Let’s talk about digital identity with Keith Uber, VP Customer Success at Ubisecure.

In episode 53, Oscar and Keith explore the role of Identity and Access Management (IAM) in Mergers and Acquisitions (M&A). With the importance of customer experience at the centre, Keith and Oscar discuss standards considerations, available options and practical steps for successful consolidation of IAM systems.


“The most important part of mergers and acquisitions is that the customer is the value of the company.”

“Take advantage of the opportunities that moving to a new identity and access management system can provide for customers.”

Keith is VP Customer Success at Ubisecure. As an Identity and Access Management product expert, he leads the Sales Engineering team and is involved in many stages in the planning and design of demanding customer implementation projects. Keith is active in various industry organisations and has a keen interest particularly in government mandated digital identity systems. He holds a bachelor’s degree in I.T. and a master’s degree in Economics, specialising in software business.

Check out Keith’s blog and comprehensive white paper on the topic of IAM in M&A:

Connect with Keith on LinkedIn and follow him on Twitter @keithuber.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining today. After some time we are having a guest from the house, from Ubisecure, and he is a guest who has been in Ubisecure for 12 years. So let me introduce to you, Keith Uber.

He is the VP Customer Success at Ubisecure. As an identity and access management product expert, he leads the Sales Engineering team and is involved in many stages in the planning and design of demanding customer implementation projects. Keith is active in various industry organisations, and has a keen interest particularly in government mandated digital identity systems. Having been involved in dozens of IAM implementation projects, he is quick to identify organisation’s needs, and provide suitable configuration, integration and roadmap guidance.

Hello Keith and welcome.

Keith Uber: Hello, Oscar. And thank you very much for having me. It’s a pleasure to be here.

Oscar: It is really great talking with you. You had really long experience in Ubisecure and in the industry so have super interesting things to tell us. We will talk about mergers and acquisitions today. But before that, we’d like to hear a bit more about yourself, so please tell us your journey to this world of digital identity.

Keith: For me, digital identity became part of my career when I moved to Finland in 2000. So this was the height of the .com boom. I got a job working for Sonera, which is now Telia, one of the largest Telco operators in the Nordic countries. As part of that role, one of my jobs was to help Telia to combine the login systems for various small start-up companies, various small projects that they had acquired during the .com phase. They acted as a kind of a technology incubator for many small companies too so they had a huge portfolio of disparate services, all with different ways to sign in and authenticate. That’s where my journey started.

So I have a background as a software engineer. I have a Bachelor of IT and previously worked in logistics field as a software developer. But after moving to Finland, I later studied software business then continued after graduation joined Ubisecure and I’ve been working with identity and access management, particularly customer identity and access management ever since then. So in various roles I have been involved in so many different customer projects, not only individual customers, but also entire industries or government services that are going online. So I’ve been really fortunate to have a wide range of experience in quite a short amount of time.

Oscar: Very interesting. Sounds to be your first contact with digital identity there in Sonera – was the previous name for what is Telia today. So you mentioned several small companies that they had these challenges of authentication, login, registration, this kind of stuff. I’m guessing, we talk about 2000 is that there were not standards like we had today about digital access management. So well, I can imagine challenging has been that time, today, still challenging, but we have standards, and that is great.

But also that comes to the topic of today, right? So company can acquire smaller organisations. And one of the challenges is, for instance, if a company – let’s move from Telco to, let’s say e-commerce – can be a big e-commerce place acquires a smaller one, another e-commerce place, and what the customers would, by knowing that if they read that on the news, they will expect that “OK, and now I can log in from one place to another automatically, right?” That’s what the customer would expect. I think that’s one of the challenges I guess you are going to tell us more. But in your opinion, why is identity an important topic when it comes to mergers and acquisitions?

Keith: I think the most important part of mergers and acquisitions is that the customer is the value of the company. They’re the consumer who is buying the services or the people interacting with the company. So in a merger or acquisition or divestiture, when a company splits into two, it’s important that you retain those customers, that you don’t by mismanagement or mistake accidentally isolate your customers, make it difficult for them to sign in, or make it difficult for them to start to enjoy the services of the company that you’re also acquiring. So that’s all about keeping that valuable asset, keeping the customer happy.

Oscar: Yeah, I agree because it might be that you, as a customer, one can be super happy with a service, with a company. And after that, after the merger/acquisitions, well, things don’t work so smooth anymore for the customer, right? And that can make as you said, have the customers unhappy.

Keith: In most cases, mergers are all about acquiring some type of complementary company or company that offers a service that is enjoyable for the current user population. So it’s all about allowing them to start to consume more and more services so you get more revenue for every customer.

Oscar: Exactly. So now if you put the shoes of company that knows that they are going to be merged or there is acquisition already in place and start to plan how we are going to merge the systems, et cetera. What are these, for you, are the top, the key identity considerations that this organisation has to go through?

Keith: You spoke about the importance of standards and how the industry has really standardised on some key identity standards. So for companies who are looking to grow through either being acquired or acquiring other companies, it’s important that they have their identity management under control. They’re using standardised systems, they’re using the same standards that other services use, that makes the migration and integration process much, much easier.

