HID Connects Podcast Episode 6: Access Management in The Cloud … Are We There Yet?
The “cloud” means something different to everyone… sharing a drive with your coworkers, storing family photos, and now, managing your identity. What does identity and access management in the cloud even mean? How did we get here? Where do we go next? And what’s the hold-up? Take a minute to listen below. And while you’re at it, be sure to subscribe to receive future episodes.
Matt Winn:
Hello everyone. Good morning, good afternoon, good evening, whatever time it is, and wherever in the world you may be. My name is Matt Winn, your podcast host and resident secure identities nerd. Welcome back to the HID Connects podcast. Now, today we're gonna talk about the topic that seems to be everything, everywhere, all at once — the cloud. And as more and more of our lives are being uploaded into the cloud, we want to spend the next half hour or so discussing what the cloud means to identity and access management. Where are we today? How did we get here? What comes next? And how do we get to that point?
This approach will be the core driver of our industry moving forward, which begs the burning question for today's episode: Identity Management in the Cloud… Are We There Yet? And while it's just me in the studio today, I am not alone, never alone — as we have two expert panelists joining us to drive our discussion. Dialing in from oh, so beautiful Stockholm, is someone I've had the pleasure of working with for several years, and quite possibly the best dressed man at HID, Hilding Arrehed, Vice President of Product Management and Cloud Services. Hilding, thanks for joining us. How are you?
Hilding Arrehed:
Good, thank you. I'm great, and I realize I should have dressed up even more now when you're introducing me that nicely. So kind words, and absolutely a pleasure to be here, Matt, and good to see you again.
Matt:
You look great. Thanks for joining us. And joining us from the land of tulips and stroopwafel, AKA the Netherlands, is Paul Jones, our Senior Director of Technical Services, and all-knower of all things cloud-based identity management. Paul, thanks for joining us. How are things in your world today?
Paul Jones:
They're brilliant. I'm looking forward to the podcast and helping answer all the questions.
Matt:
Excellent. I will put you on the hot seat. Alright, thank you again both for joining. Now that we've got our intros out of the way, let's get to it. Alright, Hilding, first question is for you and then Paul, we’ll ask you the same thing. How do you define cloud-based access management and what would you say is the key difference in benefits from more traditional on-prem access management? Tell me, what is this all about?
Hilding:
So, I think the question will, or the answer to the question will evolve even more with time. But I think the simple answer as of today — of what a cloud-based access control system is — is when you take a PACS head, uh, so the type of PACS software that you normally install on-premise, on a server. And instead of having that on-premise on a server, you would run that software in the cloud. So that's, I think a simple definition, about what it means today. But I think in the future that will probably evolve and mean also many other things.
Matt:
Paul, what's your take on that definition? Agree, disagree, something you'd like to offer?
Paul:
I agree with Hilding's point of view, but I have a slightly different point of view as well. I work in a different part of the business, as you know, in consumer authentication. From my perspective, like Hilding said, we take the access management solution and put it in the cloud. And the reason for doing that is to really reduce cost and realize the quickest time-to-value for the customer. So yeah, if you deploy something on-premise, then it's going to take a long time. You make it available in the cloud, and then you can rapidly go to market. Also, I think, you know, cloud-based access management is more than just PACS headend components. On my side of the business, it's about, you know, identity onboarding. How do you visualize a person? How do you guarantee they are who they say they are? Providing single features, providing multifactor authentication. And all of that is kind of stuck together and combined with an access control policy, which would also be valid, obviously, in PACS. And then probably the boring side of it, you know, you're gonna have audit as well, but we'll avoid that for now.
Matt:
We'll avoid it to potentially come back. Well, Hilding, Paul talked about some of the key benefits from cloud-based access management. What do you see as some of those key benefits and why would organizations want to take this approach as opposed to perhaps the more traditional route?
Hilding:
Yeah, I was gonna say, I think Paul was cheating justly straight into the benefits here. I was sticking to the boring definition. No, I think Paul mentioned a few really important ones. I think that the benefits for why you would wanna move access control into the cloud are very similar to the benefits of why very many companies are moving their software and services to the cloud. So obviously, cost impact, way easier to maintain. You don't have to install software on-prem. So many of those kind of basic, just like, common sense reasons. But then I think, when it comes to access control specifically, I think there are a lot of additional benefits that go beyond the traditional cost, infrastructure and maintenance benefits, when it comes to integrating access control systems more easily into other cloud platforms and things like that. So I think that's where we'll see an evolution. And I think where some of the challenges we've seen with moving into the cloud will be, you know, overtrumped by the value and the benefits additional integration capabilities bring. And then I hope we'll have some time to talk a little bit more about that.
