So maybe of course we are now all on side. So what's about you Ivo some short, okay. Sorry about you Ivo some short, brief words from your side, what you're doing, who you are and what we can expect for the panel.
Yeah. So my name is Ivo Vandorn. I'm one of the lead solution engineers for Auth0. We were recently acquired by Okta. So it's now Okta Auth0.
I am, this is my first event after Corona. So this is I'm really excited to be onsite again. So my expectation on this panel is just to have a good fruitful discussion.
Well, what I do at Auth0 is I help customers or prospects evaluate Auth0, implement Auth0, specifically in the Benelux and Nordics region.
Thank you very much. So what we can hear from you, Oliver, Oliver.
Yeah, actually Holly Crips, I'm the senior vice president EA at Onfido, which is one of the market leaders in identity verification services worldwide. And I'm looking forward to a very interesting conversation. And I tried to do this with a lot of competent simulation because I'm the sales guy. So that will be interesting.
Oh boy.
And now we're talking.
Okay. Martin Kuppinger, I think most know you. Maybe a formal note because I'm also here in a double role. There's a mask application for these rooms.
Usually Analyst, you drink something unless the, the discount can, the only auditorium is excluded from that aside of that. I don't think that I need to introduce myself here. I think all of you know me.
So thank you all from your, my side. So my first question to start with our panel would be, how do you define identity centric security? Because that's the topic of our panel. So starting, maybe with you, Oliver, what's your opinion on that?
So I'm, I'm working in the security industry for a quite long time. We know each other for a long time as well, and very long time, very long time. And I think whatever technology you use or whatever always was trying to put already these security on the centric way onto the ID, the problem was that the ID was, was disconnected from your body. Let's say it this way. And the new way, how it is is that the ways how we use centric security nowadays will become much more closer to the person themselves and makes it this quite hard to get around it. That's in a nutshell, what I see.
Yeah.
I I'd follow onto that in that the way I see this user identity or the, sorry, what's the exact wording.
So the question was, how do you define, or what do you think of when you hear identity centric
Security? Right? So identity centric, identity-centric security. The way I view it is that it's, it really puts the user centrally, as in the user has the device. And that device has been, they've put their fingerprint on it. They've trust, trusted that device with the fingerprint or they've profiled their face. Users themselves are becoming more lazy or agitated in providing username passwords.
So the user themselves are themselves the identity in order to log into services or access services, they don't want to actually use their username anymore. So you see a sort of a paradigm shift towards the user being the first factor as of the user themselves, and then the device that they're on. So they're very linked together, which does open up new problems in that. What happens when that device is lost, which I, you know, that does mean that there needs to be better self-service ways of, of restoring access, but that's how I view how, how I view it.
So,
Yeah, so I, I would have two, two thoughts on that. The one is, can there be security without identity? No. The second is look at the evolution of zero trust.
Yeah, it started 11 years ago, or so it started with zero trust networks today. Okay. Still a few vendors talk about zero trust networks because they sell trust network stuff. But basically everyone talks about zero trust in a very different context. And the center of zero trust today is identity because that's where we have a good grip on and at the center is the other side, which is the access. The service is what you do with that.
The data, hopefully more in future the software, like we've learned with SolarWinds and Kaseya incidents, where we also should not blindly trust, but it really shifted. And, and identity became at least I would say it really shifted to the center of attention within zero trust.
And I think also when we look at what we learned from work from home scenarios yeah.
So, you know, what was, what we could control. And I think so a couple of companies coming really in trouble with their VPNs at the beginning. But if you just say this is Martin, and I know that this is Martin and I control the access and I have a secure communication in between, then you, you have done a good part of the security. So identity and security, this is a combination it's, it's, it's tightly related and we shouldn't try to keep it separate. Yeah.
Great answer Martin.
But that, that directly leads to my second question, which is already partly answered by you, but maybe also Oliver and of course Ivo can join in. So, because that would be, how does, from your perspective, identity-centric security relate to zero trust in this paradigm. Yeah.
So again, long time ago, I'm much older than I look like.
So for me, the thing is, it's always, how do I enforce this kind of stuff, because we could have already done 10 years ago to enforce the security things where we made sure when someone has a badge and can access special rooms and we allowed as a community that this badge was used by someone else. Yeah. That's the problem. So now with this identity coming closer to the, the person himself or herself, of course, it's quite hard to steal a smile. It's quite hard to steal an eye, even though we see a few interesting American movies sometimes, but that is the point. It is.
