Michael: Not necessarily. When it comes to the legacy systems, there is a set of well-defined boundaries and systems that are already employed and people within the organisation have a clear understanding of how they use those systems.
Within the greenfields environment we found that this becomes a lot more complex, because you’re faced with something that’s brand new. People have certain ideas about how they would like to change things outside, say, brownfields environments; when it comes to greenfield it’s all brand new, and typically you need to create something very fast in a short period of time.
There’s still a legacy thinking that people need those limits to build up their solutions and all that they operate. The challenge was to try and break away from that legacy thinking and not just create legacy systems which we then have to fix later, using typical legacy improvement models. What we have found is that the systems end up going down that legacy path, so we then have something somewhere in the middle.
Reno: We’re seeing some examples of that in the finance sector where an established bank will launch a new banking environment. Are we seeing that the bank is leveraging the old processes or security frameworks that they’ve got as a vehicle for that, as an enabler for the launch of the new environment, or are they developing new policies and new security systems as a component of that new business that they’re building?
Gabriel: No, I think, is the short answer. In a lot of instances they do use the existing infrastructure, the existing frameworks, the existing mechanisms to actually prove people are who they are, and give them the entitlement to do what they want to do.
Equally, I think people are starting to adopt very radically different approaches to proving who people are, and there’s a lot of opportunity, particularly I think in social media, whether they’re effectively allowing payments through Facebook accounts or email addresses, that kind of thing.
It opens a lot of doors in terms of how you establish who somebody is, who they claim to be and what people should be allowed to do within a given set and range of transactions. And so I think as professionals in this area, we need to move with the times, and effectively be aware that there are far better ways than say asking people for their date of birth.
Richard: That is an interesting point regarding the legacy thinking about identity management, you know, the on-boarding, off-boarding, the actual life cycle of an identity. Gabriel, one of the things that you raised regarding the next level of interaction is that you need to have a relationship with third party users. How is the old 100-point check? How important does that become to engendering confidence in that identity?
Gabriel: In government it takes a little while for the thinking to shift, but with corporate clients, I think they’re probably adopting faster. We have one client who deals with a lot of members of the general public, and they had a risk assessment done around basically their password system, and the passwords came up as ‘not terribly well controlled – need to do something about it’.
We suggested just getting rid of the password, you don’t need it. Now that was a bit too radical for them, and they said ‘how can we actually do that?’
The reality is that you can use things like their Facebook Account – other attributes of their identity – to get a much stronger profile of who they actually are on a recurring basis if you think a little bit out of the conventional square of the 100-point check.
Michael: If we take a look at identity management now, to identity management 15 years ago, it hasn’t really changed as far as computing goes. Identity, in my opinion, underpins everything relating to the computer – absolutely everything you do.
If you are in a discussion nowadays and talking about cloud, regardless of the type of software service, security comes up at the forefront of those discussions, whereas previously it wasn’t brought up until much later in the cycle.
But if you look at the solutions that were put in place five or 10 years ago, they were all very based around the double-directory or single directory or domain within the organisation – so that was primarily where the identity was.
So you look at the banks 10 years ago, they were putting in identity management solutions because people wanted to do their banking from home, branches weren’t open all that often, and the convenience of working from home is pretty good. So it forced the banks to look beyond their own domain and they needed to start accepting credentials and identities from beyond that domain.
Today if you take that concept and scale it out dramatically, you have BYO, the bringing of our own devices. Those devices aren’t configured in any one domain. They’re distributed across multiple domains, so the deperimeterisation that Richard mentioned earlier and BYOD are what’s driving this dramatically. Organisations just can’t sit back and go ‘we have Active Directory, everything authenticates to that, then we have identity management’.
So the concepts of the multiple domain and the multiple perimeters in identity management are the same.
Richard: Michael spoke earlier about how security was always an afterthought in a project. Customers say ‘yes we want to deliver this outcome, this is great, the business is driving it, we want to generate more revenue, and bring on more clients and then we’ll talk about security’, or then we’ll talk about how they access the information, the identity management.
You spoke earlier about how you’re seeing security now leading the discussion in projects because the discussion’s not about just delivering new services, it’s about how they do it, and do you see much opportunity from your business in how to help your clients in that dialogue?
