Welcome to our KuppingerCole webinar, Evolving Identity and Access Management for the Digital Era. This webinar is supported by Broadcom, and the speakers today are Vadim Lander, who is Identity Security CTO and Distinguished Engineer at the Symantec Identity Security Group, which is part of Broadcom. The other speaker today, that's me, is Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts. We have a big topic for today, so we will have a lot of information, a ton of slides, maybe not that many slides, but a ton of information on the slides. I think that's a better phrase.
No death by PowerPoint, but really a lot of stuff we want to tell you, want to talk about. Before I start, a bit of housekeeping. Audio control: you are muted centrally, you don't need to care about it. There will be a Q&A. The more questions you raise, the better it is. Then we can have a very lively, very interactive Q&A. We will do some polls too, exactly, one right after that slide, and one after my part of the webinar.
And we are recording the webinar, so you don't have to care about sort of writing everything down, but you always can access the slides, which we will provide you for download afterwards, as well as the podcast recording of the webinar. You also surely can share it with your colleagues. Having said this, I'd like to start with the first poll, which is a more generic one, which is about how is your IAM budget changing? Is it growing strongly this year, so more than 20% growth, or some growth somewhere between five and 20%, or more or less stable, plus or minus five, or is it decreasing?
We'll give you whatever, a minute or so to provide your responses. The more responses we have, the better it is. So come up with your input to tell us how your IAM budget is about to change this year. So the more responses we have, the better it is. I'll give you another 15 seconds. Okay. Thank you very much for participating in this poll. And now let's have a look at the agenda. So I'll talk a bit about the evolution of identity fabrics, which is a concept we brought up a couple of years ago, and which sort of provides a more comprehensive perspective on IAM.
This is very important in this context of how to evolve it in the context of the digital economy. How to evolve it in the context of the digital era. So what do we need to do to make our IAM ready for the future? And then we'll look at how to transform IAM without a rip and replace approach. Provide a lot of insight here on what to do and how to make this work. And given that probably most of you have some IAM in place, how do you deal with it? There need to be changes, but there's also a lot of stuff here. How do you find the best solution here?
And then we do the Q&A session, as I've mentioned. And so let's get started. Where are we today? Where we are is, we have identity management as an established discipline. We have IGA, so Identity Governance and Administration, very frequently, so the user lifecycle provisioning stuff, and access governance. We have access management, federation, authentication, MFA. We have privileged access management for the admins, for the highly privileged users. And it started with a workforce focus.
It tends, in many organizations today, to also address consumer identity and partner use cases. And there's some coverage usually for each of these four very traditional A's, which are administration, analytics and risk, authentication and authorization. There are quite a number of different building blocks for an IAM. And what I show you here on the screen is our IAM reference architecture. We created it several years ago, and we update it regularly to reflect the ongoing changes and ongoing evolution in the identity management space.
So usually there is some IAM, but also when we look at it more in detail, then probably most of you will say, okay, we have some of this, we don't have everything. More modern capabilities, like the advanced capabilities such as decentralized identity support, policy-based access controls, et cetera, are found far more rarely than sort of the baseline capabilities. And also for the baseline capabilities, I see really a lot of projects. Some organizations are better, some are really baseline and even struggle with the baseline.
So we are somewhere on the journey, most organizations are, but IAM is a journey, it's never ending, and it means we need to continue. And so the next question is, what is the core focus we are looking at? And I think that the thing we need to cover is we need to expand, to extend IAM. We need to go beyond that and beyond what we traditionally had. We have the zero trust paradigm. Most organizations are going to or shifting towards some sort of identity as a service. We need to get better in serving digital services.
And when you look at the top of the graphic on the right-hand side, that there are the digital services. And this is, I think, also very interesting because there are two flavors of how we can deal with digital services. The one is we continue as we do in traditional identity management, we manage the digital services. So we do sort of use identity management to manage identities and access entitlements, et cetera, in these services.
Or we provide a way, a means for digital services so that they can consume identity services, that they can say, okay, I need a new user to be onboarded, be onboarded, they call APIs, they trigger these actions. And this is a paradigm shift because it means we are not working sort of inside out from the identity management anymore only, but also outside in being a service provider or platform for all the digital services.
