Webinar Recording

Why Access Governance Moves the Risk and Reward Balance in your Favour

KuppingerCole Webinar recording

Good morning, good afternoon, good evening, ladies and gentlemen. Given that we have attendees, I think, from Australia over Europe to the US, we have people in many different time zones, and so it's not only good morning or good afternoon. Welcome to our KuppingerCole webinar "Why Access Governance Moves the Risk and Reward Balance in Your Favour". The webinar is supported by Quest Software, and there will be two speakers today: me, Martin Kuppinger, and Phil Allen of Quest Software. We will talk about access governance: what to focus on, how to bring it closer to the business, and how this also helps us to bring a lot of things closer to the business, to have the business controlling access, and all these things. Before we start, some housekeeping and some additional information from KuppingerCole. KuppingerCole is an analyst company. We are focusing on enterprise IT research, advisory services, decision support and networking for IT professionals, through subscription services, our advisory services and our events.
Amongst these events, there's one over here in Germany later this week, on Thursday in Frankfurt, which is an industry round table on cloud computing and CIO-IT partnerships. It focuses on information security and cloud computing and on how to be able to select cloud services very quickly while still having them secured in a proper way. I think that's a very interesting thing; it's in German, but for those who speak German, it's certainly a very interesting event. The second, even more important event, I would say, is the European Identity and Cloud Conference 2012, which will be held April 17th to 20th in Munich again. So it's the event to attend around information security, cloud security and all the related topics, including, for sure, access governance. All information is online at idcom.com. So just inform yourself and attend our EIC. Housekeeping: you are muted centrally.
You don't have to mute yourself; we are controlling these features, and you will stay muted during the webinar. We will record the webinar. The podcast recording will be available by tomorrow at the latest, maybe today, as will the presentations; we will also publish the PDF versions of the presentations. And finally, Q&A will be at the end, but you can ask questions at any time using the Q&A feature of GoToWebinar. If you look at the GoToWebinar control panel at the right side of your screen, there is an area "Questions" where you can enter your questions, and we will pick them up, usually at the end of the webinar; in some cases, if appropriate, we might pick them up during the webinar. So I think that's everything around housekeeping. Let's have a look at the agenda. The agenda, like in most of our webinars, consists of three parts.
In the first part, I will talk about access governance, access risks, and how to bring the business divisions into play. So really: what is access governance? How does it relate to access risks, and how can we really use this to move closer to the business, to support the needs of the business, to bring the business in charge of access control, which just makes sense, because they know who should have access to what. In the second part, Phil of Quest Software will talk about practical approaches and best practices for implementing an access governance program. The third part, as always, will be the Q&A, where we will pick up your questions and try our best to answer them. I always recommend that you enter questions as soon as they come to your mind, so that we have a comprehensive list of questions when we start the Q&A session.
Having said this, we directly move forward to the presentation. I'd like to start by talking a little about what access governance is, just to make sure that everyone is talking about the same thing here. If you look at a lot of questions which are asked in organizations, then these are questions like: who has access to what? Who has accessed what? Who has granted that access? These questions are more or less part of what access governance really looks at. The "who has access to what" and "who should have access to what" questions are among the essential parts. "Who has accessed what" is something which is sometimes part of it; sometimes it's more found in SIEM, security information and event management, or related solutions looking at logs. But "who has granted that access", so really looking at access request management and related things, is again something which is definitely a part of access governance. When we look at this, we have different technical, or, I would say, functional elements within access governance.
So we have different technologies involved. There are access warehouses, which we typically find in these solutions: an approach to really collect access control information out of different systems into a central repository, where we have an overview of what the access should be and maybe also what the current status of the access controls is. We have access recertification capabilities, so the capability to ask business owners, data owners or others, depending on the implementation and the tool, to say: okay, look at this, this is a list of people who have specific entitlements at that point in time; is this list correct, are these entitlements correct? So really having them check these things. We have access analytics and access intelligence capabilities, so capabilities which allow us to extract reports and other things to analyze the status of access, and in some cases also the history of access. And more and more frequently, we have the capability of access risk management.
So we are saying: okay, this particular type of access has a specific risk, or this information has a specific risk; really supporting more and more dealing with risk, really associating risk, so as to understand what the most risky things we have there are, looking at these more frequently, and all that type of thing. Access request management: enabling business people to request the access they need, not having IT doing things for them which they don't really know about, but really allowing them to request access based on their view of the business, based on what they need to do within a business process, and all that type of stuff. And one part we typically find within these tools is enterprise role management, which is, I would say, practically seen an essential part, even while roles are not strictly necessary.
