Good afternoon now, everyone. And welcome to today's KuppingerCole webinar today. The subject is access governance for today's agile connected business, and I'm Mike Small. I'm an Analyst with KuppingerCole. And my co speaker is Ravi, who is a director of IBM security strategy. Ravi is in fact, in, in Austin, in Texas, and he is in charge of IBM's identity access and mainframe security portfolio. And he has a product management responsibility for these, these things. So a little, a little bit of background copping Cole, as you perhaps all know, is an industry Analyst focusing on the security aspects of it. And we provide three basic things which are research services, advisory services, and events, and a couple of upcoming events that you might be interested in is that as usual in May, 2015, we will have the European identity and cloud conference in Munich. And this year we are also having a digital risk and security summit in sheen, in China at the end of January. And for those of you in England, I will be giving a seminar on managing risk and reward in the cloud and managing risk and reward in the internet of everything and everyone in London at the end of January.
So some of the basic guidelines for this webinar is that you are all centrally muted. You don't have to unmute yourself. You will remain muted under our control. If you have any questions to ask, then you can use the question and answer facility in the go to webinar boxes. And if we don't manage to answer your questions during the webinar, then we will endeavor to answer them by email tomorrow or later, and this webinar is being recorded and there will be a podcast available tomorrow. So the webinar is divided into two halves. I will start off by describing the generic challenges that today's agile businesses are facing and how the threat landscape is changing as a result of enterprises opening themselves up. And in the second part, Ravi will describe how IBM understands these challenges and how IBM is providing security for this new agile business connected to their customers and partners and associates by supporting access governance in the context of business processes and integrating with real time cyber threat intelligence.
So straight into the first part. So today's businesses need to be agile in order to exploit the existing opportunities and new opportunities coming through the connection of everything together. And to give a real example of this in the UK, there is a TV channel that is basically selling advertising based on knowledge collected during a 60 minute TV program of who exactly is watching that program. And this information comes through the use of Twitter feeds through the monitoring of social media and through other information that allows it to identify the kinds of people that are watching the program. Now, clearly it's always been possible to gather this kind of information, but the speed with which this can now be gathered and the speed with which it can be exploited is changing. And this is in, in, in also causing many challenges. So the ABC imperative that we call it is that in order to do this, what is happening is that enterprises and organizations are getting closer to their customers, partners, suppliers, and associates, using all of the technology that everyone is using to interconnect themselves.
And this is leading to a massive increase in scale that if at one time there were a thousand employees and a couple of thousand partners that were trying to connect to the networks and then perhaps 10,000 or a hundred thousand customers, which were quite specialized. We now have millions of consumers connecting to do business with, with organizations and to get services from governments and other like organizations. And we also have hundreds of millions of things that will shortly be connected. And in order to be able to manage and do business with these different things and people, we actually need control of their identity and we need control and governance of their, their access.
So the problem, one of the problems is that often it is part of the problem rather than part of the solution, because there is a tendency in it to focus on the technology rather than the business requirements. And usually the business requirements are very straightforward and very simple. They want to exploit these new opportunities to facilitate business using these new opportunities, using these new, new connections, using these new things that are connected whilst at the same time, protecting the business assets, the business reputation, the information that they hold about the customers that is sensitive and doing this in a way, which also ensures that the business remains compliant with the ever expanding number of rules, regulations, and laws. It, however has had a perception, which is focused on the implementation of new technology, which is important, but often is not explained properly to the business.
They have focused on the tooling of IAM rather than on the actual business needs. And we have many examples of projects that have gone down that line, and now things have become even more challenging through the interconnectedness leading to these new increased cybersecurity challenges. However, it, in spite of this tension, in spite of this imbalance business really does need information security and it does need the technology. And it does need the expertise of the it departments that in order to drive, meet these business drivers of innovation and agility of being able to collaborate and communicate with your customers, your partners, and your suppliers, and in order to save cost, they are actually having to deal with these changes in the, in, in the way that it is delivered through the cloud, through the use of social media and through the use of mobile computing devices.
