de toekomst van iam is voorspelbaar€¦ · de toekomst van iam is voorspelbaar voor nora werkgroep...

De toekomst van IAM is voorspelbaar

Voor NORA werkgroep IAM

27 Februari 2020

Utrecht

Maarten Stultjens

[email protected]

2 | © iWelcome BV 2020 | Confidential in commerce

Europe’s #1

Identity Platform

B2C & B2B

iWelcome is the European based and hosted IDaaS Provider, designed from the cloud for the Enterprise.


Maarten Stultjens

VP Sales & Bus Development

7 years at iWelcome

20 years in IAM at BHOLD & Microsoft

From identity governance and roles to Customer Identity

From Software to SaaS

Econometrie


Wat is

De meest gebruikte

Login methode?

Wat is

De meest gebruikte

Login methode?


The full IAM landscape

eID, DigiD, eHerkenningSuppliers, Customers

Buyers, insured, patients,..

Salesforce, Office365, Google, SAP, …

Guest, researchers, …

Shop staff, outlet staff, Factory staff,…

Employees & on premise applications

(Social) Registration

Consent Lifecycle Mgt

Self-service

Authentication | MFA

SSO | SLO

Provisioning

Delegated User Mgt

Identity Intelligence

Identity Proofing

(Social) Registration

Consent Lifecycle Mgt

Self-service

Authentication | MFA

SSO | SLO

Provisioning

Delegated User Mgt

Identity Intelligence

Identity Proofing


IAM begint met login gemak voor de eindgebruiker

Active Directory

SSO

Groups

Roles

Delgation

Workflow

Segregation of duties

Volw

assenheid

Facebook login

SSO

Privacy

Know-Your-Customer

Risico gebaseerde toegang

IDP & Federaties

Customer journey

Yr. 2000 Yr. 2010 Yr. 2020

login

SSO

…


Consumer IAM B2B IAM Workforce IAM

Focus user group Private personsStaff from other companies /

organisations Staff

Characteristics

• Millionsof users

• ‘FrictionlessCustomer Journeys’

• Digital transformation & Digital

business, owned by head of online

• Business value driven,

• Hundreds to hundreds of

thousands of users

• Consumer alike interaction

• Company profile, preferences

• Business value driven

• Also B2B2C use cases

• (ten) thousands of users

• Join – move – leave

• Provisioning & user management

• IT operations and efficiency

• Cost driven,

Key capabilities

• Profile, preference & consent mgt.

• Self service,,

• Social registration, validation /

proofing

• Mandating, trust & access mgt.

• Delegation

• Invitation & elevation

• Coarse grain access

• Provisioning & user management

• Security (MFA / RBAC / IGA)

• Fine grained access

Privacy

Extremely important. In Europe with

GDPR and now a global reach as

other regions implement ePrivacy

Important as users may get access to

PI data and PI data of the external

user needs similar protection as for

consumers

Not a primary concern as staff

providesconsent by nature of the

employment agreement.

Things

Connected houses, mobility &

personal wearables will exponentially

grow usage and user numbers

Connected Offices, mobility, service

management

Things are integrated in workflow

Preferred delivery

modelIDaaS On-premise (DIY) and IDaaS.

On-premise and IDaaS.

Combined with IGA

iWelcome focuses on all user categories that are not having their authorative source in HR and thus require processes for on boarding,

lifecycle management, eprivacy and a separate identity store.


Consumer IAM B2B IAM Workforce IAM

Focus user group Private persons Staff from other organisations Staff

Characteristics

• Millionsof users

• ‘FrictionlessCustomer Journeys’

• Digital transformation & Digital

business, owned by head of online

• Business value driven,

• Hundreds to hundreds of

thousands of users

• Consumer alike interaction

• Company profile, preferences

• Business value driven

• Also B2B2C use cases

• (ten) thousands of users

• Join – move – leave

• Provisioning& user management

• IT operations and efficiency

• Cost driven,

Key capabilities

• Profile, preference & consent mgt.

• Self service,,

• Social registration, validation /

proofing

• Mandating, trust & access mgt.

