Please come to the stage.
Welcome.
And
The stage is yours.
Thank you everyone.
For, for attending. I was worried there when I was first up at six 30 and the room was empty. I thought it might be a very long talk 20 minutes. So thank you for attending I'm I'm. As Martin said, I'm with CA technologies, quick show of hands. How many of you've heard of CA technologies? Okay. A few people. How many of you have CA technologies products in, in your organization? Okay.
Just a, a few here. So we are a software company focused on security, API management, agile. We have dev software, a lot of mainframe software based in New York, but have a global presence. We've been have an office here in Munich. If you haven't used a CA product, you've probably experienced it today.
Over 13,000 card issuers around the globe, use our payment security offerings to secure between two to 300 million credit card transactions online or, or credit cards online, literally billions of transactions a year.
And that's actually a critical part of our consumer strategy and how we're helping to manage consumer identity, which I'll talk about in a little bit, but what I wanted to focus today's talk on is a problem or a challenge that's emerging in our customer base is we look at large organizations who are depending on identity to drive collaboration and consumer identity, instead of creating fixed relationships, they really want pre-fabricated identity and enabling be more interoperability and sharing of credentials. Two specific examples. We're working with a very large aircraft manufacturer.
They have about 300 partners that federate in for access, but in reality, they could do 3000. And the question is, how do you scale that? How do you do it very quickly? On the consumer side, we're looking at consumer the positioning that the place where you're engaging consumers is constantly changing. Sometimes you're consuming identities from Facebook.
It could be a credit union or, and the variety and volume of places is increasing drastically. So let me set this up a little bit for, you know, like if, how many of you've been in identity management more than 10 years, big show of hands.
Okay. A few people.
Well, like I started my identity management career in 1997. I, I was like 12 years old at the time, but effectively for the past few decades, we focused on managing identities that were largely in the perimeter, like, like literally devices or computers, people that we literally knew that we could identify.
You know, even if we moved forward to the nineties, contractors and partners, we were literally, you know, one or two degrees of separation away. So like, like when you're in this kind of world, you're, you're looking at when your contractors federate in what devices they come in from what browsers they come from.
Like, like those are things we know how to do very well. If you've got employees, you source 'em outta the HR system, you give 'em access to applications. You turn that off. When they leave, you manage contractors, etcetera. And for the most part, whether it's efficient or not, we can take intellectual control of that problem.
Pretty, you know, pretty effectively the challenge arises when we need deeper verification. And I'll give you some examples of this. Like when we need end degrees of verification, where the path of trust is no longer fixed. And this sounds like a setup for blockchain night, which maybe this talk should have happened before blockchain night.
But you know, today when you look at the way we build relationships, we're looking at, you know, related lines of business, people are managing identities, business partners, your partners, partners like, like what happens though, when you can't fix those relationships?
What we're seeing is a trend where deeper levels of specialization in the digital economy are forcing a lot of our customers to require Pret trusted relationships in the event that they need them.
And, and what it's doing is it's forcing a lot of companies to increase the radius of digital identity. And I'll tell you what that means in, in just a second, but let me give you an example. So this will be a little more clear. The center for disease control is one of our largest customers, literally 15,000 employees, you know, 11 billion in budget operating in 66 countries. And like part of the reason we, you know, we don't get overrun by pandemics is because literally the center for disease control and other health organizations can collaborate very effectively.
You know, a disease breaks out somewhere. They get on the ground, they figure out how to contain it.
They collect data, they start looking at outcomes, connect that to trials and they can quickly figure out how to respond. The challenge is that despite the breadth and depth that they have today, they need to connect with more partners than they ever have before, you know, Ebola breaks out in New Zealand, which it hasn't. So don't cancel your trip, but, but if it does, they need to quickly connect the healthcare providers in the institutions and labs.
So they can start collecting data and collaborate. And that takes a little bit of time. We're working with them on how to accelerate this process. But that requires a world where trust has to like pre pre-negotiate it, right? Like you have to use some sort of identity broker, some kind of provider to help pre-negotiate that trust because you need to do it at scale and you need to do it very, very quickly at a long period of time.
The other thing that's happening here, and we're seeing this across, and you may see this actually in your own organizations, is there, there are pressures in the digital economy that are forcing deeper, extended identity. Number one, we're building an API economy. If you're a BA bank or a FinTech company, you expose APIs companies build applications on top of that. And there may be other services built on top. There's this layer on the API, the question becomes, how do you trust the users? How do you trust the, the devices? How do you trust those applications?
What's the threat of identity from the beginning to the end and how accountable are you? Even as we look at their more cross-border consumers, I was sitting with the, the state of Louisiana. If you haven't visited the state of Louisiana, the United States, or a small state next to Texas in the us, we were all of a sudden the topic of GDPR came up and the CIO from the state of Louisiana said, oh, we have GDPR requirements.
