Matthias
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm an advisor with KuppingerCole Analysts. Today, I have a full set of guests that will talk with me to you about a really special topic. For this podcast, I would like to welcome Warwick Ashford, Alejandro Leal, and Phillip Messerschmidt. Hi to the three of you.
Great to have you. And we want to have an episode that is making the balance between the past and the future, which sounds great. We are looking back at EIC 2024, the event that was quite some work and quite some success. So we want to look back on that on the one hand. And in German we say, "Vor dem Spiel ist nach dem Spiel." We really want to make sure that we also look into what the next event at KuppingerCole will bring, but starting with looking back at EIC. And EIC, European Identity and Cloud Conference, is something that has just been executed. And of course, although it's identity in its name, it also covers quite some substantial cybersecurity topics. So when we look back or when you look back from your experience, at EIC and the tracks and the events and the workshops and the sessions that we had. With a look at the cybersecurity part, how did EIC reflect the current cybersecurity trends and everything that's going on right now, the challenges that we all deal with in cybersecurity? What do you think were the most significant ones, maybe starting with you, Alejandro?
Alejandro
Sure. Thank you, Matthias. Well, EIC was very fun for me. It was very interesting to really interact with the vendors face to face. We usually talk to them on Microsoft Teams. So it was a different kind of interaction. And it was really nice to see their opinion on the topics, on the agenda. And also they show some of their, let's say, concerns that they have in the fields that they are experts. So I had lots of meetings with passwordless vendors, access management vendors. So it was a very good time to really get to know them and see what they think. And I think EIC is a really good place to be because we have people from all over the world, from different industries, different backgrounds, and they all come together to discuss these topics that in a way they are global topics. So it was a really good time and I think many of these topics were addressed by them.
Matthias
Great, thank you. And from a topic perspective, Phillip, what were the most striking cybersecurity - you and me, we are identity experts, but identity in the end is cybersecurity, isn't it?
Phillip
Yeah, definitely. It's a part of cybersecurity. And the most striking topics for me, this is what Martin also presented as trends in his closing keynote, is around zero trust about verifiable credentials, about the whole trend of authorization and let's say real-time authorizations. So zero trust is a topic that several companies, a lot of companies are investigating right now. We have seen that at EIC. We will see that at CRE. And I'm sure we will see that not just this year, but also the next years over the next five years probably as a part where we integrate and connect different topics with each other to get a higher level of security.
Warwick Ashford
I think from a security point of view, the fun thing was a lot of the focus for EIC this year was on AI, of course. So from the security point of view, we looked at the benefits and risks of AI in identity and security. And also there were some great sessions on the fraud landscape, trends, methods, countermeasures there, and building cyber resilient infrastructure. I think that was a key theme as well as building identity resilience. And then obviously there was a lot around identity security, which is becoming an increasingly important topic in the identity and security world. We looked at things like identity compromise, the importance of safeguarding digital identity, and then of course, identity threat detection and response, ITDR, which is becoming more and more common. And then as Phillip mentioned, there were practical implementations and benefits of Zero Trust. And then we also looked at how decentralized identity can improve security. So really a lot of security related content this year.
Matthias
Right, and know you Warwick, you did most of the moderation on the main stage. So when I ask you the question, what was your most fondly remembered session or workshop or discussion that you would like to highlight, I think that's difficult, but I ask the question anyway, what was the most important session workshop that you attended and that you've seen?
Warwick
Yes, you know, you're absolutely right. It's really difficult to kind of nominate anyone, but I must say Martin's, Martin Kuppinger's opening keynote, I think was really brilliant because he was looking at Vision 2030, rethinking digital identity in the era of AI and decentralization. And it kind of really resonated with me and set a really nice ground for the rest of the conference because he explained how decentralization, decentralized identity fits in with all the other components. And he sketched out the great vision of how all these things are going to be working together in a, or can be working together in an ecosystem of where different services ... to not go into a central repository of ID that's controlled by somebody, but to be able to draw on verifiable credentials from the holder. And that, and I thought, I thought that was a really good way to start the conference and kind of help focus everybody for the rest of the time.
