Today at EIC, we're talking to independent digital identity expert Jacoba Sieders. Welcome Jacoba, nice to see you here.
Thanks.
Really, we are talking about the future of digital identity. So the first thing I wanted to ask you, with your wealth of experience as an identity expert for multinational banks: what is the one digital identity innovation that you think has had or will have the biggest impact on businesses in general and banks in particular?
I think it is, after long consideration, it should be, decentralized or distributed identity, as it is also explained and regulated by the new eIDAS regulation of the European Union.
Okay. Well, it's been often hailed as the next generation of digital identity solutions. What do you see as the biggest advantages and challenges of implementing decentralized identity?
Yeah, well, it depends for whom we are talking. In digital distributed identity, you have a holder, the user, who holds a wallet and decides what attributes will be uploaded in that wallet and which ones will be shared and how. And privacy and ease of use will be increased largely for the user. But there are also verifiers, we would call them relying parties in the ancient world. And they also could benefit. For instance, if I'm a company and I have to rely on people's identity and I have to know who they are, for instance, employees or a dynamic workforce that changes all the time. You have a lot of onboardings, but many for a short time. In these cases, it would be nice if you could rely on the identity that a person brings in their own wallet, which has a root or trust anchor in a government passport-grade digital identity, because it would save a lot of onboarding time and administration. That would be for the verifier or relying party. And then there are the issuers. Those are the parties that issue these credentials and attributes. I don't know what the benefit for them would be, because they would have to be able to issue all these data, and other people will be relying on it. So there could be an increased liability that could be maybe not so beneficial to the issuer, but if they are at the same time also a consumer of, and that's always the case, you are never as a company, only the issuer and the relying party, one of those roles. You always have various roles in the game. So these are the benefits for these parties. But of course, ease of use, privacy, trust and linkability, selective disclosure of attributes, quicker onboarding. Yeah. Anything that can be improved in identity could be improved with the wallet. Apart from delegation, that will still be a difficult problem.
Well, this is the thing. There seem to be a couple of issues that still need to be ironed out. From what you've said, now we can see there is a whole range of advantages, but how far are we in terms of implementation? When can we expect to actually see a lot of these benefits you've just been outlining?
Well, if we look at eIDAS, it prescribes that the member states of the European Union, we're talking Europe, will issue wallets for their inhabitants, for their citizens by 2026, which is pretty soon. The legislation has been adopted. But we are waiting for a few implementing acts detailing all the standards and procedures that can take 6 to 12 months. So there is some speed there. Two years. But if I look at the market, I can see new wallets popping up everywhere. And I know of a number of wallets that are functioning full stack and that are trying to be compliant with the EU legislation and certified because the certification, that's not clear how to do that and who should do it. But when we have that, it could go very fast within 2 or 3 years.
Okay. So we could speak for ten minutes just on decentralized identity alone. And in fact you are going to be co-moderating a track here at EIC on eIDAS and decentralized identity. But let's think a little bit broader. Are there any other innovations that you're seeing in the digital identity space that you think are also going to be shaping the future for organizations?
Well, there are, first of all, there are trends, things that are not new, but they are rising, like ITDR, that's the sort of, SOC security operations monitoring, on the identity systems themselves. So that's a thing which is probably going up. I hear the word everywhere. And I know that there has been a Leadership Compass being published by KuppingerCole analysts, which I've seen. So ITDR and another thing is policy based access control, also not totally new, but, and it can be done as a software as a service, also that's on the rise as well. And there's a lot more attention for privileged access management. So access to, root access to servers and to infrastructure or to highly impactful regular user accounts for applications. Those are three things, ABAC, PBAC, policy based, PAM and ITDR, that are more prominent. But of course, the big thing, that we're all talking about is AI as a help for, for instance, detection of patterns and fraud, and as an assistant to improve, and optimize things which are now tedious jobs.
