KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Do any big introduction talks because we have the names and the affiliations here, upstair in the meantime, instead, I would like to invite you and starting of course, with you, if what do, what would you, how do you understand what the digital transformation is? If you want from an identity management perspective? All right. I define digital transformation as an alignment of business models and operational processes and technology that moves offerings from a purely physical or offline mode to more digital and online and automated modes.
Ideally enhancing end users of relationships with the world around them. Can I, can I do a simpler one? Sure. All right. I'm gonna try this digital transformation is providing consistency, right? It's simply providing consistency, no matter what the channel of engagement is with your customer, no matter what shape or size it is, you treat them with the same amount of respect, deliver the same amount of value and do it efficiently. Hmm. Maybe Sounds fair. I think it's important to take the business perspective here.
Not really the technology perspective, it's really in my mind all about simplification for the customer experience, taking friction out of whatever kind of transaction or interaction you have with your consumers or your workforce. I think it's really all about that aspect. And I'll be a little more sweeping in my definition by borrowing Ray Kurtzweil perspective. Anyone ever read Ray Kurtzweil, sort of one of the great inventors in artificial intelligence.
Anyway, his theory was that we're going through an acceleration of history as our technology is developed, and that ultimately will merge with our technology. And that may be a bit too futuristic for your immediate business concerns. But when we worked in identity management, we're sort of on the edge of that sort of thing. We're on the edge of where humans meet the cyber world.
And it does become interesting to consider how it's changing us this digital transformation, because the way that it changes us as humans changes the way we work in businesses and the way we want to be regulated and many other things, Okay. Maybe just to add, I'd like to tend to talk about organizations, not only businesses cause government, for instance, also undergoes this transformation. So it's about connecting organizations and their customers slash consumers in a consistent way through all communication channels.
So a lot of season we might make a good see thing out of the, So it changes organization. It changes the business processes. It changes the business value generation. And it also requires how high level of consistency in all that, what we do there. So this is Ooh, kind of scaring me do to, to start that, to start that, that journey towards, towards this digital transformation, which obviously is happening also a lot around the identity management space, what do we need to prepare?
How, what do we need to do to be prepared? What do we have enough grip on the identities, for example, who what's the start just free this question?
Well, I wanna challenge the question in the sense that you talked about having enough grip on the identity. To me, the thing that's interesting about customer identity and digital transformation is that you have to start with sort of not thinking you're gonna have a firm grasp on this, right? Getting comfortable with things like progressive profiling and progressive proofing that you're going to know more about the individual over time, as opposed to start with a very fixed firm definition of who they are.
You may have a sense for the desired outcome, the user journeys that you wanna send them on, but you're not going to start with a fixed definition of Ian and the value of the relationship. You'll have a portion of it. You'll have a piece here and a piece there. And part of the challenge of the whole business is to, is as Martin pointed out consistency around that connection and delivery. Yeah. I think doing identity is kind of essential to the aims that we're talking about, but it's proximate to the goal you actually wanna achieve. Yeah.
It's a, it's a side dish. It's yeah, you, you have to do it, but as traditionally conceived doing identity, is it it's on it's on the way there to, to, to what you really wanna do.
So, you know, a couple years ago I was here talking about the VE of business drivers of identity. So protection, personalization, and payment is why you do identity. You don't wake up and say, I'll log in today and a, a business or an organization doesn't, you know, Institute identity and access management procedures and buy technology and put it in place or whatever, you know, for its health. I don't think it does.
I mean, may we all have fun doing it, but that's, That's different. That's different When Sasha, when you ask where to start, I think the first thing to start with is to, to understand and widen your view of identity. So in fact, digital transformation means finally getting away from an employee identity view, only going well beyond the consumer.
Well, beyond the customer, well beyond even a consumer I view towards, and you're doing a great job on this identity relation management stuff. Yes. Here around the devices, syncs and all that stuff, which is connected. I think this is probably the very first step to, to say, okay, the days where I treated customers and business partners and employees and all the other stuff independently are past, But Martin, you know, it's going back to consistency. This is the opposite of, we're not gonna treat each one of those in the same exact way.