However, they have shown up as being one of the most applicable ways to manage access. There are things moving forward, like attribute-based access and dynamic authorization management systems, but overall, roles are something which really helps us to deal with this. So it's a good approach, which usually is part of access governance. When looking at access governance, I think it's also important to have a look at the architectural perspective and the architectural benefits, let's say, which access governance provides to us. The reality is that we typically have legacy provisioning, and we have service request management out there. So if you bring an access governance layer into this, then this opens up: it allows us to use legacy provisioning to provide information to systems, and we can interface with the service request management systems and say, okay, there are a lot of situations where we don't technically interface with the target system, where we just want an administrator to perform a specific task.
So that could be done by triggering tickets in the service request management systems. In many cases, we find some provisioning capabilities as part of the access governance solutions, or tightly related to them. And we also might see, in large organizations, that there are some provisioning systems out there already, and another provisioning system might pop up due to a merger or acquisition, due to a legal entity somewhere globally which just does what it wants to do, or due to a solution introduced more specifically for a particular world, like the SAP or Microsoft environment. Integrating all these things is something which an access governance layer supports. So we can have one layer for managing the access requests and for managing the access risk on top of a lot of things, which provides a lot of flexibility, because we are relatively easily able to exchange one of the elements down there without changing the way we deal with access from a business perspective.
So the business always sees the same view. We also can interface in a consistent way with business GRC. And finally, that's the most important point, with the business users. These business users can look at access always in the same way, regardless of the technology we use below it. So it's, let's say, sort of an integrating layer. It's the point where everything around access comes together: access requests, policies, access analytics. And right now, why should we think in risk? That's the next big question. A risk is a threat on an asset with a specific probability and impact. So we have an asset, which might be our information or anything else. And there's a threat, for example someone stealing the data, someone stealing PII or someone stealing intellectual property, with a specific probability, which is not that easy to estimate, but we can work on this, and an impact.
So what does it cost us, what happens? That's a risk. An information risk is specifically this thing for information, from the perspective of the business. So what is the risk of an information asset? What does it cost the business if the information is stolen, disappears, is lost, whatever? And all these things are associated with business risk. Information is part of business processes, and information risk has an impact on them and imposes a business risk. So if something happens, it's not an IT problem, it's a business problem. And I think we have learned, if you look at all the regulations and all the incidents over the last few years, that dealing with information really is a business risk: stolen tax data, WikiLeaks, all these things, they are business risks. And the part of information risk related to access is, in fact, the access risk.
So we need to think about it, because we all know right now that all these things are something which really affects our business. And by the way, when we as IT people talk about risks, it makes it much easier to communicate this to the business, because we then talk in business terms, and that's, I think, a very important thing to do. So when thinking about the business risks, it's about knowing about information: really knowing what the relevant information is, what the sensitive information is, and understanding the risks associated with specific information, be it PII, the intellectual property of our organization, or financial data. And when we understand the risks, that allows us to mitigate risks: we can set our focus, we can focus on the information which is at the highest risk, or we can mitigate the things where, in addition, the balance of risk and reward fits.
So when we look at risks and the ability to manage them, then it's also about understanding: if you invest a specific amount of money to mitigate the risk, what is really the benefit of it? Understanding risk helps us in doing these things, and that's where governance definitely helps us. So this entire thing, and I will only very quickly stay with this slide, is just part of the entire big GRC picture, where it's about understanding which threats I have, which assets I have, and how they impact my business processes, and then I model my requirements, I investigate things, I improve the activities, I react in crisis and incident management. Access governance specifically supports this for everything which is around access. So it's just a part of our big GRC picture, of how we can really deal with the governance, risk and compliance challenges we are facing as an organization.
So, moving forward to the access risk: how do we define these risks? There's, let's say, a very established view. This view is focusing on systems: which system is at which level of risk. That's, however, a very coarse-grained thing, because the system might deal with a lot of different information, and a lot of things are not that risky, or not as risky as the overall view on the system. So if you have a system with PII in there, you could say, okay, this system is at high risk because it deals with PII. However, not everything you do with the system and not every piece of information the system deals with might be at the same level of risk. So you end up with something coarse-grained, and usually there's a very high level assigned to all the systems. It doesn't really help you that much.
