So the next speaker is going. We didn't really distinguish between consumer identities on the one side of customer identities and internal identities. And to some extent, this also relates to this, to the, to this era between IT and OT, information technology and operational technology. Because in my view, operational technology is something which is strongly related to the business. Whereas IT, in the, in the narrow definition, is something that is supporting value for organizations, but this is no longer true in the, in the new environment.
As we have learned, nevertheless, it's important to distinguish the two user groups, and this is going to be done by Ian Glazer from Salesforce. Welcome. Nice. Over here. So just before you start, you are a member of the Management Council and Board of Directors for the US Identity Ecosystem Steering Group.
Yeah. It doesn't fit on a business card.
What what's that
At all? No. So the IDESG is a private-sector body; we're not-for-profit, that was stood up as part of the White House cybersecurity efforts, as part of the National Strategy for Trusted Identities in Cyberspace.
We're trying to find a framework that really helps people figure out where to start with identity management, because it can be, as we all know a sort of dizzying affair to begin with just learning how to start is important. Okay. Trying private baseline.
Thank you for
Sure. Okay. So all business travel is a function of fluid management, three fluids, water, caffeine, and alcohol. I'm really heavy on caffeine right now. And I know all of you want to be really heavy on alcohol. So I'm gonna be as brief as possible. Please continue to hold.
Your call is very important to us and it will be answered in the order it was received. Show of hands: how many people have heard this in a work context, maybe when you called your help desk? Show of hands.
Come on, come on, come on. Okay. How many of you have heard this in a home context? Maybe, I don't know, calling Deutsche Bahn to find out whether the S-Bahn is running today. Show of hands. Okay. About 50/50. Let's try this one. Your usage of this service constitutes consent to our terms of service. And if you have any questions, please consult our acceptable use policy.
Now, is this the warning message you see when you log into your laptop in the morning? Maybe. Is this something you see on pretty much any website if you go rooting around long enough? Definitely, yes.
So to me it's a little disappointing, but not particularly surprising that these slides could apply to both work and home. So how'd we get here?
Well, we know a lot about identity for employees, and no matter what industry we're in, no matter what tech stack, we have developed over a decade-plus, decades-plus, common practices, common patterns, and most of it centers around a fairly easy to explain concept, which is: I want to deliver the right access to the right people at the right place and at the right time. That's what I wanna do. That's identity for employees. Identity for customers, that's a bit of a different story.
We've seen truly amazing innovation in the last 10 years: user centricity, UMA, just amazing thinking around how do we serve individuals better.
Now the problem is we haven't had enough bake time to come up with common patterns and practices. We're still in that innovation phase. And the mission of identity for customers is a little bit different here. I am interested in delivering the right experience to the right people in the right place and at the right time, a little bit different and delivering the right experience.
Well, that's a, that's unfamiliar, because experience could mean I would like to make sure that my connected fridge can only open up trouble tickets when a part goes bad, but it can't change my payment information, right? Experience could also mean I have an individual who's standing next to one of Jackson's iBeacons and they've opted in.
And so, because they're standing in front of a display, I would like to push to them a special offer via their mobile app. Or, right, experience is the one I think we're more familiar with, which is just a great experience in new form factors. But identity for customers is not just about experience.
It's also, we have to deal with a new set of stakeholders, ones that we, as IT professionals, do not have a great track record, if any, with:
sales and marketing, weird alumni development, community development. These are stakeholders of dealing with individuals that we don't typically interface with, but we absolutely must if we're gonna be successful in pleasing customers. And here's the thing: since we didn't have common practices or patterns, what did we fall back to? That's right. Please continue to hold. We fell back to enterprise patterns and we applied them to customer situations. And this is a little disappointing, but it's not surprising. So what can we do?
What is the opportunity that we have? Whether you call this subject external identity management or customer or citizen identity management, it's the same thing. It is a growth opportunity for the business. No matter what the business is, an opportunity to deliver better, higher quality, higher value service, which means this is a growth opportunity for us as identity professionals.
