Okay, good morning, good afternoon, good evening, whatever your time zone is, and welcome to today's webinar on moving access governance to the next level, beyond checkbox compliance. I'm joined today by Jason Garbus, vice president for product marketing at RSA Aveksa. And for those of you who don't recognize my voice, I'm Dave Kearns, a senior analyst with KuppingerCole. For access governance, the challenge is to secure information in a dynamic environment the information security department does not own, does not manage and does not control. Business processes are changing. Applications are purchased. Cloud services are ordered. Organizational change happens, all out of control of IS. Nevertheless, information needs to remain secure. That's what we'll be talking about, as well as what I perceive is the biggest obstacle that InfoSec needs to overcome. Before we get to that, though, let me tell you a little bit about us. For those of you who aren't familiar with KuppingerCole, KuppingerCole is Europe's leading analyst company focusing on identities
and access management, their governance and risk management to facilitate innovation and corporate value-oriented, secure, privacy-maintaining information management and businesses in the cloud, in mobile, and in social computing. The core elements of KuppingerCole research are the reports, from vendor reports and product reports to comparative segment reports and trend reports on emerging market segments. Based on our research, we provide advisory and coaching services, which support you in the definition of your vision, strategy and project roadmaps. The KC flagship event, European Identity Conference, is held annually. It provides thought leadership and best practices on identity-focused information security and IAM, GRC, and cloud computing. It will be coming up again in May of 2014.
Coming up very soon, though, is our very first Information Risk and Security Summit, or IRS, a highly interactive event offering the opportunity for you, as an IT professional, to discuss with your peers your most challenging topics and questions in a discreet environment, moderated by teams of practitioners and analysts. IRS is a dialogue based event on a speaker delegate event. It consists of a series of five dialogues around five highly relevant topics where you can learn from your peers, share your thoughts and get feedback on your views. Only a few spots remain for this conference next week, so register now. At this point, I'd like to introduce Jason Garbus, who'll tell us a little bit about RSA Aveksa, and then I'll be back to start today's presentations. Jason.
Great. Thank you very much, Dave, and good morning and good afternoon, everyone. And thank you for joining us. As Dave mentioned, I'm Jason Garbus and I am vice president of product marketing at RSA Aveksa. So Aveksa is a leading vendor of identity management and access governance solutions. And as of July of this year, we are now part of the RSA family, and certainly looking forward to, to our session today. Thanks, Dave.
Thank you, Jason. Before we begin, some housekeeping. Note that you are muted centrally; there's no need to mute or unmute yourself. We control that feature. We are recording the webinar. The podcast will be available tomorrow and all registered attendees should get an email telling them when it's available and with a link to the place that it's available. Questions are welcome at any time. In your little
webinar tool, there's a box for questions where you can type in your question at any time. We will have a Q&A section at the end, but if something is relevant, then we'll take it as it happens, as for example the question that's come in now that says, "Hello, will the slides be available?" And yes, the entire presentations will be available, as we say, probably sometime tomorrow. Okay. The agenda for today is in three parts. I'll be speaking first about beyond checkbox compliance. Jason will then come in talking about beyond the checkbox. And then of course we'll go to the Q&A.
It was about a year or so ago. I was presenting a workshop on what drives security change in the enterprise. When I finished and called for Q&A, almost all the high-level IT and IS people present said that they weren't interested in discussing best practices because they didn't have time to study, plan or implement them. Instead, their time was fully taken up with reacting to the auditors. The only priority that their management had was to pass the audit, be that a security audit, a compliance audit, or what-have-you audit. Meanwhile, as attacks on enterprise data stores are becoming more numerous, varied and sophisticated, you're being pulled in different directions by business users demanding access, directors expecting perfect defenses, auditors scrutinizing policy compliance, and CFOs weighing the return on the technological investments. That's no way to run a business. On the other hand, it's no way to run an audit agency either. I was told that the auditors have to find problems in order to justify their fees and to minimize their loss when an untoward event occurs. Business managers need to have signed-off audits so that when that untoward event occurs, and it will, they can say they've covered all the relevant bases.
