KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Good afternoon, ladies and gentlemen, welcome to our cooking, a cold webinar, one it, one identity mastering the security challenge in the age of digital transformation, taking back control of your access management. This webinar is supported by IBM. The speakers today are me market equipping around the principle Analyst at and Brent and Richard of IBM. So before we start, let's have a quick look at some information about copy a call and at some housekeeping stuff and the agenda. And then we directly moving to topic.
So copy a call is an Analyst Analyst company providing enterprise it research twice services. Decisions are part networking for it. Professionals through our research services, advisors services and events. Our events include our top event, which is the European identity and cloud conference. It'll be held next time may tons to thirteens in Munich, 10 years of. So it's triple for us and definitely worse to attend some guidelines for the webinar. You are muted centrally, so you don't have to mute, run with yourself. We are controlling these features.
We will record the webinar and the podcast recording will be available latest tomorrow. And there will be a Q and a session at the end, but you can answer questions at any time using the question features and you go to webinar control panel, which you will find at the right side of your screen. I always propose such as that we, that you answer questions once, once you have them so that we have long list of questions for the Q and a session, then we can make it more interesting and focus on a variety of questions for the agenda today.
So I'll start and we'll talk about the changing requirements in this age of the transformation, and also about YX management essential for a company. I first more will present approaches on how you can handle that. And why on premise still is important here. And the second part in Brenda, Richard, we'll talk about IBM security access manager use cases, and also why there should be one access management and another of different access management solutions. Part three, as of status that the Q and a session at the end. So let's start with this picture.
I think what we really observed today is that everyone and everything become connected. We have far more connectivity and connections than ever before. So it's not only people accessing with their PC, some backend systems. It's people which use a variety of devices, which people who own or utilize a variety of things. We have things and devices being connected and communicating with each other. We have things providing information back to our organizations and devices as well.
So we have a very complex scenario where a variety of people and things are communicating with each other are connected with each other. And we have to understand how we can manage all the access of all these identities and also things about entities in this ever-changing world. So a while ago I created what I call the eight fundamentals for the digital transformation.
In fact, for the digital, for the security part of the digital transformation, one of this is the digital transformation effect every organization. So whether it's smartwatches used for activity tracking connected vehicles, smart homes, utilities, smart, Cris utilities, eBooks, old business right now already.
So to speak other part of the digital transformation, changing and existing business, literal music, changing the classical music industry, online retail, very established online payment established and manufacturing right now where we see with smart manufacturing, our industry for number of fundamental changes going on, and this is here to stay. So there are so many situations in the past where people said, oh, these things will disappear again. I don't believe that this happens with the digital transformation. We are far too far, too much ahead into the digital transformation.
It will not disappear. There might be changes. There might be new things, but in fact, it's here to stay. And so Kaiser, Wilhelm second from chairman said, I believe in the horse, the automobile automobile is trusted passing phenomenon. Maybe it will pass at some point of time, but not because of the horse Canon of deck. Once that there's no reason anyone would want the computer in their home. Yes. Maybe he's right. Most computers we have, we are already carrying around in the form of smartphones and watches and so on, but we also have computers at home with our TVs and so on.
Cinema's a little more than a fat child chaplain. Now. I'm not sure whether if this is really true television, won't be able to hold onto any market that captures after, after the first six months.
Also, the reality is different rock and roll will be gone by true 1955 or maybe 96, 5 56. No, it didn't disappear. So someone talking about the need of the telephone and the messenger voice, also wrong prediction or another drone, Kaiser, Kaiser will no one will pay good money to get from Berlin Potsdam, which is not far from each other. And one by train in one hour when he can ride his horse there in one day for free.
Okay, we have a lot of trains there. I rarely see horses in that region, particularly within the city of Berlin. So we have andous change products in our services, in our business models, our organization, our ecosystem. So this is really changing and this affects a lot of things.