And this picture, this graphic shows sort of a high level structure of the identity fabric, which is meant to provide the services backed by tools that deliver the capabilities that we need for a very simple task at the end of the day, provide seamless yet secure and controlled and well-governed access for everyone and everything, that's the left-hand side of the graphic, to every service that's the right-hand side. This is what I am supposed to do. Enable people, enable things, enable devices to do what they need to do with services in a controlled, secure manner.
And for that, we need quite a number of capabilities. So some of the characteristics are: it is modular, it's flexible, it's adaptive, it covers all identities, it has an identity API layer, it provides a transition, a means of transition. So how can I go from my traditional IAM to this modern world? It supports as-a-service deployments and modern target operating models. And it also accepts and supports the fact that most IT environments today are still hybrid. So this is basically what is behind our idea, our concept of identity fabrics.
And this also maps very well to zero trust at the end of the day and beyond that. So it's all identities, it has an identity API layer, it's about legacy IAM, it supports transition, it supports hybrid IT, and it delivers verified identities and verified access for zero trust. And so doing this well is a key element also if we want to succeed in our zero trust strategies. This all comes also with challenges. It's not something where you go, okay, one stop shopping, I buy a tool, and this tool will do everything. There's always browsers and people, et cetera.
There are tools which can serve a lot, but you still need to figure out how do I move there from my existing work. There are also the scenarios that you say, okay, I have a core tool or two, and I need some complements to cover areas which aren't covered maybe at all or at that level I need. So we need to think about the challenges. This is about what do we need to do in identity management in general. So our requirements are changing. We also need to build in a way that we can deal with all the things, work from anywhere.
Cloud services, not that new anymore, or the digital services I already mentioned, needing, supporting consumer identities, supporting consumer devices, things, the connections between all of this. And also what happens with Web3, Metaverse, whatever it will be, it's a bit of a fuzzy thing, and we all know. How do we support decentralized identity? So that all needs to be done while we still keep costs sort of in focus. How can we do this with optimizing costs? How can we protect better against identity-based attacks, which are the majority of attacks we are facing?
Serving the need, digital services, fulfilling regulatory requirements, serving everything all to the old stuff, supporting this work from anywhere, onboarding employees that never have seen an office from the inside, for instance, or partners. And this needs to be dynamic and flexible. So it's not something we built and construct today. We built it in whatever, X months or X years, then we are done.
No, it will evolve. So the identity fabric perspective you have today will have changed in 2025 or in 2028. It will evolve, it must evolve. And that's the reason why we define this paradigm in a way that it's modular, that it can grow, because we need to be ready to also support future innovation. Modern architectures, microservices-based, container-based, help us in doing that, but we always must be clear about that.
So identity fabrics, in the way we define them, we strongly believe they are a fundamental or foundational concept for what we can do, and they can serve a lot. In some way, it's a paradigm. It's a methodology, also, that helps architecting when you walk through the different capabilities and understand, what do I have? Where are my gaps? What do I really need? You can really build it very easily into methodologies. We do this day by day in the advisory of our clients.
It's also a bit of a high-level architecture, but it's not that there's the architecture, the identity fabric, that always looks the same. It must be adapted and it must evolve. But the basic principle applies, and I think also from an understanding perspective. So this term fabric has different meanings. And the identity fabric is, for instance, both. It's a mesh. It connects everything, it's a mesh. But it's also about production. It produces the identity services you need. What it isn't, it's not just a pile of Lego bricks.
No, it's more something like that. Oh, maybe not that complex, but it's something which is constructed, which is ready to use, or in that case, it would be probably more ready to look at.
So it's, what do you do out of this? It's the result. And it's about conversions, integrations, and looking at, how do you deal with that? And this is an interesting question I discuss quite frequently with both vendors and with end-user organizations. So when we look at the identity fabric, how many tools do we need? It depends. It depends on which capabilities you need, which services you need, which tools you need, what you have in place from history. It depends on different factors. And my general recommendation is to start with a very limited number of core elements.
It could be one, it could be two, it could be three, but keep it really restricted. And then to complement it where needed. But it all starts with saying, okay, what are the capabilities you need? You need to prioritize them. You need to understand what is it, what you need. You then define the functional services. And then you look at which tools are needed to serve this. And that should be, as I've said, a reasonably low number. Suites have the advantage or solution to cover more capabilities that help you deliver more services.