So who's stuck in the middle? That's right, it's IT and IS. My colleague Martin Kuppinger exposed this problem last spring when he wrote, identity and access management is a perfect example of what happens when IT departments approach a basic problem with a too narrow focus. In the end, they wind up having to broaden both their scope and their financial commitment. And often they find themselves operating multiple parallel solutions that are hard or impossible to integrate. That narrow focus of which he speaks is too often a bullet point from an audit report. Multiple bullet points mean multiple parallel solutions, because business's priority is to remove those bullets ASAP or sooner. One example I overheard concerned a company that scheduled quarterly audits. To overcome one of the auditor's findings with the proper planning, testing and staged rollout would take six months. The CIO told the auditor this, yet three months later the same problem was flagged again, along with others, of course. The CIO reiterated that there was a plan in place. So the auditor flagged that as a problem: it was taking too long to implement. So our commitment to audits to find problems is driving the IT and IS agenda, and not for the good. In many ways, this is akin to the practice often found in the US of teaching to the test
in our public schools. This means that teachers, rather than exposing students to logical processes and rational thought about their subjects, spend much time drilling the student on specifics that will be asked on national standardized tests. Many believe that while this might raise scores slightly on the test, it does little to educate the youth, the students. In the same way, what I'll call securing to the audit might get you closer to passing the next audit (remember, the auditor will find something new, so you can rarely pass completely), but it doesn't necessarily make you more secure or more compliant.
It's analogous to what I said a year ago when talking about data loss prevention apps. So with so much DLP software available, why is there still a problem with data loss, leakage, and why are organizations seemingly so surprised when it occurs? So too, after all these audits, why are there still compliance issues? One reason is that the auditors, as was said about the French generals in the 20th century, are always fighting the last war, closing the gaps that were most recently discovered and exploited. There's no attempt on their part to find future problems and they leave you no time to do this on your own.
We and the entities we work for need to take a different approach. We must switch from reactive mode to proactive mode in securing the organization and implementing good identity and access management practices. We need to look at access control in a whole new way and implement apps that allow us to manage those risks, known and unknown, for the betterment of the enterprise. In a word, we need agility. In fact, KuppingerCole believes agility to be an important feature for modern access governance tools, but it's only one of the features. Other features we understand as core elements needed for today's access governance include attestation and recertification as detective manual controls, which allow organizations to analyze the status of access controls in a structured way. Auditing and analysis features, which support an after-the-fact view on access-related events, including advanced analytical capabilities based on business intelligence technology; that is, we need the ability to look at events in the rear view mirror. Access request management as the preventive, at least partially automated process, including automated reconciliation, included, of course, the dreaded BYOD or BYI or BYO anything else. Finally, integrated privilege management features for extending these controls to privileged users, which today aren't typically covered by the standard access governance tools.
Over time, a deep integration with dynamic authorization management systems, which are used to centrally define policies for application and system security, is required as well. There are solutions available today which can both satisfy the auditor's findings as well as provide the agile, dynamic governance solution which allows you to move beyond checkbox compliance. Our annual review of the market, the Leadership Compass for Access Governance, is a good place to start. In that review, we note that RSA Aveksa is commonly seen as one of the inventors and leaders in the access governance market. The URL for that report you'll find at the bottom of this slide, and you'll be able to get it later when we send this report out to you, but let's find out what they're doing today and planning for tomorrow. So I'm gonna turn to my guest, Jason Garbus, for that. Jason, are you ready?
I'm ready. Thanks, Dave. All right. Let's get the control switch here and we'll bring up the other presentation. So I think that was a great intro, Dave, and you know, it's a little bit, let's, let's say disturbing or perhaps disappointing that as an industry, we're still in many cases struggling with meeting the compliance requirements and not really able to realize the potential for identity management as a sector that for both delivering better security, which is truly a really, really important and in some ways, business critical aspect, as well as delivering business value. So, Dave, I think you touched on a lot of different things and, you know, you know, you talked to a lot of, of enterprises and InfoSec teams. I do, and, and you know, the people I work with do as well. So I think together we've got a couple of different perspectives, but a good understanding of really the challenges that organizations today are facing.
