Yep, move up. So thank you very much for being here. Obviously you're interested in identity management, and I've got 16 and a half minutes to tell you about that and how to do that.
So, a little bit about me. I've been in the identity management business 20, 25 years. We started identity management back in 97 with a company called Netegrity. I was the chief site architect for SiteMinder. We built SiteMinder, ran it for a number of years, then we built another product, IdentityMinder, got acquired by CA. And now with Broadcom, we're continuing the journey. Before I get into the details, you'll have questions, you know, what does Broadcom do in this area? We are moving forward. We are building identity fabric. We have done that already.
We have many customers who are in the process, either in the production with identity fabric or, you know, modernizing the infrastructure. So what's going on?
The world has changed every 15 years. Identity management is undergoing transformation.
It has to, because the world, the, the connectivity of how assets are being accessed is changing. It's a hybrid world now, right?
Anyone, workforce, consumers, partners, machines, cars, whatever, right? Access some kind of asset somewhere, and it needs to have personalization, it needs to have authentication. It needs to have authorization. So we're solving the same problems again. But now we're having to solve this in a much more hybrid, much more contextual world. And that creates a challenge for identity management, because now the business of identity, the business of that security decision making that has to take place, has to take into consideration all this additional context. And this creates a hardship.
It actually creates a hardship for making that connection secure between people, between machines and resources and applications that they want to access.
They want to access them securely. We want to enable them with great experience, you know, easy to use. We all know how difficult sometimes it can be to even log on to certain sites. So the business of connecting, right, has to be secure, and it has to enable those identities, right? To access any application. And that's what identity fabric, the new identity fabric I'm gonna talk about, is actually supposed to be doing now.
Basically solving the whole problem, but in a new way. And I'll tell you why. It has to be a new way.
So when you take a step back and really think about what is it that the identity management does, you know, at a very simple view of it is we manage access. That's a data plane. We manage identities. And the experience that those identities have with the applications, we call it control plane. So the control plane is who can access what and why. And the data plane is, can they access it, right? So to do that, you have to have certain capabilities.
You need your authorization, your authentication, you need your self-service, right? To support that, you need your session infrastructure. You have to have your intelligence analytics. You have to understand the risk. So the challenge is the, with traditional identity management that we, you know, know, and love, is that it's too siloed. And you've heard this before, right? Pretty much everyone at this conference has talked about silos.
What does it mean?
That means that the various tools that you use to manage various aspects of identity infrastructure, identity management comes with its own authoritative source for whatever it is that it's doing. Maybe identities, maybe policies, maybe risk, you know, maybe groups, maybe relationships, whatever, whatever, whatever it may be. But it comes with its own silos. The problem now in this interconnected hybrid, highly contextual world is that you can't really integrate them anymore, right? Because there isn't a view of who you are across all those siloed stacks.
Who you are, what you can do, what are your entitlements, what is your risk, where is your session? So it's just not possible to do that. Technically speaking, you have to rewrite identity management, right? In order to achieve the right sort of the right end state that you're seeking with, you know, the proper user experience and proper security, you can evolve it.
You don't necessarily have to rip and replace, but you can evolve there by extending what you have. And then modernizing sort of step by step by step.
And that's essentially the business of what the identity fabric has to do. On top of that, the new identity fabric, because it is so woven into sort of your infrastructure now, you have to, you have to make sure that it scales. How does it scale, right? You may have certain workforce, 10,000 people, 20,000 people, you may have consumers. If you're a bank, you may have millions of identities. If you're a very big bank, you may have a hundred million identities. If you're a telco, you know, or a public utility you may have, or government, you may have a lot of, a lot of identities.
You have to make sure that it scales really well. And, and then you have to answer question, how is it scaling?
How, what's the reliability? And this is where you tend to, you tend to look at sort of these new cloud native principles, right? Where the architecture itself of how the technology is built gives you that scalability, reliability, resiliency out of the box.
Very, very important to understand who's gonna operate it, how it's gonna scale, how it's gonna evolve, how, what the resiliency of this technology is, because it will fundamentally, it underpins everything you do business wise.
So just a couple of, couple of points. If you look at sort of the, the requirements and, and how does it align to identity fabric principles. I'm not gonna go through every one of these, but you sort of look for business drivers. What are you looking for on the left? Are you looking for zero trust? You may be a regulated business.