How do you enforce the security and also how you allow to this enforcement to be done? Because then there's always this fine grade between enforcing this, but also protecting the privacy and protecting the employees when it comes to few things.
So this, the good thing is that I'm selling solutions and I'm not consulting on this one because that's a different story.
Right? And I think what's also important there is, is finding that balance between user friction and the security itself. So the lost device analogy that I just used in my, my first question or my first answer is, you know, you do lose that device or perhaps you have a new device or you've changed IP addresses or et cetera, et cetera, something's happened.
You should be able to step up that user's authentication at some time, at some point interactively request for more information before they continue to log in. And that doesn't necessarily have to be multifactor. Like, multifactor is one way of addressing that. But you could also throughout the life cycle of that user login or accessing services, you can challenge them for, for additional information. And that could even be some using something like Onfido, where you can interact with, with that service in order to gain the necessary access to the next to the next service.
Another example is a large Finnish conglomerate is using Auth0 today to allow an e-commerce user to go through the store. But at some point they're going to rent a card. They're gonna do something that requires a little bit more access, and now they're prompted and forced to, with their Finnish bank ID. That's the only way they can complete that transaction. It's still the same user, but what we've now done is we stepped up that user through various services in order to ascertain that that user truly is who they say they are.
Something very interesting point.
So, so to, to your first comment, I also always hope that I look much younger than I am you are. But back to that, I've never seen, for instance, a headline saying 70,000 sort of data points of faces being leaked. We see this for passwords day by day by day, it doesn't happen with faces and so on. Right? So I think there's something we should really keep in mind. The point you brought up, I think a very important one. It is this, this user journey thing. And I think a lot of things we do, we don't do wrong is because we believe it's too complex.
We can't do that easily because I think we, we, we, we usually don't deconstruct user journeys and we have, we have, in fact, we have two journeys. The one is basically we can add more.
The one is onboarding wedding registration and stuff like that. And the other, the recurring authentication and all of these consist of, of many elements.
So, so, and we can construct the onboarding journey. If it's e-commerce, we might construct it totally different. We first fill the, the, the, the comes wagon, the shopping car I got, we fill first, fill the shopping cart and collect some data. And on then, then we say, okay, we already entered your address data. We might have even verified that this is valid address. And then we say, okay, come on board. Or we do it the other way around, but there are so many steps. There's the, the authenticator device we are using. There's the IDP, there are many IDPs.
We can bring decentralized identity. We can, we have a customer record. We have customer records. We have so many elements.
And if we deconstruct it, I think we learn a lot about how flexible we can be in what we do and how, where we can add security if we need to add security and that this is not a rocket science. If we construct it the right way and understand the steps and keep them so separate that we always kind interact new things because we need to be adaptive.
And, and when we talk about adaptive authentication, I always say, this is two elements in adaptiveness. One is be adaptive regarding the type of authentication, type of device, the type of authenticator. Do what user wants, not what you want. It's always better to, to do what the users want or the customer and customers tend to pay you more purchase more when you do what they want.
And, and the other point is be adaptive regarding what you do afterwards to increase security. And we can do that because really go back and sit down and, and really paint down the, the various items.
You know, Tolbert talked about this this morning. This might be a little bit of your blueprint, then you'll learn. Okay. You have way more options than you probably use. Yeah.
So good point from your side, Martin. Thank you. So today we have so many technologies, options, vendors. We also see it here on site. We have not only two so way more. And for me as an end user, because I'm not a technical guy, I was before a construction engineer. So this is all new to me, how can customers limit the technical complexity for these solutions?
Well, I can, so you described the end user, but really you're, there's actually two sets of users. There I'd say the, the vendor or the, the person implementing these technologies or the company implementing these technologies is a customer. And then there's the end user as well is, is also the actual customer from a company perspective. It's finding solutions that are extensible, that offer partnerships with other best of class solutions in the, in the marketplace where you can easily integrate these things together.
