IDnext talk by Martijn Roeling (ASML), Gerard Hartsink (Chairman ICC DSI Industry Advisory Board at International Chamber of Commerce) and Martin Sandren (IKEA), moderated by Peter Hoogendoorn (Capgemini)

    This was recorded during the annual IDnext event (4 December 2023) organised by IDnextplatform in close collaboration with SIDN.

    Title: Technology (push or pull)

    Who is Martijn Roeling?
    Martijn is currently working as Identity & Access Management Product Owner at ASML. He has over 10 years of experience in the domains of information security, IT audit, digital identity and risk management. His goal is to balance the usability of IAM processes against security measures. As Product Owner IAM, he focuses on the implementation, roll-out and maintenance of Identity Governance related services. Martijn holds a BSc in Computer Science and an MSc in Business Informatics (Utrecht University) and holds the CISA and CISM certifications. Prior to ASML, he worked at Deloitte as an IT risk and audit professional. He is always open to exchanging ideas, thoughts and experiences on digital identity.

    Who is Gerard Hartsink?
    Gerard serves in organizations developing and promoting (legal and technical) standards for international supply chains and for e-commerce (B2B and C2B). He serves as Chair of the ICC Digital Trade Standard Initiative Industry Advisory Board, working to realize further digitalisation of international supply chains.

    During his career he acquired broad experience in identity management and in the payments, forex and securities industries. He served as Chairman of the Boards of GLEIF, CLS Bank International and the European Payments Council, as Convenor of the RMG of ISO 20022, and as Board Member of SWIFT, LCH, Euroclear Netherlands, the Euro Banking Association (EBA) and Electronic Commerce Platform Nederland.

    As former Senior Executive Vice President of ABN AMRO Bank he has broad experience in sales, product development, regulatory affairs, information management and operations.

    Who is Martin Sandren?
    Martin Sandren is a security architect and delivery lead with over twenty years of experience in various information security related roles, primarily focused on security architecture and digital identity, including global-scale customer, privileged and internal IAM systems using the Microsoft Azure Active Directory, SailPoint, Saviynt, ForgeRock, IBM and Oracle security stacks.

    His experience includes roles as architect, onshore and offshore team lead, and individual developer. He gained wide international experience by living and working in Sweden, Germany, the UK, the USA and the Netherlands. Martin is a frequent speaker at international conferences such as Consumer Identity World, MyData and the European Cloud Conference.

    In my role as IAM manager at AholdDelhaize I am responsible for the IAM business analyst and engineering team and for the delivery of IAM services to our 450,000 users globally. Martin Sandren is a board member of the IDnext foundation, founder of the Digital Identity Amsterdam meetup and active within IDPro.

    Who is Peter Hoogendoorn?
    Peter started his career as a software engineer in public telephony and data communications at Alcatel. He moved to Atos as a software developer and became a security advisor for the public sector. At KPMG, as an IT auditor, he became an information security specialist, and he then started as a security officer in the field of IAM, security architecture and cybersecurity at Achmea. Within ABN AMRO he became involved in IAM and blockchain security. Currently Peter works at Capgemini in the field of IAM and cloud security.

    Outside his direct work relations he is part of a think tank dedicated to IAM at IDnext, and he was founder and chairman of the Insurance ISAC. At the moment he is part of the Dutch Blockchain Coalition, a working group that aims for a trustworthy implementation of digital identities using blockchain technology and promotes this at government level.

    What is IDnext?
    IDnext is a Dutch foundation: an open and independent platform to support and facilitate innovative approaches in the world of digital identities. It creates awareness about digital identities and provides a knowledge and networking platform for experts in IT, business and marketing as a European centre of expertise. IDnextplatform provides a single point of entry for (leading) IT and business professionals throughout Europe. IDnextplatform can be your starting point to connect, collaborate and find specific information related to digital identities, and it acts as a community. IDnextplatform disseminates knowledge and experience by organizing events and workshops on a variety of themes, using expertise from the worlds of IT, business and marketing.

    More information is available via www.idnext.eu

    If you ask me, from Capgemini, is technology a push or a pull? Then: we will push technology into the business, but we are pulled into that as well, because business transformation is currently the most challenging thing that we need to do. Also challenging for Martijn Roeling, who is the next speaker, from ASML, where apart from the normal things geopolitical aspects also play a big role. So I give the word to Martijn.

    Thanks all for having me, and thanks all for being here today. I would like to take you through the digital identity journey that ASML is going through. As you might know, it is a very dynamic engineering company. For those of you who do not know ASML: ASML is everywhere. I think everyone in ASML is wearing a sweater stating a quote from the BBC; they made it in 2020 or so, that we were the most obscure Dutch company. That was in 2020; I think nowadays we are not perceived as obscure anymore, we are necessary to run the world, right? You see us in smart watches, phones, self-driving cars, you see us everywhere, because we make machines that facilitate the making of chips. So we are not the only machine in the process, I want to make that clear; we are part of the chain, and with that we try to keep up with Moore's law. So that is really important for us. There are a lot of bright minds that are helping us with that, and we do not only do that in the Netherlands, we do that across the globe. As you can see, we have people in the US, but we also have people in Singapore, Japan, Germany, so we have a lot of presence worldwide.

    And this is how that looks. In total right now I would say we have about 75,000, let's call it identities, in ASML. Those are not only workforce, it is more than just that. The most important one that will come back in the story is that we have 3,000 people that are a PhD, so there are a lot of really smart people in the company, and that also defines how we do business with them and which challenges we have. So these 40,000, I would say, the workforce, are registered in an HR system and can be considered regular employees or contractors. But if we go to the 75,000 you would see we also have construction workers. As you may know, I saw a news article stating Veldhoven will no longer exist, it will become ASML City, right? They are buying these houses for immense prices. So we have a lot of construction workers in Veldhoven building the new clean rooms, building the new factories where we are building our latest machines. We also have customers. We do not have a lot of customers, maybe unlike a clothing company or whatever, but we do have customers that pay a big amount of money, right, like the Intels, the Samsungs; they pay a big amount of money for the machines that we are making. We have suppliers, whether they are in warehouses or whether they are helping us push the boundaries of technology; we have a lot of them and they are collaborating with us. We are not seeing those as external suppliers, we see us collaborating together to bring the technology to the next level. And we have non-human or non-personal, however you want to call it, workload identities, machine identities; I have many terminologies for it. I will not handle that, so I greyed it out, because that is way too complex for now.

    So the journey: where did we go? Of course it is always about the right this, the right that, whatever. I think the major point here is taking into account the right context: in which context are they operating? And in the case of ASML, in the geopolitical world that we are now living in, that is key for ASML. So we are no longer able to just look at this picture. So this is how it started when I came in, and just for your perception, maybe like five years ago; I joined ASML four years ago. If we talk five or seven years ago this was the picture, and it still is a picture: someone wants to have access to an application or an entitlement, they just go to a simple application, an IGA application, they request access, they get the access to the application. But this is like five to seven or maybe ten years ago, right? Or they sent emails, whatever. But we have a lot of persons that are actually smart and they already think about IAM concepts before you even know it, and for us it all makes sense, right? It should be role based. So we get this person that is now a finance manager who wants to have access, and they want most of the access that they need for that role. So we call that, of course, role based. Do we have that a lot in ASML? No, I can tell you that for sure, because ASML is changing every day. Departments are created, departments are merged, departments are split up, because we are growing so fast. So can we compare ourselves to a bank? For sure not. Our HR department is not made for it. I reached out to them, I said to them: can you please hand us or give us an API or anything that we can get all organizational changes in? And they said no, there are too many, and we do them whenever someone requests it, we just push it. So for us, role based, yeah, it is not really a model that we adopt, but if people want to combine authorizations to define their role, fine, right? But it is different from having a role-based model from an HR perspective.

    Then ASML had another great idea: we are going into an agile transformation, right? So what is challenging about an agile transformation is that this data does not... for us, agile teams do not exist within the HR system, they do not exist in the HR landscape. So I can be part of three agile teams, I am product owner of three agile teams; how is that defined, who is defining that? So we get into a new challenge, where you would then need to get teams into play in your IGA application, whether that is team as an attribute that you would provide governance over, or whether you say, well, we can also, instead of a role in your IGA application, just call it a team, and that team gets certain access. Well, that all works fine, right? But it is making it even more complicated, because all these teams... let's say you have this development team. I saw BWC presenting, right: if you are running all these tools and you need to have access to all these tools, then you can imagine how many roles you will need to create, because each team will have their own GitLab, well, or they have the same GitLab environment but they all run their own pipelines, they all have their own codebase, they all have everything themselves, right? So you create a lot of teams, you create a lot of roles, and the governance on top of it is challenging, very dynamic, especially in ASML: we have a new problem at hand for the machine, we create a new team, they will be funded, they will solve it. So: team based.

    Then ASML, as I mentioned, we are collaborators, and collaboration is what made ASML great; that is what they will also say in the documentaries. It is very important that we look across the supply chain, not only when it comes to purely pushing technology boundaries but also when it comes to identity and access management, and helping them out in their cyber security. So we have a lot of suppliers that need access to environments, and we all know concepts around federation or decentralized identity or whatever, but the main challenge here is: if you have now an IGA application there in the centre, how do your suppliers, who do not know anything about identity and access management, actually get access to your environment? So do they request it themselves? Or, and there you see the colours coming back, blue and green, right, do you have someone in the middle who is requesting the access for them, and how do you then operate from a zone of responsibility? We have all seen, maybe, the Okta hack, which also used a third party for their services. I mean, how did they get access, how do we get access to those environments? Probably you have like a man in the middle, which we then call a supplier delegate, maybe you have a different name for it, but they need to request on behalf. The same concept holds also for customers, but could also hold for non-human identities; it is all the same, there is something in between that is managing it for them. And we are really thinking about zone of responsibility. So the zone of responsibility would be: if you are a warehouse provider, or let's say you provide a warehouse to ASML with a lot of components that need to go into the machines, then what access do you really need? You probably need access to PDA, to something else; you have a vendor contact person for that, and that vendor contact person is only allowed to select two or three roles for those persons that work for that company, nothing more than that. This is a big challenge, big challenge.

    And then we only talked about admin-time authorizations. And I know you probably are all interested in the geopolitical situation, because now we have people working worldwide and they are going to fly and then they end up in countries, well, we can all name a few, right? But we know we are doing a lot of business with the US, with China, and they all force regulations on each other. So admin-time authorizations are not doing the job. It is still a lot of our business, but it is not sufficient. So going back to the first example: let's say we now have an employee that is a factory manager. Then this person wants to view dashboards for how the factory is doing. Normally you would say you give him or her a role, and they can go to that application and see the dashboard for how the factory is operationally doing. Nowadays we are running this via runtime authorization checks. So we are actually going to a model which is attribute based, where we would have data in the application itself, let's say this is some kind of HANA database or whatever, where it is determined what the relationship is between the factory manager and which factory this person is the manager of. So probably this person is the factory manager of Veldhoven, right? So then the person can view only the data of Veldhoven. This is of course typically an example of attribute based. I think this is very limited, because actually where we need to go to is policy based, right? This is what we have seen all the time, and that is also what is important to ASML.

    So what we did: we prevented a lot of role explosions coming through, because otherwise you need to create a role for each factory. But it does not do the trick, because we have a lot of system engineers who are working on the machine, and all these machines contain a lot of, or are built based on a lot of, technology documents. Each of those technology documents contains either a description of a screw or a bolt or maybe a panel or whatever; they contain a lot of information. Those are considered our engineering secrets. So a system engineer typically would need to have access to those documents, but maybe not all of them, and it also depends on the context when they are allowed to see it. So in that case we are saying: only view design documents when those conditions are met. At authentication we can also have a contextual database, or well, a database containing contextual data, so we say on authentication, look at certain attributes for that person and determine if that person is allowed to access the application. So we are going into policies, so we get a policy enforcement point, policy decision points, all these kinds of things, and you will have your externalized check, I would say, for that application; you will have it here on the authentication layer. The challenge here currently, in my opinion, is that many of the target applications do not really support an externalized check, so you would need to accommodate for that. So at this moment in time I would say that many of the checks that are actually happening just state: this person is allowed to have access to the application or not.

    So translate this to the geopolitical situation. We have technology documents that are US based or are Europe based, or so: they are basically created for X percent in the US. Now there are laws and regulations that prescribe that if that document is created in the US, you cannot export it to a different country; you need to have a licence for it. There is a whole definition on the internet of which countries are allowed and which countries are not allowed. So the Netherlands is, for example, allowed, no problem, but we all know the countries which are more challenging, let's say the North Koreas, Syria, etc. So if you were to, even as a person, step into a plane, you would land in North Korea and you would then need to open that specific document: you should not be allowed to open it, because it is then deemed an export. And that is the law that is currently imposed, and that is creating the geopolitical situation that we are in. So in terms of context, we are then blocking access to certain applications. But this of course has an implication on how business can actually be done, because this also affects continuity. Of course sometimes you would need to access the document, so you actually wanted to have it more fine-grained, and then you are looking into policy enforcement points, policy decision points, however you want to call it, on the target application side. So you gather a lot of attributes into the target application, whether that is the device you are on, or what someone's regular work location is, etc., and then you can maybe build a little bit more of an advanced policy in the target application.

    So this is what is on our mind today, right? We need to protect the assets that we have as ASML. I would say that for ASML, as a dynamic engineering company, one model is not sufficient; we need all of them. Still 80%, maybe 90, 95% is based on entitlements. It is not driven by roles; it may be automatically assigned based on who you are, but it will move in the direction of attribute based or policy based. But the point with that is: the new concept never phases out the old concept, in our opinion. We have a lot of legacy applications or on-prem applications that will never go, right? They will be there for a long time. So yeah, maybe in ten years I will tell a different story, but for now we think we need a toolkit. So whenever I would go out to the business as a product owner, I would go and take all these models with me and I bring them the story: hey, these could be your solutions, which one would reflect you best?

    What will the future hold? I put down three items. So yes, we are in need of an extension of attribute-based, policy-based kinds of models, and how we deal with that, also because of the geopolitical situation. Second, artificial intelligence. I see it going in two directions. I heard a lot of people talking about identity AI, identity artificial intelligence. I also would like to take it to organization artificial intelligence. I think you do not only need to look at the identity, you also need to look at the context of the organization they are in. So with our agile transformation a lot of people that are in different agile teams report to one manager, because you do not want the HR manager to be the product owner or to be the scrum master. So what happens: 100 people are now reporting into one person. This means, let's say you pick an IGA team, you have 10 administrators that have admin access to your IGA solution, but in the department there might be 100 persons. Typically, in the AI solutions that we have nowadays, you will see that you will need to define the threshold: why do I expect this access to be there for these persons? Then 10% is nothing, right? 10% is very low. So they would come up with a recommendation: don't assign this access, or don't let someone request this access, whereas actually I would say the other 74,900 persons never would need this access and are not assigned this access. So if 10 people within this department have this access, it probably makes sense that if someone in this department is requesting that access it might be a lower risk; well, actually it is of course a high-risk application. So we are also thinking about organization AI, right? How do we learn from it, or do we start registering additional attributes?

    For that last one: ASML is a company of smart engineers; that refers back to the PhDs. I heard stories about when you got an incident ticket in: did you try switching the computer on and off again, or did you do something small to fix it? What happens in ASML, and I have seen real-life examples, is that we have people that are building their own solution, and they really build it in full. Even last week someone called me and they said: Martijn, we heard you are going to phase out some product, and actually that is a problem, because we put an RPA solution on top of it which is pulling data and then automatically assigning access to all the project leads that we have in ASML, so we are not allowing you to switch off that application. And I was like, yeah, but you never knocked on our door in the first place... oh, this is not great. So they mentioned: we are going to block it. And I said, yeah, what is this for stupid, you didn't come to us in the first place, right? So actually, if they had come to us in the first place it would already have been fixed. But we have such smart engineers, they come up with a great idea, and they do not only come up with a great idea, they will implement it.

    Conclusions. Oh, I already scrolled to this one, okay. So for me, conclusion-wise: do not consider one model. I see a lot of vendors out there stating you have to go attribute based, you have to go policy based. I think every model still has value; in ASML they will, for sure. So maybe for smaller companies it might be different, right, if you are just a startup or a medium-sized enterprise it might be different, but for us every model holds. Understand the challenges that your organization has. For me, I have tons of conversations with these engineers, right; you have to offer them something unique that they really want, because otherwise they build their own solutions. And the last one: build your toolkit. We are building this toolkit, we are offering all these types of solutions to them so that we get them on board and do not have them work around us. Thank you, that was my presentation.

    The next presenter is Martin Sandren, well known to most of us because he speaks a lot in public. He is now going to share his experiences from IKEA.

    So it is quite funny to be talking at IDnext like this, and you know, before here we had these extremely complex machines that they build and it is very hard to explain what they do, while I am from IKEA. So my job here is to talk a bit about cyber resilience and what we see as the main connection to the state of identity, and my real job here is to make you hungry. So if you are hungry you should go and eat some meatballs, and then you should buy some hangers or something like that. I don't actually know exactly where it is, but there is an IKEA store here, so you know, get hungry, go and eat.

    Yes, so let's start with some good news. So I have been doing IAM for about 20 years, and when I started out one of the things that were really hard to solve was that you had a system here with users and a system here, and you want the users that were authenticated using this system here to automatically get over to the other side, because the business process you wanted to support was split. And there really weren't any standards for this, say 20 years ago, because everything was monolithic, everything was sitting in its own system. So one of the first things I did out of university was, I was working for an ERP vendor, and we built a federation between SAP and this other ERP system, and because this was supporting basically manufacturing and maintenance of fighter jet engines, which are very, very expensive, we could take the cost of it. We spent about 100 days, we took our university encryption manuals and figured out how to... basically we did a bad implementation of SAML, which didn't exist yet, but it worked and it solved the business problem. And what has happened over the last 20 years is that, as you see here, you then had standards showing up about 10 years later, and then you did an integration, and then in theory everything should work automatically, and then you discover that, well, IBM's idea of how to implement certain encryption and Microsoft's idea are, yeah, not entirely the same, you know, something very esoteric, like how do you pad in your encryption or something like that. But usually, you know, if you spend the time on it, it works. So you see here, about halfway, these integrations became more standardized, so usually you could just ship it off to a team in India or some other low-cost country and you could get it done, and usually with a little bit of troubleshooting it worked fine, sometimes a bit more, sometimes a bit less. And then today you get to the point where almost always, if you buy a modern identity solution today, it is going to come pre-integrated, which means that the only thing you need to do is just get the metadata out, put it in place, and it works, and about 90% of your time will be spent on just clicking in ServiceNow or whatever is the system for handling tickets and approvals and stuff like that. But this means that we have essentially taken a problem that used to cost about 100 days, so say that you pay a grand a day or something, that is 100,000 in cost; you are now down to 5 hours. That is a huge difference. It means that you can essentially integrate with lots and lots of applications. So if you look at an enterprise today, it is not uncommon to have a thousand applications integrated to SSO; even a couple of thousand is not uncommon in a larger enterprise. So good, you solved the problem, well done.

    But usually when you solve a problem you create another one. And one thing is that, this is Blåhaj, I don't think it is part of our collection anymore, my son really loves this Blåhaj. And because we solved the federation problem, because we have also lifted all of these network boundaries and other things, usually today if you want to break into a system you just log in. And if you talk to people who work in enterprises, you know, what types of attacks are the most common ones? Well, usually it is phishing. And I was speaking to a friend who is part of the cyber security response team in a large corporation, and lots of his time goes to, basically, every time they get a phishing email reported, they then go and see, and then they see that there are another 100 people who got this email, and sometimes no one clicked on the link; then you have very good cyber security training, excellent. But often someone clicked, and then they lost their access tokens, so then you have to trace them down and remove them. So hackers do not break in, they log in. And it is not only your system; we have all seen the Okta breach, for example, where they also break into the people who manage a system that supplies you, and identity systems are usually very interesting to break into because they usually get a lot of access to a lot of different systems. So we have now one problem solved; we have a new issue, which is these hackers.

    And just like Martijn was talking about: once you have the identity, when the federation problem is solved, you have the authorization problem, because just because you have access into that pyramid, those 75,000 users, they shouldn't have access to everything. So we need to solve the authorization problem, and the authorization problem, as we saw, is becoming more and more complex, because we don't only need to support the first use case, we need to support all the six different use cases, six different models. So we need to support DevSecOps, we need to support least privilege, zero trust and ITDR. So how do we do this? We probably don't use a card that you have to carry around and show to the camera or something like that. Well, what tends to happen, especially when you have old systems, is that you want to mimic the old setup. And what tends to happen in complex systems, such as for example RF or other ERP authorization models, is that no one really understands who has access to what, but they do know that if we do the same model then we give the same: if Jan had access before, then when you hire Martin you give Martin the same access as Jan.

    Another problem we are seeing, and this is a bit of a new twist on an old issue, is that as more and more of the access parts, the authentication parts, are centralized into centralized PEPs and PDPs, that means that more and more applications have automatic integrations. So if you buy software today, and if you are for example a Microsoft shop, an Entra shop, what you will see is that most applications have Entra integrations, great, so you can set up the SSO and so on, and they might even have a provisioning integration. But then comes the question: if you look in those integration manuals, what do they say? Well, they probably say that I would like to have Group.ReadWrite.All, because that is the easy thing; you probably only need like five, ten groups, because those are the only groups that you have, but writing that instruction to explain the fact that you need not all access but limited access is much harder. So the manual says I need ReadWrite.All, and then you have a very fun discussion with that application team explaining why their vendor is writing the manual so wrong. There is a little bit of a new twist on the old fact that it used to be that everyone wanted to be root on the machines. But the problem here is that in the old days, okay, if you have root on your server, the worst thing you could kind of do was to break that server, which was problematic for whoever supported the server, but of course if you have ReadWrite.All, ooh, if you compromise that box or that identity, suddenly you can destroy the entire corporation.

    So a few years ago there was this big hype around zero trust; that was the solution to all problems, not entirely sure what the problem was, but the solution was zero trust. I think today there is a little bit more nuance, saying least privilege, because it makes sense: you know, you shouldn't have more access than what you need, you should only have access to the stuff you need to do your part of the system. So you then try to enforce least privilege, but as we discussed before there are lots of things that make this hard, complex. So what tends to happen is that you go more for reasonable privilege: so you know, you don't give out ReadWrite to everything, you give out ReadWrite to at least a little bit smaller, because that is how far you can take the discussion with the application team. And then at the end of the day you often end up with vaguely acceptable privileges most of the time. So if the application teams don't scream too loudly or have that much political power, they will actually get least privilege, but if they scream too much: oh, then yes, yes, here you go, go away, I have other things to take care of.

    The other challenge that we have is when in the product life cycle we consider authorizations, because if you, as an organization, say that, well, this access management, that is something that the IAM team does, then at some point of course the rubber needs to hit the road, you really need to have the access that you need in the production system. But what tends to happen is that, you know, in pre-prod you can get a little bit higher access, it is not so important, so that means that whatever your product plan is, the time when you actually look at this tends to be just before go-live, and then you have a very, very problematic discussion, because are you going to stop this application from going live? That will cost, you know, X amount of euros every day; that application team, the development team needs to stay, that costs money. So that is not the right way to do it if you want to have at least vaguely reasonable privileges.

    So with all this you can see that your IAM teams, if you implement zero trust and don't look at these complexities in culture and way of operating, you see three different variants of IAM teams. You can see that IAM teams just need aliens who fly around somewhere in their saucers and just say no to all the projects, or at least make it impossible to get any project through the pipeline. This is a very, very cute animal, that is actually part of the collection, so you can go eat some meatballs and buy your kids some animals. And this tends to create a lot of friction, especially with your security teams who don't really understand this least privilege either, so they have approved the solution and the application teams come to say that, yes, we have this solution, it is approved by security. Okay, what did they actually approve? You get the hot potato effect, and that is never really good in an organization. There is another way: your IAM team turns into a goose. So geese are very good at, you know, you throw water on them, it just rolls off

    Um there are some people who are very good at this and it’s a very good skill to have uh but it doesn’t really solve the Enterprises problem the third variant is that your IM team sech into alligators that is they develop very thick skins very small

    Ears and a big mouth so they can bite back now neither of these kind of three types of IM teams are very useful for an Enterprise if you want to deliver this privilege and you want to deliver new Solutions so how do you do it better well you look at two important

    Parts one is share responsibilities and one is shift left so Shar responsibilities is all about you know just like you do the training on the the fishing you need to talk about this with your larg organization this can be that you go out and talk to application teams and talk about this

    Challenge because in most cases it’s one of you know 100 things application teams try to think about so if if you don’t kind of go out and make a little bit of a show and talk to them there’s a very big risk that this kind of gets very low priority and it’s not

    Really being discussed if you do go out and talk to them I think most application teams application goes like yeah this privilege sounds good because I don’t really want to be the application that people use to attack the entire Ikea likewise if you inform the application Architects up front there’s

    A good chance that they they do get it likewise with information security if you try to explain it to the the information security teams it’s there’s much better chance that they actually will have this conversation early in the process and not in late cyber security and IM are two teams

    That traditionally didn’t really work together as much but they really need to because if identity is the way to protect the company if you only have half the puzzle either security side or identity side you’re not going to be successful when should we care about

    This so there should be a part in all the designs that talks about authorizations what authorization does this application need to work most applications don’t really need anything exotic but for a lot of applications the problem is that if you don’t look at that early and say you know you’re non

    Exotic so no problem or you’re exotic and then we need to figure out how to do this with reasonable privileges but if the discussion happens here instead this is going to be much much harder both from a political standpoint and from a a practical standpoint so thank

    You um my name is k Hing um I’m the chairman of the IC industry Advisory Board of the DSi program and digital standardization initiative um ICC has 40 45 million corporate members they are mainly exporters importers and the service providers Banks and uh logistical firms um and I

    Created a set of slides um uh without locco uh because I also include some uh developments of the uh world of identity management for legal entities being the cly foundation with a mandate of the G20 and of iso so it’s a mixture so no logo

    It’s my story um this is the content of of the slides I will move because we only have not even 15 minutes I understand um yeah about 15 minutes if you take an in individual firm then uh you are if you talk about identity management of legal entities

    There is always a legal View and there is a technical View and sometimes they don’t cooperate enough within a firm and many firms are part of a larger uh Co Corporation but even in a small firm one men’s band is maybe too much you are faced with these legal issues and with

    The technical approaches probably you will recognize it uh yourself so and they all all have to deal with relevant topics and these World worlds are coming more and more together legal entities what is a legal entity I have to explain it several times in ISO communities because some people do not understand the

    Legal difference between legal entities and natural persons and do not understand the difference between subjects with rights and obligations and objects without rights and obligation so all uh each UN member of course has entity Leal forms I will explain it a bit more in the Dutch system

    And Etc that’s through for any um UN member around the world many legal entities belong to corporate structure IFRS is the system in the majority of the countries how to consolidate legal entities and US C us does it different they look alike but they are different

    Um they are based on the legislation of the country involved and created for that purpose of that country the majority of legal forms are not created for a global audience there are some exception but but that is the the the practice in in general they are included in the business register the Dutch

    System is there is only one business register that’s not true in Germany or in many countries around around the world and of course they have also to deal with corporate actions if you do not know the word companies are being split or being combined merges and that’s the word for corporate actions

    And business register have to take care of it and they are all based on National rules and also national standards not Global standards they are not and that creates a lot of uh problems for crossb business so for exporters importers and their service pro providers because they

    Are faced with all these national uh approaches and the International Supply Chain by definition crossborder payments Etc but also the capital and Forex markets they are by definition global and so the public sector also is faced with this Global uh or multicountry uh element and that results

    That that several parts of the public sector create their own identifiers to get the stuff reported to them of legal entities of more than one jurisdiction that is happening so the G20 in the end decided for certain uh developments around the world we need a better approach they created uh the the concept

    Of the global legal entity system system C uh that’s a G20 initiative in 20122 and they created two legal entities The Rock which is taken care of policies and taking care of oversight of a Swiss Foundation that was created in June 2014 I was the first chair and that

    Foundation has to take care of a unique legal entity identif ification worldwide of any un country only focused on legal entities and they those data may be used for businesses to government purposes reporting Etc that’s happening for instance in the Forex markets derivative markets in Europe but also in the US or

    In the capital markets in Europe so there is at least 100 pieces of legislation you can find it also all on the web um but also for business to business purposes so this was a statement of a famous guy Mr CL Jean CLA Trier the former Governor

    Of the European Central Bank I don’t re read it myself but uh you can look at it you needed only one and you need one that can be used everyone everywhere around the globe So based on the program of the G20 it was asked to um ISO to create a standard

    For the legal forms this is the standard ISO 20 2275 entity legal form so uh that means that there is a register Clive was mandated to take care of the register and around the globe there are over 3,800 legal forms so for the Netherlands only 20 but within certain jurisdictions

    France for instance there are 270 legal forms all data is available free of charge you can download in these technical languages that is very important to understand what type of legal entity uh a French Sr looks like a Swiss Sr but it’s really very different if you look to the content of the

    SR delay uh that’s the unique I identifier ISO 7442 um uh that for legal entities around the world so it’s a standard in the data 20 characters there is no intelligence by definition by Design um the index uh you can even and use your smartphone and find it uh what the facts

    Are today is 2 and a half million last Friday and uh of the Netherlands over 31,000 all is downloadable free of charge for anyone and there is an API AA available every day a lot of companies already uh download their part of the data they are interested in a company has official

    Representative of the company buers the word CEO CFO is not included in any legislation around the world so the official roles standard was developed again on behalf of the G G20 you can find the standard o over there um there is a register there all those roles and there are globally over 2,000

    Roles available so for the Netherlands about 40 40 all data is download downloadable this is a new development it started it was launched last year it’s very important to understand not only who is who who owns whom parent ultimate parent but also that you are able to verify validate

    Cryptographically if the cter party is indeed counterparty that’s the model um I don’t want to go into details there is a video available on YouTube YouTube with the uh launching customer Pharma leer Pharma leer is basically a club of the big boys in the pharmaceutical industry and they

    Exchange data on a blockchain n network so look if you are interested in that um you can find a lot of the information business register if you only have the perspective of the Netherlands then you think well there is only one entity taking care of all the registration of all the legal entities

    That’s true in the Netherlands that’s a bit true in France but it is not the standard around around the world you can find a lot of information over o over there on the on the website also um and there are over thousand formally approved registration authorities uh by The Rock

    So that means the rock is 60 Regulators around the world take care of rubber stamping that a new organization is added to this list of course all the documentation is available this is an initiative that started here in the Netherlands and that also had to do with certain developments

    Basically it started at the Dutch blockchain Coalition when they had this one of the three priorities had to do with identity and the identity in a blockchain environment has also to do with ident identifiers for multiple per purposes so that resulted in uh the document that was published in on in

    June this year um and it has a very comprehensive overview of all ID identifiers of subjects around the world and their standards and registers but also of objects so it’s not only about subjects legal entities and natural persons but also of objects so if you

    Like to know a lot about uh for instance I numbers I codes there are more than a million having to do with Bond and shares or IMO with shipping in Industry all vessels do have an IMO number all containers do have a unique number this

    The register in in Paris Etc so you can all find all the those identifiers to be used within blockchain from blockchain to blockchain but also from blockchain to classical leer system they are the data connectors uh in technology you so Clive is a Swiss Foundation uh fully transparent based on the

    G20 um decision all board minutes Etc are available on the website if you are interested unique legal entity identification worldwide but they do not do all the work themselves they have Partners there is a rule book and all the partners are accredited and there is a process for

    Checking multiple times a year that their quality of the data still okay um and all is subject to oversight of the regulatory oversight committee they deliver a lot of services but the core is all services are free of charge for any user that’s the model

    It’s a decision of the G20 how is the funding done the organization is nonprofit not for profit so the partners not for profit um and if you need based on legislation or you want to have an Lei business to business then you have to pay a small fee I think the current

    Fee for uh the cafe care in the Nethers is one of the lay issuers of the 131,000 I think that 110,000 are issued by them uh I think it’s 50 bucks currently something like that uh to get an Lei you can get it on your smart files there’s a golden copy

    Delta files every day you can see the history what’s very important for certain use use case cases um uh mapping Services mapping to other identifiers the big probably know to you Mick has to do with the trading World API so the best is that you take your smartphone you c.org

    And search you find a lot already over there but all the documentation is uh available in 14 languages of the G20 by Design International Chamber of Commerce um basically the world of exporters and importers and everything what is in between banking but also the logistical firms um the

    Um the organization exist for over 100 years um currently we are working on reviewing all the 40 trade documents bills of lading letters of credit ATA Carnet many of those documents used in the international trade some of them are still paper based based on legislation in some or more

    More countries so we are reviewing all the data elements in all those documents and we are in process to define the core data set legal entities is one of them but also date and some others and the planning is that we uh publish the final report uh early next year we already

    Published some time ago the identity management card I know it has to be upgraded you can download it for free three and this is one that was published in March this year trust in trade that is basically based on the Vay concept verifiable uh identity this is my last

    Slid so if you have a manufacturer somewhere around the world think about the far East exporter over there importer here in Europe for instance the distribut are Merchant or web Merchants there are customers business or consumers and you have the physical supply chain where logistical firms but

    Also the harbors the airports and rail those guys are all in my board uh at the senior level Financial supply chain mostly enforcing processes uh but also crossb payments sometimes domestic payments and be aware that the financial stability board uh published a document uh it’s on behalf of the G20

    Enhancing crossborder payments with 1919 building blocks to uh to get away of the barriers in crossborder payments there are still a lot lot of them uh the idea identity is one of them also in relation to the feta Financial action task force AML CFT Pro problems around the

    World data of subjects and objects are of course very very important for that and the last but not least is of course the the trust layer so it’s a mixture of um yeah the world of IC the CLI the iso standardization but it is all centered around businesso business business to

    Government uh that is the story I wanted to share with you and and all the data is free available for you if you wish thank you g it’s time for a few questions uh if and from the audience hello my name is B gardar from

    Ubq I had a question for uh so the last speaker was talking about ver fiber credentials and the first two speakers had very interesting uh conversation but I was wondering uh if they could comment on their wallet initiatives and the uh maybe the role of wallets in the corporate environment yes

    So on the wallet side um the main challenge for Ikea is that we’re a global Corporation so if you look at wallets are very successful of course in certain parts um so for example in the nordics with bank ID and so on but if you look globally at all our markets

    It’s very hard for us to still be able to justify an investment into wallets because the fact that it’s only going to be a very small part of our business that’s going to be impacted now that being said um of course I know that um the in the markets that we operate where

    They are there is a significant penetration we are looking at at rolling out the wall as as authentication formats um and don’t can’t really go into too much detail um but I I do think that for most what we will see over the next couple of years is that wallets is

    Going to be a way to authenticate especially outside of your own Corporation um and we have seen that as well as part of onboarding both for employees and contractors so uh that’s basically the consumer side of of the wallets but as a corporation that using wallets internally gives you an additional uh

    Trust model that you might leverage for complex use cases well it’s not only for Consumer side so basically in all cases at some point you have to authenticate the user that you take in as an employee and that is today done with basically usually copies of passports or

    Similar uh and there’s of course a good there’s a very good reason not continuing that approach in pleas and for contractors it becomes that we have a shorter lifetime you know you can take the the current approach Works more or less for employes but hey wouldn’t it be

    Very nice if you could do this more efficiently yeah so I pretty much agree with M Martin is stating I do want to add that I think as it comes to Identity proofing that I’m really interested in when the LIE gets combined with wallets so that you can also cross supply chain

    Check is this person really working for the company they say they are right are we and if they would leave that company and the wallet gets updated can we then also link it to our join move leave life cycles so I think yes that will be the part where it gets

    Interesting uh I think the adoption is not there yet I also uh believe that uh at ASL we’re not a first adopter here I think we will look at Financial Industries or government to go first uh before we take the steps there I will add two

    Points uh I would recommend you to look at the video of the F that’s absolutely because it will give part of the answer second there’s a development I did not mention it in the slide it is mentioned NPI that has to do with a new standard on natural persons the standard is

    Already there so work is now being done to accept authoritative sources passport or whatever or identity card and combine it with the NPI and a global Organization for that uh I’m part of the dialogue but it is not yet there so the standard is there but not how to move

    Forward forward so if you are interested uh I can show you the way uh to have this dialogue and I completely agree that the combination with being able to do both the Lai and the wallet that gives some fantastic abilities and we actually already seen that I did a project in in

    Sweden about 5 years ago and uh in Sweden you have the bank ID being rolled out and because of how Swedish small corporations so if you’re very very tiny you can run your corporation as a natural person and what we found out in that specific implementation it was for a a

    Large wholesaler in or large retailer for farm equipment so if you want to buy a tractor you can buy them from them or you know half a ton of of fertilizers and there we had about 25% of the customers were of this specific kind that to run their own company and there

    We could actually close the entire gaps we could have a very very nice efficient and also very secure process for on boarding customers because we could do bank ID identification and we can then tie that back to the company that they’re working for last question

    Yes uh so thank you so much let me create a context for uh my questions we have aost for personal data documents ha apostal convention we have a method to regulate personal edification of natural person right and U all this presentation about identification IDs like lay is pretty important but what about

    Something like apostal for corporate documents why I’m asking in our industry in private banking we have a very huge problem about how to De with documents between malan European citizen mavan C Island USA this is our jurisdictions and okay you have identifi like but L European only we have this

    ISO this is amazing but what about documents itself as far as I know only Oasis working in this direction trying to provide a schemas for the documents so so what what if we extend this ID question to question about document schemas could you comment out somehow yeah well uh very short the L

    Has a very the Clive has a very specific mandate based on the Mandate given by the G20 and the FSB and basically it’s D data it is not about documents of the individual legal entities the source of those documents is often in business register but I hope

    You are able to read Chinese or Japanese that’s very hard to get so uh and you have to pay for that uh mostly in many of the business register Le has no mandate for individuals thank you thank you very much I think we have to leave it uh

    Because the time constraints uh I thank you uh very much U and for the presenters
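    The first talk's complaint is that vendor integration manuals ask for directory-wide read-all or write-all permissions when the application touches five or ten groups. The following triage script is an added example by the editor, not code from the talk or from IKEA: it takes the list of Microsoft Graph permission names a manual asks for (real Graph names, as shown in the Entra "API permissions" blade) and sorts them into reject / justify / review / ok, with narrower alternatives to open the discussion with the application team. The severity rules and the alternatives table are the editor's own policy, not Microsoft guidance; the sample request list is constructed.

```python
"""Triage the Microsoft Graph permissions a vendor's integration manual asks for.

Added example, not from the talk. Permission names are real Graph names as
displayed in the Entra "API permissions" blade; the severity rules and the
NARROWER table are the editor's own policy, not Microsoft guidance.
"""
from dataclasses import dataclass, field

# Editor's table: for a broad permission, narrower ones that usually cover an
# SSO + provisioning integration. Which one actually fits is the conversation
# to have with the application team.
NARROWER = {
    "Directory.ReadWrite.All": ["User.ReadWrite.All", "Group.ReadWrite.All",
                                "GroupMember.ReadWrite.All"],
    "Directory.Read.All": ["User.Read.All", "Group.Read.All", "GroupMember.Read.All"],
    "Group.ReadWrite.All": ["GroupMember.ReadWrite.All", "Group.Read.All"],
    "User.ReadWrite.All": ["User.Read.All"],
    "User.Read.All": ["User.ReadBasic.All"],
}

# Resources where a tenant-wide write lets the holder grant itself more access:
# the "compromise that identity and you can destroy the entire corporation" case.
HIGH_IMPACT = ("Directory.", "RoleManagement.", "Application.", "AppRoleAssignment.")

SEVERITY_ORDER = {"reject": 3, "justify": 2, "review": 1, "ok": 0}


@dataclass
class Finding:
    permission: str
    severity: str                 # "reject" > "justify" > "review" > "ok"
    reason: str
    alternatives: list = field(default_factory=list)


def classify(permission: str) -> Finding:
    """Apply the editor's policy to one Graph permission name."""
    is_write = "ReadWrite" in permission or ".Write" in permission
    tenant_wide = permission.endswith(".All")
    high_impact = permission.startswith(HIGH_IMPACT)
    alts = NARROWER.get(permission, [])

    if high_impact and is_write:
        return Finding(permission, "reject",
                       "tenant-wide write to a privilege-bearing resource; "
                       "compromise of this identity is a tenant compromise", alts)
    if high_impact or (is_write and tenant_wide):
        return Finding(permission, "justify",
                       "tenant-wide or directory-level access; needs a written "
                       "justification and a named owner", alts)
    if tenant_wide:
        return Finding(permission, "review",
                       "tenant-wide read; confirm which objects are actually needed", alts)
    return Finding(permission, "ok", "scoped permission", alts)


def review(requested: list) -> list:
    """Classify every requested permission, worst first (duplicates collapsed)."""
    findings = [classify(p) for p in set(requested)]
    return sorted(findings, key=lambda f: (-SEVERITY_ORDER[f.severity], f.permission))


def worst(requested: list) -> str:
    """Overall verdict for the request: the most severe single finding."""
    return max((classify(p).severity for p in requested),
               key=SEVERITY_ORDER.__getitem__, default="ok")


if __name__ == "__main__":
    # Constructed sample of what an integration manual tends to ask for.
    MANUAL_ASKS_FOR = ["Directory.ReadWrite.All", "Group.Read.All", "User.Read", "offline_access"]
    print("verdict:", worst(MANUAL_ASKS_FOR))
    for f in review(MANUAL_ASKS_FOR):
        line = f"{f.severity:8} {f.permission}: {f.reason}"
        if f.alternatives:
            line += f"  (consider: {', '.join(f.alternatives)})"
        print(line)
```

    Run against the constructed list, the verdict is "reject", driven by Directory.ReadWrite.All. The useful part in a go-live discussion is the alternatives column: it turns "no" into "which of these three covers your provisioning flow?", which is the shared-responsibility conversation the talk argues for, held before the application is a day from production.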
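    The second talk describes the LEI (ISO 17442) as a 20-character code with no intelligence in it, free to look up, and the basis for checking that a counterparty is who it claims to be. One thing the code does carry is a checksum: the last two characters are ISO 7064 MOD 97-10 check digits over the whole code, so a mistyped or OCR-damaged LEI can be rejected before any register lookup. The validator below is an added example by the editor, not code from the talk or from GLEIF; the sample input is the LEI published by GLEIF for itself, used here only as a well-formed 20-character code, plus two deliberately corrupted copies.

```python
"""Shape and check-digit validation of a Legal Entity Identifier (ISO 17442).

Added example, not from the talk or from GLEIF. The two trailing check digits
are the ISO 7064 MOD 97-10 checksum: letters are mapped A=10 ... Z=35, the
result is read as one decimal number, and a valid LEI leaves remainder 1 when
divided by 97. A checksum passing proves nothing about the entity; it only
catches transcription errors before you query the register.
"""
import re

_LEI_SHAPE = re.compile(r"[0-9A-Z]{18}[0-9]{2}")   # 18 alphanumerics + 2 digits


def _as_decimal(code: str) -> int:
    # int(c, 36) maps '0'-'9' to 0-9 and 'A'-'Z' to 10-35; the values are
    # concatenated as decimal digits, not added.
    return int("".join(str(int(c, 36)) for c in code))


def lei_check_digits(body18: str) -> str:
    """Compute the two check digits for an 18-character LEI body."""
    body18 = body18.strip().upper()
    if not re.fullmatch(r"[0-9A-Z]{18}", body18):
        raise ValueError("LEI body must be 18 alphanumeric characters")
    remainder = _as_decimal(body18 + "00") % 97
    return f"{98 - remainder:02d}"


def lei_is_valid(lei: str) -> bool:
    """True if the string has LEI shape and its check digits verify."""
    lei = lei.strip().upper()
    if not _LEI_SHAPE.fullmatch(lei):
        return False
    return _as_decimal(lei) % 97 == 1


if __name__ == "__main__":
    samples = [
        "506700GE1G29325QX363",   # well-formed, published LEI
        "5O6700GE1G29325QX363",   # letter O typed for zero
        "506700GE1G29325XQ363",   # two adjacent characters transposed
        "506700GE1G29325QX36",    # truncated
    ]
    for s in samples:
        print(f"{s:22} valid={lei_is_valid(s)}")
    print("check digits for 506700GE1G29325QX3:", lei_check_digits("506700GE1G29325QX3"))
```

    Treat a passing checksum as step zero of counterparty verification, not as verification. Whether the LEI exists, which legal name and registration authority it is bound to, and whether its status is still Issued rather than Lapsed or Retired comes from the GLEIF index itself (the API at api.gleif.org or the daily golden-copy and delta files the speaker mentions); the cryptographic proof that a particular party controls that LEI is what the vLEI adds on top.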
