So hello, everybody. We are thrilled to be here tonight. I'm Victor Ake from ForgeRock, and with me I have my colleague Allan Foster. So we've been talking about digital identity for the Internet of Things. And we are wondering, why IoT? Well, IoT is part of the digital transformation, and we can apply IoT technology, for example, to produce new products that are digitally enabled or IoT enabled. We can use them to enhance the customer experience, to automate industry, or Industry 4.0. And in general, we can use it in several aspects of a business.
In fact, we have seen several businesses completely transformed already, like the automotive industry, where we were talking about cars, but nowadays we think of them as platforms on wheels, right? And we can also see IoT as a new delivery channel, a channel that we use to provide new services, dynamic services, products that change with time; we can update them, we can configure them remotely.
We can use them to enrich the interactions with end users, and we can use them to update and add new features on the fly, and to optimize.
For example, the use of a product: we can measure if the product is used with certain features and use that information to feed back to the manufacturing line, and then focus on that specific feature that our customers are using. But these are the positive things that we can say about IoT, and everybody talks about the benefits, but there are things that we need to take care of when using this technology. One is of course security and, of course, identity and access management. So if we talk about digital identities, digital identities are also a core part of the digital transformation.
And we are very used to this scenario, right? So we know how to manage human users. We know there are humans of all flavors and sizes.
And for example, we have consumer users. These consumer users are very demanding. These guys, for example, ask for very secure interactions but with very low friction. These guys might have their digital identity scattered. They can come with their own identity, using an external identity provider, to access these digital services. We think we are very familiar with this scenario.
However, we still have data breaches. So think now about devices and things.
In fact, these new entities also have a digital identity. They have a collection of traits, and these traits could be used to identify them uniquely. So that basically gives us an identity, and we need to also follow the traditional life cycle of an identity. For example, we need to verify that they are authentic, because in this case we can have rogue or pirate devices, and we don't want to offer digital services to these kinds of devices.
So first we verify that they are authentic, and then we can register them.
And then after that, we can authenticate them. There are different ways to authenticate them, and I'm not going to go into the details of that part. And once they are authenticated... in fact, we need to authenticate these devices and the endpoints that are providing the services mutually, because we have seen scenarios where the device is sending the data to the wrong endpoint, right? So we have to authenticate mutually, and we want to also control the access to both the service and the device. So we want to give access to the right people, or to the right services, or to the right devices.
And of course, if the conditions under which the authentication or the interaction originated change, then we need to change the security also.
So for example, we start to use a device at home, and that device moves away from home. That means then we need to step up, maybe in security, in authentication, by sending, for example, a message to a human user. Sometimes these devices operate independently. This is typical,
for example, in the industrial IoT: these devices don't need to interact with humans. But with consumer products, usually we will have an identity, a user identity, associated with these things. And what happens here is that, for example, we will need to pair the identity of a user with the device.
The human user will consent that a device can send data on their behalf. So we need to associate, or create a relationship between, a human and a device. And that device then will send data to a service. It needs to recognize that the service is a valid endpoint.
It will send that data, probably tagged with the source, the origin of the data, and the owner of the data. Why do we need that? Because then the data could be accumulated.
It could be, for example, some data that a human user can use when accessing the portal, and maybe in the future share that data with another party in an ecosystem. Let's think, for example, of some service that is collecting my health information, and I want to share the data with my doctor. And of course I need to be able, as a human user, to revoke the consent that I previously gave, but also to delete the data that I allowed to be created in the first place. So this is to comply, for example, with certain regulations for privacy and consent.
So as you can see here, everything and everyone has a digital identity, and there are also relationships between these different entities.
You have relationships between users and devices, devices and services, and services and users. So in general, we come back to the problem of handling the identity life cycle of these entities, right? With other issues associated with it. Like, for example, we have now more devices, more entities, and then we have to scale up. We have to be highly performant. We have to be highly available, because these devices need to be on all the time.
And we need to also be compliant with regulations: privacy regulations, consent regulations. We need to be able to keep those consents stored somewhere. For example, we need to be able to revoke those consents. We need to keep that data also safe and private.
So how will we fix that identity, or that set of identity requirements? You don't want to do that in silos. You don't want to fix the problem with devices, or with users, or with services separately. We want to think of a whole or holistic solution that tackles all these requirements, right?