We are, we, we have to handle around identity and access at the end of the day. So again, it's, that will come to this later. It's very much about identity and access management. There are some other fundamentals. There's also report explaining these fundamentals more in depth available. So it's more than just the internet of things. We need to change our organizations. And every one thing, and everyone become connected. The ones who have seen other presentations of me are probably familiar with this picture.
It's just the computing track cars, the cloud, social mobile, which already started changing a lot of things we are doing in it. What we, what we are having right now, what we are facing right now is sort of the next step. So beyond that, we, we really see that we have this connected world. I've had this picture before, where we also have a lot of communication, not only from a human to a system, but from devices and things with systems. So people use devices, people use things, and they communicate with the APIs through APIs, with services in the back end.
So this be could just, connectivity is something which is fundamental, which is changing a lot of stuff. Other things to look at when we look at the security and the transformation clearly is that there's security and safety, which is not a dichotomy, but which is something we need to understand the requirements of both. Particularly when we look at it from an information security perspective, there are other views. If your machine explodes or something like that, as the consequence will patched, then you failed in safety. So you have to look for both things.
Security also is clearly a risk, but it's also an opportunity. If you look at my block, you will find some more recent block posts, which look at security by design, enabling and privacy, by design, enabling the agility of organizations. My strong belief is if you do security right from the very beginning, then you are far more flexible when it comes to changes of regulation, changes of business models and all that other stuff. So I think there's a good reason for doing more security because it helps us in being more agile as an organization. And finally, that brings us to the identity.
Part of it, identity is to glue access controls, what you need. So a little bit longer ago, I created some other fundamentals, seven fundamentals for future identity and access management. And these are, we are talking about modern humans, something, our already touched the identities of things, devices, services, and apps. We will have multiple identity providers. So we will not manage all identities internally anymore, and trust will vary, but we will manage access to our resources ourselves. So we might trust a social login, but then we will decide about the access.
And this is the thing we really need to keep under control our access decision. We also will have more attribute providers. So information about, in fact, we already have to education information about our consumers is widely distributed distributed. If you look at where does it recite in eCommerce systems in the CRM in directories, et cetera, we have to deal with that. People will have multiple identities, but we need to understand how these are connected. So this is always Martin cooking or regardless of the social login or otherwise indication he's using.
We have to keep this under control to be able to provide Martin always the same level of access, depending on clearly on the risk of a source syndication, but it should be always access to Martin's data and services, multiple hours indicators. So there's no single indicator that works for all. We will have a variety of stronger syndication approaches over time built in into devices, etcetera, we must understand the relationships. So who owns a device and different device has a new owner. We have to understand that this ownership has changed.
If someone has a new smartphone, we need to understand, okay, right now he's using the other smartphone, cetera, cetera. And we need to understand context, identity and access risks vary in context. So if you have someone using an security device using an insecure wifi, then we should make different access decisions than when someone comes in through the corporate local network. Well secured with desktop piece PC, it's a different situation.
And anyway, all these things, I mean, we have more change, more devices, more types of logins, more directories, but we need to understand how can we manage access consistently not having a sprawl of access management solutions and consequence, access management policies, which become inconsistent. We need to do it consistent to pro also to write a good sort of experience to our customers. We need to do this as I've management for all types of identities, employees, business partners, customers, consumer services, devices, things far more than ever before.
And there shouldn't be a situation where we end up with an employee identity management with a business partner, identity management, with a device and sing identity management and one for the customers and consumers doesn't make sense at the end, all of these will interact with the same types of applications and there's no single application, which is only used by customers, all applications, which are used by your customers are also used to some degree by your employees and to manage access. You should have one solution which enables doing so we need to become adaptive.
So we need to understand what are risks. We, what is, what are, where do we have Analyst then? What is the context? And then by applying policies, controlling access to applications and services. So it's not that we, as, as I mentioned before, it's not that we say, okay, everyone has the same access regardless of how he comes in. This will vary adaptive access. We need to have one identity management already mentioned it. And customer identity management, operational technology, identity management, all this has to converge to one solution.