So the security drivers that businesses can understand is understanding the value of information, of understanding the need for compliance that security can deliver. And from recognizing the large cost that is incurred when data breaches occur. And so these security challenges are, it made even worse that the, the, the model of the past was we will build a secure perimeter. We will prevent any kind of security problem. And I have seen and spoken to many organizations who have spent millions of dollars on trying to achieve that aim. But the reality today is that you cannot keep people out that the, that, that most organizations have already been breached and even worse than that, that the evidence shows that most breaches are detected not by the internal security people, but by external agencies, such as law enforcement, your partners, or even worse your customers. So the idea of simply being able to build a fireproof network perimeter just no longer is a reality.
And in order to detect what is actually going on inside your network needs understanding of more than simply the network traffic. You need to be able to correlate this traffic with user activity. You need to be able to know what is going on inside the enterprise, not simply in terms of network protocols and kinds of traffic, but also in terms of the higher level of who is really trying to do what and whether or not they have the right to do that, or whether or not they are usually doing that kind of thing. And this is also challenged by an enormous scale that many large organizations measure the number of security events that they detect at their perimeter in billions. For we, we spoke recently to one large organization that said that they were actually handling 4.5 billion security events per day on their, on their perimeter. But they recognized that the real number was roughly 20 million, but they were currently only able to handle the 4.5 billion.
So how does governance fit in with this? And many people are confused over what is governance. And so I will give a short explanation of what I believe governance is, which I've taken from. COVID five, that governance is different to management management actually does the job management plans. Things builds, things, uses things and assures things. And they do that based on business objectives, which have come from the governance process. So governance is engaged in saying, this is what the business objectives are of setting the targets, and then making sure that the plan, the doing the building, the technology that you create and its use actually meet those objectives. And so that means that one of the things that is essential for good governance is being able to relate the details that you find inside the security products and the identity and access products, and to relate those back to what the real goal was, and governance needs to be able to do that. Governance needs that information to be able to show that the technology and the it systems are in fact, achieving the business goals that they were set.
And the other challenge that the it systems have to deal with is reducing risk to help the organization, to manage risk and to manage compliance. Now there's all different kinds of risk, but in this context, we are talking about the risk of bad things happening and those having bad consequences upon the organization. And so you can look at a risk as being something that has a probability, and it has an impact. And I accept that it's rather difficult to be able to judge those to two dimensions. And so that's why I drawn this as a, a little ellipse that there is uncertainty about the uncertainty. But what we do know is that the purpose of these technologies, the purpose of the governance and the purpose of the identity in access management is to reduce either the impact or the probability or both of those things, and hopefully to reduce uncertainty. And that is what we are expecting from the technologies and the use of these technologies. And that is justifiable in business terms.
So let's now look at how access technologies are changing in the light of these new things. The point of access technologies is to prevent and to manage access to applications and data. And this is done through the forays of authentication, knowing who the users are, authorization, making sure that the users can only do what they are supposed to do, that those users are properly administered. And that after the event we can audit who has what and who did what, and that was what we were expected to do 10 or 15 years ago. Now the world is changing. And what we find is that because we are connecting to these millions or hundreds of millions of things externally, we have opened up the, the organization systems to do that. And so these technologies, these processes need to enable access to this scale of external people at the same time, protecting them.
And in order to meet the cybersecurity challenges, these technologies also need to provide, provide information and integrate with the real time security intelligence that is essential to be able to detect the bad things that are happening inside your organization and inside your systems. And if we just take something like managing entitlements, you know, let's take a simple case where we have Alice, who is a manager and Bob, who is her subordinate at one time, everybody viewed the idea that role-based management was what was needed. The example being that if Alice is a manager, then she can approve Bob's expenses. But in fact, that is itself a simplification because you also have to take into account attributes, like for example, where Alexei is based that various entitlements that she will have will come from her attributes of where she lives and things like that. There is also the processes that she may be engaged.
In, for example, she may support marketing and have need of access to social media. And then final complexity is that under certain circumstances, the things that the role based entitlement may have given her will no longer be acceptable. For example, if Alice tries to approve a, a payment that was made by her subordinate, for something that she has benefited from, for example, if Bob bought her a meal, then it is no longer acceptable for her to sign off that expense. So all of those complexities need to be managed by today's access governance technologies. At the same time, we have the problem of managing privilege. And here are some examples that we see from abuse of privilege and these range from the mistake. And I often think that Downing street in the UK is the most dangerous street for data leaks because cabinet ministers and senior officials continue to walk down down the street, carrying uncovered paper documents, which are photographed by the paparazzi.
