Webinar Recording

Adding Depth to Your IAM: Automating Microsoft Active Directory and Azure AD Administration


IAM, and within it IGA (Identity Governance & Administration), focuses on managing identities and their access across a variety of systems. That is essential, particularly for heterogeneous environments. However, there are two aspects that aren't well addressed by many of today's IGA products:

  • In-depth management of Active Directory, Azure AD, Office 365 and other core infrastructure elements, from creating mailboxes to in-depth access control in AD and on file servers
  • Lightweight implementations for SMBs that don’t need the full breadth in capabilities

Where these requirements aren't served well by existing IGA implementations, or where these are just too complex for the customer's IT infrastructure, targeted tools that work around Microsoft Active Directory (AD) and, nowadays, Azure AD come into play, adding depth to the breadth of IGA, or serving as standalone solutions for customers that don't have and don't need a full IGA solution. In this webinar, we look at what a complete IAM infrastructure looks like and which capabilities are best provided by which tools for different scenarios.

Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Adding Depth to Your IAM: Automating Microsoft Active Directory and Azure AD Administration. This webinar is supported by ManageEngine, a division of Zoho Corp. The speakers today are Jay Reddy, who is product marketing and technical evangelist at ManageEngine, and me, Martin Kuppinger, principal analyst at KuppingerCole. Before we start, let me give a very quick background and update on KuppingerCole, and let's look at the housekeeping information and the agenda, and then we'll directly dive into the topics of today's webinar. KuppingerCole is an independent, neutral, focused analyst company. We were founded back in 2004, have offices in various countries and people in a real variety of regions. Currently we are a team of around 45 people. We specialize in IAM, identity access governance, information and cybersecurity, and other areas concerning the digital transformation, to support our customers.
We deliver services in three main areas: research, events, and advisory. In research, we do stuff like our Leadership Compass documents, where we compare vendors in various market segments, our Executive View reports, buyer's guides, and a lot of other types of research. In the event space, and I'll touch on it in a minute, we do a series of onsite events, including our upcoming European Identity Conference, plus we do webinars such as the one you're currently attending. For advisory, we support our customers in their strategy, roadmap and related areas. So advisory basically is benchmarking, strategy support, architecture support, technology selection, and project guidance. What we don't do is implement, because we are your neutral advisors, supporting you in defining how you do the stuff best and supporting you in making the right decisions. As I've said, there are a number of upcoming events.
The next one is our biggest one, which is our European Identity Conference, which will run from May 14th to 17th in Munich. Don't miss that event. So if you're not already registered, just do it now; it's really the event to be at when it's around identity and access management. We have other events like the Blockchain Enterprise Days, Digital Finance World, Consumer Identity and cybersecurity events, which we run in various places. Some of the events also run in the US, so several in Europe, but also in the US. For the webinar itself, some housekeeping information: you are currently muted and you don't have to mute or unmute yourself; we are controlling these features. We are recording the webinar and we will make the podcast recording available short term, most likely tomorrow. There will be a Q&A session at the end; however, you can enter questions at any time using the questions feature in the GoToWebinar control panel, which is usually on the right side of your screen.
The more questions we have, the more lively the discussion will be afterwards. So don't miss entering your questions once they come to your mind. Having said this, let's have a quick look at the agenda for today. As usual for our webinars, it's split into three parts. In the first part I'll talk about heterogeneous IT infrastructures, about the critical IAM capabilities for these environments, and the specific role and need for AD-centric tools. And this AD, so Active Directory or Azure Active Directory, both still play a very important role, and for Azure Active Directory definitely a growing role, for many, many organizations. And so they are a central element of IT infrastructure. Jay Reddy then, in the second part, will talk about advanced capabilities, such as adaptive policy-based access management, user behavior analytics, adaptive authentication, and others that enhance the value of AD-centric tools.
So he will build on my overview picture and go more into the detail of what it requires to manage AD well in the broader IAM landscape, and also which type of technology which organizations need. The third part then will be the Q&A session, where we will answer the questions you bring up. As I've said, the more questions we have, the more lively this part of the webinar will be. So I want to start with a picture which is sort of a simplified big picture of large businesses when we look at it from an IAM perspective. So it's really an IAM pattern of what we see very frequently, and in that case really the identity provisioning and access governance piece, primarily, of what we see in larger businesses. So what we have on the left-hand side is HR and other data sources, which provide information about users: HR frequently for employees.