It's that recognition that the constituency matters and they're gonna have a very different experience, a very different set of risks to mitigate and a very different set of relationship value based on who that constituent is at the point in the relationship with the organization. Yeah. That's all very much contextual on the relationship. And that was brought up in the previous in Dr. Reagan's questions and answers. Was it not only do you treat each constituency differently from each other, but you treat the same constituency members differently at different points in time.
That's a contextual a really good word for it. Sorry. Sure. Sorry.
But, and we've also already carved out this separate consumer identity management sector, right. That proves already that we can't use, we can't repurpose employee based identity systems for, you know, the world at large, a consumer base at large citizens at large.
I mean, there's some technologies and techniques that are valuable for, but it's a different mindset. I mean, you know, when you're doing these things sort of for the top line of the business, you're do you sort of doing them for a different reason? Yeah. If you come to work thinking I'm working in a cost center and I'm working on driving efficiency, reducing risk, right. So employee centric versus I'm in a growth center, that's a mindset for a partner or consumer. It's a very different mindset to do your job Deepening relationships with end users.
If they're consumers, customers, patients, citizens, special of duty of care, well, things that have relationships with your customers and consumers, you know, sort of mixing and matching I'm liking the contextual word because, you know, we, we we've, we talk about responsive web apps, you know, you develop apps to be responsive. I'm kind of thinking that responsive is the kind of relationship you should have maybe different in different contexts so that you can sort of smooth out things. Yeah. But doesn't, our employees want to be served perfectly well.
Like we do try to do with the customers. Yes. But we can abuse them in ways we don't abuse our customers difference between let's say unfortunately, things In augmented reality and what we do with things around the customer.
So, so I would say at the end, it's always the same challenge. So there are, depending on the context, there are sort of, sometimes you focus more on the sort of strong authentication, stronger syndication for high risk stuff your em might do, but the underlying problems are basically all the same and you need workflows.
You know, it's for interest registration, you need a workflow for your approval. You need to Haven't you notice though, that we make employees wait longer and give them worse, more annoying authentication methods than we do customers.
And, you know, our risk appetite changes when it's customers and, you know, a larger payment is at stake and more making more money is at stake than when it's an employee. We do do that.
Don't we, Well, you know, the funny on that very specific example, we're much more willing to wait to not treat chapter one with a relationship as the most important chapter with employees. It's chapter one, how strongly did it authenticate you? And after that With Customers' waiting to like chapter 10, we're like, wait a minute. I wanna know a little bit more about you. Right. And that's a very different mindset. We Know an employee a lot better, you know, day one. We've you seen a lot better.
I mean, come on. That's Probably reason why we have so many internal attackers. Yeah. Because we know that Rat hole, let's not go there. It's a different kind of relationship with an employee. We do. We proof them more. When they walk in the door, you know, in the us, we make them show an I nine and a, and a passport in this thing. And you know, we do similar things here, I assume.
And with, with, you know, a lot of consumers and customers, I don't know, I used to work for PayPal. And it was very important to PayPal that you let them create an account without having provided a funding instrument that comes later because you want to entice them.
Well, there's a whole spectrum of relationships that you have with different constituents and an employee is one of the deeper ones typically. And, and that affects your identity management systems on many different levels, the required strength of authentication, the amount of data that you can collect, the consent that's required.
It's, it's very different for a full-time employee. Of course, there's shade of gradations, a part, a supply chain partner, a contractor all the way down to a prospect. That's visiting your website for the first time. Yeah. I think that difference is summed up in friction. How much friction do you add? At what point in the relationship for the employees? We have a whole lot of friction and onboarding the first login, the supply chain partner activation processes.
We talk about self self-registration is one thing, but activation of partner is very, very different than a consumer getting that PayPal account with no funding methodology, right. There is a very different amount of friction. We sprinkle in at different parts of that user journey. Yeah. You don't do AB testing for, you know, well, you might do for some, for employee processes and things, but you know, probably not for very infrequently done supply chain partner flows. For Example, for consumers though, there's some conflict here in how much data and information you collect upfront.
