Evolving Identity and Access Management for the Digital Era

Welcome to our webinar, evolving Identity and Access Management for the Digital Era. This webinar is supported by Broadcom and the speakers today are William Lender, who is identity security, CT O and distinguished engineer at the Semantic Identity Security Group, which is part of Broadcom. And the other speaker today that's me is Martin Kuppinger. I'm Principal Analyst at Analyst. We have a big topic for today, so we will have a lot of information, a ton of slides on, maybe not 10 many slides, but a ton of information on the slides I think is probably better phrased. So no desk by PowerPoint, but really a lot of, lot of stuff we want to tell you want to talk about before I start. A bit of housekeeping. So audio control, you are muted, central, you don't care about it. There will be a q and a. The more questions you raise, the better it is.
Then we can have have a very lively, very interactive q and a. We will do some polls too, exactly one right after that slide and one after my part of the webinar. And we are recording the webinar so you don't have to care about sort of writing everything down, but you always can access the slides, which we will provide you for download afterwards. As far as the podcast recording of the webinar, you also truly can share it with your colleagues. Having said this, I'd like to start with the first poll, which is a more generic one, which is about how is your, IM budget changing, so it's growing strongly this year. So more than 20% growth, or it's some growth somewhere between five and 20 or more stable plus minus five, or is it decreasing? We'll give you whatever a minute or so to provide your responses. The more responses we have, the better it is.
So come up with your input and tell us how your I am budget is about to change this year, so, so that the more responses we have, the better it is. I'll give you another 15 seconds. Okay, thank you very much for participating in this poll. And now let's have a look at the agenda. So I'll talk a bit about the evolution of identity fabrics, which are concept we we brought up a couple of years ago and which sort of provides a more comprehensive perspective on Im, this is very important in this context of the how to evolve with in the context of the digital era. So what we do we need to do to make our, IM ready for the future and when I'm done, we'll look at how to transform. Im without a rip and replace approach and provide a lot of insight here on what to do and how to make this work.
And given that probably most of you have some Im in place and it's how do you deal with, there need to be changes, but there's also lot of stuff here. How do you find the best solution here? And then we do the q and a session as of management. And so let's get started. Where, where are we today? Where we are is we have identity management as an established discipline. We have iga, so identity, go think governance administration very frequently. So the user lifecycle and provisioning stuff and access governance. We have access management federation, authentication mfa, we have privileged access management for you. That means for the highly privileged users. And this, this has started as a workforce, as a workforce focus. It tends in many organizations today also address consumer identity and partner use cases. And there's some covers usually for each of these four, very traditional as which are administration, analytics and risk authentication and authorization.
And they are, they're quite a number of different building blocks for an im. And what, what I show you here on the screen is our, IM reference architecture we have created also several years ago in which we are updating regularly to keep it so, so to reflect the, the ongoing changes and ongoing evolution in the identity measurement space. So usually there is some Im, but also when we look at it more in detail than probably most of you will say, okay, we have some of this, we don't have everything. More modern capabilities like the L capabilities, like decentralized identity support, policy-based access controls, et cetera, are way really found than sort of the baseline capabilities and also for the baseline capabilities. So I, I see really a lot of projects, some organizations are better, some are really baseline and even struggle a bit with the baseline.
So we, we are somewhere on the journey. Most organizations are. And, but there's I am, it is a churn, it's never ending and it means we need to continue. And so the next question is what, what is the core focus we are looking at? And I think that the thing we need to cover is we need to expand to extend I am, we need to go beyond that and beyond what we traditionally had. We, we have the zero trust paradigm. We usually, most organizations are going to or shifting towards some sort of identity as a service. We need to get better in serving digital services. When you look at the top of graphic on the right hand side, then there are the digital services. And this is I think also very interesting because they're two, two flavors of how we can deal with digital service.
So one, as we continue, as we do in traditional identity management, we manage the digital services. So we do sort of use identity management to manage identities and access entitlements, et cetera in these services. Or we provide an way away a means for digital services so that they can consume identity services. That they can say, okay, I need a new user to be onboarded. They call APIs, they trigger these actions. And this is a, this is a paradigm shift because it means we are not working sort of inside out from the identity management anymore only, but also outside in being a service provider or platform for all the digital services. And this picture, this graphic shows sort of a high level structure of the identity fabric, which is meant to provide the services backed by tools that deliver the capabilities that we need for a very simple task at the end of the day, provide seamless yet secure and controlled and well governed access for everyone at every single, that's the left hand side of the graphic to every service.
