
Security experts agree that password-based authentication belongs in the past.

However, how can you upgrade beyond the password to a truly transformational multi-factor authentication (MFA) solution? An Identity Based Authentication platform replaces passwords and legacy MFA with the most powerful form of Identity: your unique biometrics. Advancements in biometric technology such as LiveID provide stronger authentication and verification, all from the user’s phone.

Leaders across industries use Identity Based Authentication to provide stronger verification, authentication, and an intuitive user experience for your employees and customers.

View the recording today to hear how the expanded partnership between 1Kosmos and Hitachi Systems India brings better security to organizations.

Video Transcript
Mrigank Mishra:
Good morning, everybody. Good morning, Hyderabad. Welcome to this 1Kosmos and Hitachi Systems India presented webinar on next generation, multi-factor authentication. I really thank you, all of you to joining this webinar and taking out your time during a busy day morning, 10:00 to join this webinar. It's a commitment that we will ensure this time of yours would be put to the best use and you will see something very fascinating today during this webinar. Now, before I hand it over to my colleague Kavish, I would like to give you a small background in terms of why we are here. Now today, if you notice the biggest challenge today, when it comes to cybersecurity, apart from various other facets within the cybersecurity, there's one thing which is being pegged as attributing close to about 80% of the breaches globally is because of compromised or a weak password, right.

Mrigank Mishra:
Now, there is no general silver bullet to security. But what we are trying to do is find an alternative in terms of how do we secure an identity access issue, or a password related compromise from being done by a respective hacker. So what we are trying to achieve today is to take you through a journey where my colleague Kavish from 1Kosmos would take you through an introduction in terms of how 1Kosmos is enabling this entire platform in order to allow organizations to safeguard their respective users, safeguard the respective applications, safeguard the respective identity of users from being compromised, right. My name is Mrigank Mishra. I take care of the business for Hitachi Systems India based out of Hyderabad and I welcome you all. Over to you, Kavish. Kavish Engineer, who's the channel sales director for 1Kosmos, India. Kavish, without the further ado, thank you so much for joining, over to you.

Kavish Engineer:
Thanks Mrigank. Good morning, Hyderabad. I'm excited to be here today to talk about 1Kosmos and the passwordless authentication journey. Since I'm going to be sharing my screen, I'm going to go off camera, but, do quote any question that you might have. So what we are here today to talk about is your journey to move away from passwords. We all know how bad they are, and until very recently, we have been... we have seen that, that's the only way of authenticating into the various systems, applications, or devices that we've been requiring to authenticate into. So let's see how bad it is.

Kavish Engineer:
Recent cyber attacks in India that have been going on since the last about couple of years have been in the media news. First one of them, Indian aviation company faced a data breach where about 45 lakh information of the flyers, the PII information was hacked and leaked over a period of 10 years. Another report talked about the Indian railway's ticketing system company where seven lakh customer data had been breached or rather stolen from one of the servers, which were exposed to the internet over a period of three days. Yet another example was over a couple of months, one of the largest food services company in India saw a data breach where 13 terabytes of data was stolen and leaked onto the [dark web 00:03:49] at annual being sold or rather had been kept for being bought at approximately four crore, to be meant to be bought by a single buyer.

Kavish Engineer:
This data included lakhs of companies, Indian customer, and employees PII data. We just want to bring out these examples to talk to you about the, cyber attacks are on the rise in India. And, especially during this pandemic in the last couple of years, globally we've seen incidents around... security incidents around cyber attacks, which have been reported by research facilities involved in the development of vaccines against COVID-19. In fact, we also have seen media reports around two such facilities in India, one in Mumbai and the other in Hyderabad, where there were information security incident which affected the IT systems, and they had to actually isolate their data center services. So, the issue is quite real. A little bit about 1Kosmos, so we are about a four year old company, headquartered out of New Jersey. We have majority of our engineering and development team sitting out of in the India office.

Kavish Engineer:
We are present in four continents, and very recently we have partnered with a leading cyber security focused in a venture firm with about a $15 million series A funding. A little bit about our leadership team, the leadership team come with a combined experience of more than 100 plus years in the digital identity space. Our CEO, Hemen Vimadalal, who started 1Kosmos, this is his third company before that he had started Vaau and Simeio, both of these companies have 1,000 plus employees. They are part of the Gartner's Magic Quadrant leaders. And, they have successfully exited to Sun Microsystems and a private equity firm. We also have an advisory board where we have players from the US government. They are former heads of Department of Homeland Security and Department of Defense. And, we also have players from the tech, info and security enterprises in the US. A little bit more about the innovative part about our product is that we actually are leveraging the identity of the user and allowing the user to use his own identity to authenticate into the various systems.

Kavish Engineer:
We take the... we leverage the advanced biometric and we also use the private blockchain ecosystem to ensure that all the data that we are actually storing is securely stored, and immutable. A little bit more on the product side. The product is in production for more than three years. And, we do about a million authentications per day, Verizon, which is one of the largest telecom provider in US has partnered with us where we have white-labeled the BlockID product as Verizon ID, which is there on the Play Store or the App Store. This product is being sold to the Verizon's 600-odd B2B customers. Last but not the least, we have global partners in the form of RSA, Hitachi, Wipro, to name a few. We also have outside-in analyst engagements with Gartner, Forrester, KuppingerCole, 451 Research, which have recognized 1Kosmos as one of the leading identity proofing and passwordless authentication solution available in the market today.