So if you think about in this slide, what we're trying to do is outline really the three areas, the three primary areas, the three primary constituencies that InfoSec has to work with. And you touched on this in your presentation. If we think about starting at the bottom, the IT infrastructure, whether it's on premise or physical or virtual, whether it's in the cloud, nowadays it's of course increasingly migrated now to cloud or mobile devices, mobile access to, to critical applications. So as we were saying, at the, for, at the IT infrastructure level, organizations are struggling with the rate of change of new technologies, as well as the explosion of unstructured data, which need to be managed. From the upper left side here, the audit, risk and compliance teams: organizations, of course, as you just mentioned, are challenged with the increased scale and scope and the intensity of audits, whether they're from internal audit teams or from external audit teams.
And I think, you know, to some degree, certainly auditors are always looking for a problem, but in the, in well-run organizations, there's a, a, a philosophy, a partnership with the audit teams. A couple of weeks ago, I was presenting at a conference of internal auditors talking about data governance. And, you know, I was, I was really struck by how on top of their game these guys are. They asked them very relevant questions and it's not at all adversarial in the sense of, hey, we just wanna shut everything down because we can, we can be the business impediment department. It's around understanding and balancing the need to coordinate security and compliance, but yet enable the business to do what they need to do. Okay. And why is doing that? Hold on here. Okay. So if we sit, oops, if we gonna go back to the upper right.
One of the biggest challenges that IM teams have is transforming themselves into a department from being an impediment to the business, to being one that's a business enabler. And that's where we're, we really see the ability to take a modern set of identity management tools and switch from teaching to the test, so to speak, that is, just meeting compliance requirements, to actually adding business value across the board. And we'll see in a couple of slides different ways that organizations can do that. So if we synthesize this down a little bit, you can see there are really three main forces: compliance, efficiency, and security. And we can't just focus on one of those. We have to focus on and balance out meeting the requirements for all of those things. And the good news is that there are a lot of tools and technologies out there. Vendors such as ourselves have invested in creating pretty comprehensive, well thought out and modern platforms so that organizations can put those in place, meet the compliance requirements, which of course they have to do, but have an ability through automation and policy-based operations to really improve security and, most importantly, enable efficient business access and enable business agility.
Any thoughts, Dave?
You caught me muted. No, no, you're doing fine. You're doing fine. You keep going.
Well, so we think about why organizations buy IM solutions. Again, those are the three drivers, right? Improving their security, increasing their efficiency, and of course, meeting compliance guidelines. And I was, I was, that was a great quote here from the CISO of a major financial services organization. And we were going back and forth on email and talking about a few things and he can say, I don't like to list compliance as the first benefit of IM, of InfoSec, 'cause I think it's a side benefit. And he says, if you only do security because the law demands it, your head and your moral fiber just ain't right. So this is him saying, for goodness' sake, let's not teach to the test here. Yes, he has to be compliant, but that should be a byproduct of our overall best practices. Right? Most of the folks that we work with in InfoSec really are, are dedicated and pride themselves on being well-rounded and well experienced,
well-informed information security professionals. They don't hear people talking about, I'm a compliance expert. They're, no, I'm a security expert and yeah, I gotta meet compliance guidelines. So let's talk about some of the challenges and how organizations can approach that from an identity management perspective. First of all, on the left side, you have a wide variety of different technologies and things that are rapidly moving, and internally, to get your, your arms around this, very often organizations are faced with multiple disconnected accounts across all of those different applications, many of which nowadays are coming online as SaaS-based services, oftentimes initiated by the line of business without InfoSec involvement. I was talking to, to a customer the other day, and they were kinda laughing about how the line of business was the, these, these SaaS applications were sprouting like mushrooms and they didn't find out about it until the line of business came to them and said, oh yeah, by the way, we're using this app over here for this piece, this, this part of our business process.
Can you put it into our, our single sign-on solution? The InfoSec guy says, wait a minute, this is the first time I've ever heard this. You know, we gotta talk about this from the step one. So you get these multiple disconnected accounts and the, the first part of certainly meeting compliance requirements, but perhaps more importantly, meeting security requirements, is getting a, a holistic view of all of these different accounts and turn it into a 360 degree view. And I, you know, a, a well-rounded picture of people. So the first step is you need to get a unified business view of user. So rather than all these disconnected accounts here, let's turn it into a picture. And we see who these people are, what role and function they have in the organization and everything that they have access to. So that's really the first step. I mean, if you can't answer the, the very simple question, what do people have access to and why, you're, you know, the auditors are gonna have a problem. And more importantly, you're gonna have a pretty weak security infrastructure and have an inability to efficiently and effectively support business processes around the identity life cycle.