That's the right hand side. This is what I am supposed to do, enable people, enable things, enable devices to do what they need to do with services in a controlled, secure manner. And for that, we need a quite a number of capabilities. So some of the characteristics are, it is modular, it's flexible. It's adaptive, it covers all identities. It has an I identity API layer. It provides a transition, a means of transition. So how can I go from my traditional I am to this modern world? IT supports as a service deployment and modern target operating models. And it also accepts and supports the fact that most IT environments today are still hybrid. So it doesn't basically what is behind our, our idea, our concept of identity fabrics. And this also maps very well to zero trust at the end of the day and beyond that.
So it's all identities. It has an identity API layer, it's about legacy. Im trans transition. It supports us, it delivers assess, it supports hybrid it and it delivers a verified identities and verified access for zero trust. And so this is, doing this good is a key element also if we want to succeed in our zero trust strategies, this all comes with challenges. It's not of something where you go, okay, one stop shopping, I buy a tool and this tool will do everything. There's always browsers and people, et cetera. There are tools which can serve a lot, but you still need to figure out how do I move there for my, my existing work. There are also the scenarios that you say, okay, I have a core tool or two and I add to, I need some compliments to, to cover areas which aren't covered at maybe at all or at that level I need.
So we need to think about challenges. And this is about what do we need to do in in identity generals? Our requirements are changing, we also need to, to build it in a way that we can deal with all these things work from anywhere. Cloud services, not that new anywhere or the digital service I already mentioned needing, supporting consumer identities, supporting consumer devices, things, the connections between all this. And also what what happens with web three metaverse, whatever it will be. It's a bit of fasting and we all know how do we support decentralized identity. So when we, that all needs to be done while we keep still cost as a sort of in, in focus. How can we do this with an optimal, with optimizing cost? How can we protect better against identity based ethics, which are the maturity of ethics we are facing, serving the need digital services, fulfilling regulatory requirements, serving every single to the old staff, supporting this work from anywhere, onboarding employees that never have seen an office from the inside for instance, or partners.
And this needs to be dynamic and flexible. So it it, it's not that something we built and construct today, we built it in whatever X months or X years, then we are done. No, it will evolve. So the identity fabric perspective you have today will have changed in 2025 or in 2028. It'll evolve that It must evolve and it, that's the way, reason why we define this paradigm in a way that it's modular that can grow because we need to be ready to also support future innovation. Modern arch, modern architectures, microservices based, container based, help us in doing that. But we always must be clear about this. So solutions, identity, fabrics to, in the way we define, we strongly believe they are a fundamental, fundamentally a fundamental or foundational concept for what we can do. And they, they can serve island. It's in some way, it's a paradigm, it's a methodology also that helps the architecting when you walk through the different capabilities and understand what do I have, where are my gaps?
What do I really need? This, you can really build very easily methodologies, we do this day by day in, in, in the, in the advisory of our clients. It's also a bit of a high level architectures, but it's not that there's the architecture, the the identity fabric that always looks the same. It must be adaptive and it must evolve. But the basic principle applies. And I think also from an understanding perspective, so the this, this term fabric has different meanings and the identity fabric is for instance both. It's a mesh, it connects everything. It's a mesh, but it's also about production. It produces the identity services you need. What it isn't, it's not just a pile of Lego bricks, no, it's more something like that. Oh, maybe not, not that complex, but it's something which is constructed, which is ready to use or in case would be probably more ready to look at.
So it's what you do out of this, it's the result and it's about conversions, integrations and looking at how do you deal with that. And this is, this is an interesting question I discussed quite frequently with suppose vendors and with end user organizations. So, so when we look at the identity fabric, how many tools do we need? It depends on, it depends on which capabilities you need, which services you need, which tools you need, what you have in place from history. It depends on, on different, and my general recommendation is to start with a, a very limited number of core elements. It could be one that could be two, that could be three, but keep it really restricted and then to compliment it where needed. But it all starts with saying, okay, what are the capabilities you need? You need to prioritize them, you need to understand what is it, what do you need?
