Good morning. Thank you very much.
Good morning. So the nice thing about talking to a bunch of identity people is that you understand the difference between personas. So as you can see, I've got two personas up there: my KuppingerCole persona and my Global Identity Foundation persona. This talk is very much with my Global Identity Foundation persona. So let's start with the trust conundrum. So the next three slides: if you're fans of The Big Bang Theory and you like the titles they use every week, the next three titles sort of were Big Bang titles.
So the first one is the mainframe fallacy, 1964. Who played with one of these things? Anyone going to own up? I was still at school. I was just starting school, actually, in 1964, when that happened. The problem we've got today in the identity industry is that everything we do as far as identity is concerned is predicated on this.
If you were lucky enough, and the gods that ran the mainframe deemed you worthy enough, you were allowed to have a username and log in and access the mainframe, because it was a very scarce resource. It was very expensive.
And the problem is everything we have done ever since is predicated on that. So as we moved from mainframes to minis, and we started to move to servers, and as we started to connect the computers together, we still maintained this fallacy and said, actually, it's too difficult. So what we will do is we will have one central machine that does username and logon, if you are worthy enough to get an account, and we will then distribute that out and let that machine talk to all these other machines out there. But the principle still stood.
We have one machine within our organization, theoretically, that is god (small g) as far as users are concerned. And that's continued.
I talk a lot about locus of control, and locus of control is a control freak thing. Now you have to understand I'm an ex-CSO. I was CSO for ICI, CSO for AstraZeneca. I'm a control freak by nature because I'm a security person by background, and security people tend to that: if I can put my arms around it and control everything, then I can make it work for you. And we do that time and time again when it comes to identity.
So if I can only just get enough information about everything you need to know into my one identity scheme that I can manage for you on your behalf, I can make it all work, and it'll work fairly seamlessly and transparently. And that was a brilliant concept until about 1995, when it ran out of steam, when we started to talk about working outside our perimeters. We started to talk about deperimeterization, the destruction of the corporate perimeter as an effective boundary for anything, be it data, be it security, be it everything else. We started to issue people with mobile devices.
First of all laptops, now phones; joint ventures, different ways of working. Yeah, it all broke down between about 1995 and 2000, but we still maintain this: that somehow, if we can pack enough information into the stuff that I own and I manage, we can still make it all work. And I'm sorry to tell you that hasn't worked for the last 20 years.
And finally, for the first three slides, the IAM falsehood. Again, it goes back to the mainframe fallacy right at the beginning: that my identity system therefore drives my access and management system.
And the problem with this is that actually you should divorce the two. Why should you divorce the two? Who here has an identity system that can talk SAML, or whatever, to other systems? Yes. Yeah. Okay. Keep your hands up for a second. Keep your hands up if your identity and access management system can access and accept SAML from other systems outside of your control, in other words, third parties that you do not manage or own.
Yeah, still a few. Good, but not as many. Certainly I've done this sort of presentation at other conferences where you're talking to IT folk, not identity folk, and you have about 200 people in the hall, and you have about 30 people who say, yes, I can give out SAML, and generally one or two that actually admit to being able to accept it. And the problem is connecting the two together means you've got this contiguous system, where one is dependent on the other.
And unless you split it into two systems and have this thing called entitlement in the middle (we'll talk about entitlement), then it breaks down. And if you don't believe me that this stuff is broken, then just look at the facts around you. 2015 was a bumper year for breaches, hacks, password loss, you name it. How many people here regularly hack their IAM system, their password files, on an automated basis?
Anyone regularly hack your password system on an automated basis? We used to do it at Motorola on a regular basis, and I've done it at every company since.
Typically, if you speak to people who do it, the first time you run a password cracker against your corporate network, you will crack 30% of passwords, guaranteed. In worse cases, where you don't have a good awareness program, it's up to 50%. The bad guys are walking all over us because we still use usernames and passwords. We can socially engineer two factors. They are getting in left, right and center. Yeah. Just look at the breaches. Credit card breaches: typically 95% of credit card losses are down to identity fraud.
Credit card breaches globally are running at 36 billion a year. If identity isn't failing, then why are we losing that much money?
