[podcast] Part 2 - KuppingerCole Consumer Identity World Conference
*Disclaimer from Identropy: These transcripts are produced using automated tools, so may not be an exact word-for-word transcription. (i.e. - if you read something that sounds wrong, it's the tool's fault!) As always, for a better experience, please listen to the actual podcast.
Podcast #14.2 Full Transcript:
Identity At The Center #14.2: KuppingerCole Consumer Identity World Conference Part 2
Jeff: Welcome to another episode of Identity at the Center Podcasts. I'm Jeff and I'm here with Jim in Seattle.
Jim: I'm Jim in Seattle.
Jeff: Today was the last day of the KuppingerCole Consumer Identity World Conference.
Jim: You said it better than anybody at the entire conference.
I am a professional podcaster. So, yes and you can tell about my professional podcast voice.
Jim: We should remember it. This is the upper echelon of microphones. Right?
Jeff: No, I would say this is beginner hobbyists, but I like it because it's portable and it fits into a beggarly well.
Jim: I don't want to start off as a complainer, but I'm going to.
One of my biggest complaints at the conference this week was that people didn't hold the microphones up to their mouths. And they had the speakers turned up very loud. So if you weren't sitting in the first couple of rows, really couldn't hear what was being said. There are a lot of quiet talkers, quite a talker, is fine, but hold the microphone up to your mouth.
Jeff: My favorite was one of the panelists, and one of the things at where he's up on a panel. And talking and he's holding the microphone down by his legs.
Jim: At one point, he put the microphone in his lap to do hand motions. I think you've already figured I watch the Joe Rogan podcast, or I listen to it. Sometimes I watch him on YouTube and he'll remind his guests, put the microphone to your mouth. I feel like doing that during some of the meetings, like: Hello? Hold the microphone to your mouth.
Jeff: Anyway, it's an epic. It's something that once you see it, it's hard to see right or on here in this case. Yeah.
I didn't hear everything, but I heard enough to kind of summarize. So first off, this was not a tech conference. It wasn't. I mean, there were a lot of code examples shown in a rest API, things like that during the conference. So I got to dig out a little bit. For the most part, I thought of the three major themes were privacy, concerns and data breaches and what does it do in the course of a data breach? A lot of privacy regulations that are coming down the pipe, how they're affecting consumer IAM. And then how to handle consent and what's the right approach.
Jeff: And conversation focusing around GDPR, PSD2, which is the banking directive from the European Union, and the California Privacy Protection. So I think there was a lot of questions around, what does it mean for companies now that we've kind of gotten past this first part? OK, now it's in place. Now what? Right. There's been some breaches, which means there's been some fines. Now it's how do we address it more proactively than just the kind of mad scramble it's been around for the last couple of years just to look like, OK, we're compliant. What does that mean?
Jim: It's going to be interesting to see what happens. Somebody asked, what are the benefits that come from GDPR? And there have been some fines already totaling, I think, less than a billion euros.
But imagine the amount that consulting firms and law firms have made already on this regulation. As the thing ramps up and finds it every year and more, there's a higher quantity of fines. It's just like Sarbanes-Oxley. I think that was like the best thing to ever happen. I think that was what Luis said. I guess, a couple months ago it was Sarbanes-Oxley was the best thing that ever happened in IAM.
Jeff: I think GDPR is gonna be a more driving, that seemed to me caber, because it's not a static fine. It's a percentage of revenue. Which if you're a huge company, Google, Microsoft, whatever it may be, you're not getting away with just kind of a standard fine that is the same no matter what size you are. So it can be pretty expensive. And the British Airways one, I think was, what, half a billion dollars or something like that right now is just one of the first ones. So it'll be interesting to see what kind of fear that puts into companies. Are we treating privacy correctly, the consent and being able to manage the customer data in a way that protects them and mitigates any risk.
Jim: There's a woman from Salesforce who is talking about.
