Event Recording

Robert Byrne: IGA in the Cloud without Compromise


Attend this session to learn how One Identity’s cloud-first solutions portfolio enables organizations to let business needs, not IT capabilities, drive how they implement their Identity Governance and Administration strategy. There is no single right way to do cloud-based Identity and Access Management services. Every organization is at a different place in its journey, and each will prioritize cloud benefits differently. So, no matter where you are on your cloud journey, modular and integrated solutions can strengthen your identity security, help you achieve governance and a Zero Trust model, and get compliant. Join this session, led by One Identity Field Strategist Rob Byrne. He’s worked with clients from many different industries with a wide array of Identity Security challenges and helped them successfully implement a secure and efficient IGA program.

So I'll do my best to follow Martin's very excellent, you know, exposition of zero trust. My topic for today, I'm announcing it in bold, you know, no subtle overture here. So just, you know, my main message is that you should be able to consume modern IGA capabilities, innovation in the IGA market space. You should be able to consume them however you want. Okay. So if you need to consume them in the cloud, you know, as a SaaS, you shouldn't have to compromise and give up options for that. Let's say the main theme, and I'm gonna talk about other aspects of modern IGA capabilities and the way in which the cloud is, is playing a role there. But that, you'll, you may be fed up of the message at the end, but that's, that's my main message. So let me start as is the right thing to do.
I think always just to frame the business drivers for identity governance administration. So those of you who are, you know, familiar with it, you'll see the classic drivers on the right hand side there dividing roughly into like a security conversation, compliance to various levels. And then on the other side, the agility conversation. So optimizing, you know, IT operations, making things more smooth and also nowadays an accent on user experience. So these, these are pretty much, I think every driver for IGA falls into one of these categories. Okay. Now what I've presented here in the context of change, in the context of modern IGA, is what are the, as I call 'em, winds of change, what are the things that are coming to perturb the, these, this world that we've created for ourselves over the last decade? Right? So what's coming to rattle our cage, right?
Ruffle our feathers, right. Kind of upset us a little bit. So some of the things I'm calling out here, guys, you, you may have other, other points as well that you might like to share, but these are the ones I'm gonna call out. And the first one is an evolving environment that we find ourselves in: our IT environments are evolving. There's no need for me, I think, to reiterate what happened last year, all the ins and outs. I think just saying the words "remote working" sums up so much of the impact and the ask that's being put on us now as identity governance people, meaning how can we secure those remote, you know, workers, we have a distributed environment. How can we, and I'm gonna start to introduce already the notion of privilege, right? How can we specifically secure remote privilege access, right? Because those are things that bring most risk.
So that I think is a given the fact that our businesses are also themselves transforming the way that they're interacting with their downstream customers and clients and partners. These are all things that are bringing pressures, right? The second point, I think that's, that's actually really important when we talk to organizations. And when we look to ways for us all to get more secure is around this understanding of, of maturity. Now maturity levels, I would say expectations are expanding. I'd like to believe. And I think it's true that understanding, right? So really a, a deeper understanding is maturing, but definitely the expectations are there. And actually it's interesting, although Martin and I didn't specifically align on our presentations, the fact that he underlines the importance of IGAs role in a zero trust as cyber security architecture. Right. So I was thinking about how to express this today and the way I, I would say like when I go to a barbecue now, right.
With my neighbors, right. And they say, what do you do? I say, well, I work in cybersecurity, right? And in the old days, I would say, well, work in identity management or what's that, well, you know, someone joins a company and the eyes glaze over, and now I just say, Hey, it's I work in cyber security because I really do believe that from being a back office functionality, IGA has been pushed front and center stage. And it's really taken its place as, you know, a first class, cyber security citizen. You know, it's always been there, but it's always been in the kind of chorus line at the back. So, you know, we're up there now with the virus checkers, the malware scanners, the, you know, the threat analysts and so on. I think that's a really important point in the context of cloud, another maturity point that I'd like to underline.
And I think this is very, very positive is that I already see organizations talk, correcting me. When I tell them they have a cloud first strategy, they're correcting me and saying, no, we don't because we didn't find that helpful. We found that much too directive. They're much more in a position of saying we have a cloud strategy and we're gonna evaluate what that means for us. And for each of our individual business lines or each of our individual security approaches the security. Right? So that, to me, I was very happy to see that, right, cuz that's also a sign of maturity, definitely like SaaS and perceived benefits of SaaS, of pushing people into, into cloud situations. What I think I'm open to correction, but what I think is, is really attracting people. There is ease of deployment, agility. The fact that they'll get a lot of things for free, you know, availability, you know, scalability, the ability to wind up or, or tune down.
