Let’s Talk About Digital Identity with Ilkka Hyvönen, Head of Cyber Security at Sogeti Finland.

In episode 34, Oscar talks to Ilkka about the challenges that financial services face with digital identity, how CIAM helps with those challenges, the Zero Trust model and its applications for remote working, security in digital payments today, and his predictions for the near future of FS.

[Scroll down for transcript]

“Customer Identity and Access Management can enable financial services to do business in this digital world, especially now that people are not able to go to their branch.”

Ilkka HyvönenIlkka Hyvönen works as the Head of Cyber Security at Sogeti Finland and has ten years of experience in security consulting. In his free time, he likes to do sports such as running, biking and swimming. Find Ilkka on LinkedIn.

Sogeti is a part of the Capgemini group and offers advisory, implementation and managed services in 15 countries. In addition to digital identity, Sogeti’s cybersecurity services cover cyber security strategy, application security and detection & response. Find out more at www.sogeti.fi.

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

 

Subscribe to
Let's Talk About Digital Identity

Or subscribe with your favorite app by using the address below

 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining today. Today, it’s time to talk about financial services and what are the implications for digital identity. For that, let me introduce you to my guest today. Ilkka Hyvönen works as the Head of Cyber Security at Sogeti Finland and has 10 years of experience in security consulting. In his free time, he likes to do sports such as running, biking and swimming.

For the ones who are not familiar with Sogeti, Sogeti is part of Capgemini group and offers advisory, implementation and managed services in 15 countries. In addition to digital identity, Sogeti’s cyber security services cover cyber security strategy, application security and detection and response services.

Hello, Ilkka.

Ilkka Hyvönen: Hello.

Oscar: Very welcome to have you here, Ilkka.

Ilkka: My pleasure.

Oscar: Nice. I hope you’re having a good day and you told me, we are both in Finland and we have a sunny day. You’re in Helsinki, correct? Somewhere…

Ilkka: Yes, correct.

Oscar: Yes, so we can see the same almost sunny, autumn morning.

Ilkka: Yes, it is very nice weather for Finnish autumn.

Oscar: Exactly. Excellent. It’s really great having you here. So, Ilkka, let’s talk about digital identity and the first thing I would like to hear is what was your journey to this world of digital identity.

Ilkka: Yes. So, I have a background actually in telecommunications so not a security background originally. And after I graduated, I went to work for a big technology consulting company. And I got assigned to a digital identity project as one of my first projects. And I guess I sort of got hooked into the world of security and digital identity. I like security and digital identity because you get to work with a lot of different things, like you have to understand the technology such as protocols and applications that you are securing, you have to understand the business drivers and the sort of assets that you are protecting, because it’s really important to understand those as well.

And then especially in digital identity, you have to understand the human aspects such as usability and how the users are behaving. Because if you, for example, had to enforce too strict rules the users can find some clever workarounds for things such as using the same passwords everywhere. So, I have been working in security for about 10 years now and I work a lot with digital identity especially in the financial services industry. So that’s my journey so far in digital identity.

Oscar: Yeah, excellent. So, you started in telecommunication, but you got somehow enchanted, if you can call it, with cyber security and now, you are into digital identity.

So I would like to know from this perspective, you already have few years working continuously on this, what do you think are the main challenges in digital identity, especially in financial services, that happen today.

Ilkka: So, let me explain a bit more about the sort of macro trends that are happening in financial services. So, of course, the regulation is there because financial services is a very regulated industry and that has been a big driver also for security, such as anti-money laundering and acquiring strong authentication for end-users, because banks are all about the customer trust and protecting their money. So that’s a very big driver that has been there for a long time and the regulation is changing all the time, becoming more strict.

And there are also other changes such as the banks and other financial service companies like credit card or payment processors are becoming challenged by these start-ups often called Financial Technology companies or FinTechs. And they can offer very easy to use, convenient services without any of the legacy that these banks or insurance companies have to deal with such as compliance and regulation. And also, legacy technologies because many banks are for example still running their core banking system on mainframes, for example.