Jim: Marla, right and talking about GDPR and talking about, intent versus the letter of the law and in other words, are companies trying to implement around the spirit of GDPR or just be compliant just to check the box. And I think that's a bigger danger, a lot of the people in our industry that I've met over time, they really want to get in alignment with the spirit. At the same time, they know they need to check all the boxes. But I really do think the spirit is heading in the right direction. I think it being limited in certain ways in terms of its scope, not being a global directive, not having something that's, pretty much equal with it in the United States and in other major economies. I think is where it's going to miss. And hopefully, coming from my perspective, hopefully this is something. Yes, it's driven down a lot more, I think, from a company perspective; they need solutions to GDPR or to be productized. They can't solve all these problems themselves they need. And it's initiatives like this and complexity like this that will drive adoption of cloud solutions if they can meet the use case requirements that the company has in terms of the core functionality. They just don't want to have to take on the complexity of something like becoming compliant with privacy regulations.
Jeff: I think most companies struggle with from a financial perspective. They have to start somewhere. They don't have the luxury of going in and saying, let's build the ideal state. This is the way the state is today, meaning our current environment, our current business processes. They have to start almost with checkbox compliance because that's the minimum viable product that they can put out. Would they like to design? Ideally, yes, probably, but there's very few companies that one have the funding to do that right away or the really the corporate desire or organization, does that do it? So I see it as a stepping stone. It was OK. Let's get the basics in place. Now, let's start to expand from there versus you a product that maybe goes into it with a product or a company or service that goes into it with security design first. What you are starting to see more of those, but not enough. I don't think know. I think of several services that I use that are, you know, Web 2.0 and later, products that still support MFA.
Jim: And I think you actually are starting to reach your groundswell where people expect two-factor. I don't know, part of it is I feel like being in this industry, I lose touch with the common man. I would not bank at a bank that did not have two-factor. I just wouldn't do it if I didn't feel like there is sufficient security around my account; I wouldn't bank there, with the average show on the street. I don't know. Every time I tell people I like a song like the last guy, I somehow very social. I like to talk to everyone. I'll talk to folks sitting next to me on the airplane. Invariably, though, to know what I do and I try to explain it was in a context that I think so understand. Usually explain it as an impasse.
Jeff: I hate that they put their earphones in.
Jim: I hate all these password standards. You does it best. There's one company where I didn't even ask for a password. They just recognized your phone. And it's two-factor because it's you in the phone, whatever makes you happy, if you want your phones in your entire financial future, depending on lack security policies, that's up to you, but I thought, there's some really good conversation around consent. The whole User-Managed Access, or UMA, standard. I think, we didn't talk too much about adoption and how far it's gotten in terms of adoption. It seems like, Alan Foster gave the talk and I remember Eve giving even mentoring, who has really been spearheading the standards for as long as I've heard of it. I guess her out a lot longer than I was aware of it. But, I've been aware of it since maybe 13 or 14 and did it.
Jeff: Before we get too far, what is UMA?
Jim: UMA is User-Managed Access. The idea is that a user would be able to control who gets access to their data. The use case example that is often given is in the health care industry. If you wanted to give somebody enough access that they could look at some records or be able to pick up certain prescriptions for you, but not just black and white.
There you can see everything or you can see nothing.
Jeff: More like the entitlement or individual data level than at the account level.
Jim: Right, it's an entitlement level to see a way to permit people to have just certain access, not others. And also a whole ecosystem around, granting but also being able to revoke seeing what access you grant to whom. And changing that list at any time and having receipts for having granted the access. So it is thought out strategy.
Jeff: It sounds an awful lot like blockchain or what blockchain promises: receipts, individual access. You control it. Self-sovereign identity, those types of things.
And it's not that it's probably not a topic right now because, there is another blockchain trustingly. Okay. I still waiting for someone to productize it because I don't think it make sense to build on it yet. So what's the right for at least for an organization to adopt? Most organizations are gonna build their own blockchain. They're waiting for a product and a use case that matches up with. I understand the draw of UMA and it makes sense. But again, I think it's a very specific use case until everyone is on board with that and it needs more backing behind it. the school records, medical records, things like that make. Yeah. Make total sense, hospitals using UMA today.