Surely the common advantage is fewer vendors, consistent UI, UX, consistent APIs. It's easier to operate. A higher level of maturity you can potentially achieve at the beginning, at the start of your journey. On the other hand, there are always best-of-breed technologies that help you to fill the gap, to do some things better, to serve specific needs. And you have the legacy. You don't forget about it. You will need some integration to the legacy for a while because you should be able to transition your IAM to a modern fabric at your own pace.
And that also could mean that you let whatever old IGA system run to just connect to the mainframe or some other legacy applications where you say, I will retire them. Okay, mainframes rarely become retired. They seem to live forever, but anyway, I think you get what I mean. And you can, that's for instance, avoid complex migrations. That then provides you with a fabric, a holistic concept to construct your modern IAM, but also to transition to your own pace. And that also provides you then some control planes where you manage certain aspects within your technical architecture.
So the identity fabric in fact serves or implements, includes several of these control planes. So when you, for instance, think about what is my identity control plane? So the control plane I use to manage identities. So all these identities, how do you manage them? Then it's about mainly the identity related capabilities, directory capabilities, and all this stuff, onboarding processes, the related workflows. And you have an identity management service with IGA tools and a bit of access management tools when you look at B2B identities, for instance, or maybe CIAM tools, even.
I haven't added this here, that could be in another area a bit, or privileged access management for certain types of identities and accounts that come from sort of modern silicon and non-human identities. You have an access control plane, which is about who can do what and how do I govern that, which is then supported by a couple of services building on tools like access management and privileged access management. You should have, when you go modern, you should have a policy control plane where you manage the policies that control all of what you're doing.
So who can do what, which identity can do what. We need to move way more towards policy-based approaches. That's a fully separate topic, which could take us hours to discuss. And we will publish quite a bit of stuff around policy-based access for, so to speak, the modern world, but also how to support the legacy world in a modern policy-based approach, soon. It will be a very hot topic also at our upcoming European Identity Conference this year in May in Berlin, where we'll talk a lot about that. So don't miss the conference.
And then there are also, for instance, integration, security integration controls. How do you make this work with all of your existing identity management and all of your existing cybersecurity tooling, your SIEM tool, your SOAR tool, whatever else. So the identity fabric really delivers a lot of these elements you need for a modern or future-proof identity management. And what I then also added here is a bit around measuring the maturity of identity fabrics, because I think it's important to have something which helps you a bit understand what should be in there. How does it evolve?
I will not read the full slide, no worries. I structured it into sort of the five columns or pillars which are common for the CMM or CMMI approach.
So one, two, three, four, five, or initial, they call it repeatable, defined, managed, optimized. It's a bit fuzzy here, but I think it helps to say these are the five stages. And then what is, for instance, the architecture? And even initially, you need a high-level blueprint across all areas of IAM. If you don't, if you just look at one part, it's not an identity fabric. So my baseline is relatively high. If you want to call it an identity fabric, you need a holistic perspective.
You need to look at a broad range of identities, covering at least the most important IAM services, have some sort of an API layer in place, having a bit of a portal for at least the key capabilities, a consistent target operating model including the organization across all of IAM and stuff like that. So it's not that you could say what I have in identity management today is an identity fabric.
It may be, or it may not be. So there are requirements. And maybe this matrix, as I've said, the slides will be available for download, helps you a bit in also looking at where do I stand? What are the things where I'm further ahead or further back? When you start your own journey towards a modern IAM based on, maybe based on the identity fabric paradigm. And I think what's also very important is always look at it as an evolutionary, not a revolutionary approach, because you will have something and you need to understand what is missing. What is the most important thing that is missing?
You also can't do all the big migration transformation projects at the same time. You need to plan, you need to have a roadmap and you need to think about how can you integrate and migrate what you have? And then how can you expand for the new requirements to serve the needs of your business? This is a bit of work, but I also can assure you we did it with many, many organizations. It doesn't take us long. It's not as complex as it may seem.
And it surely helps you to build such a concept, to plan ahead and to have an identity management environment that is sustainable, that helps you over a long period. That was my part.
