Let’s talk about digital identity with Jesse Kurtto, DPO and Data Scientist at Ubisecure.

Is now the right time to invest into Identity and Access Management (IAM)? Join us for episode 101, as Oscar is exploring why now is the right time to invest into IAM with Jesse Kurtto, DPO and Data Scientist at Ubisecure – as they delve into the current economic situation and some of the key factors of investing into identity management.

[Transcript below]

“Digitalisation is ongoing, it’s accelerating, it’s unstoppable.”

Jesse Kurtto

Known as the guy who shortened the world and lived to tell the tale, Jesse’s career is gradually arching from the Wild West world of finance to his current position as the DPO and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he’s no stranger in exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is putting the hiking boots and RPGs aside for a moment in order to write to his beloved snail mail friends across the world.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 101.

Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Oscar: Is this the right time to invest in Identity and Access Management? This week Jesse Kurtto from Ubisecure has joined us to answer this question and discuss the current economic situation. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar: Today’s guest is Jesse Kurtto. Jesse’s career has gradually arched from the Wild West world of finance to his current position as Data Protection Officer and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he is no stranger to exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is writing to his beloved snail mail friends across the world. Welcome Jesse.

Jesse: Thank you for the invite, Oscar. Nice to be here.

Oscar: Great having you, Jesse, definitely. We’re going to have a super interesting conversation about the market in Digital Identity and Identity and Access Management.

First of all, we always want to hear more about our guests. So please tell us a bit about yourself and your journey to the world of digital identity.

Jesse: All right. So, like many or even most of us in the digital identity field, I actually never really actively sought to be an IAM specialist on purpose. And my personal background is actually not in technology at all, but in finance, and investing more specifically. So, a chance encounter, and I liked the people who interviewed me and decided to stay for a while, and that while has been over seven years now. And I’m still learning something new every day, checking out what the world of digital identity is really like, and frankly I haven’t ever regretted the decision. No two days have really been the same and the field continues to evolve and develop quite a bit every year.

Oscar: Yeah, excellent, and definitely here at Ubisecure we appreciate having this – well, call it a blend of knowledge – the financial market, not lesser than what you bring with the security and digital identity knowledge, very practical knowledge you also have. So, it’s always super interesting having those conversations with you.

And for the first time here on the podcast, we are going to have a bit more of a financial touch on that – what is coming, especially this year, and I think also in the years to come. The previous year and the year to come, I think – we are already at the end of 2023, in which, well, the financial situation is not good, as we’re going to talk about. But of course, no matter how the economy is, companies and organisations have to protect their services, have to upgrade the services, maintain them, so they have to invest some money in that.

So, from the perspective of companies who today need to upgrade their digital capabilities, what would you say is the piece of the current macroeconomic situation that they should know well? So that was at least what they should know well, from what is happening now?

Jesse: Well, first of all, we all know the macroeconomic situation hasn’t really been dancing on the roses over the past few years. But first, we had a massive shock with the COVID pandemic starting from spring 2020. Then we got massive economic stimulus to recover from that slump. And right after we were starting to climb up, then the war in Ukraine saw that all kinds of new problems everywhere around the world seemed to emerge just within three or four months.

The energy uncertainty in Europe, and the economy went down the drain, and the macroeconomy is in quite a difficult situation here in Europe. We would actually want to have some kind of stimulus in order to recover. But at the same time, we are suffering from quite persistently high inflation, which makes any kind of stimulus package basically equal to pouring more gasoline on the flames.

So, the European bank is really between a rock and a hard place here. And I can only look over the Atlantic to the States and be very jealous at how they are able to both fight inflation with high interest rates, five and a half percent as we speak, and meanwhile still have a blisteringly red-hot labour market all the same.

So, my first point would be that not all markets are equal. And the second important point is that now is actually a really great time to invest in any digital capabilities, including digital identities. Because now, we are in the middle of a small recession in Europe and investing in recession has historically been the very best time to invest in growth.

And if we think for a while, it actually makes perfect sense. After all, the alternative is to invest in the middle of a growth season when everybody else wants to invest in growth as well. Pushing prices even higher and reducing the availability of experts to help with these transformation projects. But now it’s still for a while kind of a buyer’s market.

So best time to invest in future growth is now.

Oscar: So, time to invest is now.

Jesse: Yes.

Oscar: Okay. So, let’s go into what – because there are many things that a company can invest in now and many things that many companies might need. But if you were one of the chief executives, like a CISO, or someone who is among the top decision makers in companies, and there has to be some budget for digital identity. Thinking, first of all, broadly. Broadly, but in digital identity, what would be the most important products that today would be the top priority for buying now?

