So welcome everyone, and thank you for being here at EIC 2024. My topic of today has a very long title, which is, by the way, RG who created the title. So if you feel it's too long, it was y decentralized identity comes of age, how identity forces are making enterprise rethink identity. And I only have a bit less than 20 minutes, so I'll try to squeeze in as many, many thoughts into this time as I can. But a bit of a shorter title.
Oops, this shorter title has disappeared. I had a second title slide, factually. This was basically my short title, would've been Finally Solving the Identity or the IAM Puzzle. That would be something, sorry, this is the wrong presentation. That's the problem. This is not the opening keynote presentation.
So while you please switch to the opening key, I wonder a little bit about the title because my title was a bit different. There should be a second slide.
So anyway, I'll start with talking about that in the meantime while they fix the problem. So basically the point is, identity management has been around for quite a while.
So basically I'm in this business for, so two decades. I started, I dare to say around the late eighties, maybe the early nineties with things like early LAN Manager network and other stuff. And basically this is where, in that sense, I started with identity management. And since then we have created quite a number of technologies. And in some sense we are still working on solving this puzzle. We are still working on how can we make identity management and all the pieces fit neatly together.
I think this is the challenge really.
We are looking at in these days. So we have IGA, we have our directory services, we have access management, we have a lot of other things and all these things are there. And when you look at how they fit together, so if you envision a sort of a puzzle, then it looks like there are pieces of different sizes, of different shapes, et cetera, which don't really fit together perfectly well. So we spend a lot of time in making this work. And so basically our challenge is really how we can get better in this.
And the question I'd like to talk about today is will decentralized identity and AI in the sense of, on one hand, generative AI, on the other hand, analytical AI, will this be what really helps us solving this puzzle? This is I think basically the challenge we are looking at. And until they have found the slides, I'll just sort of try to remember what I had in the slides and just tell the story here. So no worries.
We then just can walk very quickly through the slides. Hopefully at some point things happen. And I think it's funnily, it's, yeah, I see number 17, it's the first time that this happens. So there's always something new here.
Anyway, I think we have a challenge here and it's not whatever magic wand we can use to say, oh, it just fits all together. It's really hard work. It's really hard work where we spend a lot of time in putting all these pieces together and really make it work. And this is, I think, the situation we are a bit in and yes, we have solutions, we have found ways to solve this. We have things like the identity fabric.
We brought up I think five, six years at least ago where we started talking about the identity fabric, which now has been picked up by many others in the industry, which helps us having a bit of a thinking where all the pieces fit together and where we can make it work.
But it's still not perfect. And so again, the question is, is this thing around decentralized identity, around GenAI, that what will make this entire thing work? And I personally believe this is a huge opportunity because a lot of things will become simpler when we use these technologies, when we do that.
So a lot of these things really will be simplified. So decentralized identity in a sense, we have a lot of other terms around that. Basically it's a concept where the identity moves from some directory, let's call it some identity silo. I'll use the term later on.
Again, a bit moves into what is called a wallet that I, the, the term wallet might be a bit too small for what we can keep in the wallet. And here we are finally.
So what I basically did is, so Vision 2030, Rethinking Digital Identity, still a long title and still Yrg is guilty for the long title.
My short title would be Vision 2030, Finally Solving the IAM Puzzle. And what I said is, yes, we have this puzzle, a lot of pieces and they don't really fit to each other when we look at it. So we have a lot of work to do. This is where this magic wand comes in. This is where unfortunately it's not a magic wand, it's hard work with rough tools. Like I've said, we have things like reference architecture to have a more holistic view.
We have things like the identity fabrics, which put these things together. And the question is, is it that, and I think we need to take a broader perspective on this entire thing, and we also need to distinguish a bit between different types of terms. So we have a term digital identity, we have a term IAM, we have a term identity security.
And they are not the same. They're not all the same. They have differences. And when I, analysts like to create things like metrics and things like that.
So when I look at more technology driven versus business driven, when I look at more protection versus, so governance and all security versus enablement, then we have IAM. IAM is something which has a certain element of business enablement like in consumer identity management, but it's still a bit of more in the technical side. Identity security takes a bit even more of a technical perspective. It's really going more into the cybersecurity area and it's an interesting mix here. And cybersecurity probably is then also overlapping business.
So cybersecurity and identity security and IAM are definitely related. On the other hand, we have digital identity and digital identity is something which is bigger, which is really bigger because it's about the way we act in our lives, in our businesses, as citizens, as customers, consumers, workforce, whatever.
So it's a bigger thing, but it also has clearly this identity management angle in. And so I think we should be very careful with the terminology because there are different aspects. But one thing is clear, decentralized identity is here all the time.
So decentralized is something which will impact and is starting to impact everything here. And I think this is a very important aspect to have. So solving the puzzle, and I believe there are three things at the core, which is decentralized identity. This is this individual, it's the holder. So this holder issue of verifi, many of you may have heard about it, of verifiable credentials. It should be to be concise or precise here.