You wanna entice them to offer more over time versus the, the push, at least in the us markets to personalize and to know where you are, you know, to track you through your apps on your phone now, so that you, when you go near a certain store that where you've established preferences, they alert you to the sale of the day.
So there's, you know, there's, I think a real conflict here of, of how much data you're collecting and the, the use of technologies of, to know where you are in the proximity to certain shops and what have you, you know, there's that creepiness factor that enter The equation. You don't have to over collect to still have an omnichannel experience. Right. I can delight a customer and know nothing about them other than their phone number or their Instagram login. I can really delight that customer. Right.
But I think the default mode is still to collect too much data And that's a bad default. Yeah. Yeah.
Well, and, and this is where, you know, the notion of offering, you know, data transparency and data control to users is a part of ensuring that the relationship with them won't go dark or, or, or that you will have a relationship with them at all. Part of digital transformation is respecting that you will have identity information about them in order to, you know, engage with them at all As a custodian. That's the key part is that you respect the custodial duty you have of your customers, your partner's information. Yeah.
And, and E Ray is a really key point here that as we are in this digital transformation, we have more ways that we can engage with customers or other constituents. Jerry had the example of wanting to send an ad to them right. When they walk by your store. But to the point on respect, that feels really creepy. And it's useless if it's not done with respect. Remember doc soles was speaking earlier about the, the whole intent casting idea where engage your customer by having a customer, tell you what his or her preferences are, rather than blasting them and data, mining them all the time.
It's a whole shift in a way of thinking. Yeah. What over here with the upcoming huge GDPR. I think the interesting point then is that with the content for purpose, we have some game changer for that, because yes, at the end, it means you don't have that cookies thing where you say, okay, we use cookies, click. Okay. Otherwise we, It has to be voluntary. Yeah. But then you need to get a consent and you might even need to get a consent for a new purpose. And you only will get that consent if you give the customer a good reason exactly. For that.
And that's, I think will very much deliver what you were talking about that the businesses need to better explain on one hand, why do I need the data and to be careful with what they collect and then these things will work fine, but it will change sort of the, the balance between customers and the vendors. So what I understood is that the, the, the, the, the segregation of stakeholder groups that we put people in when we do identity management, is going to blur over time with the digital transformation.
So there's no clear separation anymore that putting that person in that bucket, in the other, in this bucket, and that the context will define what and how up to approach that person. So, but, but this is from my point of view, this is only half of the picture because you have, you have the other identities, which, which may not be humans.
So how, how, how does that fit together? So if this explosion of digital devices, I, I think it's important to, that's what I always tell to people when they come up with this issue, differentiate between the physical and the logical view on that. So the physical view might still consist of a couple of different data stores while we should be able to create a more unified, logical view, including the relationships, et cetera.
And I think when we try to, to not always, and I think this is typical reflect that we say, okay, what, when I want to start a customer data or the things, what is the directory or the database to use? I think it's, there's a level which says, okay, how do these things relate to each other? What is our view? What do we want to do? Which services do we want to base on it? And then there's the physical, the infrastructure layer below it. I think it's very important to succeed, to differentiate between these two layers, But that's an identity professional talking about customer identity.
That's not the business the business talks about, well, I think He was talking about identity of things In this case. No, no, no, no. Hold on Technology, If you're not describing the onset, what the user journey is, what the individual's journeys are gonna be in with respect to their Silicon proxies with their connected devices, with these things. Then if you're already starting with, well, we're gonna have this kind of repository of that. You've lost the conversation.
If you're gonna make it anywhere with your stakeholders, you've gotta speak about user journeys in a connected set, but It wasn't the question of ser ser asks. I think what I answered. Yeah. Going back to the question.
So, so, okay. Let me be more precise and give an example. So today's physical identities are maintained in companies in the company's context in so-called CMDB. And those working with these things know this works go rather not so well, let me say so they're, it's kind of difficult to get, to keep them updated and to be, to, to have them also well managed and, and to have corresponding responsibilities at attached to.
