Let’s talk about digital identity with Ubisecure IAM Academy hosts and Vinay Sawarkar.
In this shorter bonus episode, Oscar discusses IAM Academy – Ubisecure’s free training on Identity and Access Management (IAM) and our Identity Platform for our partners and customers. Listen to the episode to find out why we launched the courses, how they’ve evolved over the years, a clip from the training, and why it’s so important to keep up to date on IAM.
“Understanding IAM well is crucial for professionals across companies, not only for the IT folks as it used to be in the beginning of the century.”
We’ll be back to the usual schedule next week! In the meantime, catch up on episodes with guests featured in this episode:
- Creating an open-source IAM wiki with Open-Measure Founder, David Doret – Podcast Episode 45
- Digital transformation and identity compliance in India with Vinay Sawarkar, Claidroid – Podcast Episode 47
- Identity management in Mergers & Acquisitions with Keith Uber, Ubisecure – Podcast Episode 53
Or subscribe with your favorite app by using the address below
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: It was the early 1960s when Identity was introduced to the digital world, way before computers became an essential part of our everyday life. Computer scientist, Fernando Corbató, introduced passwords into the computing world as a method to secure access to files. Yes, identity is much older than what we normally think.
David Doret: I think my oldest bibliographic reference in IAM dates back to 1967. That sounds absolutely amazing, no?
Oscar: Indeed! That was David Doret who created Open Measure, a wiki that has built and maintains a dictionary of accurate definitions of Identity and Access Management terms.
Another word that is in everyone’s vocabulary today, the Internet, only appeared in the late 80s. The 90s saw how Internet became commercial and global. The original Internet’s Identity and Access Management infrastructure was based on RADIUS, a protocol that did authentication, authorisation, and accounting. As more and more companies built web applications that allowed access to outside users, companies opted for developing their own identity solutions to handle their own needs. Such in-house solutions were easy at first, (such as a web form plus a SQL database) but later they became complex, and expensive and difficult to maintain.
Later, in the 2000s, a massive number of people got online, reaching the billion mark. However, the world was not yet familiar with the term Identity and Access Management.
What did IAM really mean? What were the business benefits? During those years, Finland was one of the pioneering countries building the IAM that the Internet needed. That’s how Ubisecure was founded in 2002. After years solving problems and developing a mature IAM platform, one thing was noticed: the lack of knowledge and understanding of the key concepts around the Identity and Access Management world. Let’s hear Keith Uber, who experienced those days working for Ubisecure.
Keith Uber: When I joined the company in 2009 a training system was in place for our partners and for our customers, and we would use that for providing custom training together with the implementation projects on a one-one basis. Around that time, we started to think about productising that training and making it more generic. What we found in the sales process was many of the buyers, or even partners at that stage, were unfamiliar with many of the new concepts in this rapidly changing Identity and Access Management world. A lot of the terms were unfamiliar, a lot of the ideas and concepts were new.
Around that time, the then CEO, Juha Remmes, had the idea to productise the training and create a separate brand around the training called the IAM Academy. With this brand and with this product, we could provide training for groups of individuals, organisations, and provide group training both in a classroom environment but also customise training in a customer’s premises.
So we provided then training on principles and ideas, best practices that go far beyond our own product and are generic for Identity and Access Management. We created 5 different programmes and the customers and partners could choose different modules of that programme and use that to decide who within the organisation were trained perhaps in a more technical part of the product or in more conceptual or business focused ideas. We also had a specialised course for sales.
Oscar: Ubisecure’s IAM Academy was indeed a pioneering training programme on the industry. As time went by, and with the experience gained through several training sessions, Ubisecure IAM Academy grew and perfected itself and the professionals attending left the training room with a deeper understanding of IAM and how it makes our lives easier.
Keith: My favourite part of the training is the technical hands-on training where we provide each student with a personal environment that they can log into and it’s their job to configure their environment according to an example customer. We have quite a complex customer example where you first can customise the look and feel, the languages, the layout, how the system would work, and then you go through the various steps that would be used in the implementation project to make that environment work to solve the needs of the customer. Examples of this are for example customer registration, password management, access to your own user account, the ability to invite other users to the system, the ability to have a user administrator, who is able to manage other users and help them in the system, and of course overall administrative tasks from a system administrator point of view.
The training had traditionally been done within Finland but we got more and more requests to do training abroad and we have done training in many different countries. Across the Nordic countries, in the UK, for example, in Europe, in Germany and also as far as the Middle East. We’ve had visitors coming to our premises for training from as far as Australia and from South Africa and we realised a need to be able to provide the training also in an online environment. And we are able to provide now the IAM Academy series completely remotely.
Oscar: We’ve been already talking about IAM Academy. Let’s now hear IAM Academy in action. We’ll bring you now to the classroom where Jesse Kurtto is presenting.
Jesse Kurtto: As Oscar said I’ve been the Data Protector Officer here at Ubisecure since 2018. Entire books have been written about how data will be the most valuable commodity in the world and it has certainly launched many companies to trillion dollar level revenue – for example Alphabet (the mother company of Google), Microsoft, Facebook, even Twitter… They are all humongous companies, and they all deal with data. And some go even further. That no data is not just the new oil, but data is gold and needs to be horded, just like the California gold rush. So, if we take this that data is the new gold for this century, then personal data must be at least platinum.
The GDPR means that personal data must be collected and processed fairly and transparently, that the personal data should be kept accurate and up to date, be held for the minimum time necessary, and of course, be secured from any unauthorised access.