The issuer issues such verifiable credential, it's in my wallet, I present it to the verifier that hopefully trusts that these are our identity, but it's in my wallet.
It's not in the central identity silo. And then we have the analytical AI, which is really more about the analyzers and the generative AI, which is really creating stuff out of it.
I tend to keep this a bit separate because there are so many, many facets of AI, but these are two very important ones. So solving the puzzle, and we already can do a lot of things here. So this helps us in dealing with workforce identity, with consumer identity, with e citizen identity by verification, onboarding, registration, all indication hopefully. And I touch policies in a minute. Policy-based authorization, which can make a lot of things much better, mover and relocation processes based on attributes.
When our, our verifiable credential changes, it can trigger a mover process. Oh, Martin's not this OU anymore. It gets different access offboarding things like revocation. We can also add workload identities.
So the next generation PAM, probably not all solved here. So human identities in PAM and privileged access management. We can do well wallets for workloads.
Maybe one of the next things to look at should be, should have it, we can do things like working with application access risk with legacy IGA, with legacy directories. I've been talking about this quite a number of times, but envision trustee, the onboarding process of people. You have the proven Martin Kuppinger with this address and you do the onboarding process into your organization, into IGA, into HR, not via HR in some miraculous way into IAM with all the associated challenges.
You just build it on the same source of truth in that sense with verifiable credentials or business systems and processes, consuming these credentials and controlling access. Envision a world where these things work that way we can show you identity vetting and access.
This is really a built in part. So the built in identity verification, simplified access on many verifiable credentials. If you know a lot about Martin, we probably can be much better control what Martin is allowed to do. A lot of signals for fraud prevention, the gaming identities, the Web3 identities, the AI identity.
So where AI and identity come together, this is all decentralized more or less by default. And so I think we will have a world sooner or later where we provide verifiable credentials to AI bots or others acting on our behalf together with policies which then control what the AI does when she acts for us. We can add privacy and data governance, privacy also a core element. It's privacy by design and we can simplify data governance because we have this trusted data that's verifiable and data out of our wallets.
Think about data governance, where this data comes from the source so to speak. We can do better XDR, fraud detection and other security things because we have a ton of signals. And you should think about a wallet not as something which holds the name and the address, but something that holds thousands or tens of thousands of verifiable credentials, then it's a bit bigger than your wallet you have around with you because it's way more than factually a wallet. So there are more things here.
So this is something where the same set of technologies impact so many areas of identity. And this is where we really get closer to the puzzle and also get back, get away from the identity silo challenge because this is a challenge we have.
There will be still silos.
They won't disappear quickly. Also, mainframes didn't disappear at all. Other things also don't tend to disappear, so they will be there. But today's world of silos, that is we have IGA, so identity governance administration, which works with a directory. We have consumer identity with a directory. We have B2B identity management sometimes again with another directory. We have cloud infrastructure entitlement management, maybe with another sort of directory. Usually it's not called directory, but in that sense it is, oh, and we have a lot of applications which have their own user base.
We need to provision into it. All these things. Applications with directories, directories, directories, a lot of identity silos here. And tomorrow's world of identity silos will involve decentralized identity, which is, yeah, we have this, we have identities that have their wallets with the verifiable credentials and this information for instance.
So if you have done consumers onboarding, then they will provide information from these wallets into maybe your, still your consumer identity management.
But their registration process will be much simpler and it will be based on much, I would call, better data because it really comes from the individual, from the source. So it still might fill that or not, but it definitely will be that you still have a system of records. You still will have your business systems and they will still have the data. So we will have in that sense, still more than one place where the data is, but the way we bring the data in can be simplified. We probably can get rid of some of the parts of or improve them.
So many silos will disappear.
Being replaced. Others will be managed, so to speak, will consume the data. We will need some interesting capabilities there. So we will need some means of revocation and other things. So also to get data out of the silo, so to speak. Very important. What I find is worth thought in that context is the risk we are facing. And one risk we are facing here is what I will call, what I call the risk of siloed wallets. So we need, we have a strong need for openness.
We see, and many people in the room are active in standards initiatives, and we need to do a still a, we have done a tremendous work or these have done a tremendous work on really moving this forward, but there's still some way to go and there's still some open questions here and one is really the one around, we have the individual with the wallet, verifiable credentials.
Factually, we have many individuals with many wallets and probably more than individuals with many credentials. So let's take this individual, probably that person has more than one wallet.
So I probably will have at least a wallet for my personal and my business life. I don't want to have endlessly many wallets. I want to have few.
But so, and I have in this wallet, I have whatever the name from the eID card and the date of birth. And I have the number of the eID card and I have the address and I have the employer and I have my health card. And I clearly have the information about what is my favorite football club, which is the most important one. Nobody knows that.
Oh yeah, I think a lot of people know that club have been ahead of Bayern Munich this season in the German Bundesliga, which is really very important.
I have information about my education, like diplomas and I like it when someone from Carl who is raising the hands, when I praise, which is very uncommon here. I have probably some things around whatever, where I'm shopping, e-commerce information, et cetera. I might have a lot of other information in there like financial information, all the stuff, et cetera. So this wallet will be big.