Matthias
Absolutely, Phillip, your most impactful session, if you remember back to EIC, what comes to your mind?
Phillip
That's a very good question. I have not seen that many sessions, to be honest. I was very busy at EIC, but one that comes to my mind is pretty much exactly the opposite of what Warwick told us. It's a hands-on session, more or less. One of the not so trendy topics, what organizations and enterprises are currently struggling with is ITSM integration. So integrating IGA and ITSM. We had a session there, don't remember who was the presenter, but he was explaining the different levels of integration of ITSM and IGA and it is quite interesting because that's more or less a hot topic. Besides the trends that we see on EIC and CRE, we can also see the current problems, the current issues that companies have and how they are addressed. So it's not just about trends and 2030, but it's also about the problems that organizations and enterprises have right now.
Matthias Reinwarth
And for you that you've been attending EIC and everybody who's been attending EIC, of course there's a chance to, because it's included in your ticket, you can re-watch almost every session as recordings, as video, or at least check the transcripts and the material that has been provided, so the PDFs of the presentations. And that is also an option that people who have not been at EIC and can't wait until December, until the next event starts, there's a chance to get for a small fee to have full access to all of EIC 2024, just to mention it. Before I hand over to Alejandro, maybe one thing that I think was really a great workshop, and this is not because I moderated it, because I did not do much there, because I had great presenters there, but they showed that decentralized identity is nothing theoretical because they showed it, they explained it, they explained the crucial aspects of that and the components and then they built it during that workshop and showed how it works. So that was a 90 minutes or 105 minutes workshop. So it was not that long and it showed that decentralized identity is far from being theoretical. It's there and it's there to use and to integrate. That was my most memorable workshop because it was the starting workshop. Alejandro, from your side, what was the most interesting aspect that you've seen, just to highlight one, not to say that the others were not interesting.
Alejandro
Yeah, just to add on what Warwick said, I also really like Martin's keynote speak, especially the part of building the puzzle with all these fragmented tools and how organizations need to address silos and deal with legacy systems and how the role of AI and decentralized identity is going to change digital security in the next coming years. But another session that I really liked was a sort of workshop by Dr. Pablo Breuer and Daniella Taveau. They talked about the DISARM framework and how by sharing open standards and information, we can tackle misinformation. That was also a really interesting topic that I found. And they also talked about the rise of LLMs and deepfakes and how that's creating more complicated problems for organizations, not only in the business side, but also when it comes to the government, we see that there's more sort of these issues coming in. And they talked about how in the next few years, it's going to be very difficult to distinguish between, or as he put it, said, in a few years, we're going to be able to have a Hollywood style content created by some of these tools. So it's really going to be a challenge to address this situation. And I think that's also a topic that we're probably going to be discussing at the cyberevolution conference later this year.
Matthias
Yeah, I fully agree that that will be aspects that I think nobody really has a full picture of what we will be facing. So we are looking really at an avalanche of technologies and impact. And nobody really knows how to fully grasp the overall picture as a whole. Since it was the EIC and I standing for identity, at least a quick question. Of course, we've mentioned decentralized identity already twice and it was one of the key topics together with digital wallets as the means of transporting those. Were there any other identity and access management topics that you considered to be relevant? Something that you took home with yourself to say, I need to work on that because this is important and that will be relevant also in two years time. Maybe again, starting with you Warwick.
Warwick
Not so much in terms of work, but I mean, one of the sessions that really excited me was the one on the future of travel credentials. There were a set of that, you know, Annet Steenbergen, who's an independent advisor to the travel industry. She opened with a keynote on that. And then that was followed by a pilot project in the Netherlands using the digital travel credentials from someone from the government, Wim van der Lingen. And then there was a panel discussion about what travel credentials we'll be able to enable in the fairly near future, we hope. And yeah, I think that was really exciting because I enjoy traveling, but going through airports is not fun, especially when you have to worry about documentation and that sort of thing. And if it can all be done prior to your arrival at the airport, and you can just go through gates just by tapping a credential, I think that's great. So that was one of the sessions that I found really exciting.
