[podcast] Part 1 - KuppingerCole Consumer Identity World Conference
Both Jeff and Jim have over a decade of experience in the Identity & Access Management space and guide companies on their IAM Program journey through Identropy's Advisory Services arm.
Part 1 of 2.
We hope you enjoy this episode and please subscribe to the podcast for updates on new episodes!
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #14.1 Full Transcript:
Identity At The Center #14.1: KuppingerCole Consumer Identity World Conference Part 1
Jeff: Welcome to the Identity at the Center podcasts. I'm Jeff and that's Jim.
Jim: Here I am!
Jeff: You're there. Today was day one of the KuppingerCole Consumer Identity World Conference, that's a mouthful.
Jim: Good job announcing Kuppinger.
Jeff: Kuppinger I've said before coming herself. But it's Kuppinger, as I learned today, so already a successful conference, yes, we can now correctly say the sponsor's name.
Jim: My attitude generally, I want to learn something new every day. Once I do a shuffle.
Jeff: So we learned that pretty early, so, that makes sense. Today was a day of workshops and there were a few different things that were talked about. There was a presentation by IDPro around Identity and Access Management, kind of like an intro to IAM, but some other good topics in there.
Jim: When I solved the topic on the agenda, I thought, OK, I'm in the industry for six years. I skipped this one. But it was a single track day. So I sat in the session, was swearing in. And they're both really brilliant people. And I got a lot of it. I think one of the things sometimes when you're so close to something is you don't see positive that you'll see the forest or the trees or basically. I think that's right now. But basically, what I mean by that is, they had a slide, for example, on IDP discovery or on Discovery. So as you know, if somebody is doing a federated log in, how do you know what I did pre to send them to? And they gave a good framework. As you know, there is three methods and I think that is religious. So I actually think what I'd like to do is get their slide deck and maybe even have one of them come on the show some time and really just go through what I do. Pro is all about meeting some of the soft and kind of dive into them.
Jeff: The end might be a Debbie Mack from the organization. Yeah, that's something we talked about in the past. I think as we've kind of grown into this podcast. And kind of learned how it works that we can start to figure out how to get some better guests and different guests from different areas and catch up near as you. But I do prose, great work. So I've been around for I want to say this is the third year. It started at Ping Identity Conference, which became Identiverse, I think was 2016. It was in Chicago. And so I'm a founding member of the organization, just like a bunch of other people. And I also served last year or the situation, say, on the board nomination committee. So I do have some relationships there that maybe, you know, might be helpful to bring on to the right one. I think that would be a good, well-run, well-managed and kind of well executed organization.
Jim: It feels like they're trying to make significant change for the good in the industry. So one of the things they were talking about is how to help people get up to speed quicker. And I think that it was put was it takes people between five and 10 years to really know the industry. And that was based on survey responses and other people self-grading. So, I think you could look at as, If you've been in the industry fifteen, 20 years, like you will know as much as I know for so long. But those people grading them and I think the thought pattern went well. Most of those who get into IAM start with a single product. So we're not really industry experts for you know, during that period, we're really working with one product because we get very product focused and how that product solves a particular problem.
Jeff: I remember that when that survey went out so that it was a poll of ID pro members and kind of get that sense of when to feel. When do people feel proficient? And it was that five to 10 year mark.
But, even people who have been in the space for 15 plus years, like you and I, I still feel like there's always something new to learn, Technology is always changing. I think there's the core concepts, right, that maybe now we take for granted. There are people who don't have that experience. We have Morgan on a few weeks ago. She’s relatively new to the IAM space. Its people like that how do we groom the next generation? I know that is a topic that actually, someone wrote in looking for us to talk about. I think at some point in the future, once we get through this little travel step, you'll be a good idea to get those folks back into a room and really kind of talk about how do we get the young folks who don't have as much experience with IAM. Snag him in college and see no other areas, younger folks or people were just looking to make a change and trying to help them along the path, totally. IDPro has this project they're working on called The Body of Knowledge, which is essentially.
The intent is to be kind of a training manual for IAM.