Basically what may happen is that I have in one wallet, I have whatever my personal life, so still my name and address, my football club and shopping and healthcare. The next wallet I will have things which are more about education and business. So my diplomas, my employer, et cetera. The next wallet I will have other things that are probably more around all what I have reached, so to speak, qualifications and finance, et cetera.
And then I, I might be in a situation where I have different wallets.
What I want is I want to be able to decide about which credentials, where, which credentials are in more than one wallet, move them around, have multiple wallets or multiple devices, all that stuff. What we must avoid is that we have at the end many, many, many wallets and data doesn't flow between these. This is one of the things where we need to be careful so that we not, the wallet becomes the new silo. I think we can solve this, but it's something we should keep in mind here. What else do we need? We need policies because all this thing will become dynamic.
So we can solve a ton of challenges with the combination of verifiable credentials, AI and policies. Today we have static entitlements, the root cause of all bad in identity management, works for workforce in relatively stable organizations.
This is the way we think IGA, but in future we will have things for all identities and policy based. So Martin changes the job and access is granted based on dynamic authorization, works for fast moving businesses.
We have privileged access management, not only for human administrators and servers, but for DevOps, agile applications where everything is moving. We need to be agile and that requires policies and we need to bring, consume the data for the policy from somewhere which is decentralized identities, which is the wallet. Workforce and passwords and access management, moving to something where we have a ton of signals from different sources.
Customer consumer onboarding with traditional authentication, shifting to also bots, reusable identity, integrated privacy, managed signals, passwordless. Then we have applications which are right now identity silos. And we need to make them agnostic of that, they should move away.
They just should consume what comes in. So when Martin accesses, they use the information from the wallet and make the decisions. No need to keep all the data unless there's for instance a whatever invoice or so in the system. Basically it is also this ai.
So when we look at AI, we don't have good solutions, but I envision a world where we really could control with our information from the wallet, how the bot that acts on our behalf acts. So the individual with the wallet and the verifiable credentials together with context, which is a separate thing. These provide signals. We use the policies to make decisions in many, many areas. This will unveil a huge business potential. And I just create one sample here or bring one sample. This is requesting a loan at a bank.
So in my wallet, I have all these things like name, address, all verified strongly.
I, they know who I am. They have my salary statements, in Germany would be maybe from the data, they have my banking and my financial details from different banks. They have information about what I own in real estate, my marital status.
And then in the future with the verified entity, with some liveness detection, with really Martin reduced, doing that strong indication, all data in the wallet, all data assured, we can move to a massive process automation together with digitally signing, the certificate, also the qualified signature in the wallet. We can improve these processes and we surely need a bit of change in regulation around AML/KYC. But we can do a ton of things here. And imagine how the business process or the process cost changes. We're talking for large banks, we're talking about hundreds of millions potentially.
We are saving here. So we are talking about real money and this is where the business case is.
We also can automate a lot of things in IGA. I talked about this previously and I'm running a bit out of time, so in the future, I envision that we use all the credentials for authorization at runtime.
So we don't use static entitlements, we just consume from the wallet and always have up-to-date authorization. Imagine the Teams folder of the project, the access is based on Martin is right now in a project, a company X, Y, Z, in this project, in this role. And has this access, no management of Microsoft Teams access manually anymore. Great. So we can do a lot of things here. So we need to think beyond, and this is the point, IAM under change. We need to think when we develop applications, we need to construct them in a way which is sort of decentralized identity ready.
So every developer of applications of whichever type must think in that way, prepare for it. It's a massive business potential. It's a foundation for a lot of breakthrough innovation in business service and business model, in IT. It's a new paradigm, but it also works with what you have. Very important, you can optimize your onboarding, your registration process without breaking what is behind. But you can get better if you change what is behind.
So only when you move away from the legacy way of doing it, you will be able to unveil the full potential and be ready to stay in the business. And thinking then about how this also goes into ai, let's call it AI identity, this is also an incredible potential. So digital identity fosters the change of our reality. And I would say it's not just an update, not even an upgrade, it's a quantum leap here. So it goes even beyond that. And with that, I'm done. Unfortunately, I think I'm one or two minutes too long, but I had a tough start. So thank you very much for listening to me.
Enjoy the conference.
Thanks so much, Martin, for setting the grounds for decentralized identity. Don't forget everyone, if you wanna ask questions to our presenters, you can do so through the app. And so we've got one for you. Just before you go, what is the call to action here, Martin, to the audience here at EIC, what can they be doing in terms of forging a secure, human-centric and resilient identity framework?
Yeah,
So as I've said, I think it was my final slide, when we do something, we need to prepare it for the age of decentralized identity. When we create an application, we need to prepare it so that it can consume decentralized identities, that it works as policy-based access in all other areas. We need to embrace this way of thinking beyond our traditional legacy static way of doing things in IT. Thank you very much.
Welcome, pleasure.