CRN roundtable: identity management today


Mark: I think it’s just common sense.

Michael: If we look at ‘bring your own identity’, what we’re talking about then is the individual owning their own identity, where my identity resides. I may well have multiple identities depending on how I want to be perceived across different organisations – but let’s say I want to do my online banking.

I may want to do that via Facebook or Google or Twitter. That’s my choice and where my identity wants to reside. That is my identity provider, and then the banks will consume that identity. So within the context of that bank, my roles are then attached to it. IDM is just getting more and more complex. You think identity, identity is owned by me and then I can determine what access the bank has to my entitlements.

Gabriel: I think certainly we need to move towards a world where it’s ‘bring your own proof of identity’ in effect, because increasingly now it’s not just a password you use to authenticate yourself, it’s something that can be stored on your mobile phone. Effectively you have something you know, the phone and the actual password, which gives you much stronger authentication anyway. But anyway our clients need to be in a position where they can adapt to effectively prove and use those technologies to better establish someone’s identity.

Reno: With government, especially in the health sector, we’re starting to see one identity across government is forming around things like PCEHR and stuff we do and so I think over time we are maybe going to revisit the national identity card concept. I think it’s just naturally evolving in these cross-government things, and assuming identities of service is something else that’s also evolving, things like Facebook, Twitter and LinkedIn, and assuming your authentication authorisation of those things and then using it.

Richard: Picking up what Gabriel was saying, if we don’t coin the term ‘bring your own identity’ – organisations are going to be tasked with developing the frameworks to be able to consume identifiers that sealed a profile of identity integrity. So it’s not actually whether it’s a Facebook ID, or LinkedIn ID or Twitter, there’s actually an organisation’s ability to consume that to build a valid profile of an identity to be able to develop a level of evidence – it’s evidence and integrity if you like, that 100-point check.

Michael: And I believe that’s been the challenge of organisations over the years; the integrity of that identity. Previously large-scale identity management solutions, you know where federated single sign-on was born out of large organisations that internally you would pass that identity around and end up distributed globally. We needed to ensure the integrity of that identity. It’s now on a global scale, where people are under licence.

So organisations need to consume that identity in a way that maintains its integrity to that organisation, but still deliver on the customer experience. I think the linkage between the integrity and the customer experience is paramount and where all the investment’s going to be.

If you look at PCEHR, for instance, the electronic health records, that has been programmed, the government has been undertaking it for a number of years. It’s only in the last two years they’ve applied the PC, the ‘personally controlled’ side of it, so it’s just bringing those two elements together. The next question is how do you extend that across government or how do you bring that integrity?

John: The shift to bring your own identity is also a shift in the legal framework, because if you’re saying that the level of assurance that you need is your responsibility, today the level of assurance is imposed by the organisation itself. They are saying ‘we’ll own the identity and we’ll have a level of assurance to get access to certain information’. But if you turn that around and say the individuals own the identity and it’s up to them for the level of assurance, then there’s a legal shift there.

Richard: Is the onus on the individual or still a risk management decision for the company?

John: Until the organisation actually relinquishes control on the level of assurance and says ‘it’s your responsibility’ then they still own the identity in their organisation really. If they say ‘okay we are going to turn it inside out and it’s up to you, and if you want to use Facebook, that’s fine, there’s a high risk profile, but if you want to use something that’s more secure that’s up to you’.

But your burden of risk then shifts from the organisation through the medium you took. There are major implications to doing that. Although people go ‘I’ll log in using Facebook’ you usually end up with a level of access that requires a lot of risk profile basically.

Richard: Yes, but you can have something that goes ‘okay I’m a uni student and I can see my timetable’, because it knows who I am. Or it knows that I’m a prepay customer. It can give me things but it doesn’t mean that necessarily I can get access to my billing account or something.

But it knows who I am to the point of being able to have a useful interaction with it. The question is whether those legal implications actually exist or not, because it’s still a business decision to what level of credential integrity they’re willing to accept for what content delivery or transaction value.

John: All they’re going to do is say ‘here’s a list of providers that we can talk to on Facebook and a bunch of other ones really’. But that’s really not releasing the identity. It’s just kind of going ‘okay we know who you are, but we still own the identity’.

Richard: Back again to the 100-point check, instead of turning up to the bank with a photocopy of your bank, passport and driver’s licence and so on, and doing a face-to-face proof, there’s a move into online verification, identity verification, which actually achieves the same result.

The integrity of the 100-point check is still there. The banks can rely on it; therefore they can transact and deliver value. If that’s the case, if that capability is available, doesn’t it still apply that the organisation has access to be able to consume that, as well?