And there might be a lot of HR systems there. Other data sources deliver information about business partners and contractors, about consumers, but increasingly also about robots, which are used for robotic process automation and other stuff. And then, at the core, there is that part of identity management which is frequently called IGA, or identity and access management, identity and access provisioning. So the parts of, effectively, provisioning and access governance. You also have the IT service management piece, which is usually a different set of tools, and this IT service management piece then comes in with the service portal etcetera. Here we have capabilities such as the connectors to target systems, identity management capabilities which map users and accounts from various systems, the workflows which allow for access requests, which support access review processes, which also support to some extent self-service processes. We have the management of roles and other types of entitlements, access review, and other elements of our access governance, and the users have services such as access request, password self-service, and other stuff here.
And from there we reach out to a variety of systems. So some of these systems, in the middle of the right-hand side, are the directly connected systems, so systems where we have connectors implemented. And with these connectors we connect provisioning to these systems, manage the accounts, manage the entitlements, at least coarse-grained, in these systems. However, when we go to the lower right corner, we also usually have a lot of non-connected systems where we need some sort of manual fulfillment. And then in between, we have systems such as, for instance, SAP Access Control for certain types of indirectly connected systems. And this is the sort of center of today's webinar: we have Active Directory. Active Directory is one of these elements which usually serves a number of systems that integrate tightly with Active Directory, starting with Microsoft SharePoint, if it's an on-premise SharePoint, or the Microsoft Exchange server, Microsoft SQL Server, but also a lot of products of other vendors that have integrations into Active Directory.
And so you frequently manage, via Active Directory groups, the entitlements in connected systems, while the users are managed in the Active Directory. So this is a common element for the vast majority of organizations, which have some Active Directory and which have connected certain systems. However, from Active Directory, when we follow the dotted line up, there's the other thing: when someone is created as a user in the directory, it's frequently also the case that you need to create a mailbox, shares, and other stuff. So you have use cases or applications beyond the accounts; you need to do other stuff, like, as I've said, the mailbox creation here. And then you have this big cloud world where you have your accounts, your SSO, and more, which then really goes to Office 365 and other cloud services. So this goes beyond sort of the accounts and the baseline access control in the system, which also in many organizations is found on top, where I have this box with accounts, SSO and more, and then Azure AD, which also comes into play in that area.
So, very simplified, but as a sort of high-level abstract picture of the core IAM services, provisioning and access governance, of larger organizations, this shows a little how this frequently looks. On the other hand, all of these businesses have the challenge, or most of them have the challenge, of managing their Active Directory. An increasing number has the challenge of managing the Azure AD for Office 365 and other services. And it's also always about creating mailboxes, shares and other stuff. When we look at how this looks in a typical small and medium-sized business, so sort of the not-so-big picture, the small picture I called it right now, for many small and medium-sized businesses several elements are the same. They might be significantly simpler. So access review might be just
a little bit of reporting. Entitlements might be just a little bit of groups. The workflows might be simple, but there's still some self-service. There might not be a service portal at all. There are fewer connectors. And basically their focus is more on the right-hand side of the picture anyway, where there's some manual fulfillment, because some systems are not connected. The better you structure it, the better it works, and that even can come then from the Active Directory. So the Active Directory might be where everything goes through. But the main thing here is really to manage with something which is probably a lightweight version of the red-circled boxes, which is managing the Active Directory, managing the mailboxes and shares, the applications beyond accounts, and the indirectly connected systems. And if they then move to the cloud, and more and more of these businesses are doing so, as I've said, how complex this box around IT service management, access governance and provisioning might be: it might be, for a small business, very simple, just an admin tool; for a medium-sized business
it might be sort of a more lightweight IAM tool, depending on the size, depending on other criteria. But if we concentrate on the right-hand side of this picture, the really important thing again is: we have the Active Directory box, but we are also faced with the challenge of managing Office 365 and other cloud services, more and more, to some extent, if it's Office 365, through Azure AD, with other services as well. So it's a little bit of a bigger challenge, because it's really about managing AD, mailboxes and shares, accounts in Azure AD and that stuff, plus the manual fulfillment. And then other businesses are somewhere in between. They also have some directly connected systems, they have the non-connected systems, they might have a little bit more mature identity access management. So somewhere in between these pictures we have a lot of variations, but again, the vast majority of businesses still has an Active Directory and will have it for quite a while.