Jim: What interesting was it was meant to be kind of things the way Siri was putting it. Was it slight? So first off, PMP, so that's project manager for Rational, does the group that PMI that built the pinback project management body of knowledge. So I actually had to know it like down to the job title at one point. And what you're saying was that they want to create a body of knowledge, but they don't want to dictate best practices.
And my thought was a pinback, definitely. So it does the best practice or just not agnostic from that sense. But I do think that. In IAM it's a little dangerous to, try to say this is the best practice. I think so many different people have different perspectives on what the best practices.
Jeff: Well, they change, though. I mean, they can change relatively quickly. You think about it like, what was that like two years ago? I said this is fine. Maybe three years ago, but that's much as fine for one time password. Now, it's not even recommended by any standards. And I don't think historically NIST just moved as quickly, maybe, the industry. But even NIST is saying, we're deprecating that and it's no longer considered a secure form for authentication. That being said, if you're only using an idea in a password and the only option you have available is to use some sort of SMS, OTP, then it's probably better than nothing. But, things move so quickly that I don't know if you want to set a best practice today without having to have several pages of. This is a point in time.
Jim: Right, exactly.
I mean, no matter what you do, you're going to update it. That's one thing about identity management has been cool since I first got into industries. The first conference I went to was called Digital ID World and it was like I think it was there because he's been around for a long time, but it was like they talked about IAM from the standpoint of like, what is the Identity?
It was really cool.
I loved that about it. I was like, you know, I never really thought about like, what is an identity mean to me? Almost official discussion, philosophical discussion about I.T..
There are so many different industries where they've kind of disappeared as industry and they've just become like, could you imagine a CRM or an ERP industry event? I don't think those exist.
I think they're all focused on their one product focused. So it's important, you know, Salesforce or SAP or one of those guys or maybe it's like Microsoft or something. But, Identity Management still has vendor agnostic conferences,
Jeff: I think it's great. I mean, there are so many products out there, sometimes I feel like fundamentally they do pretty much the same thing. They help me understand who has access to what and if that is appropriate. But it's a basic level that's pretty much all aim is right. Those are things that could be around the authentication site authorization side, whatever it may be. But there's so many still good conferences, like you said, that you can see the compare and contrast the different solutions because each one has an area, I think that they're really good at where other specialized maybe in another area of IAM or even just down to, I'll call it like simple things like IGA, Identity Governance and Administration doing just the basics of plumbing, of provisioning accounts, deep provisioning accounts, certifications, SailPoint does it this way, Saviynt does it this way. Oracle does it another way. They all have different strengths that they'd like to.
Jim: I asked a question and it wasn't like an order who stumped these guys because I'm really interested to see if they had an answer.
But, it's like we talked about SAML 2, and we talk about OAuth2 and OpenID Connect. And I asked a question, what's next? And humor was mentioned. That's definitely one that has people's interest.
And then there are a few proprietary things, but it's a little bit hard, I think hard question to answer. You don't think there's anything virgin that's like finding the next. Here’s the thing. I don't know what it is. I can tell you that 10, 15 years down the road, simply something else.
Jeff: Let's kind of feel like about Active Directory. Somewhere someone has replaced Active Directory. We just don't know it yet. It's kind of the same way that what Novell, all of a sudden was gone and replaced Novell essentially, right? Yeah. So something's out there and replaces it. I'm curious to see how the blockchain plays into this. I think there are some sessions and next couple of days around that decentralized identity. Siri did have, you know, interesting use case around humor. You may know where it was kind of like a point to point it dedication, which I think is interesting because in the age of privacy, you don't necessarily need to know someone's birth date or you just need it. Are they old enough to do what they're trying to do? Is it buy a beer, buy whatever where they need to be 21 or maybe to vote? You don't read all that information. Just. Yes or no, so it's a binary.
Jim: So then you start having the idea of like an identity provider being in government agency and things like that, which that ideas and getting somewhere else to try these national ideas. And, it's like as much as it seems to make sense and never really actually seems ever happened. I think part of it is, I'm not an anti-government person, but, I think the government moves too slow to keep up with the pace of technology for consumers.