Matthias
Right, and Alejandro, you are an IAM analyst, so what was striking for you apart from decentralized identity?
Alejandro
Well, maybe I'm going to be a bit biased because I covered the topic of passwordless, but I really enjoyed attending some of those sessions. And it seems like we've been talking about passwords being dead for a long, long time. But I think the important thing and one of the main takeaways was that the password is dead in the sense of people are completely losing the belief in this authentication mechanism. And one of the topics that I had with many of the vendors revolving around the topic of account recovery and how these organizations, they listen to their customers. So if their customers, they still want to use username and password, they still provide those options. But during our conversations, we talked about how we shouldn't even offer those options because we need to really educate the customer. Some of them have old school mentality. Some of them like username and password because they're used to it. But if the industry really wants to get rid of passwords, we need to also remove that option. And I know it's not easy and of course the customer is sometimes always right, but in this case I think we need to be doing a better job at educating them.
Matthias
Fully agree. Phillip, your IAM takeaway?
Phillip
Yeah, I'm seeing that from a different angle. For me, the access management in terms of authorization trends are very important topic, especially that ABAC and PBAC are taking up speed. We see that with all the discussions around the AuthZEN work group, around in general the policy point discussions that we see around zero trust and how access in a sense authorizations, also authentication is becoming one of the major security, not even attributes, but measures when we see the identity as identity security centric object. So zero trust, attribute based access control, and policy based access control. This is a topic that at least for the next three to four years, definitely a trend that we have seen, that we will see, and I'm happy to see that this is taking up speed again after the couple of last years. The technology is being ready for that step forward.
Matthias
Right, and before we stop looking back at EIC, I want to highlight a few aspects that are a bit offbeat. So I had the pleasure to present an award for the best real life decentralized identity project. The nominated and the awarded... organization is wrong, was the state of Bhutan. And meeting those people and understanding that decentralized identity and identity management in general is truly a global phenomenon and that we have to understand it and deal with it on a global scale. And meeting these nice people from Bhutan, that was really one of my outstanding, particular memorable events at EIC. And maybe you can contribute, the three of you, to that as well. Were there some funny, outstanding, memorable moments that you lived through at EIC that you didn't expect, starting maybe with Phillip?
Phillip
So that's a good question. Not that one comes to my mind directly. One thing that I can highlight is definitely meeting all that people back at EIC. So everyone is always mentioning that's like a classroom meeting where you see all the people from back then. That's definitely a thing that I always hear. And I know that. It always surprises me again how many of the old faces I see that you just see once a year at EIC. So that's really incredible. I met one of my old mentors that I've not seen for six years, I think. So this is how you get back to people, especially after Corona.
Matthias
That's true. Warwick, some of your favorites to mention?
Warwick
Well, just to me, as you said, I moderated the keynote track and I think just the level and diversity of people there. It was great having Anil John from the US Department of Homeland Security. Of course, Max Schrems, who's very well known in the privacy community. That was great to have him again this year. And then Joni Brennan from the Digital ID and Authentication Council of Canada. And she was talking about misinformation and disinformation, which also was a really interesting topic this year. You know, those in terms of people and just the diversity of topics and speakers we had. And of course, I mentioned in my opening statements that it was the last year that Joerg Resch is going to be behind EIC. And I was really pleased that he got a really warm and strong round of applause for all the amazing work that he's done to build up EIC to the event that it is today. So that was my standout moment.
Alejandro
Similar to Phillip, I think it's really cool to see all these familiar faces once a year and it seems like they're not changing or maybe I'm changing, I don't know. But it was also cool to see there was the British ambassador or ex-ambassador to the United Nations and I had a really interesting conversation with him on the role of the UN and he was a bit pessimistic on that. So it was not a very, let's say, constructive conversation or what I was expecting to get from him, but it really shows the reality of that organization in relation to digital security and technology.
