comprehensive consent management approach so that users can log in and take a look at where their information is going and be able to approve or disapprove that. On the security and privacy angle, many CIAM solutions are using fraud detection. And that includes features like user behavioral profiling: seeing what they've been doing over the past, comparing current activity with past activity.
And then also there are a number of different third party fraud and threat intelligence sources, including things like being able to look for known compromised credentials so that users can't create accounts or get into accounts with known bad credentials.
And this is very important, especially if you're gonna be building a CIAM solution for, let's say, a retail or finance or healthcare application. On the privacy management, like I said, many of the CIAM packages do allow for very fine-grained consent mechanisms.
And in order to comply with GDPR, that also means being able to give provable consent that's clear and unambiguous for each use of the consumer information that they have provided. Plus the CIAM systems have to provide the ability to edit that at any time, export that so that the customer can take it with them if they wish, or even respond to complete delete requests, what they call the right to be forgotten. In security, it's good to look at the administrative security side.
Does it require, or can it be made to require, strong authentication for administrators, strong authentication for consumers where appropriate, and then also does it integrate with other systems that you may have, like SIEM or real-time security intelligence systems? It's very important to be able to get a very complete picture of all the activity on your site, and CIAM can be not only a good source of marketing data, but also a good source of security information.
So about that marketing data identity analytics typically separate this out into a couple of areas here.
So we've got identity analytics, which are more about the monitoring and reporting on logins attempts to create accounts, locations where they are password resets, failed login attempts. Times people try to edit their profile, which this is more operational.
And again, very useful on the security side. Then we also have marketing analytics that marketing organizations like, which could be, you know, different types of data collected on people, the different kinds of canned reports that are provided by the CIAM solution. And those reports might be able to, you know, parse data on the consumers according to all these different features: your age, gender, income, social media activities, if they've consented to that.
And, and many of the solutions do provide these marketing reports built into the solution itself, and then you can customize the reports as needed.
In some cases, you know, a fair number of the CIAM solution providers do not provide a lot of the built-in reports, and rather use like REST APIs or maybe some out-of-the-box custom integration kits to third-party marketing solutions, or in some cases, some of the third-party big data applications as well. So there's two very different approaches here.
And if you're in the market for a CIAM solution, it's good to kinda have an idea upfront which way you want to go with that. If you want your CIAM solution to contain all the marketing functionality that you need, or if you've already got a really good existing infrastructure on the marketing side, it may be more advantageous to you to pick one that provides all these different APIs or custom integration kits for that purpose.
There's also marketing automation: a variety of tools that can take information directly from a CIAM system, either through, again, an integration kit or maybe using some open APIs, and then plug that directly into the marketing automation tools. IoT integration is becoming much more important for consumer identity as well. Everyone's got an increasing number of IoT devices, smart home devices, wearables, all sorts of different things out there. And really the way I think everyone would like to manage those devices is by integrating it with a known consumer identity.
So some of the CIAM solutions do allow for some rudimentary password synchronization between, well, let's say smart home devices and some of your consumer UHD identity accounts. A little bit more sophisticated than that would be the ability to associate devices directly. And that in this case, it might be, you know, going through a registration process and then having, let's say, serial number and description added to your user LDAP or SQL profile in the consumer identity system.
This kind of has limited technical capabilities, but it does provide some basic means for associating device information with particular consumer identity accounts. And then going up the spectrum to more functionality, there's the IETF specification called OAuth 2 device flow. And that can be sort of built into the smart home or wearable technology and allows for a much smoother registration flow and to connect to OpenID Connect types of accounts as well. I think this is an area we'll see the need for additional standardization going forward.
About CIAM in general: it's really the fastest growing market segment within IAM, and we're estimating that it's at least a 20 billion Euro industry over the next few years. And there are specialized vendors that have formed to address the unique needs of the consumer facing market. But then also enterprise vendors are moving in because they see such growth potential.
And, and many of the enterprise vendors have, you know, large infrastructure that can support that. And it's easy to build out new functionality that is useful for consumers based on their existing technology. And then digital transformation really demands consumer identity management. There's really no way to go forward with a big digital transformation initiative without including building out additional functionality for consumer identity.