With that, I quickly trigger a second poll. So the question is, do you have something in place? Do you have a blueprint at least? So not technically done everything, but a blueprint, a concept that covers all major areas such as an identity fabric. So do you have it or is it a work in progress or don't you have it yet? So I'll give you a bit of time to answer.
Again, the more answers provided, the better it is. Okay, another 10 seconds, I'd say. So come on, some more answers, please.
Okay, thank you. Perfect, with that, I'll hand over to Vadim right now.
Yeah, thanks for the great insight. Hi folks, glad to be here. I'm gonna give you a bit of a sort of technical perspective on what identity fabric is. We at Broadcom have imagined identity fabric going back a few years. And really what we saw was a significant amount of sort of projects and digital transformation, modernization projects that our customers had. And a lot of it had to do with the fact that the modern IT infrastructure has become, is becoming increasingly digital and hybrid. And really in this world, we have moved for a while now, we have moved beyond the perimeter.
You know, I compare back 20 years ago when we sort of, we as an industry invented identity management. It was characterized by a sort of enterprise boundary by the perimeter, but there's no longer perimeter, right? If you look at this picture, we've evolved way beyond the perimeter where pretty much anybody can now access anything or wants to access anything, anywhere. And the question then, of course, is that how do you make this usable? How do you make this secure?
And ultimately what has happened is that the identity infrastructure, right, not only has become hybrid, it's become extremely contextual, right? Modern access is all about context.
You know, who, what, where, under what conditions. And therefore, in order to sort of make this work, make all these connections work, we have turned to significant adoption of standards. And if you go back the last 10 years, there's been a tremendous amount of innovation in the world of standards, whether it was the OAuth, it was the OpenID, it was SCIM, it was FIDO. So lots and lots of great standards have showed up in order to make these connections possible and secure.
And so, as Martin had talked about, there's pressure on identity and access management to reimagine itself. Why is that? Because there's no longer a perimeter. So we need to go to an identity layer, right, that is pretty much, I call it 100% API-centric, in order to deal with the kind of the new modern business requirements that not only ensure that your infrastructure, your applications are secure, you also have to address the omni-channel requirement that for us as identities, we would like to see kind of the same behaviors, no matter what kind of channel we use.
Zero trust now has to be accommodated as part of governance compliance infrastructure. And so when you look at what does it mean in terms of the architecture, it means that the identity fabric concept now has to basically extend itself into these various IAM capabilities, starting with identity onboarding, application onboarding, then identity authentication, and that has to have a very strong contextual authentication policy. With every IAM, there is a life cycle of authentication being followed by authorization.
So identity authorization and managing authorization, right, across all these different channels. Identity life cycle, the life cycle of identity management, right? And as Martin has talked about, making sure that not only we can continue leveraging infrastructure that enterprises already have, which is where the extensibility comes in, right? But you also need to be able to plug into the existing processes and plug those processes into identity and access management so that you don't have to necessarily deal with rip and replace.
So I would say that this decade, from the IAM perspective, will really be measured, right, by the transition from a silo-based identity architecture to a sort of more coordinated, orchestrated, API-centric identity infrastructure, and then identity integrations. So what does it really mean? So if I were to take a step back and look at the identity fabric, right, the reference architecture, right, you really need to think about it in terms of capabilities, and I call them services. You need to ask yourself a question.
Do I have a strong authentication service, right, and can I apply authentication policy across my different channels? Do I have a session management service, right? How can I ensure that what I use, whether customers use mobile, and from the mobile they go to web app, and from the web app they can go back to mobile, or maybe they invoke APIs, and then APIs end up somewhere else. How do we make sure that there's a consistent session spanning and securing user experience from the end-to-end perspective?
From the contextual management, from the context perspective, right, having a risk service has a lot of work to do in the zero-trust environment because from the zero-trust perspective, you have to ask a question, right? Are we sure we can allow this transaction? Are we sure we can allow this user? And so being able to measure risk at every step of the way, being able to make decisions, right, whether it's authentication, authorization, or any kind of decision on a basis of risk requires having a risk management or risk service that basically maintains the risk assurance on an ongoing basis.
