Let’s talk about digital identity with Simon Wood, CEO of Ubisecure.

In episode 22, we’re featuring a bonus lockdown episode in which Oscar talks to Simon about how the current pandemic has changed, and is still changing, the digital identity landscape.


“Now is the time for the digital identity industry to practice what we preach – security, efficiency, user experience, regulatory compliance.”

The conversation covers the key issues surrounding remote working and digital-first strategies, exploring both the commercial and governmental sides of the situation we all find ourselves in. Simon touches on the privacy aspects of contact tracing, the now ‘blurred lines’ of internal and external users from an identity and access management perspective, and the key role of SaaS to enable fast routes to digitalisation.

As Group CEO at Ubisecure, Simon Wood is responsible for planning, communicating and delivering Ubisecure’s overall vision and corporate strategy to enable the true potential of digital business through modern identity management solutions. 

Connect with Simon on LinkedIn.

As mentioned in the episode, Simon joined a previous episode of Let’s Talk About Digital Identity. Catch up here: https://www.ubisecure.com/podcast/simon-wood/.

Ubisecure provides feature rich customer identity management software and services to help companies reduce identity data breach risk, improve operational efficiencies, and improve user experience.

Find out more at ubisecure.com.

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


Podcast transcript

Oscar Santolalla: Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Hello and thank you for joining today to a new episode of Let’s Talk About Digital Identity. And I am sure many of you, if not all of you, are remote workers right now, so we are going to talk about some of the implications of remote working and what other things have happened because of COVID-19 in this area of digital identity.

And for that, I’m going to introduce for the second time, our guest who has been on exactly 11 months ago, Ubisecure CEO, Simon Wood who was here talking about many aspects about what happened in digital identity in Ubisecure and giving some predictions. And let’s see what happened not only in these 11 past months, but especially in the very recent weeks.

So, let’s welcome Simon Wood. Hello, Simon.

Simon: Hi, Oscar and thank you for having me back again.

Oscar: Yeah, it’s great having you here now. We’re going to discuss a bit different topics because we are living in quite different times, given what happened last year. So let’s jump directly into this. So now that COVID-19 has affected every single industry, how do you see it has affected particularly the digital identity industry?

Simon: Yes. So I mean obviously right now, we are in quite an unprecedented time for all industries. We see a landscape where businesses are having to adapt quickly to this new unfolding situation, start planning for what the situation will become. And we don’t know that yet, but there’s fairly wide acceptance that we will arrive at some new normal as we go forward. Certainly, how interactions have taken place, the default models I think will shift as we go forwards. Priorities will have to be slightly different as well.

Right now as employers, we’re looking after employees as the first priority. We’ve got to serve our customers and make sure that they can continue receiving services that they need. And then kind of the core business itself.

In the general sense, it’s interesting to see how businesses are behaving relative to their stated values, that a number of businesses published. And these are complex times and for all industries, we have to kind of practice what we preach and I think for the digital identity industry that couldn’t be more true. We have the technology base and arguably the responsibility to be flag bearers for the four key aspects that we look to from digital identities – so security, efficiency, user experience, regulatory compliance. Those are areas which will remain key, which are key and that enablement through digital identity is one of the ways that I will see this industry as a whole adapting as we go forward.

So I think that’s going to be a specific requirement for us to essentially practice what we preach around that, and there are some vague silver linings around this as well. And again, in the more general sense, what we see with the ongoing globalisation, which all industries have been going through in recent years, is that brings remote working. And what we see now is somewhat enforced fast track adoption of that. And again, I think it’s down to the digital identity industry to assist organisations with that and help lead the way on that.

Oscar: Yes, definitely as you said, we should do what we preach and now is a good time to put many things that the digital identity industry has been offering, and with relatively low adoption now is the time to put them in practice in both businesses and for the organisations that the people also need.

Simon: Yeah, absolutely.