This is amazingly exciting, because no matter whether you are trying to service someone who is building polymer films or people explaining polynomials to students, your opportunity is to delight your customers, whoever they may be. And in every industry, we have them. Public sector, private sector, does not matter. And if we think about the kinds of companies who seem to be doing okay by pleasing their customers, some of the innovators, I posit that one of the things that they're doing is they're trying to form lasting relationships.
And they're doing this by taking what used to be a fragmented picture of the individual and starting to build a complete picture of their customer in order to delight them. So customer identity, in my thinking, is our killer app. It is the way we are going to become amazing in our enterprises, because we have been trying for years to find the killer app for identity, and let's face it:
You don't get boardroom access by peddling user password management, reset, provisioning. Just doesn't happen, 'cause you're a cost center.
But as soon as you start servicing your customers, you become a business enabler. And this is huge, right? This is huge for us as a discipline. It is such an opportunity, but there's a little bit of caution, because we actually aren't the stars of the show. In the same way that TCP/IP is not the star of the show of the web, identity is incredibly important, but we're not the center of this universe. Let me explain. So if we break this down, we think about what is this customer identity stuff? From our perspective, us in the room, we say identity is at the core of everything.
Bar none, you can't have interactions without us. Come on, everyone knows that. Until you go talk to a business peer, and what do they do?
They go, no, no, no, no, no. The customer is the center of everything we do. You identity guys are just kind of along for the ride. Neither side is actually wrong. Customer identity is the enabler of these interactions. That's the way that we wanna think about this, but these interactions have to be bigger than we typically think about them.
In fact, in three ways: they need to be cross channel, cross business function and cross organization. When we think about what cross channel means, we think, oh right, I got you covered: web, mobile, API, right? Done. I can do that. It's not actually the case. We have to include other channels we're not used to: brick and mortar, social listening, call centers, all of these other touch points where we're going to interface with an individual.
We also have to make the services available cross business function, because it's not enough for just service to understand how they interact with the customers. The people designing product, the people marketing the product, all of them need a picture of the individual, their consent to form a relationship, 'cause this is how we delight a customer. And increasingly no one delivers a service by themselves, really. It becomes cross organizational, because if you think about, say, a hot water heater in your house: manufactured by someone, it is serviced by someone and it's sold by someone else.
Now, if they could all share again with my consent, a picture of who the customer is, well then I'm delighted that the service professional shows up to fix my hot water actually knows what model I have, what the service history is. And if there are rebates available for upgrade, this is a great experience. So we need to start thinking about sharing this notion of customer across boundaries.
But let's look in a little bit more detail about how this differs from what we do with employees.
You know, we think about our techniques that we employ. We find that there's really different ends of the spectrum. Enterprise identity and access management: employee-centric, it's fairly traditional. We know this, right? And that the organization is the owner and authority for those identities. We do things like provisioning, right? We do a lot of this kind of stuff. But on the other end of the spectrum, this is customer-centric identity. It's much more modern. The individual is not the owner.
There is no single authority about who the individual is, who the customer is, and we use different techniques to actually service them. So let's look at this in a little bit more detail. From an employee perspective, we have a system of record in HR, but everyone knows that's a classic joke.
We actually have multiple HRs and they don't agree and the data's crap, but we'll leave that alone for a moment. The way we deal with attributes, we push them: user provisioning, directory synchronization, we're pushing attributes to targets.
We do that because we have a lot of islands of identity, but thankfully we are now reducing those things to Microsoft Excel. Oh crap. Sorry. Active Directory. It's the other identity product that Microsoft makes. I keep forgetting that. We have a hell of a lot of WAM hanging around, like proprietary, you know, token cookies that we're like, yeah, okay, let's do this. And a little bit of federation, more so for SaaS and new apps. We can have device management, mobile device management, and consent for attribute use is implied because I'm employed. Now let's contrast this with customer-centric.