And we do that with an identity platform instead of very individual solutions per silo. And we need to also cover this end to end, from the device to the service, going through a user, for example. But things don't stop there.
In fact, there are occasions in which your system will be partitioned, for example, in edge partitions or in clouds. So your identity platform needs to be very flexible, so as to be deployed as you need it. For example, in the case of edge devices, this is a typical example of the industrial IoT or Industry 4.0.
You will have devices talking to each other that don't need the intervention of a human, right? So maybe you need an identity and access management edge device that is able to provide those services there,
even if there is no communication with a central platform or a platform that is remotely located. And the same could be applied, for example, in the cloud. Nowadays we see applications that are not monolithic anymore; they are more microservices. So these microservices are entities that also have an identity. And when a microservice talks to another microservice, they need to authenticate with each other. They need to authorize each other. And they actually need also to carry the identity of both the device that is sending data and the identity of the user that is using that device.
So things don't stop there. If we get more complex, you can think of some entities that behave as systems. Think of a car. A car is in fact a collection of sensors, actuators, and processors that talk to each other. Each of these has an identity, but they behave as a unit or a system when we are driving. For example, this car is owned by a person; this person probably consents to send data on her behalf to a car manufacturer portal, because then we can collect data about her driving patterns.
And she could be very happy to share that information, for example, with an insurance company, so she can get a discount because she's a good driver, right? And she can authorize the car to use her bank or her credit card to pay the tolls or to pay the parking. And probably she can also allow her partner to drive the car. So all of these are relationships that are created dynamically. So all this information can also be used, for example, to enable policies, to enable access, to enable security, right? What happens when somebody else wants to buy that car?
What do we do with those relationships? I'm going to leave my colleague, Allan, to talk more about that. I'll pass the clicker to him.
I have the clicker, I have the power.
Thank you, Victor. So Victor's drawn a pretty nice diagram up on the screen. We've got a whole bunch of identities. We've got a car, we've got all of these IoT devices and, to me, one of the key things we're looking at here is this phrase: relationships. As we start looking at IoT, and the number of identities starts climbing way up into the hundreds of millions (we're beginning to think into the billions, the tens of billions, and things like that), the real challenge that we end up having is that the absolute identity stops being important.
And what really matters, right, is not who you are, but who you know. Something my dad said to me when I was about so high, and I guess it's now coming true. The reality about it is that every single one of us in here who owns a motorcar, that car has a unique identifying number,
on a very nice little panel up by the front window. I don't know mine. And I doubt that there are very many people in here who know yours.
However, we all know exactly what we are talking about when you talk about your car or my car or my wife's car. So what really becomes important in here is how these individual devices are related back either to people identities or to non-people identities, right? Other kinds of devices. And so, coming back to the diagram that we have here, those relationships are the context that we have to start making authorization, authentication, and access control decisions about.
And one of the things, as we start diving into the IoT space and the number of those identities goes up into sort of unheard-of kinds of numbers: it really does come down to this issue of trying to establish the context and how things are related.
So when we look at IoT, one of the problems, one of the mistakes, one of the errors that many of us make is to think that a device is somehow easily related to a person, that it's a nice, clear one-to-one hierarchy: oh, it's Allan's phone or it's Victor's phone, and we can map it up with that.
The reality about it is, when we start looking at devices, they are not in a hierarchy. They end up looking something like this, right? We have a graph of different kinds of objects. And more importantly, as we start looking at these devices and these things, they generate multiple kinds of information that may well be owned by different people in different places and used for different things. And so it ends up giving us a very complex infrastructure, and it's really identity that gives us a frame of reference that we can use to tie them all together.
If we know who or what we are dealing with and how they're related to other objects, we can start bringing them all together. It's that simple frame of reference that we have to deal with, instead of having to learn each and every discipline's way of dealing with things. What identity really gives us is the underlying math, right? It gives us a calculus that we can talk about it with. And we can start looking at identities and see, across the entire ecosystem, how they are connected and what those relationships are.
So looking at the individual devices, you can sort of break IoT down into two kinds of things. There are things that generate streams of data, and there are things that respond to streams of data and execute commands. Many of them do both, but let's break down these two kinds of tasks, right? Things that generate data: all of these questions that we are looking at here, they sort of look familiar.
They're the same questions that we've asked about people all the way along, except there are now multiple streams. We've got the thing generating data. Can I trust this thing?
