As the Digital Economy Ramps Up, Expect a New Identity Management Vision to Leapfrog Passwords
Transcript of a BriefingsDirect podcast on how enterprises need new standards to deal with a
lagging effort on identity and access management as the world moves to the cloud and mobile
devices.
Listen to the podcast. Find it on iTunes. Sponsor: Ping Identity
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're
listening to BriefingsDirect.
Today, we present a sponsored podcast discussion on why a stubborn speed bump for the digital
economy has resisted fixing for so long. We're referring to the outdated use of passwords and
limited identity-management solutions that hamper getting all of our devices,
cloud services, enterprise applications, and needed data to work together in
anything approaching harmony.
The past three years have seen a huge uptick in the number and types of mobile
devices, online services, and media. Yet, we're seemingly stuck with 20-year-
old authentication and identity-management mechanisms, mostly based on
The resulting chasm between what we have and what we need for access control and governance
spells ongoing security lapses, privacy worries, and a detrimental lack of interoperability among
cross-domain cloud services. So, while a new generation of standards and technologies has
emerged, a new vision is also required to move beyond the precarious passel of passwords that
each of us seems to use all the time.
The fast approaching Cloud Identity Summit 2014 this July gives us a chance to recheck some
identity-management premises and perhaps step beyond the conventional to a more functional
mobile future. To help us define these new best ways to manage identities and access control in
the cloud and mobile era, please join me in welcoming our guest. We're here with Andre Durand,
the CEO of Ping Identity. Welcome, Andre.
Andre Durand: Thank you, Dana. Happy to be here.
Gardner: I'm glad you are with us on BriefingsDirect. As I said in our setup, the Cloud Identity
Summit is coming up, and at the same time, we're finding that this digital economy is not really
reaching its potential. There seems to be this ongoing challenge, as we have more devices,
varieties of service and this need for this cross-domain interaction capability. It’s almost as if
we're stymied. So why is this problem so intractable? Why are we still dealing with passwords
and outdated authentication?
Durand: Believe it or not, you have to go back 30 years to when the problem originated, when
the Internet was actually born. Vint Cerf, one of the founders and creators of the Internet, was
interviewed by a reporter two or three years back. He was asked if he could go
back 30 years, when he was creating the Internet, what would he do differently?
And he thought about it for a minute and said, "I would have tackled the identity
He continued, "We never expected the Internet to become the Internet. We were
simply trying to route packets between two trusted computers through a
standardized networking protocol. We knew that the second we started
networking computers, you needed to know who the user was that was making
the request, but we also knew that it was a complicated problem." So, in essence, they punted.
Roll forward 30 years, and the bulk of the security industry and the challenges we now face in
identity management at scale, Internet or cloud scale, all result from not having tackled identity
30 years ago. Every application, every device, every network that touches the Internet has to ask
you who you are. The easiest way to do that is via user name and password, because there was no
concept of who the user was on the network at a more fundamental universal layer.
So all this password proliferation comes as a result of the fact that identity is not infrastructure
today in the Internet, and it's a hard problem to retrofit the Internet for a more universal notion of
who you are, after 30 years of proliferating these identity silos.
Internet of things
Gardner: It certainly seems like it’s time, because we're not only dealing with people and
devices. We're now going into the Internet of Things, including sensors. We have multiple
networks and more and more application programming interfaces (APIs) and software-as-a-
service (SaaS) applications and services coming online. It seems like we have to move pretty
Durand: We do. The shift that began to exacerbate, or at least highlight, the underlying problem
of identity started with cloud and SaaS adoption, somewhere around 2007-2008
time frame. With that, it moved some of the applications outside of the data
center. Then, starting around 2010 or 2011, when we started to really get into the
smartphone era, the user followed the smartphone off the corporate network and
the corporate-issued computer and onto AT&T's network.
So you have the application outside of the data center. You have the user off the
network. The entire notion of how to protect users and data broke. It used to be that you put your
user on your network with a company-issued computer accessing software in the data center. It
was all behind the firewall.
Those two shifts changed where the assets were, the applications, data, and the user. The
paradigm of security and how to manage the user and what they have access to also had to shift
and it just brought to light the larger problem in identity.
Gardner: And the stakes here are fairly high. We're looking at a tremendously inefficient
healthcare system here in the United States, for example. One of the ways that could be
ameliorated and productivity could be increased is for more interactions across boundaries, more
standards applied to how very sensitive data can be shared. If we can solve this problem, it seems
to me there is really a flood of improvement in productivity to come behind it.
Durand: It's enormous and fundamental. Someone shared with me several years ago a simple
concept that captures the essence of how much friction we have in the system today in and
around identity and users in their browsers going places. The comment was simply this: In your
browser you're no longer limited to one domain. You're moving between different applications,
different websites, different companies, and different partners with every single click.