The identity service, right, being able to manage the lifecycle of identities, right, is obviously very important. And so the point being is that in this sort of canonical architecture, right, as you look at your readiness, the question to ask is do I have a capability and can I leverage this capability, right, across a number of my applications, my projects, my initiatives? And not only that, but depending on your business, the question to ask is can my customers or can my vendors, right, can the partners that I work with use this capability? Can it be extended to them?
So I wanna go over a couple of different concepts, right? I'm gonna start with the authentication. I'm gonna drill down into a little bit of this sort of authentication policy. The key point here, it's about being able to apply it across a number of different channels, right? So the question to ask is do I have the right policy, right? Can I use different factors? Can I use modern passwordless factors? But at the same time, can I also delegate to an existing authentication infrastructure that my organization may already have and I have to use?
So you need to be able to deal not only with the new modern, but you also have to deal with the fact that you have existing infrastructure and existing user experience and you wanna be able to manage that. Can I deal with credentials, right? Can I deal with enrollment questions?
You know, automatic enrollment, offline enrollment. And how do I apply context, right? Does the tool that I have allow me to apply different kinds of context, whether it's the application context, identity context, you know, maybe external context, you know, maybe it's something that we know about the identity somewhere else. So can I plug that context into the policy infrastructure, right? And ultimately what you're looking for is to positively authenticate users based on their context rather than on the application or the data they are trying to access, right?
It doesn't really matter whether it's a mobile app, web app, API app, right? The need for authentication is consistent. Another concept that you want to take a closer look at in your organization basically is the ability to, you know, orchestrate trust across identity providers, whether those identity providers are internal to you, perhaps two lines of business or different identity providers. But for the most part, the question becomes is like, what are the identities that you're working with, right? Are they maintained inside of your LDAP infrastructure?
Are they maintained inside of your trusted partners, you know, somewhere else? And basically, how do you then deal with the fact that the lifecycle of identity management enables us to decouple use of identity from management of identity? And so while the use of identity is really about being able to accept the identity, authorize the identity, right?
Use the identity inside of your different kinds of applications, but also the being able to delegate the management of identity to other providers and then accept that identity whether it's, you know, bring your own identity or whether it's, you know, on the fly delegation. So being able to work with identity providers and have a strong identity provider capability based on open standards such as OpenID, such as SAML or, you know, other kinds of standards, you know, very, very important for your sort of modern identity infrastructure to have this trusted identity provider capability.
Another critical element of any IAM, especially the architecture of identity based on identity fabrics, is being able to maintain sort of a holistic session, right? Being able to maintain a view of identity's risk, right? And it doesn't necessarily have to be, you know, implemented solely within your own infrastructure, right? When you look at sort of from the end-to-end perspective, being able to share signals between your identity environments or your identity silos or between your partners, between you and your partners is very, very important.
And so there's been a lot of work in this space over the last few years focused on continuous access evaluation protocol standard that enables us to sort of communicate important events between different systems. And I think really for the first time in identity management, it's this ability to share risk. It's this ability to share signals in a unified sort of standardized manner that enables us to manage security effectively while providing sufficient amount of sort of a user, you know, frictionless user experience.
And that's really where kind of the interaction between your application environments or your identity ecosystems comes down to basically having this interoperability. And now I think really happy to report that we see a fair amount of progress in the industry about being able to consume different kinds of events and issue different kinds of events. And at the end of the day, really what it enables you to do is create a much stronger zero-trust-based posture, right, protecting your environments while, you know, creating much more useful and frictionless user experience.
Another element of an identity fabric that has sort of become possible is this notion, and I think Martin talked about this, that really we need to be thinking about identity management from two different perspectives. They're different perspectives, but they're very much, you know, tied together, right, into this sort of this concept of having a control plane and having a data plane, right? So the control plane is all about management, right? It's the last A in the AAA, right, authentication, authorization, administration. It's the management.
It's the lifecycle of onboarding identities, onboarding resources, right, onboarding policies, right? It's the business of identity management is to understand how the identities are related to resources, right, whether it's through, you know, direct entitlements, you know, whether it's through adaptive policies, whether it's through RBAC, you know, ABAC, but fundamentally, having a control plane enables you to create the relationship between identities and applications.