Here is a good example. This company, Acxiom, and like many others, it is US based, based in the Silicon Valley (California). Consumer analytics provider. And in their own web pages they proudly list their data sources. It includes governmental data bases, data aggregators and de-anonymisers (interesting), mobile apps (surprise, surprise), social media and, perhaps a bit surprisingly, payment industry.
Basically, what they do is that they aggregate all your purchases together, for example based on your zip code or street address, and sell that information in bulk. In the image here you can see an example of the three thousand attributes and scores that Acxiom provides for their paying customers. And there are quite many interesting attributes here. Purchases made of course, age, gender, education, employment, political views, loans, income, net worth, religion and, of course, one of the nearly 200 ethnic codes.
Of course, it goes much deeper than that. This is a famous case, if you take closer look, it was from 2012. And this was before the age of machine learning. How Target, an American supermarket chain figured out that a teen girl was pregnant before she actually told anybody about it. Her hospital visits, the morning sickness pills she bought, the baby clothing she browsed online… That painted clearly a picture that hey this woman is pregnant so let’s start spamming her like crazy about baby-related equipment. And of course, her parents were confused. Why do they suddenly get tens and tens of brochures about baby carriages, new baby health insurance, such things… And it turned out that she had not told everything to her parents yet. And in the end the parents actually apologised Target which they first accused of mis-profiling her. GDPR seeks to change all this.
Tips: how to survive the GDPR ordeal? First of course is to keep in mind that it’s not rocket science. It is basic sense. If data is a valuable asset, then it should be safe guarded, like any other valuable asset.
Many of the issues with the GDPR, like how to ensure that data is accurate, up to date, how to ensure that people can exercise their right to be forgotten, is to simply let the users manage their own data. And in order to do that, one of course thing is to authenticate the user and then authorise them. And surprise, surprise, as somebody working in a CIAM company, CIAM seems to be a perfect job for this. Don’t you agree?
The second point is of course to give any application services, third parties, only the data they absolutely need. For example, using authorisation policies in SSO. They can’t leak what they don’t have, they can’t be hacked for what they don’t have to begin with.
Oscar: Fast forward to 2022, billions of people are enjoying Internet services, playing games, shopping online, trading stocks from a mobile phone, with the security and user experience that IAM has brought. However, on the flip side, the companies and organisations that run these services are facing higher complexity: deploy cloud or hybrid, how to secure an API, how to balance security and user experience? To make things worse, new buzzwords have invaded the language around IAM: zero trust, self-sovereign identity, IDaaS, Web 3.0, etc.
Understanding IAM well is crucial for professionals across companies, not only for the IT folks as it used to be in the beginning of the century.
To hear an opinion about the future of trainings about IAM, we invited Vinay Sawarkar, CEO and Founder of Claidroid in India to share his views.
Thinking of today’s Internet services and looking towards the coming years, how important is it for professionals, especially IT professionals, to understand Identity and Access Management?
Vinay Sawarkar: In the pre-pandemic days, remote access used to be provisioned by organisations only for select employees through VPN and that too from a few identified highly secure desktops or laptops. The importance of Identity and access management was realised by the organisations during the recent pandemic when practically all interactions of the organisations went online, and several unprepared organisations were cyberattacked. With no identity governance and audit, coupled with misconfigured devices, a large number of incidences of compromised privileged access have been reported, which allowed hackers to gain unrestricted access to critical resources of the organisations.
It is, therefore, very important for professionals to understand IAM solutions, since Identity and Access Management today is the first cybersecurity mechanism at the perimeter of the organisation to prevent access to unauthorised intruders by authenticating the identity of the individuals. IAM solution provides an enhanced level of security with multi-factor authentication with mechanisms such as one-time passwords or biometrics etc. to ensure that the right resources are accessed by the right users.
Since the organisations have access to sensitive and personally identifiable information of users, it is the responsibility of the organisations to deploy robust and industry-leading IAM solutions to ensure compliance with regulations such as GDPR or its variations across other countries – for example upcoming Data Protection Act in India. A good IAM solution avoids storing such personally identifiable information, using third-party identities.
The current trend is that organisations insist on certifications of the professionals and ongoing renewal of these certifications on the relevant platform as a prerequisite qualification for the job or, many times, for executing customer projects. Having a certification also demonstrates the commitment of professionals to continuously enhance their skills, helping professionals to be more efficient on the job.
In the area of IAM, for example, the certification ensures that the knowledge of the professionals is upgraded constantly and is in line with the evolving standards in the IAM space. It also gives the confidence to the customer that the professionals are well trained and technically proficient to implement leading IAM solutions for the organisation.
Oscar: Identity and Access Management never stops evolving and creating innovative solutions. That’s how today we already enjoy getting rid of passwords and authenticating with our faces from a mobile phone. Some of us can order a new passport or driving license 100% online and securely.
To make sure all the innovations in IAM become successful Internet services, training is the key to making sure that all the professionals (developers, designers, UX specialists, business owners) are well equipped to provide their customers with the best experience and solutions on the market.
The good news is that— unlike the beginning of the century — today one can easily find pathways to learn Identity and Access Management. Today there are universities teaching IAM, there are masterclasses, there are trainings with certifications.
So choose your pathway and join us in this learning adventure. The best of IAM is still to come!
This was a special story episode of Let’s Talk About Digital Identity. Thank you to our guests David Doret, Jesse Kurtto, Vinay Sawarkar and Keith Uber. The story in this episode was produced by Elena Sanz, with help of Francesca Hobson and me, Oscar Santolalla.
[End of transcript]