All the IAMs - Modern Convergence of Digital Identity for Different Populations

Oh, thank you. Such a pleasure to be back in 3D with you all and seeing so many old friends and meeting new friends. So can you see what I see? There's a famous cartoon where the cartoonist, as her own character said, clean all the things in her house. And so I want to invite all of us to think about unifying all the iams. So my hypothesis is no identity is an island. Different populations, and I mean wildly different ones actually either have to interact with each other or they tend to emulate the behaviors of the other.

And as we may know, security of one kind can affect the risk of another kind. So therefore, I believe you need a unified IM approach that understands the entire identity universe. So first I wanna take a look at different identity populations and see how different they are. So we're told customer Im and workforce I am are different.

Well, I agree they're pretty different, they're different things. When you're talking consumer facing identity, you're usually talking serious numbers. So I wanted to give you some examples. One bank that we support has 50 million customers in 40 different countries. So you have to think about scale even with the number of countries that they're operating in. There's a health organization that uses Four Rock to support 12 billion transactions a year and 800,000 logins a day.

So more examples of scale, but scale is also the ability to grow your population of identities when it's about customers, when it's about consumers rapidly. And so you know, that's something that you wanna do on the customer side and that's not a goal in and of itself. On the workforce side, I don't think. So one of the digital banks that we serve in its very first year of existence went from zero to 160,000 customers. So that ability to grow rapidly is really important. So when it comes to workforces, you're really looking for different kinds of efficiencies, aren't you?

You're looking to streamline, you're looking to perhaps unify silos of information. One of the manufacturers that we support has 124,000 employees. Still big numbers on a workforce side with production facilities in 26 different countries. So these are reasons why these two populations are different. So well you might say, okay, what about humans versus non-human entities?

Well, that difference is even more stark. Yes, endorsed, I agree. They're really quite different in their nature. Humans are unpredictable and you have to work hard to empathize with them so that you can figure out the kind of experience that actually works for them. That's actually true for any kind of population when it comes to things such as services, apps, sensors, devices.

Well, you kind of don't have to care about that stuff very much. That's not really a factor for human security. We strive for a famous triad of confidentiality, integrity, and availability. Now for some kinds of things, particularly critical infrastructure, think about like energy systems, but really a lot of different internet of things things, availability has to take precedence and that can affect your access strategy. Sometimes you have to learn how to fail open, which fuels very uncomfortable for cybersecurity people.

So, okay, those are some different things, but I wanna give you four reasons why we should think about a unified approach to identity and access management. First of all, well, employees or people too. More and more workers are starting to be a lot more like consumers. So my first example here is about how the customer experience is invading the employee space. Oftentimes we are called upon to allow people to choose their own devices. A lot of times people are called upon to operate out of public or personally own spaces. And that has impacts on how business does business.

So yeah, and, and because of this, one of the things that you need to do is prepare for experiences that actually work for them. And one of the things that our customers do is actually use our tree trees capability for journey orchestration to do a b testing for employee populations. This is done quite often and it's very important. So second example of, well, I, we're all employees and we're all people too. I believe workers are invading the actual consumer space. So sometimes B2B relationships are really kind of B to lowercase B if you will.

So sometimes the many partners of any one enterprise are, well, they're smaller, they rely more on a lot of off the shelf SaaS technology. And that impacts how we even think of and how we do access control. So bring your own social identity is used, I'm gonna say far more often than we care to admit in the enterprise because you might be running off of Google workspace and leveraging Gmail as the access control measure of last resort. That happens quite often. So these are some ways in which we need to think about unifying to do a better job.

Second reason, well, if business populations are kind of smaller than consumer populations, are they really different? Should we, can't we just treat them separately?

Well, it turns out there's a number of kinds of scale that look like consumer size scale, even in the enterprise context. So first example I have for you is what we like to refer to as identity relationship management. So if you think about the real life relationships in say a household, a homeowner's association, a church, a school, these real life relationships can be translated into digital form and used to drive access rules that are meaningful and efficient and do the right thing.

