Okay, Eve. Thank you.
And Mike, come up. I think we, we do it standing, which is probably the easiest way. Tag team. Welcome everyone. And right now we, we have really the session with the slide deck we started using yesterday. So we are here finally, as you see, it's again, this very long title.
I'm, I'm very convinced that my colleague Yrg, who is in charge of the agenda and, and and organizing the event, has made excessive use of generative AI this year. So just throwing all the buzzwords into not telling the chain AI that it's not good to use three times identity in the title. So I think we need to drain it a bit for, for next year still.
But, but basically what, what we wanna talk about is what I would say at the end of the day, quite a mix of topics around technologies that are, are emerging, that are impacting the way we think about identity and just sharing, sharing some of sorts.
And it'll be probably a very wild mix of Mike and me talking, which is, anyway, this combination a bit challenging because Mike tends to be a bit verbose, cut off bit tends to be verbose, and, and I also tend to talk a lot, so we will make it work.
I, I remember sitting with Mike on a panel at EICA couple of years ago where he then had a microphone, like he, so I cared for her own microphone because he had a microphone, like he has this time in the panel and then he said, oh, sorry, I can't hand over the microphone to the next one because I have a very infectious skin disease on the hand so that he could continue talking.
That's not true, but
It is true.
No, that, that is true under different context. Yes. Okay.
Okay.
Anyway, let's get started. And I think the first light goes to you.
Oh yeah. Okay.
Well let, this is obviously like a buzzword bingo slide. There's a lot of, there's a lot of interest in so many different topics we're going to hear and ex we're here to explore about how all of these things fit together and why, and what you should be worried about and hopefully put this better into focus. So we don't need to go into this too much, but these are the kinds of subjects we'd like to get into today.
Yeah.
And, and, and I think it's, it's probably all of them have been covered or will be covered in some way or another, but, but I think as we also see there, there's a lot around decentralized identity wallets, verifiable credentials, identity verification, which plays into that, but also sort of exists and lives outside of this domain. And when we look at, and I think this is part of the title, I think this is really impacting the way we do identity management.
And so I, I believe that, that we are in, in a situation or at a stage where we, we really should think about how can we make use of that for everything we do in identity. So a lot of the, the, the decentralized identity and you wallet dis discussion is probably more consumer centered or citizen, but it's for every, every use case.
And I think this is very important. And I bring, bring up a slide again, which, which I used yesterday in the, in the opening keynote session. And that was around the need for policies.
And this is a bit where, where these things also tend to come together and where we probably can see best the, the potential we have, we have with what is new around AI and around decentralized identity in our world. And, and I think, so, so one of the, the samples is really around static entitlements and, and take I-G-I-G-A-I-G is rarely a project that runs super, super smooth.
So whom, whom of you has been running an IGA project? Hands up. So whom of you said this was the super smooth project? Okay. One I think, I think I think you, you, you qualified for doing a best practice presentation next year at EIC and telling us how to run an IGA project really smooth.
So for the ones listening virtually, it was quite a number of hands raised for the first question. One hand accidentally raised for the second one. Yes.
So because there are a lot of problems, I believe a lot of these things can be done better when we bring in policy based authorization, when we bring in wallets, when we bring in credentials, have trust information from the individual we can use in policies and consume it. And the same is for, for British access management, where we can build policies much more flexible in access management, in consumer identity management for applications where we can get rid of the silos I've been talking about yesterday, AI anyway is coming in.
So, so AI is is something where, where we will need a a lot of things and, and I believe if you want to really do, do all this stuff around ai, well, so again, I quickly touched yesterday think about this, this bot that is acting on behalf of ours, that that bot will need information from us, which probably best come from our wallet as verifiable credentials together with policies that explain to the bot how the bot should behave, which that ends up in a semi autonomous thing.
So we have this idea of saying we have really a world where we have individuals with wallets and, and probably wallet is the wrong term because wallet is a wallet is small, and what we have here will be things that are much bigger than a wallet is. So, because there will be so many more things in that thing than you could fit into a wallet, but we will have these verifiable credentials, we will have context which we use to make decisions. Finally.