And also, the competitiveness of the market, the interest rates are for example very low and the banks have to really find ways how to be competitive. So they have to think about things like user experience, how to seamlessly use the services in different channels like mobile or web or even smartphone devices, for example.

So there are a lot of different trends that also affect digital identity when you think about the consumers, what are their requirements and what are the regulations driving the industry and so on. And also, the regulation affects not only security but the business enablement, for example, the banks have to open up some of their APIs to competitors. And these FinTechs, for example, in EU there’s this PSD2 regulation. It means that the banks have to open some of the payment APIs to other companies. So there are a lot of changes involved in the financial services which has been traditionally very conservative industry actually.

Oscar: Yeah, exactly. I think it’s a good summary of what’s been happening in the last years in the financial industry. And then of course show some of the challenges. And if we focus on how identity and access management, CIAM particularly, and of course, who are facing the customers from the banks or financial services, how do you think CIAM is helping into these challenges?

Ilkka: So, if you think about the regulation for example the general data protection rules, for example, you really have to manage the customer’s data securely. So you might have millions of customers – you have to manage their digital identity and how their data is being accessed and managed. So you have large amounts of customers you have to manage. You have to offer authentication methods that are user friendly if you think about that usability perspective. You have to support services in different channels like mobile, tablets, web, smartphone devices. So you have to manage the relationships between users and different devices, different channels.

And then these companies might be working in many different geographical regions that might have different regulations, which affect digital identity as well. What are the rules for authentication methods and so on in different countries? So, customer identity and access management can sort of be an enabler that actually enables these financial services companies to do their business in this digital world. Especially now that people are not maybe able to go to their branch office, so they need to be able to securely handle the business from different places. They need to have strong ways of authenticating to these services. And they also are used to a good user experience, so Customer Identity and Access Management this is a technology that can help with all of the sort of regulatory challenges and the sort of technology enablement that you need today, in today’s market.

Oscar: OK. This is how CIAM is helping the financial institutions – as you said that one concrete example is that people are, because of the pandemic, it’s more difficult it has been at least for some time to go to and visit the branches so people who were used to do that cannot do it or were not able to do it for long period or was more difficult or more risky. So, having all these processes online and very easy and very secure way so it’s very powerful and I’m sure that financial institutions that were already prepared for that, that already had these processes online, took advantage of that.

Ilkka: And especially in the Nordic countries we have been very sort of advanced in this way. We have been able to do online banking for maybe 25 years but even in Central Europe things are a lot behind. But on the other hand, in for example, in India and Africa, for example, there is no traditional banking infrastructure, so they are going straight to digital or mobile, so to say.

Oscar: Yeah, yeah, very interesting. So you have differing also among countries.

I also know that your team is working with another one of the challenges that came especially with pandemic talking about the remote working and a concept that is becoming more and more, you hear it more and more, you see it more and more, “Zero Trust”. So, if you could tell us what is Zero Trust?

Ilkka: So, Zero Trust is more about the sort of employee identity and access management. So the traditional sort of security architecture has been that the people used to work from corporate network, accessing the resources in their corporate data centre usually. So, you are basically allowed access to different application data just because you were in the corporate network. So, Zero Trust concept originated maybe 10 years ago from companies like Google that used it for their internal network. And it’s about managing access in a fine-grained way.

So your data might be in different cloud services, you might be on-the-go working from a café, or in this situation, people working mostly from home. So, they are not in the corporate network and the applications and data are much more dispersed instead of just being in the corporate internal data centre. So, you need to have a different way of managing access than just that you are in the corporate internal network accessing these different resources. So, you really need to identify the user continuously, so you need to know who the user is accessing different things. You need to have fine-grained access to data and applications. You need to manage the devices.

So what are the devices that the user is accessing the data with? So you need to know them, you need to be able to trust them.

So, it’s all about identity and authentication and authorisation as well. So, in this situation you can easily see that when most people are working remotely, the sort of old castle and moat architecture doesn’t work but you have a clear perimeter – that when you’re inside the perimeter, you are trusted and if you’re outside, you’re not trusted. So, Zero Trust is about changing the while mindset to be more fine-grained that you are never explicitly trusted, that you have to continuously validate the trust in different ways. And digital identity is one of the technologies enabling Zero Trust.