And a significantly growing number of businesses has an Azure Active Directory plus Office 365. These are essential elements of what you need to manage, regardless of what you do. And even more, you need to increasingly manage more and more users. So for Office 365, when you look at several of these applications, like Microsoft Teams, then it's not only your internals, your employees, anymore. It's really teams that grow, that include more and more users. So the challenge of identity management for these environments is growing. And one of the challenges we basically have, particularly when we look at this mailbox and shares box we have here and the stuff we do there, but also for some of the other stuff we do, is really about fine-grained control, on SharePoint etcetera. I want to bring up a relatively mature picture
I created a couple of years ago, and which we still use; it's around: high-level insight is not enough. So when we look at how identity provisioning, with the fulfillment, so creating accounts, and access governance, with analytics, recertification, request management, stuff like that, work, then they need detailed information from the target systems. So provisioning creates the users in the target systems, such as SAP, Active Directory, the mainframe, whatever; information is provided back to access governance to compare the as-is to the to-be state, doing stuff like that. And we sometimes have a more, sometimes less complex structure of entitlements. On the left-hand side of access governance and identity provisioning, we have a more or less complex model of entitlements, like business roles, system roles, but in several of these systems down there we do far more things. So we have the need for system-level access controls and capabilities beyond that.
So Active Directory: global groups, local groups; we have a hierarchic structure within the Active Directory grouping. When we look at SAP, with profiles and authorization objects and transactions and more, we have complex structures; we have the mailboxes; we have other stuff. If you look at SharePoint, even more complex access models. We need to manage these, and we need the detailed insight. And the point is, access governance and identity provisioning are great for cross-system identity management at a coarse-grained level, but we need the additional tools for the insight into what we do. And this is why tools which are, for instance, specific to Active Directory, Azure Active Directory, or focus on these with some additional capabilities, on one hand are great for this picture drawn before for the small and medium enterprises, where a lot of IT is centered around these environments; but for the larger enterprises, while the cross-system big IGA tool provides a lot of capabilities across all the tools, the depth you need then is provided by tools which are specific to AD, or specific to SAP, or specific to the mainframe, or other environments.
And factually there are different requirements for various capabilities, but some challenges are always the same. So when you take the small and medium business, or the small and medium business which also has some more cloud infrastructure, or the in-between companies, so to speak, which are not the super big ones but also not that small anymore, and then you look at this big picture I've drawn before: so for the large, complex ones, you have all the environments, you have all these requirements, you need to manage the identities, map users, etcetera. You need to do access governance. You need to integrate the IT service management tool. You have the Microsoft AD integration, the Azure AD integration. You need to manage mailboxes and shares, cloud single sign-on, and you need to do that at some point, etcetera. But I think it's interesting to look at what are the three lines which only show green bullets here.
It's the identity management, so really managing the users, mapping different accounts, et cetera. It's the Microsoft Active Directory integration, which all businesses have, and it's creating the mailboxes, the shares, and stuff like that. And for most businesses, with the shift to the cloud, it's also the Azure AD integration, because Office 365 plays an important role here, and other cloud services as well. Obviously there are other things, such as SAP integration or the integration to a big IGA tool, which are usually not very relevant for the smaller businesses, but very typical for the large ones. So the need for the various capabilities differs, but there are some common elements, and these are particularly the lines with a lot of green bullets here. And this is really where, and why, there's sort of the need for looking at AD-centric tools, and sort of two different perspectives.
The one is really: it's the one tool you're using as central IAM for SMBs. The other is more the add-on for large businesses, where AD-focused tools come into play. So for many SMBs, it's really about managing AD well, managing mailboxes and shares, and integrating maybe with the one or other additional target. Or it's about saying: I have, so to speak, the IAM/IGA thing, but the detailedness I need for my AD is where I need something additional. So there are various places for these types of tools, and even while sometimes the perspective is, oh, these are more the admin tools, I strongly believe it's more than just admin tools. It is what really makes your environment, or your IAM for certain environments, work really well. With that, I'm done with my part. I'll hand over to Jay right now, who will talk about more advanced capabilities and how to do this and what type of tools can deliver that, so delivering some insight on a certain tool which helps automating Microsoft Active Directory and Azure AD administration. Jay, it's your turn.