And it turns out that enterprises can use that same kind of relationship based access control and in many more efficient ways achieve better results. And those numbers, even in an enterprise when you talk relationships, they can start to really expand. So you may have the same kinds of numbers that you might have for consumer populations. By the way, relationship based access control can be used to do what I think of as calming the inflammation of the role explosion problem. These things are ways to improve upon workforce. I am with consumer lessons.

The second example I wanna give you is what partner ecosystems look like today. So any one enterprise might be large, might be lumbering, it might have partners not just in the hundreds, but frequently in the thousands. And I've heard one case of millions. So at some point, managing identity and access correctly for this entire ecosystem, it kind of feels a little bit like consumer onboarding as soon as you're talking millions. So there's some lessons to be learned there as well. Third reason why I think unifying is valuable, the threats are coming from outside the, the house.

Jean Paul said Hell is other people. Well that's certainly true in the case of breach risk. So workforce end users, whether it's employees or contractors or partners, they're critical links in every organization. And any one compromised account can enable attackers to move laterally and access partner data and even customer data. So I wanted to give an example from four direct publishes an identity breach report. And last year's breach report showed that this is just us only, there was a 297% increase in breaches from supply chain and third party attacks.

So it was 500 breaches versus 126 the prior year. And you know, I'm awaiting eagerly this year's numbers and I'm pretty sure it's not going in the good direction. And so we well know that identity fraud has consequences that range far and wide from the original attack and fraud and account takeover are not exclusively consumer problems, they are worker problems as well. And so this number comes from the anti phishing working group. So that's just one quarter from last year experiencing 1.2 billion phishing attacks. So that's my third reason.

My fourth reason is that well all of these entities, human and non-human don't live in different universes. Although I don't think that this universe exists yet, but I'd like it to.

I mean, you're having drinks while you're driving, that would be a nice thing to be legal. So in our industry we do talk about SIAM versus workforce.

I am, I don't know that we've settled on a name for like the things maybe identity of things. I don't think it's I, I am or t I am. So this scenario painted here, automobility connected car autonomous vehicles, it's especially apt to illustrate the importance of these, of these four themes for for unifying. And so I kind of wanna stick with it for a second if you'll allow me. So if you think about all the entities and their relationships in this kind of an ecosystem, you have an identity for the connected vehicle itself.

You have the technical microcosm within a vehicle, which is, you know, bristling with sensors. There can be thousands of piece parts in there. You have the people in the ecosystem, which can range from, you know, a car owner can be other drivers in a family. You've got people at the manufacturer, you've got people at a dealer, you've got people who are mechanics. Each one of these needs different access, different extents, different kinds of access to a vehicle and to all the data, the huge amounts of data in this ecosystem at different times. And that really requires a lot of coordination.

And of course there's smart infrastructure, the smart roads, the smart parking garages, the smart cities that are growing up all around us and oh by the way, other cars and other little ecosystems that they all have to interact with. So in order to battle all these risks, you need to protect all the identities. And so here I show kind of like a continuum of the different loci of both business interests and attack surfaces. So you've got, you know, development of devices, you've got connections to a network which sometimes flicker in and out.

You've got development of applications, APIs calls to other third party APIs and you've got what, what is sometimes called user management. And I really, I'm putting pejorative scare quotes around user management. And this is where a lot of the risks arise is this kind of one by one view of identity. So I'm gonna continue with this example for a little bit longer. By the way, this applies really to not just to every universe that has things in it with identities, it also applies to banking, it applies to retail e-commerce, it applies to healthcare organizations.

All of these sorts of examples can benefit from this unified view. So rather than physically walking into a dealership and finding a car you like and taking it home, this is turning digital. The digital sales cycle is everywhere now. And even such a complex thing as a vehicle, which means you've got a customer in control, they have a lot of control over configuring just exactly what they want.

You've got the notion of a theoretical car that then becomes a car, eventually a real car, and you've got somebody who wants to be able to permission others in their orbit to get some of that limited access that they deserve to control. So just a couple of weeks ago at, at the RSA conference in San Francisco, my colleague Tim Vog and I actually brought a little connected car with us and we did a demonstration of the these two use cases of the digital sales journey and then permissioning somebody in the family to get access. I I was the unlucky person who got access but not with full horsepower.