Oscar: Another thing that we discussed recently in one of our podcasts has been the digitalisation. And digitalisation, one of the conclusions let’s say, we had with our guest, Marjukka Niinioja, and that many organisations already adopted digitisation already for many years, but many are still in the halfway let’s say, so that’s very clear and that’s something that’s halfway and there’s still a lot to do on that. And digitalisation has been a concept that has been talked, discussed and also put into practice of course during the last 10 years at least. So how have things changed today related to digitalisation?

Simon: Yes, I mean digitalisation, does it mean something different today? I don’t think it means something different. How organisations approach it now, I think that’s radically changing right now. As you say, there are varying levels of adoption around the world right now in terms of where organisations are with a digitalisation strategy, with their online virtual service enablement.

I think it’s fair to say we’ve been through a slow evolution over the last what, two to three decades? 20 to 30 years or so? Digital services are being brought alongside existing physical services. So retail organisation has started with high street presence. And then they brought on e-commerce capabilities alongside that. Now I think some people might challenge my use of the word slow. We are living in a time of rapid technology change, but I think relative to right now, what we’ve seen before and up to now has been a slow evolution. Whether we would classify this reflection point right now as a revolution or not, I’m not sure. We’re not particularly talking about new technology at this point. We’re talking about a much broader scale adoption. So I think that’s kind of the underlying landscape behind this.

Without a doubt right now, we’re definitely in a digital first time. We see limitations on physical interaction right now. Many of the countries around the world are in physical lock down right now. We have restrictions on us for the safety of our citizens, people, for protection. Of course, that will evolve over time and that will change. But right now, if your customer engagement strategy relies on you interacting with people, that face-to-face mechanism is no longer there and organisations have to adapt now and really do need to adopt that digital-first approach. So in terms of the interaction mechanism, in terms of how that relationship builds, develops, grows and then ultimately transacts has to move to digital first and eventually face-to-face if necessary as a second supporting piece on that.

And this is not, in itself, new. We’ve seen a number of organisations, a number of sectors, looking towards that model already. Here in the UK, and the UK is certainly not unique in this, we see the rise of online banking. They are not from the established place but from new online only bank providers. They are challenging the market. They don’t have high street presence. They are essentially mobile-first, digital-first touch points for all of their customer base. And the high street banks who’ve been trading with face-to-face customer service there benefit, and are now having to catch up on that really quickly. So we can see already the separation between those who adopted that digital first strategy and those who haven’t.

The second side to this is, it’s actually really interesting to see the effects of digital citizenship as well. So not just looking at commercial supply but also government interaction as well. We’ve spoken before about some of the differences that we see between countries that are based on digital citizenship and countries that aren’t. Obviously from a Ubisecure point of view, we have a very strong footprint in Finland. Finland is very much a digital citizenship-based country.

That presence of a strong highly assured identity has been the norm for a number of years. And now of course, all of the services there, not just government services but private industry as well, leverage that identity. So there are countries that have had a digital first approach for quite some time. If you look at the national culture in Finland, it is digital-first. Everyone expects to interact with services through their mobile device, through their web browser. So there are places in the world where the absolute impact of this has been reduced slightly. Of course, none of that mitigates the human aspects of this. But from a digital first proposition, there are significant benefits from that underlying digital citizenship ecosystem that’s in place and it’s interesting to see the differences in the leverage there as well.

Oscar: Yes, so definitely digitalisation is something that now is becoming more and more important and it makes evident the organisations that had already put more effort into that. Not only on the business side as you said, the supply chain et cetera, but also on the governments. For instance, today with this crisis, all governments are trying to help their citizens one way or another. There are definite types of crisis in every country. And the ones who don’t have a strong e-government, digitalised services, are struggling more to not only to give their support to their citizens, but also even to communicate with them.

Simon: Absolutely. And we can see different principles applying around this as well. So a number of countries are looking into citizen trackers for example to understand spread of the COVID-19 virus and to understand who you might have been in contact with, so they can manage the gradual easing of lockdown situations. Of course, we need to be wary of the negative connotation of tracking as well. But those tracking scenarios are much simpler to deliver in a framework where a strong, regulated – so you know privacy is regulated into that strong identity as well. Where that strong identity exists, it makes those interactions much more practical.

