Welcome to our KuppingerCole webinar, Delivering True B2B Identity Management in the Modern Era. This webinar is supported by Thales and the speakers today are Marco Venuti, he's IAM Enablement and Acceleration Director at Thales Group, and me, Martin Kuppinger, I'm Principal Analyst at KuppingerCole Analysts. So before we dive into the subject of today's talk, I quickly want to give a bit of a housekeeping information I have. We are controlling audios, you don't need to do anything here. We are controlling these features.
We will run two polls during the webinar, and if time allows, we will discuss the results during Q&A. And that also leads us to the next point, which is we will have a Q&A session at the end of the webinar. But you can enter questions at any time using the Q&A section.
In effect, you can use the Q&A tool in the app you have on the right hand side. And then we have recording and slides. So we are recording the webinar and we'll make the recording and the presentation text available soon after the webinar. This is from a housekeeping perspective and before I start my part of the presentation, I'd like to run my first poll. You will find on the right hand side in this web application or in the app, you'll find the poll option. So you will see the polls and you'll be able to participate.
The first question I have is, have you implemented a specialized solution for managing B2B identities in your organization? So it's one, a set of consumers and employees, and two simple options, yes or no. So the more people participate in this poll, the better it is. So please enter your option and your perspective here so that we get some good number of results here. Okay. We'll leave it open for another 15 seconds before we then look at the agenda. Okay. So let's move forward. The agenda of today, as many of our webinar agendas, is split into three parts.
The first part, I'll talk about what makes B2B identity management so challenging. The second part then, Marco Venuti will talk about effectively and efficiently dealing with B2B identities. The third part then is our Q&A session, as I've already mentioned. And as I've said, the more questions we get, the more interesting it is. So don't hesitate asking questions at any time. So where I want to start is with two poll results, which are related to this bigger subject of B2B identity management.
They are a bit closer to supply chain security risks, but I think this also goes into B2B identity management. So B2B identities, when you look at this, it means these are identities of partners, of contractors, and many other externals that have some sort of a business relationship with our organization. They are not customers in that sense. They are frequently from suppliers and other partners. So it's different from the consumer-centric use cases. And this goes also into the entire subject of supply chain security risks.
And part of the supply chain security risks are risks caused by external identities. It's only one. But just to sort of draw the bigger picture here, and this is data from our survey we released in May this year, we see that supply chain security risks in different forms became more and more relevant. So part of software supply chain risk, but also others that have some supply chain challenges. So do you understand which people are working with your suppliers, which other suppliers they are using? So which people at the end could have access to your IT entire environment?
The interesting point here, and I'd like to focus on this, most, or let's look at it differently. Only 16%, one out of six companies, one out of six companies says we have a centralized approach across the organization. Some have a couple of point solutions. Some know that they have gaps more than, way more than half. And another 12% say they just don't know about it. So we have very significant gaps in managing supply chain security risks. And part of that is access to external identities.
We will see, I'm absolutely convinced, and this is already happening, we will see some strong push by regulations. So, and by probably also, unfortunately, incidents. But I also see that we have a long way to go to get better on this. And part of the solution is having a strong B2B identity management. The second element, or the second part of the survey I'd like to look at is around work from anywhere, driving better authentication. And that has, even while that question was really more on the workforce side, it also has an association to the B2B identity management side.
Because at the end, the point is, when we look at B2B identity management, yes, we may have contractors that are in the organization for a very long time, that even have corporate IT equipment. But most of them come in with unmanaged devices. And bring your own device, it's 24% is also a subject, an important subject for organizations when it comes to their workforce. And the other part is, when they say, okay, how do we deal with this different work attitudes, people coming in, different types of work, so different engagement types. How do we deal with this?
And the most important thing is multi-factor authentication, but also supporting bring your own device is very important. Endpoint management, in the sense of modernizing endpoint management, had a little lower perspective here. It's not a multiple choice in this case. It was a single choice question, which explains that most often probably for multi-factor authentication. But also we need to get better solutions on how we understand what is the risk of the endpoint? What is the risk of the external user? Are we able to authenticate the person in a strong manner, et cetera?
And unfortunately, and this is where I'd like to look at, unfortunately, B2B identities are the most complex case in identity management. So we have, I would say, a relatively good grip on employees.
