Keynote at the European Identity & Cloud Conference 2014
May 13-16, 2014 at Munich, Germany
So with that, I'd like to introduce Dragic from Diageo. Thank you very much, welcome to EIC, and thank you. We look forward to your presentation. Thanks very much. So I would like to thank Stefan. Thanks very much for kind of keeping this on a lighter side. I think we've been kind of too serious over the past couple of days about security, so right. Help. Everything is okay. So I work for Diageo, a drinks and beverage company, as chief security architect. I'm pretty sure you've actually experienced or tried our products, the drinks, by the way. So right.
Do I have to press anything? And yeah, so practically again, it's Johnnie Walker, Smirnoff, that's what we do, right. Okay. I can see that on screen. Just a short disclaimer there, just to make sure that some of the stuff we're going to discuss obviously is not fully aligned, but these are thoughts, and this has been shared with the company executives. So I think with that in mind, I would like to remind us why we are in the business, not in the security business, but in the business in general.
And I think we are here to serve our customers, to sell our products, because we exist only if somebody is willing to spend some money to buy our products. If it's an end consumer, if it's a customer buying services, that's what we do. And I think this is the sole purpose of us really supporting the business. So I came across this. If you don't know the name, Jay, he is, as far as I've checked, still with Gartner as research VP. And this was from Information Security magazine in 2003.
And it was really kind of discussing the general state of understanding the importance of information security. And you'll notice the term of verb there, wing or two wing. So I don't know if you're familiar with that, but basically I think we tend to do these things, and I'm guilty of it, but I feel kind of there is a greater good there. We need to get on with these things and do something. So I think this is really important for us to remind ourselves from time to time, you know, what do we do and how do we actually support the business?
So I feel sometimes that, you know, as a character, as somebody who's kind of frustrated about things, possibly like Grandpa Simpson, who really kind of yells at clouds. So why does that happen? I feel today we experience a massive explosion, and I feel generally we are all affected; more stuff is happening outside our perimeter than inside. Certainly my company is experiencing that. So with that in mind, I feel our focus should be, you know, whether we like it or not, the business will do this. Even without our consent, we cannot deny it.
We can deny these things, but eventually they will do it, because this is the only way to do business today. So how's that even related to Moby? Moby is an interesting character. And last year there was an interview on the BBC. The BBC news reporter was asking Moby about some comments being made at the Mercury Music Awards in 2013, where a British band called Foals decided to make a statement when receiving awards, saying Spotify actually shouldn't exist because they don't pay us. They don't pay us enough really to sell our music.
And I feel they completely missed the point. What Moby was saying is we use these services really to have a different experience. And Moby is certainly one of the guys leveraging the cloud, because he decided to share his music for free. And last year he was the most downloaded artist ever. And he really decided to partner with BitTorrent. So he said, okay, I'm going to allow you to have my vocals, my bassline, everything, and you make music, because I think he's defended the kind of stance to say, we should make music and hopefully people will like it too.
So feel free to use it as long as it's not for commercial purposes. So sort of a person leveraging a freemium model, if you like.
So if you think about where everything started with the cloud, I thought of this guy, whose name, if I can pronounce it, has a kind of tongue clicks and all of that. It's got a "how" or something like that. So has anybody seen this movie before? It was from 1980, right? It's a slapstick comedy with this guy really playing the key role. And what was interesting really about this is he's holding a bottle of Coke.
The bottle came from the sky, from the clouds, dropped into his village, and, you know, the Bushmen themselves didn't have any sense of ownership, no judges, no crimes, nothing whatsoever, kind of full democracy. Like, you know, Moby would say, democratic chaos, really, with music. And this thing actually landed and they'd never seen anything like it before. They said, oh, this is the most, is this the hardest thing we've ever seen? We're gonna use it for all sorts of purposes, but it didn't scale.