• Delegation

• Invitation & elevation

• Coarse grain access

• Provisioning& user management

• Security (MFA / RBAC / IGA)

• Fine grained access

Privacy

Extremely important. In Europe with

GDPRand now a global reach as

other regions implement ePrivacy

Important as users may get access to

PI data and PI data of the external

user needs similar protection as for

consumers

Not a primary concern as staff

providesconsent by nature of the

employment agreement.

Things

Connected houses, mobility &

personal wearableswill exponentially

grow usage and user numbers

Connected Offices, mobility, service

management

Things are integrated in workflow

Preferred delivery

modelIDaaS On-premise (DIY) and IDaaS.

On-premise and IDaaS.

Combined with IGA

iWelcome focuses on all user categories that are not having their authorative source in HR and thus require processes for on boarding,

lifecycle management, eprivacy and a separate identity store.


Consumenten identiteiten – Nu en in de toekomst

SOCIAL NETWORKS

Product or service

PERSONAL DATA

CONSUMER

Identity

CONSENTS

1. Consent

2. Privacy by Default

3. Preferences

4. Purposes of use

5. Extending the cause

6. Right of access

7. Transparency

8. Right to withdraw

9. Data retention

10. Data portability

GDPR

ThingsRelations Interests Mandates


The lessons of the two-sided market

for self-sovereign identity and 3rd party Identity providers

o Members of one group exhibit a preference regarding a high number of users in the other

group - this is referred to as cross-side network effects – f.e. credit cards

o To attract users from the other group usually one group invests most in the development of

the two-sided network. – f.e. merchants accepting credit cards

o Governments and banks have the power to play the long-game and subsidize the other group

o SSID initiatives will not grow beyond technical proof and achieve the scale required as long as

there is not a party subsidising the other. So far there is no business in being an identity

provider – f.e. TTP around 2000

o BankID, GovID & SocialID have solved one side of the two-sided market and will be the 3rd

party Identity providers of the 20’s


And what about Facebook?

I can assure Service providers, the other side of the two-sided market, that my account is reliable:

o My account lives since 2010 and has been verified by 375 friends, most of whom have been

verified 100+ times as well

o As there has been activity during the last month, it is most likely an active account.

o Part of my private reputation is build up around this account so I will protect access to my

credentials better than my professional account.

Facebook as Identity provider has the ability & motivation to keep their community safe:

o We are living in a call-out culture and Consumer opinions are far reaching for the platform and

their shareholders.

o At the same time governments are increasingly applying regulations.


Samenvattend: Identity & Attribute providers

Categorien:

• Sociale netwerken

• Overheden

• Banken

• SSID

Acceptatie criteria:

• Subsidizing the 2-sided market

• Convenience

• Purpose

• Culture

• Costs


Meta-data & identity data voor Consent & Know-Your-Customer

FIRST NAME

LAST NAME

STREET NAME

PHONE NUMBER

GOLDEN RECORD

• Last Update: 22-mar-2018

• Mandatory field: Yes

• Provider name: Facebook

• Consent given: Yes

• Consent reason given: To send you our…

• Consent data: 22-mar-2018

• Verifier: not verified

• Classification: confidential

• Date deletion date: 12 month after last login

• Expiration date: 22-mar-2019

• Parental control: yes

• Parents allowed for consent: UID;UID

Policy driven data management & Consent managementAPI

Applications

META

NIST 8112

CITYSHOE SIZE AUTHZ

GROUPMEMBER PREF.

DATE OFBIRTH >

n


Interactie - Op het juiste moment op de juiste manier

Consumer data capturing JIT Consent capturing Self-service overview


Customers are offered different apps &

portals for different services

Customer data is stored into a wide

variety of systems and applications

Data reports and analytics need to be

manually extracted per system

Customer Care

DPO

Customers are not offered the option to

view, edit or delete their data

Traditional landscape


Customers can easily manage

their personal information,

consents and purposes

Applications are relieved from Identity &

Consent Mgt complexity

Customer analytics are at

CDO/CSO/DPOs fingertips

Customers are offered one frictionless

multichannel experience

Integrated landscape


Insurance UtilitiesRetail/E-tail &

consumergoods

Media & Publishing

Travel & Services

Non-profit

6 verticals – 8 GDPR requirements - 89 organisations

1. Consent

2. Ability to withdraw

3. Right of access

4. Right of rectification

5. Right to erasure

6. Data retention period

7. Privacy by default

8. ‘Special categories of data’


How to get there?