Matthias
Let's use a topic that you all three mentioned during this part. We're looking back at EIC and that was Zero Trust. And let's segue over to cyberevolution, our cybersecurity event that will be executed in Frankfurt in early December this year. And a topic that you've mentioned is Zero Trust. And Zero Trust, I think will be also a topic over there. And I know that you, Warwick, are deeply involved in preparing this already. So you can confirm, Zero Trust will be there and what else will be key topics for cyberevolution?
Warwick
Yeah, sure. Absolutely. Zero Trust, obviously, as you say, we've been using it for a couple of years now and is gaining traction. And I almost think it's kind of, it's becoming more or less part of business as usual. I think people are treating it less as a discrete topic, but just as part of the way we do things now, because that it improves security. It just makes so much more sense. It's a much better approach. And so, you know, as related to that though is the topic of identity security. I think that's kind of because security and identity are so strongly related and I think that's why it was reflected in EIC this year, such a strong theme. And that will be picked up again at cyberevolution because really security identity is at the heart of cybersecurity. So we're going to see a lot of that. But like EIC, trust in an AI driven interconnected world is also going to be very important. We're not going to get away from that AI topic because it's now becoming such a big part of our life and all our systems. And then in terms of legislation and so on, of course, NIS2 and DORA are an important focus this year at cyberevolution.
Alejandro
If I can add something to Warwick, I think the topic of AI is going to be very popular at the conference. I'm going to be doing a session on SOAR. So I'm currently doing research on that topic. And if I compare my research to last year's, I see that all the vendors are talking about LLMs and the use of chatbots and generative AI to make the life easier for the SOC analyst. And I think it's going to be interesting to really distinguish between the marketing hype, let's say, and the tangible benefits that these tools are going to bring to the SOC analysts. And I think what I would like to explore in the coming months, and hopefully I can touch upon this at the conference, if these tools are really meeting the expectations of SOC analysts, or perhaps it's a bit premature to really say that these tools are extremely, extremely helpful. So I think it's going to be some interesting months of research to really see how are these tools really affecting the organizations.
Matthias
Right, and I think it's not necessary about them, these tools being or adding the intelligence, but maybe just doing the heavy lifting to do this part of the work that would be just tedious, the 80% that have to be done anyway. And if you can delegate that to a box, to a machine that does that for you, and so you can focus with your intelligence as a SOC analyst on what's really important, that would help already. Any topics that you're looking forward to, Phillip?
Phillip
Yeah, still I can just repeat myself. Zero Trust is one of the major topics, not just for EIC, but also for CRE. It's good to see how Zero Trust is bringing all the cybersecurity measures together and not as an isolated thing, not as an isolated topic, like we were doing passwords or we are doing MFA. We are doing access management in terms of authorization. Now with Zero Trust, we bring all of that together and not just the identity security, but also beyond that. As Alejandro mentioned, we are taking up more controls. We are taking up real time signals for decisions. We are bringing networking security into the game and device security and so on. So this is definitely going far beyond what identity security can do, mixing up the different security measures and improving the overall security situation for enterprise. And this is good to see that not just the bad guys are moving forward, but that the defensive measures are also improving here.
Matthias
Absolutely. cyberevolution 2024 is the second incarnation of this event. And if we look back to last year, one of the highlights that was really always mentioned when we asked people what did they really enjoy was the Capture the Flag event. So where we had some teams from universities, from commercial organizations that were to solve cybersecurity challenges. And they were really into analyzing problems, issues, and they were really competing with each other. Looking at Warwick, knowing a bit of the agenda. So there will be another Capture the Flag this year, right?
Warwick
Yes, I'm not that involved, but I believe there will be and I agree with you, it's a very important element of cyberevolution because it brings together a whole generation, a new generation of cybersecurity professionals or potential cybersecurity professionals who are engaging with the challenges and finding great solutions.