So, and if my, my feeling is the problem that I see is that if we stick to the area of managing people with identity management, we forget part of the picture, the more intelligent devices will be the more they will act on behalf of people. The more we might also need to take them into our identity management picture. Yes. I see what you're saying. Okay.
Actually, I would completely endorse that. I mean, if you see it as an E R P problem, if it's, you know, devices are just things that go into an E R P system or something like that, and you don't see them as having identities, then we've really got a crisis on our hands.
I mean, one of the things I've noticed about the internet of things, conversation is there's been perhaps a faster awakening to the problem of IOT security and privacy than we've seen with digital services generally, cuz certain things have been seemingly more of a nice to have according to people who aren't security and privacy and maybe identity pros when it comes to just online services and APIs than it has been in this suddenly interesting IOT era where you have what I call device identity theft, you know, you have Bricker bot.
And before that this series of, you know, malware attacks that are caused by what is clearly an obviously device identity theft, because you have default passwords that are sticking in devices, you know, as shipped and basically it's, you know, identity theft of, of the credentials, the weak credentials in these devices. And if you see them as having identities, kind of like people really not that different from people managing it as an identity and access management problem, other than the fact that they don't log in, like people looks like a pretty attractive proposition.
That's at least how at least my company has been treating it. And it, it seems to be really successful. And so the conversation that we've been having has been pretty well received.
So I'm, I'm kind of, I don't know. I published in a thing called the IOT agenda, some articles and the analogy that I was making, at least when it comes to privacy was, you know, how everybody see the thing about United airlines, the very embarrassing thing that happened, which one, Yeah, maybe more specific the re accommodation, The re accommodation, the re is the thing I'm thinking of, not the most latest thing and the thing with Delta and the other thing and the other thing, right.
But the original thing with United airlines where the guy was hauled off and, you know, bloodied up and everything. So that's a compliance oriented way of treating a problem. Really? Did you just, Yes I did. Wow. I went there in the article. I went there. Your Relationship with auditors is weird. What I meant was now apply to privacy. You have two ways of solving a problem.
You, you know, one is to say, well, according to the law, we should be okay. The other way is to say, we need to build trusted digital relationships. And that's what I think the proposition is now with digital transformation and identity is to say, well, we could say, we're, we're fine. According to the law.
Well, but that isn't building trust and that's what we have to do now. Not. And there may many Cases not expand your business and Well, well true, but there may be many cases where there's no applicable law yet.
You know, there's so many scenarios that are possible here. I think, I don't think we've gained them all out.
Well, The same applies you should, your high water mark should be above whatever you think is just squeaking by. Yeah. And that's what will determine whether a regulation like GDPR will be a big freeze for you or whether it'll be an opportunity to expand your business by picking up some of the customers that leave your competitors that only follow a compliance led approach. And don't do anything to engage the customer in this control shift that we're seeing where the customer is now needs to be put in more control of their data so that you can have privacy and choice.
And yet still the best companies can interact with people in the digital transformation, expand the use cases and expand their business Well, and the same is true for security because as everyone knows, security compliance is not the same thing as security. Yeah. So summing up somewhat because we are more or less at the end of our, of our recession. I think they, the different topics ultimately seem to come together and, and give us a close picture. Can we have the results of the poll please? If possible? Very good. So this is what our, what the audience is actually responding.
Do you think that digital transformation we transform the way we do identity management? Yes. Fundamentally 50%. There you go. Any closing statement you would like to make regarding these figures? I think it's about right.
I think, I think what the audience is is showing is that if we have a principles driven program, right, if we are doing things from a position of ethics and principles, we apply those generically and that's good, right? That we have consistent application of that. What will change is our stakeholders. And that feels like a fundamental change. The language use is gonna change. That's a fundamental change. Our value to the organization is of one of growth. That's a fundamental change, but I see a lot of agreement actually in, in these figures. Good. Sounds fair. Thank you very much.
It was a very interesting discussion. I thought.