Okay. Let's see here. I don't know what's going on. Are we still shared there? Can you see that? Okay. Yeah. Yeah. We can still see you. Sorry. Sorry. I just had a something strange pop up. Okay. So we think about the three components. You know, we, we've seen organizations, we've seen that it works well to think about it as really three parts or three steps: governance and provisioning and single sign-on. So starting at the left, you know, from a compliance and from a security perspective, it's really, really important to have this be well governed and that rest our foundation of getting visibility across all these apps and then having a mechanism, which we'll talk about next, of ensuring that all this access is appropriate. I love using that word, appropriate, because it implies so much richness behind making that decision of what's appropriate. Who can make that?
What we found is that the decision about whether a given level of access, whether it's to a piece of data or to a very specific, fine-grained entitlement, such as a transaction inside a financial system, really depends on the line of business expertise, not on InfoSec. People in InfoSec, in an organization of any size, you know, if you're working with 8,000 other people at a company, you certainly don't know all those 8,000 people individually, and you certainly don't know what they're working on, even if you did know them by name. So it's impossible for the folks in InfoSec to make effective decisions about whether or not this transaction or that transaction is appropriate for a given individual. So that decision making needs to get pushed out to the line of business, at the line of business manager level and at the application owner level.
And you hinted at some of that, Dave, when you were talking about access review, so that's certainly one, one part of that, as are policies. So you need to have policies both centrally driven by the InfoSec team, as well as driven by the lines of business who have expertise around those sectors, and the application owners. So again, you might have an application that says, excuse me, an application owner who knows his application and knows his domain. And he's the one who should be saying, people shouldn't be able to access this piece of data or that piece of functionality unless they meet the following criteria. And then they'll work in partnership with InfoSec. Now that's oftentimes why, when we talk about what an IM program rollout looks like, you know, clearly there's a hefty chunk of technology, 30, 40, 50%, whatever it is. There's also a hefty chunk of people and process. And you know, the most value of this is having the InfoSec team work with the line of business and start to establish these kinds of policies and guidelines around what's appropriate. And then InfoSec can go and codify that in the system.
So next up then we talk about automated provisioning, and this is really where efficiency comes into play. By having an automated provisioning mechanism, of course, InfoSec can, number one, speed up the provisioning process, but number two, bring some consistency to it. And that's really, really important because once you have that consistency, InfoSec can then start to offer committed service level agreements, or SLAs, for the line of business, where in most immature organizations onboarding the new employee is a difficult process and it can take days or in some cases a couple of weeks for people to get all the access they want. But imagine, you know, in a, for a well-run organization, InfoSec can go to the business and say, we can guarantee you that if you go through this process, your new employees will have access within 24 or 48 hours. That's a big win.
And that really adds business value. And then finally single sign-on, of course, is a big win for the end users because it allows them much simpler access to all these applications and fewer passwords to remember. From an InfoSec, from an IT perspective, it's also a big win because what it does, especially for SaaS-based applications that reside outside the organization, it makes sure that InfoSec is part of the transaction, so to speak. With, without this, people can, the line of business people can use SaaS applications really outside of the control of IT, but once they implement it as part of an SSO solution, IT is part of the chain. They can establish both visibility of what's going on and, more importantly, control around who is accessing what. They have the ability to turn it on and turn it off and to enforce policies around, going back to the governance piece, whether or not someone's access is appropriate. Any comments, Dave, before we, we jump to the next slide?
No, not really. I assume when you include cloud and mobile, as well as data center applications, all here together, you mean that we really need to manage these together, not with separate applications and services. That right?