Well, that was the problem. So "how", I want to click my tongue, decided to take it back to the cloud. Basically he said, I'm gonna take you to the end of the world and I'm going to drop this evil back to the gods.
So I think what is really happening is, with this representation of the Coke bottle, the Coke didn't scale well for "how", but Moby actually leveraged that and said, okay, for the great experience, we can actually use the cloud for all sorts of purposes, really create new experiences for people. And if you check mobygratis.com as well, if you're an independent filmmaker, you can actually use that music for free, you can create and do whatever you like. It's really kind of there.
I think he can afford it because he's sold probably 20 million albums. So he can actually do things for free either way. So what is really happening with us, we tend to sort of do these things.
We say, follow the codes, the policies, standards, prescriptive, do things. And they really, again, looking from our perspective, in the world we're living in, they tend to be difficult to apply. Why is that? We've seen that in so many situations where we say we buy our services. Yeah. Fully certified, pen tested. Was it yesterday? I think a colleague from Deloitte was saying pen test your applications, that's the way to do it. But unfortunately it's not enough.
I think there are two opposites: if we tend to not follow the code at all or to fully follow the code, I think we're gonna miss the chance of doing things right. So we become a bit like Dexter, and Dexter is all about the code, following the code. If it doesn't apply to the code, don't do it, be aware of the facts. And then he actually questioned the code so many times in the series, right?
So I think we are sort of in between Dexter and the guy, you know, "how", and we need to be somewhere in between. So this is actually a friend of mine who runs a food shop, a bakery in London, a medium-sized business. We were discussing offline, can you help me with some advice? I want to reenergize the business, show social interactions and so on. And this is what happened with his website.
I think you should notice the "safe mode" design now. So I think this guy actually managed to circumvent and exploit some PHP vulnerabilities. And this is what happened. He even left his Skype details as well, and some other details, and some annoying music when you land on the page. "Your system security is very bad." This could happen to anyone. And I think all of the security measures we're putting in place are not going to be enough.
So by the way, this is from earlier this year. These guys actually now have the Glance app, which is pretty much the same, but it doesn't require Google Glass. So it's called basically side-by-side video. So you can actually decide whether you want to wear this and whatever you wanna do, you could record this in your bedroom. But the point of this is, we moved on, and I feel we're living in the world of iBeacons, wearables, grab-and-go, glanceable or whatever you wanna call these devices today.
And this is really probably the last place you want any intrusion on privacy, the bedroom or whatever place you're gonna be doing these things. So I think what is important is that we understand, even though it's important to save our privacy or really protect ourselves, the more we share, the more and better the experience will be, I think, online and with the cloud itself and so on. So these are the things we're actually gonna, we sit in the middle and we need to be aware of it, because we are restricting ourselves or our business from doing things.
And with this in mind, I've actually come across this. This is very tiny, but if you can have a look on top, it says, oh, sorry, wrong button, culture, environment, activity really puts this place into a different environment. So it's all about experience, which comes with thick data, which we are actually looking for to make sure we understand what's going on, versus activities and behaviors, which normally we are tracking as security professionals. I think in today's world, that's less relevant to what we're really looking for.
So I think when it comes, I think Ian mentioned just briefly in his presentation IFTTT, so when it comes to that, and Dave, I think earlier today, was saying, you know, 15 years ago he was quite a visionary, looking at what is tomorrow's world of automation. You know, when I wake up, I want my coffee machine to be on. I want my Philips Hue light to be softer because, obviously, that time of the day, time of the year, all of that can be automated.
All of this is possible because of the cloud services, the APIs that drive this sort of life management platform, your management of yourself.
So I think in terms of getting to a point where we actually face what is really the real obstacle today, and I'm certainly facing it myself in my organization, is the user experience. Whether it is the CTO or CIO, whoever, or really somebody sitting next to you, they're going to question things if it's not really straightforward, if it's not simple to do. They're going to question those things, and when it comes to security, we are probably renowned for making things more complicated. And I think we live in a world that is already too complex.