Jesse: Today I would say that the absolute top priority would be to establish really low friction user journeys from the very beginning, account registration, to the actual purchase, including solid online self-service. And now this low friction user journey is in no way mutually exclusive with security or compliance, but it is actually reaping the benefits of digitalisation. Digitalisation is ongoing, it’s accelerating, it’s unstoppable.

So, the question for every organisation is – should they try to fight this change to the last, or embrace it and be among the first to actually reap its benefits. It’s actually interesting because, with my background in finance, many finance sector operators were among the first to embrace digital identities, but they kind of stopped halfway there: “Okay, we can build self-service portals for our users, but for many, many procedures we still require hand signed paper documents being sent via physical mail.” And this is really only reaping a very small part of the benefits of digitalisation. So, there is plenty to go.

Oscar: Yeah. Interesting what you say about financial services. That’s correct. For reasons of security, they had to always be at the latest technology for security. But some of the processes have been, as you say, very old fashioned, like the old school, a lot of paper, fax I think is still used, or cheques. So, these kinds of things.

Jesse: Oh yes, those ones too.

Oscar: Still alive.

Jesse: Yes. And it truly hurts the user experience a lot. It even causes direct missed opportunities. Let’s say a new bond is coming to the market and you wish to buy a piece of it and participate. But if it takes three or four days just to do all the paperwork, then the opportunity has simply passed.

Oscar: And indeed, the price changed completely. Okay, so you say that the top is to – the user journey has to be digitalised. So, what is the category of products that address that?

Jesse: I would say a real CIAM system would be the one to go for here, and not try to build the user journey from, let’s say, 4 to 6 point solutions and then somehow glue them together. I think the best solution would be an IAM solution that’s designed for the whole user journey from scratch and not something homemade or patched together.

Because business grows, as it will eventually grow; no recession will last forever. And as user numbers pick up, suddenly there’s a nightmare of issues from having 4 to 6 different vendors and trying to keep their products up and running with ever increasing user numbers. And that again is doing digitalisation the wrong way, if I may say.

Oscar: Yeah. CIAM being – so how, well, the evolution of, more broadly speaking, Identity and Access Management. Maybe you can give us an overview of that evolution of Identity and Access Management, what – how we started and what we have today.

Jesse: Yeah, that’s a very interesting topic. The roots of IAM are in big enterprises’ internal needs: once employee numbers grow to a certain level, they can’t be managed with Excel sheets or pen and paper as before. But these kinds of internal IAM solutions scale and fit really badly for end customer facing journeys. Internal users can always be taught how to use some kind of system, even if it’s not immediately logical or it feels unwieldy.

But for the customers, it’s not realistic to expect that they would spend tens of minutes or even hours to learn how to use some kind of system to log in. And no, they would simply instead put down their laptops, pick up the phone and call your customer service. So, it will actually just cost you more money to have this kind of system.

And now, in the past ten years, there has been massive uptake of different CIAM systems. And lately, let’s say after the pandemic, it’s interesting to see that now the full circle is coming back towards internal users with remote working. Remote working, different kinds of partnerships, there are more kind-of-internal and kind-of-external users than ever, and trying to keep these as fully separate groups is very challenging.

Oscar: Yes. So, what about the investment of a company in Identity and Access Management? So what does that imply if the company does not even have, let’s say, a first personal CIAM or an open source one, something that they started? If the company really doesn’t – which actually surprises me – you discover companies don’t have almost anything like identity and access management, and they are looking for some solutions, or they know that they need it. Maybe the decision has not come yet.

So what would you say is important for the buyers to know about the product, the Identity and Access Management product?

Jesse: That’s an interesting detail, what you said, that there are still about 20-25% of companies in Europe that do not have any kind of Identity and Access Management system in place. So, one could argue that every IAM company’s worst competitor is doing nothing. But to the question at hand, I’d say scalability is one very important thing, and compliance. If one doesn’t have any kind of identity management system in place, then it’s extremely hard to tell where and by whom the user identities are actually stored.

And of course, that is a massive no in the eyes of the GDPR, and these kinds of adventures just don’t usually end well. So the first job would be to map out how many identities there are in the first place, how it has evolved over the recent quarters and where they are located, how many systems are actually connected, including partners, including systems like, let’s say, payroll providers, insurance providers, and usually the number is quite surprising. It can often be more than ten individual systems.