Everything needs to become identity aware in security. So with all these various persons and things and services, we need to understand who is using that, who owns this thing. Who's accessing the service who is accessing a service through is wife using an app. So all the security technologies have to be identity aware whether it are firewalls, whether it's endpoint security, identity management, identity, access governance, which is by design identity, aware what we call realtime security intelligence.
So the analytics of anomalies of changes, changing patterns, et cetera, realtime protection of threats, application security, and so on. So identity is the glue to control access in a consistent way. And just to look at, I do it quickly. And the second part, we look at this me detail. We have traditionally this outside world on the inside world. So the inside world where someone accesses fat client applications using his computer frequently is proprietary access to these applications.
Then the web applications came into play with web access, business partner, web applications, where Federation comes into play, but it's basically the same person and we need some control about it. And what we currently have is that we see frequently a lot of separate solutions for managing access to these different applications, even here. And then we, what we are currently facing is that this becomes even more complex.
So we have to integrate users outside, which come in based on their mobile devices, which then even might need to access existing client applications, where we can put some web access in front or where, where we can use virtualization. We have cloud services coming into play again with Federation. If you start managing all this with separate solutions, and we will end up with a, with inconsistent access policy, I already said it. We will have a situation where it's hard to, to really control access and consistent and that in a secure way.
And then the mobile devices come in as well, where we access sometimes with the browser, we web access, but sometimes also using APIs. So the app uses acts on behalf of the user, and then it uses APIs of the backend services. And we have to control this as well. So we have a multitude of different ways, how people, and we are not even talking about things here, people with various devices and future things are accessing a variety of services. And what we need to get under control is how can we match access?
In fact, consolidate and relate identities in this changing world. This is our big challenge we have to solve here. And I don't see that we end up with one solution for the employee to cloud services, another solution for, oh, we federate out to our business partners, one for oh mobile access. We are APIs. This should converge into something which is sort of a strategic platform for managing all is access. That might be technically seen. It might be a hybrid platform consisting of on-premise and, and the cloud elemented might be only on premise.
Certain circumstances might even be only, only cloud, but we have to understand that we need to one strategy for that. We need one approach, one consistent thinking for that, instead of doing a lot of point solutions, a lot of singular projects here, so where to do it, we can do it here. Federation, web access management, API gateways. We can do it here, or we can do it hybrid, whatever it takes. This is the second phase. The first phase is really understanding.
There should be one consistent approach for how do we handle identities in their access future single sign on maybe a last point to quickly attach. Basically all of these technologies relate back to identity providers or directories one or more so we can provide singles.
And on, based on that, all of these are in fact technologies helping us to, to provide the singles and on experience as well to our users. But we need to understand if we want to do this convenience for the user security, consistent policies, etcetera. And we have to think in one access management, which helps us serving all the emerging and changing requirements we are facing today with that I'm done with my partner and the hand over to Brent and Richard right now for his part. So Brandon, I would like you to present her and you can start with you part of the presentation.
Well, thank you, Martin. Thank you for that overview of where we are in identity and what my name's Brandon Richard, Richard, as Martin Martin mentioned. And I wanted to spend a few minutes, you know, kind of going a little bit further into access management. I think as we kind of look at the world today and you know, Martin just kind of talked about this was that when we go out and speak to customers, what we find is many times customers looked at the world and they started with enterprise applications and they often bought access management solution specifically for that.
Then they started to move things to the cloud and then they often ended up with a different access management solution for that. And then of course, everyone is starting to use SaaS applications, whether it be ServiceNow or Salesforce. And that often ended up in a Federation solution or another type of access management solution. And then as Martin was kind of saying is kind of go back in time, right? We really at the beginning focus just on our employees, right? Getting them access to internal applications.
