Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Our next speaker today is a woman I've known for a number of years. At one point in the past, she seemed to make a career out of trying to build up enthusiasm for Information Card technology. When she finally decided that that wasn't going to make a go of it, she went over and joined Ping Identity, where she's having a wonderful time in the office of the CTO as an architect. She comes to us today, Pamela Dingle, come on up here. She comes to us today to talk to you about the very intriguing keynote number four. She's promised me she's not going to kill off any protocols. We'll see.
They're all dead already. Wonderful. Yes. So I do have an updated title and I wanna talk today about analog identity, which is something I made up.
So, but I'm sure it's gonna catch on. Yes. So my name is Pamela Dingle. I do work for Ping Identity. I do work in the office of the CTO and I get to talk to a lot of people who do a lot of identity work. And it's a real education to be able to look across multiple architectures and see how people work. You would be amazed how common people's problems really are. And by the way, I have a cold.
So if I, the problem with this mic is I can't turn away. I can't turn my head to cough.
So if, if it's a problem, maybe you can, you guys can Dodge up with a handheld mic or something. We'll, we'll see how it goes. All right. On that note, I think given the company that I work for, you probably are going to guess what I'm going to talk about, but I'm not, I'm not gonna talk about this. Although I do feel it's very important and of course my company's built on identity standards.
Now, there may be other things you think are important to talk about. For example, one of the big trends that we're seeing right now in our industry is this incredible mesh of form and function. And by that, I mean, it's not bits and bytes anymore. That's not good enough. Things have to be usable. They have to be pretty. They have to mesh. We have a push towards self-service.
You know, that's really new. When I started at Ping in 2009, my boss told me there is no user interface to federation. That was the truth back then, and how much the world has changed, but I'm not gonna talk about this either. What I wanna talk about is scale, but I wanna talk about it in a way that perhaps you haven't thought of it before. I do think this is another critical element of our industry at this point in time right now. So we all know how this works. We've all been around the identity industry for a long time. We started off with silos and we all owned our own silo.
And we all had to figure out what to do with that silo. And we all built complexity into our silos. We did whatever we had to do to lessen the burden for our users and to be able to apply centralized policy. So we took shortcuts, you know, we did, right? We implemented provisioning systems where we pushed user identities directly into application databases, bypassing the application, fooling them into thinking that a user had been added via the interface.
We, you know, hooked everything up to LDAP where the user still had to authenticate 20 times a day, but at least they were using the same password over and over and over again. Right?
We did many, many things. We had many fancy acronyms. We used things like LDAP and RADIUS. And you know, a lot of things that perhaps some of you shudder over today, but you know what, it worked and you got the job done. The next thing that happened though, is we had to start communicating outside of our silos. And the interesting thing about this was it worked really well. We developed a standard called SAML. We were able to communicate claims and identity information back and forth, but it was a club, right?
Only the rich and the powerful could be part of this club because the security model around this was big and heavy and complex. You had to be able to figure out how to do things properly. You had to be able to issue a SAML assertion. This is 800 pages of specification on one side, and you had to validate it on the other, 800 pages of specification again, right? Heavy crypto, heavy security, multiple profiles, right? It's a big club. And it was great if you were in the club.
And if you weren't big enough to be in that club, or if you didn't have the money to pay to be in that club, or however that works, then you end up out of luck. But enough, that was okay for a long, long time. And then these sort of little niggling things started to happen, right? We started to get little devices, right? That weren't big complex things that we knew how to connect to, and we didn't know what to do with it. So we ignored it, right? We all did.
And then, you know, a few more of these things showed up and we still ignored them. Right. And you know, we started thinking about security models in the back of our head. And while those security models didn't really feel very good, we continued on the ignoring part of life, and they got a little more common and they got a little more mind share and they got a lot more mind share. And suddenly you have a problem. We have all these silos, we have complex infrastructure in these silos. We have risk fraud management. We have adaptive authentication. We have two factor authentication.
We have heavy directories. You know, we have lots of SAML to connect the big players together, but what about the simple things? How do we connect to the simple things, right? And for a long time, that wasn't important. But today it is. Today it matters, if you can't get to your simple partners, right? The small partners, if you can't get to your devices, if you can't get to small cloud applications that you might wanna interact with, or for that matter pull data from small cloud-based providers.
So it's kind of a war that's happening right now, to put it in a negative light. Many people would obviously see it as an opportunity. But what we end up with is a question that has to be answered. And this is in my mind what Craig Burton talks about when he talks about the API economy. This is an explosion of scale. These are devices that cannot support the original high security model that we all envisioned for federated identity moving back and forth. So what do we do?
Well, I would say to you that we have to change the way we think. We think today that we live in a binary world. We think today it's all about, is this John Smith? Or is this not John Smith? It's not true. It's just not true. There is no such thing as binary. There is no such thing as yes or no.
What we've done is create this approximation of who this person is with a password string match. We've layered security, we've layered risk analysis. We've layered audit on top of a credential validation, an authentication that may or may not be true. We don't actually know if it's John Smith. We only know if they typed a password correctly. That's a binary way of thinking that has got to end. And the way I think that we maybe need to start thinking about this is to think about this as analog, not binary. There will never be zero. There will never be one.
We will only approach zero and we will only approach one. It's calculus. That's it. It's not discrete Boolean logic.
So, alright. It's a great statement. What does it mean?