So this is, this is basically my, my my starting point and, and I think this entire thinking around policies, around signals is something you should spend a lot of time on because I think our strong belief, hopefully it's not only mine but yours as well. Our strong belief is that this, this world where, where we bring together this idea of I have a lot of verifiable information about myself with context and this being really signals we can consume in many use cases, apply policies to it will allow us to make much better decisions, much better actions, very dynamic.
And this is really where, where I believe the things are, so to speak, joining forces in that sense. And this is a bit a starting point and I, I think one of the examples, and maybe you might start talking a bit, so I think our animation has a bit, a slight flaw. It's my fault I believe because I added some, some I consider later on a missed to Adam to the animation. But anyway, I-T-D-R-A sea of yours. I think it's a wonderful example for that.
You wanna
Continue?
No, it's, I just, yeah, I want, okay. Yeah, yeah. So one thing that we've noticed about this combination of ITDR and decentralized identity is that that verifiable credentials and other sorts of portions of that really do feed into helping stop some threats that are coming through the identity threat detection response area, right? So I think that one of the things that enterprises are, are interested in is understanding one of the, one of the big motivators to get decentralized into the enterprise is this idea that it might makes the identity much more difficult to, you know, hack, right?
And, and it's the authoritative sources are, are distributed through government and other types of entities, the verifiers. So I don't know, is there more you wanted to say on that Martin?
Yeah, so, so, so basically I think the point basically is we have credentials and, and this is something which, which helps us to understand, okay, what is, so it's some facts about Martin and, and we have context. So Martin is coming in, we have signals from IT security.
So we, this helps us to sort of have more, more, more signals, more information to use to make good decisions. And I, I think this is, at the end of the day, this is I think a very central aspect that we, we need to, to, to understand.
So, so when we think about a wallet and a wallet is not something attached where we have 10 or 15 or 20 verifiable credentials in the wallet will be something where we probably have thousands or tens of thousands, maybe at some point verifiable credentials and there's a lot of information about everything.
Maybe it's split across multiple wallets, but we will have a lot of information we can use. And basically the point is if we want to, to detect identity threats, we can go beyond sort of user behavior analytics.
But by the way, I, I I think it's quite smart, ITDR is, is a much smarter term than user behavior analytics. Because when you say user behavior, then the associations, okay, we are observing the user, what will our workouts council say, et cetera, et cetera. If you say ITDR, it is, oh, they're fighting threats. This is something very positive in some sense there's a big overlap between the two things, but the one term resonates much better with, with the world and the other.
So what we are basically saying is we will be able to do, be, make better decisions also in, in, in the, in detecting challenges by having better data and we having this sort of very viable and in that sense, and also rather trust versus source of information adds to what we can do nowadays.
That's right, yeah.
The, the you, there's a greater number of sources you can add to your signals as you think about reducing threats to the identity. So with a distributed system, you, you get data from its source, these signals are allow you to make much, much better policies and, and take action on those. Yeah.
And so, so we put together, I think we have only two slides left. We've put put together some, some two more slides and the one is four thesis on the impact of AI and decentralized identity.
So I, I've shifted to the, the abbreviation DCI for decentralized identity because I've been using DID last year and some people said DID is used for the standard, you must not use it. So I decided then, okay, let's take another abbreviation anyway, I think, and, and Mike, you always trump in whenever ever you want, the first thesis is that if we have more signals, we can make better decisions. And this is not, not super tricky, super simple, but which is thesis number three then.
But at the end of the day, the point is if we have a lot of, a lot of data around something, if we have a lot of relatively weak signals even for inequality, but all are hinting in the same direction, then it's very likely that this is positive or negative.
If we have a lot of signals in one direction, but a few outliers, it also is a very clear indicator. So basically more signals help us and it's easier to deal with a lot of signals that are even sometimes not of the very best quality than to try to have the one perfect signal. I think it's a, it's a bit like multifactor authentication.
If you have more factors at the end, it's better than trying to have the one perfect factor. And as I've said, we, we will that way also together with context, et cetera, we'll get more signals to consume. And we have with ai, which is especially good when you have a lot of la large number, large amount of data, large volumes of data, we have the ability to, to use that. So these technologies together help us doing, doing things better. Clearly we need to be a bit smart in, in, in using it the right way.