Jim: So I feel I give large industry organizations, jump on it and say, this is how you get in compliance with HIPAA or, this is what we really support. We're going to pile some money in and pile some resources into those. I have always felt like that was really what UMA will get over the hump. And if you see one industry go all in on it like health care, then you'll see other industries who the same potential.
Jeff: To see someone like Epic or Cerner, they would drive UMA adoption through their software products, which are primarily used in medical, and who makes that product decision? Is it the hospital asking for it?
Jeff: Whose fault is that? Is it the consumer not being more aware of these types of issues, which let's be honest right now I am a still niche. It's not something that people think about on a daily basis. Or is it the job of whatever good or service that the person is accessing to communicate that? It's probably both, right. And if you're an educated consumer, you want to know where your things are going and whatever and how your data is being used. But does the common person really care? They just want to go to their website.
Jeff: In the ecosystem and now you're stuck.
Jeff: Birthright access for a human
Jim: I mean, well, the idea of utilities, water, electric, and I don't think they're considered utilities. At one point they were considered service.
Jeff: Right. They get classified by whatever government agency.
Jim: At some point along the way, it's like what everybody needs. So we you hear the conversation in public policy. They like Internet is like almost like a basic human right. Health care is a basic human right. OK. Well, whether or not you agree with that, its kings' a point where it's very hard to live without health care. It's pretty hard to live without the Internet. So you have and certainly hard to live without using ATMs or PayPal. And it's you want to use those services. Does that mean that it's OK for the company to sell your data to whoever they feel like it?
Jeff: I have what it is and it's never need to send it. Is that how hard they make it to opt out? I'll send you a thing and say by using this occasion to agree, if you don't want to do this, go write a letter, write or print this form out. And there's no electronic way sometimes to opt out of things. You literally have to go back to pen and paper and a stamp and mail, something somewhere to opt out; they make it really hard to not go along with their service. I'm sure. You can move services, but there is in the best numbers equal going to get locked in to you. It's difficult to make that change sometimes.
Jim: So brought up during other presentations around how many robo-calls people are getting training today. The average for what happened yet is a hundred and fifty year. How soon they're thinking. So it's not just me. That's not ok. Do I click on something stupid? Did I fill out some form somewhere on my number? Maybe the answer's yes, but apparently everybody's outside. I get these like text messages now like, men lives for a hundred and fifty years by eating this one route, you know, and then there's a link, I'm not coming to click that stupid link because you click that's constantly got a real phone number. Yeah. It's got some it has some token in the URL you say all right, that phone number is real. We should send more junk that way.
Jeff: The only answer is to just get off the Internet. Cancel your phone service.
Jim: I kind of remember back before the Internet, there was the idea that you could be on a no-call list.
Jeff: It still exists, but, does it work or doesn't that work it up into it was at three or five years. And then you've got like the Direct Marketers Association where it costs a fee to get taken off their lists. I mean, this is the thing. Again, it's too hard to opt out. These are not consumer friendly practices, which if you're in a consumer identity access management conference, this is why these types of things come up, from the UI perspective and the user experience perspective of being able to easily come and go from the services.
Jim: Each IAM conferences probably three conferences on how to send this junk mail to people.
Jeff: And the conferences are guilty, too. We're gonna get junk mail now from each of the conferences that we go to, because now worldwide we're going to be and we've attended something.
So now we're going to get e-mails. Hey, guess what? It's September. Next year. Make sure that you come up to this conference.
Jim: By the way, we gave your information to third party to the vendors who were. So we talked a little bit about the data breach stuff. I mean, there's a lot of discussion around that. Over the past two days, that British Airways data breach is something that may take and do further. They got nailed with a GDPR fine because of that data breach. But also just I mean, I was aware of it, but it didn't really register to me as one that was as major as apparently it did. So that's one of the other dig into further. And then we had a meeting today where there was a presentation from someone from the FBI. I thought that was really cool.