You might also take an information view, where you look at which information is at risk. So it's fine-grained: what happens with information specifically? For example, reading a large number of PII records, so personal information records, might be at a much higher risk than changing just one, if you look at regulations. If you change one record and something goes wrong, that's usually not as big a problem as when a lot of your PII records are stolen, for example. So looking at it in more detail definitely helps you in doing these things. However, we have sort of a dilemma, which is that systems and information are sort of orthogonal to each other. Many systems might use the same piece of information, and the other way around, a piece or asset of information might be used by many systems. So it's about combining these views, maybe also bringing in a process perspective, which really helps us. However, we have to understand, as we move forward, which systems are dealing with which information and at which risk this information is, to really build a risk framework. And I think that's very consistent with what the business is doing. So when we look at business systems, we have a lot of different systems: our business systems, file servers, mail and collaboration, and so on.
They are using databases, they are using operating systems, and risk is everywhere, in every type of system. We have to look at all these types of systems. So it's not only about looking at structured information or ACLs; we have to look at every type of information, regardless of what it is. And the business doesn't really care about what we are doing. The business cares about information. One of the things I always say is that when the business thinks about IT, it thinks about information, not about technology: it's about the I in IT, not the T in IT. And when we look at dealing with this, then the business looks at it and says: okay, we have a strategy, we have operational requirements to fulfill our business strategy, and we have, from that perspective, some policies to deal with information.
We have specific controls we need to implement from that perspective, also from a GRC perspective. And then we come to implementation and operation. That's done at different levels of an organization: the C-level cares about strategy, then we have the departmental level, and a lot of these things really happen up there, at the level of systems and information around the business. These are the people who really know the policies, they really know how to deal with information, and that's where the business really comes in. So when we think about the role of the business when it comes to access policies, one of the questions we have to look at is: who knows about the access policies and the access risks? It's the business. Who understands the business? The business. Who requires access and should request it? The business.
So all of these things we are looking at are, in fact, things which are tightly related to the business. The point is, when we look at access and access risks and access policies, in all cases it's about business involvement, and that requires different elements. We have a lot of these elements to look at, and I'll just go through them quickly, given that I don't have that much time anymore, but let's look at it from the top. We have guidelines and books of rules, for security, for IAM, for whatever. These are the essential guidelines, the essential rules that we are looking at, and the business has to define the guidelines and books of rules. Then we have to go to the next level and define the detailed policies, which is something where the business is heavily involved, because it's really the business's thing.
How do we deal with SoD, segregation of duty controls? How should we deal with re-certification? IT implements, but the business defines. We have to define models, like role models, and they have to be applicable to what the business requires. We have to understand constraints and competencies as an element. So if we have a role of a salesman, the salesman might only be responsible for a specific zip code area, or, if you have someone internally, he might only be allowed to do insurance contracts up to, say, 100,000 euros, and all these things are still business. We have to understand processes. That's where we map business to IT. So what are the management processes, the operational processes, the re-certification process around access, the analysis processes, the audit processes? These are different groups of processes: how is the business involved, how does it map to IT?
And then finally we end up at technology. We end up at access governance and maybe some additional tools, like provisioning, like SIEM tools, and so on. But the entire thing really starts at a business level, not at technology. It really starts with: how do we want to deal with access in the future? That's where we have to go top-down through these things. One approach we frequently use in our advisory work is really saying: okay, what do we have? That's where we really start. We have business processes, we have functions in business processes, we have business roles. On the other hand, we have IT resources which expose sort of entitlements, which we then might call resources, which we might call system roles, whatever. And we have to map all these things.
So it's really bringing the business side and the IT side together, from the business view. So really starting at business processes, down to business roles. That's really the starting point. We have different levels or layers where we might have potential SoD conflicts, and we have a concept of competencies and constraints, which then, let's say, tailors the different business roles or profiles to avoid a sprawl of these concepts. And so working with an approach which really takes, let's say, the existing part, which frequently is the IT part, where we have a lot of things already, and tries to map it to what we really do in the business: that's something which has proven to work very well in most organizations. And that's really where the business also comes into play. We have to bring in the business to define these things, because we can't do that from an IT perspective.
We can only do a small portion in the IT area; we can't do everything there. And so what is done is, in fact, really mapping business processes and roles on the one side, the IT organization on the other side, and the competencies and constraints, to the user. That's really a task which involves the business, and which is sort of the foundation for what we then implement based on access governance tools, and which is really, let's say, the organizational and structural foundation for all the things we are doing. One of the big questions, and I could talk about this topic for hours, this is really a very quick run through a very complex topic, but one of the big questions we are always facing is how to involve the business. So how can we really balance work and reward on that side?