Then we have many cases where people who have valid access to data, in fact, through greed or other, other human failings abuse that trust to steal the data or to sell it. And finally, we have the criminal use of data for which they have entitlement to as example, by for example, the Edward snowman affair. So in addition to that, we have a move of the way in which authentication works. And I call this the move from authentication to trust. When, when we started off the normal authentication was that an employee had a username and password. They accessed the systems from a fixed point. And so the risks were understood and were fixed. Now we have the mobile employee that is accessing corporate systems or enterprise systems while on the move from a variety of devices. And that is, it is no longer sufficient to say that that is subject to the normal, simple risk based authentication of what is needed is a more risk based way of approach to doing it.
And finally, we have the third party where in fact, what you have to do in order to accept that authentication is to trust someone else. For example, the customers that are logging in using their Google account, their Facebook account, their Twitter account. And so for these reasons, the world has changed and cybersecurity needs identity and access management. And the reason for this is that the cyber criminal needs access and they may get in through a hole in the application firewall, but once they're in their activities will almost certainly be subject to some of the controls from identity and access management. They need to re what there is in order to be able to access the things that they want to get at. And access technologies provide a vital if, if not final line of defense and finally access monitoring is the key to early detection.
And I know of one case where interestingly, the person who detected that there was an infiltration and an exfiltration going on was the librarian who noticed that a senior executive who had never previously been accessing intellectual property suddenly started to access it to a great deal and his attempts to assist that person revealed that in fact, the person was not in in fact accessing the data, but it was an intruder who had stolen their identity. So in summary, the agile connected business needs access governance in order to securely meet the challenges of the 21st century and access governance is the foundation that enables business benefits to be achieved by the agile connected business in a way that is managed and we have managed risk. So that is my part of the presentation. So I'm now going to hand over to Ravi who will provide the second part over to you, Riley.
Thank you, Mike. So what I'll do is to share with you what IBM is doing in response to the growing concerns in tackling these cybersecurity threats, using access governance in an open enterprise. So I'm Ravi vain. In my role, I spend a lot of time with customers around the world. And one of the common questions I'm getting asked over the last least a year now is how to help organizations use identity as a security control, not as something that is traditionally managed, but something that I can actually use as a security control to enable the business agility while governing the access of all the different types of users interacting with the enterprise. So we believe from our perspective that organizations are implementing actionable identity intelligence with identity governance and administration, that becomes a core line of defense and underpinning line of defense as organizations open their enterprise to various business interactions.
So I wanted to take a few minutes to share with you the, the kinds of transformation that organizations are going through from looking at a traditional identity and access management capabilities, to what we, we are calling threat aware, identity and access management, traditional identity, and access management, as all of you know, has been very much focused on operational management, supporting the compliance initiatives and very static and trust based. Once I give access to someone, they have access to the environment on light or tire. Their access organizations are shifting with the leadership of directors of it, with the leadership of chief security officers, to a, of a world where threat aware identity and access management becomes a, a key line of defense for cybersecurity. You probably are wondering how can that be possible? Well, the core tenants of being able to deliver threat to where identity and access management is focused on using identity as a security control, being able to apply a more business driven focus, allowing the business owners to be able to determine who should have access to the environment and also making it a lot more dynamic in nature.
So that even employees who have had access to business critical systems inside the enterprise are now their access to the enterprise is controlled through context and a level of dynamic switching of access into the environment as organizations open their enterprise to a lot more application identities, bringing your own identities and even device level identities, connecting to environments. We believe organizations have to look at access governance beyond a role based solution. We believe organizations now have to really look at access governance with these three tenants of being secure from driving a risk management posture, being able to actually provide access governance, using business activities, and also providing the access enforcement in a context based manner.
What I wanted to share, if you look at the transformation that our organizations have gone through over the last three to five years, identity and access governance has also evolved from the traditional administration focus to where we are today in, in the state of using governance, as capabilities, as processes to better manage roles, certify access to people who have critical roles and reaching to more applications and more users from employees to partners and contractors. But what we are now seeing is organizations are shifting from using governance as a process to man to drive better management of employees, contractors, and partners to the world where they could actually use analytics to help determine and optimize the governance posture, to help determine and optimize the administration, posture analytics, such as if a user is not being able, not being using their access that they've been granted for over a year.
