Event Recording

Martin Kuppinger: Modern IGA Capabilities & Zero Trust Identity


Okay, welcome everyone to this introductory talk of today's KCLive event, and as any already said, my topic is modern IGA capabilities and zero trust identity. So it's more focused on the IGA part of IAM, but I'll take overall a little bit broader perspective on how identity management, IGA and zero trust are linked together, and so at the end, why identity is so essential to zero trust. Let's start. I think most of you have heard definitions of zero trust already and discussed this term. And so I'd like to look a little more on how zero trust has evolved from where it started to where it is today and will be in the future. And at the end, zero trust, the main principle behind it is: don't trust, but always verify, or maybe a little bit more detailed, don't trust blindly.
So don't just trust a single component and then assume everyone is good because someone passed your remote access, your firewall or another component: well, that should be all good, and then that person can do whatever the person wants to do in your network. Avoid this lateral movement, and don't just rely on a single entity. So verify regularly and at multiple places. This is, I think, where this starts. And when we look at how zero trust evolved over the past couple of years: at the beginning, zero trust was a term which usually was pronounced zero trust networks.
It became very, very quickly apparent that this is too narrow. Yes, you must not just trust the firewall, but by the way, yes, even in zero trust concepts, firewalls play a very wide role. You need them. You need a lot of components for security. Firewalls are one of the elements. It was about avoiding the lateral movement, about also going into micro-segmentation, into smaller chunks of your network. From there, it was a broader security perspective, so beyond just the network security part towards system security, device security, and verification at more levels than initially in this zero trust concept. And the next step of evolution then was identity. And probably a lot of you have heard this term, this notion of identity is the new perimeter. I think we can argue about that. I believe that there are many perimeters: that identity is a perimeter, that devices are perimeters, that micro-segments in your network are perimeters.
And that the art of zero trust is to create well thought-out perimeters and protect these perimeters and verify at various places. So identity and access are essential, and I'll talk about why in a minute. They are a really super important element: managing the identities, managing the access, adaptive authentication, so working in a risk- and context-based model, very important. But I also see that we go beyond that already. So I think one of the major learnings of the SolarWinds incident last year, and the subsequent attacks we have seen on the software supply chain over the past couple of months, is we also must not blindly trust software, software that we procure, be it commercial off-the-shelf software, be it cloud services, be it software that is in things, maybe things we use as a manufacturer to create new things. We must not blindly trust the software.
We need to understand what is in that software. Is it at risk? We need to check it. We need to verify. And so we need to extend zero trust into everything. As an essential paradigm, the paradigm will not change. It's really just: don't trust, verify, verify at many places. It's a foundation for cybersecurity supply chain risk management. It's a foundation for good cybersecurity across your entire organization. And we need to take as broad a perspective as we can for all which might be in the scope of attackers, and everything which is connected is in the scope of the attackers. Having said this, let's have a look at where identity comes into play beyond what I already touched. Identity, at the end of the day, is where zero trust starts. It is where you can get a good grip, in some way at the beginning identity and at the end access, of what is happening with the critical assets.
You want to protect your data, your applications, your systems. And when we look at this picture, that is honestly a simplified perspective on what happens during access. Let's take human access. We could do this as well with system to system, et cetera, but let's take just human interactive access. Someone, the user, with the device comes through networks, usually a series of networks, the Wi-Fi at home, some public internet connection, your corporate network or whatever else, the network of your SaaS provider, to a system and an application. You may have control about the system or not. If it's a SaaS service, you only see the app, the running service, so to speak, and then something happens with data. So this is what happens. And the question is: where along this chain can we gain control? Where do we get a grip on what is happening?
And when we look at the user, then it starts at the user. The user authenticates, the user has an identity, we can do identity vetting. We need to create accounts for the user. This is where IAM in a broader sense, but also IGA, for creating the accounts, for life cycles around the user, comes into play. So that's where we have a good level of control. And that is where it already becomes clear that identity is a super, super central thing in every zero trust concept. Without that, you're losing one of your major points of control. Then we have the device, where it gets a little bit more complicated, because yes, it might be a corporate-owned device with good endpoint management and you have a lot of control, or not. It might be a bring-your-own-device device.
And so you're somewhat more limited here. When it comes to the network, you can build things. You can create your SD-WAN environments. You can create your network segments and stuff like that. But if someone is traveling, if someone is using his Wi-Fi at home, et cetera, then it's frequently hard to get full control about the network. This is overall probably the hardest area to really implement well-working security. It needs a lot of touch points. It's not easy. There are things you can do. There are limitations, and there might be also limitations, take standard VPN access, which then just mean, okay, you can secure things, but at the cost of performance and convenience. Next level, the system or application: that's where access control comes into play, where authorization, so who can do what in this application, where your roles and other types of entitlements become relevant.
So again, a very good control. And again, it's about identity management, about IGA as that part which helps you managing entitlements, and IGA as the part which helps you also keeping the governance of who does what, who can do what. At last, not least, it's data. We need to think about data governance. We need to think about how can we better control what happens, not only with systems, so Martin is allowed to do that, he has that role in that system, but also which files is Martin accessing? Are these files encrypted? Where are they ending up? What happens in your analytics space? So data is the other field we need to look at. That's sort of the next level, where we also, again, talk about IGA, about data governance, about other forms of access governance, but it's very close to what we look at within the IAM field.