So what we need to do is really provide that immediacy. People want things right now.
And, you know, based on the kind of convenience, this picks up really to represent what was the outcome from the survey done by the Ponemon Institute and Nok Nok Labs last year. And you can see what was the reason for a multipurpose identity credential, obviously convenience and all the other things, you know, enhanced privacy. We won't go into details.
Whether the actual respondents were really knowledgeable about, you know, is it possible, but this is how they perceived it, which comes to the point of risk and rewards. There are a lot of risk specialists in the room, architects, technologists, consultants. And I think what we actually tend to do, we start with the risks. I believe, for the sake of really where we are heading with this world around us, we should start discussing the rewards and opportunities.
First, the only thing, you know, why should we start with that, is to engage and build conventions with the rest of the people or stakeholders who will be making decisions about the risk, because we tend sometimes to define things to be too risky and not possible at all because of the difference in perspectives. When you look at things the way your CTO, CIO and others will be looking at them, your CFO, they see things in a completely different way. So you could be really saying, but it's obvious, it's clear.
I've actually sat down with my GRC guys so many times, and I couldn't understand a word of the actual risk description. And I said, if you take this to the CIO, he will probably say, what are you talking about? What do you want me to do with this? And this is really the response from the senior stakeholder. If he doesn't understand what he's facing, what he's up against, you wouldn't be able to do anything. So with that in mind, there was a discussion last year, I met up with the CIO of Aegon in Madrid, and we discussed some elements of social identity and is it possible?
Is it safe, and so on and so on, but this is a clear example. This is actually in production. It can be done.
And if I reflect on my company and I say what we do and what Aegon is about, these guys are heavily regulated. They had a massive challenge from the regulators in the Netherlands, really simply to explain what they've been up to, but it's been a massive success. So the reason is, I think we're up against certain things where your device company, you think, but I think it's again sort of customer retention, more people signing up in an easy way, selling more services, and it's all about selling.
So I think this is one of the examples where things can actually go in the right direction. So I've tried really to kind of, you know, what needs to be done. It's a couple more slides really, in the sense of where we can actually focus ourselves. So when we look at the curve of things around us and we say, cloud is insecure and we need to secure the cloud, we need to secure mobile devices and so on and so on. I think we need the right focus.
The focus is important because we can actually build the conventions and really things that people around us understand: developers will understand, the senior stakeholders will understand. And I feel the area of focus, simply because we can actually make things better, is actually far left, down in the corner, where we say, okay, identity, and what really makes this device universal between Androids and all the other Windows phones is the actual app itself, because you have variants of the same application delivered to different devices.
And I've purposely decided to remove device, or really not even mention device in the mix, because I think for the discussion today they're not even relevant. Forget about them, because if you want to control them, you know, MAC addresses, IP addresses issued, I think, you know, face it, you're never gonna be able to do that.
So what is, you know, when we actually focus ourselves and we should be able to abstract things. So what I've done in my one page, I thought, okay, who is connecting to my business? So I've got joint ventures, I've got more values users, I've got my corporate users, I've got support and so on and so on, mergers and acquisitions guys. So they're poking things into my services, and really what they use to connect and what they're connecting with: they're connecting through the browser or a native application.
So where they're connecting from is another two things: we've got the gateways, you know, come to the mothership, connect all of the two-factor authentication, versus they go over the net or over the internet, off and on. So those are the two things, and where they're connecting to: most of the time they will be using ServiceNow, Salesforce, Concur, Workday and so on, or really a mobilized web application sitting somewhere. So this is the world that Diageo will be living in.
And when you actually have a look at that, I had something similar, but I thought for actually did a much better job. I had actually put a few things in there, but basically it really represents the three kinds of assets we are actually dealing with today: the actual data and information in general; there is identity, in a really generic form, it could be a system, it could be a person, it could be a car, whatever you wanna do; and there is, on top, really the transport, the network itself.
