Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the director of the Practice Identity and Access Management here at KuppingerCole Analysts. This is the final episode for 2022 and for this episode my guest is Martin Kuppinger. He's the Principal Analyst and one of the founders of KuppingerCole Analysts. Hi, Martin. Good to see you.
Well, welcome. Yes, pleasure to talk to you again.
Great to have you. And we want to take a look back at 2022. And looking back always means also looking into the future, what will be relevant next year. So if you look back at 2022 as an analyst at the topics that we cover in Identity and Access Management, in cybersecurity, what was most striking and what might have the most influence also on next year?
Yeah, I think that’s a tough question because there are a couple of aspects, some more on a strategic and generic level, some more on a sort of specific technology level. But when I look at some of the major things that we have observed that we see happening side of old and broke organizations still have to do in the foundational aspect of IAM cybersecurity in modernizing what they did over the past one or two decades.
I think there’s still Zero Trust as one of the most relevant topics. I think that the important thing nowadays is not just what is Zero Trust and why do we need it, but to really put it into practice. And this is the task where it really becomes challenging because it means we need to go from a high level paradigm to concrete architectures and understand which capabilities of different types of technologies, such as IAM capabilities, certain cybersecurity capabilities, contribute, and to which extent, to a Zero Trust technical architecture. Which tools would that finally require, and, to sum up, what do organizations have in place, what do they need to do first, etc.
So, I think, the interesting step is starting now. So we see organizations working on that, but it’s also obvious that there’s quite some way to go from the concept and saying, okay, we do a zero trust strategy, to a concrete implementation. Something which really could be named as a Zero Trust IT-security architecture in place.
Our colleague Alexei mentioned in one of the earlier episodes this year that Zero Trust is a bit like feng shui in an existing IT security architecture. The components are already there. They just need to be put in the right manner so that they work properly together and then really are the full picture of Zero Trust.
And I like that image, although it’s…
I think it’s a bit of an oversimplification because yes, a lot of components are there, but usually not all of them, because it requires some of the more modern things. So Zero Trust network access if you need it instead of traditional VPNs, it requires fraud reduction intelligence and adaptive authentication instead of traditional authentication or MFA, it requires a lot of work around policy based access, which, by the way, is another topic I see is very high and hot on the list.
Absolutely. So moving away from the traditional role based access control towards more context specific, more real time access management decisions. So this is really something that is embedded in the concept of Zero Trust, but this is something that has also a broader picture. It is more and more important also in traditional infrastructure strategies and also in application strategies. We’ve been talking recently about Passwordless. Is this also something that comes into play there, for the future and for the last year?
So we saw a huge uptake of passwordless in different regions, from what some interested parties call a true and phishing resistant passwordless authentication to passwordless as something which is also supported. And surely here there is a blurring line between what is, so to speak, really passwordless and what not. And I think user experience or convenience of security counts here, but we see this momentum behind Passwordless.
And I think the thing which is increasing digital learning is that there are two elements of that. So the one is what you do for the broad mass of use cases, where you have like built in support for passwordless authentication; what do you do for the extended use case, or to ensure that a user, regardless of which system in the back end is used, always can use the same type of authentication?
So we see an evolution here and I think the good message is that the relevance of passwords is going down, specifically in enterprise environments. So unfortunately, it takes a bit longer, but even there we see some uptake in consumer centric use cases. So I get more and more situations where apps say, okay, do you want to integrate with Touch ID or Face ID or whatever else to get passwordless.
So we see an evolution here. We are on track. And even while we will have passwords for probably many, many years, I think the relevance of passwords is really finally going down, which is a good thing.
Absolutely. And this is also the transition line between our two topics. We talked about IAM mainly until now, but if you look at the cybersecurity aspect of things, are there other aspects that you consider to be relevant for 2022 and maybe also overlapping into the next year?
So cybersecurity, I think I already touched on Zero Trust, which is surely one of these really important areas. There are a lot of elements; what we see is also this evolution of all these ER technologies, EPR, EDR, XDR and MDR or whatever, and also the convergence here into something where we have technology and services combined.
And this is, from my perspective, a very central thing for the maturity of organizations. So most businesses, most organizations can’t do all the security themselves. They need partners for their SOC, their SIEM, their SOAR, for operating this, and the convergence of both technology and the uptake of better service offerings is in part because it serves these needs of having sort of tech enabled managed services in place.
And I think that also goes beyond what you just described. This is an important aspect that you just mentioned, but we see it also in existing infrastructures that have been run on premises by own teams within larger organizations. And those organizations are really looking at this existing infrastructure and this existing operating model and think of modernizing that for various reasons, including the skills gap; the people are just not available.
So why not hand that over in a proper manner over to a managed service provider? And I think this is a trend that will continue in 2023 as well, right?
Yeah. But the key term is “proper manner”. So you can do a lot of things really badly wrong here because you still need internal teams that work with the provider. You need to have an exit strategy or transformation strategy to other service providers. You need to have some level of skills and you need to have control over what a service provider does.
… the right way to do it. Does the service provider cover what we need? And so what I see far too frequently is a lack of understanding of what needs to be done internally. Also, how does this integrate with processes? So if you have a SOC as a service, you still need a business impact analysis done internally.