We also see that in the CIAM market, the different markets that the solution providers are targeting actually tend to drive the features that they offer. And what I mean by this is if you have a solution provider that's going after, let's say, media or retail, they may not need as fancy a high assurance authentication mechanism. So you'll see them tend to build up features that are more oriented toward marketing and, you know, providing the best customer experience.
Whereas there are other vendors that are going after customers in finance or areas where there needs to be higher assurance, authentication, maybe less need for marketing per se, but also a need for risk adaptive authentication or things like that. So in looking at, at the market, you'll see that vendors tend to specialize and develop features that are most appropriate for their, the customer sets that they're, they're going after.
GDPR is a market driver. That's a default of opt in, not opt out. CIAM systems can be good at helping collect the consent,
as mentioned a few minutes ago, then also providing that audit trail. They can also allow companies to provide notifications about changes in the terms of service or privacy policies and obtain re-consent for that when needed. And then they can also help businesses comply with the export and delete the data request. So key takeaway: it really can, CIAM can help your organization become more efficient, both in terms of marketing, it can provide a better customer experience. It can also help collect and manage consent and help with regulatory compliance in domains such as GDPR.
And then in any privacy regulation that you may need to consider, depending on which parts of the world your business or organization's operating in. With that I'd like to turn it over to Eric now.
So at this point, we're gonna talk a little bit about how these critical aspects of a consumer identity system can help build out a successful program in your organization.
We're gonna talk a little bit about how each one of these aspects affects the program, but also show you the way in which IBM has put these aspects to work inside of our cloud identity service offering, which is a cloud-based identity and access management system designed for helping our clients reach both enterprise and consumer identity and access management initiatives. So we're gonna walk through about eight different kind of aspects here, some of which you've already gotten introductions to in John's portion of this presentation. So let's get underway.
We're gonna start with talking about frictionless registration and onboarding. So why is this important? Clearly we've all had the experience of showing up at a consumer facing website and been faced with a registration form.
That's about a mile and a half long, and wants to know everything from our birthplace to our blood type. And often this turns consumers off, right?
If the process of registering overwhelms the consumer and the ROI is just not there for them to continue forward, they're gonna click and search or click their next Google results and go to the next site that has a frictionless registration or onboarding process. So adapting the way that you're bringing your consumer IAM to your customers to allow for frictionless registration, number one, helps with the conversion rates. You're more apt to get people to sign up and test drive your services.
If it's simple for them to do so pretty self-explanatory, which also drives the customer experience and their satisfaction, the ability for the client to get onboard quickly makes them happy.
They can start getting initially right to the goal that they're after either trying out your applications or downloading data that they're looking for on your products, whatever the case may be, but it also can help the fidelity and the accuracy of the, the data that's collected as well too, because customers tend to, when you present them with a very long form of data, you start to get a lot of garbage that's presented in it, just because this is a required field, I'm gonna put something in it, but I'm not gonna spend the time to put something accurate in it.
So presented with fewer forms to, or form attributes to fill out, clients are more apt to start presenting accurate data. From a cloud identity perspective, on the IBM side, we meet this through a number of things. We provide our clients with the ability to do customized self-registration. That includes the ability for them to customize the branding, the content, and also the behavior, and allows them to expose what we call social form fill capabilities.
So if the client does have a social ID and they're willing to let you get delegated authorization rights to it, you've probably all experienced the popup box that says site X would like to and followed by a bunch of entitlements. We have the ability to help our clients pull in that social data to help do form fill or auto population of registration data. And then also through form builders that are intuitive, help our clients create intuitive forms that get right to the heart of what they want from their users as they show up.
So the idea of frictionless registration is quite important.
It's, it's the first experience that your users have when they touch your site. It kinda sets the tone for everything that's gonna follow. The second, which ties into that, is social network account linking. So the idea that if I have a social identity, I've gotten quite used to being able to use it as a bring your own ID,
if you will, to consumer facing services, whether that's signing up for pulling data down from a retailer, maybe seeing some deals or specials, or signing up for a SaaS application, or in some cases, even a first entry into some more higher assurance services that maybe won't let me perform financial transactions per se with it, but do allow me to start gathering initial data.
So the idea of providing a way for your users to link their social accounts at a, at the very least provides a better user experience because, you know, again, they get to get started and use something that's familiar to them, but it also helps you to harvest data and collect stuff in a timely fashion.