What we need is the ability for your identity to follow your browser session, as you're moving
between all these security domains, and not have to re-authenticate yourself every single time
you click and are off to a new part of the Internet.
We need that whether that means employees sitting at their desktop on a corporate network,
opening their browser and going to Salesforce.com, Ofﬁce 365, Gmail, or Box, or whether it
means a partner going into another partner’s application, say to manage inventory as part of their
We have to have an ability for the identity to follow the user, and fundamentally that represents
this next-gen notion of identity.
Gardner: I want to go back to that next-gen identity definition in a moment, but I notice you
didn't mention authenticate-through-biometrics to a phone or to a PC. You're talking, I think at a
higher abstraction, aren’t you? At software or even the services level for this identity. Or did I
read it wrong?
Durand: No, you read it absolutely correctly. I was definitely speaking at 100,000 feet there.
Part of the solution that I play out is what's coming in the future will be stronger authentication
to fewer places, say stronger authentication to your corporate network or to your corporate
identity. Then, it's a seamless ability to access all the corporate resources, no matter if they're
business applications that are proprietary in the data center or whether or not the applications are
in the cloud or even in the private cloud.
So, stronger user authentication is likely through the mobile phone, since the phones have
become such a phenomenal platform for authentication. Then, once you authenticate to that
phone, there will be a seamless ability to access everything, irrespective of where it resides.
Gardner: Then, when you elevate to that degree, it allows for more policy-driven and
intelligence-driven automated and standardized approaches that more and more participants and
processes can then adopt and implement. Is that correct?
Durand: That’s exactly correct. We had a notion of who was accessing what, the policy,
governance, and the audit trail inside of the enterprise, and that was through the '80s, '90s, and
the early 2000s. There was a lot of identity management infrastructure that was built to do
exactly that within the enterprise.
Gardner: With directories.
Durand: Right, directories and all the identity management, Web access management, identity-
management provisioning software, and all the governance software that came after that. I refer
to all of those systems as Identity and Access Management 1.0.
It was all designed to manage this, as long as all the applications, user, and data were behind the
firewall on the company network. Then, the data and the users moved, and now even the business
applications are moving outside the data center to the public and private cloud.
We now live in this much more federated scenario, and there is a new generation of identity
management that we have to install to enable the security, auditability, and governance of that
new highly distributed or federated scenario.
Gardner: Andre, let’s go back to that next-generation level of identity management. What did
you mean by that?
Durand: There are a few tenets that fall into the next-generation category. For me, businesses are
no longer a silo. Businesses are today fundamentally federated. They're integrating with their
supply chain. They're engaging with social identities, hitting their consumer and customer
portals. They're integrating with their clients and allowing their clients to gain easier access to
their systems. Their employees are going out to the cloud.
All of these are scenarios where the IT infrastructure in the business itself is fundamentally
integrated with its customers, partners, and clients. So that would be the first tenet. They're no
longer a silo.
The second thing is that in order to achieve the scale of security around identity management in
this new world, we can no longer install proprietary identity and access management software.
Every interface for how security and identity is managed in this federated world needs to be
So we need open identity standards such as SAML, OAuth, and OpenID Connect, in order to
scale these use cases between companies. It’s not dissimilar to an era of email, before we had
Internet e-mail and the SMTP standard.
Companies had email, but it was enterprise email. It wouldn’t communicate with other
companies' proprietary email. Then, we standardized email through SMTP and instantly we had
I predict that the same thing is occurring, and will occur, with identity. We'll standardize all of
these cases to open identity standards and that will allow us to scale the identity use cases into
this federated world.
The third tenet is that, for many years, we really focused on the browser and web infrastructure.
But now, you have users on mobile devices and applications accessing APIs. You have as many,
if not most, transactions occurring through the API mobile channel than you do through the web.
So whatever infrastructure we develop needs to normalize the API and mobile access the same
way that it does the web access. You don’t want two infrastructures for those two different
channels of communication. Those are some of the big tenets of this new world that define an
architecture for next-gen identity that’s very different from everything that came before it.
Gardner: To your last tenet, how do we start to combine without gaps and without security
issues the ability to exercise a federated authentication and identity management capability for
the web activities, as well as for those specific APIs and specific mobile apps and platforms?
Durand: I’ll give you a Ping product specific example, but it’s for exactly that reason that we
kind of chose the path that we did for this new product. We have a product called PingAccess,
which is a next-gen access control product that provides both web access management for the
web browsers and users using web applications. It provides API access management when
companies want to expose their APIs to developers for mobile applications and to other web
Prior to PingAccess in a single product, allowing you to enable policy for both the API channel
and the web channel, those two realms typically were served by independent products. You'd buy
one product to protect your APIs and you’d buy another product to do your web-access
Now with this next-gen product, PingAccess, you can do both with the same product. It’s based
upon OAuth, an emerging standard for identity security for web services, and it’s based upon
OpenID Connect, which is a new standard for single sign-on and authentication and
authorization in the web tier.