Exactly. We've, I think this goes back to the, the quote from Martin that you put up there, is we found that organizations often are facing tactical problems, but they need to solve them in a strategic way. And what we mean by that is use a holistic platform that's gonna get you where you need to go over the next 18 or 24 months, but also choose both a platform as well as a projects prior, have a project plan that prioritizes some quick wins. And that is, is structured in a way that can let you deliver business value quickly. You know, some solutions require a lot of upfront infrastructure work or a lot of heavy customization, and they take a long time to develop new functionality and, and deliver value for the business. You know, what we've seen with our customers is the opposite of that. You know, we're very much built on, hey, let's design our products as a vendor that don't require a lot of customization. In fact, over 70% of our customers go live inside of four months. So I think as enterprises look at choosing what solutions we use, it's really important to get one that's gonna deliver business value quickly and is allows them to, to onboard, onboard applications, onboard data sources. And as you mentioned, solve these what might appear as very tactical problems, but to solve them in a way that doesn't create additional silos.
Okay. So if we go ahead and we build this out, we think about those three areas of governance, provisioning and single sign-on. What we've seen in what we, what we call a, a value pathway or a maturity model, is that organizations, let me go back for a second on the, sorry, here on the governance side, in particular less mature organizations are certainly struggling with the areas on the left side, getting visibility across key applications, and then performing access reviews generally just in compliance, compliance requirements. And very often they'll be looking for a solution that can help them automate that, to expand both the scope, in terms of the number of applications that they're doing access reviews for, as well as the effectiveness. And very often we see organizations take on an identity management and automation program where they'll do, they'll use a solution to automate access reviews.
And at the same time, start to enforce segregation of duties policies, or policies around controlling who has access to what data, and putting policies around the joiner, mover and leaver process. And that's really the first inkling, the first step of where IAM as a program inside of the organization can start to deliver business value. If, if all a team is doing is taking Excel spreadsheet based access reviews and moving them into a web-based system, certainly that's a win and that's an improvement because it's gonna, it may improve the user experience. It's gonna help the business, but it's not truly delivering business value. It's just delivering a slightly better experience for certification. But if you start to enforce segregation of duties policies, if you start to have the ability to, right, automate joiner, mover and leaver processes, all of a sudden the line of business starts to get some value out of this.
Now I know when someone joins the organization, what if my IAM system can detect that based on a feed from an HR system and automatically provision their birthright entitlements? They can automatically provision or even suggest to me types of entitlements that make sense as someone in this role or someone with these kinds of attributes. That's gonna make things a lot easier for the business and start to, start to really drive a lot of value. Likewise, if organizations get more mature, to the right side, they might look at embarking on a roles project, or more and more nowadays we see organizations really prioritizing an access request program where they put in place a centralized portal for requesting access. This portal is built on the foundation of broad visibility across applications and data sources and policies, so that it ensures proactively that people can't request or have assigned to them inappropriate access rights, and also has policies for access fulfillment and access request approvals, which is really important so that when someone requests access to perhaps a high risk entitlement, that that goes through the appropriate approval chain, which would be a very different approval chain from someone requesting access to something non-controversial or, or pretty basic.
Likewise, on the provisioning side, organizations that are less mature would use, say, email-based task notification or service desk integration. More mature organizations, of course, wanna move to automated provisioning for the right set of applications, typically those that are high volume or perhaps more complex, to help include, excuse me, increase the effectiveness, the reliability, and of course the speed. And then finally, for single sign-on, I think this is a great example of the, the, the need to, where the value get from moving from, from solving the problem tactically, which you might do with, let's, let's call it standard standalone SaaS-based single sign-on, to what we view as having a lot more value, which is governance-driven single sign-on, where you might have a single sign-on solution based in the cloud, but because it's connected to and integrated with the governance processes we just talked about, you're ensuring that the kind of access that you're granting to people is appropriate, follows policies and follows processes, and really drives both compliance and security and efficiency. So it's a win across the board for all three major areas that, that organizations are struggling with. Comments or thoughts, Dave, based on your, your conversations with folks?
Well, yeah, as we said, you know, provisioning needs to be automated. I, I certainly agree with you there, and especially deprovisioning, which I didn't mention, needs to be automated also. In fact, there are those who believe that deprovisioning is a lot more important than the provisioning is to begin with one.
Especially from a security point of view.
Yeah, exactly. Exactly. So let's, let's take a sec now and move forward and talk about how identity management can tie into the broader security ecosystem. And this is pretty interesting, right? We talked, we've spoken in the last half hour or so about the value that an IM program can bring within, kind of within the sphere of identity management. So we talked about accelerating access reviews. We go back for a second here. We talked about being able to, to define and enforce access policies. We talked about automating joiner, mover and leaver processes, enabling roles or enabling access request portal, but there's also, and that adds a ton of value. We've seen customers, you know, get a tremendous amount of value across the board from, you know, just this, that scope. But if you look at a broader ecosystem, IAM teams at, at, and enterprises can really start to influence even, even more value.