Why should we continue to keep renewing their access? Why can't we make changes to, to their roles so that they don't have access to the systems in the first place, how to detect anomalies by having a baseline view of what is normal, how to look at a risk based access control, especially as more users are coming from outside the enterprise, using mobile devices and gaining access to the same business, critical applications that they had access to from their laptops. So analytics plays a critical role in helping our organizations optimize their governance posture, but also drive simplified administration downstream. And we believe organizations can do that already today. They can do that by collecting and analyzing identity data from various silos of identities, even in the world of identity explosion, we could see organizations are collecting and analyzing identity data to one improve visibility into how access is utilized.
Two, to determine more of a risk based insights for prioritizing compliance actions and three, to look at a clear, actionable dashboard for better business decision making. So you're probably asking the question, what can actionable identity intelligence offer to businesses today? It's pretty simple one. It can offer the visibility that you need, especially around granted access and how it's utilized. The second key value of actionable intelligence is a view into risk, looking at a risk based insights that you can then use to prioritize your compliance actions and three using it, add to determine and improving controls security controls so that your, you, you have improved your security control with business driven decisions. As Mike highlighted early on, it's no longer cybersecurity controls are no longer just in network. We're seeing organizations now using better view of business activities to be able to shut down those, those accesses inside the enterprise so that you don't have the risk of unauthorized access gaining using that connectivity that you've established for those enterprises.
This is where IBM's really pleased to announce our solution in the marketplace for delivering actionable identity intelligence. Our capabilities in the marketplace is called IBM security, identity governance and administration. And we deliver a, a platform for organizations to be able to align auditors lines of businesses. And it perspectives in a consolidated identity governance and administration platform. We're clearly focused on the business driven activities, going beyond roles to be able to help businesses capture their employees, activities and easily launch access certification and access request to meet your compliance goals. We've also looked at the platform in enhancing the platform to be able to deliver role management and separation of duty reviews to give you that visibility that you need in terms of a dashboard on how these various business activities are mapped to the various roles and abstractions you have within the enterprise. As I said before, governance is not the only place where you look at driving a better control over your enterprise.
We see organizations looking at governance as a starting point to then go beyond governance into administration and fulfilling those accesses so that you have an ability to demonstrate that you are in control of your environment. We see organizations wanting to do in depth. So SAP governance, especially when they wanna be able to look at the granular controls users have within critical platforms like SAP, so that they're able to validate separation of duty violations, even identify access risks and shut them down before attackers have access to that same connectivity. And what's new for IBM is how we're delivering a lot of these identity governance and administration capabilities in an easy to deploy virtual appliances to support multiple customer adoptions. So what I wanted to do now is to take a few minutes and cover some specific examples of how customers are using identity governance and administration, to be able to drive the governance posture.
Let me take the first example of how organizations are able to improve visibility, to govern and manage user access. Here's an example of a dashboard where you're seeing how an organization's able to determine a set of business activities by applications, by organizational units and even time based view so that they can determine some key insights of who has access to these critical systems and use that to then determine how to remediate accesses or make changes to the policies or even revoke access as you determine them to be higher risk. This gives an clear starting point for an organization to optimize their governance posture.
Let me share another example of here's an example of getting some risk based insights for prioritizing compliance actions. Again, here, you're looking at a dashboard where Alice is an org who has access to the critical system to be able to create purchase orders. We also find out that Alice in her role not only can create purchase orders, but can also perform a half a dozen other activities that are deemed to be high risk, like issuing an invoice, identifying expiring invoices, being able to pay payment order, arrange for payments as well. So being able to determine these activities at a very granular level and saying those conflict with her role as being able to de create purchase orders allows business managers to be able to take follow up action items in terms of whether to certify it and continue to have her access the system in this manner or delete or change access.
The third example I wanted to highlight to you is how customers are able to organizations are able to improve security control in this world of cyber threat with business driven decisions. We're no longer waiting for the network administrator or security operations center, or even it managers to react to a, a threat and attack. We're providing an ability for business managers to be able to identify key access risks that they can take action on. And not only at the governance level certify and modify the access, but also go that last mile to be able to perform the right backs and close the loop with provisioning and fulfillment. So this is one of the areas that IBM spent a lot of time in taking the governance capabilities and integrating them with an existing identity management system. So for, for the audience who have identity manager from IBM, we have the ability to take our governance functionality and integrate them tightly with that identity management system, so that you're not having to modify your last mile integration into numerous on premise and off applications and services.