Perfect. Thank you so much for that wonderful overview, Martin. So going forward, taking Martin's lead, what I'm going to be doing is diving deep into how to ensure that the tool that you choose, essentially for identity access management, has critical capabilities that help you manage. Like Martin was pointing out in the introduction, be it a small and medium-sized business or an enterprise, there are certain capabilities that you'd essentially be needing to look into. To start with, what we need to understand is that an identity access management tool, if you were to choose one, needs to be in a position to manage hybrid identities. That's the first thing that we'll be talking about going forward. We'll be talking about how delegation can be done, and in recent times you must have stumbled upon this term called zero trust quite often. So we'd be talking about how you do delegation with zero trust in place, and with respect to authentication, how do we go forward?
What's the future of authentication? Is it just going to be plain and simple multi-factor authentication? Or is it going to be more? We'll be talking about that. And yes, an identity access management solution today will be incomplete without having a security module to it. And that's where we'll be talking about bringing user behavior analytics into the picture. So essentially, breaking it down for you: we'll be talking about how to manage identities, how to empower them, and how we go forward protecting these identities. Alright, so I'm gonna be walking you through how identity management can be done with respect to hybrid environments. It's very evident that it's no longer just Active Directory. It's going to be quite a lot of other applications. It could be Office 365, could be Azure. You are in a position to manage all these identities, and here is where the challenge comes.
The challenge is you'll have to toggle between all these windows to do the same thing over and over again; essentially the life cycle that involves provisioning users, modifying the users, deprovisioning them. This is going to be a lot more tedious if you are going to do it toggling between all these windows and probably have five different tools to do it. The idea is to have a single dashboard to do the whole process. We'll be talking about how a single dashboard can help you do all this. And through this process, what we'll also understand is that automation can be quite a game changer when you're trying to manage identities. I'll tell you why in a bit. We'll also be talking about modifying these user accounts and how we clean up these user accounts. So when it comes to the first phase of the user life cycle, which is onboarding the identities, like I mentioned, it's important that you provision accounts in Active Directory, you go on and provision accounts in Azure, and then it doesn't stop right there.
You also have to provision accounts for users in Office 365, assign licenses respectively, go for other target systems, your in-house applications; you need to provision identities there as well, assign the right applications there as well. You'll be in a position where you'll need to integrate with the HR database. You will need custom rules right there, and it doesn't stop right there. After the identities are provisioned, they are supposed to have access to multiple applications. They'll probably be needing access to a dashboard where they'll be able to log in. And it goes forward with entitlements as well. So the whole process of onboarding employees is going to be quite tedious when you're talking it the hybrid way: multiple steps, and doing all of this one step at a time, one user at a time, is going to be quite tedious. And also it's going to be error-prone.
So what we want is a single dashboard. The screenshot right here tells you how simple it could be. So all of those multiple dashboards under one single layout, talking Active Directory, talking Azure, talking Office 365, G Suite: the entire list of applications can be provisioned from one single dashboard. That's the idea behind the templates that are going to power the tool. So essentially, as an administrator, you'd get the provision to pre-specify what goes where. You're very aware of your environment; nobody knows your environment better than you do. So we'd ask you to build templates for different roles, for different departments. You can pre-specify attributes. The best part is, when you are doing it, you do it right the first time. So when a new user gets provisioned, all you have to do is select a template to onboard the user, and the user accounts are going to get provisioned across all these target systems that we are talking about, beyond just Active Directory.