But then we said to ourselves, really, we gotta do the same thing with partners and contractors. And then, you know, everybody is becoming a software provider of some consumer application, as Martin mentioned, right? Everything is gonna touch a customer at some point. And then of course, we've had all these different devices, you know, we've got our traditional notebooks and then we've got our mobile devices, whether those be our tablets, as well as our actual telephone. So as we kinda look out there is that we find that customers today have a lot of different access management solutions.
And when you have a lot of different access management solutions, you know, we like to think it ends to ends up in chaos. And what we mean by that is simply that it's very, very difficult to control access and ultimately be secure when you're trying to manage policy and access across so many different applications and so many different technologies. So one of the things that we did is we took a look at our, our solutions. And we said that, you know, we've made this a little too complicated as well. And we had different products for different use cases.
And customers really kind of came to us and said, you know, we don't necessarily want to deploy multiple products for all these different scenarios. So what we've tried to do is take all the functionality that you're gonna need from access management and put it in one single appliance appliance. And that includes all the things I have listed here. So if we think about maybe the most simple things, just basic single sign on and authentication, right?
That's usually where many people start, you know, that's our base application that, you know, you can install and get ready to go and use almost immediately. But then as we think about moving beyond that, we think about, you know, Federation and doing fine grand, a fine grain access. We've included those functionalities inside the application as well. And even getting to the point that we can actually do some things that are very sophisticated from a detection of different types of threats that I'll talk to in a few moments.
So as we go forward, you know, it's not so much that we think of access management, as you know, there's all these new things you need to do. We think of more about it as you have lots of different types of customers that you're serving, right?
Consumers, employees, and partners. You have lots of different applications, whether they be in the cloud or on premise. So we wanna make it possible for you to take all of that together and have one central place to manage access and policy. And lemme just talk about for a moment why that's important.
Of course, we wanna make it easier for the people that deploy the solutions. And of course we wanna make it easier for the people to log in, but ultimately, you know, at the end of the day, when we think about risk, we really think about security, right?
And if you think about how do I prevent people from getting inside of my corporation and doing something nefarious, something, some kind of hacks feeling types of data, and when you're managing multiple access points and multiple access management solutions, it's going to be probably impossible to make sure you're consistently enforcing policy for all these different people and all these different user bases from all these different locations. And so when we think about centralizing it, I always start with the idea here is that we're going to make your risk a lot lower, right?
That if you can protect everybody at one point, you're really gonna prevent lots of this other types of attacks from happening. So, you know, a lot of times we think about, Hey, you know, we're just gonna authenticate that user, but really it's about making sure that we have one central location to do that. Cause that's gonna make us a lot more secure and reduce our risk in the application.
So, you know, I'm just gonna talk about a couple use cases that, you know, people have asked us about in the most common ways that I think people today are thinking about access management. I think for the most part, people have a good handle on deploying access management and the providing single sign in their enterprise, right? That's a very common use case. What we'd like to see more people doing is really starting to federate from inside of their enterprise, out to those SaaS applications today.
You know, today when we go into most organizations, I would say, you know, maybe barely 50% of them are using their on-premise access management solution to actually federate out to Salesforce and you know, all the other popular SA applications out there, there. So with our solution is that one, you can take it, put it in your enterprise, two, it's already part of your enterprise solutions already deployed. And now when people start to actually go out and want to use new SA applications, whether that be box or Dropbox or SA, you can set up a Federation in a very quick and easy method, right?
It's not about deploying another product. It's not about deploying more and more software. It's essentially just configuring that Federation so that you can automatically sign in.
And this, those two things, right? One, it allows you to let your customers log to those applications, using the standard credentials and, and methods that they're used to using inside their enterprise.
And two, it starts to give you the control back on those SA applications so that when people leave or when people move around or, you know, you need to shut off access because, you know, maybe one of the popular SA applications has suddenly been compromised. You have one location to do that.