What I wanted to do was to close out the, the conversation on this part of the, the section with highlighting to you the, the last scenario in terms of monitoring and detecting anomalies with security intelligence, again, early in, in the call today, there was a conversation highlighted about how organizations need to improve a level of real time monitoring and correlating the activities, even when there are large number of events so that you're able to detect anomalies and proactively respond in improving your security posture. So here's an example of how IBM is able to deliver monitoring and detecting of anomalies using our Q eight, our security intelligence platform. So in this graphics, you're able to see how organizations are able to use Q eight as a security intelligence platform to determine what source IP and the destination IP is that connectivity happening, and what are the events happening in that connection in that process?
This is what we would typically see in the network. This is what a security operations center would see. What we've done is we've enriched the activities with information from the identity governance and administration platform, providing insights in terms of the, not only the log sources, but also critical insights enriching the view of in what role in what user access did they gain access into the enterprise. And that's what you see on the far right, right hand side of this graphics, where you see a user logging in as a Linux administrator switching to a real user as Dipti oh three, and then switching to route and performing these activities. So this enriched trail of information is what security operations center can use as they're detecting anomalies, or even determining a baseline normal behavior for the enterprise. So we believe our organizations can today use closed loop monitoring of user activities across enterprises and cloud infrastructure, to be able to improve that security posture in an open enterprise.
So with that, I wanted to take a few minutes to summarize what be covered today. On the, on this webinar, we talked about using actionable identity intelligence with identity governance and administration as a key line of defense for improving security posture in an open enterprise. That's been our strategy here at IBM with investing in IBM security, across a lot of key foundational areas from people, data, application, and infrastructure, bringing them together with a security intelligence layer on top. We've more recently also invested in advanced fraud prevention capabilities as well. So our focus is on helping organizations use the intelligence, apply the integrations of the technologies, and also apply the appropriate expertise as well to improve your access governance capabilities in your enterprise. I wanted thank you for spending your afternoon with us and I'll turn it over to Mike for follow-ups.
Okay. Thank you very much, Ravi, for, for that. So that was a very interesting perspective on what IBM is doing. So I've got a couple of questions for you from this. Would you like to just expand on the other benefits that you get from implementing an information, governance, information, access governance solution?
Sure. Mike, if I look at the, as I said, the traditional governance cap benefits are clearly getting better control over your it environment. We see the organizations continuing to have a ping pong effect between it and businesses and clearly governance capabilities help provide that common language for business and it, to be able to communicate in describing the roles in describing the users and being able to then implement a governance support and integrating with your existing it management systems. Clearly that's been one of the core benefits of implementing go access governance and administration. But what is unique is we are now seeing an additional benefit of aligning auditors with the business and it, when an auditor comes into an enterprise, they really don't understand roles. Their view is a user should be doing performing certain sets of business activities. And, and those activities then are translated inside the enterprise as business roles and application roles and so on. So one of the U interesting benefits now we see from applying the governance capabilities like we have defined is now you're able to align auditor's view of a business activity, mapped that to business roles that business sees and application, and it roles that it sees. So bringing now the auditor's perspective into a governance is one of the interesting new benefits that we have seen organizations gain in applying IBM identity governance and administration capabilities.
Yeah. So, so you are saying auditors, like, and understand processes rather than an abstract, like a role. And that's one of the key things, because certainly the challenge for organizations is to satisfy the auditors. That's probably one of the top objectives. So you, you, you, you, you've another question for you is to do with the importance of the information governance process, integrating with the IM infrastructure and technologies. You, you obviously think that's important. Would you like to expand on that, that area, Ravi?
Yeah. And, and to me, as I said, for, for a number of years, identity governance and administration have been viewed as a siloed project. It's a program and people invest in people process and expertise to be able to drive the program. But what we find is those programs end up in, in silos. And then as we interact in the open enterprise, we see that the, the bad actors, the hackers and attackers are using the existing integrations, existing connectivity that we have set up to intrude into the enterprise. And so we are now seeing the need for identity governance and administration to move away from being a siloed implementation to tightly integrating into the customer's security infrastructure from security intelligence, to even applying threat intelligence into the access enforcement capabilities. So we're seeing the, the growing need now for propagating the identity context from the network over to it over to the backend, and now identity and access management becomes more integrated into the security posture, not remaining standalone.