And as it gets done, during this process there are quite a few other things that you'll want to manage: manage the group memberships, manage who gets what permissions on files and folders. Why not have all of that prebuilt into your templates? That's the idea that fires, or that powers, the templates in AD360, the solution that we're talking about, when it comes to onboarding users. So we've got templates, okay, that's sorted. What about the common problems that you'd be facing when you're provisioning users? One such problem, when you're managing hybrid identities, is going to be the logon name. So there needs to be a provision to make it uniform, so that the synchronization works properly between on-premises and your cloud. The second one is going to be the problem with duplicates. Your native or your legacy systems like Active Directory
are not going to be very strict about duplicates, but when it comes to cloud applications and provisioning identities on Azure, duplicates are going to be handled strictly. So we will need to have a provision to prevent them right when they're getting created. So that's going to be a part of the templates. When it comes to certain attributes, you don't necessarily need to have privileges in Active Directory or target systems to keep changing attributes every time, or to make a non-mandatory attribute mandatory. So that's when again the template comes into the picture and helps you do that. So we essentially are trying to go beyond the basic limitations of what the native tools offer. So we are onboarding users, all of them, into multiple departments, because we've got roles in place. Again, the templates have all attributes prefilled, and you are also going to be solving quite a lot of challenges, like preventing duplicates while creating accounts across platforms, on-prem and hybrid,
and in cloud, talking about making attributes mandatory, and quite a few challenges on the go. So this is provisioning users. But what's the real-time challenge? On an average, you'd be provisioning a bulk of users. That's how you usually do it: HR essentially shoots out an email, and the email contains a CSV file. So you'd essentially want a tool that can accommodate such a workflow. So what we've done is we've kind of built a tool that can read CSV files, or, what would even be better, read directly from an HRMS tool or integrate with an HRMS tool. So that's how our onboarding works. Our system can effectively tie into your existing HRMS tool. When a request is made right there, user provisioning gets transferred to Active Directory: accounts get provisioned, Office 365 licenses get assigned, mailboxes get created. And in fact, if you have other systems like G Suite or you have your own in-house systems, those can be provisioned as well.
So we are talking about a 360-degree onboarding, and all of this powered by automation. So bulk user provisioning is going to be possible, and hybrid at the same time is also solved. So two challenges solved with just one simple, straightforward automation. So what's the advantage? One, since all of this is going to be automated and pre-specified, you don't necessarily end up making mistakes when you are giving group membership, a location, or giving someone specific access to a file or folder. So all this is predetermined, and the best part is you can approve or reject the whole process of automation, because it's going to ask for your approval. So you can modify any attributes that are assigned on the go as well. So that's the first phase of the user lifecycle which we are trying to empower, which is onboarding. The next one is during the course of the lifecycle.
When the users are moving between departments, probably getting a promotion, what's the biggest challenge? An administrator finds it really, really difficult, given the quantum of changes that happen in an organization: quite a lot of changes happen, quite a lot of users move. And when that happens, many a time there tends to be this problem of assigning or giving away more rights than actually required. Let's take an example: a user's moving from sales to marketing, let's say. When that happens, what essentially needs to happen is the old rights and privileges need to be removed. The user should no longer have access to sales data or files and folders in the sales department. But what essentially happens most of the time: the user just gets new privileges or additional privileges. More access is just added, and the old ones are forgotten to be revoked. This is basically because a lot of this happens manually.
Manual processing does take a toll on an organization. So what we've built in is a system that can proactively listen to changes that are happening. Alright, so when a user is moving, the department attribute changes. So essentially every other attribute pertaining to that department automatically gets triggered and gets changed. Likewise, let's take another case. Let's say the title of the user changes, right, from being an executive to a manager. So when that happens, the department again, or the group membership again, should be correspondingly altered. So the automation is quite intelligent: it listens to changes that are happening, and also it's policy-based. So you pre-specify what change should trigger what, and what the effect is. So that is going to be very helpful. And all of this is going to be adaptive, and it's going to be at an attribute level, essentially mitigating quite a lot of challenges right here.
Again, putting forward, the last step is going to be cleaning up your Active Directory or your target system. So here, when it comes to deprovisioning users, it's a lot more challenging than onboarding users or modifying them. And why would that be? Because during the course of their life cycle, they would've got a lot of entitlements, more access to the system. Their effective access would've penetrated a lot deeper into the system, and the checklist of things that you have to do when you deprovision an account is definitely longer than the onboarding checklist. So systems, or identity access management solutions, essentially need to be receptive to these, you know, changes. So the system should be in a position to not just let you right-click and delete an account, but accommodate your organizational requirement, where there's going to be a sequence of actions. I would want to probably just inactivate or deactivate the account first, and then probably disable the account, remove group memberships after a preset point in time, maybe after a week, remove their licenses, remove their mailboxes.
