So I'll talk a bit about identity security, its role for succeeding in the digital journey. I think this is not far away from the theme that was originally in the agenda, which was around the digital journey and doing it secure and dealing with a ton of identities, et cetera. So what I'd like to do, I'd like to talk a bit about why we need both identity and security in the digital journey. I'd like to talk a bit about why identity is so essential for security, and I'd like to talk a bit about where identity belongs based on that in an organization.
So who should be in charge for identities? This will be basically the things I'll do, and I wanna start with the need for speed. I've called it so: smooth customer journeys. And so when we look at the digital journey, and this is a slide I created a while back for another keynote, but I think it fits very well here.
When we look at this, then at the end of the day, it means we as organizations need to adapt to a changing competition, to a changing environment. We need to look at our business models, which for many organizations already have changed fundamentally.
Others, sometimes driving organizations out of business, others succeeding with being more agile, having the better business models. It's about new types of products.
It's, it's statistically about other shifting more to services. So usually it's more product plus service than just a product. Things are changing and, and we have a different type of competition. So competition is changing.
So who would've thought maybe 15 years ago that Tesla might become a real challenger for the German automotive industry? Interestingly, Daimler once had 10% of the shares of Tesla and sold them way too early.
Maybe not the smartest move of their CEO ever at that time. But anyway, we have a different competitive situation. And the differentiation comes through digital services. I think this is also very clear at the end, competition plays more and more on the digital end instead of, so to speak, pure hardware and things like that.
And this is also where the intellectual property is, where the unique selling proposition comes from. By the right type of services, by making these things convenient, et cetera. So when I take my cycling or hiking, so when I look at my watch, then at the end of the day, the value comes from that. There's a good app around which tells me afterwards what I did, which I can share and all these things.
So it's not just a product anymore, it's really all, and just saying having a watch which tells, oh, your pulse is too high or something like that, it's not sufficient anymore.
And so that is the differentiation. And then we come to the delivery. So because if we don't deliver successfully, we are in trouble. Delivery is super essential. And there are a couple of elements in that.
So, so we need to be agile, we need to be also always on. But the agile part is a very important one. We need to, to develop fast, to move fast, to adapt to changes rapidly to be innovative. And I think it's, it's no surprise when, when you look at a lot of companies that many of these traditional manufacturers in Germany and all these areas today are primarily looking for what? For software people, for software developers, for architects, et cetera. And for security people, by the way, I'll come to this in a minute. So we need to develop, we need to deliver, we need to operate these things.
So this is essential. So when your, whatever, online retail business is off for a couple of hours, it just costs you money. That means that, sort of, your belt in the factory is stopping. And everyone who has been in a manufacturing organization at some point in his life, working for them or advising them, knows the worst thing is when production stops. That is what really costs money. So if SAP is out, or whatever, SAP HR is out for three hours, who cares?
Okay, if you are HR people, but at the end you don't need to care much about it. But if your production stops for three hours, you've lost money. If your e-commerce stops for three hours, you're losing money. So this is the point where we really need to be aware, which is, by the way, an interesting point. It's very interesting to run a business impact analysis.
Who of you has run a business impact analysis in this organization or or organization so far?
Oh, a little too few too. Not enough.
Hands up, do it. You will learn a lot of things about where the real damage comes from. So for instance, if you have an automated log of stock where you have all the stuff, the material, then an automated system, chaotically distributed. If this system stops, nothing works because you just don't get the parts anymore out of it. So these are the things that you need to understand, and we need to be good for all the digital stuff we do. And then there's the identity. And finally I come to identity and security.
That's the identity and security part of it. So we need to do it secure. That's about customer trust, consumer trust or citizen trust.
Also be the citizen. It's not only businesses, it's also the state, the governmental agencies. It's about customer journeys. So we need smooth customer journeys. I think every one of us knows this. You're saying, okay, I need that, or that or that. And then you say, oh, this is maybe I, I really want to support a smaller retailer. Now go there. And then I'm so annoyed by the entire procedure that I say, okay, let's go to Amazon again, or something like that.