Jeff: That was my favorite minutes, it's always cool to have Spy agencies are presenting etc. as he was Nathan He's part of the cyber task force. Whatever it is here in Seattle and really his presentation was around why you want to partner with the FBI, which there's always some hesitancy of working with the government on anything, I think. But I thought it was good. It was definitely one of the ones that I was certainly paying a lot of attention to and just listening to the message she was putting out there.
Jim: And to recap the first question I asked was around, would they? So say you had one of your systems hacked and it was a financial system. You called the FBI getting the data and the IRS asked them, hey, could we have that data sharing the data between the FBI and other agencies? He said that would not happen. And then the second one was if they discovered another crime in the course of going through your system. So, use kind of, we could even be an accident of crime, like not paying export tariffs or something like that. And he said, I don't think his answer was as black and white, but that.
Jeff: Would inform the company there is a crime here. And then the expectation is it is like that you would then inform the appropriate authority that, hey, the crime is here. But it didn't leave out the fact that I'm sure there are provisions where if there a crime is committed, the FBI can forward that tip to someone else.
Jim: I would say that, at that point you probably, so my thinking here as a practitioner would be one of the main things we need to do is put together a data breach plan, so in other words, if your company gets breach now.
Jim: When your company gets breached, this is what you're going to do. What are the players going to do with things like that? I think you need to circulate up within your company. And part of that needs to be. When you get law enforcement involved, who you contact, things like that, and in terms of reviewing the plan. One of the teams is to be your legal team. And I'd even go the extent to say, you know, do you have concerns that with the information that we may hand over, they may.
Jeff: I think it is a good idea, though, to have a relationship with the FBI, for example. It doesn't necessarily have to be a bad thing that you're sharing information. One of the companies that you used to work for in the past, they would have a quarterly meeting with local law enforcement, police, FBI, CIA, whoever it was, would get together and just share information, say here's what we're seeing, here's some things to keep an eye out for, etc.. And that was pretty much it. At least you knew kind of the people in the area and you wouldn't know where to go to for help, etc... And then you can ultimately decide, someone's to make a decision of, okay. Do we share this specific incident with the FBI or not? And I would think in most cases that our consumer facing because of the consumer aspect of it. You're probably at some point. There's gonna have to be some sort of, involvement by some law enforcement to be able to prosecute or to recover damages or whatever it may be from whatever the interest is.
Jim: I feel like you have a lot more to gain from a relationship with the FBI, and to lose because hopefully you're not committing crimes.
Jeff: Let's just assume that most things are good.
Jim: The example I brought up was maybe an accident or a crime. But let's assume that you have more to gain.
Jeff: I think that would apply for most folks. I asked them about deepfakes, it’s something I find very fascinating. Mostly for main usage, but I'm sure there's already cases of fraud taking place with a deepfakes process. And I read recently that the creator of deepfakes thinks that in roughly six months or so, they're going to be virtually indistinguishable from a deepfake video versus being able to turn out deepfake video, which is kind of scary. You think about it because now when you start to think about things like biometrics that are using voice prints, even that comedic break. There was recently a bank transfer done that the CEO, their voice was deepfaked. They called someone doing in quotation marks that you can see and money was transferred because it was just a simple tribal knowledge of. Oh, yeah, that's what Jim sounds like. So, yeah, I mean, go ahead and sign this hundred thousand dollars to the SEC. Socially engineered with the aid of a deepfake voiceprint. Going forward, what is video look like? Audio look like, etc. And he admitted that they're really kind of behind the curve on that. It's difficult to track something that came up in our Black Hat podcast that we did a while back, but that was when the sessions I thought were interesting. And, there are companies that are trying to figure out ways to identify those. But he admitted that from his perspective at least, there's more that needs to be done and that it is a difficult task to identify.