Oscar: And have you had many of your customers, the companies who work with Sogeti calling you, contacting you, telling you OK, we want you to enable services for our remote workforce, but we are struggling, we don’t find it easy. Have you been contact often, many times especially in the last months or even now?

Ilkka: So, yes I would say that a lot of the maybe more conservative industries have had challenge in the quick transition to remote work. Now, of course, it has been already about six or seven months of remote working so that they are now getting used to it but in many organisations, there has not been the sort of culture of remote working so that the norm was to just work at the office so they didn’t have the technology such as VPN or Zero Trust Architecture to enable every office worker to work remotely. So, yes, there has been a lot of changes in the whole technology and of course cultural mindset in remote working this year.

Oscar: All right. So that has kept you and your team quite busy as well.

Ilkka: Yes, that’s correct.

Oscar: And just to know also from your view having worked with several types of companies, which sector or type of organisation have been affected the most we would say when moved to remote working?

Ilkka: I would say that the more technologically advanced companies are already before this pandemic used to sort of remote work. But it’s definitely the more conservative industries like public services that have had most challenges because they are used to the sort of traditional office working culture and have not had the technology to enable large scale remote work.

Oscar: Sure. OK. Coming back to the financial services, something you mention already among the challenges is about payment, you mentioned PSD2, the regulation, payment regulation on the European union level. What’s right now the situation that you see in digital payments today?

Ilkka: Well, of course, also this current situation affects the payments since we are not able to go to all the stores and buy things and pay them with the credit or debit card so people are buying more things online which has also accelerated the use of digital payments in this situation. Of course, I would say that in this digital payments area also Nordic countries have been sort of the forerunners so we are almost becoming a cashless society nowadays.

But in Central Europe, for example, the development is a bit behind, but I would say that this digital payment will grow very quickly in the future as well. And people are sort of demanding more, if we’re talking about frictionless payments, so it’s becoming more easy. And of course, you need to manage the security in that digital payment as well. So you might be using biometric authentication or other ways to authenticate when you’re actually making the payments. And there is also things like anti-money laundering that you have to think about. So there’s also technology and regulation that you have to think about when developing digital payments.

Oscar: So you think for instance that they are becoming more, more secure, the digital payments because that’s one need, one requirement, because of there are more bad actors, there are more criminals also, you feel that they became more secure in these times as well.

Ilkka: Yes, I think they are becoming secure because they have to. There’s a regulation that sort of enforces accountability for the payment providers. On the other hand, the payment providers want to make things more usable for the end-users, so they have to figure out how to make the payment secure but very user friendly at the same time. So there are definitely challenges that will be there for the next years.

Oscar: Yes. And something else that I like to ask you as you have seen from many countries, Sogeti is in many countries. Something I discovered like 10 years ago when I was working for another company and I was setting up an online shop for software products, so I was checking how different are the payments in each country. I was so surprised, and I know it’s still not very different. So, for instance, if I want to enable the online shopping in Finland where they had some payment methods, if it’s in Germany, another list of payment methods, in France, another and if it’s Australia another. So, do you think the lists of the payment methods has become more harmonised between countries recently, what would you say about that?

Ilkka: I would say that globally there’s still a long way to go but at least in EU level, there’s a lot of effort to make it more standardised because as you mentioned it’s a big challenge for the online shops and the industries that you have to have different technologies in different countries. In EU level, there are a lot of efforts in standardising the payment methods. And of course in some countries, like the US, there’s also some standardisation but there’s a lot of incumbent players like credit card companies that maybe want to sort of protect their own sort of closed market, so they don’t want to make everything very open. But then on the other hand, there’s these big tech companies that are entering the payment arenas or are already there so Google and Apple and Facebook, they are sort of coming with their own payment services and then of course there’s PayPal that has been there for a long time already.

Oscar: Yes.

Ilkka: So, it’s possible that these big tech companies, if they gained the big market share that they will sort of create their own closed standards that are global.

Oscar: Yeah. Sounds like there’s still a lot to harmonise, but definitely there are efforts to make it easy for the customers. And also for the merchants for the ones who want to sell their products also make it easy to enable just a few payment methods and make it simple as well.