Because it's not only about balancing risk and reward, which means understanding that we deal with risks, how to focus on the right things and all those things, but also work and reward for the business. So how do we really bring the business to work on these things and to really play the new role they have in access governance? And I think the most important thing is always: keep it lean. We have seen situations where, let's say, the amount of work differed by more than a factor of 10 based on the different approaches of different consultancies. So you might have masses of people, external consultants, in there for a pretty long period of time, imposing a lot of workload on the organization. But at the end of the day, the business has to do its business first. So we have to do it in a way where it's still lean.
We have to inform the business. We have to really spread our information to the businesses, so explain the reasons why and the approach chosen. So really be open to the business and say: okay, that's something where we have the risks, where we have our compliance regulations; that's something where we also have rewards, which are things which really help you to do your business better. And if you look at the reality of organizations, showing benefits is usually not that difficult anymore, because re-certification is something which starts to happen, and if it's done manually, it's a really painful thing to do. Access requests are something a lot of organizations are struggling with from a business perspective. So telling them that these things are getting easier, are becoming easier: that's, I think, one of the elements where we really can also show benefits, where we also can show them that they are much better able to adapt their organization.
Because once you have a concept which is more based on business processes and functions and processes, and which is well defined, then it's much easier to adapt it to changes in the organization, to changes of business processes, to new business requirements. We have to prepare well, so we need guidelines, we need the policies, but we also need sort of work procedures. So when we go to the organizational departments, we have to have a standard concept in place, which allows us to say: okay, these are the proposed SoDs derived from what you have defined as business processes or as organization; these are the things which we have really prepared. Are they correct? What do we have to add? What do we have to change? So it's really not about saying, let's start from scratch everywhere, but saying: okay, is what we brought in there correct? How does it fit to your organization? Do you have any additional ideas? That's something where you end up with a few days instead of a lot of weeks. Doing this right, and doing the preparation right, inclusive of work procedures, and also enabling the organization to do it in a consistent way, to really help them to do those things themselves: that's, I think, a very important success factor in this.
And at the end of the day, you really should work with really focused workshops on the rules and the resulting roles, not trying to explain everything from scratch everywhere and starting to discuss a lot of basic concepts again and again. That's something you do in the information part, where you say: okay, that's our concept, that's why we do it. And then you say: okay, right now we need your help, we need a little bit of help from you, and then you can do a lot of things yourself. And for sure, the processes at the end of the day should, for example, allow the business to request a new business role. They should allow the business to request access, to do the things they understand they can do. And then those things are successful. But really, when looking at this entire thing, and the title of this webinar is about how we can really, let's say, find the balance between reward and risk, how we can really bring in the business: that's, from my perspective, what we really have to do. So right now I'll hand over to Phil, who will talk about practical approaches and best practices in implementing an access governance program. I've laid more sort of the foundation right now; it's up to Phil to talk a little bit more about all the practical details, also from a technology perspective. Phil, it's your turn.
Perfect. Thank you, Martin. And good morning, good afternoon and good evening to everybody. So yeah, what I want to talk about here is just to take on that concept from Martin of the business and business ownership. I think there's a lot of us who have preconceived ideas of access governance and what access governance means. And I think it's very important that we actually start talking about how some of the concerns that people have been looking at today can be addressed, whether it's around protecting information, whether it's around understanding how administrators are getting access to information, or whether it's understanding how the users themselves are accessing and using information. But all of these pieces come back to, as Martin said, information. Information is what drives all of the businesses that we're running. You know, people talk about IT, it's people and it's process.
But actually, I argue that it's really around the people and the information that resides within that organization, and processes are just one of those pieces of information. And so it's very important that we get a good risk and reward balance. Now, if we focus too much on the IT risk, then we'll end up in a situation where we're actually stopping people getting access to the information that they need. And if we focus too much on just providing the organization with the freedom to access whatever information, then we are opening ourselves up to a huge amount of risk. If we put in good controls, and control is the word here, it doesn't need to be control as in a restriction on the business; it needs to be having confidence in the controls that we are putting in place. That means that everybody has all of the information that they need within a timely fashion, but we are not introducing any risk to the business, or any unnecessary risk to the business.
A couple of slides I just want to go through are around some of the pieces of information that have come out this year from the Verizon business report. Firstly, industries which have suffered information leaks. Traditionally, we always think of the finance organizations and the telco organizations as the organizations that are targeted. But I think we've seen, whether it's through gaming organizations or through things like hotel or travel organizations, that there's been a lot of change of focus in where information breaches have happened. And in fact, criminals are playing a risk versus reward game. They know it's a kind of risky business for them to be targeting these secured organizations, and potentially there's an easier market for them to go to, to try to access information.