Kavish Engineer:
Now, let's look at the history of authentication. We would be surprised, but the first password was created in 1960, which is 61 years back. And, this was to protect the mainframe of MIT. About a decade later, when it was realized that passwords were the weak form of authentication, we also introduced in 1973 encryption by hashing the passwords. Smart cards were introduced in 1974. And around, say in 1993 was when the first hardware token [SecurID 00:08:14] was introduced to the world. Say about 20 years of... in fact, 50 years, if we fast forward to somewhere in the mid 2000s is when the banking industry introduced SMS-based or email-based OTP. Until today, we are still using the same SMS-based or email-based OTP for authenticating into various systems as a second factor of authentication. Now passwords, and the second factor of authentication is what we called HBA or hope-based authentication.

Kavish Engineer:
And why we call it hope-based authentication? Because we certainly rely or hope that the passwords and the second factor of tokenization are not going into the wrong hands, are not being forgotten, are not complex enough for people to manage and last but not the least, they are not shared by the user with anybody else. And hence we say it, it is hope-based authentication. Now let's fast forward to 2013, about 10 years back, we had alliances like FIDO, where FIDO stands for fast identity online, coming up with second factors of authentication protocols. Somewhere in 2017, we saw the NIS, EU and ISS standards coming out for identity proofing of a remote employee, or a customer, and then using identity proofing and the FIDO based web authentication to ensure that an identity-based authentication can be established where the user himself would prove his identity using government documentation, and then use these identity to authenticate into various system's application using the biometrics.

Kavish Engineer:
It could be device biometrics or in certain companies, people also have live biometrics in the form of Live ID. We call it ours as Live ID. And I'll show that to you in a while when I'll be doing the demo. So let's look at a journey from hope-based authentication to an identity-based authentication. When we say hope, in both the hope-based authentication and in the identity-based authentication, the A is what really matters, the authentication. And we hope that the person in a hope-based authentication is real. He actually is the same person whom he claims to be. We hope that he successfully gets logged in into the various systems and applications. And we hope that nobody else, apart from him gets in. Now to make this a more stronger, we introduced to 2FA, which is second factor of authentication or MFA.

Kavish Engineer:
We introduced knowledge-based authentication, risk-based authentication, and some non-As, such as single sign-on and password managers. But we still see that these have not really been effective enough. So what is the answer to this? The answer to this is migrating from a hope-based authentication to an identity-based authentication, which is enabled by the NIST 800-63-3 standards in our system. Now the NIST 800-63-3 standards again is broken into three sections. The first one is the NIST 800-63-3A, which talks of who the person is or proofing of the identity of that person using government documentation and cross triangulation.

Kavish Engineer:
Now the most common of the identity assurance level or the most widely accepted is the IAL2, where our system itself is capable of identity proofing the user in the mobile app itself and able to give a correct match. The second section of the NIST is the NIST 800-63-3B, which talks of using those biometric which the user has enrolled to authenticate the user and meeting the authentication assurance level two. How do we do that? We use the KANTARA Certification and we use the FIDO public-private key, way of based authentication.

Kavish Engineer:
So what is the solution? What is identity-based authentication all about? So we actually give the user control of his identity by allowing him to enroll his biometric and on his consent, he would be allowed to present his biometric and I'll show that to you in a minute, when I'll be doing the live demo. The biometric that is used is then allowed for authentication. And since it's a built-in MFA, we don't require to have a username password. And every time the user will be authenticating, he'll be continuously verifying himself. So, without a username password and with flexible level of identity assurance, we are able to ensure that there is no behavioral, or session fraud detection, or there is no way a compromised identity is logging in. What are the results? We look at the result in three forms, a better user experience because every time the user will log in, he will have a consistent way of logging in by using his biometric.

Kavish Engineer:
And while I'll be showing you the demo, you'll actually see what I mean by that. And with this, we are actually able to increase on an average, the Net Promoter Score for the organization by 30%. In fact, for a few of our customers, we've done this exercise where when we move them to start using biometric based authentication for the VPN use case itself, there was a 30% increase in the Net Promoter Score. And that's a huge thing for a user experience perspective. Obviously, the side benefit is no passwords are required and hence they cannot be stolen. The second one that we talk of is the low Total Cost of Ownership, and why do we say that? Because, we are giving the entire onus of managing the identity back to the user, and hence you don't have to maintain or manage identities. You don't need to have in-house experts in the form of [IAO 00:14:40] experts.

Kavish Engineer:
Hence, again, Total Cost of Ownership goes low. And, obviously you pay as you grow, type of pricing and the last but not the least, we look at the high Return of Interest or investments because when we start using biometric-based authentication, we have seen that there is a 30% deduction in help desk, password reset cost, and obviously the resources which you save while they are not doing the password help desk reset, they are actually being used for leverage and use the leverage for other important functions on the help desk. Now, with this, let me just jump into the live demo.

Kavish Engineer:
So what I'm going to do is I'm going to present my mobile screen. So what you see on the left is my mobile screen, and I'm going to first show you how I'm going to be enrolling my identity. So for that, let me just first log in into my mobile app, BlockID mobile app. And for that, I'll have to first give my biometric to set the app ON. Now, what I'll do is I'll go and see if my identity or I'll be able to show you that while I actually enrolled, I have enrolled my passport. I have enrolled my Touch ID, Face ID, and I have enrolled my Live ID. What you see on the right hand side, for enrollment, the documentation enrollment process, I've already followed and done all this. And, now what I'm going to do is, I'm going to erase my old identity, which is [quoteKE 959 00:16:21]. I'm going to remove this account and I'm going to re-enroll myself. So this account has been removed. I'm going and re-enrolling myself. And for that, I'll be asked to scan a QR code. So here I'm scanning the QR code.