So, you know, I think if you're deploying access management today, or you think about rationalizing your access management platform, the first thing you want to do is start to combine your single sign on enterprise platform and then with your Federation capabilities. So that's sort of the starting point. And then the next place that I like to think about is, you know, we kind of call this, you know, risk aware. Sometimes people call it content based access. But if we think about how do we make ourselves more secure and Martin touched on this, right?
It's about being really, really smart about looking at how someone is authenticating and there's some really popular ways of doing that, right? Of course, we're gonna look at things like the time of day, the IP address, potentially the location and all of that is, you know, making yourself a lot smarter about looking at the parameters upon which someone is actually gonna use when they log in. But I want to go further.
I want, you know, suggest that we as a, a group can go much, much further. And if we think about access management and in our solution, right, you have the capability to go through and actually build out your own attributes in your own rules. So one classic example is banking, right?
You know, if someone's going to log in and they're going to do a transaction and they're gonna transfer, you know, $25 or 25 euros, you know, that's a pretty low risk transaction to the bank. And we can look at that. We can make that a parameter, how large is the balance of, or how large is the amount that's gonna happen in the transfer. But then if we go through and we do the same kind of thing, and we say, well, listen, if someone's gonna transfer, you know, maybe 5,000 us dollars or euros, right?
Suddenly that's gonna be an attribute that we can look at and say, you know, I do see that this person authenticated correctly, but because of what they're gonna do, I'm actually gonna force them to do some step up authentication. Maybe they have to do some type of second factor authentication, go to their phone, enter a one time password, because that's really a point where like, there's a lot of risk involved. And if we think about this is that, you know, financial applications is just one way of thinking about it.
I would say, you know, really every business today, when you think about, and you go through your application, there's always some sensitive, more interesting use case that probably requires, you know, a higher level of, of, of excuse me, of authentication. So for example, like, you know, changing the address, right?
But even in, you know, other business applications, if you want to think about, you know, stock trading is a popular example or signing up for new insurance policies, all of these things, right when we're in there and we're actually, you know, going through and, and, you know, kind of, you know, dealing with our sensitive applications or our sensitive data, that's a great opportunity to start to build custom attributes in there and building into your access management flow. The other thing that gives you is really a whole new degree of data protection, right?
I like, I like to think of it as if, if you know, generalize, you know, there's lots of different hackers out there, and lots of people are gonna attack, but if you've built in some really specific logic to your application, that's gonna, you know, force some step up authentication. That's gonna be much harder. It's not gonna be as widespread for a hacker attack.
It's not gonna be the typical thing that they see every day when they're attacking different websites, because, you know, what's important to you in your type of business, but, you know, potentially those, those hackers and people that willing attack you, they're not gonna know that business as well. So you really provide yourself a whole bunch more security by stepping up and building custom attributes.
So, and something that we think is really, really important. The other thing is we have some great integration with trust here. It's another product here from IBM. And what it actually allows you to do is not only when you connect and authenticate, it will actually allow you to look at that mobile device and see if that mobile device potentially has been compromised, if there's any mail wear running on that. So it's a whole nother level. I always think about, you know, authentication is really kind of this dance between the provider and the user.
And, you know, we wanna think to ourselves like, how do we make it easier for the users? How much of this work can we do for them? So we don't have to ask them all these questions. So for example, if I can detect that their phone is, you know, potentially been contaminated for some malware, I can, you know, shut off that transaction. And then ultimately they would, you know, let 'em know to give a call and we can tell them, Hey, Kay, we've detected some problems on your phone. You may need to go ahead and, and wipe that phone or get a new one and get that malware off.
And, and we think about that if we could do more of that intelligent testing for the users, that means when we actually have to ask them to do step up authentication or do more, it's a much simpler process. And then, you know, mobile, I just wanted to spend a few minutes, you know, talking about mobile specifically, right?