We built the product to cross the chasm, between API and web, and also built it based upon open
standards, so we could really scale the use cases.
Gardner: Whenever you bring out the words "new" and "standard," you'll get folks who might
say, "Well, I'm going to stick with the tried and true." Is there any sense of the level of security,
privacy control management, and governance control with these new approaches, as you describe
them, that would rebut that instinct to stick with what you have?
Durand: As far as the instinct to stick with what you have, keep in mind that the alternative is
proprietary, and there is nothing about proprietary that necessarily means you have better control
or more privacy.
The standards are really deﬁning secure mechanisms to pursue a use case between two different
entities. You want a common interface, a common language to communicate. There's a
tremendous amount of the work that goes into it by the entire industry to make sure that those
standards are secure and privacy enabling.
I'd argue that it's more secure and privacy enabling than the one-off proprietary systems and/or
the homegrown systems that many companies developed in the absence of these open standards.
Gardner: Of course, with standards, it's often a larger community, where people can have
feedback and inputs to have those standards evolve. That can be a very powerful force when it
comes to making sure that things remain stable and safe. Any thoughts about the community
approach to this and where these standards are being managed?
Durand: A number of the standards are being managed now by the Internet Engineering Task
Force (IETF), and as you know, they're well-regarded, well-known, and certainly well-
recognized for their community involvement and having a cycle of improvement that deals with
threats, as they emerge, as the community sees them, as a mechanism to improve the standards
over time to close those security issues.
Gardner: Going back to the Cloud Identity Summit 2014, is this a coming-out party of sorts for
this vision of yours? How do you view the timing right now? Are we at a tipping point, and how
important is it to get the word out properly and effectively?
Durand: This is our fifth annual Cloud Identity Summit. We've been working towards this
combination of where identity and the cloud and mobile ultimately intersect. All of the trends
that I described earlier today -- cloud adoption, mobile adoption, moving the application and the
user and the device off the network -- is driving more and more awareness towards a new
approach to identity management that is disruptive and fundamentally different than the
traditional way of managing identity.
On the cusp
We're right on the cusp where the adoption across both cloud and mobile is irrefutable. Many
companies now are moving all-in in their strategies to make adoption by their enterprises across
those two dimensions a cloud-first and mobile-first posture.
So it is at a tipping point. It's the last nail in the coffin for enterprises to get them to realize that
they're now in a new landscape and need to reassess their strategies for identity, when the
business applications, the ones that did not convert to SaaS, move to Amazon Web Services,
Equinix, or to Rackspace and the private-cloud providers.
That, all of a sudden, would be the last shift where applications have left the data center and all
of the old paradigms for managing identity will now need to be re-evaluated from the ground up.
That’s just about to happen.
Gardner: Another part of this, of course, is the user themselves. If we can bring to the table
doing away with passwords, that itself might encourage a lot of organic adoption and calls for
this sort of a capability. Any sense of what we can do in terms of behavior at the user level and
what would incentivize them to knock on the door of their developers or IT organization and ask
for this sort of capability and vision that we described?
Durand: Now you're highlighting my kick-off speech at PingCon, which is Ping’s Customer and
Partner Conference the day after the Cloud Identity Summit. We acquired a company and a
technology last year in mobile authentication to make your mobile phone the second factor,
strong authentication for corporations, effectively replacing the one-time tokens that have been
issued by traditional vendors for strong authentication.
It’s an application you load on your smartphone and it enables you an ability to simply swipe
across the screen to authenticate when requested. We'll be demonstrating the mobile phone as a
second-factor authentication. What I mean there is that you would type in your username and
password and then be asked to swipe the phone, just to verify your identity before getting into
We'll also demonstrate how you can use the phone as a single-factor authentication. As an
example, let’s say I want to go to some cloud service, Dropbox, Box, or Salesforce. Before that,
I'm asked to authenticate to the company. I'd get a notification on my phone that simply says,
"Swipe." I do the swipe, it already knows who I am, and it just takes me directly to the cloud.
That user experience is phenomenal.
When you experience an ability to get to the cloud, authenticating to the corporation first, and
simply swipe with your mobile phone, it just changes how we think about authentication and
how we think about the utility of having a smartphone with us all the time.
Gardner: This aligns really well, and the timing is awesome for what both Google with Android
and Apple with iOS are doing in terms of being able to move from screen to screen seamlessly. Is
that something that’s built in this as well?