That's really what identity is about, identity management is about, is being able to manage and secure that relationship while the data plane, right, the data plane of identity management is about enforcement. It's about enforcing authentication policy across a number of different channels. It's about enforcing authorization, right? Is there a connection, right? Is there a policy? Is there a path from a particular identity, you know, people or silicon to a particular resource and under what conditions?
And whether that's something that's enforced, you know, in a legacy system, whether it's something that's enforced in the modern system, you know, using tokens. Fundamentally, the notion of the control plane and the data plane is a critical component of this sort of modern identity management, you know, architecture and principles that at the end of the day, right, enables you to maintain and enforce the trust model, right? What is the trust model? Trust model is very simple. It's about being able to answer questions, such as, right, who has access to what?
You know, obviously, that's the big IAM question, you know, that's the question in the IAM space. But also, it enables you to sort of model, right, what resources does a persona have access to, right? What personas provide access to a resource, right? What is a persona? Is it an identity in my LDAP? Is it a set of generic claims that are asserted by a particular identity provider?
Or is it a combination of something that, you know, we manage on behalf of an identity in an identity store, while at the same time, we take the context from those systems, right, that have something to confirm on behalf of that identity through claims? And when you put it all together, you have this notion that I call identity authorizer. An identity authorizer uses these rules, right, to determine whether or not an identity, right, at the end of the day has access, right, to a particular resource, right?
So having this sort of view of identity management that has the notion of a control plane and has a notion of a data plane is a very important construct. The other thing that the identity fabric, basically, this identity layer gives you or should be giving you is observability, both at the business level and operational levels. Observability, from the IAM perspective, is kind of a little bit simple, right?
It's like, how do I know what my authentication is doing? You know, how successful are they?
You know, how many factors, you know, does the identity go through? What is the, you know, what is the return on investment for passwordless, right? Are they really using the passwordless, or 90% of my traffic is still relying on passwords? And if they are, then how do I move them sort of towards more modern, secure, and frictionless factors, right? So being able to gain this level of visibility into your KPIs or your processes is another sort of critical element that an identity layer based on this architecture, identity fabrics architecture, can enable for you.
So with that, I want to talk a little bit about kind of how we see the fabric. Really, at the end of the day, the fabric and the fabric-based architecture means that it's about connecting, right? Securely connecting any identity to any application, which has always been the main goal of identity management. It doesn't matter whether it's packaged apps, native apps, mobile apps, you know, what are you connecting, identities that are born in the cloud, let's say Azure AD, you know, to an ERP like SAP, or you can, or vice versa, it doesn't really matter, right?
The goal is to be able to apply these identity capabilities, authentication, you know, authorization, where possible session management across these channels, and ultimately, right, you know, try to cover, right, this sort of the any identity to any application, you know, paradigm with this architecture. And so last but not least, coming to the end of my presentation, is this fabric that we've been working on, helping our customers modernize.
We call it the security services platform, right, that enables us to sort of deliver the kinds of capabilities that both Martin and I have talked about, while at the same time, kind of, you know, embracing and extending the traditional classic identity management infrastructure to help our customers modernize the experiences and enable our customers to move forward with their digital transformation projects. With that, Martin, this is the end of my presentation. I'm just gonna go through one slide so that we can capture the recording in case people want to look at it.
We have a little bit of content that we've been generating over the last few years. We started actually identity management fabric back in 2020, white paper sort of predicting the strength, and we've been doing a few webinars along the way that you guys can take a look at. Thank you.
Thank you, Vadim, for this insightful presentation. And so with that, I'll share my screen again where we can directly start the Q&A session. So to all the attendees, please enter your questions now. So you have Vadim here, you have me here with some background in identity fabric. So use the opportunity to squeeze us out, so to speak. So there's the first question, and then there's one that goes to you, Vadim, that is probably a bit more technical one, which is which challenges do you see related to session management?
So what are the things you need to be aware of when dealing with that part of authentication access? Great question. From a session management perspective, it's important to understand and ensure that you have control over session boundaries. That means being able to define the initiation of a session, and then being able to get events or know of events when those sessions may potentially need or require termination.
