With in-person events coming back in full force these past few months, we have had lots of face-to-face conversations with customers, prospects, partners and analysts. It is so refreshing that we are now able to bounce off ideas again with all these talented people in our industry. We talked to TrustBuilder CEO Frank Hamerlinck about the latest evolutions.
These past few months, TrustBuilder has participated in several industry events, either as a visitor, organizer or exhibitor. What stuck when it comes to the Identity and Access Management (IAM) market?
Frank: Participating in the events by Gartner, Kuppinger-Cole and Heliview, as well as Cybersec Europe made it very clear to me that IAM and, more specifically, Customer Identity and Access Management (CIAM), are at the heart of many IT architectures nowadays. To me that was confirmation that customer-facing organizations cannot do without IAM. IAM is no longer simply about security. IAM has become a business enabler in delivering digital services, making these services more customer-friendly, and enabling the fast rollout of new services. IAM is key in making enterprises more agile. That’s what transpired clearly through all keynotes and customer stories.
TrustBuilder has been promoting the development of digital ecosystems for some time already. Do you see confirmation that the idea is catching on?
Frank: Definitely. I was very happy to see that the Flemish Government chose ‘digital ecosystems’ as the theme for their ‘Trefdag Digitaal Vlaanderen’. Ever more analysts and researchers are now paying attention to the advantages that digital ecosystems are offering to organizations in all different industries. These analysts also recognize the fact that IAM vendors who are instrumental in building digital ecosystems need a focus on Europe and European Identity Providers (IdPs) and service providers, and a good understanding of European regulations concerning privacy and data security. This clearly puts TrustBuilder in a good position. As a European IAM vendor, we understand the local sensitivities. We protect end-user data in the GDPR context, but also cater to the specific requirements for each individual European country and every industry. Taking the geopolitical situation into account, it is clear that we need a strong European cybersecurity industry, as I recently argued in a blog. It is imperative that we have the right knowledge and skills level in Europe.
RBAC is dead, long live PBAC
We recently had an interesting conversation at the watercooler in the TrustBuilder office. You stated that there is no longer a clear-cut distinction between Business-to-Consumer (B2C) IAM, also called CIAM, and Business-to-Employee (B2E) IAM. The modern world dictates a B2B2X approach. Can you expand on that?
Frank: Traditionally there has been this big divide between the worlds of B2C and B2E. Splitting the IAM market into these two markets is outdated. I believe Identity is the central component, and that one identity (being one person) can be both a customer and an employee, a broker and insurer, an alumnus and a guest lecturer, a citizen and company owner… Splitting up these worlds is no longer in line with the complex world outside. This evolution poses several challenges to traditional role-based architectures. In their line of thinking, someone is either a customer, or an employee, or a contractor, or an external partner. In our modern world, everything is blurring, and multiple personas can easily be taken up by just one person. We have built a new Identity and Persona Management module that is identity centric by nature, putting the identity in a central position and where we work with personas that are defined dynamically by the context that a person finds himself in at a certain moment. This allows a user with a single account and a strong authentication mechanism to access the different resources required for his multiple roles.
OK, so it’s all about identity, context and personas?
Frank: In a classical RBAC system you assign specific rights to a specific role. If you are an accountant working for four different companies, you have four accounts with specific rights to audit those four different companies. From an administrator point of view, that’s a nightmare. We look at it differently. This accountant has a mandate for a certain company. TrustBuilder will verify which mandates this accountant has at an authoritative source where those mandates are stored, TruliUs for instance, or an internal database. Based on the answer we get from this authoritative source and other contextual elements, we apply the right policies. That is what we call policy-based access. When using this dynamic policy-based authentication that we talk about, you supersede the B2C vs. B2E discussion, create an identity-centric B2B2X situation and avoid an explosion or roles that, otherwise, would lead to security hazards. This one identity can do many different things, either in business or as a consumer, so taking up different personas.
Buy-in for new capabilities at customers and partners
How are customers reacting to the addition of new capabilities in the TrustBuilder solutions?
Frank: We see a lot of enthusiasm from our customers, and several of them will start implementing the latest versions after the summer. Everything is going according to schedule there. There is a lot of demand for the newest capabilities on offer, including the Identity and Personas Management mentioned above. But we are also signing up customers for our Multi-factor solution from inWebo, and for our self-service solutions. On the partnership front, things are moving too. We are expanding our service catalog and see that our partners really buy into our vision on identity-centricity and policy-based access control.
So at TrustBuilder we are predicting a long, hot summer, with all these things going on?
Frank: Things are going to get busy, that’s for sure. But I think most of us are also up for a refreshing and well-deserved break over the summer, to recharge our batteries for an exciting second half of the year.