So if we tie these things together, we look at IAM as a foundation that provides this identity context or business context around all the things that are listed there, not just the identities, but the things that make up those identities: attributes, and entitlements and roles, and of course the policies and processes in support of that. But now all of a sudden, let's take a look at the rest of the security landscape. You've got, you know, a SIEM solution, security information and event management, where those things are, are obviously security solutions. They're trying to understand what people are doing based on log or, nowadays, increasingly looking at, at network packets. There's a lot of value that an IAM system can add, which we'll talk about, by connecting, you know, what look like really detailed transaction-level, packet-level activities to the broader identity context. GRC solutions going from the opposite direction, right?
You have a governance, risk and, and compliance solution that fits kind of above all of this and is certainly driven a lot by compliance requirements, but identity management solutions can connect with that, both get information from a GRC solution around the risk levels or the importance of doing certain, putting certain controls in place, as well as feeding information back into the GRC solution about the effectiveness and the, the actual activity around these controls, to, to improve security and to eliminate a lot of manual effort. Likewise, data loss prevention or data loss protection solutions. That's pretty well established in terms of the value that identity context adds there to help do things like establish business owners for data resources, to then, to then include those in the overall access governance policies and processes.
So, you know, great example is someone has an entitlement to sensitive data and it's being used. Is that appropriate for them? Is it, is a level of access that they have and what they're actually doing consistent with people in their peer group, or is it something anomalous? Should we start to look at this and, and prioritize this for, you know, for the SOC team to, to drill into and try to understand what's going on? So let's take a look at a couple of these areas. If we look at SIEM integration, right, there's actually four ways that identity management can help. But of course, there's the preventive side of things. This is the principle of least privilege. This is making sure that people have the minimum level of access necessary to do their jobs. And essentially what you're doing is not only are you trying to meet compliance guidelines, but from a security perspective, you're trying to reduce the threat surface area.
You of course wanna validate that as people's access changes that it remains appropriate. And this is something that we call continuous compliance effectively, where rather than having to have a huge effort to get in compliance with the guidelines, you make sure that staying in compliance is a byproduct of your day to the operations because you have these automated solutions that can see what's going on across the broad set of areas and automatically enforce policies. There's of course detection, which is when something is when anomalous and anomalous event occurs. We can provide identity context to help improve that. And then of course, there's the response, which is, as Dave just mentioned, the big red button to deprovision someone's access when there's a problem or a suspected problem.
You have a yeah.
On response there, are we talking about dynamic provisioning here so that the system can actually respond to something that's uncovered during detection and modify or change the access that's allowed to this particular user?
So what you're talking about, we certainly have the capability to do that, right? Once you have a provisioning system in place, then you can close the loop here and have some sort of, you know, initiation, whether it's manual or automatic, go through the process of deprovisioning. I haven't seen organizations that are quite at the maturity level where they wanna have this all be automated. They wanna have humans involved in the loop, which I think makes a lot of sense. There's still a lot of false positives inside of, you know, threat response and at security operations centers. And I think organizations don't want to have the system kind of automatically shutting things down. But what we found is this: number one, the context that it provides when something anomalous is happening helps these SOC teams prioritize, do the triage and really drill into what's going on.
And when you're looking at perhaps some strange activity, you can tie this not just to an Active Directory account from an IP address, but you can tie it to that rich 360 degree view of an individual. And you can see what their role is in the organization. You can see what other access rights they have, and then you can make a much more intelligent decision about what you need to do here. Now, for example, if there's some strange activity that's happening in an account that was just recently set up yesterday, and you don't know very much about this individual, maybe they're a contractor that just started, you might wanna respond differently versus it's, you know, someone who's, you know, in the IT operations team. And, you know, their job is to diagnose problems on the production systems, right? That person's probably gonna be doing a lot of things that look perhaps weird because that's what they have to do, versus a contractor who just started. And they're working in the finance team, you know, that's gonna raise your alert level much higher. But I don't think that organizations yet want to kind of have an end-to-end completely automated deprovisioning, but they wanna have the ability to, let's say, have the big red button on the desktop that someone can push and say, all right, let's disable this account or this person's access right now while we investigate.
