Morning. Morning. Good morning. Are you there?
Okay, cool. Yeah, happy to. So there are so many people coming here so early in the morning and listening to our Siemens story of external identity business. I think I don't need to talk too much about Siemens. Everybody knows Siemens, maybe here in Europe. For those who don't, or for those who think, wish, or believe that we are building washing machines and dishwashers, you should go to a keynote of the CES 2024 in Las Vegas this year, beginning of this year. There was a great keynote.
It's recorded on YouTube, and our CEO, Roland Busch, and Cedric Neike were doing a fantastic presentation of Siemens that's really worth watching, which describes perfectly what Siemens does. Now coming to identity. Before we go into the details of our external identity business, I'd like to start with some general identity things.
My name is Thomas. I'm responsible for identity at Siemens. My colleague and friend Andrea DEA is the guy when it comes to external identity business, and I'm going to hand over to him in some minutes.
Let me start with a quote of our properties, Natalia Oropeza, who was mentioning this some time ago, and I wanna focus on the bold statements here on cloud, on security and enabler for productivity. I'm now working with Siemens for 27 years and I still remember, as we started our cloud journey, cloud was always considered to be insecure. You might want to use that for some test data, but nothing more. And that has dramatically changed. We believe in cloud security.
We believe in cloud being an enabler for security. In the past, and I see some folks here from Siemens, from cybersecurity, it would have been unbelievable that we do something like password hashing to the cloud or something like this. Not believable. Now it dramatically changed, exactly the other way around.
I wanna talk some few minutes about our identity strategy. As I just said, also on identity, we are putting a hundred percent of our energy into cloud, movement to cloud, and as a consequence, obviously also trying to get rid of our on-premise footprint in identity.
I come to that in a second. What that means for our internal workforce identity portion, which is quite substantial.
With 320,000 employees, we are focusing on Microsoft, but that should not be the focus of today's talk. We wanna talk about external identity, and here we went some few years ago, or started going, with Auth0, now being acquired by Okta. So that's why Okta. Bring your own identity is also one of the key pillars. We don't wanna host necessarily all our externals in our internal systems for various reasons. Obviously this is quite expensive.
This is effort, and it's much more, or we believe it's much more, secure to use those identities coming from there instead of just hosting this in our own systems. And last but not least, this is also close to my heart as I'm one of the three program managers of our zero trust program. We want to make all of that what we are doing zero trust ready, zero trust compliant, you name it, which is also, especially in the external identity space, quite interesting, and we are going to talk about that in some few minutes.
This is my last slide before I hand over to Andre, because I want to give you a little bit of history, what we have done in the past few years. We started already in 2014, 2013, where, honestly speaking, we had a quite messed up on-premise Active Directory that was not really considered to be very secure. We built it up completely fresh, new, we consolidated everything; it was a huge effort.
Everybody told us you're going to re our company, but finally we made it, and this consolidation activity more or less brought us to be ready for the cloud, otherwise we wouldn't have achieved that. Then right after, or not too long after, we also started with our external identity business. At this time there were different systems isolated from each other. This was the first time, 2018, where we started with a centralized, Auth0-based external identity provider. Then the whole internal workforce cloud journey started with Microsoft Office 365, et cetera.
We then finally came to the conclusion that we need to upgrade a little bit our licenses. Finally, we had a companywide E5 license, and right after all of that we started with our zero trust program. So we are running this for the fourth year already, and that would be a talk of its own, what we are doing with zero trust here. What is the temperature?
Yeah. And then talking about some few seconds more about external identities.
We are now ahead of, or right before, moving our Auth0 Okta system to the private cloud, and we are more and more reducing our footprint when it comes to on-premise identity. Having said this, I'm happy to hand over to Andre.
Hi everyone. The guy, as it was just said, of our customer business. Let's keep it not like that, but yes, so thank you. Effectively, as you've seen in some of the other slides, we've been very creative with the name of our external facing IDP. It's called Siemens ID.
It's the usual thing, and it basically, it's that, it's the login page, the entry point for all of our customers and business partners. We used to have, as Thomas mentioned, every business unit, every application owner, everyone at the company can have their own identity provider, their own way to handle identity. And roughly six years ago, seven years ago, we decided, okay, this doesn't make a lot of sense. Let's try to bring everyone together. Let's try to have a unique identity for everyone.
And especially a very clear, unique experience for everyone coming in, because it makes no sense for a customer that needs to access completely different products to have to register differently, to have to handle multiple passwords, multiple IDs.
It makes no sense. We hear this a lot in a lot of sessions. We hear this on the floor.
Everyone is talking about this. We've been working on this for the past six years roughly, and we finally managed to actually get it deployed to the whole company and work. Now on the actual topic of the title of the presentation, here are the numbers on the right. This is what we mean by a lean team. So we had three team members for the past six years, and we've been handling 2.2 million identities, which is not too much if you consider B2C, but if you think about business to business, then it changes a little bit the dynamics.