Matt:
As well. Absolutely. Yeah, hold that thought. We will definitely get to challenges and barriers to adoption soon. Paul, back to you. So we've outlined and discussed several key benefits. Let's take a step back in time though. How have we seen this technology evolve over the years, and how did we get to the state we're in now, where it's becoming a lot more mainstream — again, based on the benefits that you discussed? How did we get here?
Paul:
I think it's a good question. So access management-as-a-service, or in the cloud, has over the years been kind of driven initially by the fact that we are looking more towards cloud computing. We are looking to put things out there, we are looking to reduce our costs, and we are looking to change how we pay for things. You know, we only want to pay for what we are using rather than buying the car with all the options in it today. If you don't want, I dunno, a third windscreen wiper, then don't pay for it, don't enable it. It's there, it's available for you and then you turn it on as you need. Importantly, legislation has also driven cloud over the years, and access management solutions are changing more rapidly today with the business. And for businesses to keep up with that kind of transformational change, they have two choices. Either I download things, I update hardware in Hilding's world, and it takes me a long time to do so, or my vendor simply updates the solution they make available to me in the cloud, and it's available to everybody to use instantaneously.
Matt:
Very good. Hilding, anything you wanna add or agree or disagree with?
Hilding:
Yeah, no, I think I have to agree. But, in terms of, because I wanna tell a little bit of the story. I think, I feel sometimes like a dinosaur, you know, having been through both some of the IT evolution and the PACS. I didn't mention it in the introduction, but my background is actually not in PACS, in physical access control. I come from the IT side. And I was fortunate enough to see some of the kind of IT and internet evolutions happening there. And then I came into HID in 2010, but continued working in more of the IT and IT security and cloud side, and then moved into the physical access control business area in 2015.
It's not too long ago, but I'd say when I came into PACS in 2015, you know, the movement of cloud was still in its very early days. So back then we were basically tasked with laying out a strategy for how to bring access control into cloud. And there was a lot of resistance. I remember customers were hesitant. Of course, no problem moving something like Word or using Facebook or LinkedIn in the cloud — those are obvious ones — but you know, when you get to access control, no, no, no. We're talking about security and access control rules and things like that. So there was a lot of hesitancy and, in the beginning, focus was mainly around mobile keys and mobile access.
I think that that was the first area where it became really obvious that cloud has a role to play. It’s easy to issue an access control credential over the air into a mobile phone. It makes sense. The use case is really neat. So customers could accept the cloud from that perspective, but maybe not from any other perspectives. And, you know, fast forwarding now to where we are today, eight years later, loads of access control companies have started bringing solutions to the cloud. Loads of customers accept it. And we've seen a general evolution towards cloud acceptance also in the most stringent environments. I remember like large governments, I won't mention any names, but large governments around the world, back in 2015, 16, they, they would basically refuse to put critical services in the cloud.
And in order to get an exception, you had to fill out a lot of forms and ask for permission. These days, many of the same governments would ask for an exception if you do not want to put your stuff in the cloud. So basically cloud becomes a default. And if you don't want to use the cloud, then you need to fill out the same forms, but to explain why you would not use the cloud instead. So that's been a really strong evolution in the industry in general, and in particular in the kind of access control space where we are.
Matt:
Very good. We talk about evolution, we talk about timelines. We talk about how things have changed. And I think that one thing that's really interesting around the cloud, and of course, cloud-based identity and access management, is the convergence, Hilding, of the physical world. And then Paul, the convergence of the logical network authentication world. So tell me more about that, Paul. How does cloud play into the convergence of physical and logical access, PACS and LACS, and what other types of ecosystems does this support? Tell me about this convergence and this whole idea where everything can kind of live in one space.
Paul:
I think that's an excellent question, honestly. And you know, as Hilding said, we basically worked together for years, and we started, yeah, in a company that HID acquired in 2010. So we've been singing the convergence song for a long time. Um, and it was all about, or originally about, putting a logical access credential on a PACS card. Now we've had different levels of success, in companies that were highly secure, and they insisted when you walk away from a machine that it would lock the machine. They definitely went that way. But otherwise, it was getting IT teams to kind of understand what the physical access team needed to do. And they didn't always play very nicely. Before I address the cloud side of it, and our view of the access management, I think the whole industry has changed.
It's no longer… you don't walk into a bank or a government anymore and say, okay, can I speak to the guys in charge of physical access? And now can I speak to the guy in charge of IT? The protocols have changed. It's no longer… everything's going over the network infrastructure. So the IT guys are in charge of it, and more importantly, tend to filter up to the chief security officer, one person responsible for the whole infrastructure. That made the convergence story easier as a whole. Now, as we move to cloud, we can update things a lot more rapidly. We can actually start adding different technologies onto the same physical card, but also looking at maybe how we can do that with mobile as well.