You then define the functional services and then you look at which tools are needed to serve this. And that should be, as I've said, a, a reasonably low number. Suites have the advantage or or solutions to cover more capabilities that help you deliver more services after. Come on. Advantages. Lesser wes, consistent uiux, consistent APIs. It's easier to operate, higher level of maturity potentially you can achieve at the beginning, at the start of your journey. On the other hand, there are always best of three technologies that help you to fill the gap, to do some things better, to serve specific needs. And you have the legacy you don't forget about, you will need some integration to the legacy for a while because you, you should be able to transition your I am to a modern fabric at your own pace. And that also could mean that you're not let a, whatever an old IGA system run to just connect to the mainframe or some other legacy applications where you say, I will retire them.
Okay? Mainframes rarely get become retired. They seem to live forever. But anyway, I think you got what I mean. And you can that for instance, a wide complex migrations and that then provides you with an a fabric, a holistic concept to construct your modern IM, but also to transition your own pace. And that also provides you then some, some controlled planes where where you manage certain aspects, your technical architecture. So the identity fabric in fact serves or in implements includes several of these controlled planes. So it is when you for instance, think about what is my identity control plan? So the control plane I use to manage identities, stem, so all these identities, how do you manage them? Then it's about mainly the identity related capabilities, directory capabilities and all the stuff, onboarding processes, the related workflows. And you have an identity management service with I IGA tools and a bit of access management tools.
When you look at B2B identities for instance, or maybe CM tools even, I haven't added this here, that could be another area a bit or privileged access management for certain types of identities and accounts that come from sort of modern silicon and less sort human identities. You have an access control blame, which is about who can do what and how do I govern that, which is then supported by a couple of services building on tools like access management and privileged access management. You should have, when you go modern, you should have a policy controlled blame where, where you manage the policies that control all of what you're doing. So who can do what, which an entity can do what we need to move way more towards policy-based approaches. That's a fully separate topic, which could take us hours to discuss. And we will publish quite a bit of stuff around policy-based access for the sort of speak to modern world, but also how to, to support the legacy world in the modern policy based approach.
Soon it will be a very hot topic outside our upcoming European identity conference this year in May in Berlin where we'll talk, we'll talk a lot about that, so don't miss thence. And then there are also, for instance, integration con, security integration control base. How do you make this work with all of your existing identity management and all of your existing cybersecurity tooling, your SIM tool, your so tool, whatever else. So the identity fabric really delivers a lot of these elements you need for modern or future proof identity management. And what item also added here is a bit around measuring the maturity of identity fabrics because I think it's important to have something which helps you a bit understand what what should be in there. How does Candace evolve? I will not read the full slide. No, no worries. I structured in into the sort of the five pillar, the five columns or pillars which are common for the CMM or CM m I approach.
So one, two, three, four, five or initial, they call it repeatable, defined, manage, optimize. It's a bit fast here, but, but I think it helps to, to say these are the five stages and then what is, for instance, the architecture and even initially you need a high level group rate across all areas. I of Im, if you don't, if you just look at one part, it's not an identity fabric. So my baseline is relatively high if you want to call it an identity fabric. You need a holistic perspective. You need to look at a broad range of identities covering at least the most important I am services, have some sort of an API layer in place, having a bit of a Porwal for at least the co the key capabilities, a consist target operating model, including the organization across all of IM and stuff like that. So it's, it's not that you could say what I have in identity management today is an identity fabric. It may be or it may not be. So there, there are requirements and maybe this metrics, as I've said, the slides will be available for download, helps you a bit in also looking at where, where do I stand? What are the things where I, I'm further away or further back.
When you start your own journey towards a modern, IM based on the, maybe based on the identity fabric paradigm. And I think what's also very important is always look at it as an evolutionary, not a revolutionary approach because you will have something and you need to understand what is missing, what is the most important thing that is missing. You also can't do all the big migration transformation pro project at the same time. You need to to plan, you need to have a roadmap and you need to think about how can you integrate and migrate what you have and then how can you expand for the new requirements to serve the needs of your business. This is a bit of work, but it's, I also can assure you we did as many, many organizations, it's doesn't take as long, it's not as complex as it may seem. And it surely helps you to build such a concept to plan ahead and to have an identity management environment that is sustainable, that helps you over a long period. That's, it was my part was that I quickly trigger second Paul. So the question is do you have something at least do you have a blueprint at least? So not technically done everything but the blueprint concept that covers all major areas such as an identity fabric. So do you have it or is it work in progress or don't you have it yet?
So I'll give you a bit of time to answer again, the more answers provided, the better risk it is. Okay, another 10 seconds I say, so come on. Some more answers please. Okay, thank you. Perfect. With that, I'll hand over to Raim right now.