And so this must work well, this must work. Smooth customer journeys. Dealing well with digital identities is essential.
And that's something I'll talk about on the next slide a bit more in detail. It's also essential for security. And as I've said, we need to do all these things secure. Oh, whatever, this company Marriott, whoever, lost millions of customer data records.
That's not the press you want. It's not the news that you want to hear about your organization. And this is a challenge. We need to be good here because this is the foundation for success. This is the foundation for succeeding and for differentiating in the competition.
So digital experience, at the end of the day, very quickly has to do with digital identity. It may start a bit earlier because you may look for certain things and I say, oh, I found some cool stuff. But then the identity comes into play, the checkout process comes into play. Okay. You may just say pay with PayPal. And a lot of things are done so you can do it a bit smarter sometimes. But at the end of the day, it's a thing.
And identity security done right, improves the digital experience and done wrong, it may kill your digital success.
So you need to be good in that. And it's what I think is very important for identity, and I'll touch this again in a couple of minutes. It's that we are, in this case, we are talking about business enablement, which is very different from what we mostly do.
Oh, we need some identity management, access governance for regulatory compliance. That is attractive to the ones with the money, saying, hey, we help you succeeding on your digital journey. So the second point, and this is why I believe identity and security are really very close to each other. So there are things in identity that are less about security, but to a certain extent they have to do with it. A good customer journey probably is more in the identity and on the customer experience side, but it also needs to be secure, otherwise it's not a good journey.
On the other hand, there are things in security like network detection and response that, oh, they have to do with identity because, at the end of the day, we need to map it to who is sending these packages, what is happening on the network. But it's probably things that are closer to identity and closer to security and some which are really somewhere in between. And when we look at zero trust, and I know it's a bit of a boring term these days, but at the end of the day, I still believe it's a very valuable concept for security.
So don't trust, always verify, multi-layered security, the things that are behind zero trust. And for me, zero trust, and this is a slide I've used in various incarnations over the time, starts with identity. It's about Martin, who authenticates using his device.
Then this goes over a network to a system where applications are, or system and applications in one, like a SaaS service. And then I access some data and all this is done using software, but it starts with the identity. It starts with me authenticating. This is the journey.
And that means when we look at it from an attack perspective, we're talking about identity-based attacks. And when you look at all these different types of statistics and surveys, the majority of attacks are identity related. They start with identity. It's about obtaining control over an identity to do harmful things. It's then placing the malware, some lateral movement. So more access to more identities, ideally infecting other systems, gaining access.
Access, hey identity and access management. Again, it's about something which is very identity related.
Yeah, we have maybe stealing data spreading versus software in a software supply chain type of attacks.
But at the end of the day, what we see is identity is a very central element when we look at security. Because this is where many, many attacks start. Not all, but many. So mostly with identities, and spread from there. And that means we definitely must think of identity and security as something which is very close to each other, which is very closely linked, which is intertwined. And this is what we need to do.
If we don't do that, then we will need to be good in identity and in security. And that, I think, also becomes clear when we look a bit at the history of identity management and the shifting responsibility.
So when I create a little bit of a journey here, and yeah, some CSOs here, maybe starting with that.
So to the CSO, but beyond the CSO, that's an interesting question. Who should be in charge of identity? I'll talk about this then even more on the following slide. So identity management is no longer really just identity and access management.
There's the term of digital identity. And I think we need to be clear that digital identity is something which has to do with identity and access management, but which is also in some areas very different from it. It's about, for instance, having a wallet for EU citizens that hopefully works seamlessly in the global world and not only in the EU.
That is an interesting point. And we have a couple of sessions around that as well.