I don't believe, open to correction, that it's looking for cheaper TCOs, total cost of ownership. I think it's more about predictable cost models from a cost point of view. Again, that's open to discussion. Last point I'm just gonna make here. Is that what we're also seeing? And that's also driving change in IGA and forcing us as vendors to adapt is the fact that, you know, smaller and smaller organizations are, want to get a piece of this IGA action. They, they as Martin and I have just explained, see the role of IGA and its importance in, in attaining cybersecurity in this new world. And they want a piece of the action, right? But they don't have massive amounts of technical resources on hand to do that. So these are things that are perturbing us. There may be others. Now in terms of our view of securing this world, it probably goes without saying that we have an identity centric approach to this and you know, I won't go into why that's a good idea, but suffice to say, you know, like in the distributed world, identity is one of the, the few things that you have to hold onto.
And our strategy really is focused on the identity as that central piece. And you may be surprised to see privilege, right privilege access management listed. There is part of that, that picture, but we really do. And this is part of the shift in the adoption world going through. And again, very much links into to Martin's presentation about that notion of an end-to-end security. So I mean, Martin presented, let's say the whole spectrum of like endpoint network, you know, all the way through to applications. You know, what I'm doing here is just specifically looking at a privilege and, and, and thinking about how can privilege integrate with, with, with IGA. What does, what does zero trust mean? You know, for example, just to, to, to pick up the point from Martin, what does zero trust mean in the context of IGA and privilege? Right. So that to me is a new evolving capability.
And if I said to you, okay, you have a privilege system. Okay. That's great. Right. You're in a much better position than you were two years ago, but of those accounts who are the third parties, right. That have access to those privilege accounts. Oh, okay. Which of those privilege accounts are actually machine identities, right. Oh, okay. Which are service accounts who owns those robotic or machine identities, right. Who's responsible for the credentials in the app to app communication that you've got configured in your privilege system. Okay. What happens to anomalous privilege events? Where do they go? Do they disappear into your sea black hole? Never to be seen again, or are you surfacing them the way you should be. Right. You can see where I'm going, surfacing them into your IGA platform, where they can be governed and responded to in a timely way, right by the security officers and the people who are using the IGA platform in the right way, right.
To collaborate around security events. So privilege access governance for us is, is fundamental to achieving, you know, zero trust stance. And it's, it's a fundamental part of these modern capabilities that are evolving to respond to that. The other, the other area that I would like to call out is the role of the application. And so you might be thinking, well, that's hardly new. We've been controlling, you know, access to applications for some time. Yes. But have you had the ability to see the application, you know, in terms of visibility as a first class citizen, have you had the ability to see the KPIs specifically for that application to assign owners to streamline the onboarding? Right. And so I see again, I'll touch on this in a minute, but the part of the ease of integration with the likes of the IDPs, right? So the likes of the, the, the Okta and the, the Azures and the, you know, the PingFederate, those guys very important source of application applicative data for the IGA platform.
These are new capabilities that are evolving, I suppose I have to, and I want to mention analytics, identity analytics, and that ability of analytics to learn, right. To help requesters as they look for access, to help approvers as they come in and, you know, approve access. So please make access recommendations. This looks like a sensible thing to approve or not. And, you know, I mentioned the democratization, right? The fact that smaller organizations really, they expect this right from the platform, they expect the platform to help them to get value, right. To get more value from the platform and to get it in, in a more, more timely way. Okay. So what I'm saying here is this is our vision for the way we see, we think it's a very helpful way identity centric, but, but, but, but privileged very much playing an, an important part of, of, of that story.
Right. And, and fitting very much and very neatly into a zero trust perception right. Of, of the world. So the thing that I wanna say is this is IGA. We've seen the things that are perturbing, there's a lot of goodness that we want to, to get hold of, to get access to. I, what I'm saying here is that there, you know, there are barriers to the getting between me and this, this goodness that's there. Now, I suppose I should be clear that IGA as, as a program is a multi-stakeholder program. So it's not a trivial endeavor by any means, but the barriers that I'm talking about here, the barriers that the solution itself is bringing, right? So these are the ones that I want to talk about because these are the ones I think of objective risk, right? Objective risk is something I don't control.