Kavish Engineer:
If you see, it has taken my name, it has taken my passport number. And now I'm giving my consent and it'll ask me to give my biometric. So, I'm blinking my eyes and I'm smiling. This is the Live ID biometric-based authentication that we have in our solution. What it is going to do is, it's going to pass on this information to my HR system. Since there is information on passport and my Live ID that needs to be passed, it takes a little bit of time, but it goes, and now if you see on the screen, what you see is my user information. So my first name, my last name has been captured. The location, at that point of time, my Live ID which was captured, also has been... is shown over here. Obviously, I have not enrolled my driver's license, so that information is not there.

Kavish Engineer:
But if you see the passport information, including the document ID, the expiry date, gender, and the snapshot of the passport also has been captured. Now the solution is capable enough of ensuring that the passport is the legitimate passport. It's not an expired passport. And hence, it'll only allow a valid passport to be enrolled. Now as per my processing, I will do a continue over here. And if you see all that particular information that are required to be filled, have been copied, and they have been pre, sort of enrolled. Now I just have to put my email ID. I just put my mobile number and I will say, I want to verify and attest this. So I'll go ahead and I'll verify and attest. And what I'll receive is that I will receive an email on my mobile, on my email ID. That's my... what I've received it. And I'll say, let me go ahead and register for passwordless authentication. It'll ask me to open my BlockID app. I'll open it. And the moment I do that, I give my biometric and it'll say that the account has been successfully added.

Kavish Engineer:
Thank you, the new account has been added successfully. So now if you see there's a new account called [KE 7097 00:19:11]. So let me select that to show the rest of the demo. Now I go to the demo choices. I'll first go and show the workforce demo wherein I will be going and scanning an intranet portal of mine. So there I'm going ahead. If you see it has taken my name, it's taken my new user ID. I give my consent, I give my Live ID and this will log me into my intranet portal. If you see over here, we have few of the applications which are part of our internet portal, all these are web applications. So let me just show you one of the web applications. Let's assume, I'm a sales guy and I need to log in into my CRM. So I'll simply go ahead and I'll select employee login, which is my domain.

Kavish Engineer:
And it'll redirect me to my login page. I'll scan that. I'll give my authentication, and this time it is asking me for a device biometric. So there is an option in the solution to configure whatever way of biometrics you want the user to present. If it's a critical application, you may want to have a Live ID, in form of a normal application, you can have any other form of identity as well. Let me now just jump back to my BlockID page and here if you see, if I now click on Okta, it'll single sign me on into Okta because of the web application's single sign-on functionality. The next use case, which I want to show you is my Windows login. So normally if I go to my Windows, I do a control, alt, delete. And here I'll be asked to... I have the option of either putting in my username password, or I can log in using BlockID. So I'm going to select BlockID as an option. And, there's a QR code which has got generated.

Kavish Engineer:
I'll just go ahead and I'll scan the QR code. Again, it has taken my user ID. I'll give my consent. I'll give my device biometrics and it'll log me in. So it just log me in. Now, over a period of the entire day, I may want to go ahead and I may want to go for a tea break, coffee break. In that format, I may want to lock my... as best practices, I may lock my machine. So I've gone ahead and locked my machine. And when I come back, I simply go ahead and do a control, alt, delete, and I go to the locked part or the locked option. And what it'll do with, it'll send me a push notification. I've got a push notification on my mobile. I'll click on that. I'll give my consent, give my biometric and will log me in. So if you've seen, it's a consistent way in which I'm logging into my... whether it's my web application or my Windows use case. So it increases the user satisfaction, user experience.

Kavish Engineer:
Now, let's see one more use case. What I'm going to do is, I'm going to show you the use case of consumer onboarding. So we have a consumer facing option as well. Now, this is want to show you by next... Next-Gen MFA capability. And, for that, I'll have to select my other persona. So I'm going to select my consumer persona. [One bank KE9509 00:22:51] is my consumer persona. I'm going to add that or I'm going to just enter that as my username.

Kavish Engineer:
And, I'm going to say, let me log in using password. So if you see over here, it says, okay, password with a 2FA, so I'm going to put in my password. And, the moment I say, I want to enter, it'll log me in, but, it'll ask me for different options. And, we have configured these six options. You can have either of these options, or you could have multiple of these options. We would rather have single option. So let's say... I say I want to authenticate using a time-based OTP, instead of a SMS, email-based OTP, which we already all know, is there. So I'll select time-based OTP. And if you see it is asking me if I verify the OTP code. On my BlockID mobile app, now I'm going to just go to the next section. And, if you see there's an OTP which is displayed. So I'm just going to enter this OTP, 8-3-5-8-3-4, and it'll log me in.

Kavish Engineer:
If you want to see one more option, let me just do once more, logging in, and I say you the password. I'll enter my password. And I say login, and now let me say, I want to have, maybe a push notification to my app where I only need to give my consent. So I'll select this option. And the moment I do that, I'll get a push notification on my BlockID mobile app. I'll click on that. And now, since I've only been asked for a consent, I'll give my consent and it'll log me in. So this is what I've to show you all today and I'm just going to stop sharing. I'm going to switch on my video and Mrigank, over back to you.

Mrigank Mishra:
Right! Thank you. Thank you Kavish. It was really, really interesting. And I'm sure this is eye opener to a lot of attendees who are seeing this particular demo in terms of how do we look at ensuring immutable way to securing a one's identity, right? And, moving away from the traditional siloed-based, password-based authentication. So I'm sure people here who have seen this would be excited to see that there is an alternative, there is in a way, a silver bullet to securing the identity and access management, right? And for those who wish to look at this demo, once again, we would be more than happy to talk to you, to come across to you and set up a separate session for you. You have our coordinates, and I will also share our coordinates for you to reach out to us.

