Keynote at the European Identity & Cloud Conference 2014
May 13-16, 2014 at Munich, Germany
So it's my very great pleasure to introduce to you next Kim Cameron. Kim is one of the older statesmen of the identity community and holds it wonderfully. Actually, he's been a wonderful mentor to the community as a whole, is a very creative thinker and has done some amazing work. So Kim's always someone that I'm interested in hearing about.
Thank you. I'll forgive that remark about my age. You know, ageism doesn't bother me that much. No, thank you.
No, just joking. Okay. I'm here to talk about applied information stewardship, what has been called protecting your jewelry. I guess the big question that I'm going to start with is: how do we protect information in a world where it has to be available to a lot of different people, depending on the use case, and flow as it is required? In other words, it's not static, it's not inside a firewall anymore. We all know.
And I won't dwell on this: the world has changed. It's this location thing on the one hand, and secondly, this question of devices: which devices do you want to allow your information to appear on, and which devices don't you? And then beyond the devices, there are the applications. And we know that some of the applications run on the devices; which devices are those? Some of the applications are now running in the cloud, and many companies, so many companies, end up finding out that they have replica applications running in the cloud that they didn't know about.
That we've actually had to build a product to report it to them. So, in other words, just as in the old days there was this move from mainframe computers to PCs, and then from PCs to LANs, in spite of everything IT did, the same thing is happening in terms of the move to SaaS and applications in the cloud. And IT doesn't even have a finger on what is going on there in many cases. And so that's another aspect of this overall tapestry. And then finally, the fact that all of this results in data appearing all over the place.
And the question becomes: is it possible to manage that in a holistic way? I mean, the goal here is to enable people and to allow business to be done. But on the other hand, we want to protect the data. We want to protect the privacy, meet the compliance requirements and so on. And we want to unify the environment. The environment we're talking about is one that is no longer inside the firewall. And so the identity technologies that we developed in the world of firewalls are essentially very limited. They go as far as the firewall and then stop.
And so the approach that we've had to take at Microsoft, and we did this because of the requirements of our customers, is to say we need to extend that existing infrastructure, the infrastructure that's so widely deployed, out past the firewall into the cloud so that it can begin to solve the cloud-era problems. So there are a whole bunch of firewall-era problems that firewall-era identity management solved.
Now there are post-firewall-era problems, and we see those being solved, and having to be solved, in the cloud because of the fact that the firewall doesn't have a big enough scope. Another example of this would be, say, allowing information to flow from one organization to another, sharing data between organizations. How can you do that? The extent of your visibility is the edge of your firewall. You have to have ways of managing and viewing identity and authenticating people that transcend any one individual organization.
And so this is the role of cloud, and here I want to make one more precision, which is that when I say cloud, I don't just mean public cloud. I mean the combination of public and private cloud that allows business to happen. And the way that that combination works is really immaterial to me. It's very important.
The key to being successful around this is that the interconnectivity between what is in the public cloud and what is in the private cloud be such that everything can be managed holistically without worrying about data leakage or any of those sorts of things. So I think, as much as I enjoyed Dr. Pashas' remarks and agree with many of them, I think we also have to bring into focus
the fact that the public cloud is not disjoint from, and needn't be disjoint from, a private cloud in which all of the requirements that people have can be met. Now that I've got that off my chest. So if we look at this overall problem of identity in the post-cloud, in the post-firewall era, we can sort of look at two different scenarios.
One is just visiting websites, and the other is not only visiting websites but actually supporting applications on your devices, which means that information is downloaded onto the device, files live on the device, and data itself starts to move outside the firewall. So not just an experience outside, but data outside. What that brings into focus is this whole notion that we need convenient protection of data and files while they're at rest.
So that would include Office documents, PDFs, texts, images, everything you need to do business. And in order to be able to decide who gets to unlock those files, it also means that we need to be able to determine the identity of the person who is accessing the file.
And here the new complexity is not just employees, but all of the people with whom we're interacting, our partners and our customers, so that we have this problem of convenience and protection and the responsibility around what data is, on the one hand, as a new problem, as a deeper problem than we've had to face before because of the new factors. And we have the problem of identity reaching beyond what we've traditionally been concerned about in the old days, as Mike said, which is just the employees.
So what we've done is to try and adopt data protection as a foundational principle. The essence of this is, you know, in heaven, data is born encrypted; on earth, it's born in the clear. What we want is to move towards this more pristine state in which things can actually be protected from the devil and similar entities.
So our overall approach towards the protection of the data is, first of all, that we should be able to protect anything: any file type, any kind of XML (how old-fashioned of me), any kind of JSON or whatever. Secondly, that we'd be able to protect both in place and in flight; that we'd be able to share it with anyone, not just with people inside our organization; that we be able to meet the varied organizational needs that people have in terms of on-premises and off-premises; and, a really hard one, that CSOs and the compliance people be able to selectively get at information that is encrypted when that is required and called for, but not be able to get to it when it isn't.
And lastly, that the keys and the data content must be safe from insider attacks and not visible even to the cloud provider, including the public cloud provider like Microsoft. And so we've developed a whole bunch of technology aimed at attempting to cause this to be the case: the Bring Your Own Key work and all of the U-Prove work and things like that. While I'm on this, do I dare?
I promised I wouldn't say anything about this, but when it comes to the keys and the data content being safe from insider attacks, I have to... well, no, actually I think I'll save that for later. Okay. So in order to show how this data protection works, I'm going to give you a 30-second introduction. You have some kind of a document you want to protect. We have a way for software running on a client to contact a server and say: here's the content, here's the hash of the document. Please create a policy for it, and a key for it, and encrypt that key.