But I think we're still seeing that access governance, rather than hackers, is where we are losing the most information from businesses. So whether that is from people who do have access to information but are then misusing it, or whether it's abuse of system access and the system privileges that we have, those are still the things that are causing the greatest amount of information loss within our organizations. And that's something that we can get better controls over. So if we look at the fact that intellectual property is not the highest piece when it comes to the focus around risk, there's not as many pieces of intellectual property that are known to be going missing, it is still the piece that is going to have the greatest amount of impact, or potential long-term impact, on our business. We need to get a really good understanding of who's got access to that most critical business information that we have, and how are they then using it?
And I think another statistic that came out of this was that the majority of victims of data breaches actually knew that there were data breaches, or had the ability to know that there were data breaches occurring in their organization, but they didn't have the systems in place that allowed them to monitor user activities or understand who's actually accessing that information at any one time. So it comes down to understanding specifically what the challenges are that we are facing within the organization, what the challenges are that the information is at risk from, and then how do we come up with the perfect balance that is non-restrictive on the business.
I'm going to take a slight analogy here, and I think it's one for all of you to use back internally within your organizations; I think you'll understand this as an analogy. Every single day, or every single month, or every single year, we have auditors coming into the organization and warning us that we are at risk. When we get a point on an audit report that says we have a separation of duty conflict, or we have a conflict in place around access rights, that is a warning to us. It's not just a warning to us that we may get fined. It should also be considered a warning that we are in a position where we could lose information. And that fine is one thing that we may get from the auditors or from the regulations that we have to adhere to. But what's more important to us is what happens with the negative publicity.
If we actually start losing information. So you guys are often dealing with auditors who are providing us with these warnings; we have to listen to that information. And then we have to understand what it is that we can do to avoid being fined. We know that businesses are running on information. We know that they need that information in a timely fashion. That is the only thing that we have to provide as information technology: the right information to the right people at the right time. And we also understand, and we get this from the auditors as part of the yellow cards that we see, that it should be limited to the minimum amount of access that is necessary for that person to do their job, this system of least privilege. I also think that it should not be people in the IT organization who are managing those permissions. As a business owner, the business owner should be able to ask one of their members of staff to do a job and should be able to grant those permissions, as long as it doesn't break any policies.
So it's really important that people are actually managing those permissions correctly themselves. Also, from an access governance point of view, we need to specifically know who is accessing sensitive data, and it's not necessarily accessing the systems themselves. Sensitive data exists all over the place within the organization. We don't necessarily know where it sits. And I think a lot of the focus that we've had on identity management in the past has been about providing system access, not necessarily about providing access around that unstructured data. And that's one of the things that I want to cover as well. To start with, on the system access: we understand it. We understand things like Société Générale, we understand things like UBS, where people have actually had access to systems that they shouldn't have access to. They've been able to move from one role to another, and their knowledge of internal policies has allowed them to break the system.
So a perfect example is somebody who has been able to have a separation of duty conflict exist, and it's been unknown. They've been granted access to a trading system, and from a previous role they still had access to the approval processes or the ability to monitor their own trades. If a good access governance solution is in place, then separation of duty conflicts to systems, and also to information that sits within those systems, should be able to be managed. If we know that they need access to a new role, and this may only be a temporary role, it may be something they need just for a couple of days to cover somebody else, whatever this system is, the administrator or the owner of that system, the business owner, should get a notification that says: by granting this access to this particular person, it will be creating a separation of duty conflict, and therefore they need to have the approval, or the underlying system that's causing the separation of duty conflict removed from their rights.
And it may be, like I say, if that's temporary, it can then be reverted afterwards. That's fine from a system perspective, but how much data do we actually know about? We think we know about the systems that people should have access to, and within the IT organization and the security systems we are providing that, but huge amounts of information are existing all over the place. And most of that critical information is unidentified or even unknown to the IT organization. Somebody may be setting up a SharePoint site. Somebody may be setting up a file share. Somebody may have access to a database without people necessarily understanding what's within that. And we don't know who owns that data. So from an IT perspective, and from a security policy perspective, we actually can't define any policies because we don't know who the owner is. But unstructured data is hugely important to the business, whether it's coming through from email systems, SharePoints, file servers. It is actually the majority of the information that's within the organization that is potentially unstructured or potentially sitting outside of the critical systems that we're doing our traditional access governance and access management around.