You're looking for, like what kind of, you know, options should I have in order to prove zero trust? Trust but verify. Zero trust is very nebulous. What is it actually? It's very, for me, it's very simple. How much risk are we willing to take? Should I take a lot of risks? Should I take very little risk? And how do I measure that? And so the more you can measure how much risk you're taking, the more aligned you are with the point of what zero trust is supposed to be.
Omnichannel, right?
We want to create, you know, user experiences, very smooth user experiences, authentication of the business of who you are, right? Is not only on the web, it's on my, it's on my mobile, it's on my iWatch, it's on, it's in my car, it's in my Alexa appliance.
It's, it's everything now. And so we have to make sure that services such as authentication, even authorization, can be now become omnichannel, right? They need to function the same way across different channels. You have to, you have to see the same risk, right? Across different channels. You have to see the same session and validate the same session across different channels. So if you look at your, sort of the business drivers, right?
You, you, you look for the what is it that you need to achieve and then what are the identity fabric principles, right? That you need to have at your disposal in your technology stack with which you will satisfy those objectives.
I wanna talk a little bit about the reference architecture. If you guys, anybody wants sort of a deeper discussion into any of these pillars. Obviously we have a booth, we, you know, we can, we can chat. But fundamentally comes down to capability. Very durable, very scalable identity capability. And that's why we called it fabric, right?
It's a fabric, it's a strength, it's a wire, it's a dial tone. I like, I like saying it's dial tone.
What is, where is my authentication dial tone and how open is it? How extensible is it? How scalable is it, right? And I want all of my business units, I want all of my stakeholders to use my authentication dial tone.
I wanted, I wanted to integrate with my risk management dial tone. I want my session infrastructure integrated with my risk management dial tone. I want my identity plane, I want my governance plane to integrate with the risk management dial tone.
Why? Because it's still you. There's only one of you. And how much risk is being taken across various channels needs to take into consideration a single authoritative source.
So the, having that common data model, and I would say, I don't think anyone has mentioned this in the conference yet. I know that last year at Gartner, they talked about that a little bit. But I wanna mention that it's so important for the identity fabric to have a unified data model. Very important. One view of the identity, one view of the profile, one view of risk, one view of session, right? That's what makes it, that's what makes it compelling. That's what makes it secure, that's what makes it usable.
And that's actually what makes the fabric be fabric as opposed to just a set of technical tools.
The very first question is authentication. It's always the AAA, it'll never go away. Authentication, authorization, administration, once we solve our journey, access journey, we have to start with authentication, multifactor, no factor, passwordless, whatever, whatever it is, right? And then make sure that it works, it scales and it can be woven into your applications, right? Standards have become key.
You know, whether it's OpenID or of SAML, doesn't really matter, whatever it is, it could be pure API calls, you know, from Android SDKs, makes no difference, right? You should have that in your, in your position to be able to basically open the authentication business and have your stakeholders come to you with whatever their use cases may be once you solve the authentication, multifactor security, whatever, right? The very next question is gonna be how do we create a useful and brilliant user experience, right?
I can't log in for whatever it may be.
My, I don't have a signal, I can't use the mobile today. You know, a lot of people are running into this issue. They create all this infrastructure for, for mobility, but then there's no signal.
What do, what do I do? How do you deal with that?
So, self-service, administrative experience, you know, creating, you know, dealing with account lockout issues, you know, making us be successful in connecting to our applications because we don't, frankly, we as consumers don't care about identity management. We want it to be out of the way. I don't even know what it is. I just want access to my apps. So making that authentication, making that access flow be highly usable is part of your access requirement. And that's where some of the identity capabilities, identity services, identity fabric comes into the picture that way.
You need those capabilities to help us as people and sometimes as machines connect to our applications. Once you solve that, right? The next sort of principle that the identity fabric enables you to address is the, the business of the business of access, which is authorization. Authorization is never about, you know, how granular does it have to be or how coarse grain. There's a lot of this, we've been in this conversation forever. It's about how much do I need to let you through the next door? Whatever that door needs to be.
And sometimes we think of identity management as providing coarse grain authorization. So you can get through the front door or through maybe some other door. But when we leave the business of fine grain to the application, you know, application developers are best positioned to deal with fine grain authorization within their, within their application or a set of applications.