Jeff: Isn't it? I think it's Estonia. They've gotten all digital ID.
I don't know enough about speak intelligently. So going to stop right there. I'm pretty sure it's Estonia that has gone to like an all-digital identity to other voting online. I'm not sure how secure it is, but that could be something that becomes a case study of here's what works and here's what doesn't work, because like anything else, technology, people, processes, often tend to evolve, mature, etc. based on the needs of humans, until the robots take over.
Jim: So one last thing I want to do is mention something about that discovery. I went back and looked at the slide. It's a picture of it. So the three forms were first one they called NASCAR, which I thought was really cool. NASCAR was the log in screen. It was awful, cool icons, sponsored by Google or Yahoo!, so I thought that was pretty cool.
That was method number one, ASO's IDP discovery. Let's say one was NASCAR. Method two was what they call Idp Discovery, which was you just put it in your domain or you had a dropdown. So select your domain. And then the third was user base, which is where I say this is private most common you type in an email address type, so user name and may truncates of, whatever that domain. And then it will send you back to the right one.
Jeff: That's interesting.
Jim: So anyway, more to come on that probably the other part of the afternoon is focus on a workshop around how we manage through a data breach. And this was truly a workshop.
So when I saw it on the agenda, I didn't really distinguish it. Workshop means there's going to be a lot of participation by folks in the in the audience. So it wasn't just watching a bunch of presentations and actually thought that was going to be kept from being too boring, at least for me. But the Casey guys were Richard Hill and John Tolbert. I thought it was a really good session.
I think that’s what the big message was.
Jeff: It was handling of identity breach.
Jim: Customer identity breach, so the way they went through the workshop was they went over kind of a lot of, here's kind of the problem. One of the problems is if you look at handling a breach, there's how you can prevent it, how you can detect it and how you can respond. Most of the investment that at least they did a survey of companies in the U.K. and like 90 percent of those companies had invested in prevention. Fifty five percent had done some level of investment in detection. Only 13 percent invested in response, some of the planning for the response. And the problem is like the data breaches, I think occurred, like 50 percent of companies or something like that, it's a really high percentage.
I don't know who said it, but there's that the old adage of either you've been either you've been hacked or you don't know yet.
Right, exactly. And then what they're also saying was like, there's common patterns that they're that they found in their survey. There's a survey by this Institute, this one by IBM. And a lot of the numbers are the same. And one of the shocking statistics is it takes about a half year on average. So even detect that you've been hacked.
Jeff: This is why I'm such a big fan of things like machine learning and A.I., because I got to catch that stuff. There's no way that it makes sense to staff dozens, hundreds of analysts, just to try and pore over logs. And you know what it may be. So I think that's what you're seeing now is the kind of the leading edge of IAM. There's a lot of this focus on machine learning. I get products like Exabeam, for example. And that kind of works I know is getting into it.
Jim: Well, especially when a lot of these data breaches start with a phishing attack, you're getting somebody's credentials one way or the other. If you're a hacker, you start accessing the network in a way that would be normal all day. I do. And in that case, you say, OK, while you're accessing the network in a way that's normal, you're actually seeing it from China or you're actually seeing from the VPN and you're on the network at the same time, from two different devices that doesn't make sense.
Jeff: Right. Or you're, trying to access different things that you normally don't try to access.
Jim: Exactly, so search kicking off a weird pattern and it will require some moves to go look into it further. But I think that was the thing is that so many of these cases happen and then organizations don't have a plan to deal with data breach. And then one occurs and they're trying to fight a battle without a plan, right? So things start moving very quickly on you.
