Identity management has become the cornerstone of any cybersecurity architecture. As ever more organizations implement a Zero Trust policy, it no longer suffices to identify an individual at onboarding. We need to verify their identity throughout their digital journey, using as many information sources as possible, without infringing on privacy or disrupting the customer experience. We took some time to discuss this conundrum with TrustBuilder CEO Frank Hamerlinck.
Hi, Frank! In our last interview, you promised an exciting second half of the year. What has TrustBuilder been cooking during this hot summer?
Frank: Looking back at the past few months, it was not only the sun that was heating us up. I’d almost forget we also enjoyed some vacation. We took out quite some time to discuss our vision on identity management with customers, technology partners and analysts, and the feedback was quite positive. Our take is that while your identity is unique, your customer journey is dynamic, which means that verified identity will also be a continuous process. As a consequence, you need an Identity and Access Management (IAM) solution that follows the end-user throughout the customer journey, regularly verifying identity to ascertain that users are still who they claim to be and checking their rights and privileges against a dynamic context and the related policies.
You need a lot of information about a user to feed the decision-making in the policies, I guess?
Frank: Great question! Attributes play a key role in the identification, authentication and authorization processes that you set up. What you know about an individual depends on the number of attributes you have about them. Having more attributes means you have a better understanding about the context of a user and build more confidence about an identity, allowing you to make security even more fine-grained. As we are living in a dynamic world, those attributes change: you can work from home, from the office or on the road, use various devices, work at different hours of the day. Depending on the application being accessed, different policies may apply: transactional banking may require additional security measures compared to reading the news via a news app. We have created a separate category of attributes called ‘personas’, indicating which mandate the user has temporarily or long term: representing an individual or organization, be it an employee or payroll administrator, a student or alumnus, an insurance customer or broker. Users might have many mandates, so one single identity might have many personas.
The age of self-sovereign identity
And where do you get all these attributes from?
Frank: This is where decentralized data stores come into play. We have started an innovation project to explore the use of the Solid technology, developed by Tim Berners-Lee and also adopted by the Flemish government in their Data Nutsbedrijf. Decentralized data stores, or wallets, like Solid, allow a citizen to store and protect data that a government provides about you, for instance an education diploma, whether you are over 18 or not, whether you have a bank account,… An IAM solution can then connect to that wallet and use that data as an attribute, throughout a user’s digital journey. These data can change. On your 18th birthday, you become of age. A person can move from one city to another. A person may lose the right to drive a car. A person graduates and is no longer a student, but an alumnus. An employee can become a manager, with different access privileges. And so on. IAM has to be able to cope with these changes. In the age of privacy, and regulations such as GDPR, we will hear a lot about self-sovereign identity and individuals wanting control over their own information. And quite rightly so. That’s also why we are adding the concept of Zero Knowledge Proof when consulting that data. This means that when reading the birthday for example, we translate that to ‘adult’ or ‘minor’, use that in the security policies and forget about the actual birthday. This is also called data minimization, and by adopting this, we keep the user’s data confidential.
And TrustBuilder is ready to support this. Another topic we have been talking about a lot is digital ecosystems. That trend is accelerating?
Frank: It is. You see digital ecosystems popping up everywhere, in different markets. Just think of the trend of embedded finance. Non-financial organizations adding financial functionality to their services is a great example of digital ecosystems. And it was also nice to see that digital ecosystems is the theme of the ‘Trefdag Digitaal Vlaanderen’ that we are participating in on September 22nd.
With all these new evolutions coming our way, this certainly has an impact on the TrustBuilder products?
Frank: Definitely! That’s why we have implemented a microservices architecture in our solution. This gives us more agility in building new components and adding these seamlessly. For our customers this means a faster rollout of new functionality and faster support for new use cases that pop up. It also makes our solution a lot more scalable. And as we discussed previously, we are pursuing a buy-and-build strategy. This microservices architecture makes it a lot easier to integrate components built by other companies.
Values are more important than quotas
Over the summer, TrustBuilder kept growing and becoming more diverse. Tell us a bit about that.
Frank: TrustBuilder has a unique open culture, where we encourage everyone to be themselves and grow their experience. Collaboration is one of our core values (besides commitment and celebration) and we see that everyone is learning from each other by working together closely, across functional domains. The nice thing is that diversity in our team is a consequence of that culture, not a checkbox item or specific goal. Values are more important than quotas. And it was nice to get recognition from JobRoad, who gave us the title of Inclusive Company, for contributing to the Sustainable Development Goals of the United Nations.
An extra benefit of being so diverse is gaining insights into the various cultures and markets. By working with different nationalities, and being based in Europe, we can easily respond to these local requirements. That’s also where our microservices architecture comes in handy. Microservices and diversity combine into a nice competitive advantage.