Mrigank Mishra:
Now, thanks, Kavish. Thanks once again, for sharing the presentation and the demo, now we would move...

Kavish Engineer:
My pleasure.

Mrigank Mishra:
... Yep. Thanks. So we would move to the next phase of our webinar today. You're exactly on time. Now we are going to have a panel discussion with some of the senior fraternity from the enterprise market of Hyderabad. I'm most happy and excited to call the panelist right now. I'll also have Mr. Anuj Gupta, who's the managing director for Hitachi Systems India to take over the panel discussion. But before that, let me quickly introduce you, the panel members. We have Mr. Susheel Walia, who's the deputy director for information security from Advance Auto parts. Mr. Susheel Walia brings with him 20 years of leadership experience in information security, governance, risk management and audit, and service delivery roles in large organizations and across regions like India, Mexico, etc. He's a certified information systems auditor, CISA and certified in risk and information systems control.

Mrigank Mishra:
We have Mr. Srikanth Appana, executive vice president for Bharat Financial Inclusion Limited. Mr. Srikanth Appana is a technologist with rich experience in identifying and building consensus for enabling technologies that facilitate business priorities, processes and strategic objectives. Then we have Mr. Jagdish Kumar, senior vice president at Cigniti Technologies. Mr. Jagdish is a business visionary professional with experience in defining and implementing [inaudible 00:27:33] enterprise IT strategies, integrating IT with business and delivering profit-driven technology solutions. He has over 25 years of experience in various global roles, spanning IT strategy, governance, operations, compliance and information security.

Mrigank Mishra:
Finally, we have Mr. Amit Rustagi, vice president- information technology at Aragen Life Sciences, formerly GVK Biosciences. Mr. Amit Rustagi joined Aragen in 2014. And, he has a total experience of about 27 years, with 17 years of experience in managing drug discovery companies. Prior to Aragen, he was working with Jubilant Biosys and TCS. He was involved in a lot of digital initiatives, started by Government of India, like digitization of Indian census and electoral rolls of India. I, wholeheartedly welcome all the panelists. Thank you for taking out your prestigious time and precious time on a week day, on a middle of the week and over to you Anuj.

Anuj Gupta:
Mrigank, and welcome everyone on this panel. I think we have Siddharth also on the panel. Mrigank, You've [inaudible 00:28:38] to introduce Sidharth, looks like.

Mrigank Mishra:
I'm so sorry. I'm so sorry. Yes. Siddharth, my bad. Siddharth is the chief operation officer for 1Kosmos, India. Siddharth, my bad.

Siddharth Gandhi:
No problem, Mrigank. This is absolutely fine. Good morning, everyone, and welcome all the panelists.

Anuj Gupta:
Right! So, as we saw in just some time back and the whole discussion now we are going to do today is on the Next-Gen multi-factor authentication. Right, today, where we stand and what we are seeing that, the last special year and a half has been fairly crazy, right? We went from an environment which was coming to the offices, the focus was our office, right, and everything was secured at a centralized place. For coming COVID, we went into a completely decentralized manner, right? We never thought that the edge would become that powerful, the way it is today, right? And we never thought that people would be logging in from their houses into a highly secured environment from a very, very unsecured environment. But that was the reality, right? And to that, I think somewhere last year in October, November, we thought everything has come back to normal.

Anuj Gupta:
Offices, started opening up and things started looking like, COVID is over, right. Especially in India. And then boom, we came to the second wave, right, which gave again, put all of us back in imbalance because I think that by that time we are already decided it'll be hybrid and we will... some work from office, some will work from home and things were looking like it was getting in control, and the second wave actually just shook us completely. Now, again we are in a situation where we are coming back to normalcy, but now all of us have that fear that we don't know how long it's going to last, right. Every day in the morning, the first thing we first see is, are the COVID cases rising, are they going down or are they steep?

Anuj Gupta:
And it's actually defining the way the enterprises are going to work, right. Because we are all now at that cusp, or we are sitting on the edge that tomorrow, we don't know which government, which city, which state will announce a lockdown. And most of you all are multi location [inaudible 00:30:30] you all have people working in different offices. It's just so much uncertainty. Now in all of this uncertainty, what we've seen is that especially authentication has become a big problem because now we are all remote, identity of the individual authenticating is a problem. The way he's authenticating is the problem.

Anuj Gupta:
I think there are enough and more cases, which has been shared by Kavish in the beginning of how passwords have got compromised and how the threats have happened, right. It's just unbelievable, the quantity and the qualitative data that got out by because of a weak password that was being used, and of course, then there has been identity theft. There has been all kinds of theft, right. So I'm going to go around the panel first and I'm going to just quickly understand from you all, what you all feel is the situation today and what is the need for the next generation MFA, right. Susheel, let's start with you first in your organization or in your business line, where do you see the MFA market going?

Susheel Walia:
So, thanks Anuj and good morning, everyone. So yeah, I think, Anuj, you've rightly mentioned, I think, pandemic has brought a completely a new, unique kind of use cases, problem statement in front of us, which we never faced earlier, in terms of identification and authentication, like starting from the hiring of the resource till kind of provisioning all the required accesses to that individual. I think, we had to innovate quickly making sure, even from a physical process in terms of making sure that we are shipping the laptop to a new joinee who is remote, or maybe within Hyderabad or outside Hyderabad, making sure that there the identity is verified of the individual before we are assigning the asset, before we are sharing the credentials with them. So certainly, it did add onto the additional operational overheads from IT service operations perspective, and certainly like, I think I like the demo, what we had. So if we would've had that kind of a remote identification model, I think it makes job much more easier in terms of overall identification.