So it's important that we are able to discover that information, assign it to the right people and come up with processes for being able to automate and secure that. And I think that the first part of that has to be actually understanding where that critical information resides within the organization, who is able to access it, and how do we then understand what controls we should put in place. And within Quest, we've come up with a six-step strategy around this. And we've been working with a number of consultancy organizations to put this into place, but we need to put these steps together in order to provide a coherent access governance package that is not only operating from the system perspective, but also from this data. So understanding and discovering not only from the data perspective and the information perspective, but also from the user point of view: what is the information in the infrastructure, and who are the people that are able to use that information?
So we need to look at the systems today, and, as I say, not just your applications. Look at the systems today to understand where your critical business information sits. How many places does it reside? Is it in virtual machines? Is it on people's hard drives? Is it in email systems? Is it on portal websites? And who is using it today? And that may be a process of monitoring that to understand who's actually using that information. Once you've discovered truly where that information resides, you are then in a position where you can start to classify that information correctly. You need to be able to understand what is in that information, what type of data resides there, and see who the owner is of that information. If you don't know who should be accessing that, and who owns that information, you've got no way of actually establishing an access governance model around that data.
So this discovery and classification piece is really, really important. And one of the problems that we have within IT is that a lot of this information looks very, very similar. You don't necessarily know whose is whose. And I use this analogy of babies in their cots: to the untrained eye they're looking very, very similar, but the parents know whose is whose. They understand it. The owner of those children understands whose is whose. It's not up to people within the IT organization to start to do that, to start to control who should be accessing information. It is only down to the business owners themselves. So you have to be able to make sure that you've got that ownership correct. Once you've got that data owned and you understand who would be approving access to those systems, then you can assign it.
And now we start to get much, much better control. Compliance checks can be maintained around that. If you can make sure that you haven't got a separate segregation of duty issue that you are creating around that ownership, you can also then put in automated processes to make sure that workflows and approval steps for getting access to that information are in place. But you still want to know who's using it today, because you may suddenly, by assigning that piece of information to an owner, have restricted an entire group of people. There may actually have been two owners of that information, or two people that were the primary users of that, or two groups of users. So by assigning it to one owner, you may have suddenly restricted a load of people. So it's really important that you're able to maintain an understanding of who's using that information, that you're able to audit that and keep that regular business-level attestation going so that you've got good control over it.
IT doesn't want to do this. You don't want to have this as something, an additional task, that you're having to do each time. This is something that the business needs to own, and so make sure that they have the responsibility for that. And automation is the only way that you are going to be able to make sure that the security baseline that you put in place is maintained. If you have a manual process for maintaining that, then it is going to break. So make sure, once you understand truly who it's assigned to and who are the users that should be using that, that there's an automated process that's going to keep you within the security framework that you want. And so finally, then, we are saying that the business is now in a position where they can take that responsibility, and it's not going to suddenly create a huge amount of ongoing work for them.
They want to take responsibility for this information, but what they don't want is to have the overhead of all of the additional pieces of work that come with maintaining that information. If it's automated and it's within a security baseline, it's going to be much simpler for them, both to request access, for the business owners to be able to approve that access, and for somebody within the security or the audit team to verify that those access rights are correct. Nobody from the IT organization needs to be involved in granting access rights. It's something that the business can take complete responsibility for, and people within the IT organization can then be there maintaining and operating service levels and spending their time working on things like that, rather than on access rights. The one piece where security does come into play, and from an information security point of view this is something that still needs to be owned by the IT organization, is making sure that unauthorized changes aren't being maintained, whether it's from privileged users or from people who do have access rights to make those changes.
So keeping it within the framework still relies on the responsibility of the IT organization. So when you're talking about access governance, we're not only talking about access to systems. When we think back to the first questions that Martin was asking, of, you know, who's got access to what, and how do they use that access? It's not just access to systems. That may be the starting point. That may be where we've been concentrating our efforts over the last five or six years. But data access is critical to the ongoing success of our information security, and to helping to take away these risks and put that balance back into the business so that they can be using information for their business processes. You then have got a nicely secured environment where you've got ownership of the information itself assigned correctly, and discovered and classified.
You've secured it from an automated point of view. And now you're providing these compliance reports and dashboards, which the business owner wants to see, as does the auditor. And they've got to be simple. Make sure that these access reviews are something that people aren't frightened of. I see numbers and numbers of organizations where literally they are petrified around re-certification, but it doesn't need to be difficult. Make it something that is easy for the business to see, and make it easy for the business to understand. Within our organization, I get a report at the end of each month saying who my direct reports are, what roles they're in and what access they have. It's nice and simple. I can see at a glance who's accessing systems, who has access, who isn't accessing systems. So if somebody has access to something that they shouldn't have, again, there's a cost to the business on that.