Yeah, thanks. Thanks for the great insight. Hi folks, glad to be here. I'm gonna give you a, a bit of a sort of technical perspective on what identity fabric is. We at Broadcom have imagined identity fabric going back a few years. And really what we saw was a significant amount of sort of projects and digital transformation modernization projects that our customers had. And, and a lot of it had to do with the fact that the modern night IT infrastructure, you know, has become or is becoming increasingly digital and, and hybrid and really in this world, we have moved for a while now, we have moved beyond a perimeter. You know, I compare back 20 years ago when we sort of, we as an industry invented identity management. The, it was characterized by a sort of enterprise boundary, by the perimeter, but there's no longer a perimeter, right?
If, if you look at this picture, we've evolved way beyond the perimeter where pretty much anybody can now access anything or wants to access anything anywhere. And, you know, and the question then of course is that how do you make this usable? How do you make this secure? And and ultimately what has happened is that the identity infrastructure, right, not only has become hybrid, it's become extremely contextual, right? Modern access is all about context. You know, who, what, where, and what conditions. And therefore, in order to sort of make this work, make this all these connections work, we have turned to significant adoption of standards. And if you go back last 10 years, there's been a tremendous amount of innovation in the world of standards where it was the, it was the open id, it was skim, it was fight. So lots and lots of great standards have showed up in order to make these connections possible and secure.
And so as, as Martin had talked about, that the, there's pressure on identity and access management to reimagine itself. Why is that? Well, it's because there's no longer perimeter, so we need to go to an identity layer, right? That is, that is pretty much, I call it a hundred percent API-centric. In order to deal with the kind of the new modern business requirements that not only ensure that in your infrastructure your applications are secure, you, you also have to address the omnichannel requirement. That for us as identities, we would like to see kind of the same, the same behaviors no matter what, what kind of channel we use. The zero trust now has to be accommodated as part of governance compliance infrastructure, right? And, and so when you look at what does it mean in terms of the architecture, it means that the identity fabric concept now has to basically extend itself right?
Into these various IM capabilities. You know, starting with identity onboarding, application onboarding, then identity authentication, right? And now has to be, has to have a very strong contextual authentication policy with every I am. There is a life cycle of authentication being followed by authorization. So identity authorization and managing authorization, right? Across all these different, different channels, identity lifecycle, the lifecycle of identity management, right? And as Martin have talked about, making sure that not only we can continue leveraging infrastructure that enterprises already have, which is where the extensibility comes in, right? But you also need to be able to plug in to the existing processes and plug those processes into identity and access management so that you don't have to necessarily deal with rip and replace. So I would say that the, the now in the, the, the, this decade will be really from the IM perspective will be measured, right?
By the transition from silo-based identity architecture, sort of more coordinated, you know, orchestrated, you know, API-centric identity infrastructure, and then identity integrations. So what does it really mean? So if I were to take a step back and look at the identity fabric, right? The reference architecture, right? You really need to think about in terms of capabilities and I I call them services, you need to ask yourself a question, do I have a strong authentication service, right? That, and can I apply authentication policy across my different channels? Do I have a session management service, right? How can I ensure that what I use, what customers use mobile and from the mobile they go to web app and from the web app they can go back to mobile or maybe they invoke APIs and then APIs, you know, end up somewhere else. How do we make sure that there's a consistent session spanning and, and, and securing user, user experience, you know, from the, from the end-to-end perspective, from the contextual management, from the context perspective, right?
Having a risk service has a lot of, has a lot of work to do in the, in the zero trust environment. Because in a zero, from the zero trust perspective, you have to ask a question, right? You know, are we sure we can allow this transaction? Are we sure we can, we can allow issues? And so being able to measure risk, you know, at every step of the way, being able to make decisions, right? Whether it's application authorization or any kind of decision on a basis of risk requires having a risk management or risk service that, that, that can, that basically maintains the risk assurance on an ongoing basis. The identity service, right? Being able to manage the life cycle of identities right? Is, is obviously very important. And so the point being is that in this sort of canonical architecture, right, as you look at your readiness, the the big, the question to ask is that do I have a capability and can I leverage this capability right across a number of my, my applications, my projects, my initiatives?