Multip le cons ume r apps & po rta ls

360 deg re e cus tome r v iew

Offe r option to v iew, ed it, down load

and de le te cons ume r data

GDPR -proo f fric tion le s s cus tome r jou rne y s

Scatte red IT lands cape with

IAM func tiona lity

Key findings:

‘Checklist’ implementations

Consumers not in control

34% of organisations

uncompliant in most areas

only fulfilling ‘some’ GDPR requirements

Retail/E-tail & Media/Publishing

Best performing industries

Basic GDPR requirements are in place:

Ability to withdraw (92%),

Right of access (96%),

Right of rectification (95%).

UK & Germany

Best performing countries

Core GDPR requirements are not in place:

Data retention period (43%),

Privacy by default (59%),

Consent (12%).


Overall GDPR-score - European countries & US compared

GDPR: “Freely given, specific, informed, unambiguous and clear affirmative action”

• Is consent being asked for in a straightforward manner?

• Are the purpose(s) of use mentioned at all?

• Does the organisation clarify for what purpose(s) the personal data will be used? Is it crystal clear?

• Are the purpose(s) of use specified per attribute – rather than a consent ‘blanket’?

Thank you for your attention!


EXAMPLE USE CASE: A smart Thermostat


FIRST NAME

LAST NAME

RELATIONS

Registration of the owner of the device to the

thermostat web service.

AuthZ

For Therm1:Owner = full control,manages users, manages mandates

UID EMAIL

Device relationship= Owner for Therm1

Today


Give consent to use the thermostat data to advise

me on better use of my energy.

AuthZ



Company X read data

Consent given to X:DatePurpose of proc =advice energy use on basis of analytics therm dev.Device = Therm1

FIRST NAME

LAST NAME

RELATIONSUID EMAIL

Today


Add relationship and set mandates:

▪ Spouse can change settings

▪ Kids can turn on/off thermostat

AuthZ


Relationship: FamilySpouse: UID xxxKid 1: UID xxxKid 2: UID xxx

MANDATES

For Therm1:Spouse = changesettingsKids = on/off

FIRST NAME

LAST NAME

RELATIONSUID EMAIL


Company X read data

Consent given to X:DatePurpose of proc =Advice energy use on basis of analytics therm dev.Device = Therm1

Today 3 month later


ENEN

Timeline

My Apps

Family

Security

Privacy

Profi le

Preferences

Devices

Spouse

Owner

Change settings, Turn ON/OFF

Full control, Manage users,

Manage mandates

Turn ON/OFF

Turn ON/OFF

Child

Child

Add member

Paul Hughes

Marion HughesMH

LH

KH

Leo Hughes

Katy Hughes

Family

Remove | Edit

Remove | Edit

Remove | Edit

Edit


Set mandate:

Electricity company can use data to email yearly

trend report and incorporate depersonalised data

to data-warehouse.

AuthZ



MANDATES


X = use depers. data


Company X read data

Consent given to X:DatePurpose of proc = send yearly trendreportDevice = Therm1

FIRST NAME

LAST NAME

RELATIONSUID EMAIL

Consent given to X:DatePurpose of proc =Advice energy use on basis of analytics therm dev.Device = Therm1

Today 6 months later


Add interest:

Inform me on heat pump development, by regular mail

AuthZ



MANDATESADDRESS

Consent given to X:DatePurpose of proc =sending info heat pump dev.

Consent given to X:DatePurpose of proc = send yearly trendreportDevice = Therm1


X = use depers. data

FIRST NAME

LAST NAME

RELATIONSUID EMAIL


Company X read data

Consent given to X:DatePurpose of proc = advice energy use on basis of analytics therm dev.Device = Therm1

Today 1 year later

de toekomst van iam is voorspelbaar€¦ · de toekomst van iam is voorspelbaar voor nora werkgroep...

Documents