Especially as we're using software as a service, you want to be able to make a decision that is saying, actually, if that employee doesn't need access to Salesforce, or doesn't need access to that application, I can actually remove that and we can reuse those funds in other projects. But it's also important, I think, for us to let the managers start making those decisions. Okay, we have to have a framework and a bottom line that says anything beyond this needs to have approval from somebody who is actually going to take a true IT risk decision, but the managers should be able to make reduced-risk decisions themselves, as long as we've got these fail-safe mechanisms built into the organization, built into the system, that mean they can't break it. And that information is there today. It is all sitting within our systems.
Go back to my initial statistic, my initial slide: 86% of organizations that suffer data breaches actually had information available to them that told them either they were going to suffer a data breach or that they had suffered a data breach. The problem is that information isn't available either to the managers or to the IT organization themselves. It exists within the systems. So use it. And if you can get that right, if you can get an access governance policy that is able to truly understand both the system access and the information access, you are going to be in a position where you are an enabler to the business. You're actually helping the business move forward. You are reducing the risk and you are providing the business with the ability to generate more revenue. You're also going to keep the auditor happy, and that is going to reduce the amount of work that you have to do on an annual or a biannual basis, trying to cover and trying to deal with audit points that are coming up. So you will see an improved efficiency. The business will see better agility. And again, you'll see that risk and reward balance being moved into your favor.
Those are the main points that I wanted to cover off in my 20-minute slot. We have set up within Quest a specific page associated with this webinar. So if you go to quest.com/access governance, you'll be able to see and download some presentations and white papers that are associated with this. So with that, I will hand this back over to you, Martin, to see if there are any questions that have been raised, and if there are any further points that need clarification.
Okay, thank you, Phil, for this information. And I think we have had two presentations really looking at the topic from different angles, but I think the points behind them are the same. It's really about the business getting in. So I'd like to ask all the attendees to enter the questions they might have, so that we can pick up the questions now and do some Q&A session afterwards. So still, maybe a question to you. From what we observe, we see a lot of organizations which tend to say, from the initiatives they have around access, it's increasingly, let's say, access governance first and then provisioning. So really saying, okay, that's the thing we have to do. Is it the same you are seeing, and what are, from your perspective, the reasons for that evolution?
Yeah. So, you know, I think if we look back sort of 5, 6, 7 years, provisioning and automation was the leading topic. And I think part of that is the way it was being positioned within organizations. And I think people realized that automation actually, if the access governance wasn't there correctly in the first place, what actually ended up happening was automation of problems. And I think some of the things that we are dealing with today are on the back of that automation of problems. And we've actually created potentially a little bit more of a mess within certain organizations. So what we are seeing as the primary topics is access right reviews, people wanting to look at information and understand who can access it. So access right reviews are a really important piece, and access governance, understanding, putting a framework in place today, is something that needs to be done correctly prior to provisioning being done incorrectly.
Now it may be that the organization already has access governance done. They've put in some really good manual processes, and they've got a really good understanding of that, in which case they can lead with provisioning. But the majority of customers that we are dealing with at the moment, and it doesn't matter whether these are financial, telco, retail or manufacturing organizations, are saying they haven't got a good grasp today on actually who is accessing information and where the information resides. And so with that, we are seeing that the majority of people today are starting with access right reviews, re-certification, because that's what the auditor is pulling them up on. The auditor isn't turning around and saying you need better automation. They're saying you need to get these controls in place to make sure you know who has access to what, and people don't have more information than is necessary for them to do their jobs.
Yeah, in fact it's really about bringing IT and business together at the end of the day. So I think it's really the point where people say, yes, that's where the customers say, okay, that's the thing we really have to solve. That's our big challenge we are facing. And that's where access governance helps. And beyond that, I think it's really the point, what we also see, that organizations pretty well understand that access governance is something that helps them to then better manage and integrate technology and increase their flexibility, also from a technology perspective. Instead of relying on one specific technical provisioning solution, they can decide on how can I integrate this, but I have this link between business and IT, which doesn't change, which is standardized, at least the process. And even if they would change that, that wouldn't mean that they have to change things below that. So it's a layered approach, which makes a lot of things much easier.