Employees, they, yes, we may need to differentiate between first-line workers in manufacturing, for instance, and then the more the office workers with a bit of different complexity. But at the end, we know how to deal with it. We also know how to deal with customers and consumers. And customer-consumer use cases are also similar. There it's about efficient onboarding, simple authentication, relatively little differentiation between the entitlements, just that we need to ensure that people only see their own data.
For workforce, we have the complex entitlements, but we know a bit of how to deal with it. But when we look at B2B identities, then we have users, we have federating and former business partners. We have people that are responsible for the security of our factories or office buildings or others. We have consultants that are coming in. We have system integrators working part-time in the organization. We have contractors that are in for a long time.
And when we look at how frequently these people change on one side, and so the turnover amongst these people, how it's always the same or always different people, and the complexity of their access, then it is that contractors have a relatively complex access system, integrators working with systems, having access to test data, sometimes even to production data, et cetera. And really challenging consultants frequently with more limited access to certain data for their projects, federated users mapped to define accounts.
But for instance, the people that are responsible for sitting at the front door and saying, okay, you're allowed to come in or not, that are protecting it, that are walking around during the night around factories, they sometimes need access to a lot of systems or more critical systems. So we have complex use cases and the risk sometimes is really big. And most organizations, I think, don't have a really good grip on that.
And what I want you in the next couple of minutes is to take a bit more detailed perspective on complexity, where I compare B2B identities with B2E, so the employee, and B2C, the customer or consumer identities. And I think this is an interesting challenge because it makes clear what it means. So when we look at registration, registration spans the line from self-managed to managed to automated. And we have a B2E spectrum, a B2B spectrum, and a B2C spectrum. The B2E spectrum is for registration mainly automated. The B2C spectrum is mainly self-managed.
But for B2B, it can be almost everything, self-registered to highly automated when we look at contractors. So there are different types of managed use cases, et cetera. It makes things more complex. The next one is roles and entitlements. So how complex are roles or how simple are the entitlements?
For B2E, again, we are on the complex side. So we have complex entitlement structures for people that are spending a lot of time in the organization, while customers and consumers usually have a rather simple model of entitlements.
Again, the spectrum in B2B can be virtually everything. When we look at people that are running critical applications as a managed service provider, then they are definitely very much on the complex side. And others just have very limited access to certain project data. But it's a wide range, and it's not one, but it are very different types of identities. How good are we in deprovisioning? Automated versus lacking or just by inactivity?
Again, B2E is on the right-hand side. B2C, sometimes we do it by just after some sort of inactivity, or we ignore it. We just don't do it.
Again, for B2B, it can be more or less everything. And it's important because we need to understand, is this person still that supplier, for instance, goes back to supply chain risk management? So we need solutions that help us dealing with this level of complexity, which also indicators can be used. That's a bit of different picture, because unfortunately, still, even in B2E, we still have a lot of username, password authentication. We must get better here. No doubt.
But it's, yes, we have this. While B2C also goes more nowadays into multi-factor authentication, sometimes linked to biometric authentication. So we see definitely a strong improvement in this area.
B2B, again, could be everything. So when I look at my engagements, when I was a B2B identity somewhere else, it was sometimes really very low protected access to few resources. Sometimes I even received an OTP, piece of hardware, one-time password generator, and stuff like that. So it varies. Which devices do we have between bring your own device and managed device?
Yes, there's a bigger spectrum also for employees nowadays. So it's getting better, broader. We have more on that. But clearly, the consumer is very clearly on the bring your own device side.
And again, a B2B identity can be everything. What does it mean? It means that we have really a wide range of different types of identities we need to deal with. So there's not the one type of B2B identity. We have some that are a bit more like a consumer, others that are really close to an employee, and a lot of in between. When you look at the upper three areas, then there's a huge space, which is only B2B spectrum, which are specific things for B2B. There are so many facets of B2B identities that we need strong solutions to deal with that.
Because going back to what I said earlier, this is part of what we are doing, or what we need to do to secure our supply chains. This is part of what we need to secure our entire IT. There's a risk by B2B identities, and we need good solutions to deal with these types of identities. So with that, I'm back at the agenda. I would have expected the poll to appear, show up here, but I'm going to do the poll later on. No worries. And with that, I already hand over to Marco.
Marco, it's your turn.

Well, thank you all for joining us today.
