As Matthias pointed out, the title is a bit long. I have to to to apologize for that, but I wasn't the one who came up with the title.
Anyway, I, I will shed a bit of light of, of what we see in as happening in access management and what what is important to look at. But where I wanna start is a bit on where are we today when you look at identity management, and I'd like to bring up our analysts, I am reference architecture here, then identity management has really become an established discipline in most organizations, at least in the mid-market to large organizations.
Definitely, yes, with three core areas which are iga, so the provisioning user lifecycle access governance piece, the access management part, and the privileged access management part. It also has grown beyond the traditional workforce focus, supporting consumers, et cetera. And the focus commonly, I still like this for a structure of administration, analytics, risk authentication and authorization.
So this is what what helps us sort of bit sorting out what is where and when we go to the, the, the center on the right hand side where we find web access management, identity federation, then this is with the core of access management, but other aspects like adaptive authentication, et cetera, play into that. We also see emerging topics like just in time access, currently more in privileged access management, but growing and, and, and, and more seems. And so still it is that many organizations focus a bit more on workforce.
I am for access management, also a bit more on, on customers, consumers. But it's also some way to go and things are happening and you'll, when you look very, very closely on, at, at this sheet, and there will be some more, some areas you observe like, like decentralized identity, which already sort of play into the future.
And so, but still today it is that, and this is also a bit of focus of my talk with, with with a strong tendency and focus on, on the access management pieces. It is, we have identity management usually in place, but it's not static and we must go beyond that. And what we did, a couple call a couple of years ago, we developed the identity fabrics model, which finds widespread adoption these days across the industry as a, as a paradigm, as a concept that helps and coming up with a, with a holistic perspective of for all of identity management.
And when, when we came up with this concept, it basically started with asking the co the question about what is, what is at the core, what is the really the top of identity management? And it is, when you look at this graphic on the left hand side, you find all these different types of identities.
On the right hand side, you find all the types of applications and services and top of identity management is very simple, providing seamless yet secure, yet well governed access for everyone and everything to every application and service.
And therefore we need certain capabilities which come in services which are provided by tools. And we need also to think about how can we support all the traditional, the SaaS applications, new digital services, and how do we work together with all the the existing im. And so what is happening these days is that we take a broader focus on all identities that we think about APIs.
So how can we enable access management, particularly for, for our digital services that we look at, how can we bring sort of modern and a way is technology into a world where we still have a lot of legacy identity management, but also a lot of legacy applications.
So high approach reality of our it, how can we support the SaaS applications, how can we benefit from new and modern delivery models? So particularly ida's identity as a service and hybrid IT support.
So what we definitely need to do is we need to, to think beyond the sort of the traditional access management and of identity management. And there, there are a lot of things we should keep in mind when we are modernizing our access management here. But access is very much at the center because it's really about how can we deal with sort of verified identities and access for zero trust. So when we want to make zero trust reality, then access management is the starting point. It's about, it's the first touch point for every identity.
So Martin with his digital identity becomes verified by authentication, then access is granted. So we are talking about access management as really the sort of the, the entry door to everything we do around zero trust.
There's no zero trust without a strong access management to be very clear on that.
And so we, we need to put a, a focus on access manage and think about what ca do we need to do today and for the future to really serve sort of the, the, the emerging needs we have. And I know that from, from what we do with customers, a lot of our organizations still are in the state that they, they're, they sometimes even have two types of access management. One for the workforce, one for the, the externals that particularly workforce identity management still frequently it runs on premises and that there's a need for modernization.
And when you modernize, then do it right, do it in the context of a broader model like the, our identity fabrics model, which for our experience is, is very valuable when you create sort of your, your strategy, your roadmap, your architecture for the future and think about how access management must look like.
And there are a couple of things you need to keep in mind when we are evolving identity management.
There, there are many things we need to cover because things have changed in the past three years. Work from anywhere even longer.
Cloud the, the uptake of digital service is also again driven by, by, by the pandemic, but also a lot of new challenges we we see at the horizon like web three metaverse, decentralized technologies. And we need to do then our evolution in the scope of a lot of different factors. So there's the aspect of cost.
So we, we still need to do it in a way that, that we can keep cost under control.
Using as a service model surely is an element in, in covering that we need to be strong when it comes to protecting our organizations against identity based attacks. There are various numbers out there, but all of them say somewhere between 60 or to 80% of all the attacks, the cyber attacks are related to identity theft, to password based attacks, et cetera. All the things which are around access.
So, or access management must be strong. It must get even stronger, but also very flexible. We must serve the digital services. It doesn't make sense if every digital service uses a different approach for access management, we must unify that. We need the APIs for that. We must work against the layer. We must meet regulations, serve the hybrid reality, support the world, the world from anywhere reality so that everyone can access from everywhere in a secure manner.
It must be flexible again as a service style deployments help and it must build for, for the future for supporting innovation.
This is where I wanna spend the, the remaining 10 to 12 minutes on. So what's next? This is I think a very, very important really fundamental question. What are the big things? So some things are more or less here, take passport less authentication, passport less authentication, has seen a huge uptake and it it'll continue to, to rise, which is very clear because password let authentication is addressing one of the, the critical aspects we have in security and in identity the passwords. And it does it in a way where convenience goes up and security goes up if we do it right.
So these things are here also, I would dare to say to a certain extent here is contextual, contextual intelligence and looking at the dynamic nature of access because it is not that, okay, if we can, if someone comes with the username of the password, simplify of Martin, then it's good.
It could be even the MFA options, Martin has, we, you still can't really say, okay, this is good because we see an uptake in, in MFA target or attacks targeted on, on MFAs, on multifactor authentications. So just authentication is no longer, longer sufficiently must understand the context.