I also believe that we will see other things than the typical three lack approach in decentralized identity, which is issuer holder verifier. We will have approaches where we have probably multiple holders contributing at the same point to the same decision. So could also say it's a multi wallet approach and we will have, you may, may say this is also four leg approach, for instance also organization wallet and individual wallet.
And we will have two legged approaches where, for instance, and, and for certain types of verification like liveness, the, the credentials issued in real time as part of the decision. So this model will become more rival. That will will be things that change. These are some of the changes diseases we have. And as it is in thesis, you always can argue wrong or right. So just some ideas to, to give you some food for certain. I said I hand over to the, the final slide for Mike, the slide I didn't understand. So I'm very curious about, this is good.
I give you the clicker because you have did the animation. Thank you.
Okay, so I just wanted to walk through briefly why enterprises are interested in decentralized identity. And this is a brief history lesson, but we'll get to the point briefly.
Normally, as you know with when enterprises start out with directory services, they basically own the identity. And so if you, like, you all got identities from us, you know, they were wearing badges and things like that. So that was, that was great. Until then the partners came into play. Okay?
And they, they started a situation where, okay, let's, we have our our people, let's give them access to, you know, we gotta hurry through this. So the you, so that cost a lot of money and so we invented, you know, federation, right?
So that, that was a fun moment in time and then that was really costing a lot of money. So then we ended up going into a decentralized approach, right?
And so the, that there's this idea of shift left, which is sort of making things simpler is the idea that you're supposed to over time move the cost to where the center of of that is. And so decentralized identity actually makes a lot of sense for enterprises because it gives them the opportunity not to be authoritative for every possible data combination that they need for identities.
Now there are, I think some cases, some things that the industry has yet to figure out about this type of scheme. And I've mentioned a few of them here that there is wallet explosion and bloat. That's something that Martin was getting at. There is inconsistent verifier operations. That is the verifiers up here in orange. You know that, that there will be thousands of those and, and they all do things slightly differently. We need some interop interop tests. Integration with each tech with existing technologies is also very important.
Enterprises tend to own things for a very long time, like with mainframes and other things, right? So how do you do that? So policy and trust incongruence signals could be noisy. So even though we can get more signals, there'll be noisy ones and then it's possible that decentralized identity may not really become as ubiquitous as we'd like it to be in order to adopt it fully in the enterprise.
So, okay, great.
Okay.
So, so, so, so may maybe, maybe one, one last sentence before you left then. I think we have very little time left. I think in this context it'll be a very important also to, to work hard on the topic of level of assurance or assurance provided with the VCs. I don't think that we need something which says this is that trust level. I think what we need to have with a verified and information about where does this come from and can we trust it so that we can make our informed decisions.
I think this is much easier than saying this, is that that trust level, if you just know sort of the origin, like, like with a, with a, with a painting, an old painting, we have the, the, all the, the history, the origin of that, that would be extremely helpful. It looks like they are the first questions.
Eve, back to you.
Well help me thank these two gentlemen for these comments.
I, I turn around and I see a very, very, very full room. There's been a number of questions and I think we have time for maybe one or two of them. One simple question, what is ITDR?
Yeah, well I mentioned identity, threat detection and response earlier, but if you really wanna know about that, I have a presentation in, in 10 minutes on that topic. So yeah,
And somebody asked for a, an example of what kind of signal we might be talking about coming from the credentials, what
Comes to mind?
Yeah, mostly with signals. We're talking about things that could basically show you that there's a threat in under underway, right?
So you, you, in this case we're talking about that. So the idea is, is that you have question.
There's a, so yeah, these are signals that you use in your security operations center to try to understand if you are being attacked, that sort of thing, right?
Yeah.
So, so I, I think what, when I think about signals we can, we can use, so we have a lot of information about Martin. We probably will, will have much more detail about Martin, what Martin does, what Martin should do and, and all a lot of this can go. So a lot of, some of this will be really the behavior history. We can even think about some of the typical behavior part, which of verifiable credential in the future when we think big. And so we can, we can put a lot of things into that and I think this is the, the charming thing.
All right. Fantastic. Thank you again Martin and Mike.
Okay, thank you. We'll go on to the next session.
