Interview: Ralph Horner, Vice President DACH

What role does Identity and Access Management (IAM) play in the context of digitisation for businesses and the public sector?

An increasingly important role. More than ever, companies are facing the challenge of protecting their assets and making access to them as safe as possible – both online and offline. The digital and analogue worlds are increasingly intertwined. People have become accustomed to taking care of much of their daily lives online – preferably via a smartphone. They also carry these expectations into the companies as employees. For example, flexible working arrangements and home office require remote access to corporate resources. The foundation for all these activities are unique and secure digital identities. Managing those efficiently in an increasingly complex world is a major challenge. Without the help of a professional, well thought-out IAM system, you have no chance.

Where are digital identities already in use?

Trustworthy digital identities are the basis for all kinds of online services. If your insurance company allows you to report a damage claim online, they have to be sure that you really are who you claim to be. A second important area is the mobile workplace, which requires secure access to corporate networks and the company’s digital assets. The Cloud plays an important role here. Things are moving in the public sector as well. For some time now, Germany has had the electronic identity card, which enables citizens to identify themselves not just offline, but online as well. Unfortunately, to date only a small fraction of people actually use that function. The Swedish are already one step ahead: in Sweden, a majority of the population uses the so-called BankID to take care of administrative tasks online. Using their BankID, people in Sweden can apply for nursery schools or building permits without having to physically visit a public authority.

What should companies consider when it comes to selecting an IAM solution?

The boundaries between security in the physical and virtual world are blurring. We use the term convergence to describe this process. The two areas can no longer be regarded separately. From the perspective of IT security, this means that both physical access and digital access must be secured. This requires identities that can be used in different contexts and sectors. People, devices, transactions and processes are all affected. The identity that an employee uses to enter through the security gates at various company locations should, for the sake of efficiency and usability, be the same one she uses to log onto her computer, sign contracts, pay in the cafeteria or retrieve her payslips online. A supplier who enters the company grounds on a regular basis also has an identity, but not the same entitlements as an employee. To handle this complexity, businesses need solutions that are equally able to deal with physical and digital identities – and we provide them.

What technical options already exist for protecting assets in business and government effectively?

There is a broad range of possibilities. For securing physical access to buildings or systems, the multi-functional ID card or “smart card” still plays an important role. So-called Public Key Infrastructures (PKI) are often used to secure access to digital resources. They ensure the trustworthiness of digital identities by issuing, distributing and verifying them in a secure way. Based on such digital identities, people and smart devices can authenticate themselves, communicate in an encrypted manner or digitally sign documents. In order for trusted identities to work in both the physical and digital world, we need technologies that enable an integrated approach. Of course, new technological developments also influence developments in IAM. One example is the increasing use of mobile devices. Smartphones can already be used as smart cards and we expect that this will continue to catch on.

How should organisations approach the issue of security and what should they keep in mind?

Both companies and public sector organizations should first recognize that security is not a necessary evil, but an absolute must in day-to-day business. Therefore, full commitment at the executive level is very important. It is about creating the right culture and communicating it to the employees. No technology is one hundred percent secure. Human beings are still an important factor, so raising awareness of security issues is really important. The wave of ransomware we experienced in 2016 speaks volumes in this regard. Nevertheless, organizations can achieve a lot by choosing the right technological infrastructure, and this is where Nexus’ expertise comes in: we offer highly secure and user-friendly solutions that are easy to use even for “John Doe”, so there is no need for him to sidestep to insecure processes like name and password. Our new app “Personal Mobile” brings two-factor authentication to the smartphone, making it more comfortable and easier to use, which in turn increases security.

Where should companies start – and what are the most important steps?

The aforementioned convergence of physical and digital security should also determine the approach to a new IAM project. First, it is important to carry out a thorough analysis based on a 360-degree perspective, which means looking at physical and digital security as one area. Where might be risks? And where are the greatest security needs in the organisation? Only when there is clarity about the answers to these questions should processes and responsibilities be defined. In many cases, the requirements for an IAM system are clearly outlined. The advantage of this is systems can be implemented very quickly, for example with standard solutions that meet these requirements “out of the box”. In addition, there is a trend towards the consolidation of the system landscape in companies in order to avoid shadow IT, improve usability and fulfil compliance regulations. Hardly any organisation reinvents the wheel – oftentimes, IAM systems are already in place and must be integrated into an overarching architecture. It is important to choose a provider that can provide this integration in a consistent manner.

What issues should companies keep in mind – what are important topics for the future?

Trends like cloud computing or the Internet of Things (IoT) offer great potential, but they also present challenges – especially in terms of security. Take for example the IoT: More and more devices are networked together and communicate with each other. This interconnectedness is also the Achilles heel of a networked economy, because it increases the number of potential points of entry for cybercriminals. In order for companies to realise the benefits of the IoT, the interconnectedness needs to be secure. Again, trusted identities play a decisive role in making that happen, for example for encrypting communication or preventing the manipulation of smart devices. According to Gartner, the number of connected devices will be increase from about 5 billion today to an estimated 20 billion devices by 2020. To manage all the digital identities over the course of their entire lifecycle and in a secure way, a highly scalable infrastructure is required. This is a task that more and more companies will have to face going forward.