And I go, how, like what requirements for GDPR there in the state of Louisiana?
Well, it turns out over a hundred thousand European citizens, own homes go fishing and hunting every year in Louisiana, they need cars, hunting licenses, fishing licenses. And so they are a data controller for European citizen data, right?
And, and we're seeing this trend all over, more people are doing shopping cross border. And what it requires is that we know who those people are and can trust them, protect their information effectively. And at the same time, we're, we're taking advantage of a broader cross-border labor on demand market at the same time.
So, so the, the pressures of specialization change it. I wanna give you an example in the banking industry, that'll make this a little, maybe a little more clear bank. LACA is a customer of ours. They use our, our identity software, but they're a good example of this expanding digital identity radius.
Literally, if you're, if you're in the banking industry, the big challenges, there's a disintermediation with the banks, FinTech companies are moving closer to the customer, disintermediating banks and, and, and today 80% of a bank's wallet share is determined by the primacy of that relationship. And they're losing that relationship. So banks like bank Laka, cetera, are on a path to use digital identity, to increase trust, and actually get back in front of those customers.
And it's, and, and this example, he talks about like, you know, the customers are on Facebook. They could be on a credit union or, or lending club or some other place, but this target is constantly moving. I'll play the clip real quick.
Our customers are for us information. They're dealing with them and they are living in a world that it's more and more digital that's in. That's important. So to embrace the way they are acting, now there's a new party party.
And, and they use the social neighbors. They use the new devices, so are constantly online and, and the more convenient way to communicate with customers, the more convenient way to offer them services is to be very close to the digital world. So banks are now transforming the, the, the main business to a digital business, of course, so that this is something that interacts. We embrace that in the first stage being present to the, the, the main social media network that are in the world. The second states was creating our own social networks for segments of customers. That was interesting.
So some of them take value from sharing some common interests for, for instance, more old people, sharing government interests when they are tight in a,
Well, it goes on, but I think you get the point is that there's an endless supply of places where you are creating touchpoints for your consumers. And more importantly, I'll give you a retail example with loyalty programs, you have a gas station and a, you know, a grocery store that want a network, you know, share customers and drive incentives. They've gotta now be able to share identity data on a massive scale to do loyalty programs.
The challenge we have is that there's a price for trust, right? And, and that's typically the credentialing process, et cetera. This data comes from an open identity exchange study that was done a couple years ago that look at baselines and averages for what different industries were charging to do credentialing. And then these numbers might seem relatively small, but when you multiply them on very large scales, they become very costly.
And I'll show you an example.
So when you think about it, you know, regional governments at $5 and 60 cents, and, and what's happening is that as we do this across the applications and services that we provide, the numbers become pretty, you know, get very large. And what's interesting is this, the national Institute of standards did a study in the us government, at the tax, the IRS, the tax department around what that would look like.
And it turns out that us tax organization serving, you know, millions of hundreds of millions of citizens has a 5 billion of identity fraud every year, a really large number when you think about it. And, and so, but as a result of that, they looked at about eight different applications, looked at their credentialing costs. And the net was, if you could use a trusted relying third party or credential exchange, you could literally save, you know, just across these eight applications, 635 million a year, and quickly you, you move that across a government or any other large network of institutions.
You can see the tremendous economic impact. This has overall. They're also a very large CA customer today, and that has a result. We've been involved with them and collaborating with nest on this study. But they're one organization that demonstrates identity at massive scale, literally 140 million American citizens literally pay their taxes and sign on through CA's SSO. They have a over 110,000 employees and across 50 different agencies, right?
Very, very large scale. But despite that scale, there's this demand for much more dynamic relationships and greater trust that they require. I'll provide another context for you, which is that as we, the way we look at it today, like, you know, if you started your career in like the 1990s or the, you know, early nineties, there, there were a handful of people that had accounts to the proxy to get on the internet, right?
Like, like the few, there were a few people who could do that and your career was going somewhere if you did.
But today, like, you know, we cross that boundary every millisecond, right? Like it's tremendous. And as we move forward, a decade later, applications, chat, web, web service, et cetera, like emerge. We're under another equilibrium.
We're, we're in a new equilibrium now, which is we're looking at just an explosion of devices and applications. The question, what we're really making a decision on is which devices, people, and applications to trust. But in reality, for many organizations, it really looks like a multiverse. It's a decision up which partner organizations, applications, and devices do I trust if you're the IRS working with the department of justice or working with any other agency, you've got all the people in those agencies, their devices and applications that you have to establish relationships with.
And it becomes very challenging. Go back to the center for disease control. Imagine setting up relationships with, with, with organizations in another country, dealing with their compliance regulations, in terms of what data they can share and setting up access control.