So a lot of people tend to think about protocols like OAuth as an SSO protocol, and yes, of course it can function for authentication and does, but it's actually a delegated authorization protocol at its root, which means that when I use a protocol like OAuth or OpenID Connect, I'm actually delegating entitlements to a third party to do things with that account. So in the case of Facebook, as an example, I may be able to log in with it, but I can also delegate entitlements to that third party to do things like see my friends or publish stuff to my wall, or take other actions in that network.
And that could be pretty powerful for your consumer identity program, because there is a lot to be learned, a lot of intelligence to be gained about the people using your services well beyond just allowing them to log in with these social networks. Clearly that takes trust.
And that has to be built up: your brand and the type of image that you're portraying, your privacy policies.
The terms that you're exposing on your site do need to make the customer confident that as they allow you to have that delegated entitlement access to social networks, that you're going to respect their privacy and treat that data with some amount of self-control, right? You're not turning around and selling it to other marketing agencies or so forth. But they could be quite powerful. And that can lead to our third bullet here of being able to take some additional actions beyond just that SSO, like promoting activities.
It's not unusual today for certain sites to be able to do things like, Hey, Joe just did the following. Joe just bought this product. Here's why it's interesting or unique.
Here's, you know, Joe just booked a trip to, to Italy, you know, through XYZ service.
So clearly again, those, those activities are done with the consent of the user, but again, these social networking accounts and the power in which they can bring flexibility to your marketing organization is substantially more than allowing them just to log in.
So from a, a cloud identity service perspective, we out of the box allow our clients to provide users with that linking and unlinking again, beyond just logging in and do that across a number of social networks that we're gonna look at here is multifactor authentication. So we're all probably familiar with multifactor authentication at this point, but you know, more often than not, we're seeing it heavily used in the enterprise for super administrator accounts or privileged users, privileged access management.
We tend to see multifactor authentication being pushed hardest, but it is relevant to the consumer identity space. And it's been most, most predominantly embraced by institutions that have a lot to lose, right?
So financial institutions banking is the most popular, I think right now for most consumers where they're gonna see multifactor authentication, employed.
However, it is becoming much more prevalent in industries that are not historically seen as banking or finance types of institutions, and the prevalence of breaches of data, whether it's something as recent as the Equifax breach or the Yahoo breach that took place, you know, a while back, the amount of personally identifiable data for consumers has been breached a number of times over at this point, and consumers and service providers alike are looking for ways to ensure better security.
So from the user's perspective, that's providing a better sense of confidence in the experience.
They know that if they're going to use your service and add personal data to it, or rely upon it for something that they see as critical to their lifestyle or to the way that they are, are leveraging the service, the ability for them to authenticate with something that's a strong form of authentication provides some of better sense of assurance, but certainly from the service provider's perspective, from your perspective, you're able to lower incident rates of fraud and account hijacking, which can cause frontline, you know, front page news, it's also helping to reduce the costs associated with that.
It's becoming very common now at this point that as breaches occur, as fraud incidents occur, the onus is on the service provider to make it right. And those expenses are only going up.
So from an out of the box perspective with CIS, we are addressing this by providing our clients with multiple forms of multifactor out of the box, the ability to do push notifications to mobile devices, classic time based passwords, and also the very prevalent SMS capabilities that are more ubiquitous with consumers that don't have some type of footprint on a device, various ways to leverage that out of the box with our mobile app that we, we provide for download no client footprint, such as, you know, using something like SMS or APIs and SDKs, where if you're building your own applications and you're looking to bake multifactor into them, that you have a way to tie that back into your consumer identity system, without having to write it from scratch or implement it from scratch.
The fourth area that we're gonna look at is IoT device management and device association. At the very least, whether, you know, some folks recognize it or not, everybody has an IoT device, at a minimum their cell phone, and these devices are used for everything from application access through browsing the mobile web, performing functions like mobile banking, purchasing off of major retailer sites. So from an IoT perspective, the cell phone is the ubiquitous or first IoT device that every consumer is aware of. But clearly some organizations are producing,
as John mentioned, wearables or devices that sit around your home; others, from a retail perspective, things like store beacons. The auto industry has connected vehicles at this point. So nearly every industry in some way, shape or form is forced with addressing how to provide identity management around these IoT devices, and in many cases in a vein of consumer access to them.
