At the Gartner IAM Summit 2023, Simon Wood, Ubisecure CEO, presented on the promising future of true B2B IAM. Attendees of the Summit can replay this session via the Gartner app. However, for those who didn’t attend, this overview will cover the key takeaways from the session.
Current B2B IAM
To understand why nobody is delivering true B2B IAM, we need to look at what is being delivered today. B2B IAM focuses on the external identities – i.e., partners, suppliers, consultants etc.
Delegated administration is a key (and very beneficial) feature of B2B IAM. With delegated administration, the entity that knows who the external identities should be manages them, so that it can effectively oversee their lifecycle. Whether this is done through federated authentication or through monitored management, the central point retains control over the authentication and authorisation of external identities.
B2B IAM systems are therefore still managing the identities of individuals. This leads us to ask how this differs from B2C IAM. Although B2B IAM makes identification and authentication simpler, it still follows the same processes as B2C. In these scenarios, transactions are made with organisations (shops, restaurants etc.) rather than with an individual. Yet this poses a security challenge.
The Challenge of Transaction Values
The security of a transaction comes from being able to identify the parties involved, using that identification to work out the risk involved in the transaction, and then managing that risk appropriately.
Higher assurance identities carry a lower risk, while lower assurance identities carry a higher risk. For any given level of risk, we can choose what transaction value we are prepared to tolerate within it.
There are, and have been, many ways for individuals to verify that they are dealing with verified organisations. However, there is currently no technical means of identification with which to verify a legitimate transaction. This is why highly assured organisational identities are needed to identify the endpoint in transactions with organisations.
Which Organisational Identity to Choose
Many organisational identifiers exist today. The World Trade Organisation is pushing an initiative for cross-border paperless trade based on organisation identities, and within its toolkit it lists the five preferred subject identifiers to be used.
Only one of these identifiers represents a highly assured identity that is suitable for use in identifying the endpoint in transactions and reducing the associated risk. The LEI is globally unique, externally validated and has public access, meaning it can be looked up, at no cost, with full visibility for that highly assured organisational identity.
What is an LEI?
The Legal Entity Identifier (LEI) was created as a result of the 2008 financial crisis. It tells you who is who, and who owns whom. Understanding this consolidated ownership is key to stopping the circular investment meltdowns that caused the financial crash. For more about LEIs, see: What is a Legal Entity Identifier and what can you do with it?
Because the LEI is implemented through an open data framework, with strict accreditation rules set by the Global LEI Foundation (GLEIF), it is a highly assured organisation identifier. The G20, with the FSB, have a target of growing the number of LEIs to about 20 million by 2027 (about 10% of organisations globally), at which point the highly assured organisation identifier is past the critical mass stage.
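The public, free lookup described above is what gives the LEI its assurance; the identifier string itself only carries a structural guard. As an added example (not code from Ubisecure, GLEIF or this page), the following validates the shape of an LEI and its two check digits, which ISO 17442 computes with ISO 7064 MOD 97-10, the same scheme IBANs use. The sample value is GLEIF's own published LEI, quoted from general knowledge rather than from this page. Passing this check says nothing about whether the LEI is issued, current, or belongs to the entity you expect; that can only be established from the public LEI record.

```python
"""Structural validation of a Legal Entity Identifier (ISO 17442).

Added example; not code from Ubisecure, GLEIF or the page. An LEI is 20
characters: 18 upper-case alphanumerics followed by two check digits computed
with ISO 7064 MOD 97-10. Well-formed does not mean registered or active.
"""
import re

_LEI_BODY = re.compile(r"^[0-9A-Z]{18}$")
_LEI_FULL = re.compile(r"^[0-9A-Z]{18}[0-9]{2}$")


def _to_numeric(s: str) -> str:
    """ISO 7064 mapping: digits stay as they are, letters A..Z become 10..35."""
    return "".join(str(int(c, 36)) for c in s)


def _mod97(numeric: str) -> int:
    # Digit-by-digit remainder: no big-integer conversion, works for any length.
    r = 0
    for d in numeric:
        r = (r * 10 + int(d)) % 97
    return r


def lei_check_digits(body: str) -> str:
    """Check digits for an 18-character LEI body (what an issuer computes)."""
    if not _LEI_BODY.match(body):
        raise ValueError("LEI body must be 18 upper-case alphanumerics")
    return f"{98 - _mod97(_to_numeric(body + '00')):02d}"


def is_well_formed_lei(lei: str) -> bool:
    """True if `lei` has the right shape and its check digits verify."""
    if not _LEI_FULL.match(lei):
        return False
    # A correctly checksummed string reduces to 1 under MOD 97-10.
    return _mod97(_to_numeric(lei)) == 1


if __name__ == "__main__":
    # GLEIF's own published LEI (from general knowledge, not from the page).
    sample = "506700GE1G29325QX363"
    altered = sample[:-1] + "4"                     # one digit changed
    print(sample, is_well_formed_lei(sample))       # True
    print(altered, is_well_formed_lei(altered))     # False
    print(lei_check_digits(sample[:18]))            # 63
```

A practitioner would run this as a cheap first filter on LEIs arriving in a credential or a trade document, and then confirm registration status and legal name against the public record before relying on the identity.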
What can happen if you get Organisational Identity Wrong?
Having or representing the wrong organisation identity can have serious consequences and significant financial impact. Who remembers the Cuddy Group vs Liberty Mercian contract case, resulting in a 5 million GBP bill? Or the fake Eli Lilly Twitter account which cost $15 billion on their market cap?
These cases show how it’s critical that not only do you have a highly assured organisation identity, but that you can attribute it to the right person to represent that.
Why True B2B IAM is the Future of Digital Identity
The combination of a strongly authenticated individual with a highly assured organisation identity enables you to express who you are, who you represent, and the rights that you have to represent them.
- Strongly Authenticated Individual
The rise in reusable identity schemes globally means that reusable, strongly authenticated, highly assured identities are becoming easily available and accessible for individuals.
- Highly Assured Organisation
The LEI is available globally and is a highly assured organisational identity.
- Ability to Combine Them
To combine the strongly authenticated individual and the highly assured organisation is a technical operation.
Firstly, a form of assurance is required: a vetting of records, which is what is needed to obtain these identities in the first place. The second element in combining them is delegation: not just the delegated administration seen in current B2B IAM, as discussed earlier, but generic delegation. Delegation chains, within operational workflows, are what add value to the business proposition.
How Delegation Completes the Picture
From a management and execution point of view, organisations are big tree structures, and the rights to operate flow through that structure. The governance framework for this organisational flow is embodied in an individual's contract or job description, but the checks and validations against it are usually administrative.
What if generic delegation, across all operations within the organisation, were implemented instead of delegated administration alone? Being able to perform all business operations through the delegation chain is the true value that delegation brings.
Example: Payroll Operation Delegation
Many organisations outsource payroll to third-party organisations. Delegation allows the organisation to delegate its rights and responsibilities for submitting payroll and payroll tax to the external third-party organisation. They will then delegate internally, within the payroll organisation. This operational delegation allows for the whole system to run smoothly, providing the same efficiencies that we see from delegated administration, but on the operational side.
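The payroll case above, together with the earlier point that rights to operate flow down the organisation's tree from those who hold a binding role, can be made concrete as an authorisation check over a delegation chain. The following is an added example (not Ubisecure's or the page's code): the organisation LEIs are constructed placeholders, the people are invented, and the data model (a `Delegation` record with a validity window and a re-delegation flag, and a registry of official role holders per organisation) is an assumption made for the illustration. The check answers "may this individual perform this operation on behalf of this organisation right now?" by walking the chain back to a role holder, refusing expired links and links whose grantor was never allowed to pass the right on.

```python
"""Delegation-chain authorisation for an outsourced payroll operation.

Added example (not Ubisecure's or the page's code). The organisation LEIs
below are constructed placeholders, not real registrations; the names are
invented. An official role holder is the root of every chain; anyone else
must show an unbroken chain of valid delegations back to such a root for
the specific right they want to exercise.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACME_LEI = "ACME00PLACEHOLDER001"   # constructed placeholder, not a real LEI
PAYCO_LEI = "PAYCO0PLACEHOLDER002"  # constructed placeholder, not a real LEI
T0 = datetime(2023, 3, 1, tzinfo=timezone.utc)   # constructed scenario start


def at_day(days: int) -> datetime:
    """Instant `days` after the scenario start (helper for the checks below)."""
    return T0 + timedelta(days=days)


@dataclass(frozen=True)
class Delegation:
    grantor: str          # individual or organisation (LEI) passing the right on
    grantee: str          # individual or organisation (LEI) receiving it
    right: str            # the operation delegated, e.g. "payroll:submit"
    on_behalf_of: str     # LEI of the organisation whose right this ultimately is
    not_before: datetime
    not_after: datetime
    may_redelegate: bool  # may the grantee pass the right on again?

    def valid_at(self, at: datetime) -> bool:
        return self.not_before <= at <= self.not_after


class DelegationRegistry:
    def __init__(self, role_holders: dict[str, set[str]]):
        self.role_holders = role_holders      # org LEI -> individuals with an official role
        self.delegations: list[Delegation] = []

    def grant(self, d: Delegation) -> None:
        self.delegations.append(d)

    def _identities_of(self, actor: str) -> set[str]:
        # An individual may use rights granted to them directly or to an
        # organisation for which they hold an official role.
        return {actor} | {org for org, holders in self.role_holders.items() if actor in holders}

    def chain_for(self, actor: str, right: str, org: str, at: datetime,
                  _on_path: frozenset[str] = frozenset()) -> Optional[list[Delegation]]:
        """Chain authorising `actor` to exercise `right` for `org` at `at`:
        [] if `actor` is a role holder of `org`; None if no valid chain exists."""
        if actor in self.role_holders.get(org, set()):
            return []
        mine = self._identities_of(actor)
        for d in self.delegations:
            if (d.grantee not in mine or d.right != right or d.on_behalf_of != org
                    or not d.valid_at(at) or d.grantor in _on_path):
                continue
            upstream = self.chain_for(d.grantor, right, org, at, _on_path | {actor})
            if upstream is None:
                continue          # the grantor never validly held this right
            if upstream and not upstream[-1].may_redelegate:
                continue          # the grantor held it but was not allowed to pass it on
            return upstream + [d]
        return None


def build_payroll_scenario() -> DelegationRegistry:
    reg = DelegationRegistry({ACME_LEI: {"alice"}, PAYCO_LEI: {"bob"}})
    # Acme's role holder delegates payroll submission to the provider as an organisation.
    reg.grant(Delegation("alice", PAYCO_LEI, "payroll:submit", ACME_LEI,
                         at_day(0), at_day(365), may_redelegate=True))
    # PayCo's role holder delegates internally to the clerk doing the work, no onward passing.
    reg.grant(Delegation("bob", "carol", "payroll:submit", ACME_LEI,
                         at_day(0), at_day(30), may_redelegate=False))
    # Carol tries to hand the task to a colleague: recorded, but it never authorises.
    reg.grant(Delegation("carol", "erin", "payroll:submit", ACME_LEI,
                         at_day(0), at_day(30), may_redelegate=False))
    return reg


REGISTRY = build_payroll_scenario()


def describe(chain: Optional[list[Delegation]]) -> str:
    if chain is None:
        return "DENIED: no valid delegation chain"
    if not chain:
        return "ALLOWED: official role holder"
    return "ALLOWED via " + " -> ".join(f"{d.grantor}>{d.grantee}" for d in chain)


if __name__ == "__main__":
    for who, day in [("alice", 1), ("carol", 10), ("carol", 60), ("erin", 10), ("dave", 10)]:
        print(who, "day", day, describe(REGISTRY.chain_for(who, "payroll:submit", ACME_LEI, at_day(day))))
```

Two design points matter in practice: the right being checked is fixed along the whole chain, so a delegation can never widen what was received, and the decision is made at evaluation time against each link's validity window, so revoking or letting an intermediate delegation expire cuts off everything downstream of it without having to revisit the individual grants.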
The combination of strongly authenticated individual identity and highly assured organisation identity, with true delegation at all levels, is True B2B IAM from our perspective.
How does True B2B IAM fit the Current Global Movement?
Several global schemes and frameworks are recognising the LEI as the highly assured organisation identifier of choice. Both the World Trade Organisation and the ICC are pushing to enable paperless trade leveraging the LEI. The eIDAS 2.0 EU digital wallet scheme will enable citizens to use the LEI to express relationships to organisations. The Globally Assured Identity Network (GAIN) also recognises the LEI as the entity identifier within its framework to allow for a transitive relationship between global networks.
The GLEIF has launched the verifiable LEI (vLEI) as both a verifiable credential and a governance framework. It has created an ISO standard that defines jurisdiction-based legal roles and enables the verifiable credential mechanism to express the relationship between a highly assured individual, a highly assured organisation identity and the Official Organisation Role that bridges them together.
How Ubisecure enables True B2B IAM
As of March 2023, Ubisecure became the largest issuer of LEIs worldwide, alongside our status as a leading identity and access management provider.
We have delivered True B2B IAM in a solution that supported over 400,000 organisations, and this is just the beginning. Our insights have shown that the combination of highly assured organisation identity and broad delegation can achieve savings of up to 99%, meaning that transactions previously costing €30 can be reduced to €0.20 by deploying true B2B IAM.
A broad range of use cases exist for this true B2B IAM. Watch the video below on how to authenticate an employee to a supplier, and then communicate the rights of that employee to represent their company. This simple use case shows how the RapidLEI platform and IAM services can digitise traditional, high-cost administration.
We know that organisational identity is fundamental to the delivery of true B2B IAM. If B2C involves identifying the Cs, then B2B must involve identifying the Bs. Over the next few years, we expect to see a push from legislation and from the organisations that are working on it. This must shape what we do as identity professionals, and how we think about B2B IAM.
- Learn more: B2B IAM solutions
- From the blog: Organisation identity, legal intent and the power of frameworks