Jeff: What I thought was interesting about that part where the vast majority to stand was on the prevention side and a very minimal spends on response. I think you see that today in some of the responses that you see for the companies where frankly, their trash responses are not good. They just do a terrible job, and every once in a while, I'll see a company, take my example off the top of my head. I can think of or say, OK. They actually I think they did a good job. Yes, they got half. That's bad, but at least their response is little bit better. And there was some interesting conversation of room around. Why do we think the response spend is so small in comparison to prevention, detection, mitigation, those sorts of things? And I don't know who said it in the room, but I was thinking the same thing is if you're spending that, then this is just a perception thing, right?, if you're spending a lot of money on recovery or response, isn't that self-defeating because the whole point of you spending money on prevention and detection and all this sort of thing is that you don't get to the response.
So what are you saying to your CEO and say, hey, I need a million dollars for prevention and detection and another million dollars for response? What do you mean? Why am I spending million dollars on prevention? If you're telling me that's already going to fail. I think it's an issue to in a dynamic that, you know, CISOs and CIOs, other folks will have to balance that. You know that. Yes, we're gonna do everything we can to stop the breach, but we know that inevitably something could happen. And we need to prepare for it as well.
Jim: The challenge that we have on that would be it should not cost you a million dollars, but I'll grant you that in some companies, maybe it would, because I think the parallel in I.T. is like a disaster recovery plan, you know? Yes. You go into your data centers; you build a ton of redundancy and geographic redundancy and things like that. That doesn't mean you could fall prey to a disaster. And every company's disaster recovery flattened it. And the disaster recovery plan. Could say, well, we have a hot site over here, so we should never be down. And the response plan like this for a data breach, probably we're trying to know like, no matter what we're covered. But at least you have a plan to say when we find out something's happened. This is the team that's going to run with it. And those folks are prepared. Know the role.
Jeff: I think what you spoke up on was ownership. Who owns this? And I think people kind of thinking around the room because Casey Faces was kind of like, that's a good question. Who owns this?
Jim: So the way they approached the workshop, the KCI guys, was they set up a fictitious example. I guess they said it was based on something that really happened. But regardless, you could see how this could really happen. And they dribble a little bit of information as to how was playing out. So you're in the shoes of a new security analysts who've been with the company for a week.
And, you know. So slide one was like you start hearing about some issues where they helped us is getting slammed with all these questions about their accounts. And then you saw a social media post that some accounts have been posted to the dark web.
You're starting to become aware of it. And that's one where the reporter then got out of step two; a reporter calls you from some online media site and asks you what you know about.
Jeff: I think that's where things got really interesting in that room, right?
Jim: My perspective was security and so the company my role is not to talk to the media and never agree. Otherwise, I have media training employees. But, and the point I was making was answering that question even to say like, no, I don't know, but I'll have somebody get back to you. That could be a headline like a security analyst doesn't know this company is even know Axe, but a number of ways think he has spawned a number of ways I'm just looking for a headline.
Jeff: I think they'll take away that part, though, was that from a training perspective, making sure the organization knows who to send media inquiries to. One of the companies I worked for, that was part of our training: if you receive requests from the media, send them to this person or this department or phone number, whatever it was. And we had to actually do that every year; it was because it would change in procedures, whatever. But it was something that was actually accounted for from an organizational level.
Jim: Somebody made that statement, I think, because, from that perspective, the data breach is not much different than any other type of accident that attacks you had a factory in the factory caught fire. And they if somebody found your number or they were just kind of work to get a corporate phone number, block they got you. I wouldn't know about fire. You’d have to know. Don't say anything. It's not your job. Send them to that corporate phone number. So even if you had a plan around how to deal with data breaches, it should include having them call a number. Because I think they would know how to say no comment, I'll return your call later or something like that. They would not. I'm sure they get all kinds of these calls all the time.
Jeff: That's why you see it when you read like a news article. Know reached up to so and so. Have not heard back or did not provide a comment, which is probably OK at that early stage. You're probably still fact finding and trying to figure out what the heck is going on. You would hope that the organization would be aware of things before it gets outside. But this is the real world and it doesn't always happen.