So we have things like CRM and lines of business databases, but those are just the internal repositories, the internal representation of who the customer is.
Now, I've also gotta consult social providers and banks and governments and universities and all of these other sources for pieces of who the individual is that they're willing to share with me. We see more about profile management, the individual taking more control and, to some extent, more pull-oriented attribute management, in the sense of: at the time of login, I'm gonna get the freshest attributes at the time of use.
I'll do just in time provisioning. We're seeing more standards-based login for SSO, more federation, but still there's sort of a new VO like role of proprietary, which we'll get to. Mobile device management:
uncommon, if not illegal. That's a good thing in my mind. And we've gotta get consent and we've gotta adhere to consent consistently. But it's not just the technologies that are different. There are different life cycles. Join, move, leave: the classic traditional IAM life cycle.
I join the organization. My role changes. I move within the organization. I leave the organization. There are two life cycles for customers, for citizens, individuals. One of them is actually a progression. I call it relationship value.
What happens is this: as the relationship that you have with your customer grows over time, you are likely going to take them on this progression. They start as an anonymous user. Then they become pseudonymous. They use maybe a social provider for login to facilitate that action. And then they become known. Known can take a lot of different forms, but we tend as organizations to want to move people towards known as the relationship increases with value. If we map this to join, move, leave, a little bit different, right? So we join when you're anonymous and then we sort of change state. We move,
if you will, as we become pseudonymous, as we become known. That's a very different life cycle.
The other one I observe is there's a change in the way we access things. And this progression has an interesting implication. So it starts with, well, I would probably start engaging with the organization on the web. That becomes mobile. That may even become through a thing: I'm getting a service through a thing that's connected. And I might even become a developer against some APIs. But this is the way someone changes with respect to the organization. We map this to join, move, leave.
It used to be, you would join to the organization by the website; increasingly it's the mobile app. Okay. But then I changed sort of state for the thing, for the developer. What have we seen?
Well, we saw join. We saw move.
And so this is where the Eagles know something about identity management, right? You can check out anytime you like, but you can never leave. What we find in this customer identity world is that we have these really long relationships. There's no leave. There's no severance. It's just a really long relationship that changes over time. And this means we have a whole bucket of privacy implications that, quite frankly, we were very happy as identity professionals to ignore because we could blame HR. And that was fun, right?
HR gave us the privacy permission to use attributes. I can't do that in the customer world. I've gotta bring to bear a whole new set of technologies to do this customer identity stuff that I have not really done. Traditionally can attribute consent release. That's the closest thing to it. But then privacy preferences and then data retention. And this is a whole new set of things.
If we're gonna solve this customer identity problem and customer identity is much larger than identity for employees.
Yes, there are familiar IAM components, things like federation, things like assurance. Familiar, but this isn't the only stuff we need. So there are some things that are, well, they're like IAM. And then there are some things that are totally not like IAM. And we have to bring all of these things to bear. Let me explain. So federation isn't a particular surprise. Most of this stuff can be standards driven.
Increasingly it's OpenID Connect, except then you've gotta go off and implement OAuth 1.0a because Twitter hasn't upgraded. Gee, thank you, Twitter. But there's also proprietary bends like Facebook Connect. So you've got a mix of standard and nonstandard and you've gotta be able to broker, right? So I get Facebook Connect in and I'm doing OpenID Connect out, or some combination thereof. You've gotta be able to do these things. From a profile management perspective, we've got registration needs. How do you gather data?
Whether it's through a social provider, whether it's through a static screen that's branded appropriately. We ask the individual to manage their profile, their preferences, both privacy and marketing and others. And we also need ways of gathering more data as the relationship increases in value.
We have also assurance and proofing needs.
And by the way, for those of you who are working on, on identity assurance projects, specifically looking at stronger auth, this is the battle line of usability, because the techniques we used on employees that we'd like to apply, to use, on customers will fail in a horrible fiery wreck. And you deserved it for giving them a token. We've gotta figure out other things. And there's really interesting things that can be done at this very point of how we service our citizens better.