And now managing all these identities from a single centralised place is frankly a godsend compared to trying to manage a sprawling network of identities, some here, some there. And of course, centralised identity management also brings massive security benefits. For example, if you wish to revoke the access for, let’s say, some external consultants that have already finished their projects, you only have one place to do it, or you can even automate it.

But if the identities are in ten systems, 15 systems, then it’s really easy to forget just one. And who knows, maybe five, ten years later, one of those passwords will get breached and now the attacker gets to your system for free.

Oscar: Yeah, what is normally called silos, identity silos. Having so many data repositories and, through the years, it’s easy to forget; at least a couple of those are forgotten, but they are still there somewhere, in some machine, in some server. So, the data is there.

Jesse: Yes. And of course, I’ve heard many times the counterargument that it’s not wise to put all eggs in one basket, but when it comes to information security, we as the defenders must secure every single system that we use. But the attacker only needs to find one weak system to exploit.

Oscar: Yeah, yeah, exactly. They can just find the forgotten one, the one that nobody remembers that.

So, what should the company – the buyers – ask for from a technology vendor? So, from a CIAM vendor? So, what are the most important things that should be asked of the vendors?

Jesse: I would ask them to demonstrate the self-service capabilities first. What exactly can the users accomplish and not accomplish without external help? Meaning customer service assistance. Because that sets quite stringent limits on the benefits of digitalisation. And of course, all the usual user journeys should be handled by the system automatically. So, I would guess that any IAM project touches that deeply.

So, I would first describe the challenges we are facing. And then I’d ask the vendor to explain, just in plain English, how does the solution work and how does it actually solve the challenge that we just presented? And after all, one should never invest in anything that one doesn’t understand.

Another point I would like to address early in any IAM project is what is actually included in the price and what isn’t, in order to actually accurately measure the TCO and how it would evolve as the internal and external user base grows. And for example, there are many vendors out there that charge ten to even a hundred times more for internal users compared to external users, and that’s not usually put in large print on the front page.

And finally, I would discuss any coming changes in legislation, because I would be very interested to know whether any changes will be covered under the current proposal or will it incur an additional project and additional costs in the future. Change is, after all, inevitable.

Oscar: Yeah, I think that’s very important. We know that in the European Union the digital wallet is coming. Well, how many years do you predict at this moment?

Jesse: I’m optimistic and say late ‘24 launch for some countries. ‘25 mass adoption and hopefully organisational identities soon after.

Oscar: Yeah, and that’s something that I think very few people would argue that will not have some considerable success, because there’s a lot of time invested by people preparing all these new standards in this part of the evolution. What we have been seeing before with Self Sovereign Identity (SSI), the wallet itself is something that is already becoming very popular on the commercial side. So that will come in.

Similarly, in other geographies there will be similar initiatives, there will be new regulations. So that, through all this, the vendor has to offer that, has to tell whether they offer it or not. So that’s definitely a good, good aspect you mentioned.

Jesse: Yes. And the commission has made clear goals here to avoid repeating the mistakes of the eIDAS 1.0, that was supposed to bring cross-border digital identities to Europe. Well, we all know that it was a commercial failure, but they have really learned from that, and I have great hopes for the EUDI. Both for personal identities and for organisational identities, and especially for the latter one.

I believe that the market is currently suffering from a kind of chicken and egg problem here, that everybody’s waiting for cross-border organisational identities and not building services because they aren’t here yet. So, we might see the floodgates open in the late 2020s.

Oscar: Yeah. I also believe that a lot will change, more or less, as you say, in the next 12-24 months; a lot is going to change, in a good way I believe. So definitely exciting to be at this moment. We’ve been talking a lot about Identity and Access Management; other aspects, other types of technology are also in the minds of the executives who are going to upgrade their technologies. We heard a lot about passwords in the last year. Well, ‘cryptocurrencies’ is getting a bit more quiet. Today we hear a lot about artificial intelligence.

Would you recognise some technology that is actually underrated, that not many people are talking about, but that these business buyers should be aware of, because the impact will be even bigger than those buzzwords? So, what would you say?

Jesse: I would say that the coming EUDI and its principle of Self-Sovereign Identities is something that might cause quite big ripples in the identity landscape. The very basic idea that it’s the end users themselves who collect attributes and control to whom and when they release those attributes. That is very different from the usual data repository centric view that – okay, we have this database, and we control everything here. Everything is set in stone.

But when the end users actually decide which attributes to release and which not, then one can’t take for granted that, “Okay, we always have every single field in our database filled. Every user record looks similar on a structural level.” That is no longer true and that might cause some changes.