On my side of the business, it's more about FIDO these days — how do I authenticate to a machine? How do I authenticate to a service? Get rid of that password, because that's the inherent problem that we've always had. And then as you move into the cloud and it becomes maybe predominantly a mobile world, you can have a lot more impact. How can we change these technologies? What can we do to update you? How can we address things like, you know, somebody leaving a company rapidly, new starters, temporary issuance? There's a whole load of things we can do there. And I think the bit that kind of excites me and is a challenge is not only do we see the technologies coming together, but we see the technologies playing the same role. So like Seos on Hilding’s side of the business, great from a security perspective, very, very good physical access. But we now have solutions where you can actually use Seos to get into your PC, and FIDO on the other side, you know, you could argue we could use a technology that's used to protect authentication to systems to access a building in the future. I think it's become a very, very exciting time for converged credentials.
Matt:
Excellent. And of course, Seos being a credential technology. Thanks for that, Paul. Hilding, I saw you smiling and nodding a lot, so I wanna get your take on the convergence topic, but also would love for you to talk about maybe the present or future state in terms of the new ecosystems this is driving. I mean, Paul mentioned all the different use cases that are now possible. Let's talk more about that. So a twofer of convergence and the new frontier of ecosystems.
Hilding:
Sure. And you have to promise to remind me about the ecosystems if I don't get there, but let's start with the convergence. And I agree with Paul. I mean, that was a part of a strategy and a vision we've been after for quite some time, or maybe more like a vision in terms of, we know it's gonna happen. And then how do you kind of position yourself to support that, rather than something that you're trying to push too forcefully? Because it's something that I think organically is starting to happen in the marketplace out with the customers, with the large enterprises. I see cloud in physical access control to really be that bridge to bring them together, because the IT systems are already, you know, in the network.
They're IT systems. Where you have the challenge has been how you tie that together with the physical access control systems. And the moment you put a physical access control system, in particular like a PACS headend system, in the cloud, then you make that type of integration so much easier. So, one area I think is in particular interesting in this regard is the access and management of identities. Because in a traditional PACS headend system that's on-prem, you would typically have a separate database with the users, and you manage those users in the PACS system, and then you have another database, a Microsoft Active Directory or some Azure service or something, where you have the users for your Windows accounts and the Active Directory login and all the networks and stuff. Now, when physical access control moves to cloud and those systems move to cloud, it's much easier for those systems to tap into the same IT systems that have been used for network access and other things.
And the other way around, actually, if a company would choose to use the physical access control system as the master directory, that's fine too. But the moment these systems coincide in cloud environments, just imagine how much easier that integration between the systems becomes. And I'll mention one example that was pretty impressive. I was in Sri Lanka the other week for a partner event. And I spoke to this partner who's built a really cool kind of access management system that allows people to book conference rooms and access those rooms really easily. And they've certified the solution. It's really secure and everything. And they managed to get that integrated with Microsoft Teams. So now through a plugin in Teams, and they were one of the first that managed to get this, 'cause you had to get quite a lot of certifications and stuff.
So through a plug-in in Teams, they can go in now and enable access for a user in that existing team to a room or any other asset. And immediately at that point, when you show up at that asset, you can use your physical access control credentials, your mobile key or whatever it might be, a mobile ID, and access that part of the facility. So that type of integration has really not been there before; those systems were not integrated to that extent. So, if you booked a room, then either a person manually would have to make sure that your card has access to that room, or there would need to be a lot of backend systems connected to create that type of experience.
But here we're talking about integration straight into Microsoft Teams, and we're seeing much, much more of that in general. I think this is starting now to move into the more general ecosystem side, which is broader than just the convergence piece. But one really big trend of course we're seeing there is mobile wallets. So looking at that experience where you as a user select to add your identity to the mobile wallet in the same way you would add a payment card. And, the moment you do that, within seconds you have received your credential and you also have access to the specific parts of a building that you should have access to. Now, it just looks so simple, but I think what people don't realize is the number of transactions that happen behind the scenes, between different cloud-connected systems and sometimes also some on-prem systems. It is just tremendous.
We're talking hundreds of different transactions between different systems to create that experience. And of course, moving things to the cloud just enables more and more of those types of experiences. So remove all that complexity from the people who manage credentials, from the users themselves, remove it from any human being, and just create a seamless experience between those connected systems instead. So, that's a piece of the ecosystem. And I could go on, but Matt, if you wanna put something in there.