And the tokenization of trust that I talked about, using JWTs or using any other kind of token is really a great mechanism to minimize the amount of lifetime an access control layer deals with. So by tokenizing access, by tokenizing trust, you give session management a chance to ask the question, is it still the right user? Do I still trust the user? Should I allow that? Or should I terminate that?
Yeah, and I think this is something which makes a ton of sense in the zero trust context, because this is exactly the point. This is still a session, and it also provides us an interesting opportunity, which is shifting more of your authorization to the authentication, to the individual session instead of dealing with all these static entitlements with the standing privileges, which cause the biggest trouble in identity management. The biggest trouble in identity management stems from roles, recertification, and all this is based on static entitlement.
So there's also a logic to go more at a session level. The second question here, where I probably start best with answering, and then I hand over to you, Vadim, which is, I did not see identity proofing being listed anywhere. Is this still being considered as a new area?
Factually, it has been listed on my first context slide in one of the boxes in the reference architectures. There's identity proofing, because we believe it's a very important thing, and it's increasingly important to my perspective, not only for consumer use cases, but also for workforce and partner use cases, specifically in these days of work from anywhere, where we have way less touch points of humans to the offices, and where we need to do identity proofing in a proper way.
I also strongly believe that decentralized identity, if we integrate it with our identity management, will help us massively in process optimization around identity proofing. A huge subject, we can't cover everything here, but surely this is, for instance, something we will touch on at EIC this year, and at our locations.
Vadim, what do you want to add here? Yeah, definitely, this is a good point. Identity proofing has a lot of weight. I think organizations maybe should be a little bit sort of more interested in identity proofing for a couple of reasons. On one hand, it enables consumers especially to have a more frictionless experience. I don't mind having someone look up my reputation. And on the other hand, it creates a stronger security.
The good thing about identity proofing is that there has been a lot of work in the OpenID community, defining interop standards for how identity documents, identity proofing documents can be incorporated into the fabric of OpenID, and be recognized automatically through standard notations by various policy engines. Okay, great answer. Another question here, what are the metrics by which to judge whether what you do in an identity fabric is good, better, or best? So I provided my slide on the maturity levels. I think that could be a good reference.
You can pick up, as I've said, you can download the slides after the webinar. It will take a bit, but I think latest tomorrow, they should be available.
But Vadim, what do you want to add from your perspective to what is good, what is better? What I was looking at, right, how do you, at the end of the day, what are the critical factors, and how do you know it's working well for you? The question is, how long does it take for you to onboard new applications? How long does it take for you to enable a business to benefit, right? Does it take nine months? Does it take 12 months? Does it take a month? So the ability to get the work done, the ability to basically drive user experience, improve user experience, and then connect people to applications.
If you can do that effectively, you've got a good, you've got Identity Fabric in place. If you cannot do that effectively, and you keep running into issues, then you have something to look for and improve.
Okay, I think that fits very well. By the way, your response already fits very well to another question, which is, are there success factors to look for from an Identity Fabric-based IAM architecture? So what are success factors? And I think you brought up some interesting KPIs, or, yeah, KPIs that help measuring where we are. And I think at the end, success is, to my perspective, very much based on, did you get it implemented? And how does it help your organization to perform those things better, faster, more efficiently?
So process optimization, to my perspective, for instance, is something which is one of the really important success factors, because process optimization also is something which is about cost reduction. Do you want to add something?
No, I agree with that. We've seen customers who are actually actively practicing the principles of the fabric. It's interesting. They've been able to go from initial proof of concept to full production for 10 million identities, it's a telco, in four months.
Like, literally, from nothing, knowing nothing about it, never seeing it, never practicing it, to full deployment for multi-factor authentication in four months. That's unheard of.
Okay, a few more questions here. Has the market identified concrete use cases requiring novel mechanisms, such as decentralized identities?
Vadim, do you want to start? I think there are certain scenarios that are kind of being early drivers. One is sort of the audit compliance governance requirement for multi-factor, right? There's a lot of regulatory pressure, as well as sort of the kind of initiatives coming out of the Zero Trust, coming out of MFA, to make sure that basic authentication, I call it basic auth, does not exist.