You still need an incident response management process that goes from the service provider to your internal teams up to your board, depending on which level of crisis you experience, etc. And I think this is something which tends to be a bit underestimated by saying, okay, we do it as a service and we are done, but there’s always a split of responsibility.
Tenant and provider responsibilities we’ve been talking about for decades more or less, and it remains very essential to have this well-defined, well sorted out split of responsibilities, and usually in a good target operating model it’s not only tenant and provider, because there might be a cloud provider and sort of technology used by a managed service provider that works with the internal tech team.
The tech team works with other entitled teams like business teams. So you have four or five or six levels you need to look at with different accountabilities and different responsibilities. And this is what you need to define.
I fully agree. And as you’ve mentioned, it’s the division of processes, of responsibilities, of the way people and organizations communicate with each other along the supply chain, which it is, and that aspect. But on the other hand, something that has proven really successful, and this is something that we, as KuppingerCole, can be a bit proud of, is that we also have a tooling for dissecting architectures based on standardized methodology, standardized models and paradigms.
And these are the fabrics architectures that we introduced earlier, a few years ago. But they really gained traction over this year and we used them in various contexts, and they are also accepted and renowned among vendors and other organizations and consulting companies that understand that these are really valuable tools. So the Identity Fabric, the Cybersecurity Fabric, and I think we will work on that in the future as well, right?
Yeah. And I think, you know, I’m proud of seeing, for instance, our Identity Fabrics paradigm being so widely accepted, also by other analyst companies, incorporated by many organizations, used by vendors, because it shows that this is something which is really helpful. And I think it goes back a bit to Zero Trust and to other aspects. We need some sort of a holistic perspective, a bigger picture and something which is still flexible.
So I think this is the one that has become a lot more of a holistic tool, but it is the framework in which we can decide and understand what we need and how we build our IAM, our overall cybersecurity, our Zero Trust infrastructure. And I think this is where these models have proven to be very helpful, together with the reference architecture.
And so yes, it’s important to have these concepts and go away from, oh, I have a problem, buy a tool. I have my framework and I subsequently try to improve what I’m doing in identity and then cybersecurity.
Absolutely. If I think back one year to December 2021, I would not have dared to make any thoughts about the following year. Do we dare to make any expectations, to tell anybody what we think will happen in 2023 in cybersecurity and IAM, or are we reluctant to do so?
So I think there are a couple of things where I expect some progress. So there are some of the things we just start to talk about, like we need to get better at ownership, like not only ownership of technical accounts from IGA to PAM, but also for integrating identity management to data ownership, integrating identity management co-ownership to have really consistent transfers and well working mover or leaver processes that care for transfer of ownership.
So this is more of the sort of the foundational side of things. We already touched policy based access and just in time, and we see a huge uptake here already happening in this space of developing digital services, where we see more and more use of technology such as or standards such as OPA, but also we will hopefully see more in the sort of the standard applications of legacy.
As I always say, it’s not a new topic because IBM released ??? back in 1976, 46 years ago. And so that concept is not new. We need to make it work and we need to use it way more broadly. And policies are a key element to Zero Trust. So we need to get better here. So I think this will be something where we see quite some evolution, and next year we will see further evolution around all the authentication stuff, with some of the MFA methods being a bit under pressure from a security perspective; we will surely see a lot more integration of fraud intelligence and, generally speaking, a bit more of the AI-powered solutions, and also the uptake in using managed services will continue, including also using more as a service deployments. As I said, it still means you need to understand what you’re doing. You have your own responsibilities. But we will see an evolution and surely we will see more happening in practical use of decentralized identity.
And one of the hot topics also is how can you optimize onboarding processes for identities, for different types of hard and speed workforce in a work from anywhere world, be it for your customers and consumers there. There is still a lot of room for evolution in 2023, and cybersecurity and identity will remain so important that organizations will need to continue and also benefit from their investments in these areas.
Absolutely. And that was really an extensive list of areas to watch. So for our audience, if you just rewind a bit and take notes, I think these are really important aspects to have a look at. And when it comes to predictions, I’m usually a bit reluctant, but one prediction I dare to make as a KuppingerCole analyst: there will be a new set of services, new digital services being made available early next year, early 2023.
So please watch out. Watch this space at KuppingerCole.com for new interactive digital user experiences focusing on decision makers and vendors, and that will be released early February I assume, so sometime early next year. So this is really something to look forward to. I don’t give away any names. I’m not allowed to, but there will be more to see and we will talk about that extensively early next year.
Yeah, and this will be empowered, so to speak, by all the knowledge, all the experience we have accumulated over two decades now. And it will seamlessly integrate with sort of the human services. So if you need stuff, input, talks beyond the digital services, there will always be a continuous flow to engage with us directly.
Right. So no fears. We as analysts won’t be replaced. We will be there, but there will be more technology to support us, to augment us, to give better user experiences. Thank you very much, Martin, for sharing your insights, for having a look back at 2022 and the outlook onto 2023, and we will be back early January with the next episode of this podcast.
This is the final one for 2022, but watch this space. We will be back with a new episode very soon. Thanks again, Martin.
Thank you. Bye bye.