Oscar: Yeah and most likely those tracing efforts are more secure and respect more privacy on their citizens when there is already a digital identity involved in the – already involved, already implemented in the e-government services.

Simon: Yes, absolutely.

Oscar: So switching to another thing. Actually, the first thing I was talking about in this conversation, putting attention into that – most of us are remote workers, some having partly remote workers, people have been doing remote work for a few days a week. But now, almost everybody in some industries has to do it. And that has put some pressure on the companies, to the organisations to also deliver services to allow the employees to access both internal and external services. And until recently, we were discussing very clearly the difference between traditional or workplace identity and access management versus what we do more in Ubisecure that is focused on customers – CIAM. But it feels like this difference is getting much more blurry in these times, so what would you say about that? The influence of remote working into that.

Simon: Yeah, absolutely. And that’s actually a really interesting point. I think what we’re seeing now, beyond anything else is actually a blurring of those lines between what were previously differently targeted segments of identity and access management. So we had a very strong separation between organisations providing employee (or probably more generally workforce) identity and access management and organisations providing external customer/consumer identity and access management.

I think if we take a step back and look at the history of digital identity and how it’s evolved. You know, if we go back to what was kind of the starting point, it was really basic single sign-on delivered by IT departments for the efficiency benefits and security benefits of organisations. That was very strictly for employees. It was highly mandated. It was, in reality, some fairly poor user experiences around that, but it was mandated on the back of security, on the back of corporate protection and so IT could demand this. It gave overall efficiency benefits, but I think it’s quite clear to see that in the initial implementations, the employee was a loser there in the experience and that friction was generated through those deployments.

What we then saw was a move to bringing external identity. So handling customers, being able to interact with customers in a known way, wanting to have an identity there so conversations could be aggregated, transactions could be undertaken more securely with those customers, with those consumers outside of the organisation structure. And we saw there that, what we still see today, obviously, low friction, customer experience, user experience, it’s critical. Abandonment rates of e-commerce transactions, online interactions, are high if there are challenges to that interaction. And that’s where the field of customer or consumer identity access and management came from.

From a Ubisecure point of view, I think we would now consider that external identity management. And we see that extending now not just to customers but also to partners, so supply chains, subcontractors, those kinds of entities who are working with the organisation to deliver services. We’ve seen a rise of cyber-attacks. We’ve seen the strengthening of the direct IT ecosystem, the cybercriminals and they’re going after supply chains as a target to come into organisations. And so, we’re correspondingly seeing the need for that identity management being pushed out to those supply chains as well.

So we’re now starting to bring together the different actor classes that we have involved with the organisation but if you step back and look at some of those supply chains you might use. If you’ve got contractors working for your organisation, they are a B2B supplier to you, but they could be sitting alongside your employees, in some cases doing very similar roles, and that equivalence of work is now kind of blurring that experience. So there are some remaining differences of course. One of the original differences between internal identity and external identity was simply scale. An organisation with 100,000 employees is quite a big organisation and an organisation with 100,000 customers is kind of just starting depending on what your customers are taking from you, that can be quite a small customer base.

Today, most organisations when they build are building for internet scale, so we’re thinking about hundreds of millions or billions of separate identities interacting with the platform, so scale no longer is the challenge that it used to be. Of course there’s complexity there, of course it has to be addressed correctly but that scale is now easier for all parties to handle, to deal with – we have established solutions around that. So the only remaining point you get is user experience, friction, and it would seem a very strange position for us to be in where we said employees didn’t deserve the simplicity and ease of use and capabilities that we give to our customers, to our suppliers, to our partners.

And I think on that basis, we will see this blurring becoming more and more prevalent as we go forwards and I think we will see more and more of the analysts talking about unified IAM, aggregated solutions. And whether in the first instance, they’re delivered through joint partnerships between what were traditionally external providers and internal providers, or whether they are single providers embracing all aspects we will see as we go forwards but absolutely I see that blurring and coming together and delivering the key benefits that we have from identity and access management in a balanced fashion between those internal and external identities.

