Ruwan, on the right, participating in a badminton competition in WSO2
If you bump into Ruwan outside WSO2, you’re most likely to meet him along a hiking trail or underwater, scuba diving somewhere in Sri Lanka’s southern coast. He’s also a vehicle enthusiast and loves technology. Inside WSO2, Ruwan currently looks into product stabilization efforts of WSO2 Identity Server that results in improving the overall architecture of the product.
In this interview Ruwan sheds light into his journey at WSO2 so far, identity and access management (IAM), and his view about software.
1. How did you enter this industry (was it by accident, why IAM)? Tell us about your journey at WSO2 so far?
I started off as an entrepreneur after grad school, working in the telecom and retail sectors. My expertise lies in telecom signalling and it’s been one of my interests for the longest time, in addition to high performance computing and IoT. Subsequently, I joined WSO2 where I was a part of the App Manager team, which is now the WSO2 Identity Server team. Every change in my career was based on calculated decisions at critical junctures and I’m very pleased at how everything has turned out.
2. What are some of the interesting projects you’ve worked on recently?
Adaptive authentication is one of the latest features we added to WSO2 Identity Server. What’s different about how we offer adaptive authentication is that it’s based on scripting language similar to ECMA. This is also involves user behavior analytics based authentication.
WSO2 Identity Server analytics is able to monitor login and logout sessions, and provide analysis based on a user’s behavior which helps with providing an additional security layer when authenticating them. This is what adaptive authentication is ultimately about.
Adaptive authentication is very important right now and not because of user convenience alone. Major financial institutions use adaptive authentication to provide advanced user experiences while providing Open-Banking APIs.
3. Do you see adaptive authentication as a game changer and how so?
People always want easy access to applications and systems. Making this process difficult means users will either move away from the business or they will have weak security methods. For example, enforcing people to use long and complex passwords can lead to them writing their passwords on a piece of paper somewhere, which isn’t a smart thing to do.
On the other hand, security experts want to limit access to resources and systems as well. Hence there is a need to find the right balance. And a need to detect risk and limit access while allowing free access for legitimate cases or users. This involves evaluation of many parameters and behaviors than simple static rules that are offered by most IAM solutions. In the future, we’ll also need to embrace AI on the authentication process.
4. What trends do you see in the IAM market? Where do you think we’re heading?
I’m going to provide a very brief overview of some trends that I’ve observed. For one, there’s an increasing dilemma between whether or not we should opt for a centralized IAM system. But given privacy concerns, it’s quite evident the IAM industry is heading towards a decentralized identity and access management system. Another trend is sovereign identity, where an individual decides what can be done with an identity. Although there’s a growing need for increased privacy, people must be able to share and delegate easily. Another is space-time-bound edge device security with identity of a person.
5. We now keep hearing that IAM is an enabler and it’s more than just security or an IT project. What’s stopping enterprises from embracing this? Why do you think they should?
It is easy to start an IAM system with a homegrown solution of simple databases. There are a plethora of libraries available to kick start a homegrown IAM system. But it gets into an inescapable vortex when more and more functionalities are needed in today’s agile businesses. Enterprises need to detect this at an early stage and adopt a proper IAM solution before the vortex grows into an unmanageable beast by itself.
6. Two things you’ve learned in your career that you’d like to share with a newbie?
First, think of software as a medium of communication between both systems and people. This could be system to system, system to person, and person to person. Second, learn to unlearn. No software practice has lasted for more than a decade. New languages and methods keep propping up and your openness to learn is what helps you progress.
Ruwan on one of his many scuba diving adventures!