Matt:
In a while — we're only in season one of the podcast, so we can always bring you back for another one. But you bring up a really good point that we actually talked about in our mobile ID episode, and that's that exact same point of there is so much going on behind the scenes, but the ultimate user does not care. They want it to be efficient, seamless and essentially effortless on their side. Paul, I did wanna make sure that you had a chance to jump in on the ecosystem discussion — anything you wanted to mention on that topic?
Paul:
Yeah, I think, well, Hilding's right, again, but yeah, I think, my vision of the ecosystem is it's going to grow further than just the technology enablement. So Hilding mentioned the wallet, but it's going to move all the way from, how do I identify you, how do I onboard you? Today you walk in, you fill out some paperwork, you join the company. But yeah, we're all working at home. Well, I am, at least. I'm sat at home. If I take on a job, then I need to have some kind of validated credential and the market to physically take someone's government-issued credential, compare it to their face, onboard them, and allow that credential to then be reused. Whether it's a PACS credential, one for logical access is going to help propel the market.
And then once you're actually inside the system, other people can make use of it more on, I think the logical access side. So — and you see this in Sweden already with things like bank ID and these federated identities where your identity becomes a digital one — and you say, I want to access a service, you don't have to register, you don't need another credential. You can make use of that same credential stored in the wallet in exactly the same way. And it basically calls home and says, is this person who he says he is? And what kind of level do I trust him to? Checks that, and then says, yep, of course he can go ahead, I'll authenticate you. I think that's where the market is going to evolve to, and I think it's gonna be exciting.
Matt:
Very exciting, indeed. So we've talked about all of the benefits, we've talked about how we've gotten here thus far. We've kind of talked about what the future could hold, but hold on that, I'm gonna come back to that question in a minute. Paul, sticking with you, why isn't everyone using this technology? What are some of those barriers to adoption and what's holding people back from actually leveraging it to further unlock the potential of cloud-based access management? What are your thoughts on that?
Paul:
So honestly, I'm starting to see fewer and fewer barriers to adoption. Um, but like Hilding said earlier, they definitely exist. We have some customers, they simply don't trust the cloud. One way or another. You could gold line it and they still wouldn't trust it. It is a mindset, and it depends upon the person in charge of the security sometimes. And yeah, we can say what we want, but you're not gonna change that person's mind. You also have some countries where regulation is slower. So we do a lot of work in African countries, and the business side I work in is very, very highly regulated. We work with a lot of banks and, for example, if I'm talking to a customer in Ethiopia and you mention having the access management in the cloud, they're gonna laugh at you and then they're gonna laugh some more, and then they're going to say to you, right, okay, now you work with our local regulator to try and get it through. And we've done that and we've helped some customers actually establish regulation to make sure they can put their solution into the cloud. So, I think that's probably the biggest barrier. And in some places, also the technology. I use Ethiopia as the example, but I can guarantee you that my internet signal is not necessarily the strongest if I'm traveling around such luxurious countries. So yeah, that's probably about it.
Matt:
All good points. Hilding, what's your take?
Hilding:
I agree with Paul. Privacy, compliance and infrastructure. Those are the two big things. But the way I look at those is as technical challenges, and I'm convinced if you draw the timeline long enough, those will be overcome. And there are solutions to most of those issues already today, such as regional hosting, which we're going after. And of course a number of certifications and compliance methods that you can use, audits, things like that. And on the networking side, it's improving every day and countries are leapfrogging from poor network cable connections and fiber connections to 5G and things like that. So, I think it's moving pretty fast.
And with increased confidence, to Paul's point, in terms of the security and privacy, I think we'll see fewer and fewer barriers. Uh, so then it becomes, we are debating this quite a lot internally. It's like, for instance, a hospital emergency room, would that ever rely on cloud for door openings or other critical things that need to happen to save time? And it's hard to give a yes or a no. But at the end of the day, most hospitals do rely on electricity and other systems that you wouldn't have relied on 50 years ago, but then you created the backup systems. And eventually things will at least become more and more cloud dependent or cloud connected, but then with some smart local backups where needed. In a general sense, I think most of the stuff will move towards cloud in one way or another.
Matt:
And as things move closer to the cloud in one way or another, those barriers of adoption continue to fall. Technology increases, user experience becomes more and more seamless. To our point earlier — Paul, you already touched on this, so feel free to reiterate or offer something new — what does the future hold for access management in the cloud? What do you see happening next?