Matthias
One topic that's on that list that surprised me, it seemed unexpected for me, but at second sight, this is really relevant. It's not necessarily a technological, a technical topic. cyberevolution will address leadership on one and mental health in cybersecurity on the other hand. I don't know who wants to start on that, but can you elaborate a bit on why this is in focus and why it is important and why it has such a prominent position within the agenda at CRE this year?
Warwick
I'll take that because I'm actually moderating the track and I'm really pleased about this because the holistic well-being of professionals in this high stress field is really important. And I think including it at cyberevolution just highlights the need for supportive environments and it'll hopefully reduce the stigma and promote overall effectiveness and innovation in cybersecurity because I think lots of CISOs are concerned about personal and financial and legal liability in their role. And that's one of the questions apparently that many of them are asking now is like, is there insurance for this? Am I protected? Is my employer gonna look after me or am I gonna have to do this? And many of them are having to find ways of doing more with fewer people and with flat or reduced budgets. So we're gonna be looking at how cybersecurity professionals can cope with the stress of the job, how they can avoid burnout, how they can improve their overall job satisfaction. And then there are gonna be a couple of presentations on those topics. And then to wrap up, I think there's gonna be a panel discussion on addressing mental health challenges in cybersecurity. And so far we've got some great speakers.
Matthias
Yeah, that sounds really interesting. And it's really a bit, yeah, a step aside to say, okay, yeah, this is a much bigger picture. Even cybersecurity is a bigger picture. Just as I said, IAM is a global phenomenon. Cybersecurity is something that goes far beyond technology. Talking about far going beyond technology, regulations, you've mentioned that already, Warwick, NIS2, DORA and other regulations coming up. They are a driving force when it comes to implementing cybersecurity. So maybe you can elaborate a bit on how these regulations influence the way we do cybersecurity right now and how it will drive that and how we can deal with these vast amount of changing and growing and increasing regulations in cybersecurity in general.
Phillip
Yeah, I mean, regulations are one of the main drivers for us in IAM, but also in general in cybersecurity. It supports any enterprise in finding the right measures in the right time. So this is what we are seeing right now with DORA and NIS2 that there are upcoming regulations and pretty much every enterprise, every company is somehow involved in that regulation. So we are all looking towards them. And with the date coming closer that they are coming into force is they are becoming more important. And enterprises are right now investigating what they can do, what they will do, and especially how they bring that to an operational level. I think CRE will also give us some more insights because it's close before these regulations are going live and we still expect some more information on how to operationalize this regulation. I think CRE can do a great job with providing this information.
Matthias
Yeah, again, I fully agree. And one set of vendors, one set of products that typically raises their hand and say, yeah, we can support in NIS2 compliance, yes, we can support into DORA compliance, are the identity and access management tools. And this is where you, Alejandro, come in. They, of course, come with the promise we can at least secure this area of access, of access management, of control, of access governance. And that is where you are the expert. So this will be an important part again and that's where IAM is cybersecurity and compliance, right?
Alejandro
Yeah, absolutely. I think many people see regulations as a bit problematic. Perhaps they think that they prevent some innovation in certain aspects, but I think that regulations act as a restrainer because technology is moving so, so fast that it creates a sort of space for dialogue, for reconstruction, and for listening to different point of view. So I think that events like this are sort of those spaces that we can have a nice conversation about the impact of these regulations, not only for enterprises, but for consumers and citizens alike.
Warwick Ashford
And considering this is a cybersecurity conference, what I found really interesting in recent days, I've been talking to a couple of vendors in the MDR space. And I was quite interested to hear from them that DORA is actually driving renewed interest in some wider MDR services that are more risk focused. So for years, we've been trying to get organizations to adopt a risk-based approach to security. And I think that's what's great about NIS2 and DORA because although they apply to specific industry segments, they can be used by every organization to improve their security posture. I think that DORA in particular has placed emphasis on operational risk. And so that's why these vendors are saying to me now that they're getting a lot more queries around, how do we quantify our risk, how do we manage our risk, how do we look at the risk of our operations. So that's something that we'll definitely be talking about at cyberevolution because we know that's what organizations are looking to know.