Susheel Walia:
Plus also, I mean, because of people who are working outside office premises, I think some of the MFA prompts are too often, which mostly... So one of the studies says that almost 75% of the users are always frustrated with typing their credentials multiple times, and I myself receive multiple messages from my user base in terms of, why do I need to punch in so many times the password and the MFA login? That's because they're working outside the office premises. So yeah, I think we had faced all those challenges and we are working on in terms of how we can build other controls, like always on VPN, build on more in terms of passwordless authentication and have more kind of a seamless MFA, now, in terms of having a more... creating a more trust-based environment, working remotely. So, I think, we are still kind of addressing that challenge.

Anuj Gupta:
Right! [inaudible 00:34:18] said, what is happening is, is all of us, I think are burdened with so many passwords to remember, right? It's just unbelievable. You have banking account passwords, then you have passwords of various apps you're using, now with the OTT platforms, you have those password. It's just that so many of them, it's just become a nightmare, right? Srikanth, in something like this, especially in the financial technology market, right, where we are seeing that you have a user who has been getting an OTP to authenticate or he's authenticating in different ways and the kind of compromises that OTP has happened, just by hacking a phone or OTP being compromised, or the man in the middle attack.

Anuj Gupta:
You are actually at that spot where I think, for you, password is a something which are you all considering? Second, Srikanth, I think, this is the second part of the question is, because you have retail banking, you have commercial banking, then you have home loans and then you have so many things and every time a user has to access, actually, you are creating that many identities for them. Are you looking at creating one digital identity for a [inaudible 00:35:17] consumer, for you?

Srikanth Appana:
Absolutely.

Anuj Gupta:
Go on, go on. No, no go on. I think it was pinned, I thought it was in mute, yeah. Go on.

Srikanth Appana:
Absolutely, Anuj. So, thanks for this particular question to me, what aligning to one of the slide which you presented sometime back, about the history of authentication and all that, it's absolutely very true because comparing 10 years back and now, how we design the systems in a way, what the traditional way of designing system is, you go to a... pick up a particular model, the way you design could be a factory pattern, singleton pattern, all that. While you develop the systems, it's more of, the third party dependency is very less, it's all about component architectures. The volume of transaction within the system is high, but the third parties, it's very less, comparing now, I'm saying. But, today you talk about, you have a simple mobile system where it's actually, you just put as a design, what you do, you are completely on an API architecture, which absolutely triggers to have a public APIs, which is open for any outside developers community.

Srikanth Appana:
You have partnered APIs, which are dependent on your partners to expose your system or your data to them. And, you also... internal APIs, as well. Your internal systems has to talk to each other, could be HR systems, CRM systems, and all that. So composite systems as well, so APIs as well. So with having so much of dependencies around, the transaction of a particular data, is always risk and compromise a different journey of a particular entire transaction from beginning to the end. So a different passwordless authentication experiences, we tried to provide organizations as well. It could be starting with a traditional authentication, internet authentications could be a single sign-on, then SMS OTPs. We also try to do something with mobile device managements, application management, QR codes.

Srikanth Appana:
And, we also [DLP 00:37:41], so many solutions around which we already have in the system, but, just imagine the kind of managed services you need to put around to manage this different products, for different business cases, this all what we are trying to do is to ensure that identity management and corporate data is highly... the sensitive data is highly protected and managed. So what happens... introducing the biometrics, possession factors could be OTPs, SMS, and all that, hardware tokens and something with the magic links, the email address, the password resets and all that. But, what I'm trying to say is the FinTech industry, whether you need to align to any standard service security frameworks, maybe should have all this, but, the end of the day, you need an integrated system, it can manage all this.

Srikanth Appana:
When you design a solution, one for one particular application, or one for hardware, you go around, you run a design solution over there and you setup an L1 L2 L3 desk, help desk and all that, but just imagine the kind of cost in implementing these kind of solutions. Yes, the need of an hour is an integrated, seamless solution, is very much needed to manage all this, to have a unified experience for employees, or for customers, or partners. So in fact, we did a mini... a lab experiment while [inaudible 00:39:15] FIDO authentication, which has given an excellent result in terms of bypass, integration, SMS, and OTP, and protecting your hardware, your customer, employee, straight away taking to the sign-on transactions. Yes, totally with you, we need an integrated solution.

Anuj Gupta:
Okay.

Srikanth Appana:
Thanks Anuj.

Anuj Gupta:
So, you got to a very good point Srikanth, that unfortunately, if you look at this whole security domain and the security industry, A. The threats are very pointed, right. And, these pointed threats have come with point solutions to solve those problems. And those point solutions, and they've got integrated with some large organizations, they're trying to make a fabric or an orchestration layer, which honestly, even till date, I don't think anyone's got it right. But you are bang on that. The fragmentation that we see in the security domain, probably is not so much fragmented in cloud and dataset, right. It's just that in security domain, point products, point products, point products, every problem, you have a point product and you as a CCO or a CIO, or [inaudible 00:40:10] how many point products can you buy? There is a time that you need an integrated approach, right.

Anuj Gupta:
So, point taken. And I think, that that is something which we will see in the next two to three years as it goes forward, right. Jagdish, this one is for you, right. As an organization, I think you all do a lot of digitalization or you help organizations digitalize the assets around, [IOT 00:40:31] and you are doing a lot of work on a digital assurance. That's what I see. So, in this whole journey of digital that you're doing, is there a demand from your customers to have identity based digitalization of employees or identity based authentication, or are they really looking at making digital identities for their employees to consumers to extended teams?