Again, I'm Marco Venuti. I had the pleasure to be in the identity space since literally the beginning of the century, assisting to a number of changes and evolution of how the answer from us, meaning solution providers, solution vendors, changed over time and now reached, as Martin clearly expressed, probably the highest peak of breadth and complexity with the B2B use cases. So in the course of the next 20 minutes, I would like to answer to three key questions that are defining, in my opinion, a good usage of your time, hopefully, which is question number one.
Why is B2B different in the first place? Question number two, if I'm already featuring or leveraging some identity solution, do I need another one if I now need to deal with B2B? Yes or no? Or to put it differently, question number three, are there solutions that do it all already if I don't happen to have anything in place? So to answer those questions, I start from the beginning. The reason why we're having this entire conversation and the real core reasons behind is the digital transformation. I will keep it short.
I believe we all know what digital transformation is and what it dictates and what it entails. When it comes to the identity side, the side effects on the digital transformation on the identity spectrum, there are three key things that are guiding this conversation. First is that what before was a focus on the B2B side for the identity controls and optimization and cost and compliance is now no longer the case.
A focus there only but rather spans different identity types, including a contractor, including B2B, including others who will see them in a minute, but each of them demanding specific life cycle and interaction. And there is no longer such a thing as a single customer scenario that we have the pleasure to deal with where it's just about one identity type. The new normal is to deal with the rainbow of identity with different types of identity within the same business context, the same business scenario. So what are these types of identity?
Well, of course, there are two main ones which are all familiar with which are the employees, meaning employees, employees or remote worker, frontliner, but even long-term contractor as the definition of Martin gave before of employee type B2B users. Of course, right at the opposite side of the spectrum, we have the customers, the consumer, the citizen, which have totally different set of use cases, of course, as very nicely represented in the detailed perspective slide that Martin just delivered in his introduction.
There are, of course, some in-betweens and for the purpose of this conversation, the in-betweens are at least of two types. There are the temporary workers, the contractors, the gig workers, which very often, hardly ever or at all, they come to the office. For the entire contractual relationships they have with the organization, they are remote. They sign up remotely. They start working remotely and they go without, again, going at the office a single day. So that entails, of course, from the identity side, the entire spectrum of capability, including the full onboarding with validation.
And there are one final type, which are corporate customers or corporate entity more in the broader spectrum, such as suppliers, partner, agents or brokers, insurance, for instance. Those are not individual. Those are organization of individual. So there's a nested testing of entity that pose different challenges in terms of what is the way to onboard, to manage, to delegate, who can do what. So this is, of course, probably something you already are familiar with.
But again, worth mentioning, because indeed, this is the new normal. Most often than not, we deal with at least the two or three types of users in each and every use case for the organization we have the pleasure to serve. And of course, coming from the employees, this is very often part of the go-to market that the service and product that our customers, our organizations that we serve are dealing with. So they might be reaching the customers directly, or maybe with some business intermediaries. Maybe not just one, maybe a chaining of them.
And because of my personal customer and access management heritage, I tend to look primarily at the go-to market side of the equation. But of course, there is also the supply chain part, right? There's also other companies, business constituents, business organizations, which are on the left-hand side of this representation.
Again, this to say, there are different types of Bs, okay? So it's not just about to say that we need to deal with business organizations. There are different flavors even within the B box, so to speak. That being said, let's pick one single example, only one of a case that we addressed a couple of years ago in this case, which was a bank, a mid-sized bank that was now starting a new initiative in the real estate market through an indirect go-to market model. So let's talk real estate. So those dealers were the ones really talking to customers, and there were different types of dealers.
Some of them were in that, sorry, dealers here means business organization with multiple people belonging to them. So again, not individual. Each of them could have been in the direct relationship with the mother bank, kind of mother company, or rather with some of the subsidiaries. So it's already different Bs, back to my analogy one slide ago, are represented in this slide. So of course, those dealers were meant to be given access to select a business application for delivering the services to the customer base, and they were to be managed autonomously by themselves in a sort of delegation.
So it's about enrolling them, it's around delegating them, it's around delivering access to applications. These were the key needs in this case study, again, in this case, specifically on a banking group, should have been other industry, maybe rather than dealers. If it was an insurance company, it could have been, for instance, brokers, very similar use case as the one just described. So when it comes to what the customer asks, I thought it would have been no more, doesn't get any more clear than bringing up what the customers are asking for.
So this is a list, and you don't need to read it, of what real life is like for us as a vendor now listening to what our customers are asking us to provide them with. And some of those requirements are more and more frequent. Here I highlighted them just to comment a bit on the flavor they come in with. So for instance, is your solution managing hierarchies of sale point or layered user management is supported? So those are all reflection of something which is no longer me dealing with my employee, but rather something closer to what I represented in the previous use case.