I have another question for, for you. And one of the issues that I brought up in my presentation was how access control and access governance is moving from the traditional internal administration and authentication to an external connection of trust. And I wondered if you have any comments about access governance in that context and what it is that you and IBM are doing around that particular issue.
Sure. Act, as you said, risk authentication is moving from a static to a more variable, adaptive or risk based authentication where organizations are using more information about the user's access, not just roles, but attributes and environmental information that they can pick up and use for enforcing access based on context. And we believe context is getting applied in two places. Context is being applied in terms of governing the user's access in terms of time based elements, to determine who should continue to remain getting access to the back end applications. But we're also seeing context being applied in a more real time in a access enforcement system as part of authentication and authorization. So as you described the four A's, we're seeing context being used in authentication in authorization, and to a large extent in driving, determining access at the governance stage as well.
Very interesting. So do you think context is also needs to be related to content because a lot of the way in which access controls tend to work is, you know, that it's this item rather than looking at what is the content content context is important. Do you have any views about the importance of content and what are you doing about that?
Absolutely. We see we, we believe web access management systems can no longer be blind to content. Traditional web access management systems have been pretty much looking at the header information and authenticating the user and letting all of the content flow into the backend systems. Now with the use of context based access control, we are able to determine transactional limits. We're able to pick up information with respect, to looking at the content, to see if it is compromised, block access. If the transactional limit originating from a mobile device is beyond a certain threshold, let's ask the cus let's ask the user for additional information for stronger forms of authentication for that transaction to go through. So by applying context based access control in authentication and authorization, you're now able to set up limits on the content as well, not just the, the, the environmental information and attributes and roles used for access.
Very good. Yes. That's a, that's a very interesting development there. One of the things you just mentioned was about mobile, and so I'm sure you must have some views about the access governance as it applies to mobility and mobile devices. Would you like to tell us about that?
Sure.
As I said earlier, as well as you described the identity explosion, we're seeing the explosion of identities, if not just users and from the, the diversity of users, but also identities of devices connecting into the enterprise from mobile devices to internet of things connecting as well. So we're seeing with that explosion of identities, the role of governance is gonna have to change from governing users access to, to governing activities, originating from various types of identities. And so this is more of a, a new scenarios and new use cases that organizations are implementing in order to use a governance process for mobility and how mobile identities can connect into the enterprise from managed devices to allowing mobile users in their context, gaining access to this open enterprise with mobility, also organizations now a reaching a broader audience as well. So there's a view of how to apply access control to consumer type scenarios and still allow their access in a given context. So mobile is a big transformation engine for organizations in both managed and unmanaged scenarios. And so this is one of the, the focus areas for us while we introduced new capabilities in early 2014, to be able to control access into the enterprise from the mobile channel.
Yes. And some people would say that in some ways it is possible with mobile devices to actually improve authentication in, in, in some ways, because people are very attached to their mobile device and increasingly the mobile devices contain functionality that allows them to read secondary authentication, such as fingerprints or even smart cards and, and things like that. So I think we are now running out of time. So I'm going to sort of wrap up by saying, well, today's webinar has been about the new challenges that businesses are facing in their attempt to become more agile and to exploit the connectivity that they have to their customers, to their partners, to their suppliers. This openness is also leading to new security challenges and an explosion in identities. And it's no longer sufficient to view identity and access management simply as a tool that relates to internal identities and controlling internal access. But it needs to be something that is aware of all of these different kinds of identity and provides information and is an important tool in the defense against cyber crime, through providing an insight into the real activities that are occurring on your internal network. So I'd like to thank Ravi for his presentation and perhaps allow you to say a few final words, Ravi, and then we'll wrap it up.
Great. Thank you, Mike. I'd like to thank the audience for spending your afternoon with us for any follow up. You can always reach us at ibm.com/security, and we're looking forward to interactions out in the field.
Okay. Thank you very much, Rav. Thank you very much for the audience. Good afternoon. From, from England.