There's a story in the US right now with John Deere tractors, for anybody who's into farming, where John Deere sells these $200,000 tractors. And now they've got authentication between the devices and the tractor, so that the farmers are not able to change the alternator in their tractor without the mechanic coming out and plugging a USB device in and introducing the alternator to the tractor. What the farmers are now doing is buying some kind of pirated firmware so that they can hack their tractor and get around those kinds of problems. Can you trust these devices?
How do I know which thing this is? If we look at the other side of the coin, right, when we are responding to data, we're executing commands: where are they coming from?
Who told the brakes on this car to stop? Who caused the engine to actually quit? Right? These are the kinds of things where, if you are dealing with people in a car, you need to be pretty sure that it was the brake pedal in this car that told the brakes to actually stop. These are the same problems we've had with people all the way along, right? We are dealing with: who are you? Are you able to do this?
What can you actually deal with? They look a lot like people. And so we attempted to say, well, if it's the same kinds of questions that we've dealt with for people for the last 20 years, why don't we just overlay the whole thing that we already know how to do onto these new devices? And then there are problems there. The big problem that we come up with is that an individual device often has far more identities associated with it than we had with people.
A single device may generate... let's think for the moment of an oil pump on a jet engine. The oil pump has data that is being generated for the company that makes the oil pump. It's also generating some kind of data for Rolls-Royce, because they've got the jet engine. It's probably important to send some of that data to the pilot, because, you know, he's kind of responsible for the whole plane, but then United Airlines probably want some of that information, as does Airbus.
So we've got multiple players involved here, and the data streams that are there are probably quite different, and we've got to keep track of how those streams are tied to the individual relationships. One of the things that Victor spoke about a little while ago was the issue of a platform. And I keep coming back to this issue: when we start dealing with IoT, it's not about managing access, but about managing context.
It's about managing where the device is, who it's connected to, what are the other devices around it?
And in order to manage context, we need to have a basic underlying platform so that we all speak the same language, because otherwise what we end up with is actually a lot like my home right now, where I've got magic lights that go wonderful colors and I've got a Nest thermostat, but the two of them don't actually talk to each other. And I have all of these different silos of identity. As we start moving into more and more places where these IoT devices come into play,
we end up having silos where they don't know about the identities, and therefore we don't propagate the relationships, and we can't make those kinds of access control decisions that are needed as we start moving into the complex IoT space. And that takes me right to the top of 18 minutes. How about that one?
Thank you. Thank you. Great time management from two people, I must say. Thank you. Can we see the questions, please? There are two questions.
There was another one. There. Okay.
One was: it's easy to attribute a relationship between an object and a person in case you have a personal device like a watch or something, or maybe even a coffee machine, but what about industrial IoT?
Yeah. I mean, these relationships can get very, very complex. Okay. And often the relationships, much like the oil pump in our jet engine... Yep. Right. Often it ties into many different identities who have different claims of ownership on that device. Often the data subject is not the device owner; it's coming from somebody else. Even when you start thinking about medical devices, right?
The medical device has to be able to give monitoring information, and whether it is working correctly, to the manufacturer, but it's also dealing with very specific information about a patient. And so yeah, we start dealing with all of these different relationships, and that's what makes it much more complex than simply dealing with a manager.
And these relationships are dynamic.
So you can say... yeah, do you actually work with information classification technology? Because they may actually make a lot of use of that relationship information, for classification, for example. Do you have any experience in that?
That information could be used in several ways. We don't have a specific way to deal with that information, but yeah, it could be, for example, applied with cognitive systems, analytics systems, to, for example, evaluate policies that give you, for example, the right access, the right control to do something at that specific moment.
And I think a lot of it is that IoT is a very young discipline, right? I like IoT because it's one word that means everything and nothing at the same time.
And what it comes up with is that we have already seen lots and lots of IoT devices that haven't taken any of these things into account. Oh yeah.
And thus we had the DNS attack in the US. When was it?
I don't know, three, four months back. We've got, you know, baby monitors bringing down the internet and these kinds of things. And I think a lot of it is a learning experience, as all of these devices start realizing that they really are in a complex identity ecosystem.
And what scares me more, personally, is that I have attended several conferences that are very specific IoT conferences, and nobody speaks about security, about identity.
They focus on features and functionality.
Absolutely. But that's where we were 15 years ago.
So they need to have a steeper learning curve. Correct. Thank you. So.