If I authenticate through my mobile phone, but then I end up working through a PC, a laptop, or
any other number of interfaces, is this something that carries through, so that I'm authenticated
throughout my activity?
Durand: That's the entire vision of identity federation. Authenticate once, strongly to the
network, and have an ability to go everywhere you want -- data center, private cloud, public SaaS
applications, native mobile applications -- and never have to re-authenticate.
Gardner: Sounds good to me, Andre. I'm all for it. Before we sign off, do we have an example?
It's been an interesting vision and we've talked about the what and how, but is there a way to
illustrate to show that when this works well perhaps in an enterprise, perhaps across boundaries,
what do you get and how does it work in practice?
Durand: There are three primary use cases in our business for next-generation identity, and we
break them up into workforce, partner, and customer identity use cases. I'll give you quick
examples of all three.
In the workforce use case, what we see most is a desire for enterprises to enable single sign-on to
the corporation, to the corporate network, or the corporate active directory, and then single-click
access to all the applications, whether they're in the cloud or in the data center. It presents
employees in the workforce with a nice menu of all their application options. They authenticate
once to see that menu and then, when they click, they can go anywhere without having to re-
That's primarily the workforce use case. It's an ability for IT to control what applications, where
they're going in the cloud, what they can do in the cloud to have an audit trail of that, or have full
control over the use of the employee accessing cloud applications. The next-gen solutions that
we provide accommodate that use case.
The second use case is what we call a customer portal or a customer experience use case. This is
a scenario where customers are hitting a customer portal. Many of the major banks in the US and
even around the world use Ping to secure their customer website. When you log into your bank
to do online banking, you're logging into the bank, but then, when you click on any number of
the links, whether to order checks, to get check fulfillment, that goes out to Harland Clarke or to
That goes to a separate application. That banking application is actually a collection of many
applications, some run by partners, some run by different divisions of the bank. The seamless
customer experience, where the user never sees another login or registration screen, is all secured
through Ping infrastructure. That’s the second use case.
The third use case is what we call a traditional supply chain or partner use case. The world's
largest retailer is our customer. They have some 100,000 suppliers that access inventory
applications to manage inventory at all the warehouses and distribution centers.
Prior to having Ping technology, they would have to maintain the username and password of the
employees of all those 100,000 suppliers. With our technology they allow single sign-on to that
application, so they no longer have to manage who is an employee of all of those suppliers.
They've off-loaded the identity management back to the partner by enabling single sign-on.
About 50 of the Fortune 100 are all Ping customers. They include Best Buy, where you don’t
have to log in to go to the reward zone. You're actually going through Ping.
If you're a Comcast customer and you log into comcast.net and click on any one of the content
links or email, that customer experience is secured through Ping. If you log into Marriott, you're
going through Ping. The list goes on and on.
In the future
Gardner: Before we sign off, any idea of where we would be in a year from now? Is this a
stake in the ground for the future or something that we could extend our vision toward in terms
of what might come next, if we make some strides and a lot of what we have been talking about
today gets into a significant uptake and use?
Durand: We're right on the cusp of the smartphone becoming a platform for strong, multi-factor
authentication. That adoption is going to be fairly quick. I expect that, and you're going to see
enterprises adopting en masse stronger authentication using the smartphone.
Gardner: I suppose that is an accelerant to the bring-your-own-device (BYOD) trend. Is that
how you see it as well?
Durand: It’s a little bit orthogonal to BYOD. The fact that corporations have to deal with that
phenomenon brings its own IT headaches, but also its own opportunities in terms of the reality of
where people want to get work done.
But the fact that we can assume that all of the devices out there now are essentially smartphone
platforms, very powerful computers with lots of capabilities, is going to allow the enterprises
now to leverage that device for really strong multi-factor authentication to know who the user is
that’s making that request, irrespective of where they are -- if they're on the network, off the
network, on a company-issued computer or on their BYOD.
Gardner: We are going to leave it there. You've been listening to a sponsored BriefingsDirect
podcast discussion on a stubborn speed bump for the digital economy, namely the outdated use
of passwords and limited-identity management technology that has resisted fixing for so long.
We've also seen how a new generation of standards and technologies has emerged along with the
new vision for how to move beyond precarious dependence on passwords and a more abundant
identity schematic towards how we really live and work.
This all comes to a head, as we're approaching the July Cloud Identity Summit 2014 in
Monterey, California, which should provide an excellent forum for keeping the transition from
passwords to a federated, network-based intelligent capability on track.
With that, a big thank you to our guest. We've been joined by Andre Durand, the CEO at Ping
Identity. Thank you, sir.
Durand: Thank you Dana.
Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. A big thank you to our
audience as well for joining us, and don’t forget to come back for the next BriefingsDirect
Copyright Interarbor Solutions, LLC, 2005-2014. All rights reserved.