So the authorization is about leveraging the knowledge of who we are and leveraging the context of the app or the infrastructure, right?
To, to decide what are the rules, manage those rules. And sometimes look at, look at the intelligence that we've gained, right, over the, you know, various time periods of those systems, resources being accessed to decide, you know, whether the authorization should be successful.
So, for example, looking at our risk, looking at whether or not we are peers with a group that has access. So even though I may not have access, there's a reasonable chance, very reasonable chance that I should be given access because I'm a peer of a group that has access, right? And that's one way you can think about solving those. A lot of the scenarios where it's very, very difficult to understand exactly who should have access to what, because frankly, that's a, that's not a, that's a, I would say that's not a scalable problem.
There's just too many, too many relationships.
So you can take a, you can take a risk for a resource that is less risky. You can actually grant access if you have confidence that somebody should have that access. So we call it JIT, just in time, just in time access provisioning. And you can actually make a record in the system about that. So on so forth. And then of course, application integration, you know, access to identity repositories, whatever they may be. Managing sessions, managing risk, and making sure that those authoritative sources, right, give you a single view, right?
And single authoritative source is what makes the fabric be fabric. Very, very important to understand that. Because if you don't think, if you don't think that way, if you don't think of the unified data model or as, as unified, it can be, you are not going to get the value of identity fabric.
How we doing on time? Four minutes. Four minutes.
So I, I purposely left a couple of slides in the deck to give you guys a chance to sort of look at some of what I think are the top five capabilities that you should have in order to take advantage in order to design with the fabric, right? You can look, you can look at the slides later on. How do we work with identity providers? Very important because our identities are no longer in one place, right? I come to work as, as, as an identity that somebody knows about me and I wanna bring that identity into this organization.
You don't want my identity sometimes because you don't wanna manage my credentials. Why would you wanna manage my creds if I already have them? And you trust them, right? So being able to bring, being able to federate my identity and it's not just pure SAML ID Federation, that's a little different.
That's Enterprise Federation. But bringing my identity, you know, jitting my identity, giving me access on, on the basis of who you trust and how much you trust is an important aspect of just working with identity providers.
That's a key, key capability that enables you to design really good identity infrastructure, dealing with session management. Extremely important, you know, for security, right? Just because I've logged onto your site doesn't mean that I'm not at risk when accessing your provider. You may be creating some experiences. You may be, for example, leveraging Salesforce communities to gimme some, you know, marketing space. How do you ensure that my session right is validated whenever I access Salesforce community that you've built, right?
So you, you need to ensure your fabric has to make sure that session continuity at the right level of risk right, is taking, is taken care of. So, so please take a look at the, what I call top five, right?
Very, very important. I also, last slide talks about some of the presentations that you can, that you can, that you can take a look closer look at. I think with that we have maybe time for one or two questions.
Sure. Does anybody have any questions online? Feel free to submit 'em in the app. Anybody in the room with a question?
Could you explore more this unified data model in the identity fabrics? What do you mean exactly? I mean the consolidation of identities or the
Unified Sure.
The, the, the unified data model simply means that there is a, that you try to obtain a single authoritative source that's used by different identity management services. One profile, not three profiles, but one profile. So how do you make that profile? What do you keep it right? That has to be performant.
Two, one source, one view of risk. You can extend the risk with your own solution perhaps, right?
You can, you can leverage what you've got. But we want to make sure that session management, authorization management, authentication management, identity management, identity, life cycle, governance, they all see what is your risk, right? For example, over what we think of you. So that's what I mean is being able to point that is my, that is my authoritative source for risk management. This is my authoritative source for session infrastructure. This is my authoritative source for identity profile.
Cuz once you take, once you take the position that those, that those items are services, those items are independent sort of capabilities, that's how you get, that's how you create this, you know, harmonization. Do you,
I'm
Assuming the privileged, privileged identities or OT identities, which in fact point to the same person, but
They can't, they can be integrated that way.
It's, it is possible. It, it takes more sort of knowledge and experience. It is possible. What is really hard to do is keep information synchronized. There's only two ways, right? Either I come to the data or the data comes to me, right? As an application. So the question is how in sync, right? Are those are those systems and very hard to keep systems in sync.
Okay.
Perfect. Thank you very much volume for sharing the identity fabric and your reference architecture.