Oscar: One of the aspects I read some articles on are the onboarding of new employees right now. So what are some of the challenges there, onboarding completely new employees on this right now?

Simon: Yes, onboarding an employee is a different process to onboarding a customer. Although that said, if you consider transaction value and employee transaction value is reasonably high for that employee in corporate terms. One of the points that I make quite regularly is that identity itself actually carries little value. I use the analogy of someone being on a desert island, you still have your personal identity but when you’re alone on that desert island, it’s not worth very much at all. Identity becomes valuable in the context of a transaction.

When companies onboard employees, they are looking to understand a significant amount around that employee because the transactions that they’re undertaking with that employee, be it from a risk basis or simply from a salary and delivery basis are materially high. When an organisation onboards an external customer, it could be for a low value transaction and therefore the onboarding process for that external customer is simpler but it could also be for a high value transaction.

So think about the complexity of a bank onboarding a business customer and the amount of KYC that has to be done is significant. It’s also regulated in that particular example but there is a large amount of Know Your Customer that has to be performed and in some cases, actually the onboarding process for the external identity can have a higher bar than the onboarding process for internal identities.

Now there are ways to look at those things and as we’ve learned through this podcast, there are different ways that can be done, for example LEIs that Ubisecure is also able to supply that can ease that KYC process from an organisational point of view. But when you look at the employee side, that kind of joiner/mover/leaver process is still part of that more generic Know Your Employee if you like, then there are still parallels there. So yes, traditionally, there have been differences between those processes. But as we go forwards, actually I still think that’s part of the blurring lines.

Oscar: Another particular scenario also is- imagine a company, well, many companies are, you don’t have to imagine- just think of the companies that today are suffering because the employees, the majority are now, if not all, remote. They cannot access the applications that they always used to run in the internal network, so the challenge is, okay, opening some of these applications to be accessed through the internet, and so for some business owners, they say “okay, talk to IT, to the CIO, do it immediately because we need this in order to keep the business running”. But what is the complexity behind that in order to do it properly, to do it in a secure way?

Simon: Yeah, there’s a lot of complexity behind that to do that securely. And of course, while the CIO may be wanting to open up and get everyone connected, it’ll be the CISO that’s raising a flag saying “Wait a minute, are we sure that we can do this in a way that’s safe?” I’ve already mentioned kind of four key areas that we see as prominent in a transition to an identity centric era, so security, user experience – whether they’re internal or external users, efficiency and compliance.

When you look at the traditional landscape enterprise applications, they ran inside a closed walled garden of the IT infrastructure. IT ruled that from a security perspective with a fairly iron fist and that gave them security, gave them a perimeter which could be defended. But of course a number of the applications which then existed inside of that perimeter relied on that walled garden to give them their security.

We have of course seen a longstanding transition to cloud, to software-as-a-service and right now, that is really helping with business continuity, so people who have adopted for example Salesforce, that’s supplied externally, you can access that from home as easily as you can and as safely as you can from your desk at the office. So some of those systems are already working in that way. Of course we always have to remember that one person’s cloud is another person’s datacentre. So cloud is really ever a matter of perspective on this and we’re then reliant on these other organisations to make sure that that’s done in the right way. But when you reach the scale of the likes of Salesforce for example, then there’s good reassurance that they’re working in that way.

The main challenge that the CIO or the CISO will have in terms of deploying those applications beyond that traditional premise footprint or walled garden footprint of the IT is balancing those four key areas – so security, experience, efficiency, compliance – and balancing them with cost of delivering that. There are traditional solutions of extending the IT domain into people’s houses, so if you think about a VPN, virtual private network-based solutions, but there are challenges and risks with that because you’re basically extending the perimeter to particular endpoints.

So you’re dragging that perimeter essentially inside people’s homes by deploying a VPN on to a laptop. That can be a workable solution, but you then inherit the risks of mixing those two different environments, so you’re now mixing that home environment with that work environment. Some organisations have very strict policies that prohibit any external use of equipment – that might be viable. But these days with work life balance considerations and so on, there’s generally a blurring of those lines as well.