So one of the key benefits of addressing this becomes the ability to identify those devices and have them associated and entitled to the users that own them, right?
Devices don't tend in many cases to act on their own behalf, they're acting on the behalf of a user. So the ability to put that device in context to a user is critical from a consumer perspective.
So if I'm wearing a wearable IoT device and it's performing an action, like calling an API or trying to pull profile data down from your services, it should be authenticated and entitled, scoped for instance from an OIDC perspective or OAuth perspective, the same way a user would be if they were sitting down at a web browser, logging in. Those devices should be able to be provisioned and audited transparently. So when they take actions, clearly it's no different than a user taking action.
Again, through a user experience on a mobile device or a laptop or a web browser, those devices need to be tracked and audited the same way that you would expect a human user would be. And last would be those devices from an entitlement perspective, being treated and governed with the same policies that you would expect to be able to apply to users as well. So we talk about things like the ability to revoke, for instance, access of a device. If it's lost, how do we deal with that? The consumer needs a way to be able to decouple or deprovision that device from their identity.
You need a way potentially to govern that device. That could be anything from the entitlements of which it has to access services based upon a subscription plan potentially of data that you're exposing everywhere through maybe geofencing, certain wearable devices or IOT devices that from a licensing point of view should only be able to access data when they're in a particular geography.
So there's all sorts of policies that from an identity and access management perspective can be associated with these devices, coupled with those devices and associated with human users, and then providing auditing wrapped around that. From an IBM cloud identity service perspective, we provide our clients with out-of-the-box abilities to do device management and association. So associating devices with users, be able to associate them through a self-registration process, and also be able to perform that enrollment and management through APIs.
We do allow policies like traditional access controls, whether group based attribute based role based policies to be applied as well as some advanced policies that are risk based, such as networks, time of day access, various different qualifiers that may need to be associated with those devices. And then finally we do tie those devices and their actions into our audit infrastructure.
So they're seamlessly ready to go when you get an audit and you're looking through what's happened in the environment: you're seeing users alongside their devices at the same time. The next area to look at is profile management.
So we talked about the idea that, you know, profiles become a, a critical part of understanding, knowing your, your, your customer, so to speak.
But how do we, how do we best leverage profiles in a consumer kind of facing environment? We're used to, from an enterprise perspective, being able to plug into authoritative sources of record, like a human resources system, and provision that data into an identity and access management environment, and we're ready to go. In a consumer IAM space, that's often not the case.
The idea that the user can participate in the identity life cycle and be a part of their profile management is never more important than in a consumer space where we don't have those authoritative systems of records to reach back into and say, did this particular user change their address or their phone number?
There are no HR system equivalents there, but we do have tools at our disposal. The ability to expose a credible profile management capability here to users allows them to obviously keep their information timely and up to date, makes it accurate, but also allows you to give them consent controls and privacy controls: which data can be shared with third parties, which attributes can't, which attributes they feel should be stored and shouldn't be stored on the system.
So the ability to provide that level of control to your consumers is not only a way to make sure that the data remains accurate and timely, but also builds confidence in your brand and complies with the numerous regulations that are sprouting like weeds at this point around the globe, focused on data privacy. It obviously provides a better user experience. You're reducing help desk calls. This is very much in line with benefits that we see on the enterprise side, and juxtaposed efforts in the marketing side of your house become that much more emboldened.
So the ability to feed richer, better data to upsell campaigns and marketing campaigns, so long again as you're being transparent with the consumers about how that data's gonna be leveraged, can be a boon for the organization. How we implement this through CIS: we provide out-of-the-box applications around self-service that allow you as a client to configure them.
So how does profile management look and feel and brand configurable sections and fields, what attributes need to be made available to the consumers?
What the input types should be, check boxes, radio buttons, text fields, what tool tips you wanna expose and more, but the important part about that is it's just point and click build up. So our clients can very quickly build these capabilities and deploy them without writing a single line of code, but they can also quickly change them as their policies change and they decide, for instance, to relinquish control over collecting a certain attribute due to a change in regulatory policy. So those changes could be made very easily through point and click.
And then also from a privacy and security perspective, we provide a bunch of controls to our clients around which of those attributes become viewable, editable, view-only, shareable with third parties. So you can build your security policies, again, point and click, right into those profiles.