As it's, you know, probably the most important use case going forward. It feels like everybody is building mobile apps today. And when we think about productivity, right, I think we've all experienced that moment on our, our mobile phone where, you know, we're, we're typing in our username and then, you know, it can be difficult to type in the, especially if we're using, you know, good, strong passwords, it's difficult to type them in on the mobile device.
So, you know, we think about this the same way is that we don't want to make users authenticate over and over again. And we've got, you know, our mobile first protect platform that essentially allows you to integrate so that you can have applications authenticate, authenticate to one location. So think about it as once I've logged in to the mobile first platform, essentially don't have to log it in again for any applications that support mobile first.
So if we think about trying to make our life easier for the users, just like, you know, we, we give them authentication that's, that can be strong, but we only make them do it one time for all those mobile apps that are mobile first enabled. And then of course, you know, we can use that same type of flow for our IAM, our IBM security access manager appliance. So we have the same ability to come through and provide single sign on, into our authentication or into our enterprise applications, as well as our staff based applications.
So if you think about, you know, removing productivity, right, this can be a huge win. And I think, you know, like I said, you know, on my own personal experience, maybe much like yours is the less that I have to enter passwords on my mobile device. The more that I end up using that application. So those are some of the things that we think about around our access management solution.
The other thing I wanna spend a few minutes on is just kind of thinking about, you know, two specific use cases like, you know, I talked about risk based access and we have a large bank that uses us, you know, one of many financial institutions that, you know, does this access management kind of uses that use case that I mentioned before about going through and checking for the account transfer limits as part of their access management and, you know, that's one great use case.
The other use case that we get a lot of questions about, and we know that everybody today is building some type of consumer facing application. And I think one misnomer out there is that when you go out and you deploy a new consumer facing application, that you have to go out and buy an entirely new access management solution, somehow that, that, that, that use case is completely new and requires its own software. And that's absolutely not the case.
You know, so one example that we have here in the United States is we have a large state agency that's providing some services to their, to the citizens, if you will, of that state. And they have over 10 million users and they're using, you know, our access management solution to do that, just like the, our, our enterprise users use it to do that.
So, you know, really at IBM, we really think about that. Like, Hey, we've addressed, you know, kind of the enterprise use cases, the, the cloud and Federation use cases and the high scale consumer applications, all in one solution. So when you're out there and you're thinking about, you know, deploying it, I would, you know, urge you, you know, of course we want you to talk to us. IBM.
You know, we certainly are the type of corporation that has experience working with higher, large hybrid environments. But regardless of that, I would tell you, you only want one access management solution and it needs to do all of these things, and it absolutely needs to grow with your enterprise. So if you're, you know, starting as a small company, but you hope to build an application, that's gonna have have millions of users. You definitely need a solution that's going to, to move up.
Cause like I said before, as soon as you start to have multiple access management solutions, you're gonna have a lot of complexity and you're gonna introduce a lot of risk into your organization. So I've hit on most of this today, you know, just wanted you to know, again, we just released the new version of IBM security access managers available today. It's delivered as both a virtual and physical appliance. It's got all the capabilities that, you know, we think you need to make yourself really secure to solve those enterprise use cases, as well as those consumer use cases.
So we'd certainly invite you if you're interested to, to let us know contact us and we'd be happy to talk to you more about it. So with that Martin, I think, you know, we've covered the prepared remarks and it'd be great if we can open it up for questions. Okay.
Thank you, Brent. A lot of information and condensed presentation, very valuable. So it's time for everyone right now to enter the questions he has and hope that we receive a good number of questions.
Let, let me start with, with one question, which I found very important today. So you stressed the top topic of risk and context based authentication. And this is something which is around for quite a long time in the finance industry, particularly in banking, but you don't see it much in other industries so far. So the point is how do you see adoption in industries, outside of the finance industry?
