Welcome to that session. I would like to talk about my journey regarding identity proofing for Siemens and lessons learned from that. I hope this will help you to think about all what you have to consider when you think what is identity proofing, how to improve the how introduced, how involved that in our architecture and how it is the benefit we can get from that. So the key message we all know digital alerts mentioned has enforced the detail in remote onboarding. That is what we have the need to rethink, refocus on fast track onboarding and trust identities.
We have never from persons we have never met before or we are hiring from everywhere and that is the motivation. We would like to trust them. We would like to prevent the identity fraud, is the key message from that. We have our zero trust landscape and integrated that identity proofing process as part of it. That is what the title of this presentation is referring to is the key component. And you see we want to trust and open our network to the outside, get trust and confidence to share data with things we know, things we trust.
That is our trust, zero trust way along with all the secure communication chain we would like to achieve. Starting from the digital identity which we want. This is the key component in the starting component. We want to ensure that that is the one used by the people we have hired and get us that confidence. That is with everything starts and we go along different steps to assure the communication chain. Like we trust that entity. We're using the right authentication methods. We are having a very good managed device.
We have the trust on the network being used and finally we have the decision to take, we give in access, let in to the next door or not. That is our zero trust architecture. What is valuable for you? What I think that is convenient for anyone to know about this is that the identity proofing process considers multiple aspects.
Not really technically, it is a multiple aspects approach where you would like to be confronted with data security, data privacy.
How I assure that the data of our people, we are handing that in the transmit manner and they can trust us that entity not getting more information or personal that we misuse and we have European regulations we have to meet in terms of what kind of data we retrieve, we use, we process, we store means have to state exactly we take just the data we need for our process and nothing more. That is how we decided we need to get convinced that it's a person without any trace.
We can track the people we get photos where we can do some screening across the social media and find out their profile habits.
Things like that is what we in Siemens consider personal nature respect independent from where people are located, race, demographic, situation and age, gender, the security and privacy exactly is we want to get that assurance that that is the right people where we get granted that right access for the need he has depending on the where they are located, need access to have and assure that the data are only getting consumed by those who have granted the permissions in general.
And that is where the identity proofing process improves the identity assurance and we can be more convinced that our integrity and intellectual property we can share with us identities being used by the person we are binding in that process. That is what we do. And I mentioned that before. That is where we have to rethink how an onboarding can work after the pandemic. How this would look like, how we can be a very good company in front of all our competitors. How we can onboard, hire onboard people very quick, provide the right access, let them in our system and we can trust them.
That is a very good, I have that here in the front. I can read that from here.
That is a very important piece of that implementation is about how can I orchestrate the vendors because probably you will not be satisfied by a tool with all the functionalities by one single vendor because of convenience, data security, data storage, how they are retrieving data, the confidentiality of their algorithms and the way they are getting that identity proofing that could be via biometrics, scanning, id card corporation, photo facial, liveness, recognitions and also how we can react to the changes of the vendors.
That means we have quarantine Siemens, two different vendors, two different processes to satisfy the different government requirements in different countries. We have a biometric approach that will be based on ID card scanning and we make sure that the vendor satisfies that requirement verifies the validity of the identity card the person is using for the authentication.
Being capable to take a facial liveness verification and compare that with the photo of the ID card and just verify on the device without data sharing that just the person that match because benefits analysis is a very thing that you can argument to your leadership. But the fast track onboarding is one of the benefits you will have in the data protection that we can be confident that the right people are getting the right access and that is what we are using to prevent, to provide access to confidential data. That is where we have introduced that process within Siemens.
Anybody who is being onboarded in our infrastructure, we have very well set up. IM system will very well set up processes, data delivering. We trust the data coming from our HR systems, our providers, but there are people we nobody has seen before.
So how to deal with that.
We have our challenges how we can accelerate that remote onboarding but granting the right access to those we think we know we have seen one, eh, the future proofing is multiple technologies are emerging, bringing new features rapidly challenging the data protection regulations in any country, getting more data than we should provide. And the data privacy is getting challenged day by day by this new rapid emerging technologies where anyone is using biometrics by smartphones or fingerprints.
And that is where also our government laws, they have to react to the need of the data for the process we need and take the right decision is allow or not.
And we consider also the vendor ecosystem that they do the same data harmonization. That means the results must be the same independent from which vendor the data is coming from or which method or technology is implemented. That will help us to keep valid and harmonized results.
We can integrate in our IT landscape having no matter which process we will use and the monitoring, how the system are performing, how the processes are being used are the right technology we are using for that what which new technology we have to get in consideration to get a very better good user experience. What is key to get that success and how the metrics are working on our vendors because of the different degrees of accuracy based on technology, based on product, based on the human races in certain demographics countries in certain gender and ages.
It makes this quite challenging. That is what we do and that is what I consider our challenges and opportunities. We see we have to get involved any Siemens employee, we have to let them know why this is important. Create that culture of trust for that remote processes that allows anyone to start working from everywhere and we have to collaborate with multiple we I'm from, especially from IT, we have to collaborate with multiple of departments from HR, from our governance, from our leadership.
That means we need to think on the right setup and gather their support or their buy-in to become to successful process.