But again, it starts with the identity. This is where we really can gain control about what's happening in our world. And so this is an essential element of every zero trust strategy. When we look at zero trust a little bit more in detail, it's also important, and I think the previous slide already has demonstrated it in some way: there are many elements, and it's not that there's a single place where we can control security, where we can sort of implement the verifications, the proofs we need in our complex environment, where it happens today. We had the last 15 months with a lot of work from home, with a speeding up, even more speeding up, shift to SaaS services, the introduction of many new tools, for instance for collaboration, in many organizations. So there are more components, and it's not that there's a single thing you can do to implement a zero trust model effectively.
So you obviously need to understand, it's not about tools, it's about a concept, a paradigm and architecture, where you then can create your own zero trust sort of architecture, environment, strategy. So you need to understand what is all in that picture. You need to understand how these things should work together, where your gaps are and what are the priorities to increase your security posture, to get more secure than you have been before. This is a high level demo, high level picture of zero trust architecture components. As you see, there's network, and there are many elements of network security in that, such as threat intelligence, such as C and many others. There's endpoint, the device we already talked about, and there's identity and access management. And over time, you also might add more things around software security, for instance, to reach an even higher level in your zero trust architecture.
But IAM in that is one of the central elements. And when we look at identity management, to go a little bit more in detail, then there are topics like identity vetting. So how do you really verify that Martin really is Martin? I think in my case, it's relatively simple because, I'd say, there are hundreds of videos out there and hundreds of pictures of me talking about identity, and it's always someone else or it's always Martin. So in my case, it might be a little bit simpler than for some others, but that's where it starts. It's about authentication. It's about data. It's about tracking user behavior, but it's also about IGA. IGA is very essential because it's managing the entities, managing the accounts, managing the access and governing the access. We need to do that. And we need to go beyond today's approach of governance.
We need to add the data governance angle. We also need to think about new concepts, new paradigms. So we see a lot of talk, a lot of discussion about things like just-in-time provisioning and, even more important, just-in-time deprovisioning. So Martin accesses system A or B or C, the entitlements are granted during that access, and they are revoked when the session ends. And we also talk more about policy-based access control. So how can we at run time control, based on policies, what Martin is allowed to do or not? And if the policy changes, there's no need to deprovision static entitlements. So there's a lot of innovation there. There's also a lot of AI-based capabilities coming into play here, capabilities that help in understanding where are anomalies, where are uncommon, unusual combinations of entitlements that might indicate a specific level of risk, where are there users that have many, many granular, directly assigned entitlements instead of being managed through roles or groups. All these things come into play.
And so identity management in general, and IGA in specific, are central elements of every zero trust strategy. Okay. Let's go one step further. And that was really about information, and information also again, protecting information or, even better, enabling collaboration, but in a secure manner, is even more important. And we at KuppingerCole have created a while ago a concept we call the IPLC, the Information Protection Life Cycle. This is something which adds to the zero trust concept, to this model, because it's about how do you then control this entire life cycle of access to information, to your critical data, to the crown jewels of many organizations, be it financial data, be it intellectual properties or other highly important data. And this is not the network, but sort of, to go back to the picture I've shown previously, so to speak the right-hand side of that picture, which was about the data.
So the identity, the device, the network, the system and application, and the data: that's again another area where we need to understand what we have, but then we need to control access. Again, we need identities and their entitlements to protect that information, to understand what happens there. And then we need to implement that control, the various proof points we need in the zero trust concept, to secure that data, to really protect, so to speak, at the end, the crown jewels of many, many organizations today. And for many organizations, it's really the information which counts most. So we need to also understand what to do there. And that also means there are many elements in protecting really what we need to protect. It's not just a firewall or not just an IAM system. There are many elements, but IAM and IGA are at the very core of many, maybe most, of the things we are doing when it comes to zero trust.
So how do you come to a zero trust approach? How can you end up there? The first thing is, I think, you should understand, really make up your own definition of what does zero trust mean for you. How does it relate to SASE? How does it relate to an IPLC, Information Protection Life Cycle? And then you need to look at the role of the different elements: identity and access, network security, endpoint security and so on. And then it's about the architecture. So first create a blueprint before you start building the house. The likelihood that your house will not fall apart is way higher if you have a good blueprint. And it's more than zero trust networks, and it's where you start identifying your gaps, prioritizing your investments, starting your journey. There are methodologies which really help you in guiding, help you in doing this process, can guide you through that journey.
How do you identify the priorities? How do you measure the gaps? How do you come up with a roadmap? So they ask, quick start? A quick start is adaptive authentication, because at the end you always will need multifactor, risk- and context-based authentication. That is definitely not a mistake to do. And a good IGA, definitely also something you need. You need well-defined processes, more than just joiner, mover, leaver. You need these processes to be well defined and well implemented. Don't forget to define them first before we implement them. So the questions you should ask yourself are: do you have your definition and vision already in place? Do you know your gaps? And do you have a plan or roadmap? If you have that, you are on a good way towards improving your overall security, cybersecurity resilience. Thank you for listening to me.