And not only that, but depending on your business, the question to ask is can my customers or can my vendors, right? Can the partners that I work with use this capability? Can it be extended to them? So I wanna go over a couple of different concepts, right? I'm gonna start with the authentication. What drill down into a little bit of this sort of authentication policy. The key, the key point here, it's about being able to apply it across a number of different channels, right? So the question to ask is, you know, do I have the right policy, right? Can I use the different factors? Can I use modern passwordless factors? But at the same time, can I also delegate to an existing authentication infrastructure that my organization may already have and I have to use? So you need to be able to deal not only with the new modern, but you also to have, you know, deal with the fact that you have existing infrastructure and existing user experience and you want to be able to manage that.
Can I deal with the, with credentials, right? Can I deal with enrollment questions, you know, automatic enrollment, you know, offline enrollment, and how do I apply context, right? Does the tool that I have allow me to apply different kinds of context, whether it's the application context, identity, context, you know, maybe external context, you know, maybe it's something that we know about the identity somewhere else. So can I plug that context into the, into the policy infrastructure, right? And ultimately what you're looking for is to positively authenticate users based on their context poor than trying to access applications of the data, right? Doesn't really matter whether it's a mobile app, web app, API app, right? The, the, the need for authentication is consistent.
Another concept that you want to take a closer look at in your organization basically is the ability to, you know, orchestrate trust across identity providers. Whether those identity providers are internal to you, perhaps two lines of business are different identity providers. But for the most part, the question becomes is like, what are the identities that you're working with, right? Are they maintained inside of your elder infrastructure? Are they maintained inside of your trusted partners, you know, some somewhere else? And, and basically how do you then deal with the fact that the life cycle of identity management enables us to decouple, decouple use of identity from management of identity? And so while the use of identity is really about being able to accept the identity, authorize the identity, right? Use the identity inside you with different kinds of applications, but also the being able to delegate the management of identity to other providers and then accept that identity, whether it's a, you know, bring your own identity or whether it's, you know, on the fly delegation. So being able to work with identity providers and have a strong identity provider capability based on open standards such as open id, such as SAML or, you know, other kinds of, other kinds of standards. You know, very, very important for your sort of modern identity infrastructure to have this trusted identity provider capability.
Another critical element of any Im, and especially the architecture of identity based on identity fabrics, is being able to maintain sort of a holistic session, right? Being able to maintain a view of identity's risk, right? And it doesn't necessarily have to be in, you know, implemented or solely within, within your own infrastructure, right? When you look at sort of from the end-to-end perspective, being able to share signals between your identity environments or your identity silos or between your, between your, your, your, your partners, between you and your partners is very, very important. And so there's been a lot of work in this, in this space over the last few years focused on continuous access evaluation protocol standard that enables us to sort of communicate important events between different systems. And I think really for the first time in in identity management, it's this, it's this ability to share risk.
It's this ability to share signals in a unified sort of standardized manner that enables us to manage secur security while effectively while providing sufficient amount sort of a user, you know, frictionless user experience. And that's really where kind of the, the interaction between your, your application environments or your identity ecosystem ecosystems comes down to basically having this interoperability. And now I think really happy to report that we see a fair amount of progress in the industry about being able to consume different kinds of events and, and issue different kinds of different kinds of events. And at the end of the day, really what it enables you to do is create a much stronger zero trust based posture, right? Protecting your, your environment while, you know, creating much more useful and frictionless user experience.
Another element of an identity fabric that is sort of be, has become possible is this notion, and I think Martin talked about this, is that really we, we need to be thinking about identity management from two different perspectives. They're different perspectives, but they're, but they're very much, you know, tied together right into this sort of, this concept of having a control plane and having a data plane, right? So the control plane is all about management, right? It's the last a in the aaa, right? Authentication authorization administration. It's the management, it's the life cycle of onboarding identities, onboarding resources, right? Onboarding policies, right? It's the business of identity management is to understand how the identities are related to resources, right? Whether it's through, you know, direct entitlements, you know, whether it's through adaptive policies, where is through, where is rba, you know, aac but fundamentally having a control plane enables you to create the relationship between identities and applications.
That's really what identity is about. Identity manages is about, is being able to manage and secure that relationship while the data plane, right? The data plan of identity management is about enforcement, it's about enforcing authentication policy across a number of different channels. It's about enforcing authorization, right? Is there a connection, right? Is there a policy, is there a path from a particular identity in a people or silicon to a particular resource? And under what conditions? And whether that's something that's enforced in a, in a, in a, in a legacy system, whether it's something that's enforced in the modern system, you know, using, using tokens. Fundamentally, the notion of the control point in a data point is the critical component of this sort of modern identity management, you know, architecture and principles that at the end of the day, right, enables you to maintain and enforce the trust model, right?