Jagdish Kumar:
Yeah. Thanks so much. Certainly, there is an increased, I think, ask and demand from not only the business, which is clients and customers, but also from our own internal compliance and the board and other stakeholders to be able to ensure... we are not really compromised on any of these identity management, and password breaches, or passwords that are compromised, etc. See, but I think as, Srikanth also has alluded earlier, see today, the challenge is not that we don't have solutions, but the challenge is we have too many solutions to manage, honestly. And, it's actually a nightmare for all of us as an IT fraternity to be able to strike the right balance among all those pointed solutions and which one is to be leveraged at what point of time, for what kind of application, for what kind of users, for what kind of reason.

Jagdish Kumar:
Oh my God! Don't ask me, the list goes and last, but then yeah, if you ask me, we have been on an increased demand. And then, we are trying to do also minimize these pointed solutions to a handful of tools, to be able to effectively and efficiently manage all of them in a right perspective in our last... particularly, if I categorize my life as pre-pandemic and post-pandemic, it has changed. The life of actually an IT administrator, or as the compliance administrator, because earlier, as long as you are able to establish the identity and manage all the security in terms of access and the information, within the office network, within the four walls of your office, that's largely catering to your requirement, at least 80%, if not, 100%.

Jagdish Kumar:
But now, with 100% remote workforce, right from your user provisioning to asset provisioning to administration and its compliance and assurance is a big challenge. Just to give... just to share some of the thoughts, earlier, like any new hire onboarding, it used to just take a couple of hours on the day one, when the person just joins the organization, in terms of capturing all the information, validating, and then creating those system records, and linking all of them, and then completing the whole task.

Jagdish Kumar:
But now, imagine now in the pandemic situation, if somebody has to be onboarded, HR has a challenge first, in terms of establishing the identity, then IT has another challenge in terms of provisioning the asset, linking that virtual identity to the corporate asset. And, in addition to this, linking these two to some of the personal devices that the user may like to use, like mobiles, or personal laptops, or some of the client given assets to access their networks, their instances, and so on and so forth. So just, to make mind, if you have one integrated solution, like what we have seen in Kavish's demo earlier, which can bring all of them into a simple, and easily usable, with a good experience to end user plus assuring all IT and compliance boards, their due confidence and comfort. I think, we are good. And, we are set.

Anuj Gupta:
I think you are bang on, Jagdish that, this last one and a half years, we've seen like a complete change in the way technology consumption, HR onboarding, right. So, I'll give you a live case. This happened with our organization. We were recruiting somebody, and of course, we've been doing virtual interviews. And, for some reason on that day of the interview, he said he was having some camera issues and we went ahead and did the interview. Because, you know how it is, we need two-three hundred people, now we hired the guy and the guy worked from home for five months, and the sixth month, the client said, just about two weeks back that, now we are open, please come onsite. Now the guy comes onsite and after two days, the client calls me and says, what guy have you sent me, he's supposed to be a Soft Administrator, but he can't even open Windows. So, we called him back to office and we asked him what was it, he said my friend did the interview.

Anuj Gupta:
And for last five months, my friend was working for him, right. He was... and till the time he went onsite, the customer had absolutely no complaint. He was extremely happy with the support and the day he hits onsite, this is the reality, right. And, so this is where we are, where digital identities have become even, even more important than how we actually get all of that together, right. Now, to you Amit, Life Sciences is a business, which I think, in COVID time, everyone's been looking at what you guys are [inaudible 00:46:03] doing, right?

Anuj Gupta:
And, I think, at a very, very steep level, I think, Life Sciences adopts a lot of security. Because, there's so much research that you're doing, there's so much confidential data. And, I know that a lot of these companies have these strong rooms where you can't even enter and there's no internet and there's all of it, but, in this one and a half years, you had to change the way you worked, right. You had to get access. You had to give them remote access, and no coming to office, but working from the home. How do you see the whole transition and where do you see this whole lifestyle security, really going?

Amit Rustagi:
I think, COVID impacted us very differently than any other vertical. So we are up and running from the, I think, seventh or 10th day of the first wave, because obviously we need [inaudible 00:46:51] that we need a manufacturing site to manufacture the APIs and do the drug discovery work. But, nobody had thought, I mean, even if we are a service organization, we do drug discovery for other organizations. Before any pharma organization start any drug discovery work, or we start the manufacturing with them, they do an audit. And, if we are making an API or another formulation company, we are even audited by the FDA. Can you imagine FDA because of the travel restrictions of the... between international travel restriction, even FDA is not able... the people from FDAs, they're not able to travel to us. And, the biggest change which we see in our kind of vertical is, all the audits are happening virtually and identity management is the most important part in our vertical.

Amit Rustagi:
They only look at our SOPs, whether we are following the SOP, because obviously there should not be any deviation in terms of the SOP. And, when we follow the SOP, they look at the integrity of the data and all of you know, that the integrity of the data can be proven to the auditors, only if you have a very successful, proven identity management system. And I think, with so many instruments having... some instruments are domain connected, some instruments work standalone. I think having a common [inaudible 00:48:38] passwordless system, which can be proved to an FDA that yes, this person has generated this data. And this data is not manipulated at any given point of time, makes a huge difference in Life Sciences business, and, I think the way our pharma organization works. So, I think, this is a good solution. And, I think going forward in the coming time, the way the digitalization is happening in every vertical, I think pharma organizations are bound to adopt such technologies.

