Planning for future is hard but is also the best way to keep your technological debt under control. Same apply for the Digital Identity strategy. Learn from the future and act now.
2. Montreal Executive Forum 2018
Future-proof
your Customer
Identity
strategy
To keep in touch
https://twitter.com/IdentityMonk
https://ca.linkedin.com/in/jflombardo
https://x-iam.com
13 years of expertise in IAM
35+ projects:
Strong Authentication,
Identity Management,
Access Governance,
Information Protection.
Proud member of a versatile team of 25+ expert
consultants ready for innovation
3. Did you ever meet a crazy guy
with a future-proof strategy?
5. A ton of customer expectations
Better User
Experience
Efficiency
One set of credentials
Single Sign-on first
Local backup/step-up
mechanisms if necessary
Self-service oriented
Context-based ruling and
decisions
Cross device consistent
Privacy
Consent to use data
Protection of data
Control and traceability
of data usage
Trust
for now and the future
7. Here are the ripples
GDPR was just a first step…
Russian Data Privacy Laws are operational
Australian Data Privacy Laws are
operational
<Insert your country> Data Laws
are coming up
Chinese Data Privacy Laws are drafted
(some) Canadian Data Laws are enforceable
November 2018
8. User control
Low
High
LowHigh Portability
Based on Christopher Allen, stages of online identity
http://www.lifewithalacrity.com
User Centric
Self Sovereign
Centralized
Federated
Strong push for Decentralization
to give full control to the owner of
the data
You
should
be here
Want to know more on SSI?
But TRUST is a foundation of any
business relationship, how will
we maintain it in this model?
To boldly go where nothing is centralized
9. A Decentralization is necessary
B Trust management is fundamental
Always in movement, the future is...
…but we can establish that:
10. Being Future-Proof
1 Not a will to handle all future use cases
2 But a will to act as a foundation for
the future
3 While easing evolution towards modern
postures
11. Great, we already know how to establish trust!
My
company
Trusted
bridge
Trusted
bridge
Trusted
bridge
Trusted
bridge
12. And each one of us knows how to manage Employees’ Identity
This is far more difficult for external people
My
company
Trusted
bridge
Trusted
bridge
Trusted
bridge
Trusted
bridge
Lifecycle
Authentication
Authorization
Governance
Lifecycle
Authentication
Authorization
Governance
Lifecycle
Authentication
Authorization
Governance
Lifecycle
Authentication
Authorization
Governance
13. We are all individual
customers
I’m not
We are often biased when we look at our customers…
14. We are all individual
customers
I’m not
… because many of them are someone else’s employee
15. Then, it makes sense to leverage our Trust capabilities
to decentralize what we control the least
My
company
Trusted
bridge
Trusted
bridge
Trusted
bridge
Trusted
bridge
Lifecycle
Authentication
Authorization
Governance
Lifecycle
Authentication
Authorization
Governance
Lifecycle
Authentication
Authorization
Governance
Lifecycle
Authentication
Authorization
Governance
trust
trust
19. My
company
Trusted
bridge
Trusted
bridge
Lifecycle
Authentication
Authorization
Governance
Lifecycle
Authentication
Authorization
Governance
trust
How to handle the privacy in such a model?
1) Establish consent when joining the
corporation, including for the sharing
with a 3rd party
Consent to
• Collect A
• Collect B
For Internal
use and
sharing with
my company
Valid until
01/01/2019
4) Regularly check for
expiration of consent,
flush is not renewed
3) Ease the first
access of the user to
my company
2) Use asynchronous
provisioning/synchronization of
account information and related
consent metadata
Consent to
• Use A
• Use B
For Business
Analytics at
my company
Valid until
01/06/2018
20. My
company
Trusted
bridge
Trusted
bridge
Lifecycle
Authentication
Authorization
Governance
Lifecycle
Authentication
Authorization
Governance
trust
How to handle the privacy in such a model?
1) Initially, consent may not include
sharing with a 3rd party
Consent to
• Collect A
• Collect B
For Internal
use
Valid until
01/01/2019
4) Regularly check for
expiration of consent,
flush is not renewed
2) Establish specific
consent during checking
for the new usage on 1rst
use
3) Propagate back to his/her
authority the new consent given by
the user
Consent to
• Use A
• Use B
For Business
Analytics at
my company
Valid until
01/06/2018
Sharing with my
company
Valid until
01/06/2018
+
23. Frédéric Parthenais
VP Consulting and Sales
fparthenais@facilite.com
+1 514-262-2328
Jean-François Lombardo
Digital Identity, Trust and Privacy consultant
jflombardo@facilite.com
+1 514-778-5565
Montreal Executive Forum 2018