And one of the things, you know, people have talked about aligning business with IT for years. And actually, I think we are now in a position where we can go a stage further than that. If we put these access governance controls in place correctly, what we can do is actually say, I'll let you, the business, deal with this. It's not aligning IT to the business. It's actually handing the control and the responsibility of that over to the business, but they can only do that if it's easy for them to do it. And they want to do that. At the moment, if the controls aren't in place and it's too difficult, the business doesn't want to have that ownership, because it's just going to take up all their time from doing the work that they actually need to be doing. If we can make it nice and simple, and the technology exists today to be able to do that, then we can actually hand that responsibility over. We can still maintain those hard controls to make sure it's not going to fit outside of those boundaries, but the business can actually take the responsibility. So I would say it goes beyond aligning IT with the business. It's giving it back to the business, who is the real owner.
Yeah, I think that's exactly the point. So I have another question here. Don't you think that awareness is the most important thing when it comes to unstructured data, rather than automated access policies?
Yeah. It's certainly the starting point, and you're not going to get any buy-in from the business unless people are aware of what information is sitting out there. And I think this comes down, you know, as part of access governance, we talk about privilege management, which is one of our previous webinars. IT knows about the fact there's privileged users who have access to information, but people in the business don't necessarily know that. I recently spoke with a CFO and explained to him which of the people within his organization, two of whom had only joined that week, had access to all of the information that was available within that company, and that scared them a lot. And I think the business owners, again, they're all sitting there with information residing in all these places. Somebody does care. The fact that that information is unstructured, has no control over it and is available to a huge number of people.
Now, the problem is that awareness isn't out there. And one of the things that I, my team and the consultancy firms, the large organizations and systems integrators that we are working with are spending the time doing is not necessarily talking to IT about access governance, because I think most IT people know about it. It's actually talking to the business and explaining the issues that could reside within their organization, that in a way they're a bit of a smoking gun. And so that is something that we are spending a lot of time on, trying to generate that.
However, I think that the good news around this is that, let's say, building awareness is much easier than it has been some two or three years before. So it's really about, you have so many examples out there which are familiar to people, that they pretty quickly understand, okay, that same thing could happen here as well. That's the same,
I think you would,
I'm facing. And I think that's a big step forward, because it makes things much, much easier. And it proves what I've been telling for years, that when we look at the entire topic of IAM we should start talking about access, because that's what the business understands, and identity is what we need to do with them. But yeah,
And the auditors are helping that, you know. I think the auditors are spending a lot more time now actually raising these points, and I think more so than they did even three years ago. And, you know, again, we've been working a lot with the major auditing firms to understand exactly what it is that they're seeing as these common pieces, so that we can make sure that any future technology developments and integrations that we are making are actually meeting those audit points that are being raised. And that's something that we've been working on a lot over the last 18 months.
Yeah. I would even say that the interesting point is, I think there are two things regarding the auditors. I personally believe that you shouldn't only rely on what auditors are seeing. So they're focusing on specific topics, or some things which are, I would say, hot. And if you look at it from a holistic view, there are more things you have to do. The other thing is, what really roofs this entire thing is that we really have to build an architecture, sort of a holistic solution. We can't say, okay, we fixed that thing, we fixed that. So we just look at specific points, but we really have to move forward towards a strategic approach. And access governance is a key building block in everything we have to do there.
So we have one other question, and I think that's the last question we can take within this hour. Yep. How is it possible to show benefits if it's not possible for only a few cases? That's the question. So can we assure the overall benefit of this thing? I personally believe yes, because my view is that there are benefits like reduced times for re-certifications and a lot of things which are really around, let's say, the regulations. So what is your view on how we should show the benefits?
Yeah, you've still got to start. You've got to start showing benefit to the business literally as quickly as you can. And, you know, a typical engagement for us is looking at something around about 30 to 40 days to be able to bring those initial systems into play, to be able to show those benefits back, because the business won't buy into an ongoing project if it's going to take, you know, 120 days to show value. You've got to start on really understanding, and that's why you need this automated discovery. You've got to have a process in place that's going to be quick, so that you can show value back to the business straight away and say, you know, it's going to be a phased approach, because you can't just go into a large organization and discover all their information on day one. We understand that, and the classification needs to have business involvement, but you've got to take critical systems and work on those critical systems, show the value, automate that, people don't understand exactly where this is, and the business will continue to invest into that project.
Okay. So thank you for your answers, and thank you to all the attendees for participating in this KuppingerCole webinar. There will be several other webinars until the end of this year, and for sure also there will be a lot of webinars next year. So feel free to attend other webinars. Thank you for your time, and thank you to Phil for his presentation.
Thank you.