And so context and, and this contextual intelligence is about a couple of areas like device. So it's just the same device Martin has used all the time or not. And is the device healthy? Where does Martin come in from? I suppose dare to say this is of of lesser relevance nowadays in the work from anywhere world, but there are areas where it's still remains relevant. We need to look at, at the user. So is this the, the behavior, is Martin doing what he's always doing or something different? That can be the way he uses the mouse or swipes the screen or types of transactions or whatever else.
And the location, if that changes, if this is uncommon, it's something around the context. And, and even while the authentication might be correct, we still may think about is this really Martin? What is the risk? And depending on the risk, we must make decisions. And there are a lot of context structures.
And the interesting thing is when we did our leadership compass on access management this year, we also asked for support for different types of contextual factors like profiling device, tagging device helps network profile, connection analysis, user profiling, user activity, location awareness. And what what is definitely interesting is to see that the, the vast maturity of solutions in the market supports several factors, several context factors to make better decisions. What we now need to do is make use out of it. So the technology helps us today in providing contextual intelligence.
The information is there, but we need to make use, we need to say, okay, if that and that and that is met, then we understand your risk that way or that way or if it's not met and then we decide about do we allow access or we allow access but only for in a restricted manner or we ask for another authentication factor, whatever we need to act upon that.
So we need to go back, go away from, from a sort of a yes no approach, good bad to understanding different shades in between.
So this is one of these areas we, which are very important for the future of access because we, we are living in a complex, in working in complex IT environments and we need to, to react on that in a more differentiated manner. The the second point I wanna bring up is decentralized identities. And what what I find particularly interesting is when, when I go back to our LA this year's, in fact it was the 2022 May, 2022 European identity conference in Berlin. We have been covering the topic of decentralized entities itself in entities and all the other terms around it for, for more than decade.
But it was the first time that we talked that talked mainly about, or there's something on the horizon, but how can we make use out of it in practical use cases.
So this is becoming a reality now and there are a lot of potential use cases and advantages we can have from that. Not everything is solved. So some things in standards are lacking. There's still an evolution.
It's, it's a bit than 1.0 situation, but we are, we are making progress. And what is, from my perspective for the entire access management piece, very, very important is that we are not talking about something isolated with decentralized identities, but we need always to think about how does this work with our Im, how can we benefit from it? And we can benefit from decentralized entities in the context of access management. So by improving access, by providing more context, by simplifying onboarding process.
So let, let me bring up a billion o oversimplified example. So, but I think it helps sort of of providing my, my perspective on, on, on, on the broader, the bigger potential here.
So in this decentralized identity world, the user owns the identity. That's why it's decentralized and information's held in the wallet. And in this wallet there are proofs and these proofs state for instance, that based on the e i D card, it's March equipping or with a certain address. This wallet then needs to be, so access needs to be authenticated usually in a strong manner with biometrics.
And then okay, Martin says, okay, I'm Martin. And this could be used in an onboarding process because think about onboarding of, of remote workforce disprove, so you don't meet the people anymore. And then you can say, okay, this is room that's Martin. So I issued the corporate proofs to Martin, which say he's an employer of Coco Analyst and his top title and role is Principal Analyst.
Based on that authentication could be simplified because there's already context provided when I authenticate and if I'm able to open my my wallet, then it means okay, I, I have authenticated so to speak to the wallet, which is helpful for authentication but also for authorization because that information can be used in an authorization process.
It also can be used when I work for, in a project for a, for a partner because I have a proof of an employment from Analyst and that partner could issue a sort of a partner ID visa project proof saying, okay, Martin is working this project supporting me and use it again in the authorization. And so we can add information in onboarding processes in access in authorization based on decentralized identities. And so my perspective is, and this is seamless, this is just one other means to come in to provide information some more in some way context than authentication information we have.
It's not breaking the process, it's not breaking the technology. It's if you do it right, add into the technology. So think about it, it's a super essential aspect here. The other thing is, and that is a bit more really to the future, this is and a bit more fussy, I have to admit that's all this web three and metaverse or metaverse thing.
So the question comes up, what what does it mean access to, to the web three in the metaverse? What is happening here? And I think there are two challenges.
So, or a couple of challenges, but two main challenges. The one is both web three and metaverse are rather blurry in their definition to phrase it friendly. And on on the other hand, we, we have a bit of an inside what, what, what AppStream means. It's using certain types of decentralized technologies like, like NFTs, like decentralized finance, like decentralized identities, et cetera. And the metaverse factually are then applications for around augmented reality or using avatars that that act for us, et cetera.
So there, there's some idea how this really will look like investor, we will have standard based metaverses that are really public or whether we have private proprietary, proprietary meta versus like the one meta is intending to build remains to be seen.
But surely we have, we have a lot of different technologies. The good thing is when we look at it from a security and access perspective, the easiest way to look at it is by deconstructing. So if you have a complex problem, make smaller, simpler problems out of it, look at how you can solve different areas.
And the common denominator, the common element is decentralized identity. So this comes in here in the axis and then we can go back into a sort of a unified security. We will face some, some really interesting challenges here that would be something for a way longer discussion. But thinking about identity relationships, which UI and seeing connect to which person, which digital to which physical identity. I think we need to find a totally different meaning for the digital twin.
Not as something which represents a machine in in software, but something which is really, I have my physical and my digital identity and this is so to speak my digital twin acting on my behalf. There are a lot of interesting things and there are many of these are or part of the solution, very central part of the solution is decentralized identity, which again is part of the future access management. So that were trust some thoughts as a part of my opening keynote, thank you very much for listening to me. I hope that gave you some, some ideas and I hand back to my tears.