And of course, it's about external users. Why that? Because questions such as, can you create your own registration process? Is there a validation included?
That, of course, applies only to external people, people not coming from the HR system. Of course, you also have another bunch of requirements around provisioning, the provisioning federation, and so forth. So in a solution provider jargon, this is a composition of workforce plus consumer use cases. This has been dominating our life for the last few years.
Okay, this is always the case. You have more and more a blend of the two things. And also at the same time, a blending of identity provisioning and access management. So there are at least two axes of hybrid, so to speak, capabilities, depending on the way you look at the identity solution market. So dealing with this sort of thing, we define the new B2B CIAM conversation, basically belonging to three major categories. So actually, when we talk B2B, we actually don't have a single conversation, but rather three conversations at the same time. Let me briefly recap them one by one.
The first one is what we call the enrollment experience conversation. They're usually something triggered by the chief marketing officer or head of digital. It sounds like, well, we should delight our customers, so to improve retention and conversion, conversion meaning from prospect to customers. That's kind of classic CIAM conversation. There's one more conversation, which we call the extended team one. And it goes with, well, head of digital or COO originated and is very much about, well, we need to streamline the way we manage the ever-increasing number of external user and gig workers.
They outnumber three, four times the number of employee we're dealing with. So that's relevant in many ways for business flexibility and also for cost control. Third conversation is very different. That's actually a CISO or maybe an enterprise architect conversation is around the contextual authorization.
And that comes in place where you need now also to look at your application landscape and you need to maybe centralize and do a better job in the way we manage and enforce access and policies across your application portfolio now because of the extended set of constituents that are getting access to them. So each of those conversations have some specific capability behind.
So, for instance, when it comes to the enrollment experience conversation, that very much belongs to the notion of orchestration, orchestration of capability such as identity verification, authentication, profiling, notification, consent. Those are to be bound together to deliver the user experience that we want to build for our consumer or business customers or constituents that we want to tackle. So in this case, again, the key word is around orchestration. And this is the closest to the original CIAM conversation in a way. Second one is the extended team.
And that's very much about having one more business application to be provided our business customers with. This time is a business application not to manage invoicing or stock or whatever, but rather to manage other people. But it's still a business application. It's not a technically flavored admin UI of any source. It's a business application for business user to manage identity, access, and delegation of identity and access management to other constituents. The third conversation, the centralized, the contextual authorization one, as I said, tends to be more technical and architectural.
And that's why I brought up an architectural slide. From a logical standpoint, in the middle between the users and the web applications and services you deliver, there is a CIAM solution, which captures identity, relationship among them, consent, okay? And of course, provide single sign-on, at least single sign-on, which is a very coarse grain, go, no-go level of authorization.
But if you want to go to the next level, you can actually add to this conversation one extra component, which is the authorization engine, which can either inject on the fly in the access token, for those of you who are familiar with what I'm talking about in terms of technology jargon, the scope belonging to that applications with minimal integration. So this is applicable to any application which is featuring the ability to be sensitive to claims.
Or if I have code control of my application and I can manage the way authorization is enforced with that application, I can also use the central engine to query and get responses on authorization decision. So there are different degrees of integration applicable depending on what kind of granularity I want to reach in terms of authorization level. I do realize this might be a bit too technical, but the key thing is that, as Martin said, B2B stands out in terms of complexity. My way to say the same thing is that if you can do B2B IAM, you can do it all. It's the same thing.
When we talk B2B with our customers, we usually have at least two of these three conversations, any combination applies, more frequently lately than ever before, the three of them are what constitutes the conversations around B2B IAM. So this kind of conversation, though, is still struggling because of the lack of a unified way to call them. So we are still in a day where what we are discussing even here today can be defined as B2B IAM or external user management or partner IAM and so forth.
I just collected a few of, probably it's not even a complete list of the various ways different providers are nominating this sort of capabilities. So we still lack a single way to call it to understand each other in an easier fashion. And that confusion is maybe also the reason why we still assist two different ways for our selected customers to leverage this sort of capability. So I thought it would have been interesting to kind of recap what are common patterns that we assisted lately. So in this example here, I'm representing a company before going B2B, so to speak.
So still leveraging something they had before, which is an IGA solution. In this example here is an on-prem one, but doesn't matter if it was a cloud one, same story apply.