And finally, after, say, 15 days' time, I would want to delete the users. So an automation module that's sequential, that can understand your organizational requirement and effectively does it in the chronological order that you predefine: that's going to help you in cleaning up your Active Directory. That's one thing. And again, when it comes to deprovisioning, it needs to be absolutely perfect. There needs to be a check to see that there are no backdoor entries or accesses for someone to come back and potentially cause an attack; that is also ensured. And licenses, again, like how we assign them during provisioning, can be revoked when the user gets deprovisioned. So the whole thing happens through automation right here. That's how we help administrators manage the user life cycle. So when it comes to delegation, we have a different approach to delegation. We do it through roles.
We also have this concept of non-intrusive delegation. So all we need is just one admin account, with the right privileges, that is configured into the solution. And every other technician who essentially wants to make a change in Active Directory or perform a task can impersonate it as the administrator. So all that we'll need is just one account with the right credentials, and every other technician can make use of that account. And all of this gets audited as well. So we are trying to have the best practice of least privilege right here, right when it's done. Alright, so that's about how we go forward performing delegations. So if you see the task controller right here, taking an example of a help desk technician: the technician would essentially just require provision to reset passwords or unlock accounts. So with the task controllers, you'd be able to get to a granular level, select only those attributes that you want the technician to have access to, and then go forward assigning those roles.
So they don't necessarily need the complete admin privilege. You can be very specific on what attributes they get to change. So that is how this works. You can also have a workflow in the picture, just in case you have more users in your organization. Say, for example, you have a provision for reviewers, a provision for approvers; you can very well have them inside this whole process. You can have a workflow where the whole process is request, review, approval based. So the requester can very well make a request for something as simple as access to a file or a folder; there's going to be a mediator who reviews it, approves it, and then someone who executes it. And this is going to be context based. So based on who's requesting, the reviewer and the approver are going to be assigned, and the whole process is also going to be, you know, telecast: the right users are going to get notified at the right time, just so that they can act on it.
So we are talking about delegating the right privileges to people, and going forward, we are also trying to bring in the concept of ticketing. So if someone wants to make a request, they can very well do that. Alright. When it comes to the next phase, which is empowering the end users, we are talking about giving them provisions to self-serve. They don't necessarily need to call up the administrator every single time they need their account passwords reset; that can be brought to the very place where they're logging in, the login screen. You can have two-factor authentication in place right there, and going forward, we also have strong multi-factor authentication capabilities for privileged users. So what you've got right here is a dashboard that essentially lets administrators fortify the existing password security. So what you can see right here is a tool that's going to help you prevent attacks, right?
Where they could essentially stop. We're talking about fortifying password security, and what we are doing is we are letting administrators choose a dictionary and stop users from assigning or using weak passwords; that can be done right here. And also, if we are talking about password security with respect to stopping patterns, that is also going to be available, and all of this is again going to be available from the login screen. So we are talking about enhanced security for passwords, right when a user is trying to log in. Again, I was talking about privileged accounts: what is the need here? We need an extra factor of authentication. Why not have that extra factor right when the administrator or the privileged user is logging in? So we are talking about a concept where, when an administrator is logging in, they're going to be prompted with a second factor of authentication.
Alright. It could be a text message. It could be an email with a verification code. Like in this case, the administrator logging in goes on to choose email verification as the option for authenticating himself, goes forward, receives an email. All he has to do is select the email, copy, paste, go forward authenticating himself, and be able to log into the system: a second factor of authentication right at the time of login. So this works for systems like Windows, Linux, and Mac as well. So that's the kind of security that we are talking about: preventing privilege escalation, making sure that the right administrator has access, with a second factor right at the time of logon. So that's how we are trying to build on the authentication module. So the next one, with respect to how we are seeing the future, is adaptive authentication, or context-based authentication.