And part of that underlying is all about data quality. So making sure that you’re keeping your user information, your user database, not only secure but up to date that it’s full of verified and valued information that could be easily used to match accounts as you go through that merging process.

Another really important thing is to really plan carefully about how that merger will look from the end user perspective, what will they retain, which account will they retain, will become their core account, or will you allow the customers to sign in using both types of credentials that they already have? And then what’s the timeline, for example sunsetting the unused or the system that will be turned off.

Generally, in terms of mergers and acquisitions, you want to simplify the IT systems by merging them and then sunsetting or turning off the system that you don’t choose to continue with. And that’s all about reducing the overall costs for not only licensing of the system, but also uptake and management of the system and simplifying the IT architecture to reduce, for example, simple things like customer support, when somebody has trouble logging in, or resetting a password, or enabling a new authentication method that is common across the whole organisation.

There’s a slight risk there that by combining multiple systems, even two or three into one, you’re also putting your eggs into one basket so there’s of course a risk of having a single point of failure. But on the flip side, you have more people, more IT resources looking at one system, focusing on one system and having expertise in that one system and keeping that up-to-date and smoothly running. And all modern identity and access management systems are fully reliable at scale in that type of scenario.

Oscar: And I guess also, one point is we’ve been talking mostly about customers, but about the workforce, about the employees I think they are also important considerations.

Keith: Oh, absolutely. The backend staff, who need to access these systems, and as the internal employees also merge, you want to make that as smooth as possible so that the company that’s being acquired, they also feel like fully-fledged employees, as soon as we can.

During this mergers and acquisitions process, often the process is followed very, very closely, especially for publicly listed companies, and you want to try to achieve merging both IT systems as quick as you can, so that you can show that the corporate acquisition has been a success on both the technical level and on a sales level. So in terms of planning for an IT organisation, it’s important to start that planning very early in the process and getting ready and planned well, so you can do that quickly and efficiently, and move to that new common platform as quickly as you can.

Oscar: Yeah, I think you mentioned the fact that the system has to be consolidated, you know that that’s the biggest part of these projects of identity and access management, in cases of mergers and acquisitions. So to start seeing, what are the drawbacks and the benefits of consolidating these systems?

Keith: The benefits I would hope would be improved information security, probably moving away from an older legacy style identity access management system to a newer one. You bring with that new functionality, which might simplify the IT architecture. So for example, rather than having custom registration processes or custom tools for user management, you might move to out of the box solutions where those facilities are provided as a standard part of the package. In many cases, you might combine the move with a move from on-premises to cloud. Most companies are moving towards the cloud, if they have that on their corporate strategy for IT then they can make that change either at the same time or prepare to do that shortly afterwards.

The risks, as you say, is a very simple thing can be if, for example, consumer facing services, a lot of users are already logged in to devices, or they’re already logged in with their browser and different password managers, different browsers and applications remember the user in different ways. And if you start to upset the flow of how those passwords are remembered and presented to applications, you can very easily sort of lock your users out. For a wider consumer population, the sheer frustration of having to remember their password or go through a password reset process can be a big difference, it’s a difference between giving up and downloading the next app of your competitor, so it requires a bit of careful planning to make that flow as smooth as you can.

Typically in that system, you’d allow the users who are migrating off the old system to sign in once using the old system. Ideally, you would be able to migrate any existing password hashes from the old system to the new system, or have a very smooth onboarding flow to allow them to either set a new secure password or log in using a strong authentication method, either government or banking ID used by users in that region, or some other existing strong authentication method that the user already has.

Oscar: That reminds me of some cases of being involved in which the passwords have been hashed, has to be of course, but long time ago, and when there were less agreed standards about that, and that can be tricky if the system that is – the new system that is importing these hashed passwords is not compatible with the old system. So that can create, of course, can create problems, so that’s why standards is – fulfilling the current standards, and of course, also having some backward compatibility. It’s super important into this.

Keith: There are really simple benefits, for example, in many older legacy systems, the username is based around either a randomly generated number or letter combination, or it’s provided by the user themselves. And for many end users, it’s a challenge to even remember what their username is.

In the extreme situations, we see corporate systems, for example, B2B systems where the customer needs to put in not only the customer number, but they also put in a user ID as well as a password. To migrate to a system where you maybe simplify that more like consumer facing services where you could either centralise around using your email address as your identifier, which is much, much easier to remember. Or allow the user to link their account to an existing account, such as a social media account, or LinkedIn, or other Microsoft account, for example, to allow the users to sort of move away from having a proprietary username format, and move on to having, for example, a corporate email address or their personal email address as their account identifier.

Oscar: Yes, and now moving to how to make this consolidation in a good way, how to have success in this CIAM consolidation, what are the – what’s a good approach? Could you tell us the main points about that?