Of course, IGA was there because of managing internal users primarily, so HR fed in an automated onboarding fashion with an admin persona looking at them and provisioning users and managing users on the various on-prem and cloud applications. It comes the day to deal and expand to business organization, B2B customers or B2B entities, meaning users and delegated manager, they're included, more than one. So the first take very often, the first intent is, well, we already have an IGA solution, let's use that for the job.
And doing so, okay, we can still open up to the delegated manager the ability to manage their user tool and to deliver them access. That kind of approach, in our experience, get rejected after a few months for a few core reasons. First of all, because of course, such an approach doesn't feature some of the core capability, they are very much relevant for a B2B conversation, such as the presence of single sign-on, but also terms and condition acceptance, read, consent on document and or attribute. Not to mention that the registration process is not provided by IGA solution.
So in this approach, too many things lacking, it is deemed to fail, is deemed to be just a step one in a longer journey. What is the step two? Step two is involving a CIAM solution. I call it here for the purpose of this conversation, a generic CIAM solution.
Well, things are already much better. Now I have in this example here that the users can be on boarded through a registration process, because that's what CIAM solutions provide. They can bring their own identity, maybe a national ID, maybe social one. And of course, they can be signed on on the various application. This is much better, but there's still room for improvement. Why that? Because very often the delegation capability for those delegated manager are pretty, well, not business friendly. They are coming maybe from repurposing an admin UI and you can still feel it.
And that's a generator of help desk call from the delegated manager. Most importantly, because the creation of a new B2B entity managed within the system tends to be still a technical thing. Something that I need to call the IT office to make that happen is not something that a business user can do. They cannot say point and click. There's a new B2B entity I want to deal with. And John Smith is going to be the delegated manager. Off you go. It's not that easy. And so that creates a limit in the flexibility of the solution. That is a yes.
But of course, there are native B2B CIAM solutions, which are in for the purpose of this representation. And just to make things easier, adding one more business application, as I said, at least for delegation management. Right. And making easy for through that also the point and click creation of new organization, new B2B entity, and the ability to delegate in a downstream fashion to a nested notion of B2B entity among them. So this to say that things change and we are assisting to more pattern three, not rather than two and less and less one lately. But this is how it started.
Because again, there's been a lot of evolution over the last few years around this subject. And I like to close maybe with what my short version of the last 20 years on what this domain went through. So at the beginning was very much, as I said, before digital transformation, they said B2E focused IAM offering was very much about cost and compliance in-house. Then we realized later, and I'm among them, there is a totally different set of use cases when it comes to do consumer and customers to the point that there were different vendors doing B2E and CIAM.
Then later we realized that CIAM with C meaning customers or consumer was possibly the worst acronym ever, because to just talk consumer is limited. It's not just that. It's also B2B users and gig workers. So maybe we could have come up with something like external IAM rather than just CIAM.
But now finally, and it just took, so to speak, 20 years, we realized that we can safely bet on having a single solution that does it all, which we call a conversion, meaning same solutions for addressing the spectrum of capability that ranging from the external to the internal in between the B2B can serve the different use cases. So back to the question from where we started. I think that the answer to why is B2B different can now be answered.
And the reason is that B2B is indeed standing out in terms of complexity because it also requires notion of organizational onboarding and delegation management and flavors of authorization management, which are on top the CIAM one and different from the B2E ones. So question number two, do I need another solution to deal with B2B?
Well, most likely you do, though you might have already some CIAM and IGA solution in-house. This would be my scenario number two before. If those solutions are featuring the right level of usability, then you are probably, you don't need any specific solutions. Number three, are there solutions that do it all?
Well, there are. And of course, we claim to be among them. Is that not a coincidence?
Okay, meaning that we learned that the hard way through mistakes that we have been doing before during the last few years and now fixed since the changes in the evolution of the platform over the last five years, specifically devoted for B2E use cases. Again, what we rebuilt was given that was driven by the mantra, if you can do B2B well, you can do it all. Closing from where we started.
Again, digital transformation is why we're having this conversation in the first place. Identity has a big say in how to approach that. And the modern CIAM solution is essential to help drive and accelerate that. Or maybe rather than a modern CIAM, again sticking with what I just said, a modern B2B IAM or CIAM, or still lost in translation, to be defined.
Martin, help us with that. Let's find a name for what this subject should be called like.