That is exactly what I was thinking about leadership support that it is represented by a law. Siemens has introduced a security policy where we are subjected to verify every new employee after the COVID-19. That is the regulation we stick to and we have are introducing these processes for that for to achieve that target.
That means you need to base on a requirement to get people aware of or the consent that they have to do that is not just another IT process where introducing it makes sense. It has its purpose and a purpose is to prevent identity fraud and trust our identities. That is the very big component and support we need and need to be aware of the technologies to use, the features we have in place we can trust on a full supplied service product.
It is not a component that you can use is a product support that you can use as a service to prevent deal with multiple instances, multiple parties involved in that solution and take the right decision where you would like to have to have the data.
What exactly do you expect for the tool in that? Depends on your particular use case. How important is that? You get people verified. You can only achieve that target if you know exactly what do you need the identity proofing how important it is. It is a bank conditions are different.
It is an industry where we exactly prevent granting access to confidential data. That is our approach.
We have that level and the requirements to meet that accuracy of the data, the communication strategy across the company. That is more than on the IT level. It must be on the organizational level because that is a policy where are, yeah, being the incense to implement something to cover that necessity and usability is everything. That's what I have learned today or it was clear to me. More and more if we have a tool, if we have a process, if we have a very good user experience, we will get success.
We will see how fast the acceptance and the ability to move forward is being produced. That is the point. And yeah it has been done currently at the first step of identity proofing with the current technologies. But as any IT processes integrated in our IT landscape, we have to think about the improvements, the changes we have to consider on that. Probably we use different technologies. AI in the future that is not only just one single run, this is a continuous process you have to maintain. And that is interesting slide because this reflects exactly which point.
Siemens, along the process of hiring and onboarding has decided to introduce the process. That means we make sure that we have a very good hiring process, a very well-established identity management system. We have an onboarding process, we're activating our users with MFA. That means we have certain hurdles achieved and when it comes to data access is when we enforce that identity proofing that is classifies data that we will build up with our policies after the identity proofing.
So we have different technologies and methods you can implement that identity proofing we have of course still our physical presence. We can do it via two-way video call with the manager gets by video. And the most common in solid base on the static data is document centric where people scan their ID card and rely on the validity of the ID card and the photo matching the liveness facial identification.
So, and this is how, this is the part how it comes integrated in our IT landscape. That means we move from the hiring initial provision you have seen before and we introduce the identity proofing and do something with that because the benefit is not only get verify the identities bind to a human being is to do something with that information. And that is what we have enforced the identity assurance level where we upgrade that value in our IT systems to build up our policies to have the access request.
Once the user is getting authenticated by our identity systems based on that policy, the confidentiality is being granted and the person can have or cannot access to that confidential information.
And these are the takeaways for someone who is thinking really on probably it made sense to introduce that process in our company is there are multiple tools, multiple vendors with different capabilities, technologies methods.
It depends really on your use case that satisfies that your case you are aiming to fulfill in your company this scalability and the orchestration layer that you make sure you orchestrate the vendors and not the other way around otherwise you will get in conflicts with multiple vendors. This harmonization of data, what leads to very long delays in blocking the process in general, the user experience success factor mentioned before facial liveness recognitions, they have some biases and you we know and have to count on.
There are some people concerned about private data privacy that will be very cautious going that way.
Sorry. And the integration in the landscape, the alignment with the onboarding process. Hiring process, what process is being triggered by whom is important. Getting this same sense of information and interest to leverage that accuracy of the entity of people we are doing is important.
That is a very important point. Our HR got confused multiple times why we are doing that because they have seen the people signing the contract by personal presence need to explain, we're binding the virtual identity to the human body. That is what we are doing to get trust. But it's not easy.
Align this process with HR and send out the global communication supported by HR and not least the normalization of the identity proofing results across the whole system line that you get enforce the same policies everywhere to not create backdoors on systems who are missing that identity proofing values, identity assurance level, and people find a way how to get access to data. That is all the experience and lessons learned I wanted to share with you. Feel free to ask questions if you have Tom.
Okay.
We had one question online but I think you actually answered it during the course of the talk, so we'll take one.
Yeah. Thank you. So we've been also running like through the, let's call it selection of candidates for ID proofing, there are plenty of them on the market and the one of the questions which we had and how did you do that also, how about the accuracy of verification and there are no, so at least we haven't identified any standards, any like, like benchmarks, like established benchmarks.
So, and some of like suppliers to why do you think you are good enough in accuracy? Because our customers say that.
So, and I don't think that that's a good benchmark. So what was your benchmark to get assurance of the accuracy of the results because we, I don't feel like we are experts in to tell if it works well across demographics and across everything.
So yeah, that's the question.
So we count with multiple employees, employee types, customers, business, business to business, internal external people depending on their identity quality and the sources being used for that creation. Depending on is this an identity managed by Siemens? What we usually do is our very well maintained and process and verified that is a Siemens identity. We grant some certain trust by default is different than using identities from a customer.
Bringing with, thinking of bringing your own identity will be different case what we own and we manage in a very good manner. We set a certain trust, level of trust for get access to internal information. But when it comes to access to confidential, strictly confidential information, we need our verification.
Great. That's all we have time for now. We can
Talk a date about this. Yep. And then
Thanks again Leonardo.
Yeah, you're welcome.