Those complex relationships are, are becoming part of the barrier of how quickly we can scale this. So what it does is it creates a whole new set of requirements, multiple applications to map to multiple audit standards, you know, multiple authoritative sources.
One of the ways we're tackling this is to take some of our threat analytics capability and move it to the cloud. We recently launched a product called risk analytics network. That's specifically for banks and card issuers that can literally look at risk across multiple clients. If it invalidates a device on one, one for one bank, it's invalidated across all the banks, the studies show that we can literally reduce the amount of fraud by 25% by centralizing the intelligence and risk analytics in the cloud environment.
One of the ways that the agencies and our customers are tackling this is by looking, having a common framework that they operate with identity.
And this is kind of important because instead of looking at it as an access challenge, a Federation challenge, a provisioning challenge, they are standardizing the way they talk to partnering organizations about identity management.
And I'll, I'll give you an example of that state of Louisiana, the customer of ours, they were looking at modernizing their healthcare enrollment. They decided that instead of creating a one off scenario, they were actually gonna create one shared service that would operate for data sharing across every agency in the government, and also become the foundation for their citizen services. Like if you worked in the government, you know, like the government is pretty much siloed. There's department of motor vehicles, et cetera.
But if you could share data and set up a single identity, you could solve that problem. And I'll let them talk through it because I think this is probably a good example.
I don't think a lot of people have a great experience when they're working with the government. So currently, if you are a citizen and you interact with, let's say office of motor vehicles or tax, or really any of our other services, it's a different ID. It's a different account that data's not shared. So your experience as a customer is
Fragmented. We're in the process of going through a pretty big transformation.
And what we have to do is ensure that what we we build today is not around the technologies or the needs of today, but what we're projecting the needs of tomorrow, be we like to look at how the industry is approaching internet browsers, how the industries are approaching tablets. We need to be able to take that same approach and create technology that is easy to use and intuitive for our, our constituents and our
Customers.
The vision is that there will be a single sign on Porwal for our citizens of Louisiana, and really bring the data behind those services together for more cohesive experience for our customers. They see the government as, as one single entry point in reality, there's a lot going on in the
Background. I got data center operations over here. I got my server guys. I got my storage guys. I got my network guys and gals, I got my end user computing. They're all siloed. They just throw things over the, the proverbial wall.
When we start looking at a service oriented approach, those walls have to disappear, and we need to be able to provide it as a service that can be consumed. And more importantly, it reusable
CA had the right set of tools to really fit in with the direction we're going from an identity and access management standpoint
And great setup there for microservice architecture. That's like, you know, we're seeing that pattern as well throughout all of our customers. And they depend on three things like as they work across agency. And this is the learning experience.
Number one, robust levels of identity assurance and how you credential improve to reduce the redundancy. Secondly, like, like working out a model where that stuff can actually pass across as assertions within Federation, and then standardizing the way we do authentication and then different form forms of authentication. Like if you're coming in for a hunting license, you need very different, you know, authentication, or you may not have to collect biometrics versus if you're coming in for a driver's license, et cetera, you definitely need a picture.
The other thing, you know, and I'll, I'll kind of gloss through this quickly. One other organization use department of agriculture, very large doing the same thing in terms of pattern of tackling this problem.
The learning experience here for us is pretty straightforward is that there's not a silver bullet, but what we focused on is creating a steel threat of identity. And the learning experience is this one it's, self-service right, as simple as possible.
If when you make it easy, people participate and they do more second it's omnichannel, it's across multiple devices, web interfaces, et cetera. It's about human device relationships. You're making a decision to trust, not only the people, the applications and the devices and, and the devices they're coming in on. And it's about the applications.
You know, there's a study by the, the software engineering Institute, Carney Mellett Mellon that tracked a series of its tax. 90% of all of all data breaches can be traced back to or utilized weaknesses in the application as a form of attack vector. The last thing I wanna say is that it can actually make us relatively safer.
This data comes from the, the Verizon data breach investigation report. It shows hacking malware and social engineering. 70% of all malware literally uses identities and attack vector.
And 60% of all, all the mal or 60% of malware use identities that attack vector and 70% of all hacking uses it as an attack vector. We, you know, the, the last thing I want to close on is, you know, if you're thinking about identity, it's more than just who you are today. Your behavior is a form of identity.
Like, so it is literally what you do. And most importantly, I think it's the foundation for trust.
Yeah, that's it. Thank you,
Martin. So thank you Naish. When I trust looked, I think we hadn't questions yet. So even while it's late, and while you had a tough day, don't forget to submit questions for the next keynotes.
Anyway, I think this was very informative, also the insight from your customers on what you're doing. So very helpful. And thank you again for your great keynote. Sure. I appreciate that, mark.
Great.
Thank you.
Thanks, bye. So you might have noticed.