Number six is looking at the bound-to-happen situation where users forget either their username or password, or both. As John mentioned earlier in the discussion here, usernames and passwords, for better or worse, probably worse at this point, but for better or worse, are still ubiquitous in the consumer identity space. Until we're at the point where some forms of strong authentication, multifactor authentication become much more prevalent in the industry, we're still forced to deal with usernames and passwords, and users will inevitably still forget them.
So providing the ability for those users to very quickly and frictionlessly, again, recover forgotten usernames, recover forgotten passwords, obviously reduces your help desk calls. You know, that's the first place they're going if they can't figure out an easy way to self-service reset those credentials. It provides something that's more efficient, obviously from a user experience perspective, but also helps to retain your users.
There's nothing more damaging to a client relationship than making your users suffer through the pain of trying to figure out how to recover credentials. They're already frustrated that they've forgotten them. They're frustrated that they can't get access to the system and the data. You can only compound that situation by making the process of recovering an ID or password more difficult. And then finally it does provide for better account security because there's various ways in which you can deal with a forgotten username and password.
So out of the box, from an IBM perspective, we're looking at this in a number of ways. We provide the traditional knowledge-based authentication or KBA ways to recover IDs and passwords, which again, for better or worse, probably worse, again, at this point, they're still ubiquitous mechanisms in the industry for users that don't have an OTP or multifactor capable device or way to enroll in such a service.
So we do provide KBA-based reset capabilities, but we also provide OTP through, again, push co OTP, SMS types of capabilities, temporary one-time passwords through email, a number of OTP capabilities that provide a stronger, more secure experience for those users if they do forget one of these credentials. Number seven is the ability to deal with flexible account security policies. So there's a lot of security policies that can kind of fall under this. And I'm just gonna try and touch upon a few of them to highlight.
But this gets into areas of sufficient complexity for most organizations that are planning their consumer identity program. Seemingly simple decisions become complex decisions fairly quickly when you start looking at how your consumer identity system plugs into assets that you're looking to protect. So a CIAM system isn't an island.
It's not there just to live on its own, but like most IAM systems, it's a supporting piece of infrastructure that you're deploying in order to expose portals, expose SaaS applications, expose web content, knowledge bases, other self-service portals. It's there to support those business functions, and thinking about the way that logistically it plays with and integrates with those assets is critical to designing your CIAM system.
So consequently flexibility in the way that you can define and design those types of policies is gonna be critical to a rapid, seamless type of integration with those assets. So one of the first to look at there is something as simple as username policies. We saw back in the day that a number of people built consumer IAM systems based upon username policies that were flawed: first name, last name. Well, people get married, people get divorced, names change. There's a lot of reasons why that becomes difficult.
So then we saw people moving to email-based policies where yes, it's a unique identifier. It tends to remain more consistent, but we've all, back in the day, had an AOL account or something that we've since moved away from, you know, back in the day.
So the idea that you have flexible ways to define usernames may seem harmless, but the supporting IAM system needs to have ways to tie unique identifiers underneath the covers that may allow for a surface-level login with something like a name or an email, but actually tying it to unique identifiers behind the scenes to backend systems that don't get disrupted when those policies need to change, or when the users need to actually adjust things like their username. Password policies: very much like in the enterprise, complexity, age, history rules.
In many cases, most consumer-facing organizations have taken a position that they want to reduce the password complexity simply because changing passwords is a burden for consumers and they don't want to institute too many complex rules because, you know, consumers get upset with that. Instituting history rules becomes a burden again, but time and time again, we've been kind of proving the point that through breaches and through various types of vulnerabilities, those organizations that are not instituting these policies become the victims of 'em.
So the idea that you should be looking at instituting these types of policies on the consumer side is very real. And even if it's not your system that's breached, consumers do tend to use the same passwords over and over again at various systems. So the idea that you can force uniqueness, especially if you're providing a higher net worth, if you will, type of transaction behind the scenes.
So I'm not just downloading some product information, I'm providing some type of financial transaction, the net worth of that transaction, if you will, behind the scenes is significantly higher. You wanna be able to ensure that your policies align with the risk of the system. And last, but certainly not least, there is things like your access policies.
So again, consumer systems may or may not have, you know, extenuating circumstances to build complex access control policies, but you still do need to think about what parts of your service or applications or whatever it is that you're exposing, portals, should be entitled to specific types of users, maybe based upon a subscription plan of sorts that they may be signed up to. It could even be down to things like embargoed countries. Here in the US, there are certain countries that we're just not allowed to provide services to due to embargo.