Jim: I fell if he answered your question. One was around just how difficult it is when you just addressing, the other was, is it a crime to commit to or to create deep-fakes, he created deep fake video of.
Jeff: I would say Fletcher, dressed as gritty.
Jim: Yeah. So you do a deep-fake of a celebrity it makes them look stupid and then publish that. Have you committed a crime or where does it become crime like let's just take it to a totally different type of Crime is you have a chop shop there where it's like your place suits to bring stolen cars. We're going to breaking down into parts of them, ship them out. Is that a crime? No. The crime is committed. When you bring the car there and you start breaking it. You bring the stolen property on or I guess there could be a conspiracy to commit the crime. But either way, you'd have to prove it, so I don't think just creating deepfakes.
Jeff: By itself is not a thing, but it's a tool, another tool that can be used against an organization.
Jim: I was going to ask Nathan the question of kind of what authority they act under with cyber-crimes, because he even mentioned at one point was a federal crime committed, others like those a local crime. FBI just don't have jurisdiction. I think the FBI operates a lot with the interstate commerce clause.
Jeff: It's also Title 18 to which is computer fraud. That's pretty that's pretty broad. He didn't go into a lot of detail with that, but most likely it's Title 18 that they will get you, which is pretty broadly stated as if you use the computer to do something bad. They call it hacking, but he even said he didn't like that term as much. But that's just what people notice.
Jim: I think it's you also if you're doing any kind of computer crime; you're probably crossing state lines at some point in your life, making it a federal offense.
Jeff: I don't it turns into a legal podcast, but overall, I think the conference was it was a lot smaller than I thought it would be in our first version of this podcast that we recorded. It was probably a little bit more down on it, but I thought the content was actually pretty good.
I was turned off initially by just because nobody here but it turned into there was actual discussion taking place in these sessions, which is not something that you normally see and good thoughtful kind of discussion around. What about this type of scenario, that type of scenario? How would we handle this type of thing, etc? So I thought that that was the end. For the most part, the sessions and selves were good.
Jim: So my first recommendation is if you're in Seattle or driving distance to Seattle, this is a great comfort to go to New Hampshire, and I think a lot of people at the conference are local.
Jeff: It seems like about half to a third.
Jim: At least West Coast people, and then there are folks who are coming in from Europe then, and maybe they just, they really enjoy Casey conversation, my recommendations were two. One was to have all this German food. You should German beer. And number two was to try to schedule it so that it's the same city and close some dates to another conference. One of the things I'd like to do is they did two conferences in the same city, kind like go from one to the next. And, so if you're flying again, it just really brings the cost down.
Jeff: I think Mike, just from a management perspective and having done this for years, it's a lot easier to justify, hey, we're going to spend an extra day, but we're also going to hit this other conference. So if there's a way to do Black Hat does this. So Black Hat is typically like Sunday through Thursday and then Def Con is Friday to Sunday. So most people will go to Vegas for an entire week and hit both conferences. There’s an IGA Vendor IAM vendor that is doing the same thing with Gartner later this year. So their conference days are Sunday, Monday. Gartner IAM conference is Tuesday, Wednesday, Thursday and really smart providing coverage of. Yes. Jim and I will be at both of those events. So I'm sure we will have podcasts and some guests maybe from around there.
Jim: Stay tuned to your friends.
Jeff: Right, exactly. And but yeah, I think this was a good conference. It's a young conference. So I've been around. This is the third year it shows. But I think as more people become aware of it, that it's, it's poised to grow as well, but the confidence self, which is really what you're looking for. I think it was good.