Paul:
Like I said already, what I think the most important thing for a customer or a consumer is, is that user experience, you know. I think today I definitely have this tendency to focus on the technology, you know, from an end user perspective. And Hilding highlighted this — a user doesn't care whether there's a hundred calls, a thousand calls or whatever, or what's behind the cover. Yeah, it's the same as when I get into a car, I have no idea what's gonna happen. I push the button, the car starts, I drive it. I think that's the biggest thing. And the simpler we make things for the end customer, the more adoption we'll see in cloud and the more features we can add and they can utilize.
Matt:
Hilding, over to you. What's next?
Hilding:
Yeah, we started with where I gave a fairly narrow definition of what I think access control in the cloud is. And I said it's what I think it is today. And I mentioned that it's mainly when you put a PACS headend system in the cloud. I think, and we're seeing this already, it's not only in the future, it's also a little bit impressive, but I think we'll be seeing more parts of the physical access control systems going into cloud. There are examples in the telco industry where the access control points are being moved more and more into the cloud as well. So there are cloud capabilities that can do some of the heavy processing for many things and are becoming more and more reliable.
So I think that's one aspect that's gonna, you know, impact PACS infrastructure, credentials and things like that. And the other piece is really around the ecosystem. When we set up, when we started our journey in 2015, we had this vision that eventually there will be a lot of cool innovation built on cloud platforms for access control. And that new companies will come in and be able to create these amazing, regionally, vertically tailored solutions in local languages, specifically for the use case, to create a really smooth user experience for whatever it might be. Could be for a school or hospital or a specific room booking system or whatever it might be, with cloud platforms. And if we do it the right way, it will allow those types of innovations to create better experiences for users around the world.
And, to enable that, we decided to go API first with all our cloud platforms and initiatives. And back then we were talking about… imagine if you had 20 or 50 partners who developed really cool, innovative solutions on top of those platforms, and how cool those could be. And they could do access control and they could do mobile and they could do a lot of stuff. And today we already have, you know, over 150 different companies that have developed really amazing solutions on those platforms, and they range from — I mentioned one example earlier with Teams integrations — but there's so much more with biometric integrations, really cool mobile experiences, all sorts of things. And that's only what we know today. So what excites me about the future is that, you know, we're just scratching the surface on that innovation today. What we're going to do is try to enable that type of innovation, but we have no clue what our partners will come up with. But I'm very confident it would be super cool stuff that will blow our minds basically, and make access control so much easier in every aspect for users and customers.
Matt:
Very good. And what's also cool is not just the convergence of technology, but Hilding to your point, the convergence of the people who are driving this forward by putting their heads together, creating new experiences, and really making a change with that ultimate end user benefit in mind. So well said and totally agree. Now, Paul, final question — and that is the name of this episode — so quickly, summarize your thoughts here when it comes to harnessing the potential of cloud-based access management. Are we there yet?
Paul:
No, we're on a journey. And I think, you know, we started the journey a few years ago, but the full potential has yet to be realized. What I would like to see is us utilizing the cloud as a larger kind of enabler for HID, combining physical access and logical access, delivering it to the end customer, and then, like Hilding said, build out the whole ecosystem. We've touched on such a little part of the ecosystem so far. Think what you could do if you were literally the company issuing the credential that gives you access to your building, access to the internet at the same time, you know, and being able to prove that it's you.
Matt:
Hilding, Paul says not there yet. You've been driving this bus for quite some time now. In your perspective when it comes to cloud, are we there yet?
Hilding:
Uh, no, I agree. We’re definitely not, but I think we're at the point where we're kind of, we built the launch pad, you know, so now we're finally ready to take off. So there's some foundational stuff that had to be kind of built, and now starts the, you know, the exciting ride. And that's like with any good innovation. It needs a few years to settle a bit and have some successes to celebrate. We've seen some big ones with mobile wallets and with all the partner integrations, some significant rollouts. But that's just early adopters, in my view, still. So I think it's way too early to say that we've seen the scene, we've seen the end of this. I mean, there's a lot more to discover and enjoy.
Matt:
Exciting, right? Indeed. So buckle up folks. Only more to come. So thank you both, Hilding and Paul, for sharing your expertise and perspective on this topic that has, is and will continue to redefine security and identity management as we know it. Thank you both so much and as always, an even bigger thank you for joining us on this episode. We really do enjoy creating this podcast and hope you equally enjoy listening, and while you're at it, be sure to subscribe to HID Connects. Doing so will ensure that you stay connected and not miss future episodes. You can subscribe wherever you get your podcast. And in the spirit of connection, please do send me your questions and topic ideas for future episodes. All you have to do is drop me a line at [email protected]. Until our next episode, thanks again for listening. May your identities forever be secure.