So hopefully the hardliners don't succeed, but the people who make a very usable solution. So probably some more people hate me now for this, but that's fine with me. So we need to think about it. And where did we start? We started with administration. So I'm long enough around, so when being asked about when did I start with identity and access management, I tend to say this was around 89, 90, 90. So it was early NetWare and Microsoft LAN Manager and Banyan VINES even and things like that.
So a few in the room may know the systems still from the past, probably a lot of you haven't even been born back then. And so I started early, and then at some point something, at the end, it wasn't even called identity management or identity and access management.
At the beginning there were some directories and then meta directories. And the purpose was really to manage and synchronize data. So we had data in a directory. There was something like X.500, which then ended up in what we then called LDAP at some point.
So lightweight: for X.500 there was a directory access protocol, and LDAP was the lightweight version of it back in the days. So, a long time ago, the owner typically was someone in the IT infrastructure, frequently more at system level before it started to integrate and converge. And then the next thing, the next wave, was a bit about user experience. So we had this thing about single sign-on and we had all these funny things in marketing then, where people stood on the stage and said, if you do password synchronization or single sign-on, you will save so much money.
'Cause you can save 0.72 headcounts at your IT help desk. It's relatively difficult to save 0.72 people, notably. So usually it didn't turn out in real savings, but there were all these mathematics. The only problem was if you changed whatever, one reset costs 90 instead of 60 or 40 instead of 60 US dollars, the result was totally different. So I think we always had to be very careful with that. It was about single sign-on, provisioning, simplifying things, automating processes a bit.
So the first identity management tool, so to speak, the first, yeah, what then later became IGA, when we added access governance, the first tool in this space was called provisioning day one. That was the first product name because it was about getting rid of papers where people walked through and said, okay, I need a computer.
I need this access, this access and do a bit of automation. And from there it evolved, but it was really about user experience.
Then Enron came, and the major problem they had with their accounting, let's phrase it like that. Sarbanes-Oxley, the SOX Act came, compliance came into play. So you need to ensure that people only have the access they need, least privilege, stuff like that. So regulatory compliance; owner: the IAM lead. I think three out of the two out of these three are at the end of the day, definitely very technical administrative, hard to sell to the management user experience a bit more.
But also at the end of the day, even today, compliance, if you don't have a really compelling argument or huge pressure and the negative experience at the board level, the tendency still is to say, okay, let's wait for the finding.
And if we have a major finding, then we start investing. A risky game, specifically in these days. A risky game when we have technology risk that must be reported in your annual statement if you're a publicly listed company and things like that.
So I think we see some change here because, yeah, audit is changing, regulations are changing. Anyway, it's still that. Then we had cybersecurity. This is what I talked about, identity related threats. It's the point also where, even with regulations, we had a change in ownership to a certain extent to, oh, we have an IAM department right now. It's not necessarily anymore in the IT infrastructure department. I still see IAM every now and then being part of IT infrastructure, specifically when it comes to certain systems.
So Active Directory owned by IT infrastructure? No, shouldn't be. Azure AD? Definitely not. Azure AD, or Entra ID nowadays, is an identity system, it's an identity management system.
So it's not something that needs, that should be owned by the IT infrastructure department. Just wrong, full stop, it belongs somewhere else. You can quote me on this and I'm very happy to repeat this whenever you need it in your organization. But by the way, it's also not a good practice to manage access that way. If you can avoid it; in some cases you can't avoid it.
It's a common but not a good practice. If you manage access via AD groups or AAD groups, it's definitely not a good practice. It's a bad practice because it's not the right way. Not a tool that is intended for things go wrong.
Anyway, that was just a side note here.
Cybersecurity, yes, purpose: mitigate all these identity related threats. And ownership more and more shifts to the CISO.
So I would say today probably in the majority of organizations I'm working with, the CSO is responsible for identity management. It really shifted, which also means the role of the CSO changed usually. So when I go back a couple of years, the CSO was the one writing regulations and doing a bit of audit and stuff like that. Nowadays CSOs have a very active role. Usually they're really in charge of the systems and security, et cetera. So this change, and that also means there's a logic in identity management shifting to the CSO.