Jim: Right now, we don't want Casey to give up on the phone rings just yet. Keep pushing and maybe try to tweak some things so that more people can like the whole idea of scheduling one pope or something else. Yeah. Or, you know, another idea is put out there. But, they cover not only too. So this is consumer IAM world. They also cover other areas of IAM in other areas of A.I. and everything. Just have all those conferences together in one place and get more people there and allow people to switch tracks and things like that. Plus, you can. So let's say you had four different areas that were covered, so internally IAM, consumer IAM, infosec and you pulled in 300, 400 people. Then you can give a keynote speaker of somebody who's in India shifts for somebody who's completely outside the industry, who's like, a higher level speaker. I think that's one of the great takeaways from many conferences to get a keynote for somebody who's outside of the industry gives you different ways to look at things.
Jeff: Like Bill Nye at the Gartner catalyst conference about five years ago. The Science Guy and it's not really an identity conference, but it's sort of like the cut, here’s what's next from a security perspective. And, Gartner got Bill Nye be the closing speaker. I had a great time with it. Yeah. Dana and I were got a selfie with them. I took a faraway selfie, but it was kind of cool.
And it was a great experience, listening, him talking. He's funny, he's entertaining, you know. But, you know, his ideas gelled really well with the conference message.
Jim: And you have to have a certain number of people coming to the conference or just.
Jeff: They can be expensive.
Jim: It can be really expensive.
Jeff: So how did you do with your conference attendance strategy? We talked about it a couple days ago, kind of going into it with Jamie. Did you hit the tracks that you wanted to have? Did you do everything you're looking to do?
Jim: What I did was I hit the A.I. Track. So, we also talked about doing customer calls and work calls. And I do wind up getting sucked in to more that I wanted, but I still felt like I made it good, give it a good go. And I attended the majority of each of the last two days. I went kind of outside of my lane and tried to do the sessions that were things that are I'll think about all the time. I mean, soon the authentication session I've been thinking about of authentication for 15 years straight. So I did the A.I. I did a lot around to sand and privacy and, I think I made the right choice anyway. I would love to have been in the other meetings as well, but I really wasn't an option.
Jeff: I was done with the slides.
Jim: Hopefully. And how will you.
Jeff: I feel like I was inconsistent. First day went well. Second day I just had a ton of meetings and responsibilities that I had to do. But I think that's part of juggling, being able to justify attendance. That doesn't take away too much from the data. I think today that I was able to spend roughly half the day at the conference outside of customer calls and dealing with different issues that tend to pop up last minute. But I think it did OK and it certainly made an effort to set more on the GDPR side of things so that I could see what some of the struggles were around. That's something that we typically get as much exposure on the US side. So I think I would give myself a B, I would say.
Jim: What did you think of the scheduling of the conferences all day Wednesday, Thursday and Friday? I mean, all day Friday, like the comfort zone to a 4:30 pacific on Friday.
Jeff: Yeah, it's a little less normal to go full day on the last day because it limits flights back for a lot of people who basically, I thought it was OK. I think if you plan around it, it is what it is. I would. I don't know if I have an opinion either way. Now, it gives me a night in Seattle where I can walk around, which is a great city and do some sightseeing or do whatever I want to do or most likely get buried in e-mail in a week, but that's OK.
Jim: I think that, if they were to redo it better off ending at the end of the day Thursday or half day Friday.
Jeff: If you do something like Tuesday through Thursday.
Jim: Tuesday through Thursday, then yeah.
Jeff: But. It is what it is. I'm not going to.
Jim: Or Monday afternoon through and Tuesday, Wednesday.
Jeff: Or maybe just do it Friday and Saturday, and then there you we only have seven days. There's only a certain combination.
I will say, though, that one of the things they absolutely have to do, though, is bring back those potato chips.
Jim: Getting users to go and they had these used to have the soft pretzels, they didn't know. I tried not to eat 500 grams of carbs a day, but when I was here, I did. And there's the various soft pretzels were ridiculous, They had a cheese sauce. They did not have beer. If they had beer, I probably would have just sat there and liked it.
Jeff: No one would've been awake for the final meeting. That's right. All right. I think that's probably a pretty good way to leave it. Overall, I think it was a good conference. Go for the chips, stay for the content. So we'll be talking to you down the road. And thanks for listening.