Anuj Gupta:
So see, the more I look at it and the more I hear from all of us, I think we are all in the common consensus that digital identity is the way forward, or it is probably the way right now, right. The other thing that is coming out loud and clear is authentication, which is integrated. You can't have standalone authentication or you can't have, again, another level, another technology, which is not integrating with the enterprise application, not integrating with the other application. So, what we are looking at is digital identity, passwordless authentication, integrated authentication, and of course then spanning across talking to multiple things within the organization, right. So, Siddharth, you as an organization, that I always strongly think that any product company, or anyone, when you build a product, there's a need that you address, right. So as an organization, you are a still relatively young, and in a four year old organization. What was the need when you started and how much of it catapulted, or changed when COVID happened and where do you think today you feel as an organization is the need for the next two-fifty years.

Siddharth Gandhi:
Absolutely, Anuj. I think, a lot of the answers have been given by the panelists, right, and I've been voraciously making some notes of the panelists talking, right. So I'm going to just call out some of the points to recap, which will eventually answer the question. So I think the first premise, which we started off is the trust factor, right. What is the trust consideration which starts with, is there anything better available than passwords today? What Kavish indicated has been around for 70 years, and it's been 15 years since the soft token, hard token have been introduced, but we've not really made any significant progress, right. And, that got us thinking, majority of the founders come from the identity and access management space, having spent about close to 15 years, 20 years in the space, right. So that is something that we started questioning, right, and subsequently, I think what Jagdish Sir indicated providing the right balance, right.

Siddharth Gandhi:
The striking the right balance is important in a remote world, the need to identify the person still remains the same, right. I mean, typically in a normal scenario, you would take into account the identity of the person when they come to the office, right, the gate. But now it's not possible anymore when the employee remains remote, but the principle still remains the same. You need to identify the person who's accessing data of the organization. Subsequently, I think, Srikanth Sir mentioned that it needs to be an integrated solution when we've worked over the last decade or so, there have been SSO solution, there have been MFAs, we all know that SMS and email OTP aren't really the strongest ones today, right. So what is the... and there are enterprises which are using multiple options, right. We've had the people using multiple soft tokens for different applications, and that's where the need for an integrated solution comes into play.

Siddharth Gandhi:
And last but not the least, I think Mr. Susheel also indicated that it needs to be seamless, right. What can you provide to the user at the end of the day to make their life easier. So I think combining everything together, what we wanted to ensure is a right balance between user experience, as well as also bringing in that security aspect, where we are asking the person to provide who they are rather than providing what they know. And, that's where the whole being... coming of BlockID came into existence, right. And the last 15 months have been very interesting, right, because we've had customers willing to listen to what we had to say, given the current scenario, this was a need of the hour. Right, so that's where I think, we've been coming in from, and eventually I think it leads to a better user experience, lower cost to the company, better NPS from a customer standpoint.

Anuj Gupta:
Great point. I think Sid, what you rightly said is, now, let's look at what we are coming to as a user experience, right. All of us, I think, and Susheel made that point for us, all of us are burdened with the amount of password, we made it complicated passwords, eight digit, 10 digit, lowercase, uppercase, special character, right, alphanumeric. And, more we make it complicated, somewhere I feel, easier it is getting to get hacked because it's become very predictable of how you're going to do it. 1, 2, 3, 4, hash, the colon, it's just, when we've come in, unfortunately, we don't have too much time, so I'm going to do a quick round of fire chat here, right. Of course, I'll start with Susheel first. Susheel, will passwordless authentication of biometric-based authentication, will that only exist in two years from now?

Susheel Walia:
No, I think, it's already existing. I think, in many of the... so it has started long back, but the focus was primarily on the mission critical or the sensitive application platforms only. But I think, now with the complexities inward and the ease with which a password can be hacked, I mean, within $5 to $6, you can go and buy a tool which helps you in a brute force attack to breach the passwords. So, with the advancement of technology, even the availability of the hacking tools have also become easier in the market right now. So the need already exists and these products were widely used on the government, or the military platforms. I think that more and more such passwordless authentication technologies coming into the market, being more affordable, easy to integrate with the existing and the legacy applications, platforms that we have, I would say now we can immediately start getting onboarded onto these technologies.

Anuj Gupta:
Well-said. I think, it is the need and it is right now, the present, it's just about how currently probably they'll coexist and eventually it'll get phased out only passwordless. Srikanth Sir, to you, do you think in one year or one and a half years from now, you'll actually get rid of OTP and you'll have step-up authentication, which is biometric-based.

Srikanth Appana:
I think it's a culture change needed at the organization and the confidence we need to give to the business management and the business stakeholders, sponsors as well. Moving away from a traditional OTP and SMS will take some time, unless you view a solid POCs and backup with a perfect ROIs and all that, I think it definitely is possible, but it would be a slow absorption, I would say. And, [inaudible 00:56:19] transaction, you have four checkpoints to finish a life cycle of a transaction and you have minimum three, or four OTPs, SMS required to finish one particular transaction. It could be onboarding or finishing a digital transaction, even whatever it's, but you're highly depend on SMS and OTPs. So, definitely, as a technologist, yes, we would want to move away from OTP and SMS, but there's a small culture shift need to be needed in the organization. It'll take some time, but that is the future, I would say. Definitely.

Anuj Gupta:
What I hear is currently in coexist, but you can actually pick some applications or it could be like, example, a step-up authentication, if you're doing a 100 rupees, you can do it over OTP, you're transferring 5,000, you can actually step-up and say, you need biometric-based authentication or passwordless authentication to actually get through that transaction. Right, we can also look at those kind of models.

Srikanth Appana:
That's correct.

Anuj Gupta:
Right. Yes. Jagdish, you guys are now really doing a lot of good work around digitalization and when you go back to your customers, would you really stress that digital identity is the way to go? And, would you really emphasize on this is how you should make secure digital platforms?