For example, when it comes to getting stronger assurance and same with proofing, I'd like to know more about an individual and depending on your geography, you're gonna have different limitations to this, but I still need some capacity, whether that means just including web service calls to our own internal databases, cuz that's where we think we have proofing data.
Those are the familiar things.
When we hear the somewhat familiar things: consent management, we've talked about a little bit, we've heard it in terms of minimum viable consent receipt, but also things of just, how do, can I use an attribute? We need these capabilities. But as soon as you start dealing with an external identity population, two things happen. One, inevitably someone's account is going to be taken over and they're going to call you in tears because they can't get to their transcript. And that means they can't apply for a job. Account
takeover is one of the things that is expected as part of your service to the individual. And yet it is not something we as identity professionals, frankly, we as organizations, are particularly good at or know something about. And sharing signals: I'd like to know that this email address just had a password reset event or this email address just had an account takeover, because that may be a signal for fraud.
And I'd like to take that into account.
And then the things that are unfamiliar to us: integrating with automation systems that we've never worked with, marketing, content management. These are things we're gonna have to do to service the individual. But also we want to understand how better to do that. And that requires analytics that, frankly, are not the who-has-what kind of report. And then lastly, as I talked about, we're going to need a way of meeting all of the long-lived privacy requirements we're gonna have. So why is this customer identity thing different?
Well, the technology needs are different, right? Yes, there are familiar things, but there's a whole realness stuff that we're not familiar with as identity professionals. Life cycles are different.
Join, move, leave: that got us so far, but it's not gonna work as we focus on external populations. There are different cadences to our relationships that we have to learn to manage.
We have a whole new set of privacy expectations because we don't see leave. We have these long-lived relationships and we have to respect privacy throughout the course of the relationship. And the goals are different. I'm not focused so much on delivering the right access. I'm delivering the right experience. And that's a new way of thinking about things. But best of all, the opportunities are greater.
Doesn't matter what industry you're in, whomever you're trying to serve: citizen, student, customer, partner. This is our opportunity to become business enablers and actually delight our customers. This is what is ahead of us. This is amazingly exciting. So I ask you as a favor to me, hopefully, or yourselves more importantly, 'cause this is your opportunity. Stop trying to take employee centric techniques and map them directly to customer will work. We need slightly different thinking. So don't treat your customers like you do your employees. Start delighting them. Thank you.
Your time is really important to me. Enjoy the rest of the conference. Thanks again. I have not broken this clicker. So whoever comes up next, it's still got like three or four clicks in it. So it'll be okay.
It'll be okay. So battery is empty. You think?
Yeah,
Those are good new batteries. Okay.
Great presentation. So you basically said that the value is not in the data, but in the relationships. Can you expand on this a little bit?
Sure.
So I want to believe, and this may be me being a little bit naive, which is that if I form a relationship with a customer, regardless of industry, that over time, that will become more valuable to both parties because there's a symmetry to it, because it's long lasting and we build up trust and we inter, we interact more deeply and more frequently. If I'm just in it for the data, that's pretty one-sided, and I think it's, yes, you'll get value, but I feel like it's a short term value jolt you'll get. It's sort of like taking an espresso versus a coffee. How long does the caffeine sort of draw out?
So I think that organizations who recognize the relationship with the customer, those long lived things that we actually have are more valuable, more consistently over a longer period of time, as opposed to I'd like all of your profile from a social provider and then I'm just gonna market the hell out of you. And you're gonna dump me at the first opportunity and that's what's gonna happen.
Wouldn't it be then a good idea to learn from customer identity management to treat your employees better?
Well, so that's an interesting implication and I think, I think every employee would like to be treated better. So that would be a good idea. I think it maps nicely too, as we think about the consumerization of technologies. As more things end up in the employee's hands and the access paths start to change, they look more and more like external access. And so I think there's some, some interesting lessons, especially to larger organizations trying to be more nimble.
Thank you very much. Thanks so
Much.