As advisors, we at KuppingerCole Analysts have regular contact with our customers. The topics discussed range from strategic directions to operational challenges across different IT security and IAM topics. We often encounter similar, ambitious questions and challenges. An example from the Zero Trust environment: How can we implement Zero Trust? What do we need to do in order to have implemented the Zero Trust initiative to a large extent by the end of the year? This attitude is not limited to Zero Trust, but can be found in almost all subject areas.
Even if the ambitions behind it are respectable, it is nevertheless concerning how often buzzwords are chased without understanding their substance or creating the appropriate basis. Let's stay with some Zero Trust examples: Does device management exist? Are all identities that want access known and recorded? How is the zoning of the networks done? It is not uncommon to get puzzled looks in reaction to these questions.
The realization of trend themes often requires operational excellence
In the discussions that follow from the experiences listed above, it often turns out that the customer has not yet dealt with the topic well enough. In itself, this is not a problem, because it is our task to sensitize our customers accordingly and to provide them with the necessary knowledge. Nevertheless, organizational, functional, and technical weaknesses are uncovered in this process. Customers have discussions with us about Cloud Identity and Access Management with third-party involvement, but they have not yet managed to execute an end-to-end joiner-mover-leaver process for internal employees without any media discontinuity and without manual activities. Another example is application onboarding, which is often planned without a list of all applications and their responsibilities. Such circumstances make the implementation not only significantly more difficult but also more dangerous, as sensitive information can be exposed. Therefore, the realization of trend topics often requires that companies have operational excellence, or at least a high level of maturity, in the corresponding areas.
Automation is the operationalization of formulated structures and rules.
When designing their IT landscape, many companies claim to be individual and special. However, this attitude does not stand in the way of successful automation to increase overall efficiency. Regardless of the degree of individuality of a company, decisions are always made according to certain rules and contexts in both manual and technology supported implementations. As soon as a context can be captured by a rule, it can be operationalized and automated. Technically, nothing stands in the way of such automation!
Use case: Policy-based access control (PBAC)
A classic example of automation in the IAM environment is the move to Policy-Based Access Control (PBAC). Historically, many applications that were hosted on-premises were managed locally by an administrator. This type of access management is typically very costly, difficult to keep track of, and prone to error or manipulation. In line with the complexity and workload, departments were also made accountable and empowered to manage themselves via a Role-Based Access Control (RBAC) approach. The delegation relieved the administrators, but only shifted the workload and further increased the complexity. To reduce complexity, Attribute-Based Access Control (ABAC) is used to assign access rights in an automated way, based on functional decisions that in turn rest on attributes of identities. This is the first step towards automation!
Rapid digitalization has made it increasingly easy for companies to obtain more information and data about users. User Behavior Analytics (UBA) is capturing more and more processable context about users that can be used in automation. The location and time of a login, the device used for access, and the destination of the request can all be captured, processed, interpreted and used to make an informed, rule-based decision. If this decision is mapped technically, a policy is created to control access (PBAC). Operationalizing and organizing these policies not only dramatically increases efficiency, transparency and agility, but also sustainably reduces costs and risks.
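The step from attributes to policy described above can be made concrete with a small evaluator. This is an added example, not KuppingerCole's or any product's code; the attribute names, the "payroll" application, the country list and the office-hours window are assumptions chosen for illustration. It combines one identity attribute (ABAC) with the context signals named in the text, denies by default, lets deny rules override permits, and fails closed when a required attribute is missing.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Optional

@dataclass(frozen=True)
class Request:
    department: Optional[str]       # identity attribute (ABAC)
    country: Optional[str]          # location of the login
    login_time: Optional[time]      # time of the login
    device_managed: Optional[bool]  # device of access
    destination: str                # destination of the request

@dataclass(frozen=True)
class Policy:
    name: str
    destination: str
    effect: str                     # "permit" or "deny"
    condition: Callable[[Request], bool]

def office_hours(r: Request) -> bool:
    # Raises TypeError when login_time is None; decide() treats that as deny.
    return time(7, 0) <= r.login_time <= time(19, 0)

# Constructed sample policies (assumptions, not taken from the article).
POLICIES = [
    Policy("deny-unmanaged-device", "payroll", "deny",
           lambda r: r.device_managed is not True),
    Policy("permit-hr-office-hours", "payroll", "permit",
           lambda r: r.department == "HR"
           and r.country in {"DE", "AT"} and office_hours(r)),
]

def decide(request: Request, policies=POLICIES):
    """Return (decision, reason). Deny overrides permit; default is deny."""
    permit_by = None
    for p in policies:
        if p.destination != request.destination:
            continue
        try:
            matched = p.condition(request)
        except TypeError:
            # A needed attribute was not captured: fail closed.
            return ("deny", f"{p.name}:missing-attribute")
        if matched and p.effect == "deny":
            return ("deny", p.name)
        if matched and permit_by is None:
            permit_by = p.name
    return ("permit", permit_by) if permit_by else ("deny", "default-deny")
```

Returning the name of the deciding policy with every decision gives each allow or deny a traceable rule, which is where the transparency gain mentioned above comes from.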
Identity & Process Automation: Where and How to Find Efficiencies?
If we return to the initial question, the answer is relatively simple and yet difficult to grasp: Automation potential can be found everywhere!
The challenge is often to identify and formulate the implicitly applicable rules that may already exist and have applied for a long time. The actual automation of a formulated rule is then usually the smaller step.