Jagdish Kumar:
Yeah, certainly, I do see the value and the importance of this whole digital identity being used more widely and more commonly. So today, of course, some of the clients have already started asking us in two ways, one is how do we enable and help them with this digital assurance, which includes the identity management as well, in addition to their... the application and business process assurance? Okay. The second part is there are already people who started kind of demanding, how can you ensure that digital identity is, or your employee identity is very tightly managed and integrated to the access of their environments, their data, which is obviously having the bearing on their IT and data compliance? So, all in all, I think, there is suddenly increased need and also demand.

Anuj Gupta:
I think, you are quite right at this, just, how every again... every domain would be a different domain. So, how the need is and how they can consume that is what was more important, right?

Jagdish Kumar:
Right.

Anuj Gupta:
Amit, to you, I think, you've got a very important point that FDA doing remote audit, unheard of, right. FDA is like the FBI, right? They come in... they come in with all the tantrums and I think, whatever I hear from all my pharma friends is that, FDA is one thing, which they want to keep away and imagine FDA doing a completely remote audit. So, and you emphasized on digital identity. So do you think that FDA would probably, or your compliances would actually lay down saying that everyone should create a digital identity with all the credentials, all the authentications so that there is no compromise on the identity?

Amit Rustagi:
Yes. I think I was speaking to one of the senior consultant, who closely worked in a very large pharma company and with the FDAs. I think, they're planning to change even the computer system validation to computer system assurance.

Anuj Gupta:
[Inaudible 01:00:01].

Amit Rustagi:
And, that thought process will start, the way we look at the, data, the way we look at the risk will completely change the landscape. And I think, these kind of technologies will make a big impact and will provide lot of assurance to auditing organization like FDA and some other European and Japanese audit organizations, but they would be able to trust remote... they would be able to trust the, or do the access or [inaudible 01:00:39], remotely. Apart from that, I think, there is lot of confidential data, which gets shared between two pharma organizations, between a drug discovery and organization, and we try to stay away from cloud, just because of the confidentiality of the data and not able to have very, very proven identity management system. And I think, once we have these kind of system, that will make our life more easy, than before.

Anuj Gupta:
I think again well-said, so see again, as a system integrator, we cut across all domains, right. We talk to pharma, IT/ITES, pharmaceutical, banking and everywhere, I think, the crux is coming to that, it is important of how we create the digital identity, how we onboard the identity and what you said, the word assurance, now it's actually coming, even in IT/ITES, it's not only in pharma, it's not about validation, but it's assurance, it's the right personal and the right credentials, actually getting into the right environment. And you know, we talk about Zero Trust. We talk about various ways of now getting into the corporate of the enterprise data. So yes, digital identity will play a role. Passwordless will play a role, and I personally feel there's a lot of evolution that is required in the next two to three years.

Anuj Gupta:
And we'll see, again a lot of fast track and then God forbid, if we don't have the third wave, it'll be great. But, if we have that, it'll again change the way technology will get consumed again, right. So, it's going to be an interesting time, and Sid, there's a lot on your hand because you guys have to... you heard it from all of them, right. You have to be integrated, you have to have enterprise-grade product. It has to have stability, compliances. So there's a lot on your table and lot on your plate, right, and I think Sid, you can give your views on how you're going to tackle with that.

Siddharth Gandhi:
Absolutely, Anuj. One thing that I did miss out and I'm glad you bring this point up is the privacy aspect, right. I think compliance, increasingly around the world is increasing, we are, I think, having a draft of our own data privacy law in India coming up. So it's going to be very important on how the data is managed, and that is one thing that we've taken into account is privacy by design, right. So, we've ensured that the PII information of the end users are secured. In terms of the future, I think, one of the biggest thing that has happened in the last few weeks is Microsoft coming out and announcing their passwordless entry, right. And that is really music for ears because everybody in the world today uses passwordless. And, when one of the big boys says that, yes, this is here to stay, we all need to really take it seriously. So we are very glad that that has happened.

Siddharth Gandhi:
And the second piece really is always a journey, right? We've always educated all our enterprise, customers, historically identity and access management is not a one-zero game, right. You have to go about it slowly over a period of time. Right, and that's what our solution is able to bring to the table, that we can start off with a step-up authentication and as the enterprise matures, we can make them completely passwordless over time, we can integrate a few applications, critical ones, and then bring in additional applications as well, right. So to me, I think, the future is definitely passwordless.

Anuj Gupta:
[inaudible 01:04:03] Thank you so much. I think we have eight minutes above the scheduled time, and that's the beauty of this new normal, right. We come two minutes late to the meeting, we apologize, and if we're seven minutes late, we really feel sorry. Other than that, we would've probably waited two hours in the lobby or we were okay doing a one hour meeting to two hours, but yes, we respect everyone's time. I would thank you, everyone who attended and joined this session and thank you to my panelist. I think it was very, very insightful. Susheel, Jagdish, Amit, Srikanth, thank you so much for your inputs, and we would really like to again take it offline with you, understand a little more and what we can do together in this phase. Thank you once again, Siddharth and Mrigank for hosting this. Thank you.

Mrigank Mishra:
Thank you, Anuj.

Panelists:
Thank you, Anuj, thank you.

Siddharth Gandhi:
Thank you [inaudible 01:04:44] Anuj.

Mrigank Mishra:
Thank you Srikanth Sir, Susheel Sir, Jagdish Sir, Amit. Thank you so much. Thank you Siddharth, for taking out time and I'm sure this was extremely insightful, invigorating for everybody who's listening to us. We will also be having a recording of this webinar, shared across the various platforms for people who have... who missed out. Once again, thank you everybody and wishing you all a happy festive season, upcoming festive season. Stay safe, take care. Thank you so much.

Panelists:
Thank you. Thank you.