So what is entitlement? The document up there is from the Cloud Security Alliance. It's the Cloud Security Alliance guidance, domain 12, called Identity, Entitlement and Access Management. And it splits the two and basically says, if you're going to work in this cloudy environment with your identity, you need to divorce the two so that you can hand out tokens from your identity system and you can accept them from other people's.
Because the beauty of cloud is that I can work in a disparate environment where I can work with my joint ventures without having to tunnel them inside my corporate perimeter. So I can put all this stuff in the cloud and we can collaborate and do joint ventures and do some really great stuff in the cloud, but only if my cloud identity and access management system, or more importantly the access management component, will accept stuff from all those disparate organizations.
And it's just this: it's about making a risk-based decision about access to data and systems based on the trusted identity and attributes of all the entities in the transaction chain. If you are going to make this work across the whole lot,
you've got to trust the entire transaction chain rather than just a username and password saying it's Paul Simmonds, because we are now working in a divorced situation. We are now not in the nice cozy world where it says I'm Paul Simmonds and it's only distributed to, in my case at AstraZeneca, 138,000 computers in the organization.
If you want a fallacy, there's the biggest one: the IT department says I am who I am, and every other system is expected to believe it. No mention of risk. The IT department says I'm Paul Simmonds, so I'm good to go. But in the cloud environment, we have to do it differently. And I brought my prop. If you have a roll of this at home; yeah, I'm British, we call it gaffer tape. I think if you're American you call it duct tape, bodge tape, whatever. And the problem is we all run our own little loci of control. Usually it's called Active Directory, and we try to put everything into it.
And then, because we have our own little Active Directory, we have to connect our locus of control to other people's. And of course that starts getting really difficult. So what we do is we take a roll of this stuff
and glue it, bodge it, or whatever, into other third-party environments, either your joint venture partner or your cloud environment or your SaaS provider or whatever. And we do it in a whole bunch of ways because we are forced to, because we are using that mainframe fallacy that we've made work because it works for our environment, because we can put our arms around it.
And what do we use? We use reduced sign-on. There is no such thing as single sign-on; any vendor who tells you single sign-on is lying. There is no such thing. At best it's reduced sign-on. I have never met any large corporation that truly does single sign-on. There are always 1, 2, 10, 20 systems that don't connect. So at best it's reduced sign-on, and reduced sign-on is a compromise because generally, on a lot of systems, it involves pushing passwords on your behalf, or worse, tokens. And some of them are pretty weak depending on how old and decrepit some of those systems are that you're trying to connect.
We use protocols: SAML, OAuth, SCIM, OAuth 2, to again bodge this between systems. And yeah, they're great protocols, don't get me wrong, and a lot of really hard and thoughtful work has gone into them, but they're bodging two systems together that weren't designed to be connected in the first place. We resort to provisioning all identities.
So how many times have you had to provision the auditors who want to come in and plug their computers into your system so they can audit them, because you're required to, especially if you're running SAP or whatever? Ernst & Young come in, and all of a sudden the request goes out to security: we need to provision five auditors onto our identity and access management system. So we create dummy accounts for people. We create guest accounts for people. What about cleaners?
If we really want an integrated identity and access management system that works, wouldn't it be nice if I could extend that to my door controls?
So then, guess what, my one Active Directory account works all my doors as well. But of course, then we'd have to provision our cleaners onto Active Directory. We'd have to provision all those people. And we're going to talk about recertification in one of the tracks later, so if that's an issue for you... But again, we bodge it, we create all these accounts. We federate identity.
I will talk about federation, or leave federation and talk about it in a second. We buy into someone's identity management system, whether it's Google, Facebook, LinkedIn, Microsoft, whatever. Or finally, usually because Active Directory, or going into the cloud with Azure AD, is too expensive, we use a cloud authentication glue service. So we go out and pick one of those vendors out there who promises to do something magic in the cloud for you to glue all these things together.
But that's what we do, isn't it?
And what does it look like if you start using bodge tape? That's the result, and that's why the hackers and the bad guys are stealing from us and winning, and why we have all the data breaches out there: because we are building that. So I started to talk about the trust conundrum. So the question is very simple: if A trusts B and B trusts C, does C trust A? And the answer is, I don't know; maybe, under certain circumstances, if I have enough information, possibly. And what you have to understand about federation, first of all, is that federation is part of this massive glue that's going on.