What is the trust model? Trust model is very simple. It's about, it's about being able to answer questions such as right? Can who has access to what, you know, obviously that's the, that's the big Im, you know, that's the question in the IM space, but also it enables you to sort of model, right? What resources does a persona have access to, right? What personas provide access to a resource, right? What is the persona? Is it a, is it an identity in my ldap? Is it a set of, is it a set of generic claims that are sorted by a particular identity provider or is it a combination of something that, you know, we manage on behalf of an identity in a, in an identity store, while at the same time we take the context from those systems, right? That have something to something to confirm on the, on behalf of that identity through claims.
And when you put it all together, you have this notion that I call identity authorizer. And identity authorizer uses these rules, right? To determine whether or not an identity right at the end of the day has access, right? To a particular resource, right? So having the sort of view of identity management that has the notion of a control plane and has a notion of a data plane is very important construct. The other thing that the identity fabric, basically this identity layer gives you or should be giving you is observability at both at the business level and operational levels. Observability from the perspective I am is kind of a little bit simple, right? It's like, how do I know what, what my authentication is doing? You know, how successful are they? You know, how many factors, you know, does the identity go through? What is the, you know, what is the return of investment for passwordless, right?
Are they really using the passwordless or, or 90% of my traffic is still relying on passwords? And if they are, then how do I move them sort of towards more modern, secure and frictionless factors, right? So being able to gain this level of visibility into your KPIs or your processes is another sort of critical element that, that an identity layer based on this architecture, identity fabrics, architecture can, can enable for you. So with that, I want to talk a little bit about kind of how we see the fabric. Really at the end of the day, the fabric and the fabric based architecture means that it, it's, it's about connecting, right? Securely connecting any identity to any application, which has always been the main goal of identity management. It doesn't matter whether it's a packaged apps, native apps, mobile apps, you know, what are you connecting identities that are born in the cloud, let's say Azure, ID, you know, to, you know, to an e r p, like s a p or, or you can, or, or vice versa, it doesn't really matter, right?
The goal is to be able to apply these identity capabilities, authentication, you know, authorization where possible session session management across, across these channels and ultimately, right, you know, you know, try to cover right? The sort of the any identity to any application, you know, paradigm with this, with this architecture. And so last but not the least coming to the end of my presentation is this fabric that we've been working on helping our customers modernize, we call it security services platform, right? That enables us to sort of deliver the kinds of capabilities that both Martin and, and I have talked about, not while at the same time kind of, you know, embracing and extending the, the traditional classic identity management infrastructure to help our customers modernize the, the experiences and, and enable our customers to move forward with the digital transformation projects. With that Martin, this is the end of my, my presentation. I'm just gonna go through one slide so that we can capture the recording in case people want to look at, we have a little bit of content that we've been generating over the last few years. We started actually identity management fabric back in 2020, white paper sort of predicting the strength. And we've been doing a few, few webinars along the way that you guys can take, take a look at. Thank you.
Thank you madam, for this insightful presentation. And so instead I share my screen again where we can directly start q and a session. So to all the attendees, please enter your questions now. So you have weam here, you have me here with some background identity fabrics, so used the opportunity to squeeze us out, so to speak. So there, there's the, the first question, another one that goes to you VM that is probably a bit bit more, more, more technical one, which is, which challenges do you see related to session management? So what are the things you, you, you need to be aware of when dealing with that part of authentication access?
Great question. From a session management perspective, it's important to understand and ensure that you have control over session boundaries. That means being able to define the initiation of a session and then being able to get events or know of events when those sessions may potentially need or require termination. And the tokenization of trust that I talked about, you know, using jarts or using, you know, any other kind of token is really a great mechanism to minimize the amount to, to minimize the amount of lifetime an access contr, an access control layer deals with. So by tokenizing, by tokenizing access, by tokenizing trust, right? Session manager, you give session management a chance to ask the question, is it still the right user? Do I still trust the user, right? Should I allow that or should I terminate that?