So these things are now software defined features. So basically features of a car that are essentially API endpoints that need to be protected. It's a rolling API, can be controlled preferentially in the way that we know these things need to be controlled in the fully digital world. So I wanna talk for a second about, I'm gonna call it the identity free version of such ecosystems, which is what a lot of businesses live with today.

Again, this applies to any sector. This user management model is, is all around us. And when every service and every application, first party, third party deals with users in its own fashion, what happens is you start to get gaps and you start to get risks. And so what happens is you can often get very poor authentication assurance and you get just complete misses in the user experience. So true story, I love my car dearly, it's connected. Of course 97% of the cars being sold today are, I might have a digital key that's assigned to me.

I might have an app on my phone that is associated with me and I'm sitting in the driver's seat versus my husband who is taller. And 10% of the time the car is not able to identify which one of us is sitting there, which of course has consequences for seat position and steering wheel and a whole bunch of things that at the end of the day end up as a physical safety question among other sort of permissions and preferences things. So another true story I was driving to, I was actually driving from Dallas to Nashville if you wanna know.

And it took 10 hours and near the start of the trip, okay, in fairness, I was the passenger. I was char starting to to do this little thing.

The, the trial subscription to the navigation service had expired and we thought, well it'd be really good idea also a safety feature to go subscribe. Like shut up and take my money. Well it took us three tries of logging into different systems and failing and calling customer service and that worked, but it took 24 hours for the data to be turned on. So security can be impacted, user experience can be impacted, bottom line and digital transformation can really be impacted when you don't have all these systems able to use a single source.

What could it look like with full identity and relationships baked in kind of the inside out view versus this bolt-on view where you've got each system determining for its own self, what data it needs and what data it's willing to give. So when you can solve challenges and challenges in this inside out way, you can build the security posture over time. Gradually as each new identity becomes known to the system, you can have a digital identity for the hypothetical car that somebody wants to order.

And then when they order it, you can track its manufacturer through supply chain telemetry and you can even, and this is something we demonstrated, you can even update the owner as to the status through a digital key that resides in the wallet on their phone and get really high assurance out of that. So I hope that this goes a little way to proving to you that unified identity can provide really powerful, flexible, and scalable solutions and to satisfy all these requirements, I kind of don't need to tell this audience what the piece parts are.

Storage, setup of identities and synchronization with all the non identity sources of data in the world. Runtime checks of identity and access and some way of communicating reliably with the outside world, all the other technology stacks. Now obviously in the case of iot it's quite valuable to have that gateway component, but it's useful really in all cases. So this is something that is four Dr. Bread and butter enterprise grade born to be. So some examples of how it makes a difference in this one car case that I'm focusing on here.

If you're not just relying on device pairing between the car and the key that somebody's been given this virtual key, but you have unified identity and relationships, you're able to avoid a little problem with impersonation by somebody else who can use their biometrics to unlock the same phone. You can actually depend on the identity information. The car is not in charge of authenticating the user. The car is in charge of itself and it's able to reliably rely on that information coming from elsewhere in the ecosystem because you can use standards.

The many wonderful standards that we have for strong authentication, 5 0 2 web A, we were using web authentic PAs keys. And because you have federation standards open, ID connect siba, even saml, she says you can actually reliably reproduce these results. So I hope I've proven to you that unified identity harmonizes and makes security, privacy and experience cohere. And with that, I'll thank you for your time. Thank you. It's a compelling vision. How far do you think we are away from that vision? So how long do we need to get there?

You know, we have seen glimmers, I think specifically in the world of connected cars, but also in all of the other worlds. I think we're maybe 25% of the way there. And there are many ambitions.

Yeah, among the organizations that I talk to. Yeah. But The opposite, the vision needs is always the prerequisite for getting things done. That's right. I say infuse identity into the connective vision. Thank you Eve. Thanks everybody.