So I'm, so we are following at we're following these topics for many years. I think we had six, seven years ago, we had had a keynote on risk and context based on the indication at our conference, even, even back then. And I always said, there's a huge potential for that for all industries. And I see that there's increasing correction, but maybe you can tell from, from the IBM perspective, whether other industries are really starting right now to adopt this approach, which I think is mandatory for everything we do in the future. Yeah.
I think, you know, it's not surprising, you know, the things obviously start with finance and I think, you know, we've covered the banking stuff quite a bit, but then, you know, as, as we kind of get more into it, you know, insurance typically follows that in healthcare are sort of the, the most common places that you start to see people looking at, how can we build in some custom attributes and do you know, more types of authentication?
And the other thing, you know, this may be less relevant to our European audience, but, you know, I'm sure we have at least a few people from the us on, I just wanted to one, you know, interesting that's happening here in the United States is there's this movement to allow people to do like daily fantasy gambling, which is like a big deal here in the United States. It's very popular with American football, but you know, there's this big controversy now, right?
And I just use this as another example that some of the people in these competing sites were actually playing the games on their competitor sites with sort of potentially having some advantages. Right. And I kind of use that as an example around access management around, you know, for that business, if they don't prove to regulators and really to the general public that they're not letting people play with inside information, not letting their competitors come onto their site and then use specific information that business not is not gonna exist.
So I think about that was a great example of like authentication, right? Like looking at things like, well, have you asked this person if they are an employee of a competing site or are you blocking people from logging in, from the site, from their competitors? And you know, it's a good example of starting to think about that. We often think about sometimes it's just bus risk of losing data, but also too, it's sometimes you wanna think about business risk, right? If you don't, aren't showing your users that like, absolutely these are the people that are allowed to access this site.
And only these people are allowed to use this site. You know, you really put your entire business at risk. So next case, you know, this is like draft Kings and Fandel for people that know the names, but you know, those businesses are super profitable and highly and are growing at these tremendous rates.
But, you know, they could go outta business pretty quick. If the government steps in and says, you know, you can't enforce the policies you can't control, who's accessing this site. So we don't think of access management as actually maybe introducing systemic business risk. But that's just one example of like, thinking about it that way, thinking about, it's not just about protecting it, it's not just about passwords. Right. But it's about making sure your business is absolutely providing the value to the customers that they expect. Yeah.
I, I think one of the areas in I touch is that we, we also need to start integrating. So as we need to do so things we need to understand that there's a lot of identity related information available or available already, which we need to make accessible for these systems. So we need to have a better understanding of the, sort of the, the identity, which might consist of attributes for a variety of sources.
And, and if you look at let's, let's just take changes in the finals industry. At the end of the day, we have to balance sort of when we have less PR cetera, we have still to provide a personalized experience. So people need to have access to, to the view of the customer in a combined way, meeting the regulatory requirements, meeting the privacy requirements. But anyway, having more integration, I think this balance is one of the, the perfect examples where we need to move ahead and, and where we can really provide business value.
And in fact, enable business by doing anti and access management better than we did in the past. Absolutely. Absolutely agree with that. So let's look at another aspect from, from, from the questions scalability. So when we look at historically the employees it's rather straightforward. So even IBM is a pretty big organization, has a, has included us only a few hundred thousand employees.
When, when we look at consumers, we dealing with far larger amounts of identities. And if we think about things, it might even multiply again. So how to scale two such large amounts of identities under related access?
Yeah, I think this is, you know, really probably the number one question and the number one thing that is on the minds of, of most clients today, right? Is that customers are out there, you know, they're building things for their employees, but all of them, as we've talked about as Martin, as you mentioned as well, all of them are starting to build some type of consumer facing application that needs access management. That's going to need that.
And, you know, like I said, like, as I think I've reiterated my presentation several times, it's absolutely, you know, to me, it's the number one mistake is to start to build a separate infrastructure, to deal with, you know, different types of, of populations. That's really gonna introduce a lot of risks in your organization. So here at IBM, like, you know, we do have one advantages we've had is we have dealt with some of the world's largest telcos telecommunication providers for a long period of time.