And in between you have users, you have applications sitting there, there is API communication going on in between. And I feel this is the ultimate really concise, compressed, condensed version of where the focus is today.
You know, at least that's my opinion, so identity, and there is more identity. And I thought, whether this could be called the identity service bus or whatever it is being called, but we need something similar to this. We need to understand how we're going to map, how we're going to assert, how we're going to consume identities. And to be honest, you don't necessarily need a grand scale project to start with. You need some visibility, but you need to understand what you're up against and where your destination is.
So with that in mind, again, I want to think about one of the things, you know, those initiatives, strategic sort of things where people are discussing mobile first and so on. I'd like to think, when those things do happen, to remind yourself that you need to reassess your overall strategy and your enterprise architecture, whether it's going to be sound with that in mind. So there are a lot of knock-on effects and so on.
Don't focus too much on mobility or really on the cloud, and really focus so much that you actually end up with the house on the left. So Frank Gehry is the guy who will teach us really; notice that building on the left-hand side, the Dancing House. This is a house in Prague, by the way. And I always have a discussion with my wife, she's a traditional architect. And she always says, you know, how can you call yourself an architect? I'm the architect. This is the legacy service sitting next to you. It's all of the constraints.
It's modern, it's funky. It looks great. It's functional. And I think we should be striving to be Frank Gehry, okay.
As professionals. So these are some dos, don'ts, you know, undo things. But this is, with this in mind, I will leave something behind, and you know, what we should redo, and on purpose I really said, have an honest discussion with the business, and in that order: rewards, opportunities and risks, please. Right? Because I think otherwise we're gonna get things wrong. Obviously non-negotiables are there to be, you know, like legal, regulatory, some of the stuff must be done, but there are a lot of opportunities for us. So with dos, make sure you hook up with your business.
And I think when you hook up, it means you understand the strategy of the business. I think, how many of you have a security strategy in your organizations? Right. Lots of hands, right.
I think security strategy is really boring, right? It will bore people to death. And I feel when we understand other strategies within the business and make their strategies our strategies, I think it's far better. And it's easy to understand.
And I mentioned digital business; my digital marketing guys are pushing the limits all the time. So with that in mind, obviously there are a lot of dos and don'ts and undos. I feel we need to roll up our sleeves and do things properly.
You know, don't underestimate the people-centric controls. And I feel we're gonna be relying more on people. What Stefan was saying, obviously people coming back to you asking for advice. My CIO came to me when Heartbleed was in the news.
He said, I bought a season ticket for Arsenal, and I've paid with my credit card. Should I be worried? It's good. Let's leverage that; people are getting interested.
You know, I'm waiting for your presentation next, it is going to be obviously, as always, interesting. So I think with that in mind, I would like to thank you and remind you really why to stay excited, because I'm definitely excited about security and technology in general, because otherwise, you know, why are we doing this job? Thank you. Thank you very much. Thank you. Thank you. Yeah.
So I was very interested in your comment about the difficulty of communication. How did you solve the problem with the GRC team that couldn't explain?
Yeah, I think it's one of those things. I feel, and this is probably speaking, you know, being honest about that, we need really not strictly security professionals doing the security work. I think we should be delegating things around, getting people to champion security. And by doing that, we get the feedback from the rest of the business in a way that we want them to not really articulate the risk, but better report things. What should be relevant to our team is to articulate risks on behalf of the business.
So the better the communication, the better the risk descriptions will be, obviously the representations within the forums discussing risks, and really what the security team should be doing, you know, as a CISO function, is important, but really having an honest discussion and thinking about what is the next move of the business, this is why we exist.
I think sitting all alone, really isolated, thinking about threat management, securing our websites, PCI compliance and so on and so on is not going to solve our problems. So the better, the richer the communication, the better. Communication is essential. Thank you very much. Thank you. Thank you.