Matthias Reinwarth
Yeah, absolutely agree. I think that the bigger picture around that is really the important part. And this is where cyberevolution can actually shine. It can also shine, and of course, I need to do some name dropping as well, so we have some really distinguished speakers already announced and confirmed. So we will have the Head of Cyber Crime from the BKA, which is the German FBI speaking. Mr. Carsten Meywirth will be there. And the Hessian Minister for the Interior [Prof. Dr. Roman Poseck] will also be doing a keynote, so we will have quite some distinguished speakers there as well. Marina, our colleague, and Christopher, who is the Director of the Practice Cybersecurity and our CISO, they will present a study about cybersecurity in 2024 and beyond. That will be really interesting. And of course, a main focus will be identity security. Before we close down, final focus, you've mentioned that already a bit. The subtitle of the cyberevolution mentions AI even in its tagline. So the importance of AI, trust in an AI-driven interconnected world will be a central topic. So maybe if we mention a few of the aspects that are around that right now, that would be really interesting. What comes to your mind or what do you expect when it comes to cyberevolution?
Warwick Ashford
Well, sure this is a very important topic because, you know, although everyone can see the benefits of AI, you know, it's obviously far more efficient. It can look across vast data sets of cybersecurity information. It's going to be a real help in things like security event management and that kind of thing. But obviously we have to build a competence within organizations on using this technology. And as part of building that competence is also building a trust and knowing, you know, when can we trust using this? How can we trust using the results of this. And I think that's going to take us a while because as with automation, we've been talking about automation and cybersecurity for a while, AI and automation are fairly closely linked as well. And I think in general, there's a certain kind of mistrust of these things because for so long, people have been in control of what goes on in their environment. So slowly, the industry is now beginning to get confidence in outsourcing cybersecurity. They're getting confident in automating cybersecurity. So now this is going to be the next leap now is to get more confident and trust where AI can and cannot be used going forward.
Matthias
Right, and you can divide the people looking at AI from the complete doubters to the absolute fanboys when it comes to AI. Phillip, where are you located? What do you expect from AI in cybersecurity in IAM and what do you expect from the topic of AI in identity centric security from CRE?
Phillip
So I'm not that excited to be honest, but I think that AI is a very strong tool, especially with pattern recognition when it comes to scalability and doing some stuff, some effort, some time consuming tasks that people would not do in their daily business because they don't have the time. So thinking about access recertification, for example, thinking about mixing up with the access patterns, mixing up multiple attributes and events and information and data into deriving a certain decision, especially when we think about authorizations. This could be important about access in general, also authentication. But especially for zero trust, and sorry for circling back to that all the time, data is very important for that. Attributes, identity attributes, we are talking about the data quality here. And AI is doing a great job in attribute verification in increasing the quality of that data to give us a better position when it comes to security and this security and risk driven decisions there. And I think that's where AI can support a lot and that's my expectations for CRE to show how we can use AI to increase the data quality to increase the security posture.
Matthias
Yes, I think that is an interesting aspect of artificial intelligence, really providing some real life measures that we can actually use and see right now. Others are a bit more far away, but CRE will have a look at the topics that are next in cybersecurity. For that, I want to thank all of you for being my guests today, for looking back at EIC and looking forward towards the cyberevolution in Frankfurt in December. I think, again, I highlight that all the recordings of EIC are still available and they're still topical and you should have a look at them. I really recommend that and I do that myself. So I really follow up on some of the sessions that I just could not attend. Just like Phillip said, it's difficult when you're there and you're busy, but it's still there. If you're interested in CRE, the agenda is already on our website, go to kuppingercole.com and events and you can't miss it really. If you have any questions, if you have topics to suggest for CRE, or for this podcast, leave your comment below. If you're watching that on YouTube, just in the comment section. Or just reach out to us, to me, to Warwick, Phillip or Alejandro. And before I close down again, thank you very much Warwick, Phillip and Alejandro. I'm looking forward to having you soon in another episode. Thank you for being here today.
Warwick
Pleasure.
Phillip
Thank you.