Yeah, and I think this, this is something which makes a ton of sense in the zero trust context because this is exactly the point, this civil session. And it also provides us an interesting opportunity, which is shifting more of your authorization to the authentication to, to the individual session instead of dealing with all these static entitlements with the standing privileges, which cause the biggest trouble in identity management, the biggest trouble in identity management stems from rose recertification and all this is based on static entitlement. So there's also logic to go more at the session level. I have a second question here where I probably start best with, with answering and then I hand over to you, Adam, which is I did not see identity proving being listed anywhere. It's still still being considered as a new area. Factually, it has been listed on my first context slide and one of the boxes in the reference architecture is there's identity proving because we believe it's a very important thing and it's increasingly important to my perspective, not only for consumer use cases, but also for for workforce and partner use cases, specifically in, in these days of work, from anywhere where we have way less for touchpoints of humans to the offices and where we need to do identity proving in a, in a proper way.
I also strongly believe that decentralized identity, if we integrated with our identity management, will help us massively in process optimization around identity proving a huge subject. We, we can't cover everything here, but surely this is for instance, something we will touch at D E I C this year and our occasions wedding. What do you wanna add here?
Yeah, I definitely, this is a good point. Identity proofing has a lot of, has a lot of weight. I think, you know, organization maybe should be a little bit sort of more, you know, interested in, in identity proofing for a couple of reasons. On one hand, it, it, it enables consumers especially to have a more frictionless experience, right? I don't mind, you know, you know, having someone, you know look up my reputation on, on the other hand, it creates a stronger, stronger security. The good thing is about identity proofing has been a lot of work in the open ID community defining interrupt standards for how identity documents, identity proofing documents can be incorporated into the fabric of open ID and be recognized automatically by, you know, through standard notations, by various policy engines.
Okay, great answer. Another question here. What are the metrics by which to choose touch whether what you do in an identity fabric is good, better, or best? So I provided my slide on the maturity levels. I think that could be a good reference. You can pick up, as I've said, you can download the slides after the webinar, it'll take a bit, but it's the latest tomorrow day should be available. But what do you want to add from your perspective to what is good, what is
Better? What I would that right, you know, how do you, at the end of the day, you know, what are the, you know, what are the, you know, critical, you know, factors and how do you know it's working well for you? The question is, you know, how long does it take for you to, you know, onboard new applications? How long does it take for you to enable a business to benefit, right? Does it take, does it take nine months? Does it take 12 months? Does it take, does it take a month? So the ability to get the work done, the ability to, you know, basically drive user experience, improve, use experience, and then connect people to applications. If you can do that effectively, you've got a good, you've got identity fabric in place. If you cannot do that effectively and you keep running into, you know, you know, issues, then, then you have something to, to, to look for and improve.
Okay. I think that fits very well. By the way. Your, your response already fits very well to another question, which is are there success factors to look for from an identity manage identity, fabric based Im architecture. So what are success factors? And I think you, you brought up some, some, some interesting KPIs or, or yeah, KPIs that, that help measuring where we are and, and I think at the end successes to my perspective very much based on on did you get it implement, do you get it implemented? And how does it help your organization to perform these things better, faster, more efficiently? So process optimization to my perspective, for instance, something which is one of the really important success factors because roses optimization also is something which is about cost reduction. Do you wanna add something?
No, I agree with that. We've seen, you know, we've seen customers who, you know, actually actively practicing the principles of the fabric. It's interesting they've been able to go from initial proof of concept to full production for 10 million identities. It's a telco right? In four months, like literally from nothing, knowing nothing about it, not, not never, never seeing it, never practicing it to full, full deployment for multifactor authentication, right? In four months. That's unheard of.
Okay, a few more questions here. Has the market identified concrete use cases requiring novel mech mechanisms such as decentralized identities? Madam, do you wanna start?
I think there are certain scenarios that are, you know, kind of being early drivers. One is sort of the audit compliance governance requirement for multifactor, right? There's a lot of, you know, regulatory pressure as well as sort of the, you know, kind of initiatives coming out of the zero trust coming out of MFA to make sure that basic, basic authentication, I call it basic off, right? Is not, it does not exist, right? We basically, we, we have to eliminate, and I don't necessarily say that it's passwords only, but we have to eliminate the, the weak security. And so multifactor authentication, step up risk-based adaptive con adaptive is a, is a very well sort of understood scenario, right? That's creating quite a bit of, you know, kind of need for, to apply identity fabric principles. So audit, audit, audit and governance compliance as well as user experience, right?