Jim: Right. So at that point, we're kind of at the point where it's like you're suddenly to become aware. We're starting to think there's something I need to look into before you were able even to look into it. You get this media call. Then it advances into you start having more information coming your way. I think the real key is if you have a plan to get involved and you start things going. That kind of fast forward, because even though it was a great session, what I want to talk about was there were two example videos that we watched here kind of news interviews. The first one was with the British Airways. When they got breached and it was two weeks after they hadn't come out, made a public statement at that point. So they had this guy home, kind of a talking head, there's so many talking heads on news channels, sports channels these days. And, he was just saying one thing after another. And it was they lost control of the situation. They didn't get out and proactively communicate and they lost the opportunity to kind of formulate the message and let customers know that we made whole. And they'll be taken care of in that. Not only that, that their planes are safe. This had nothing to do with the operation of their planes because I think was an airline, OK? It's got my credit card number, fine; I don't want to be on a plane that crash.
Jeff: Well, it's interesting because looks at what happened recently, the 737 Max. They grounded that worldwide because of the software issue. So now we're starting to blacking out, blurred the lines between it's not just payment and billing.
Software issues can happen anywhere. And you certainly know what happened in the air for sure. So you have to be able to steer the message where you need to go, I just to want to mislead people. But controlling the narrative, which, is all over the place, politics, etc. sports, whatever it may be, is a key part of making sure that stories go the direction you're looking for somebody else.
Jim: The other video we watch was the CEO of TalkTalk. And it's interesting, the room. A lot of people had an opinion on whether or not the CEO did a good job. No, I watched the video. I thought the CEO did a good job in that. I felt like she was being honest. She was not trying to cover anything up. There was an attack journalism style. But I also could see the point some of the other people were making, which was she looked like she had slept in 48 hours.
Jeff: She probably had.
Jim: Her body language was pretty weak. And then there's this attack. Journalists just like peppering her with questions and rather than prosecuting instead of prosecuting. She wasn't let her finish her answers. The answers were never good enough. And it's like, the people who handled it best just basically put the reporter in their place and say one question at time, let me finish answering, So, anyway, we should try to find these videos add to the show notes. I think that, I know we're kind of jumping all over because we don't want the show to go on forever another day. But one of the other interesting conversations was around one to get law enforcement involved.
Jeff: And there was a FBI special agent in the room.
Jim: There was a special FBI agent for a note and spy fired.
Jim: I thought that was pretty cool. And, depending on the industry you're in. Depending on what the potential risks of the rich are. We were looking at a. I think we're led to believe that this particular company was in the in the business doing anything that would threaten the lives and safety of people.
Jeff: There is like an e-commerce type scenario, I think, really?
Jim: But it didn't seem like as e-commerce, like gun company, they weren't selling guns, redline or anything. But, imagine a scenario where your client is selling guns or public safety symbolics in some way. You need to be much quicker in terms of contacting law enforcement before you even have the full picture. if you're something where lives aren't threatened, maybe you take your time to try to, you don't want to, do a lot of law enforcement involved and then find out that actually you weren't breach. This was all a big mistake.
Jeff: I think the FBI is going to have a presentation on Friday and a couple of days. So we'll see what it worth if it's worth talking about that point.
But you certainly didn't want to spoil or steal his own thunder right ahead of that, What do you think of the show, the show?, the conference overall, because I have opinions. I'll let you go first.
Jim: It was very small. I like the style of today. No, I don't think the style of today is going to carry for, the way the comp soars. So I should call it comfortable. It's a floor on the hotel. But there are some other conflicts going on in the room next to ours. So tomorrow it'll be split process, two rooms. There may be more people. So I think to kind of make my call now would be premature. It's definitely a hot take. It's a hot day. But I'm having fun. And, you know, I met a guy named Dirk Warfield from Cognito Software. He's a GDPR expert. And one thing I didn't realize is that there are companies already paying fines under GDPR, British Airways was one.
Jeff: And it's not an insignificant amount. It's based on reader gross profit or something.
Jim: It can be up to five percent of your gross revenue. So if you're a hundred billion dollar company it could be five billion dollars. That's nothing to sneeze at, so anyway showing me some data that's publicly available, and there are some large U.S. companies being fined for their activities in countries in Europe.
