The future of IAM is predictable
For the NORA working group IAM
27 February 2020, Utrecht
Maarten Stultjens
(slides posted May 20, 2020)
2 | © iWelcome BV 2020 | Confidential in commerce
Europe's #1 Identity Platform, B2C & B2B
iWelcome is the European based and hosted IDaaS provider, designed from the cloud for the enterprise.
Maarten Stultjens
VP Sales & Business Development
7 years at iWelcome
20 years in IAM at BHOLD & Microsoft
From identity governance and roles to customer identity
From software to SaaS
Econometrics
What is the most used login method?
The full IAM landscape

Identity sources and user groups:
• eID, DigiD, eHerkenning
• Suppliers, customers
• Buyers, insured, patients, ...
• Salesforce, Office365, Google, SAP, ...
• Guests, researchers, ...
• Shop staff, outlet staff, factory staff, ...
• Employees & on-premise applications

Capabilities:
• (Social) registration
• Consent lifecycle management
• Self-service
• Authentication | MFA
• SSO | SLO
• Provisioning
• Delegated user management
• Identity intelligence
• Identity proofing
IAM starts with login convenience for the end user

(Figure: maturity plotted over time; each era starts with login and SSO and builds up the capabilities listed.)

Yr. 2000: Active Directory, SSO, groups, roles, delegation, workflow, segregation of duties
Yr. 2010: Facebook login, SSO, privacy, Know-Your-Customer, risk-based access, IdP & federations, customer journey
Yr. 2020: login, SSO, ...
Consumer IAM vs. B2B IAM vs. Workforce IAM

Focus user group
• Consumer IAM: private persons
• B2B IAM: staff from other companies / organisations
• Workforce IAM: staff

Characteristics
• Consumer IAM: millions of users; 'frictionless customer journeys'; digital transformation & digital business, owned by the head of online; business value driven
• B2B IAM: hundreds to hundreds of thousands of users; consumer-alike interaction; company profile, preferences; business value driven; also B2B2C use cases
• Workforce IAM: (ten) thousands of users; join – move – leave; provisioning & user management; IT operations and efficiency; cost driven

Key capabilities
• Consumer IAM: profile, preference & consent management; self-service; social registration, validation / proofing
• B2B IAM: mandating, trust & access management; delegation; invitation & elevation; coarse-grained access
• Workforce IAM: provisioning & user management; security (MFA / RBAC / IGA); fine-grained access

Privacy
• Consumer IAM: extremely important; in Europe with GDPR, and now a global reach as other regions implement ePrivacy
• B2B IAM: important, as users may get access to PI data, and the PI data of the external user needs similar protection as for consumers
• Workforce IAM: not a primary concern, as staff provide consent by nature of the employment agreement

Things
• Consumer IAM: connected houses, mobility & personal wearables will exponentially grow usage and user numbers
• B2B IAM: connected offices, mobility, service management
• Workforce IAM: things are integrated in workflow

Preferred delivery model
• Consumer IAM: IDaaS
• B2B IAM: on-premise (DIY) and IDaaS
• Workforce IAM: on-premise and IDaaS, combined with IGA

iWelcome focuses on all user categories that do not have their authoritative source in HR and thus require processes for onboarding, lifecycle management, ePrivacy and a separate identity store.
Consumer identities – now and in the future

(Figure: the consumer identity at the centre, linked to social networks, the product or service, personal data and consents; around it things, relations, interests and mandates.)

GDPR topics shown:
1. Consent
2. Privacy by default
3. Preferences
4. Purposes of use
5. Extending the cause
6. Right of access
7. Transparency
8. Right to withdraw
9. Data retention
10. Data portability
The lessons of the two-sided market
for self-sovereign identity and third-party identity providers
o Members of one group exhibit a preference for a high number of users in the other group; this is referred to as cross-side network effects, e.g. credit cards.
o To attract users from the other group, usually one group invests most in the development of the two-sided network, e.g. merchants accepting credit cards.
o Governments and banks have the power to play the long game and subsidise the other group.
o SSID initiatives will not grow beyond technical proof and achieve the scale required as long as there is no party subsidising the other side. So far there is no business in being an identity provider, e.g. the TTPs around 2000.
o BankID, GovID & SocialID have solved one side of the two-sided market and will be the third-party identity providers of the 2020s.
And what about Facebook?
I can assure service providers, the other side of the two-sided market, that my account is reliable:
o My account has existed since 2010 and has been verified by 375 friends, most of whom have been verified 100+ times as well.
o As there has been activity during the last month, it is most likely an active account.
o Part of my private reputation is built up around this account, so I will protect access to my credentials better than those of my professional account.
Facebook as identity provider has the ability & motivation to keep their community safe:
o We are living in a call-out culture and consumer opinions are far-reaching for the platform and their shareholders.
o At the same time governments are increasingly applying regulations.
In summary: identity & attribute providers
Categories:
• Social networks
• Governments
• Banks
• SSID
Acceptance criteria:
• Subsidising the two-sided market
• Convenience
• Purpose
• Culture
• Costs
Metadata & identity data for consent & Know-Your-Customer

(Figure: a golden record of consumer attributes – first name, last name, street name, phone number, city, shoe size, date of birth, group membership, preferences, authorisation data – each carrying attribute metadata in the style of NIST 8112, exposed to applications through a policy-driven data management & consent management API.)

Metadata per attribute:
• Last update: 22-mar-2018
• Mandatory field: Yes
• Provider name: Facebook
• Consent given: Yes
• Consent reason given: To send you our…
• Consent date: 22-mar-2018
• Verifier: not verified
• Classification: confidential
• Deletion date: 12 months after last login
• Expiration date: 22-mar-2019
• Parental control: yes
• Parents allowed for consent: UID;UID
Interaction – at the right moment, in the right way
(Three screens: consumer data capturing | just-in-time consent capturing | self-service overview)
Traditional landscape
• Customers are offered different apps & portals for different services
• Customer data is stored in a wide variety of systems and applications
• Data reports and analytics need to be manually extracted per system (by customer care and the DPO)
• Customers are not offered the option to view, edit or delete their data
Integrated landscape
• Customers can easily manage their personal information, consents and purposes
• Applications are relieved from identity & consent management complexity
• Customer analytics are at the CDO's/CSO's/DPO's fingertips
• Customers are offered one frictionless multichannel experience
6 verticals – 8 GDPR requirements – 89 organisations

Verticals: Insurance; Utilities; Retail/E-tail & consumer goods; Media & Publishing; Travel & Services; Non-profit

GDPR requirements:
1. Consent
2. Ability to withdraw
3. Right of access
4. Right of rectification
5. Right to erasure
6. Data retention period
7. Privacy by default
8. 'Special categories of data'
How to get there?

(Figure: from multiple consumer apps & portals and a scattered IT landscape with IAM functionality towards a 360 degree customer view, the option to view, edit, download and delete consumer data, and GDPR-proof frictionless customer journeys.)

Key findings:
• 'Checklist' implementations: consumers not in control
• 34% of organisations are non-compliant in most areas, only fulfilling 'some' GDPR requirements
• Retail/E-tail & Media/Publishing are the best performing industries
• Basic GDPR requirements are in place: ability to withdraw (92%), right of access (96%), right of rectification (95%)
• UK & Germany are the best performing countries
• Core GDPR requirements are not in place: data retention period (43%), privacy by default (59%), consent (12%)
Overall GDPR score – European countries & US compared
(Figure: overall GDPR score per country.)

GDPR: "Freely given, specific, informed, unambiguous and clear affirmative action"
• Is consent being asked for in a straightforward manner?
• Are the purpose(s) of use mentioned at all?
• Does the organisation clarify for what purpose(s) the personal data will be used? Is it crystal clear?
• Are the purpose(s) of use specified per attribute, rather than a consent 'blanket'?
Thank you for your attention!
EXAMPLE USE CASE: A smart Thermostat
Today – Registration of the owner of the device to the thermostat web service.
Identity data: first name, last name, UID, email, relations
AuthZ: device relationship = Owner for Therm1
For Therm1: Owner = full control, manages users, manages mandates
Today – Give consent to use the thermostat data to advise me on better use of my energy.
Identity data: first name, last name, UID, email, relations
AuthZ: device relationship = Owner for Therm1; for Therm1: Owner = full control, manages users, manages mandates
Consent given to Company X: date; purpose of processing = advice on energy use on the basis of analytics of the thermostat device; device = Therm1
Company X: read data
3 months later – Add relationship and set mandates:
▪ Spouse can change settings
▪ Kids can turn the thermostat on/off
Identity data: first name, last name, UID, email, relations
Relationship: Family – Spouse: UID xxx; Kid 1: UID xxx; Kid 2: UID xxx
Mandates for Therm1: Spouse = change settings; Kids = on/off
AuthZ: device relationship = Owner for Therm1; for Therm1: Owner = full control, manages users, manages mandates
Consent given to Company X: date; purpose of processing = advice on energy use on the basis of analytics of the thermostat device; device = Therm1
Company X: read data
(Self-service portal screenshot, "Family" page, language EN; navigation: Timeline, My Apps, Family, Security, Privacy, Profile, Preferences, Devices.)
Family members and their mandates:
• Paul Hughes – Owner: full control, manage users, manage mandates (Edit)
• Marion Hughes (MH) – Spouse: change settings, turn ON/OFF (Remove | Edit)
• Leo Hughes (LH) – Child: turn ON/OFF (Remove | Edit)
• Katy Hughes (KH) – Child: turn ON/OFF (Remove | Edit)
• Add member
6 months later – Set mandate: the electricity company can use data to email a yearly trend report and incorporate depersonalised data into its data warehouse.
Identity data: first name, last name, UID, email, relations
Relationship: Family – Spouse: UID xxx; Kid 1: UID xxx; Kid 2: UID xxx
Mandates for Therm1: Spouse = change settings; Kids = on/off; X = use depersonalised data
AuthZ: device relationship = Owner for Therm1; for Therm1: Owner = full control, manages users, manages mandates
Consent given to Company X: date; purpose of processing = advice on energy use on the basis of analytics of the thermostat device; device = Therm1
Consent given to Company X: date; purpose of processing = send yearly trend report; device = Therm1
Company X: read data
1 year later – Add interest: inform me on heat pump development, by regular mail.
Identity data: first name, last name, UID, email, relations, address
Relationship: Family – Spouse: UID xxx; Kid 1: UID xxx; Kid 2: UID xxx
Mandates for Therm1: Spouse = change settings; Kids = on/off; X = use depersonalised data
AuthZ: device relationship = Owner for Therm1; for Therm1: Owner = full control, manages users, manages mandates
Consent given to Company X: date; purpose of processing = advice on energy use on the basis of analytics of the thermostat device; device = Therm1
Consent given to Company X: date; purpose of processing = send yearly trend report; device = Therm1
Consent given to Company X: date; purpose of processing = sending info on heat pump development
Company X: read data
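The thermostat walkthrough above and the earlier golden-record slide describe one data model: identity attributes with per-attribute metadata, relationships, owner-granted mandates, and consents bound to a grantee, a purpose of processing and a device. The Python below is an added example, not iWelcome's code, that replays that timeline and shows the two checks an application would make against it: is this actor mandated for this action on this device, and may this company process this data for this purpose today. The family names come from the self-service screenshot; the UIDs, dates, attribute values, the action names (`change_settings`, `on_off`, ...) and the purpose identifiers are constructed, and the electricity company's "use depersonalised data" mandate is modelled as a purpose-bound consent. The retention rule "12 months after last login" from the metadata slide is implemented in `deletion_date`.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Owner rights from the slides plus the two device actions that can be mandated; names assumed.
OWNER_ACTIONS = frozenset({"full_control", "manage_users", "manage_mandates",
                           "change_settings", "on_off"})

@dataclass
class Attribute:
    """One identity attribute with the per-attribute metadata of the golden-record slide."""
    name: str
    value: str
    provider: str          # who supplied the value, e.g. "self-asserted" or "Facebook"
    verified: bool
    classification: str    # e.g. "confidential"

@dataclass
class Consent:
    """Consent is bound to one grantee, one purpose of processing and (optionally) one device."""
    grantee: str
    purpose: str
    device: Optional[str]
    given_on: date
    withdrawn_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        # Withdrawal is not retroactive: processing on earlier days stays covered.
        return self.given_on <= day and (self.withdrawn_on is None or day < self.withdrawn_on)

@dataclass
class Mandate:
    """What a related person may do with a device, as set by the owner in self-service."""
    device: str
    relation: str          # "spouse" or "child" in the walkthrough
    actions: frozenset

@dataclass
class ConsumerIdentity:
    uid: str
    attributes: dict = field(default_factory=dict)     # name -> Attribute
    devices_owned: set = field(default_factory=set)
    relations: dict = field(default_factory=dict)      # other UID -> relation name
    mandates: list = field(default_factory=list)
    consents: list = field(default_factory=list)

    def allowed_actions(self, actor_uid: str, device: str) -> frozenset:
        """The owner gets everything on an owned device; others get only what a mandate grants."""
        if actor_uid == self.uid and device in self.devices_owned:
            return OWNER_ACTIONS
        relation = self.relations.get(actor_uid)
        granted: set = set()
        for m in self.mandates:
            if relation is not None and m.device == device and m.relation == relation:
                granted |= m.actions
        return frozenset(granted)

    def can(self, actor_uid: str, device: str, action: str) -> bool:
        return action in self.allowed_actions(actor_uid, device)

    def may_process(self, grantee: str, purpose: str, device: Optional[str], day: date) -> bool:
        """Purpose binding: consent for one purpose never covers another purpose or device."""
        return any(c.grantee == grantee and c.purpose == purpose and c.device == device
                   and c.active_on(day) for c in self.consents)

    def withdraw(self, grantee: str, purpose: str, day: date) -> None:
        """Right to withdraw: close every active consent for this grantee and purpose."""
        for c in self.consents:
            if c.grantee == grantee and c.purpose == purpose and c.active_on(day):
                c.withdrawn_on = day

def deletion_date(last_login: date, months: int = 12) -> date:
    """Retention rule '12 months after last login', with calendar-safe month arithmetic."""
    month_index = last_login.month - 1 + months
    year, month = last_login.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(last_login.day, calendar.monthrange(year, month)[1]))

def build_scenario() -> ConsumerIdentity:
    """Replays the slide timeline for the Hughes family; UIDs, dates and values are constructed."""
    paul = ConsumerIdentity(uid="uid-paul")
    # Today: registration of the owner and consent for energy advice.
    paul.attributes["email"] = Attribute("email", "paul@example.org", "self-asserted", False, "confidential")
    paul.devices_owned.add("Therm1")
    paul.consents.append(Consent("CompanyX", "advice-energy-use", "Therm1", date(2020, 1, 1)))
    # 3 months later: family relations and mandates.
    paul.relations.update({"uid-marion": "spouse", "uid-leo": "child", "uid-katy": "child"})
    paul.mandates.append(Mandate("Therm1", "spouse", frozenset({"change_settings", "on_off"})))
    paul.mandates.append(Mandate("Therm1", "child", frozenset({"on_off"})))
    # 6 months later: a second, separate consent for the yearly trend report.
    paul.consents.append(Consent("CompanyX", "yearly-trend-report", "Therm1", date(2020, 7, 1)))
    # 1 year later: a postal address and a device-independent consent for heat pump information.
    paul.attributes["address"] = Attribute("address", "1 Example Street", "self-asserted", False, "confidential")
    paul.consents.append(Consent("CompanyX", "heat-pump-info", None, date(2021, 1, 1)))
    return paul
```

Two design points matter for a defender: a mandate is keyed on the relationship the owner recorded, so removing a family member in self-service also removes every right that flowed from the relationship, and consent is checked per purpose and per device, so the consent for energy advice cannot be stretched to cover the trend report or the heat pump mailing, which is exactly the "blanket consent" failure the GDPR scoring slides call out.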