Well, it means that some not all, but I would bet you, most of the companies in this room can tell who the user is. That's coming into their environment as an approximation of about this quality. Okay.
You know, the rough outlines. Yeah.
I mean, most of you can probably recognize right there, there is recognition here of what might be coming in your front door. Now you can't really tell the difference between, you know, the actual real identities underneath. Maybe it's somebody great who can type your password string. Maybe it's somebody incredibly wrong who can type your password string. Okay.
The problem is not whether it's this guy or this guy coming in your front door, the problem is that the representation you have is not granular enough and not timely enough for you to actually make the decision you need to make. And I believe the way that we get out of this loop, we get out of this idea of, you know, I see eight characters and I assume that it's Pamela Dingle, is by getting out of the concept of issue and forget, which is what we do today. We issue tokens and forget. We authenticate and forget. We validate and forget. We have no state system. We have a stateless system. Okay.
Especially in enterprise, you look at the PayPals of the world, the eBays of the world. They don't have a stateless system. They remember everything you do. They remember when you did it, why you did it. And they're looking for patterns to see when you're gonna do it again. That's what we need to get to an enterprise. So I'd like you to take away from this, the idea of issue and remember authenticate and remember, what do we have to do to change our thoughts from being binary?
Yes, no, right? To a set of points graphed on a plane. And that graph becoming a line. And that line, the volume under that line or the area under that line, describing a sense of confidence in who this user is, that changes over time and not just at authentication time, in real time, right? We are in this terrible world right now where we've constructed tests. Our user passes a test. We give them a reward. The reward is a session.
Oh, you pass the test. Here's a session. Sometime later your session expires, oh, let's run the test again.
Oh, here's another session. How many sessions would you like session session session?
Well, that's not gonna work for us. I believe that we have to turn this idea of test and reward into a feedback loop that continues on and remembers. And so it becomes not a question of a million disparate, simple and complex things that are all in your way and that all have to be answered in a stateless fashion. It becomes linkage, linkage of these things to each other. It's the patterns of how people use devices and websites and when and why. That's gonna give us actual defense in depth when we want to actually secure our assets.
So this has been a very abstract talk, but let's talk concrete for a minute. What kind of tools exist for us to actually be able to change our world? Well, those tools are changing. They are, not surprisingly, standards based, and we're actually in trouble right now. We have just come to the point where, for authentication, we have a chance of creating a solid feedback loop.
We're not in the right place for provisioning whatsoever. We can't actually provision identities today between discrete systems on the internet. And that's a huge problem. Huge problem. It's coming on this list. Clearly OpenID Connect is something that I feel very strongly about as a way that we can create a feedback loop where devices and websites can communicate identity data backwards and forwards through the concept of a refresh token. Yeah.
And through the concept of an ID token, giving us many of the abilities of SAML, but being able to actually have one participant in the identity dance be a very, very simple participant. Okay. That is one of the keys to making this whole thing work, because when it's a big club of sophistication, the feedback loop is too small. There are too few participants. MDX. Has anyone here heard of MDX? And John Bradley cannot raise his hand.
All right, there's only one other person. That's a big, so what are we missing right now?
Well, we're missing the completion of the loop. We're missing full automation of our identities today. If you wanna create a connection, you've gotta export SAML metadata, right? You have to install, you have to register for a client ID.
Well, how do we make that automatic? How do we make that just the most obvious thing on the planet so that we can step that next layer up and just let things begin to ripple through our system? Let them register, work, die, register again, work, die. That's where we need to get. You know, SAML's on the list obviously, but the one on the bottom, you probably haven't even heard of it. It's actually probably eight years old. It's called XDAS. It is the closest thing I know of to a distributed audit standard. So why is that, right? It's crazy.
Why are we not already thinking about how to send audit data back and forth between disparate systems? We know it's coming, right? We know we have these compliance needs. Nobody's even having the discussion yet. So my advice to you is to look at the things on this screen and at least put them on your radar. Know what they're for, know how you might do automation through trust frameworks, know what dynamic client registration is. So I just wanna leave you with one thought. And that is, to me, identity at depth is where we wanna go.
And analog identity is the way that we're gonna make it possible. And that's it. Thank you very much.
Thank you, Pamela. Great. And I think there's some really interesting things, and I like this analog identity because I think it's pretty close to what I said around, we have to become more creative also in things. So it's not about a black-white decision about, this is a good one, this is a bad one. Yes. There are many things which really require us to become more dynamic, more, yeah, more analog in fact. And I think that's really important.
And tomorrow at 4:00 PM, there's a big talk by one of your colleagues about federation at scale. So that might be sort of an interesting add-on to Pamela's great keynote. And the other thing I just want to mention, this is the audit thing. I remember, I think six years ago at EIC, I tried to convince some vendors of forming standard bodies for auditing, and probably I was too early then. But if any one of the vendors is interested in doing that, feel free to contact me, because we still need it. We have some standards around authorization. We have a lot of standards around authentication.
We have some around the identity, or the administration part, but we would really like a standard around the very essential element of auditing. And if you talk about the four A's, or to look at the A's, we reduced them to three A's because it says, I think it's right, authentication, authorization. That's one thing I think you probably will fully agree with. Yes.
So then it's still one A missing, and I think you're absolutely right. I really very much like your keynote. Thank you. Good to have you back here at EIC. Thank you very much.