Jeff: And I know Google was just in the news recently because they won a lawsuit against GDPR. It's around the right to be forgotten part of GDPR. And what GDPR was arguing was that. If someone makes a request to be forgotten, Google or the search engine would have to remove it from their entire crowd, from all of their search engines, meaning even search engine, search engines and different regions not located in European country Google I’m sure I'll get appeal. Google won by saying they won the ruling from the judge. Was that no, that's not correct. They only have to remove it from the member areas of the EU that are falling under GDPR. So America is not covered under that are other areas. So I think that was a real interesting ruling on how that's going to kind of move things forward, because theoretically, if you're in, let's say, France, all you got to do is just change it to the US version and you'll be able to still find whatever it is you're looking for versus if you're in France version of Google, for example, the results won't show up.
Jim: I want to get Dirk on our podcast, because I mean, we get asked by customers all the time about GDPR and now companies are receiving real fines, are made real money and the sky is alive. So I'd like to get him on and share some of this information with service.
Jeff: So I'm going to agree and say that it's a very small conference. The format of the conference is three days. Today was really kind of workshop, so it's even though it's day one of the conference, it's really more like day zero.
So I'm curious to see how things ramp up the next few days because it then becomes more of a conference type thing where those different sessions, but it's still relatively small. I think from my count today, there were less than 30 people there today, which is a very small number, for it can say in identity world. Now, I believe this is a new conference to the US. I think it's only been around for a year that could be run at that. And I felt like today was really good. It could have been a webinar for sure. But by being in the room and being able to have interactions with all the other attendees and there was a pretty good mix from different people of, other consultants, companies in some fairly big companies as well that we're having the conversation in that room. It was I think that's the part. That room is like, OK. This was a good thing to be here for. I just hope that the next couple of days get a little bit bigger. But I think the content itself is hopefully going to live up to my expectations, because I think that there's something here. And it kind of strikes me as, it's a relatively new seems like the relatively new show. It's from a European based company. I think it's coming out Coal is in Germany, I think Munich, Germany, right, where they're based out of. So they're much bigger. I think on the across the Atlantic.
Now, my favorite thing of the conference today was what?
The food is really good. But specifically one item of food.
Jim: I guess the Brownies.
Jeff: It was potato chips.
Jim: They were unexpectedly good.
Jeff: They were dynamite. I'm going to consider it day one of success just based on learning how to pronounce KuppingerCole and the quality potato chips.
Jim: Yeah. Here's my problem is that I eat like six thousand calories a day when I go to conferences like those two just to get it.
Jeff: That's not something that normally happens. So usually we're eating better outside of conference.
Jim: But in the previous guests talked about Oracle world, remember, their lunch was gotten a long line behind a couple hundred people and picked up a bag lunch. And then you went and tried to find somewhere to sit and eat it.
Jeff: Forced networking with other people. I know Gartner does that, not to pick on Gartner, but like the other tables, right? Birds of a feather, I think, is what they call it. I know it's kind of false. People, as they write it all like, kind of sometimes awkward small talk for people who don't really want. Yes, social Party, but others that do. And you see faces that, so it's good and bad. But it definitely wasn't your typical.
Jim: I'm probably the person people like the quiet people, one of these are good potato chips, aren't they? You should try one.
Jeff: But I think as far as day one goes, no pretty successful. I'm curious to see what happens next couple days. So I think our plan is to record another one or two more of these just kind of cover it up. But, I’m cautiously optimistic; we’ll see where it goes from here.
Jim: Yeah, I mean, depending on how it goes, we might just want to do daily updates and then tag into the endless podcasts.
Jeff: Kind of see like either the evolution of opinion.
Jim: You don't want our podcast to be like talking about this conference for like three months.
Jeff: All right. And then that's it, yes. Who knows, maybe the potato chips tomorrow won't be good. I'm going to give a failing rating, well, I think that's probably it for today, and we'll wrap it there. If you got questions, comments, concerns and accolades, send them to firstname.lastname@example.org, and we'll be talking to you in the next one!