John: It depends on the identity. I have a Facebook account. You can look me up as John Jones within the organisation and do a 100-point check. But whether or not I’m actually that person on Facebook is a different thing altogether. So Facebook has addressed this with organisations in the last year or so as more have moved to create their own Facebook pages. It’s only more recently they’ve gone and actually provided visibility of the index file, so now anyone can make anything.

Gabriel: I think we shouldn’t confuse two concepts here. There’s basically the matter of how you establish somebody’s identity in the first place, and I think that’s what Richard is talking about here with the 100-point check. What they’re doing there is accessing things like births and deaths records, to establish that a person of that name does exist and looking at other factors to identify.

That’s how you establish them upfront, but then it’s how you actually continue to prove their identity on an ongoing basis, and to me that’s where there’s far more opportunity to adopt new and emerging technologies – things like the actual phone and other things they bring along to the party to say ‘here I want you to use this to prove I am who I am in future – I’ve established here now that I am who I am and this is how I want to be identified in future’.

Richard: It’s a good point. How much of a market is there for consulting organisations like yours to deliver that to customers, deliver that thought leadership to customers?

Gabriel: I find myself in discussions around that all the time. I think it’s very instrumental for the business we’re in.

Mark: Because we’re at the start of that movement, I think we need to move towards a different way of looking at identity and access, because they’re two different things.

There’s going to be quite a bit of opportunity over the next three years for organisations such as us to go in and hand-hold organisations and guide them through. Where those conversations lie or shift from the traditional technology chat, which is ‘come and play’ for a lot of technology companies, we’ll see more engagement with legal teams and talking with the business front and talking with HR.

CRN: The conversation’s been weighted very heavily around actual security and compliance and all these strategies for risk mitigation, but what about the productivity and efficiency benefits that can flow from an intelligently thought out and deployed IDM strategy. Presumably this is the harder part of the sell?

Mark: Yes, particularly when you’re talking about smaller businesses. So my history is not from technology and info security. It’s from service management, so I set up service desks and IT teams.

One of the biggest drivers for investment in security solutions was the challenge of resetting passwords in call centres. And it still hasn’t changed with all the technology that comes through. There’s an enormous amount of money spent on supporting identities. This is due to a cold-hard fact about business. It’s about retaining customers.

The more time staff are on the phone to a call centre, the less time they spend generating new business. So getting ‘high-end’ organised and having the 100-point check is an enormous productivity challenge.

Richard: The biggest thing from our experience probably in the last three years, our largest growth in our business, with 50 percent plus year-on-year growth over the last three years, has absolutely been productivity and delivering.

The money is coming from the project; it’s absolutely where the ROI is. The biggest drivers in terms of ROI are customer acquisition and retention, and identity goes to the heart of that through customer experience, meeting customer expectations, exceeding customer expectations and product service delivery. So we’re seeing a huge amount of new money and continued investment. It’s not just a stand-up project to try and resolve this, it’s about continuous investment.

David: So Richard, presumably a large part of customer spend is within the firewall? Or is it outside? Are people spending it in their own domains?

Richard: Our experience over the last couple of years has been two thirds one third. One third around governance, provisioning, what I call the plumbing – on-boarding, off-boarding, business process. It’s maturing in terms of governance and gestation onboarding and offboarding, especially around applications.

That segment has been growing at an industry average of 15 to 20 percent year-on-year, but our biggest growth is actually in online. I call it online – both internal and external – because of the de-perimeterisation, the blurring of the lines.

I was sitting with the CTO of a telco last week. His major questions concerned his two key constituents: ex-customers and internal. He said ‘I don’t care anymore. They are the same. They are constituents. They are people and identities that I need to work and deliver products and services to’.

They may have different drivers, but from an internal perspective, the products and services being given by the business and productivity in that employee pool, products and services to deliver a new capability and revenue streams and jump on board, before being wiped out by your competitors in speed to market, it’s the same.

CRN: Are partners around the table here seeing exciting opportunities for small businesses with regard to marketing and deploying IDM solutions? Presumably in the enterprise and mid-tier companies there’s a reasonable understanding about IDM, but what are you experiencing further down the chain?

Mark: We are seeing some opportunities. However, at the moment the cost of an ID is prohibitive. So for SMBs to do that, a key option is ID as a service (IDaaS) where they can release that cost, and make it just an item on their ledger.

Rene: Do you think there’s an opportunity for all of us here to look at providing Identity as a Service, or doing more of managed services, where the client still owns the infrastructure, but where our task is the responsibility of managing the infrastructure? Do you see that as a vehicle for getting into mid-market and smaller accounts?

Copyright © CRN Australia. All rights reserved.