So when you're talking about authentication, it essentially boils down to this war between usability and security. When you're trying to make it easy for the users, you have to compromise on security. That's how it's been all along, but what could probably help you is adaptive authentication: something that's intelligent, something that understands context, something that just goes beyond straightforward Q&A. Talking about adaptive authentication, the solution supports provisions to check a user's behavior. Say, for example, parameters like the geographical location from where the user is logging in, is the device the user is using enlisted in the system, is the reputation of the IP good, or is the user logging in at a different business hour, not the usual business hour, a time at which he or she has never logged on. So such parameters get taken into account. A risk score gets drawn up every single time a user is trying to log in, and based on that, the parameters of authentication either become stringent or become easy.
So if I'm a user logging in from my home office, it's going to be absolutely easy, straightforward; it works effortlessly, just one factor of authentication. If I'm probably working out of the office from a different geographical location, from a different time zone, it's going to be more stringent, two or three extra factors of authentication. The screen right here tells you how simple it is to map or restrict access based on geography. All right, going forward, we'll also need to understand that risk management has to be taken into consideration when you're talking about new-age identity and access management. So that's where we've got quite a lot of out-of-the-box reports for compliance, provisions for detecting threats, provisions to audit all privileged user activity, and most importantly, the recent addition, which is the user behavior analytics module, talks about unusual activity in terms of file integrity.
It talks about logon behavior that's unusual or any change to privileged accounts and files and folders. So we are talking about data exfiltration that's happening right there; that can very well be detected through the UBA module that we've got. So when it comes to anomaly detection, we have kind of prebuilt a lot of use cases into the solution. One such use case is going to be a case on file activity. Alright, so let's say a user all of a sudden goes on to copy an unusual volume of files. The user is not supposed to be doing it. It's not his usual behavior. And it's a critical file or folder that's being monitored. The system can tell you what file, what user, was it usual behavior, was there a deviation? It in fact tells you if it's not the usual time, it's not the usual average, and you can drill down deep and check if the user has gone further to do anything more.
So the analytics module is intelligent enough to check and tell you if it's usual behavior for a user or if it's not. And based on that, it alerts you. And in fact, it lets you stop such risky behavior. So what have we been talking about so far? We've been talking about modules pertaining to onboarding users, provisioning them and then, going forward, modifying them. And we are talking about delegation: how do you do it securely? How do you have task controllers in place? And with respect to authentication, we've been talking about how to have multi-factor authentication in place and have adaptive modules. And also, with respect to how security gets done for IAM, you saw how user behavior analytics can help predict anomalous behavior or unusual behavior. So why would someone essentially be choosing AD360, which is the solution that's been powering all this? With respect to what we offer at its core: quite a lot around automation and identity management, quite a lot around entitlement management and extending our capabilities.
We'd want every user in the organization to probably have access to a dashboard, let them make requests, not toggle between multiple windows, have a request-review-approval system. And also, all of this gets fortified with the security module that we've recently brought, a more security-centric identity governance with all best practices, like JIA, all of that prebuilt into the product. And an identity management solution, like Martin pointed out, would be incomplete without integrations to probably ITSM tools, HR databases and the whole lot. So this goes hand in hand with all those tools. And with respect to why someone would choose ManageEngine, the company that's made all this possible: the company has got a huge portfolio, 90 plus products, ranging from ITSM to IT analytics to endpoint management, security, the whole lot. We've got about 180,000 customers worldwide. Again, a standing testimonial to how we serve a global reseller network of 200 plus partners.
And trust me, 2,000 plus intelligent dev folks working on these products. So I'd like to leave you with just one thought before we close the session. So take this example: an organization with 500 employees. Alright, basic math: 500 employees on average generate about 10,000 help desk calls, and of these calls, 30 percent are about passwords. Think about the quantum of time administrators spend on something as simple as passwords and the volume of money that goes into this. So with just one password self-service module of AD360, you'd be able to save a whole lot; think about having the rest of the modules also in place. So thank you so much for your time. Passing it on to Martin. Over to you, Martin.
Thank you, Jay, for this very dense information you provided. Let's flip back to my screen. We are right now at the Q&A session, so it's the latest time to enter your questions if you have any, so that Jay and I can provide answers to these questions. And Jay, the first question I have here seems to be targeted at you. Maybe just another question coming in, which is more of an organizational one. Let's pick that first. We will provide the slides for download together with the webinar recording. So the slides will be made available for download as PDFs. But back to the first question. So Jay, during user creation, is there a provision to trigger custom scripts, and does the tool support custom attributes?