And then we have this enablement part, and I think this is what where I started, we have this part which is about enablement. And the purpose at the end is enabling digital business, supporting the digital journey, all the stuff I talked about at the beginning.
And that's the interesting question. Who should be the owner? Is it the CSO or the CDO or the CIDO? Who is it? And this is something I'd like to look at in the remaining few minutes because I think that is something I also get quite frequently asked: where does our identity management belong?
And I believe it's not an answer of identity management belongs here, but which part of what we do as identities belongs where. And what I'd like to do is split this into three parts. First is identity and access management. So all that stuff around IGA and authentications, the usual things. So this thing we commonly, over the past, whatever, close to two decades, associated with identity and access management. We have a level which I'd like to call identity security. This is more really the security part.
And there are some overlaps you'll see in a minute.
It's also things like identity threat detection and response and other things here. And we have the digital identity. This is really more this perspective on the customers, the consumers, the citizens, the digital services. This is that level. So here we make identity work, we do the groundwork, we provision, we synchronize accounts, we do all that stuff that needs to be done. We do privilege accesses and so on. This is really where we do the cybersecurity part. Where are things going wrong? Are there anomalies? Is someone doing things we don't expect that person to do?
And this is about the digital business enablement, the customer journey, things like that. And yes, there are blurring lines, there is modern authentication. I didn't use passwordless authentication, but a more neutral term, modern authentication, here. So everything which is convenient and secure, can be different things. Modern authentication is something which is provided here. It helps in improving security. So it's an essential service delivered by the IAM team. And it is what enables the modern customer journey.
On the other hand, when I look at for instance, all this evolving things around decentralized identity, which I believe, and I have a talk about this on tomorrow or on Thursday, I don't know.
Decentralized identity is something which commonly comes in here. It comes in at that level. It's about we need a different type of interaction with our customers, citizens, consumers, whatever.
And we need to support this because sooner or later, I'm pretty convinced, the expectation will be that it is supported, that it works, that I can use my wallet or one of my wallets in a seamless manner with your digital service. So it comes from this, it's a part of the enablement. It's about improving the security because this is something which helps us to, for instance, use way more proofs about Martin. Martin has a proven identity because someone did a video ident or a different type of identity based on the eID card.
Much better proof than we usually have in onboarding someone. If you onboard a customer, we just trust that this is a customer and if the payment works and the parcel is shipped, okay, we can say this is sufficient.
And for many use cases it is for others it isn't. So we have more proof because we can know more, we can get more proofs here. We also have things like age verification, very easily done and all that stuff. It comes really from the digital journey for digital business. And it also helps us at the end of the day, modernizing our identity management.
There are a ton of things we can do better in identity management by utilizing decentralized identity. Because there are a lot of proofs, which are attributes so to speak. We can use an authorization for instance or for simplifying our onboarding process with a proven identity. How much money do you, does your organization spend in onboarding employees and externals which have to go through to an office and maybe show their ID card? A lot of humans involved. We can do automators, we can do a waste move, save money.
So it's a relationship in both ends, but these are different things here.
And this thing here, I call it head of IAM, there might be a different title, vice president, senior vice president, whatever, VP of IAM. And usually that person reports to the CSO. This is where the CSO is. The CSO is then reporting, in an ideal world, in my opinion, to the CIDO. Oh, you shouldn't have a CIO and a CDO, you should have a CIDO, a Chief Information and Digital Officer. This is what belongs together, which helps the CIO not only to look at this boring old SAP stuff and the CDO to look at how to make these things work in reality, so to speak.
Probably I tapped on someone's feet right now again. But anyway, that's how I am. So I believe this is the way we should look at it from an organizational perspective. Not saying there's one person who is responsible for identity or chief identity officer. As someone proposed a while ago, I believe it should be a mix of that and that will make identity and not identity, but the digital business work at all levels. Thank you.