Then the most interesting part is the 500 plus tenants and the 6,000 applications because these are all our internal customers. We're not talking about whoever's outside, we're talking about our business units, our application owners, and everyone that's doing something that needs authentication at the company.
By the way, I don't think we mentioned this, but this is explicitly about authentication. We have some authorization behind the system, but not too much.
The focus is really on that authentication experience. On the right, or on the left side, you actually have our main structure of the solution. So as Thomas mentioned, we are using the Customer Identity Cloud from Okta, formerly Auth0. And we just basically, for all of our requirements, we align on this structure to support this, let's say, diverse universe of applications with such a small team. Effectively what we are doing is we are delegating to our application owners a lot of responsibility.
We did a very long exercise, internal exercise on what must we control centrally versus what the applications can actually own. And what you see there in that screen is when you see the main tenant, that's what we control.
It's the de facto IDP where all identities reside, where the login page, the branding, everything is structured, where all of the policies that we need to enforce exist, and then we simply create what we call subtenants. It's effectively another IDP, it's another instance that we provide to application owners where they control that side of the story.
But we set up classic federation between that subtenant and our main tenant, and then they configure and control the app configuration at the subtenant level. This basically frees us from a lot of the work because they do the application configuration; they come to us if they have an issue with the classic configurations, but for the most part they do end user management.
They do all of that because, as they also have their access management inside of their applications, it makes no sense for us to try to triage requests coming in when the issue might be completely unrelated to us and completely at the application level.
So they have first level, second level, and if there is an issue with the actual integration, the actual login of the person, then they come to us and we support them there. This hasn't been easy, and if you take nothing out of this presentation or out of our story, I think this is the most important slide.
It's all of the topics that you see here. They look simple, deceptively simple, everyone talks about this, but the big issue is simple does not mean easy. And this is what allows us, or allowed us, to actually go forward with basically a big identity project at the company that was disruptive, but that we managed to do with a relatively small team.
So by the way, on the technical specificities of how the small team managed to do it, we can talk about later if you guys wanna reach out, we can talk about the technical details, but this, we're looking more at the process behind it.
And maybe it's worth mentioning also, if you compare workforce identity and our internal customers, which we have, and customer identity, I think the knowledge level and the things, how it's working here and there, are also a bit different.
My perception is that our external customer business, internal colleagues who are owning these applications, who are integrating these applications, who are managing finally these tenants, they tend to be a little bit more technical than the workforce part, where it's about, I don't know, we purchased some application which is useful and needed for our internal people. We had some partners, so let's integrate it in Entra ID, have no clue about identity, but somehow we are gonna manage it. So it's a little bit different.
Yeah,
Community, that's, we've done two things. One, we were lucky that our first adopters or early adopters of the product, of the service, that came from the internal teams came from the product teams that are very technical. So we have teams developing APIs that they sell to do material engineering calculations. So they are really technically advanced; they don't want to worry about identity, but they are technically advanced.
So it was relatively easy to integrate them and to support them only when they had an issue with OIDC somewhere, one corner case somewhere, we could support them there. That's not necessarily the case for our internal user base, but for our workforce. So from here, I guess this is across all projects, but specifically for identity projects that will mess up your existing processes. Management buy-in: if you don't have your management backing, you won't be able to release a proper, you won't be able to shift your identity strategy internally.
That has been one of the biggest things. How we can actually do it with a small team is you work very closely with your customers, and by customers here I mean your colleagues, your applications. You need to have that close relationship to them. What do they feel? What are their problems? And to keep those communication channels open, not just when you start the project phase of whatever service you're deploying, but then when you go into a running service, you need to always keep that open and running. You should deliver fast, reliably and optimize all processes.
And this goes hand in hand. So to do the configurations that we do with 500 plus tenants and everything, so configuration as code everywhere. I know this is all a couple of years back, now it's the decentralized identity discussion, but this is still, for a company like us, we don't move that fast.
We just like to keep going. So all of these, the standard approaches to making sure code is deployed consistently. You can easily roll back, you can easily do changes, you optimize everything. So there's no more just playing around with things.
So you have to follow proper processes. You should have, and this is also a hard one, you should find good people to work for you. So normally we try to look at the hyper specialized ones, of course, but the issue, especially with smaller teams, so if you are resource constrained, at least try to get a team that works with a broad spectrum in the technology space so you can have anyone do anything. This is more like a, it looks like a startup pitch, but it's not. So even big companies have to do something like this a lot of times.
So keep that in mind. Then clear responsibility. So that goes back to the slide on that distinction between what we manage versus what our application owners manage. This is hard to do, even for you as an identity team or governance team, depending on where you are. So you need to really clearly define, okay, I need to worry about this. I can give you control over that if I have some oversight, if I have something.
And then you can find a good place to work together with them without overtaxing your team and without overtaxing theirs, but giving them the freedom to do whatever they want, or they need actually. And then the last one, we should say this, it's choose a great partner. You need to find a vendor that offers most of what you want. Let's be clear, as much as everyone in the stands says, ah, it's just a drop-in, you can put it in, it works, it's going to work.