Basically, we have to eliminate, and I don't necessarily say there's passwords only, but we have to eliminate the weak security. And so, multi-factor authentication, step up, risk-based, adaptive, is a very well understood scenario that's creating quite a bit of need to apply identity fabric principles.
So audit, audit, audit, governance, compliance, as well as user experience, frictionless, more frictionless user experience, leveraging passwordless factors, too. But I'll also point out that, and that's sort of the scenarios that are kind of driven by the business. But fundamentally, if you take a step back, the fact that 20 years later, after having invented identity management as an industry, we're still dealing with silos, we're still dealing with spaghetti code. Why is that?
And to me, that's really the realization that the right way to think about identity management as an IT area is from what both Martin and I talked about, having the control plane and the data plane perspectives. And that requires sort of this taking a fresh look at what is the right way, right, and identity management as an IT area needs to be delivered. And that's where the concept of identity fabric, you know, API-based layers, interoperability, comes into the picture.
Yeah, maybe to add, I think it was interesting at last year's EIC, it was the first time that we really started talking about practical use cases, the practical implementations of decentralized identity. I think some things are already happening, which is more in the consumer space, but we also see a huge potential to improve KYC processes. If you have all the proofs, the various proofs, then you can really simplify KYC processes. And KYC processes are extremely costly for the regulated industries. The other side of it is there's also a huge potential in onboarding.
I think this is one of the trigger use cases for workforce and partner identities, simplifying onboarding. And from there, maybe even authentication authorization, because every proof at the end is an attribute I can use in authentication, and I can use in authorization. So we definitely have a very significant potential here. And we're seeing people already discussing more, thinking more about these types of scenarios, these types of use cases.
I'm absolutely confident that we will see some significant adoption of decentralized identities, also as part of what we do in our identity fabrics for each and every type of identity. Another question here, and I think this goes a bit back to what you talked about, Vadim, which was around authentication and attribute-based, et cetera. So what are privacy implications here related to using more and more of these attributes in the authentication authorization or audit use cases? So is there something from a privacy perspective we should be aware of?
There's definitely, there's traditional privacy implications, which is having the information, being able to secure that information and expose that information on a need-to-know basis. There's traditional privacy. But I think also when it comes down to us as identities being able to give our consent. And so with the identity fabric architecture and the standards-based architecture, there is technology enabling applications, enabling your projects to take privacy into consideration through the notion of consent. Consent is granted by us. That's obviously up to people.
They decide whether they allow use of that information or not. And of course, if we don't allow it, then we don't get the service. So from their perspective, it's our right. And so where it makes sense, using consent to drive better user experience and more trustworthy relationship between identities and service providers makes a lot of sense.
Okay, I think we have one final question here. I want to quickly grab which is, how does the identity fabric support sort of the identity-related threat intelligence? So how does it help in getting better here? And maybe Vadim, you continue. So what I see is we have a consistent environment.
So we can, and we have consistent APIs if we do it right. So we can access events from all different areas. And we also can consume internal events, for instance, an authentication, other use cases, in a more consistent manner. And that provides us insight into, which is way easier to implement than in a silo-based identity management environment. Vadim?
Yes, so what, from the threat management, and I call it intelligence, from the sort of analytics perspective, an identity layer that's rooted in using tokenized trust, in using APIs, it's much more open to being, the information is much more open to being collected, collected and analyzed in order to detect patterns. For example, if you see that tokens are continuously getting rejected, or there's too many privileges, that that information can be harvested and understood. And then look, for example, for anomalies in terms of coordination with my peer group.
So it's much easier to collect the data, it's much simpler to analyze and determine patterns. And then once the patterns are determined, they can be brought back into the policy infrastructure to say that, hey, this particular identity seems to be out of compliance with a peer group, maybe we need to step up, right? Maybe we need to block, right? So you have a lot more control while having sort of more effective collection capacity.
Okay, perfect. Thank you. And with that, it's time to say thank you. Thank you to you, Vadim. Thank you to Broadcom for supporting this KuppingerCole Analysts webinar. And thank you to everyone attending this webinar, listening to it, sharing the information you've learned about here. Hopefully I see you soon back at some of our webinars, or at EIC in Berlin. We have a great venue there, it has been really fun last year and it will be a lot of fun this year as well. Thank you. Thank you.