Absolutely, it does. So while I was briefing you on the onboarding part, the templates are going to help a user do this; custom attributes are quite supported. And in fact, if someone wants a logon script, say, for example, to be run right when the user gets provisioned, or accounts to be provisioned in other applications inside the organization, a custom script can very well be incorporated into the logon script or into the template itself. And when it comes to the list of custom scripts that we support, we've got quite an exhaustive repository from which you could pick and choose. You could build your own as well. Yes, it's supported.
Okay, perfect. Next question I have here: in my organization, we have our own use cases for which we'd need custom reports from Active Directory. Can the tool help me build such reports?
Absolutely, yes. The tool does help you build reports. We've got about 300 to 350 plus reports that are out of the box already. And in fact, if you have your own case, you can very much mix and match users, computers, groups, contacts, whatever object you have in mind, and create custom attributes or custom reports. And again, it doesn't stop with just creating reports. If, say, for example, a CISO or a security officer or an auditor wants access to these reports, you can create dashboards for them and have those reports assigned to them. That's going to be possible as well. Yes.
Wonderful. Another question I have here: is there a provision to have workflows or a ticketing system for request, review, approval involving HR, line managers or other non-IT stakeholders?
Yes, that is going to be possible. When I was explaining the delegation module, I had brought up this point of workflow; you can configure different cases. In fact, the system is quite context aware: based on who's making the request, corresponding approvers and reviewers can get chosen automatically. And the system also has a very smart notification component to it that essentially emails them, texts them. And if probably even one reviewer or approver is not present, someone else can step in and perform this request for them. That's going to be possible. Yes.
Here's another question: does the Windows TFA function work for remote users as well? And maybe you can elaborate quickly on what TFA is.
Perfect. So two-factor authentication, essentially. Like I pointed out, we've brought it to the Windows login. Yes, again, it does work for remote users. We've got a VPN that's working in the background. So this is the problem with most of the remote users, you know: when they're on travel, when they're on the go, they try and call up the administrator to request a password change or a password reset. It doesn't work. The reason is they're not a part of their domain anymore. They're outside their network, they're outside their domain. So that makes it quite challenging for them. So that being the case, what we've done is we've brought this VPN functionality. Be it self-service, be it password reset or account unlock, that is also supported, or the TFA module that I pointed out. This TFA module is actually a lot more useful for remote users because, you know, on a scale of one to 10, if I were to rate users on-prem to be of risk score five, I'd say users who are away, working from a different geographic location, have a risk score of maybe eight. The reason is a lot of unknown parameters, and it makes it all the more important for TFA to be present when they're logging in. Yes, it's going to be possible. It works for remote users, and it works through the extensive support that is available. And in fact, we are open to other VPN vendors. If you have any in-house, that's going to be possible. Yes.
Okay. So the final question I have here for now, maybe another one is showing up while you're answering, but the final one I have here so far is: Office 365 natively has limitations on storing audit logs beyond 90 days. Can the tool go beyond that limitation?
Absolutely, yes. So what we have done is we've made it unlimited. So if someone wants to, say, for example, store data for a year or more than that, they can very well go on and save the data as long as they want. In fact, many a time we wondered as to why Microsoft restricted it to just 90 days, because when someone's trying to audit, just three months of data is not going to be enough. And again, especially when audit logs are being used for, you know, doing a root cause analysis right after there's an attack. So just with 90 days of data, I'm not pretty sure if an administrator would be able to draw a clear conclusion, because most of the time, much to our surprise, you know, organizations end up detecting an attack probably four or five months after the attack is done. So it's quite important that a solution should be in a position to save data as long as they want. Yes, the tool does that. It can be archived. And in fact, the data can be password protected. It's available. Yes.
Perfect. So thank you. I think we are done with all the questions we had so far, so thank you very much, Trey, for all the information you delivered. Thank you very much to the audience of this KuppingerCole webinar. Hope to see you at EIC the week after next week, or have you be in one of our webinars or one of our other events soon. And thank you again, Trey. Thank you to all the attendees. Bye.
Thank you so much, grace. Thank you.