So we have to be able to define policies around certain types of content that prohibit access from users in those defined geographies. From a CIS perspective, how we get to those: we implement out-of-the-box controls for customers to define things like usernames, define conflict logic behind them.
So if we're going to allow users to select their own username, we should be able to deconflict that if the name is already taken, suggest alternatives, the same with password age, complexity, and history. And then last but not least, we institute a number of complex access control capabilities that allow for groups, roles, to attribute-based, as well as things like time of day, network type, authentication levels like multifactor policies and so forth, that could be applied to resources.
So last but not least here, our eighth aspect to consider is multi community.
So in many cases, now we live in a global world. And if we're lucky enough, our services that we're exposing are applicable to more than one geography, more than one country, more than one language-speaking consumer base. So the ability to make sure that your consumer identity system is multi community ready means a couple of things. It means being able to display content in a user's native or home language. It may seem simple, but you know, even an identity system has quite a bit of content. If you think about it, there's login pages, there's error pages.
There are profile management capabilities. As we talked about password reset, self-registration help related content. There's various different places in which your identity system is actually exposing content to your users. And you wanna make sure that it's just natively available in the user's home language.
And that includes everything from, you know, traditional single-byte languages to double-byte character languages as well. You wanna be able to embrace brands.
So it's not uncommon for large multinational organizations to have various brands or even just lines of business or subsidiaries that have unique branding to them. When a client connects to your system, you want to be able to provide them with an experience that meets the brand of which they are a patron.
So even though your organization may have three different types of widget brands, you wanna make sure that the branding that's being exposed in those self-service types of interfaces on your identity system, again, meets the expectation of the client, helps you build your brand image, very important, obviously, to your marketing stakeholders. And then last here is being able to take action that's appropriate for that user community. So you may have different rules per se.
Some countries, based upon privacy regulations, may prohibit you from storing certain types of personally identifiable data in a profile. In other geographies or for different user communities, you may be perfectly fine to store that data. You want to be able to tell the identity system how to treat that business logic based upon the community of user that's logged into the system. So these are just a couple of examples. There are many, many more to consider, but a couple of examples of where multi community controls become very relevant to a consumer identity system.
So a few of the ways that we address this in IBM's cloud identity service: we provide all of the ISO languages out of the box for multi-language support, allowing you to set up all of these user-facing screens in as many languages as make sense, to be able to store default or preferred languages in users' profiles, and also be able to support what we call multi-instance, which allows you to set up N number of versions of these consumer-facing screens or services like a registration or OTP password reset, which you can vary the look, the feel and the behavior of to meet the expectation, again, of that particular community.
So what did we learn here? What did we address? We looked at frictionless registration onboarding; the importance of social account, network account linking, which supports that; multifactor authentication, be able to provide security for both you and the organization, the client and the organization, rather; the importance of IoT, even if it's just down to cell phones, everybody has an IoT concern at this point in 2017; profile management, the ability to help the user help you in the identity life cycle; the ability to address forgotten usernames and passwords; and flexible account security.
And then last, as we just discussed here, multi community readiness. So these are just some of the questions that you could begin to ask inside of your organization to determine whether the approach you're taking is going to be truly ready to meet these challenges, and areas that we would recommend
you start to kind of probe, not just within the realm of IT, but the broader set of stakeholders across your organization, including marketing, including your sales organization that may be, you know, plugging in CRM systems that are feeding your profile management system, or from that branding and control perspective, content and branding with your marketing organization, who becomes your number one stakeholder in that.
So important to kind of gather the mindshare across your organization, again, not just IT as we're used to in the enterprise identity space, but spanning into sales and marketing for consumer identity and access management.
As we've been discussing throughout this portion of the presentation, IBM does provide a cloud-based solution, that's consumer identity ready. And we've been talking about a number of ways that we address these challenges.
So IBM's cloud identity service is a multi-tenant, ready-to-go, if you will, from-the-cloud system that supports B2E, B2B, as well as, obviously, as we've been discussing here, B2C use cases, used by millions and millions of identities that we manage worldwide in about 57 different countries of origin right now. And last but not least, we're gonna give you some links if you wanna be able to go grab some documents that will help you look at which types of IDaaS vendors may be appropriate
if you're looking to go that route, and looking at your TCO, if you're interested in addressing some of the questions that your CFO or finance may be asking you about the cost of building such a program and system and where you could be looking at saving for that. So at this point, John, I will turn it back over to you.