Keith: Yeah, I touched earlier the importance of data quality. So to make sure that the data is clean before you start to do any type of migration, it’s really important to understand what data in each system is and how it’s validated and make sure that those formats are valid in the new system. There’s a very clear decision point of to which system you’re going to migrate, which system will be the ongoing system in the future. So typically, that would be one of the two existing systems, to the more modern of the two, to the one which is with the more capabilities and more features, longer lifecycle.

But it may be that you choose a third system, a new system to replace both and migrate those systems to the new. And that provider, for example, jump forward, for example, to support newer scenarios, such as not only different types of strong authentication techniques, or identity protocols, but also things like identity delegation, or electronic power of attorney, these types of services, which existing legacy systems might not support out of the box.

From the end user perspective, so whether they’re B2B users or consumer users, it’s really important to have very clear communications that, OK, the company has been acquired, the name is possibly changing, the brand is changing. Please be aware of this from the very beginning. And then very clear communication about when things change in the IT system. So allow the users to be aware that when they log in their login screen might change, might look different. They might have to set a new password or re-verify their email address, for example. It’s really important to have that communication in as clear user focused language as possible.

Oscar: Yes.

Keith: A lot of IT teams make the mistake of using the language that they understand and not the language that their user understands.

Oscar: Yeah, I have seen actually some examples like that. I don’t remember the names, but sometimes come one email saying “OK, we are having this transition to a new brand.” And it looks so simple that “OK, yeah, nice.” And other times it’s completely techie jargon, then “Oh, my God, what are you talking about?”

Keith: That’s right, yeah. Then you have to decide whether to move everything in one go. So have a certain date where you migrate everything in one go, do a big bang approach. Or you’re migrating applications, sort of one by one or user groups one by one. Some of that can be done, for example, as the user logs in, you can migrate users on a user-by-user basis. Or it kind of depends how much the applications are shared across the different companies; how many users use applications from both of the companies involved in the merger.

Oscar: So those are the main points for consolidation of identity and access management systems.

Keith: From a technical perspective, it’s important to try to identify if there’s a common attribute between those two systems. So if you have a trusted attribute from each of the user repositories, for example, an email address that has been verified or a phone number that has been verified, even identity number, social security number or national identity number. These can be used as common attributes to allow automated migration of users so that they can log in automatically. In cases where, for example, password hashes can be migrated, or where the user is signing in using a government or national ID platform.

Oscar: Yes. And in terms of compliance, normally, what are the compliance points that are relevant in this type of projects?

Keith: Yeah, so particularly, it’s around collecting consent where required from the user about other data is going to be, maybe data controller will be processed or will be changed during that process. So using again your IAM tools to collect that as the user signs in again, explaining that and communicating any changes to the terms and conditions. In cases where the system is in different geographical areas or different legal jurisdictions, there may be requirements, for example, for storage of user data within certain countries’ boundaries. So you may have to replicate data or have data stored within a region, you have to think carefully about those situations, especially in global or cross regional mergers and acquisitions.

Oscar: Yeah, yeah, certainly. And we’ve already touched in several aspects beyond the technical, the technical side, of course. We talk about standards, we talk about security, but we also talk about compliance for instance. And we talk about branding and how to communicate these things. Many people are definitely involved in all these projects that are connected to the migration of identity and access management. But this is way beyond what identity people work on that. So if you can close telling us what is your ending piece of advice, advice for companies that are today planning on mergers and acquisition?

Keith: I’d say definitely take advantage of the opportunities that moving to a new identity and access management system can provide for customers. So for example, if you haven’t been able to take advantage of things like linking accounts to existing user accounts, allowing users to have federation – meaning that when they’re signed into your system, they can also sign into complementary services, giving the users new tools around managing their own account, having a really good user dashboard and a way to agree or modify their permissions for the system.

I think beyond just the raw savings in turning off one system, or reducing the support costs for having to deal with multiple different systems, there’s real advantages in moving to one common system that has the new corporate brand, is smooth and secure for the end user, and gives them also new functionality.

They see that, “OK, it’s the advantage is I get to sign in. But oh, I also get this new thing. I also get a more secure account or easy way to sign in.” I think that’s something to use as an advantage in that. Also, a real big move and a real good opportunity is to think about at that stage moving to the cloud, if you’ve been hesitating about moving your identity and access management system to a cloud-based service, it can be a good time to do that during a merger and acquisition.

Oscar: Indeed. And as one of these last things you are talking about and – is one of the first things you talk about today is a customer, taking the opportunity to bring a better experience to the customers.

Keith: The way you sign in is often the front door for the service, the first place that the user ends up in when they click on a link from marketing or when they’re trying to login to their own account and you want to make that as a smooth process as possible.

Oscar: Yeah, exactly. Well, thanks a lot, Keith, for telling us this about mergers and acquisitions. And for the people who would like to follow, continue this conversation with you, what are the best ways to follow up or get in touch with you?

Keith: Yeah, the best way to get hold of me is in LinkedIn. Look for my name, Keith Uber, you’ll find me there and please send me a message via LinkedIn. It’s been a real pleasure to talk to you today, Oscar. I look forward to hearing more episodes with you in the future.

Oscar: Thanks a lot. It was a pleasure talking with you, Keith. All the best.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]