Okay, with that, thank you very much for your attention and back to you, Martin.

Thank you, Marco.
So, we've been talking about some conceptual aspects and then really how it is evolved and how to do that. And right now, before we go to the Q&A session, I quickly want to launch the second poll.
So, we had one poll that talked about, looked at B2B IAM solutions for a second one. I'm curious to understand whether you already have an established and structured process for supply chain risk management in your organization.
So, yes, but it's really more paper-based approach. So, really more on the paper side or it's really based on an IT solution or no, there's still a gap.
So, looking forward to your responses before we then shift forward to the Q&A session. And as usual, the more people participate, the better it is and the more valid the results are.
So, please go ahead. Thank you.
So, let's move forward to our Q&A and we already have a couple of questions here for the Q&A. And so, let's get started. And maybe the first one is really primarily targeted to Marco. It's about what is the number of B2B organizations and the relative size of B2B users in these organizations compared to employees, for instance, you usually assist with.
So, which organizations are looking at these challenges of these use cases?
Well, it's very, okay, good question.
So, which organization in our experience are, again, my example was in banking and maybe I could have brought up an example in insurance because in our experience that's where it would start or at least where we started to the point that even these days we have quite a few insurance companies which are dominating maybe our reference list, right? But this is totally incidental. It's probably historical.
So, we assisted two customers in pretty much in retail, in finance, in manufacturing. And so, there is no real any specific vertical that is more relevant than others.
Though, in terms of relative size, these types of needs tend to be more perceived as such whenever you have a proliferation of many B2B. I mean, if you just have two, three organizations you're dealing with and they're very static, you don't have that problem, okay? You end up treating them as you define them in employee type B2B constituents, okay? Things tend to be more relevant and more requiring specific solutions when you enter the volatile set of constituent dealer brokers or agents, right? Type of constituents.
So, that's why also my maybe tendency to look more at the go-to-market part of the conversation. So, from the company to reaching the customers because that's where you have a more volatile set of business organizations involved.
So, maybe to add here. So, what we see is, I think there are really two factors impacting this. The one is the industry and there are different reasons.
So, some industries, when you look at automotive vendors with all their suppliers, they already have some certain level of maturity also when it comes to some supply chain security aspects and managing identities. But still, in most cases, also some way to go. In the finance industry, we see the regulatory pressure being higher in this space.
So, this is really driving a lot in that space. And then we have others which have just very complex use cases. Interestingly, for instance, when you go to some large healthcare institutions or which have some students and a lot of our extras or pharmaceuticals, then they have in tendency very complex use cases.
So, they are again also frequently driven by regulatory pressure, are looking increasingly at how can I get better on this. And it's not that you could say there's a silver bullet yet. I think there are solutions like the one Marco had talked about that are coming to the market to help in this space. But it's definitely something which is still a challenge for most organizations. And depending on the level of regulations, also the sort of the size for organizations is a bit different.
So, the more regulation, the smaller usually the organizations are that need to care for this. Okay.
So, we have a couple more questions here. So, with all these new identity flavors and moving to one uniform IAM or digital identity solution, how would you arrange identification of identities, for example, to reduce duplicates?
Also, what is the difference between an identity and an account in your strategy?
Oh, well, I think that it doesn't change that much compared to what, for instance, we're already familiar with in identity governance or light identity governance. You still have that dualism, identity versus account. Those are two separate things. Okay. And probably they should be kept as such.
Otherwise, you inevitably end up having nasty side effect, okay, if you don't have a clear distinction between the two. So, I don't revise any significant difference introduced by the B2B specific use cases with respect to what, again, we already kind of matured with over the governance evolution base.
So, in the past, I remember we had some discussions also about personas, so to speak, as a third one. So, you have a persona that has different identities or a person that has different personas.
So, it ended up in very esoteric discussions, honestly, regarding terminology. But basically, the point is I, Martin Kuppinger, I could be, take an insurance company example. I could be an employee at an insurance company. I could be a freelance broker for an insurance company, and I could be a customer.
So, I could be in all three roles at the same time with different accounts. So, I, as a person, would have three personas or identities with different accounts. That is a good point. The other part of the question was about the identification. Identification, I think, this is an interesting piece because what I expect to see is that we use more and more sort of remote verification approaches, maybe soon together with decentralized identity, but it would sort of go beyond our subject of today.