Frictionless, more frictionless user experience leveraging passwordless factors are too. But I'll also point out that, you know, and that's sort of the scenarios that are, that are kind of, you know, driven by, by the business. But fundamentally if you take a step back, right, the fact that 20 years later after, you know, having invented identity management as an industry, we're still dealing with silos, we're still dealing with spaghetti code. Why is that? And to me, that's really the realization that the, the right way to think about identity management as an it, it area is from what both, you know, mark and I have talked about having the control plan and the data plan perspectives and that requires sort of this taking a fresh look at what is the right way, right? And identity management as an IT area needs to be delivered. And that's where the concept of identity fabric, you know, API based layers, interoperability comes into the picture.
Yeah, may maybe to add, and I think it was interesting at last year's e i c it was the first time that we really started talking about the practical use cases, the practical implementations of decentralized identity. I think, I think some things are already happening, which is more the consumer space where we also see a huge potential to, to improve KYC processes. If you have all the proofs, the various proofs, then you can really simplify KYC processes and K YC processes are extremely costly for the regulated industries. And the other side of it is there's also a huge potential in onboarding. I think this is one of the, the trigger use cases for, for workforce and partner identities, simplifying onboarding and from there, maybe even authentication authorization because every proof at the end is an attribute I can use in authentication and I can use an authorization. So we definitely have a, have a very significant potential here and we are seeing people really discussing more, thinking more about these types of scenarios, these types of use cases. And I'm absolutely confident that we will see some significant adoption of decentralized identities also as part of what we do in our identity fabrics for each and every type of identity.
Another question here, and I think this goes a bit back to, to what you talked about wedding, which was around authentication and, and attribute based et cetera. So, so what are privacy implications here related to using more and more dis attributes in the authentication authorization audit use cases? So, so is there something from a privacy perspective we should, should be aware of?
There's definitely, you know, the, there's traditional, you know, kind of privacy implications, which is, you know, having, you know, having the, the information, you know, being able to secure that information and expose that information, you know, on a need to no basis there's, you know, traditional privacy. But I think also when it come, comes down to sort of, you know, us as identities being able to sort of give our consent. And so with the identity fabric architecture and the standards based architecture there, there's, there is technology, right? Enabling applications, enabling your projects to take, you know, privacy into consideration through the notion of consent. There is, you know, whether, you know, content is granted by us, that's obviously up to, up to people. They decide whether they allow use of that information or not. And of course if the, if we don't allow then we don't get the service. So, so from from their perspective it's, it's our right. And so where it makes sense, you know, use using, you know, consent to drive sort of better user experience and more trustworthy right. Relationship between identities and service providers, you know, makes, makes, makes a lot of sense.
Okay, I think we have one final question here I wanna quickly grab, which is, how, how does the identity fabric support sort of the identity related threat intelligence? So what, what is, how, how does it help in in getting better here and, and may maybe I start you, you continue. So, so what what I see is we have consistent environment so we can, and we have consistent I APIs if we do it right, so we can access event from all different areas and we also can consume internally events, for instance in authentication, other use cases in, in a more consistent manner. And that provides us insight into which is way easier to implement than a, than in a silo-based identity management environment. Pardon?
Yes. So what from the threat management and in, and I call it intelligence from the sort of of analytics perspective, an identity layer that's rooted in, you know, in using tokenized trust, in using, you know, APIs, it's much more open to being, the information is much more open to being collected, collected and analyzed to in order to detect patterns. You know, for example, if, if you see that tokens are continuously getting rejected or con or there's too many or there's too much, too many privileges, that that information can be harvested and understood and then, and then look for example, for anomalies in, in terms of, you know, co coordination with my, my peer group. So it's much easier to collect the data, it's much simpler to, or, you know, or to analyze and determine patterns and then once the patterns are determined, they can be brought back into the policy infrastructure to, to say that hey, you know, this particular, you know, identity seems to be, you know, out of comp, out of compliance with the peer group, maybe we need to step up, right? Maybe we need to block, right? So you have a lot more control while, while, you know, having sort of more, more and more effective collection, you know, capacity.
Okay, perfect. Thank you. And was that a time to say thank you? Thank you to you, Adam, thank you to Broadcom for supporting this Nicole Analyst webinar and thank you to everyone attending this webinar, listening to it, sharing the information you've learned about here. Hopefully I see you soon back at some of our webinars or at EIC in Berlin. We have a great venue there. It's has been really fun last year and it'll be a lot of fun this year as well. Thank you.
Thank you.