But federation is an n-factorial problem. The more federations you have, the worse it gets. And typically it starts to break down at n equals three, and beyond three, forget it, all bets are off. So let's talk about how we might want to do it differently in the future. So the first thing is: the entity in question should be in control. So who should be in control of your personal information? We went out and asked the question, as you do in surveys, and guess what? 85% of respondents,
and this was quite a large survey, said me.
Not surprisingly. Unfortunately, of course, "a commercial body from a list approved by the government", which is what that should say, or "a commercial body that I choose", are right down at 4% and 5%. Unfortunately, if you are a UK citizen or a US citizen, that is what your government wants you to do. They want you to choose Verizon or one of the other identity providers out there, not what the public wants. How should I control how my personally identifiable information is used?
Again, me, although here, of course, I've obviously got a good number of Europeans in this list. "A government or government-approved regulator should set the rules": so some people believe in data protection and its ability to deliver. But ultimately, me. This is from NSTIC. If you're involved in NSTIC: NSTIC is the American government's National Strategy for Trusted Identities in Cyberspace. Only the Americans could have come up with an acronym like that.
This is from a set of NSTIC slides. If you are going to make this complex glue environment work for 350 million Americans, you need all of this stuff. I didn't make this up. This came off a set of NSTIC slides.
The one thing I have learned after doing 35 years of security is: if it isn't simple, it isn't going to work. Guys, this doesn't stand a hope in hell, if I'm going to be perfectly honest. Trust in my identity must be ubiquitous. There are 3.4 billion internet users out there. We have to make this work for all of them.
You heard Mia, hopefully, at her keynote, talking about the disenfranchised people out there.
Europe and North America are a very small part, and yet that's what we seem to be designing for. We need to design for the billion in India, the billion and a half in China, the billion plus in Africa.
Yeah, Africa currently only has 10% internet penetration of over a billion people. They're the future. We have to make this work globally for the citizens, such that this stuff interoperates so that we can leverage it within our business and get trust. You have to have anonymity at the root. This is a topic in itself, so I won't go into it. But you have to have 100% anonymity for you and I at the root, and if you don't, you can't solve problems like e-voting, you can't solve working globally,
you can't solve the acid test problem, which is: will the Chinese government accept US identity, and vice versa?
Your identity ecosystem has to work across all of this. We're running a track later about how to scale to, you know, billions of users and billions and billions of devices. If you don't do this stuff, it isn't going to work. It has to work across the five entity types, not just people, which is what we tend to do. Personas are the way we fix this. Yeah.
So the join between me and an organization: the UK government gives me my citizen persona, which contains only attributes for which I'm authoritative. It gives context: you now understand how my attributes work in the context of me being a UK citizen, and guess what? They're signed by the authoritative source for my citizenship. And therefore you don't have a liability issue anymore, and all those lawyers go away.
Ultimately, and I go back to the original statement about entitlement,
you have to understand end to end every component and the risk associated with those components, starting with how is the wetware (me) connected to the firmware (the device), so I can make a trust-based decision about access based on every single linkage in the chain, such that in this e-world that we live in, when I'm here and the person I'm transacting with is on the other side of the world,
they can get a complete picture to make a risk-based decision about whether to transact with me. And only then do we eliminate the fraud, the bad guys, the hackers, the crackers, and the people who want to do us harm.
So I'll show you this one later, if you are coming into our session; this is what it looks like. And if you want to go onto Wikipedia, this is Identity 3.0 and what it should look like. The blatant plug is that if you're interested in learning more, grab me over coffee or over lunch. But identity at scale: I'm going to change the title of this track.
It says managing millions of users and billions of things; I'm going to change it to managing 8 billion users and hundreds of billions of things, because that's where we are going. And if you want to learn more about Identity 3.0, then same track, 11 to 12, I'm doing a longer exposition of what Identity 3.0 looks like.
Thank you so much.
Thank you, Paul. I apologize, but for the sake of time, and since you've already pointed out the possibility to grab you later, I'll leave it there. Thank you again. Fantastic.
Thank you.