So that's the SIEM side. Oops. And then just looking at it from kind of a swim lane perspective, right? So the first area is taking this identity context and pushing it into the SIEM system to help enrich the triage prioritization, and basically the activities that a SOC operator is looking at. Second is this access violation, or excuse me, access validation. So in this case, what the SIEM system can do is detect a new access grant or a new account creation. And the identity management system can then look at this and say, well, gee, this is interesting. Joe was just granted access rights A, B, and C in this application, and then go validate: was it requested properly? Was it approved properly? Does this violate any policies? And then it can respond to the SIEM system, telling them this was requested out of band, so you should do something about this, or no, this is okay.
They followed the process. Everything's good. And then finally, there's some access usage data that is useful inside the IAM system, particularly during access review. So if you're a manager performing an access review, seeing how frequently someone accessed something is pretty useful. 'Cause if I look at this and I'm reviewing Dave's access to an application, and I see, well, gee, you know, he hasn't logged into this in the last eight months, that's a pretty good candidate for me to revoke that as something that's excessive, versus I see that Dave has logged into this 45 times in the last six months. That's an application that I know he uses frequently and probably needs to keep. Okay, I'm gonna skip over this. And then finally, we'll talk about IAM and GRC integration, and there's a couple of different areas where this can work. So first is taking the risk levels, prioritization and the overall importance of an application at a corporate GRC level and pushing that into the IAM solution to help prioritize. You can very easily imagine this kind of corporate risk analysis going down, and then being able to distinguish between high risk applications and high risk entitlements that need to be reviewed, let's say, on a quarterly basis or perhaps even a monthly basis, versus much lower risk entitlements that we can push back and just incorporate in an annual access review.
So this is a great example of not being able to do everything and not needing to do, you know, the highest level of security for everything, but working in conjunction with the audit teams to prioritize and balance out the overhead and compliance and security forces. We can also provide identity context and push that into the GRC solution. So when there's an incident going on, an investigation, for example, that team has access to this rich identity context. And then finally you can help report back up into the GRC solution high risk users, and to validate levels of controls that have been put in place around those. Okay. So to wrap up here, I think we've made a great case, both from our perspective as a vendor, as well as, more importantly, from our customers' perspective, solving these problems in the real world, for a well-run IAM program to deliver a lot more than just compliance.
First and foremost, it delivers security to the enterprise. It can help dramatically improve the efficiency and the effectiveness of both technical processes, such as provisioning or data collection, as well as the business processes such as access request or the identity life cycle, the joiner, mover, leaver practices, and most importantly enables business agility. So we've seen well-run organizations, you know, embrace the technology change that's come in, especially with cloud and mobile, take this identity context and leverage it across the security ecosystem, involve the line of business to make these better access decisions and really partner with the business to help enable and add business value. All right, Dave, what do you think? Any comments?
No, you go right ahead, Jason.
Okay. Well, I think, you know, that's really what I wanted to say. I mean, we've certainly seen a lot of enterprises successfully do this. It's not easy, and it's not easy not because it's technically difficult. Sometimes there are challenges connecting to applications just through the, you know, complexity or age, but it requires a lot of work to connect with and engage with the line of business and the application owners. And that's kind of the nature of the beast. And I think no amount of technology is gonna eliminate the challenge of sitting down with your peers, explaining what you need to do and explaining, more importantly, how you can add value to them. I mean, imagine when a line of business comes to you and says, I want to take this application and I wanna expose it to all 500 of our partner organizations, and we need those people to get access to it, or they say, guess what? We're taking this division and we're splitting it off into a separate company, or we're acquiring that company over there. We need to integrate everything. We want the IAM team to be part of that conversation and to be able to say, yes, we can do that safely and securely, and here's how, versus no, we can't do that, or it's gonna take us forever and cost a fortune.
All right. So with that, I think I'm happy to take chat questions here and see what, see what people think.