Ilkka: Yeah, definitely because it is a big challenge for the merchants to implement different payment methods in different countries. There’s a lot of technical work there and different regulation that you have to follow in different countries. So, it’s a challenge nowadays.

Oscar: Yeah, but I’m sure now the situation is accelerating because as you have said earlier, more and more people are buying online, so that’s a big motivation for that.

Ilkka: Yeah.

Oscar: So, what is the prediction or what you see in the near future for the financial service? So what is coming? We are talking how is it now, so what challenges, what will you see is coming both on the technical side and also on the business side? So, what do you see coming?

Ilkka: So, from the technical side, I would say that everything is becoming more API-driven, and the change is already happening there. And probably there will be more, if you think about security or security analytics and analysing that user behaviour in the financial services industry because we want to detect the sort of abnormal behaviour to prevent money laundering or phishing attacks or this sort of unwanted behaviour. And if you think about digital identity and strong authentication, I would say that probably continuous authentication and behaviour authentication are some of the technologies that are becoming more popular in the near future.

And if we think about the market, I already mentioned about the big tech companies, of course, in EU and US there’s a lot of effort to sort of regulate and limit the big tech companies’ power, so let’s see how that happens. But probably in the financial services, the financial technology companies, the small start-ups will probably disrupt the market in the future and challenge the banks and insurance companies and payment companies. So, probably the services can become more affordable for the consumers.

But on the other hand, for example these big tech companies might be more interested in making money with the data instead of the services. They want to analyse your purchasing behaviour for example and generate targeted marketing based on that. Instead of banks that are more interested in making money with the services that consumers are using. So, I would say that there’s going to be a lot of interesting changes in the near future in financial services.

Oscar: Yeah, definitely. That last thing you said that yeah, so for instance, if the big tech companies have more dominance into this, financial services and payments, well they can use the other way to monetise that is well the customer doesn’t pay directly but pays indirectly with their data. Well, personally, hopefully that’s not the one that wins. But let’s see in the future.

Ilkka: Yeah. At least in EU the consumer privacy is taken very seriously but that’s not the case in many other countries, at least yet.

Oscar: Yes.

Ilkka: So, let’s see how that happens.

Oscar: Yes. Ilkka, could you finally tell us, give us a practical advice, a tip for anybody to protect our digital identities?

Ilkka: So, I would advise everyone to use password managers, for example like LastPass or KeePass, there’s many different options. So, they enable you to generate strong password for every service that you are using, so if there is a data breach in one of your services that you use then the hackers cannot use the password in the other services that you use. So usually, they try to use your user account then this password combination to different services and try to gain access to those. If you generate strong passwords for all the different accounts you use online, so then that sort of data breach doesn’t affect your other services. So, that’s one tip and also using multi-factor authentication is an easy way to mitigate different types of threats like phishing or these data breaches. So those are my personal tips for protecting your digital identity.

Oscar: Yes it’s definitely good. From time to time I receive emails from service that I have been using for some time and they tell me, “OK, now we are offering two-factor authentication”. So, for everybody, if you get this email that finally one service that you’ve been using is offering multi-factor authentication, you have to act immediately so you have to enable it. And of course, there are many services that have been offering that for years already so it’s available. And hopefully, more services will be offering more and more of that. And what is your password manager, what is the one you use, what is the one you prefer just for curiosity?

Ilkka: I use one called LastPass which is maybe one of the more popular ones, but there are many different options, for example KeePass is an open-source version so there’s a lot of good options there.

Oscar: Yeah, OK. Excellent. Great. Thanks a lot Ilkka for telling us all of what’s happening in the financial services. We touched with the cyber security and digital identity. And please let us know how people could learn more about what you’ve been talking or get in touch with you if they want. What are the best ways for this?

Ilkka: So, you can contact me on LinkedIn, so I have profile, Ilkka Hyvönen. You can access our website which is www.sogeti.fi . You can find my contact details from there or directly in LinkedIn.

Oscar: Excellent. Again, it was great talking with you, Ilkka, and all the best.

Ilkka: Thank you.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]