So what happens is that the service never sees the actual data in the document. It never actually has to see the encryption key that is used by the organization. All it does is use that key in order to create a policy. Then at the other end, somebody who has access is able to ask for the symmetric key to be able to decrypt the document and can see the secret cola formula.
For example, if Azure is running this rights management service, it's never seen the data; it can never reveal the data. So this is an example where the public cloud and the private cloud can operate together in such a way that, you know, there's absolutely no decrease in the protection over what would be possible to achieve if everything were inside the private cloud.
The other side of this is that this encrypted content can go into applications that can be made very user-friendly, that can decrypt it and apply certain restrictions. And to do that, it in fact calls an API, which then goes into these services, whether they be in your private cloud or in the public cloud, and is able to get the key. So the key here is that it's possible to develop a whole bunch of these different, what we call RMS-enlightened, applications that can deal with this protected content.
So usability: I stress this because usability is the key. Basically, the way that the applications work, I'll give you the example of Office. You go into Office, and there's this new thing called Save Protected.
Similarly, when you're just in your Windows thing, going through the system, you can go and say, take this file and protect it. And all that's doing is wrapping it in this policy and encrypting it, so it can be sent around and is safe. Or in the Office case, it can actually be born encrypted because it's saved in the protected format. The other key important thing is that these things can be read on any device, you know, whether on Windows devices, or Macintosh, or Android, or, you know, Windows iPads, or whatever.
I mean, sorry, those other iPads and so on. So in Outlook, you know, you press this Save Encrypted, the Save Protected, and then you can either just have a one-click type thing, or you can actually specify who can see it, how long they can see it and things like that.
And the way to think about this is that there are two types of applications. There are the ones that really build in all of the functionality, and so that means even if somebody opens the document, they can't misuse it. Or there are ones that are what we call a little bit more basic, where once the document is opened, it's now visible in the clear, and somebody can misuse it. So the overall concept here is that if we actually were using rights management around all of the information that was sensitive, the total risk would be dramatically reduced.
Here is a little picture just to prove that, yes, it does work on this holy trinity of devices, including Android, iOS, and Windows. I apologize for putting Windows in the holy trinity, but I felt that I had to. Not only that, it works not only with text but with pictures, and it works with pictures you take with your devices, so that you can actually take information that comes off the phone and rights-manage that. So that's fine. But what about the reach? Can it go outside my organization?
Well, the first thing we introduced was this ability to basically send a message to the person who gets it, and then the person who gets it, if they're already in Azure, they just download the stuff. If they're not using Azure, they can go and just register. And they now become able to use it free of charge, blah, blah, blah. So there is reach not only to the other people using Azure, but to anybody beyond that. From the point of view of how hard it is to configure:
Well, basically, it's ridiculously simple. The administrator just chooses, you know, the duration of the policy.
And from then on, it's available inside Office 365. If you're using that, you can go in and actually have both SharePoint and Exchange look at the content of the document and apply your rules to decide whether there's something in there that is sensitive, and use it. I have till 25 after, so don't... I want my full time. Okay. There are a number of other pieces here, and I won't go into them; it's just an endless series of things that are being done, because this is a strategic vision that's being applied, not just a point solution.
That includes, for example, multifactor authentication services across devices. Okay. And the last thing I want to look at, just for, I think I have one minute and 30 seconds, is the next frontier.
Well, that's enough for the next frontier. Basically, it's what we call partner and identity management. And the reason I'm mentioning it is because I'm here recruiting people who want to be early participants in working with us to see if we, and make sure we, get it right. The idea is to give people a way now.
So if we want to make it easier for you to deal with your customers and your partners: how do you get on with them? How do you register them? How do you authenticate them? And so we've come up with this notion of user journeys for identity, so that you don't have a one-size-fits-all thing. You don't have to go through the same amount of friction to get out $1 as you do to get out a million dollars; you can have a bunch of different policies if you want. I was speaking metaphorically.
So basically we have this concept where there are a whole bunch of user steps, like consent, choosing which provider you want, doing claims transformation, sending the claims, reviewing the claims. So there's a bunch of different possible steps. Here's an example of a consent form, and you'll see how ugly... do you see how ugly it is?
Well, that's actually on purpose, as I'll show you in a moment. Here's a really ugly claim selector screen. But the goal here is that the customer controls the visual design, so that this becomes this, or this becomes that. In other words, your people control the visualization, not the supplier.
Meanwhile, in terms of how things work, you go and you set it up just through these menus. So for example, if you say, I want to have a claims provider here, if you look where the arrow is, there's Microsoft Exchange and Google as options. Now you just click a button and you say, no, I want to add Facebook. And I could be adding the government identity system or whatever I want.
Similarly, I come along and here I am adding PhoneFactor. PhoneFactor is a thing that will phone people up and verify. So you can take these steps and put one in front of the other, or after the other, and create exactly the right experience for what your customer is going through.
If they're doing something where there's a resource involved, you may want them to actually use a cell phone or something to verify that they are who they say they are, in that case. If you're just trying to get them to come and be a customer, you're perfectly satisfied with the social provider. So anyway, if anybody is interested in that, let me know. That's why I'm here. And I apologize if I went over by what, 30 seconds, am I? Okay. Okay. I'm forgiven.
Thank you, dear elder statesman.