Michael: Yes, absolutely. One part of it is that there’s a mindset when it comes to security and risk that when you talk to the security risk people they’re only going to tell you what you can’t do. The business doesn’t want to hear about what it can’t do. Security and risk – and this goes largely to the minds of the security and risk people, as a generalisation – are there just for the business and to help the business understand what they can do.
Gabriel: We find there are radical differences between one organisation and the next. I think a lot of organisations have security groups that are very much stuck in the old world of thinking, but their role is really that of a policeman, and they’re there to say ‘no’ and to issue fines, slap people on the wrist and basically prevent them from damaging themselves.
The opposite extreme, I guess, is we have one client whose security risk motto is to ‘embrace risk to create value’. I really love that. Your role is to effectively allow them to do things they couldn’t do yesterday, and so if you adopt that mindset you end up with a very different set of conclusions.
Mark: What I’m getting around the table is that awareness is very important for effective ID. It’s not just about looking at old drivers like risk.
We need to be getting out there to organisations and doing some education sessions around the responsibilities of people as corporate citizens in a social landscape. I think that’s going to be more understood over the next five years as people start to access more from their mobiles.
The individuals, all they want to do is get on, do their activities, do their transactions and get off. It’s as simple as that, and they want control of that. If they move from location A to location B, they want to be able to change it. So usability is going to drive a lot. I think that’s going to be largely dictated by consumers. But making sure the identity is safe is really the responsibility of an organisation I think.
So I think it’s about education and getting in with the respective clients and starting to chat with them about why you manage identity. This is getting to the point where it’s not just about vigilance and assistance. It’s about making sure that customer A can do what they need to do.
Reno: That’s interesting, Mark, you’re talking about a single view of the identity that you carry around. With cloud, people are now touching everything: different environments and different applications, different interpretations, geographies. I see that as bringing a whole lot more complexity to that single view.
Mark: Well it is. You can take it one step higher up. I am the owner of my identity and it’s how I choose to engage with the government, with the vendors of my choice. It’s all going to be based upon the experience that I want to obtain. The customer experience is driving a lot of these challenges to catch up and deliver on the optimum customer experience. It’s all about optimising the engagement and enablement.
And it’s not just engagement, but two-way enablement of our customers. It’s becoming more and more powerful as a tool, you know my Facebook credential, my LinkedIn credential being used to connect to the bank. Who would have thought of that five years ago or even two years ago? But if that’s the case, as a bank, how am I going to manage that?
Role-based access is something that organisations have been trying to do for a long time and invariably most people have failed at it.
There is a bank we’re trying to help now with theirs. This emerged in 2006/07, when the bank went public in the US and we had to comply with SOX; one of the drivers there was the desire for a control framework to revalidate the users.
The approach they took at the time, which was just an IT legacy approach, was to go from the application and get application owners to revalidate endpoint users. IT has traditionally controlled IDM and always seemed to play a part in it, but I think that’s going to change.
You are going to have people in legal getting control of it, and HR, and all that sort of thing. This was an example: when we walked in they were doing that, and we had a disgruntled workforce, from the people doing the testing right through to the application owners, because of the sheer workload involved.
So we scrapped everything and we went back to basics. We went back to business processing. We interviewed the business, from tellers to the CEO, and figured out it was like a family tree structure. That’s how identity is too. So the individual: does he understand what he needs access to? Now my parents, they know what’s best for me, and they know what I need to get by, so they can attest, and that goes right up the tree to here.
We made that business process and they’re now on to their seventh year of doing this access re-evaluation quite successfully.
Understanding what everyone does, and their identities, and the separation of that is important, and I think that’s exactly what identity is going to be. You are going to have to go to your client and interview them for a second touch: who are the internal guys, who are the front guys, who are the sales guys.
Mapping the roles within an organisation and looking at it from an application point of view as well, is probably key.
Michael: So we’re talking about BYOD, bring your own device: access to my phone, my tablet, my banking accounts; I can access and provide authentication to my bank. I can do what I like, within reason, with my accounts. Are we starting to talk, on the back of that, about BYOI, bring your own identity?