Okay. Thanks, Eric. So let's check our questions here. When is it appropriate to offer a social login for consumer IAM? I'll start, and then Eric, you can jump onto that too.
So I've noticed in talking with customers, it's very, very common for users to wanna use a social login in a variety of different settings, whether it be retail or media or, or things that people probably perceive as needing a little bit lower assurance, or I think people also get concerned about the attributes that can be passed back and forth and maybe not be aware of the granularity of selection that's possible. And by that, I mean, people in the finance industry report that their consumers are less likely to use social logins for finance and in some cases, healthcare applications as well.
What's your experience with that, Eric?
Yeah, very much the same, John.
I mean, we're seeing clients embrace social login really as kind of the tip of the spear, if you will. In many cases, even if you're offering, you know, a critical service that wouldn't really be appropriate to trust the social login, those organizations may still be using it as a tip of the spear, right, as a way to frictionlessly, again, get the user on board, get them engaged with your organization, be able to collect some initial demographics on who's interested in your products, but then as soon as they try to do something, open up an account or perform some type of transaction, there is a concept of step-up registration or progressive registration that can be used to put them through a slightly better proofing or vetting process.
So we're seeing it pretty much exactly how you described it, as being used in lower assurance types of situations, but even in those higher assurance situations being used as kind of a tip-of-the-spear way and then coupled with progressive registration.
Right. Can you talk a little bit about IBM's use of fraud reduction technology for CIAM?
Yeah, absolutely. So fraud reduction is a big part of everybody's concern in a consumer space because, you know, you're opening up these applications to really a lot of unknowns.
Like I said earlier, we're used to, in the traditional sense of identity, having these sources of records. We know our users very well, and it's not to say there's not an insider threat problem as well. There certainly is, but the consumer space is much more rife with challenges there. So IBM has a number of capabilities around user behavior analytics that could be plugged in to look at our audit data underneath the covers of, I was talking about, our cloud identity service. We use IBM's QRadar, which is our SIEM system that also has UBA types of capabilities baked in.
And we also have services like Trusteer that are used for fraud detection, very heavily in the financial services space, that we can couple, again, with even looking at how the device is footprinted, you know, making sure that we can recognize devices that we've seen before, if a user is logging in from different geographies that don't quite make sense based upon past user behavior.
So there's a number of capabilities that we have, you know, throughout our portfolio that could be purchased individually to couple with other identity systems or that are baked into services, like what we have with cloud identity service.
Yeah. I was thinking of the Trusteer connection too. That's a good point. Okay. We're almost near the top of the hour. How about one more question? And that is, when planning a CIAM initiative, what parts of the business should we be involving? Go ahead and take that one, Eric.
Sure. Yeah.
I think kind of similar to some of the discussion we've been having during this presentation, we're used to, I think, thinking about, especially people who have been around identity and access for a long time, we're used to thinking about application owners and corporate IT. We're really in a consumer identity program. The main initiative, if you think about it, is the face of the products or services that are being sold to your consumers. So sales as well as marketing.
And if you have a digital-specific organization that's performing digital transformation, or just responsible for the digital face of the company, these are all stakeholders that need to be first-class citizens, if you will, in any consumer identity program, whether it's as simply involved in branding or content definition, but they tend to know the customers a lot better than the folks in IT do who are designing the actual identity capabilities.
So getting their insight into what data should be collected, how it should be managed, and then certainly last, but not least, is legal, because privacy policies are, as I said earlier, kind of sprouting like weeds at this point, not just the European GDPR, the US has privacy policies, Asia and China, specifically with its cybersecurity law that just recently came out. There's a lot of considerations that have to be taken into account in terms of how to deal with data sovereignty, cross-border transfer of that data.
So you definitely wanna make sure you're involved in compliance and legal in your CIAM initiative as well.
Okay.
Well, great. Thanks to everyone for attending today and thanks to Eric and IBM for their support on the webinar. The webinar will conclude now and the recording should be available tomorrow. So once again, thanks everyone.
Thank you.