Well, you mentioned a whole bunch of things that are going to be coming up at EIC this week, which I'm delighted about because that means they're all good and hot topics. Definitely, the ITDR is one area that I'm interested in. I'll be watching out for that because I want to see how this develops and how it becomes practical. But you mentioned the AI word, I wanted to ask you, how do you see the intersection between identity and AI playing out in the next five years?
Well, it's difficult because there are two sides. It can make, AI can create the eternal good and it can create the eternal nightmare. And, I think both ends, it's sort of weaponized, for the defense and for attacks. So, it's going so fast, but, of course, maybe - and that's a very, maybe crazy statement - we'll go and return to some things to do them, not digitally, but in person, like, for instance, like liveness checks to see if a digital onboarding person is really a live person or an AI, that's becoming a lot more difficult because the AIs are so good. And also in phishing and things, they don't write bad English anymore because the AI knows the English better than people. So that's the attack side. But for pattern recognition and automating things, I think that is a very important factor to improve security as a whole, not just IAM. So yeah, but I think it's going really fast. But of course, you always have to talk to the vendors who create the tools, businesses use tooling for that, for IAM and also generic cybersecurity, which is, in my view, merging the whole tooling landscape. So you see, that companies buy each other and merge and expand to the whole value chain of identity and cybersecurity. And I think when that's done, when the whole tooling landscape is more unified, it's also easier to deploy AI assistants and things there. But yeah, it's yeah, I'm waiting for the next magic to happen, actually.
Yeah. Well, you mentioned a whole lot of things that are coming together and coalescing and that need to be sorted out. I was just curious to know, another area of your expertise is in regulation and legislation and so on. So I was wondering, what do you see as the role of regulation and legislation being, and how do you see frameworks better supporting decentralization and also AI?
Well, it's easy if you, AI is a thing that people want to confine, they want to regulate it and forbid it and make it smaller in a way. But for eIDAS, they want to propagate the things. But by propagating it, of course, that's a good way of advocating certain standards and things. And if you know how to do it because the law says so, it feels more secure to do it also. So that's a good thing. But for AI also, when there's regulation, it also could be helpful in making people aware that, oh, it exists. It's important. These are the limits and this is what I can do. So yeah, I think if there's regulation it will confine developments. But it will also push awareness like we saw with the GDPR, which everyone now knows. So it's also an awareness campaign. I think only the problem is that engineers and legal people, they are two different worlds because engineers don't understand legal guys or they don't like them either. And legal guys are not well versed with engineers. So, they think technology, that's a strange world. And I think we have to work on that as well to make it all happen. But the impact of legislation can't be underestimated. I think it's very important to push, but also to guide innovation.
So that's a great point. I mean, it's something that organizations need to absolutely keep an eye on so they know exactly what's happening in the regulatory framework. And they kind of take their lead from that. So in general, I'm guessing that your feeling on legislation and regulation is generally quite a positive one, that it's going to keep us on track. But I was wondering what advice, other than keeping an eye on regulation, would you give tech professionals and companies looking to stay ahead of the rapidly evolving landscape of digital identity and AI, you know, what should they be doing?
Of course they should come to EIC every year and go to the cyberevolution event annually. And, talk to your peers. I've seen so many companies asking for advice, having no real IAM people in the house, having big issues. And don't reinvent your solution. Talk to your peers, mix and match with the people you know. Gather knowledge around you. Don't invent your own wheels, but also don't think that inventing some solution is the best thing to do, because that's what I see often, that they think technology solves the problem. But IAM is most and foremost a governance and ownership and business problem, and that's underestimated. So for IAM, that's my advice. Make sure your board knows why it's important and how, and be a good communicator to the board. That's the first and foremost thing to enable the progress in your company.
Thank you so much, Jacoba, for joining us today and for talking about the future of digital identity. I'm sure that there is a lot for the audience to unpack there, and I really appreciate your insights on the topic.
Thanks for having me and enjoy the rest of the conference.
You too. Thanks.