As for technology, I have great hopes for machine learning and especially how it can help accomplish not zero trust, no, but zero friction user journeys. And I don’t mean a strong AI that is still decades into the future, if ever. But simple things like: is the user using a different device to log in or the same device as before? And so on.

For example, I was recently having a quick holiday in the US, and I was frankly quite shocked when I logged into some financial services – using a completely different device that I had never used, at a completely opposite time of day. I was even physically located on a different continent. And no MFA prompts, nothing. Just by inputting my password, I was in.

And that’s a lot of missed risk management there, for both parties. For me as an end user and for the financial service provider. And I believe this is something that will change sooner or later. And of course, I would like, as an end user, for this to work the opposite way as well. That if I’m logging in using the same device, at about the same time of day, from the same city that I’ve done it from hundreds and hundreds of times – then perhaps I could be spared the MFA fatigue and just get in with my password manager’s embraced password.

Oscar: The technology doesn’t bother you when you are in the habitual way of interacting with, let’s say, the banks.

Jesse: Yeah, exactly. It should always take the context of the transaction into account. And frankly, what I would like to see many companies do is a more thorough risk analysis of what they are actually trying to defend against. I can give a real-world example.

About a month ago, I drove to a gas station, put my car to charge, decided that I’ll have a coffee there. Opened the app and saw, hey, there’s an offer for a coffee and a doughnut €1 off. Great.

Okay, it seems that first, I needed to update the app to actually buy. Okay, well, I’ll do it.

Then they wanted me to add the credit card directly to the app, alright. Got an MFA prompt for that.

Then when I actually wanted to make the purchase, I got yet another prompt and confirmation, this time from my bank. That – ‘Hey, in order to buy this €3.50 product, would you please update our app again, and use it as an MFA to confirm this purchase’. For the third time.

And by that time, I had already got a notification that, ‘hey, your car has charged’, and my coffee was cold by then, and I left it there.

So that was the opposite of Zero Friction. That was more of a zero trust like game. But the security solution that’s very fitting for, let’s say, authorising a nuclear missile launch is very different from the security that’s needed to confirm a €3 coffee purchase at the gas station.

And as discussed earlier, I believe this problem stems from the fact that the solution was built from very small parts and every individual vendor only looked after their own interest, only wanted to cover their back in case of any kind of misuse. But nobody took a step backwards to actually see: What are we trying to defend against here? What is the attack vector here? That okay, somebody misuses this app and clones this coupon and gets two coffees and doughnuts for €3 each. Okay, so how much time and money is an attacker willing to put into such an attack? I guess nobody stopped to think about it. And as a result, the whole user journey was just a failure.

Oscar: Yeah, complete failure indeed. A very good way to bring back the very first thing you said, User Journey. Yeah, that’s a specific example of how things can happen. Sounds like a marvellous opportunity, a nice deal, and then it becomes a complete failure.

Jesse, one final question I would like to ask you is – for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Jesse: I would dream that every executive would dedicate one day, one whole day, to actually be an end user for a day and go through their company’s entire flow. All the way from account registration to actually purchasing the product or service that they’re selling. And if there’s time, trying out things like forgotten password resets. And then the next day repeating the same procedure for the top competitor and, even more importantly, their newest competitor, because that is where the threat of digitalisation is coming from.

Oscar: Going to be very revealing.

Jesse: Yes, and it’s important to go through the entire journey. If one simply takes it piecemeal, of course every piece may look perfectly fine. Okay, this works like this. It has confirmations like this. Great. Next piece. Next piece. Next piece. All right. Everything looks fine. But then actually going through the process, one gets hit by four or five different confirmations, forced updates, all kinds of non-user-friendly things, and that won’t fly.

Oscar: Yeah, definitely a very good experiment, an actionable idea. Absolutely. Well, thank you very much, Jesse, for telling us all this about how companies and why companies should invest in digital identity, and why today.

Let us know how people can get in touch with you or follow you or learn more about what you are doing. What are the best ways for that?

Jesse: All right. Thank you. First, I would ask everybody to check out ubisecure.com, and see how we are approaching these problems on the market. And if needed, I would be very happy to have a chat, over a virtual or real coffee, and I can be contacted at [email protected] at any time.

Oscar: Excellent. Again, thanks a lot for joining us, Jesse, and all the best.

Jesse: Thank you, Oscar.

Thanks for listening to this episode of Let’s Talk About Digital Identity, produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.