But even for the workforce, I think what makes a huge difference nowadays is we have a lot of people that are employees that never have been in an office of an organization. So, they are closer to B2B identity sometimes when it comes to identification, isn't it, Marco?
Yeah, indeed. But the way you answer the question now allows me to better understand probably what the original question was also about, right? How do you deal with the same identity, maybe having different hats, different personas, you said, depending on maybe an individual session for a specific service, I might be getting there for different reasons, right? Or maybe being, I don't know, maybe in one case a power user, another way an ordinary user.
So, depending on the context of authorization, depending what I required. So, the reason why I'm bringing this up and now probably better understand what you mean with that is that it's indeed a fairly advanced requirement, but we got that already and I'm happy to report that we understand and we interpret that, that there is a per session level of authorization that you might have and you might be subject to depending on which resource, on behalf of which other persona you're not getting access to, okay?
So, that may be probably another flavor of the answer to the same question. The same individual can indeed have different access to the same resource in different ways depending on session specific context.
Another question I have here, you mentioned authorization management as part of B2B, is that frequently asked for and is that assuming that the organization is primarily building its own applications?
Okay, well, it's frequent, it's getting more and more frequent, okay? So, that's the thing. While delegation, which belongs to B2B, is about distributing the ability to manage people.
So, there's a notion of spreading out who can do what and making it closer to the beneficiary, okay, the delegated manager. On the authorization, we assist to the opposite. We assist to a tendency to centralize, to have a single place where I manage them all, okay? Authorization meaning having policy contextual information processing at runtime detected or depending on the identity relationship among identity, etc., harmonized to make authorization decision.
So, it's coming more and more frequent, okay? It doesn't belong to B2B only.
No, I think it's just made more relevant by B2B use cases but doesn't at all belong to B2B only, okay? And it doesn't require strictly to have control of the code. I think that question was also going, do I need to control the application, right, the application code?
Of course, if you have that, you can make the decision to defer to a central policy decision point or your authorization decision and this is a very advanced integration and very fine-grained control that you can have but even in an application that you don't have control with, as soon as they are SAML or OIDC compliant and so they are sensitive to claims, you can still control functionally, centrally in an authorization engine what users are entitled to. So, there are different models that would deserve a conversation and probably a webinar per se, okay, to properly...
Yeah, I think for policy-based external control, we can spend hours. For instance, to the keynote at our European Identity Conference this year around my views on that. I think the point is we can use policies at many places and yes, the ideal would be if an application asks a policy system for authorization decision at a very fine-grained level but also for authentication for some more coarse-grained process, we are using policies and we are seeing increasingly, increasing use of policies. There's a follow-up question on that.
So, how do you see access modeling for B2B and B2C? Is this more traditional RBAC or is this really more attribute-based access control? And maybe the context of that is also as policy-based access control is effectively used.
So, we know exact model, not that much but for instance, on one hand, we see a lot of policies at the authentication level and we see a lot of policy use right now when organizations are starting to build additional services when they rely on technology such as the policy agent. So, we as analysts, we observe a very strong uptake here. What's your opinion on that?
Yeah, okay. Yeah, this is a very good question.
Again, it's really a blend in my experience. Again, role-based access control in B2B tends to be much lighter, much easier, not struggling with the challenges or maybe the implications that have in B2E, IGA, where you have role proliferation, explosion, and sort of. This doesn't happen in B2B. It tends to be, yes, you have a catalog of roles because there is discretionary access, multiple application involved. You want to build roles but there are not that many, are a fairly limited set, okay?
So, to that end, RBAC is among the requirements that should be fulfilled and helps in talking the business language because that's what roles provide, abstraction in terms of the way they are named, okay? But there are just a few. That being said, the way they get delivered, okay, and assigned to different business constituents is very often policy or attribute-based.
So, both applies, okay? So, we're back again to the authorization conversation attribute when you have that geography matters or other identity attribute presence decisions are made.
So, that's where ABAC is also applicable. So, I would say RBAC applies much lighter than in traditional IGA. PBAC and ABAC apply as well, different domains, yeah.
I disagree on that. I think we already know what will be the next webinar topic we do together, isn't it?
That would be a great one.
Yes, so much to talk about on that policy-based access. So, Marco, we are done with the questions.
So, that means thank you very much to you. Thank you very much to Thales for supporting this webinar. Thank you very much to everyone listening to this webinar and joining us today. I hope to have you soon back at one of our upcoming other virtual events or physical events. Thank you. Thank you.