The Year of Identity Data Stewardship: Top 6 Identity Management Predictions for 2021

Jan 1, 2021
CEO and Founder

In a world gone digital, we are facing privacy violations and a crisis of trust. Data collection by technology companies has never been so extensive, and consumers have less and less confidence in service providers' ability to handle their data properly. Combine this with the sweeping global changes brought on by the 2020 pandemic, notably a massive shift to remote work and an explosion in e-commerce sales, and it is clear that identity and access management has taken on unprecedented importance.

How will the IAM industry evolve to meet the growing needs of identity management? To explore that question, here are our predictions, made together with other identity specialists at Ping, for what we see as the most notable trends of the coming year. Some of us focus on data privacy issues, others on identity security, and others on user experience, but we all agree that big changes are on the horizon.

Prediction No. 1: 2021, the "Year of Identity Data Stewardship"

Consumers will demand that organizations not only protect their personal data but also personalize their experience, while offering self-service technologies that give each of them control over how their information is shared. My colleague Loren Russon, VP Product Management, notes that this movement has been under way for some time, and that many organizations have already generated a return on investment of several million dollars from projects to improve the customer experience.

At the same time, these companies have saved millions of dollars by preventing data breaches (not to mention the immeasurable costs and brand damage that result from those breaches). Identity and access management will play a key role in helping business leaders drive positive change in their ability to protect and securely use their consumer customers' data, in their new role as 'managers' of personal data.

Take healthcare as an example. Bayer Amin, CTO West, anticipates the emergence of personalized healthcare, with personalized benefit plans that use data science to deliver personalized care and reduce costs while increasing the transparency of those costs. As technology companies move into public health with initiatives such as Amazon Halo, privacy will draw growing attention as more and more services are delivered digitally, a more collaborative approach to public health is adopted, and a streamlined FDA process takes effect.

In addition, stronger, user-centric identity processes and services will be a market differentiator in 2021. Mark Perry, APJ CTO, points out that the movement toward distributed identity, where the user controls access to their identity data, is shifting from a curious concept to a reality. That reality is drawing closer as several national and federal governments around the world move toward digital identity services, starting with digital licenses.

Hi, it's Loren Russon from Ping.
I'm here with Christian.
Christian, do you want to introduce yourself?
Yeah, absolutely.
So I'm Christian Al Singh.
I run digital identity for Accenture across Europe.
Yeah, and I run our Product Management group here at Ping Identity.
Christian and I are here to, you know, I think invite you into our conversation we've been having fun for a little while, and it's really around how I think we've seen the way organizations are looking at consumer data, and it’s really evolved.
I mean, it's now to the point where I think consumers really have no recourse for protecting the privacy of their data, and it seems, it seems almost kind of an abysmal state.
Yeah, absolutely, I think we're getting to a point where Big Data is almost like the consumer has become a means to an end.
The consumer has become a part of something bigger, uh, which is effectively supporting big corporations making money, supporting advertisers, you know, direct their advertisement, but the consumer has been lost a little bit in this.
Yeah.
I think, you know, consumers expect something.
I mean, they really are kind of at their wits' end, and I remember reading a report, or it was really a survey that The Guardian did, and they said 83% of the consumers really expected organizations to protect privacy, actually control their data.
And I thought that was kind of an interesting statistic.
Hm.
No, absolutely.
I think, um, I was on a panel for cybersecurity at, at a point in time a while ago.
And I talked about how consumers wanted to have control of their data, and actually somebody questioned it and said, look, consumers got nothing, they've got no recourse.
Um, what I'm seeing though, what I think is happening at the moment is that we're actually seeing, we’re seeing that Big Tech and corporations and advertisers and digital advertisers, that they might be getting a bit greedy and, and frankly, the legitimacy of what they're doing is starting to, to, to fall a bit, and regulators are starting to see this: governments, state governments, and so forth.
So we're seeing a lot of regulation at the moment, which is an attempt to try and counter the, the balance of power there between corporations and the individuals.
Yeah, no, that makes sense.
I mean, it's almost like, you know, the regulations are signaling to the organizations to say, hey, you've got to do something about this, and you know, you think about it.
I mean, if organizations continue as is, don't comply with regulations, you know, really what they're going to lose is their consumer trust.
And I think that translates into losing business.
I mean consumers aren’t going to use them, they’ll go to somebody else who actually has their personal data in mind.
Mm.
Yeah, and I think, look, it really opens, like, it starts to open a, an opportunity, right?
And it used to be that it was just, you know, I owe my shareholders a share to make more money.
But, but I think a lot of proactive and progressive organizations have started moving beyond that and looking, well, what's the impact we have on society, what's the impact we have on our customers, on, you know, on the exposed individuals in society and so forth.
And I do think that there are a number of progressive organizations who are starting to say, well, actually we need to be a bit on our customers' side on this.
Um, so, so that's definitely something that's happening, it's not everywhere, but it is happening.
You can tell I read a lot of reports and a lot of articles because it's certainly looking for data to help make some of these decisions, and you know, I remember a report that Forrester did recently and they were talking about some of the top trends that they were seeing, and enterprises are aware of this issue.
And Forrester said it's roughly 66%.
Many of their consumers now demand some change.
They're demanding that they actually provide some kind of control or, or at least support some of the regulations for protecting their data.
So I think it is important, uh, but are there things that organizations can do, do you think?
There's definitely an opportunity for organizations to start thinking about that customer relationship at every level, much more holistically.
You know, however much I like lawyers, you can’t just have your compliance people and your lawyers, um, defining what it looks like from a security and privacy point of view.
You should actually listen to your customers, you should be talking to your customers, do focus groups, read the reports that you mentioned.
Um, so, so absolutely move away from this letter of the law approach and actually try and figure out what makes a difference to the customers and the, and the psychological experience they have of their interaction with you, with your brand, your website, your channels, and so forth.
Yeah, it’s such a good point.
Well, I think customers or consumers really are expecting more from these organizations and,
Ping, we put it in simple terms, and if organizations can delight as well as protect their consumer data, they win.
And so you consider if they were just protecting, that would satisfy many customers and consumers to say, "My data that I hold important, that I think is valuable, is being protected."
But we're starting to see some of them say, well, I'm happy if you use my data to create a delightful experience.
I love that moment where they, it feels like they know me, but more so they know what to protect about me and use that in a positive way.
So I think that is a good key.
Are you seeing some of the same things, in your experience?
Yeah, I was involved in some, some research for a specific client in the, in the financial services sector, and it was really interesting because what we were told was they didn't actually mind security; they didn't mind the friction, but they wanted the friction when, when they felt it was very important.
So paying like the first deposit for a, for a house feels very important.
You actually want a lot of checks.
But, you know, moving between channels when you're interacting with your bank, moving from a call center to an app shouldn't be full of friction because it's a relatively low, low or perceived relatively low-risk action, right?
So, so organizations can engage in that space.
And I think, I think there's a big opportunity there.
Yeah, no, it, it is.
I, I think being in the identity and access management business is exciting right now because we see, you know, identity is that cornerstone.
It's really that foundational element that, you know, allows companies to make those choices.
I mean, you set policy and leverage, knowing more about that user and knowing information about that user, to either, as you said, increase the friction for those high-value transactions and then reduce the friction when it's not as high value or it's a lower-risk transaction and, um, it's interesting, you know, it's that if I know you better and I am able to understand what the consumer wants, I can personalize that experience and identity management really helps to do that, I think.
So, Christian, you know, when we look at identity and access management as that foundation, I mean, how does it apply?
Like, how can we use it, I think, to improve that customer experience, essentially delight and protect them, and, uh, make sure that organizations are really, you know, better protecting that consumer data?
That's a, that's a good question.
So from my point of view, you know, I think too many organizations look at identity and access management as a single sign-on problem.
It's not, it's a, it's a whole customer experience and a whole customer journey that you need to understand.
And there's definitely, there's definitely a return on investment when you're actually starting to invest in the user experience.
Um, you start to invest in the, I would say the feedback that a customer gets around security actions, whether it's step-up authentication, you know, um, extra authorization for high-profile, uh, transactions and so forth.
Um, but there's also a real tangible benefit that can be achieved in terms of actually reducing your risk, reducing your, your exposure both to fines, uh, with GDPR, and similar regulations, but certainly also in the reduction of, of risk of actually being hacked, having scandals, you know, um, the reputational risk that your organization is, is subject to, um, post a breach, right?
These are very significant challenges that all organizations should take seriously.
Yeah, no, I think it's great.
I mean, it’s really, they're accountable now, um, for their consumer data, and I think, you know, we see quite often, you know, in the industry there's almost a social awareness.
It's, you know, personal data now isn't just to collect for your own use.
You actually have to, you know, be accountable, I think, for what, um, you know, that consumer data is used for and really, you know, help protect, you know, their consumers.
I think it's, you know, if they don't, they're going to lose business.
I don't know what you think about that, that notion of accountability.
You know, do you think organizations and really those leaders of those organizations are now accountable for that data?
Well, I think it's really interesting because accountability and legitimacy, I think they are very, very close to each other.
Legitimacy is sort of the macro, macro view of what an organization should do.
Um, accountability is in every interaction, are we actually helping our customer?
Uh, our, you know, whether it's a citizen, a customer, whatever it might be, consumer, are we actually aiding them, but also are we, are we doing the right thing by them, and that's where accountability comes in.
And I think, you know, for me this is really all about becoming the steward of your customers' data, right, stewardship of customer data is absolutely where we want to go, um, and like I said, some organizations aren't ready, but the progressive organizations, the, the leaders in, in customer, um, in various customer businesses should absolutely be focusing on this.
Yeah, I love that concept.
I mean, what if leaders did become the stewards of that data, you know, how important would that be?
And I think really how much business could it drive for them.
So great concept.
So Christian, as we talked about identity and access management being really that foundational element and how it's able to really protect and delight consumers, I mean, it does have an impact on organizations and it really, I think, um, leads into how organizations, you know, leverage identity and access management to make this user experience better.
What do you think?
Yeah, so I think absolutely there's, um, you know, we, we talked about a holistic approach to customers.
Um, from my point of view, think about the customer journey end to end, think about all the different channels, all the different products they engage with and so forth, and there's definitely a return on investment.
Um, and there will be a bottom line around that user experience that you can actually achieve.
Identity and access management also gives you something very important around risk reduction, you know, avoidance of, of, uh, significant breaches and the liabilities, but more importantly, around the impact that getting this wrong can have on your brand and your reputation.
We're trying to build long-term relationships with our customers.
Uh, we're trying to build trust with our customers; we're trying to have them connect with our brand, and if our security goes, goes, well, breaks, um, if that happens, then we've got an issue.
And that's, that's really where the opportunity is, actually becoming the steward of your customer data, of the security and relevance of the data that you are serving and managing for your customers.
Oh yeah, I considered organizational leaders now are the stewards of their cus-, consumer data.
No longer is it just the collectors or harvesters of, uh, consumer data, but really they're the stewards of it.
That's a great concept.
Well, Christian, this has been a great conversation, you know, I really appreciate it.
I, I think I appreciate all the times you and I get a chance to talk, um, so until next time, I'll say goodbye.
Brilliant to see you and hopefully we get to see each other face-to-face at some point, um, in the not too distant future.
Yeah, I hope so too.

We can sum up this focus on each user's authority over how their information is shared as follows:

2021 will be the year in which consumers demand more control over their personal data and want to know how it is used and shared. The identity security industry, in particular, will evolve to meet this demand with new "personal identity" frameworks that let consumers control their identity and the attributes they wish to share with service providers.

By allowing individuals to select the specific data and identity attributes they wish to share with apps, and to validate their identity without revealing more than is necessary, we end the status quo of handing over excessive amounts of personal data to carry out basic everyday tasks.

Prediction No. 2: Zero Trust Accelerates; Identity Is the New Perimeter

In 2020, Zero Trust went from a buzzword to a strategy. In 2021, this trend will accelerate, and CISOs will create their own Zero Trust strategies instead of adopting those of vendors. These strategies will form the foundation of enterprise security, because building a security model that eases users' workflow by putting in place adaptive authentication, authentication services and identity verification will allow organizations to make fundamental progress in their security posture.

Perry notes:

"The idea that user identity, rather than gateways, VPNs or other perimeter security services, is fundamental to IT security is now mainstream. It is essential to manage identity proofing, authentication and access with strong identity processes and policies. The weak link is not your authentication service with multi-factor authentication enabled. It is the process for resetting forgotten passwords, where MFA is not necessarily required and a call to the help desk or a '(not so) secret question' is used to identify your employees for that purpose. The technology to enforce strong identity security is ready and can be deployed quickly."

Robb Reck, our CISO, predicts that the identity industry's focus on Zero Trust will come in part from several high-profile breaches caused by insecure integrations with business-critical SaaS apps. As attackers move to ever more sophisticated attacks to defeat MFA, better authentication techniques will be essential to counter the threats. And enterprises will not be the only ones affected: government and industry efforts will significantly reduce the effectiveness of ransomware attacks. According to Reck, the US government will enact laws to regulate technology companies in the areas of privacy, content moderation and encryption.

For Zero Trust adoption to become anywhere near sufficient, more targeted spending is needed to secure access to PCs and laptops, smartphones and mobile devices, and the billions of under-protected IoT (Internet of Things) devices. Russon identifies two key related technology areas:

  • No-code/low-code flows: Demand for rapid development of mobile and web applications, chatbots and responsive web apps that integrate identity services into applications and services is growing quickly. We expect workflow designers that let administrators build data models, flows and policies for identity and access management services to become the common mechanism for developing integrations and policies.
  • Identity at the edge: Cyberattacks will follow the workloads as more and more applications and data move to cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP) and others. With identity now a true pillar of an organization's Zero Trust framework, it is essential to ensure that identity services are secure and easily deployed close to the workloads. Security can no longer rely on access filtered at the edge. It needs to be at the services and applications.

Hello, everyone.
I'm Rob Otto from Ping Identity.
And I'm here today with Ben Bulpett from SailPoint.
We want to talk about the new normal of working from home.
Hi, Ben, always good to see you again.
>> So good to see you as well.
And obviously a shame that we can't be face to face in these strange times, but great to have a chat with you this morning.
>> Yeah, it does feel like a while since the last time when I saw you or anybody else in person, really, but as you say, here's hoping that.
[LAUGH] >> Yeah.
>> That we might get back to that at some point.
That said, though, Ben, I mean, remote working really is becoming the new normal for a vast majority of organizations.
Here at Ping Identity, we've obviously been speaking to a number of our customers and a number of prospects around this new paradigm, this new model.
And there are certainly challenges that these organizations face.
So I'm sure you've probably heard of some.
>> Yeah, so look, I think the statistic is something like 16% of workers prior to COVID were working from home.
I think currently, the statistics say it stands at 84%.
So the shift of that remote working challenge that organizations have had to do in the, what, three, four months has been quite phenomenal.
Are they gonna be coming back to this traditional office-based environment?
They've demonstrated that they can work from home.
They've demonstrated that they can be proficient and efficient as well.
So I think we're gonna see this working remotely, this adoption of Zoom, which has obviously now become a verb in the English language, something that's gonna be here to stay, I think.
>> This, of course, does tend to reinforce things that we've been talking about for some time.
It puts a lot of strain on some of the more traditional ways in which application access is enabled and, of course, in which applications are secured.
A lot of organizations today work on the assumption that the people who need to access things are in a known location.
They're in the office.
And as a result, you have that, if you like, that safety net of the secure perimeter that organizations can use as a proxy in order to determine who should be allowed to access things.
Obviously, we're both in the identity and access management space.
And this is a message for us that's been a part of our standard discourse for many years now that organizations really need to be focusing on the identity of those individuals.
They need a security policy that starts with a strongly verified and a strongly authenticated identity in order to ensure that the correct users are able to access the correct things, right?
>> The challenge I think organizations face is that the identity and the perimeter that they previously secured is now actually coming down to the individual identities in their organization.
You and I, Rob, have talked about the concept of Zero Trust, and I think Zero Trust has never been more appropriate in what has happened.
You need to now know who has got access to what applications, what they're doing with that access.
Is it appropriate?
And actually then be able to audit that and clearly demonstrate to the auditors and the regulatory bodies that you are in compliance and you do have control of your application and your data.
What we've seen with COVID is a bit of a break glass approach, where we've had companies just sort of give access and they've got people online to be productive.
They now have to go back and put this identity governance and this access control in place to sort of ensure that they have got controls.
Because as people do transition back into this new way of working and say, well, actually, I'm not gonna come back to work.
I'm not gonna spend time on the 6:30 train just to get into London.
I think the whole concept of identity governance and putting in a Zero Trust approach around that is gonna become critical.
And something that I know you and I have spoken about for the last couple of years as a strategy that organizations need to start to adopt.
>> Yeah, absolutely right.
So I think something you've touched on there is really important around productivity.
And obviously, in the identity security space, this tends to be one of the things that we speak to organizations about a lot is: where exactly is that trade-off between employee productivity as opposed to security?
So again, what becomes really important is it starts obviously with understanding who your users are, ensuring that you are able to correctly identify those users.
And secure their access in such a way that respects the principle of Zero Trust, respects things like least privilege access and allows you to enforce defense in depth.
So one of the things that we're seeing as becoming really important is the ability, while still enabling remote access and while doing so in a way that moves towards Zero Trust, but that doesn't make decisions based purely on the user's location.
We do still need to try and find mechanisms to improve their productivity.
Things like not always making them go through a multi-factor authentication challenge for everything that they access.
I'm not sure if you're having similar conversations to those with your customers.
>> Yeah, look, we've had a number of conversations with organizations who are sort of now engaging in a more, what I would define as an executive engagement level conversation around identity governance.
How do you get your data back?
How do you ensure that you minimize that access?
How do you ensure that you control the people who have been accessing your systems are done correctly?
So this whole concept of trust no one, don't trust the network, and don't trust any device, I think is gonna become more critical.
And I would actually say that firstly, organizations need to put a really strong access control and governance process in place.
Get control of the access, get control of the identity, put that Zero Trust in place.
So for us, our conversation is actually do more, get secure, become more paranoid, get control.
Once you've got that and you've got your staff and you've got your policies, then start to let that go.
We're not advocating in any way, shape, or form at the moment that people should let their policies lapse or sort of be lenient with them.
Because I think the challenge is gonna be as the join or move or leave process kicks in and as we probably have more leavers than we do joiners.
>> Ben, look, I think you're absolutely spot on here.
You need to be in control.
You need to be able to show those important things around access governance as you've said.
Making absolutely sure that you know who's coming and making absolutely sure that those people are getting access to the right things.
I think the other thing that's interesting in what you've sort of brought up is that organizations more than ever are going to need to be more agile in the space.
I mean, we've seen, probably for most organizations within the course of two or three weeks, an event that meant they had to completely turn upside down everything that they did in terms of how their workforce is able to do the simplest thing, which is log in the morning and access their applications.
>> I think the reality is this is going to be the new normal.
As I said before, when you had that massive shift in such a short space of time with people working from home and actually trying to be and I think demonstrating productivity.
And you've seen organizations announced by Facebook and Google, this is gonna be the way that they encourage their staff to be.
So I think this is going to be a fundamental industrial shift that we've seen.
But rather than happen over the years that we typically experienced, it took ten years for the iPhone to sort of become really embedded in today's cultural society.
This has happened in three months.
And I think organizations need to adapt their security and access control and governance policies because this is going to be how it is.
And the firewall and that controlled environment around their perimeter, around their offices are fundamentally disappearing.
And they've got to be prepared to be adaptable and agile, but also have all the correct governance, security policies, and access controls in place to give their ability to allow their users and their employees to come in.
But more importantly, to continually demonstrate to the regulator and to the industrial bodies that they're a part of that they have control over who's got access, how they got access, and what they're doing with that.
Those three questions are gonna become board level conversations that auditors and CEOs will be asking CISOs: I need to have answers to that.
Because that is exactly how I'm gonna be asked by the committees, by the shareholders.
Have we got control of that?
And do we actually know who's got access to our systems and what they're doing?
>> It's interesting, though, as you say, this becomes a new way of working.
Many of those office-based roles are transitioning to remote and are probably going to stay remote for some time to come, perhaps forever.
What this really means, though, is that any investment now in a platform or series of platforms that allows strong identity-based governance and access really does become a strategic investment for organizations.
And they're going to reap rewards from those investments in the years to come.
It is obviously really important, though, that the tools that we use and the platforms that we put in place are able to allow us that agility over time.
Our access control systems need to be adaptable, need to be agile enough to recognize their changing behavior.
And to adapt themselves so that the first time I log in from home from an IP address that hasn't been seen before, of course, I should be prompted for a multi-factor authentication step up.
But the tenth time that I do that, if it's happening every day at the same time, the application really needs to be smart enough to adapt to figure out, well, this is now a normal pattern of behavior for Rob.
So we're going to step down that friction, or we're going to increase his productivity by not making him do the fingerprint swipe on his phone every morning.
>> One of the concepts that we've talked about is this role or this capability called dissolving entitlements.
Look, if someone's not accessing a particular application or a particular file share or a particular team shared site, the application and the identity governance platform should start to take away that access.
With the capabilities of machine learning and an AI, we know what their access is.
We know what they have access to.
That can be stored into the identity governance and the access manager platform.
And then when they come back on to log onto that system two, three, four, five weeks later, they can be challenged.
And they can be, say, well, you haven't logged on to this.
We know what entitlements you had.
We know what access you had, but we're now gonna challenge you.
Because actually what we want to do is minimize and mitigate that risk.
Historically, people have logged into their machines when they've walked into the office between 9 to 5:30.
Well, now, people are working longer.
Maybe I'm gonna log in at 7:30 at night.
I've taken the dog for a walk, played with the kids, put them to bed.
And now I wanna log in.
Well, if I do that the first time, I want the system to challenge me.
I wanna be challenged by that because those entitlements that we typically see between 9 to 5 are now coming in at a different time.
I wanna challenge, I just wanna make sure who you are by asking you not only what you know, but also challenge you with something that you have.
And I think that's where the governance and the access tools that you and I talk about through Ping and SailPoint start to come in.
Which actually is we build in AI and machine learning into our platforms.
Have they got the right entitlement rights or do we need to look at the role that they're undertaking?
Is it something that we need to perhaps put a new policy in?
And I think that's where you start to see this autonomous identity, this whole capability of AI and machine learning.
That's gonna be the next evolution of this governance platform, which again, will further support the concept of Zero Trust.
Because the machines and the AI will start to put even more security around it, but actually you start to make decisions that are safe and secure, but again, fully authenticable.
>> Absolutely, the benefits of a strong security approach based on the concepts of identity and access management, of strong identity governance, of strong and adaptive access.
Not only do they allow organizations to cope with an unprecedented, if that comes along, such as the COVID-19 pandemic, which nobody really had much warning at all.
But certainly, they start to enable an organization to be a lot more agile in terms of how and where their workforce is deployed and where they access from.
And essentially, it's an investment in future proofing your business, allowing you to handle these new scenarios that might come up.
Any closing thoughts from yourself, Ben?
>> Yeah, look, I gave an interesting talk once about the free solo climb by Alex Honnold, who did the climb on the El Capitan without any ropes or harnessing.
I thought it was a fascinating insight into any individual, but very, very, applicable to our industry.
Everyone sort of looks at Alex and the way he climbed it and it wasn't that amazing.
But what people didn't realize is that he had a whole team around him.
He practiced that.
He had the best equipment available to him.
He tried, and there was even a story that the night before he climbed the free solo, he climbed up, dried some of the rock, made sure the chalk markings were on the rock for his footings.
But what was the most important thing is that he achieved that through working with the best teams and using the best tools and the best equipment that was available to him.
And what SailPoint and Ping have given and have clearly demonstrated by combining our technologies by taking a joint, combined, integrated approach.
We give people the best tools, the best equipment, the best chance of success at protecting their environment.
And for me, that's gonna be critical.
It's not about one-size-fits-all.
It's about having the best team, the best equipment, and the best integrated solutions that allow organizations to mitigate and protect themselves against this new way of working, this new norm that's gonna probably be here at least for the next 6, 12, 18 months.
And maybe, as I said, maybe we'll never go back to the 6:30 journey on the train with the trains packed.
Maybe people will start to sort of embrace a slightly more work/life balance because we clearly demonstrated that we can be as productive, as capable, and as efficient working from home.
>> Absolutely, thank you so much, Ben.
Again, yeah, really just to reiterate that, organizations can feel they'll be in really safe hands with Ping Identity and SailPoint.
Both organizations with a really long and proud track record of focus in this industry.
Ben, thank you so-
>> Thank you, as always, good to see you, and catch up soon for a beer, hopefully.
>> Absolutely, let's hope so.
Do take care.
Thank you, Ben.
>> Cheers, mate, thanks, bye.
>> Bye.
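
The adaptive step-up and "dissolving entitlements" behaviour discussed in the conversation above, sketched as an added example; it is not part of the transcript and is not Ping Identity or SailPoint code. The class name, the thresholds (a context counts as learned after 9 sightings, an entitlement goes dormant after 14 days unused) and the sample user, applications and IP address are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds, not taken from any product: after 9 successful logins
# in the same context the 10th is no longer challenged; an entitlement left
# unused for more than 14 days is challenged on return.
LEARNED_AFTER = 9
DORMANT_AFTER = timedelta(days=14)


class AdaptiveAccess:
    def __init__(self):
        self.seen = Counter()   # (user, ip, hour of day) -> successful logins
        self.last_used = {}     # (user, app) -> time of last use or grant

    def grant(self, user, app, when):
        """Record that `user` was given access to `app` at `when`."""
        self.last_used[(user, app)] = when

    def decide(self, user, ip, app, when):
        """Return 'deny', 'step_up' (MFA challenge) or 'allow'."""
        if (user, app) not in self.last_used:
            return "deny"  # never entitled to this application
        dormant = when - self.last_used[(user, app)] > DORMANT_AFTER
        familiar = self.seen[(user, ip, when.hour)] >= LEARNED_AFTER
        return "step_up" if dormant or not familiar else "allow"

    def record_success(self, user, ip, app, when):
        """Call once the user has passed whatever `decide` required."""
        self.seen[(user, ip, when.hour)] += 1
        self.last_used[(user, app)] = when


def simulate():
    """Constructed scenario: one user logging in from home at 07:30 daily."""
    engine = AdaptiveAccess()
    start = datetime(2021, 1, 4, 7, 30)
    home_ip = "203.0.113.7"  # documentation address range, constructed
    engine.grant("rob", "crm", start)
    engine.grant("rob", "fileshare", start)
    decisions = []
    for day in range(12):
        when = start + timedelta(days=day)
        decisions.append(engine.decide("rob", home_ip, "crm", when))
        engine.record_success("rob", home_ip, "crm", when)
    # Same day as the last login, but at an hour never seen before.
    evening = (start + timedelta(days=11)).replace(hour=19)
    new_hour = engine.decide("rob", home_ip, "crm", evening)
    # Five weeks after the grant, first use of an otherwise untouched app.
    later = start + timedelta(days=35)
    dormant = engine.decide("rob", home_ip, "fileshare", later)
    return decisions, new_hour, dormant
```

A dormant entitlement is challenged even from a familiar context, so the step-down never applies to access that has gone unused.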

Prediction No. 3: The Death of the Social Security Number as an Authenticator

The Social Security number as a means of authentication will see its final days in 2021, and it is about time. In the context of data security and privacy, having a globally unique identifier was never the problem; believing that it was a secret known only to each individual was. We are safer if we assume that all facts (and even opinions) are known and do not treat them as secrets. For that reason, treating the Social Security number as confidential information that can ensure secure authentication is too risky to be tolerated.

And if we need a reminder of how serious the consequences can be when this number is used as a trusted authenticator, we need only look at the volume of fraudulent unemployment claims currently affecting the United States. Since the pandemic, unemployment benefit fraud has been widespread, overwhelming state systems to the tune of roughly $1 billion. Beyond the financial devastation to our nation's coffers, behind each of these claims is a person who is affected.

Prediction No. 4: Securing Remote Work

Business agility is everything. 2020 showed us that reacting within days to a genuine, lasting emergency in order to move employees to remote work is vital to long-term success. Companies reported significant productivity problems when thousands of employees who normally came into the office all connected from home to the corporate VPN and the infrastructure could not cope. In addition, fraudsters and cybercriminals used the pandemic as a trigger for new phishing and hacking attacks. The ability to react within days, rather than weeks or months, to resolve these problems is something we will probably use as a model for handling urgent events in the future.

Emma Maslen, VP & GM of EMEA & APAC, believes that while the number of employees who had to be onboarded to provide a greater level of support is the biggest lesson of 2020, it comes with other challenges: employees connecting to digital resources from several different locations during the day, employees who should get the same experience they have in the office, and staff who will continue to work on site with single, secure access to the applications and data they need. She points out that identity can help with the challenges of remote work in two key ways:

  • Where we work. The pandemic has created a greater dependence on remote work. While some employees are likely to return to the office in the future, others appreciate spending less time commuting, sharing more meals with their families and having more flexibility during the working day (things they may not want to give up in the future). Assuring your employees that they can work from home productively will be a major theme this year.

  • The war for talent. The war for sought-after employees continues. While the whole world is disrupted, employees are looking for visions and missions that resonate, as well as work environments that allow them to do their best. Frictionless access to technology reduces frustration and helps organizations attract and retain the best talent.

At Ping, we predict that the way we worked in 2020 will be the "new normal" for the next decade. While some of us expect a backlash against remote work as creativity and innovation decline, others predict that remote workers will continue to drive innovation in online collaboration tools and services, bringing a "consumerization of identity services" to the market. These services will build on the capabilities provided to enterprises for the customer identity and access management (CIAM) market.

Prediction No. 5: The Boom in Frictionless Digital Customer Experience

Not only are we working from home more, we are also shopping from home more. For that reason, according to Maslen, identity will be a major concern for consumers going forward:

"Users/consumers are bombarded with requests for usernames and passwords, identity problems and friction-filled experiences, which lead to many abandonments for our beleaguered retailers. For businesses to secure a maximum share of wallet, they must replace their legacy experiences and change their environments. A frictionless experience for consumers will generate loyalty from your customers and a large share of wallet. Expect those who focus on these challenges to be the winners of 2021, surely in retail, insurance, banking and other sectors."

Going passwordless will help us get there. To maximize security while minimizing friction for users, multi-factor authentication lets users authenticate with something other than a password, such as push notifications requiring a fingerprint on a specific device, integrated MDM solutions or security tokens. Reck expects a growing number of companies to steer their consumers toward a passwordless experience, and expects this trend to push others to invest in smoother customer experiences just to keep up.

According to Russon, 2021 will see an acceleration of identity verification and validation services that incorporate biometric and biographic information. Identity documents and knowledge of personal data or events will be used to ensure the uniqueness and validity of an individual's identity before they can access a service or receive an authorization, and this will have to be done in a way that does not affect the user experience.

Prediction No. 6: An Increased Presence of Artificial Intelligence/Machine Learning

Is the world of William Gibson's "Neuromancer," in which fully conscious artificial intelligences fight for control of cyberspace, already here? No, but Perry thinks it highly likely that artificial intelligence will this year become the new attack mechanism used by cybercriminals and that it will succeed in defrauding major services:

"Targeted attacks could become more sophisticated and less obvious thanks to artificial intelligence, rendering static defenses such as security gateways powerless. It will be artificial intelligence against artificial intelligence as organizations turn to their own unsupervised, continuously learning cyber defenses to defend their systems and services."

As a result, Perry predicts that AI-driven threat detection and mitigation for online workforce and consumer channels will be a priority cybersecurity expense over the next 12 months. But while Russon considers that behavioral analytics and risk signals should be built into all access management and lifecycle flows to quickly identify suspicious activity and adapt access to the level of risk, he cautions against placing too much emphasis on artificial intelligence and machine learning:

"Many organizations and vendors thought that artificial intelligence and machine learning were going to restructure the way access control and identity lifecycle management policies are created. Artificial intelligence and machine learning can use risk signals and information to improve explicit policies, but there is no evidence that they effectively replace them."

Defending Your Identity

Now that 2020 is well behind us (thankfully!), we at Ping continue to defend your identity by striving to help companies achieve identity-defined Zero Trust security and deliver personalized, streamlined experiences. We also defend you by helping you keep pace with the constant changes in the identity security industry. Sign up for our weekly blog updates to get the very latest insights from dozens of identity experts.