And of course, as we all know, you know, there are several billion cell phones on earth or mobile phones. And, you know, we have been dealing with that question of scalability for, you know, carrier class and carrier users for a long period of time.
So as, as I, you know, as we go forward, I always tell like, just as I said in my presentation that, you know, IBM can absolutely scale up to you your needs. And we've got some very large examples to prove that, but regardless of what you decide, do not start buying different access management solutions to solve these different problems. You're gonna end up in a big mess and then, you know, three or four years down the road, right. You're gonna have to kind of step back and rationalize it all.
So I think it's a big, you know, disservice when people think to themselves like, oh, this, this application maybe came from the enterprise world. And I think of this other thing as consumer, right. It's really not, it needs to be the same thing. So we've got the scalability to do it. And certainly we would love to talk to customers that are interested in, you know, hearing more about that. Yeah. But on the other hand, aren't these different use cases don't they require, let's say sometimes fundamentally different access policies.
And if you have so many different access policies, isn't there a risk of ending up with a two complex policy framework. If you put all, all the X in one basket, so to speak. Yeah.
I mean, mean, I, I think you, that's a question that certainly comes up. I kinda look at it almost opposite as like, you know, anytime you have like something that becomes incredibly complicated, it's gonna be very difficult to manage. So moving this out into like different silos, right.
Is when, when things, people stop communicating, right. They don't talk about it. And then you kind of have different access management policies going in different places. I think keeping it in one location. And I think this is, you know, where you do kind of have to get into the product details to kind of see this work and effectively, but we believe you can absolutely do that.
We've, you know, built out the management framework that allows you to, if you will manage it all from one location, but at the same time, keep it simple while not sacrificing the scalability. So there is a little bit of like, you need to see that and we need to prove that to you rather than me just say it, but it is probably one of the hardest things to get. Right. And that's what, you know, we've spent a lot of time here at IBM working specifically on that. Okay.
So, so what you're saying is basically the complexity of running a variety of access management solutions is far higher than the complexity of managing access policies for a variety of use cases in a single place. Absolutely.
And I, you know, another thing too, is I don't ever wanna come across. Like it is always, it's always a hard problem. I don't want, you know, it's not that we ever take away that it's, it's something that's hard, but if again, doing it in multiple locations, I think makes it quite a bit more difficult.
So we're, you know, we clearly see it as one solution. One appliance is the way to go. Okay. So still time for the audience to enter questions so that we can look at some of the other aspects here. So let's wait for the next question to come up. What about context factors? So what do you support here? Yeah. Yeah. We support the, the ones I think most people, I think it's, I'm trying to get 'em all right here.
It's like, you know, the IP address, the time of day geographic location, I think I've got the device type device that you're coming in on. All of those things are, you know, built into the actual service as well. We also support through our integration with trust here, the device fingerprint, as I mentioned. So we can actually look at what device you're coming in on and then does it potentially have any type of malware on there? So those are the ones that I think are all built in to the, you know, out of the box, if you will.
And then, like I said, in, in my presentation, I do think the, the, the more interesting part or the part that really starts to up your security quite a bit is the ability to start to define your own group attributes. And I always think, you know, the, the place to start with that is when, you know, in involving your development community, as part of the access management process, when you build new applications, looking at your application and saying, where are the most sensitive parts, and then sitting down with the developers and figuring out, well, what about the application?
What are the types of custom attributes we could build into the application to really start to check when someone authenticates? So that's another way to think of it. Okay. So it looked like we don't have further questions at that point. So I think it's time to end the webinar.
Brent, thank you very much for your presentation on the answers. Thank you to all the attendees for participating in this. Copy a call webinar, hope to see you soon. And one of the other call events and hope to see you in MUN at the European identity conference 2016 next year in may. Thank you. Thank you.