So we see devices having to handle web browsing sessions for someone to top up their latest Amazon purchase or whatever at lunchtime along with carrying on their normal business function.

So it’s hard to maintain that separation between those two different personas, if you like. And that then leads to those walls getting a little bit weaker as you rely on VPN type technologies. So the other approach, the alternative approach, is to use a strong identity-based approach and have Zero Trust on each application that you’re connecting to. And of course that’s the identity and access management-based proposition around this.

So each application requires authentication of the user and delivers services only as required to that user, it doesn’t rely on running within that walled garden of IT to inherit its security, it will expose a Zero Trust interface, you need to authenticate, it needs to be able to find your authentication details, match them to authorisation for whatever features, functions, capabilities you may have and deploy in that fashion.

Once you’re at that point, of course then you can deliver to every party that’s involved, be they internal or external, in a very symmetric fashion. But it’s not a simple challenge, it’s also not a challenge that organisations should rush into either. And so while people feel under a lot of pressure to deliver continuity right now and of course there’s always significant business pressure. These changes are fairly large changes, they’re not small projects, these kind of digital transformation, digital-first projects. They need to be handled carefully, they need to be handled correctly, you need to work with experienced trusted parties in this and that’s where the various players within the identity and access management ecosystem can assist with that.

Oscar: Yes, but in the second way of solving this problem, yeah, it’s of course identity and access management. And it’s a good time – as you said, it’s not something that you can enable immediately but it’s a good time – to start planning that and doing that.

Simon: Absolutely.

Oscar: Thank you, Simon, for all this. I will ask you a final question. As always, something practical but now focusing on how we are living today – there are more and more digital interactions instead of face-to-face interactions and as you already have explained, there are more cybersecurity threats. So thinking of this, please leave us with a tip, with practical advice for anybody to protect digital identities.

Simon: Absolutely. And I’m afraid, unapologetically, I’m going to actually give the same tip as I gave 11 months ago when I was here. And it ties into the previous point, these aren’t things to be rushed into and the tip that I gave last time is whenever you’re about to make a decision, you get a popup in front of you, just pause, take a few extra seconds to think about what is it you’re clicking on, who is actually asking you to enter credentials, does it look sensible? Just take an extra second to understand the action you’re about to undertake. Does it look real, does it look valid?

There’s an old saying, “Act in haste, repent at leisure,” and I think that’s very true right now. It is a sad state of affairs that we see a rise in cyberattacks at this time, the cybercriminals are exploiting the fact that the people working from home, that people are using not 100% optimised systems to deliver that, there is a reason why we refer to these people as the bad actors. So just take that extra second to think about it.

Of course, the right systems and solutions can help with that, an effective digital-first transition can give benefits around that. It would be remiss of me not to point out that Ubisecure is ideally placed to assist organisations with that transition. We’ve got a lot of educational material on our website, we’ve got long term customer case studies there that show the effects, the results, the benefits of those digital-first approaches and the savings that can be made around that. So from a Ubisecure point, from a personal point, I’d love to provide assistance to anybody looking into this and hopefully become one of those trusted advisors as we go forwards and start to move into whatever that new normal will become.

Oscar: Yes, thank you, Simon, for that final advice. Definitely to take an extra second or minute but yeah, not being rushed to do everything that is prompted, yeah, you never know what’s going to happen. So it’s always good to take this extra precautionary moment. Simon, please finally remind us how we can get in touch with you or follow you, what are the best ways?

Simon: Yeah, absolutely. So we have, as I mentioned, a great website with lots of information on www.ubisecure.com or you can follow us on Twitter as well, we publish a lot of information on there. So there are a number of standard touchpoints that you can get hold of us on, so we’d love to hear from anybody interested.

Oscar: Great. Thanks a lot, Simon, and all the best.

Simon: Cheers. Thank you, Oscar.

Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter at @Ubisecure and use the hashtag #LTADI. Until next time.