It's not. You'll have to work on top of it. You'll have to build something. You have your real business needs that don't map to what they're offering. So you just find someone that offers you the largest coverage over what you need and then also the largest opportunity to grow with you, so that you go in the direction that you need and they also grow as a partner.
We've done that with Okta.
Before we come to the upcoming activities, a quick additional remark on management buy-in: our zero trust program, where we have now done substantial investments for the last four years, obviously also brought a lot of attention and governance and management buy-in in the complete identity space. So we would not have been able to execute on our identity strategy without our zero trust program, to be very clear.
So it gave us, on the one hand, lots of budget, on the one hand, lots of attention, on the other hand also lots of pressure in our team to get things done in time and ready in time and as fast as possible. But that helped us a lot. Definitely.
You can start,
Yeah, I mean phishing-resistant MFA, everybody's talking about it, well,
It should be old news, but it's not.
We did already some substantial improvements on the workforce side, but what we are still struggling with, to be honest, and if anybody has ideas, maybe we can share them later on.
Phishing-resistant MFA governance and enforcement on the customer side becomes sometimes not so easy, because again, as Andrea explained, we have our internal business units. They obviously want to sell products. They might not have the full visibility on identity security. We from the identity side: hey, you need to get rid of SMS. This is not secure anymore. So the first thing what you hear from them: never touch my system here. We wanna get everybody onboarded who wants to get onboarded, and if this guy just has an SMS text message phone number, don't touch it.
Interesting discussions. Nevertheless, we are working on that. And sorry.
As a follow up to that. So passkeys, it's all the rage now. We are currently running a couple of POCs internally and with some of our business contexts to see how this may improve a lot of the issues that we've been having where we tried to do away with SMS MFA and all of those things. So this looks like it might be the way. We still find some rough edges, so we'll see how that's going to evolve.
Data residency. Interesting topic.
If you, if you think about what I just told you in the very beginning, we are cloud, cloud strategy. What's one of the attributes of cloud for sure. You have various distributed systems, let's say, of all of those cloud providers, is it AWS this is Azure, whatever. However you want to keep in theory identity as centralized as possible. You don't want to have, I don't know, lots of different systems in all over the place, but this is exactly what's currently happening and where we are in, in, in, in tough discussions.
So the one says I want to have my isolated system definitely in the US because I have customer obligations on the one hand or legal requirements on the other hand, and we just recently heard from somebody, I want to have my IDP in Australia, not to mention China. How do we run on the one hand cloud identity, cloud identity security, and at the same time also have all kind of different isolated solutions, which idiot e not even are really separated in the various locations without any communication to the outside world.
I heard that in fact specific for, for China, we want to have a system still using Siemens. Id kind of, but no communication to everywhere else. So as in case of, I mean our China business is quite large, we want, we don't want to endanger this and whatever politically happens, we want to ensure that this continues, which is kind of a contradiction to to to centralizing identity systems,
Decentralized IDs. It's actually on one of the slides just to keep up with the team.
So we normally, so we are a classic IDP in the sense, so we do with our business partners, it's bring your own IDP to us. So classic federations, that's what we have been doing. We are now looking into decentralized IDs, and more in the sense of how is this going to change our approach to how our other partners come in and talk to us. It's been less on how the users, the end users themselves, come in.
But, okay, I'll put the other one quickly, but basically we're just looking at the topic as a whole. We are not doing any implementations or any looking deeply at any implementations yet. It's more like how do we prepare for what's, what's coming.
Last thing, just to think about: how do you do zero trust, specifically device trust, device compliance information, with external customer business?
If, if anyone has a solution for that, please approach us
Solution. So yeah,
Okay, then let's talk afterwards. Cool.
Sorry to rush you, but you've generated quite a lot of interest. Thanks guys for the questions and for voting. It's really important to participate.
Also, you guys and girls online, please do participate. Give us your questions. We've got quite a few, we're not gonna get through all of them, but if you could keep the answers as brief as possible. The one that's got the most votes is: how do you maintain consistent configuration across tenants? Aren't you worried about their security if their management is purely on application teams?
It's not purely on application teams. So we have a central set of configurations that we deploy to those subtenants. We still have admin in all of the subtenants.
So we are deploying a central set of configurations to them, and we are basically monitoring every action that they take with our logging, log analysis. And we see if they touch a configuration that they shouldn't touch, we get a warning, we get a trigger. Of course you can still argue, oh, but they can remove those checks. Yes. And we can put them in again, which is what we do every single day and what we check every single day.
Okay. Next question. Did you find challenges in B2B self-registration when they use social logins to help identify the company they belong to?
Yes.
Okay.
Yes,
I gather there's a whole discussion around that.
Please reach out.
Okay. And how do you maintain consistent?
Sorry, we've had that one. Yeah.
Oh, well I guess so. You know where to find these guys? Yes. You've got a stand. Please catch up with them.
Great, great participation. Thanks very much.
Thank you. Thank you.