Very good. We do have some questions that have come in and let me see if I can find them for you. Okay. First one here that we'd like to take, and I'm interested in this too: the questioner says that they're part of a company of 40,000 and access reviews is a weakness. They wanna know if there's any way to automate access reviews.
Yes, absolutely. So when we talk about automating access reviews, I mean, of course there's always by definition gonna be human beings involved in actually performing the review. You think about, you know, where's the real value of a review. It's when some information gets presented to a reviewer, a human being, you know, is sitting down and looking at a screen and making a decision about, should the person who has this access maintain that access, or should it be revoked? Should Dave keep this entitlement? Or does Dave not need it anymore? Because, you know, his role has changed or something like that. So we're not automating that, but what we are automating is kind of, first of all, all the infrastructure around collecting the data across hundreds of applications, putting it together in a way that makes sense and presenting it to the user.
We're also automating the enforcement of policies. So instead of line of business managers having to make individual decisions, the system should automatically flag policy violations for remediation. So if I'm looking at Dave's access and the system gives me a warning that these two entitlements are in conflict, I can then make a decision about which ones to remove. And then of course, there's the follow-on of when I remove access as part of a review, to have either a service desk ticket created for manual deprovisioning or automated deprovisioning behind the scenes. So there's a lot of manual work that can be eliminated from access review. Okay.
Okay. Next question. Person wants to know if you have any use cases available showing Aveksa's access governance features being used with other IDM tools such as Hitachi ID.
So yeah, many of our customers, many organizations have existing provisioning solutions that they perhaps deployed over the last 10 years or so. So I think most of the time we'll go, we'll talk to a prospect that's interested in taking a governance driven approach. And the question is, how do I work with my deployed identity management solution? And the answer is, you know, very well, thank you. So what we've seen is those organizations have put a lot of time and effort into taking those identity management systems, connecting them up to usually a relatively small number of applications, five or eight or 10. So we can connect up to that, incorporate that as entitlements into access reviews and policies and processes, but also connect back out to that, to use those to provision or deprovision access or roles for systems that they're already connected up to.
Okay. And next question we have here. One of our audience members wants to know if there is a sort of a matrix available showing how your access governance tool stacks up against others in the areas such as, they mentioned, NetIQ's Access Governance Suite. They want to know about your key differentiators. Before I throw it to you, I'd like to remind everybody that we do have available our Leadership Compass document for access governance, which does indeed show all of the major players, their pros and cons, and essentially how they stack up with one another in different areas. But maybe you can explain what you see as your key differentiators from your competition.
Sure. So I think that obviously the analyst reports are a great place to start and to look at how they've ranked the vendors, but I'd also encourage folks to, you know, engage with the vendors, do your own analysis. We can certainly work with you to help identify what we've seen across our hundreds of customers around, you know, key success factors and key criteria. So do a hands-on analysis of the products, take a look at what's gonna work in your environment, with your team, and to meet your requirements. That's the most important thing. You know, from our perspective, we've worked very hard to, so number one, build a comprehensive platform, but number two is to build one on a foundation of rapid to value. That's one of the areas that we've seen our customers be successful. And our products really shine in having a solution that doesn't require a lot of heavy customization or a very long and involved deployment project. So those are areas where we've seen our customers be successful and what we view as differentiators for us.
Well, thank you very much, Jason. I see we're just about out of time here. So I'd like to thank everybody for being with us today. And also I'd really like to thank Jason Garbus from RSA Aveksa for sharing his presentation with us and being willing to answer your questions as needed. Before we go, just a quick reminder that I hit the button too often. There we go. Just a quick reminder about the Information Risk and Security Summit, IRS, coming up next week in Frankfurt. This is a highly interactive event offering the opportunity for you as an IT professional to discuss with your peers your most challenging topics and questions in a discreet environment, moderated by teams of practitioners and analysts. This is not a speaker talking to you event. This is a dialogue based event. You can learn from your peers, share your thoughts and get feedback on your views around a series of five different dialogues around five highly relevant topics. There are a few spots that remain, so you should register now if you want to do that. And with that, we'll leave you for today. We'll be back again soon. Remember the podcast will be available probably tomorrow and you will be notified when it's available and where to go to pick that up. Again, thank you, Jason. And thank you to everybody from KuppingerCole for making this possible. Enjoy the rest of the day.