Right. So it's just, it's just by the nature of my organization complex. Okay. So I can't really do a lot about that. Could work around it. I can understand it. I can have good program management, but, but there's nothing like, so that's objective risk, but, but the risk, you do have some control over the barriers you do have is in your choice of, of solution. Right. So does the technology matter? Does the, yes it does. Right. So it's not the only thing I started with business drivers, but the, but that your choice does matter. Right. So let me just go through some of these barriers that, that I'm seeing. And again, happy to exchange if there are surely others. One of the things that we do see is that there's limited choice, right. Being presented in certain cases, particularly, and it's a binary choice, meaning, Hey, yeah, you can have some SaaS IGA goodness.
But if you go that way, you have to give up. And this comes back to the theme, the main theme of the talk, right. Which is to say, you shouldn't have to give up or take a watered-down version of IGA, right. Because how can you possibly achieve the kinds of integration and levels of security, particularly with this end to end approach, right. That I'm talking about and privilege that Martin's laid out. How can you do that with something that offers you a drop down with like four workflows and that's your lot, right. It might be okay for a greenfield small organization and that's fine, but really that sort of binary choice seems, seems implausible to me. Right? The other thing, then you say, okay, well, I'll have a binary choice. If I am stuck on premise, you know, with all that complexity and some of these again, solutions are lumbering and they do bring complexity.
And the distinction that we make is between complexity and power, right? So you wouldn't get into a Ferrari and say, Hmm, this is a complex car. Right. You'd get in. And you'd say, wow, this is pretty powerful. I can see this can do a lot. Right. And I think the challenge for us as, as vendors is to, you know, very clearly you remove that apparent complexity, right? So again, change right. The UX, the modern UX should, should, should, should facilitate smooth change for our end users. And in terms of that limited functionality, if, if, if, if it gets me off to a quick start, but then I run into a dead end, it's not a good thing. Now, the good news, right. So good news is there are ways through this. So if you have an identity centric, modular approach, that's nevertheless, you know, well integrated, what you can optimize for your specific situation can start with privilege.
You can start securing your directories and you can move out from there with your directory centric, use the 80/20 rule, and you can get most of the governance you need, you know, that's you, you're onto a winner. I'm calling out unifying identity, deceptively simple concept. We all think we know what an identity is. What if you've got multiple identities, multiple roles, machine identities, service, you know, how are you gonna manage that? You need a powerful data model, right? So that you're not jumping through hoops and torturing your, your solution in order to model those things. And again, you know, APIs, openness, meaning, okay, it's rather technical way to say it, but just ease of integration, right. Just, just make it easy. And, and, you know, it's not purely technology. There's the technology partnerships that vendors will engage in as well. So I think that's an important thing to look to is my vendor going out there and, and, and making those, let's say upfront efforts to engage with other security vendors to help me, right.
As a, as a, as an organization, it get closer to that zero trust, you know, stance. Right. So to make that journey easier, remove those obstacles, then finally, again, looping back to the fact that you should not have to sacrifice, right. You should not have to sacrifice the things that matter to you right. In order to do the right thing. Right. So we don't wanna be like Abraham, or maybe we do, we're saved at the last minute. Right. So just little artistic reference to, to underline the point. We shouldn't have to sacrifice all that goodness. Be because of a, a consumption model. Right. Just wrap it up here so that maybe we can have some time for, for questions or discussion, but the results take it as identity centric, no compromise approach kind of results. We can realize, yes, you can start the place that matters to you.
You can then grow and evolve into that, that, that capability to, to achieve the, the security that you need. You get rapid time to value cuz you start in the place that matters to you. Right. And then you achieve that. And then, you know, you can do all that good stuff about communicating your project. Well, which is so much part of the program, modern, you know, UX, all that good stuff will, will help keep the users happy. And then ultimately cause where we're going looping back to the zero trust. We are now all cybersecurity guys, you know, increasing the security profile and posture stance to our organization. So that's what we feel you, you can achieve if you, if you go at this problem in the right way. And, and that's really all I had to say in terms of, you know, just kind of me spouting on, you know, any, I dunno if you, if you wanted to have a conversation then or, you know, questions around that.