So from a company perspective, it's very easy to get a central sort of pane of glass where the integrations lie and how a user journey or how a flow is put together, which reduces problems and or issues along the way when actually maintaining that configuration, because that actually has direct impact on the second part of that question is the end user is that if the company can maintain a cohesive setup, then the end user is likely going to experience a cohesive setup.
And so that means that to, to the end user, it, it all just naturally works.
I go from, I log into this service or I try to buy this and I go to this and it's a to, to them, it's a very natural state. I think another thing that's really important and you see that more and more is what these systems are doing is they're decoupling identity from the actual application, which allows you to do these things seamlessly as well. Think about in the past where you had an application or a web application be tied to that identity. So it released a new that new web application also required a new release identity or that identity product.
And you could actually not be nimble and release new features. By removing identity out of the login box or the identity part out of the web application allows you to now also seamlessly build on top of that identity platform that you have, which means using solutions like Onfido or using solutions like OneTrust in order to get these things done.
Oliver. Yeah.
So, so I would see, I would love to speak about the, not the end users. Yeah. I would speak about the, the company's building things like this, and this is always a matter of timing and speed.
So for me, what I'm seeing is nowadays this let's talk about a brick-and-mortar bank, for example, right? They take so long to make a decision on a solution. They think everything through. So that means they start with old stuff on the, in the beginning and then do bits by bits, the young generation of companies that call it like this unicorns, I think is a very fancy word for it. They want to be very fast. So they make a decision quick without thinking too, too long or too too much about it. And this means it's good for me and my, you know, all sales people out there.
They need to buy different solutions again and again, and only use the negative way. But sometimes to do the right thing at the right time would help to get 50% out of this whole friction away.
And the, I would call it. And another thing where we Germans are quite good in is silos, right? Really? We
Are
Good in that. I heard about it. The rumor for me, the point is you can see this, you can see how a company thinks when you see where are the solutions, and then they need to find a way to, to bring the solutions together. And then they call it a matrix streamline through the whole thing, which never works.
So this is the point where if you break up the silos, when you say, this is my, my process, I want to go through, and this are the solutions I need, no matter which silos I'm talking about, actually, maybe Mr. Kuppinger would have more free time as well, because he, there's not so much to consult about would be great. I'm telling you starting early
Retirement.
Okay.
So, so of, of course, for me as an end user, or also as a customer, less complexity would be great. So we talked about what's the, the thing behind identity-centric security, how is it related to zero trust? Maybe how we can reduce complexity last but not least what's about devices. So we talked about the human side, but what's about relationship between devices and humans in regarding the identity-centric security.
Listen, I'm my son is 21 years old. So the he's connected to his phone. We were connected to our Filofax. It's not sure if everyone knows what the Filofax is, but there was a nice movie in the eighties, I think, and the phone or this devices, this digital device become our new Filofax. What does that mean? Everything will be in there credit cards. We one might get a, our passports in there one day as well, all this kind of stuff. And the device will be is part of us.
The question is if we want to give this device the chance to be our, let's say, door opener, our gatekeeper, everything else, or should it still be asked to decide what we're doing? Because if this device has gone, like the Filofax will be quite interesting.
That actually brings me to a story that happened to a friend of mine recently. And he is very connected to his device. He's a little younger than me in his late twenties, and he's also married to his, his phone and his phone broke and his phone held his, his Corona vaccine status.
And he suddenly was able to go nowhere until he got his phone restored. And, and really this question is interesting that, okay, we, we are very married to our devices, but we, we're not offering a good way back for when that device is gone. And I think that's his, we really need to start thinking about that journey because that's a realistic journey, whether you're getting a new phone or a new device, or you're switching platforms, whether you're going from Apple to Android, Android to Apple, or a new unicorn startup that's working on something, there's no good way of moving from devices.
And it's a, because we're now putting so much emphasis on security on that device. Think about it. Like I have MFA set up, it's set up, you know, some, some of them use my SMS, which comes to my device. I have Google Authenticator. I thankfully switch over to Authy, but you could, if you're stuck on Google Authenticator and that device has gone well, good luck doing OTP on, on every banking website that exists.
So we did, we do actually have this dependency and it's a concern. And so then the, the next best thing is we need to start thinking about those user journeys to come back to it, of how to restore access quickly and safely for that user. So they're up and running again, and they can go onto their new device.
So thank you for the panel. And I think our panelists deserve a very well welcome applause from your side.