Event Recording

When Identity becomes core to security - How to achieve integrated identity management at mega-scale


Log in and watch the full video!

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Like Martin said, I'd, I'd like to talk a little bit about, you know, a little bit about the development we've seen in Accenture identity and access management and, and little bit about the priorities and the choices that big organizations have in this space. We've got 20 minutes for this. I'm hoping there'll be some good questions coming in so that we can take out of the time potentially for everyone. But if not, hopefully it can stand alone as well. So like Martin said, there's a very long and, and complex title to this, but I try to just call it simplified because frankly, that that's what we need to do with NC in terms of who I am. So I've got two roles in Accenture. I've been working at identity for quite a long time. I run our European identity and access management business in Europe or digital ID.
We call it, I also run our energy and resources security business in UK island. So those are my two, two main hats in Accenture. I also like doodling and boxing and, you know, going to concerts or whatever, traveling and so forth. So, so the intro like gives you a little bit of a sense of that, but today we're talking about identity. So, so what is it really that we're trying to achieve with identity? And I think you, I see access management has been interesting because I very quickly got in, took an interest in identity back in 2006 when I started getting, getting access to this. And it was really because security was very difficult to really engage with our clients with our clients didn't really care too much about security. It was a side side thing, but identity they did care about there was a big operational piece to, to identity.
And, and for that reason, you know, there was a lot of, you know, very willing participants in discussions on identity that has changed tremendously 10, 15 years ago. We didn't really see security being discussed that much with identity and access management apart from a few specific, very highly regulated, typically industries. So from our point of view, well, it's really positive that security has taken the center stage on this, but it's also, it's also, you know, it's important to remember the operational side to this, this, so the, the, the, the audience here will know what identity is. So I won't spend too much time on that, but, but it is the usual kind of stuff. It's provisioning, deprovisioning, segregation of duties, recertification campaigns, having a single source of truth of, of who's doing what and so forth. And that's really what, what we're trying to do the outcomes well, oftentimes in the past was compliance, but actually more and more it's around security risk reduction.
We still have the operational angle, enabling people to actually work in a timely manner and have access to what they need to and not what they don't need. So, so, so the, the sort of general outcomes are still very similar to what, what we're used to, but I think what is, what is really happening and what has made a massive difference is the way that our clients, the way organizations procure technology, the way they engage with technology. So, first of all, a lot more organizations now, CI and technology is core part of their business in order for them to be successful, they really need to be doing agile technology transformation. They need to be doing digital interactions with their customers, with the B2B and so forth. And that really requires a, a very different approach to, to integration. The other thing is obviously the cloud.
So the cloud has, has enhanced challenge that we've seen for many, many years in the, in the legacy legacy side of things, but has actually increased the challenge manyfold. So we, what an old client of mine once called identity a C secular, because the sea size oftentimes didn't do big business transformations. They would engage in a, in a conversation about identity. They would get a budget and then they would, they would struggle. It was very difficult to get the business to engage. It was very difficult to get the right outcomes. Oftentimes these big identity projects stranded on, on, you know, 10, 15 business applications integrated in some cases, maybe a hundred, but a hundred out of thousands. So, so the identity challenge was very real and, and actually the ability to show and, and evidence that there was value from, from identity 10 years ago was a huge challenge.
And we still have the legacy. We still have the business applications, none of that has changed, but what we have now is a very, very different change of pace, or we've gotta change of pace to a much, much more aggressive pace. We've also got a bunch of access situation in the, in the hyperscalers, in the infrastructure as a service platform, as a service, which is actually not very well addressed and which a lot of owners of identity, a lot of awareness of business services and, and service operations needs to start taking very, very serious. And, and for that reason, identity needs to be much, much more integrated into our platforms of, of choice. And then obviously as part of this, there, there's a big, there's a big question on the people. There's a big question on the, on the users of these services. So one of the things that we've seen, you know, traditionally identity management has been very much a top down sort of application driven and silo driven transformation program.
It's been very much an integration challenge. And, and what we're seeing now is actually that is not tenable and that's not suitable for our clients in as much as if you actually want to reduce your attack surface. If you want to reduce your risk, it's not good enough to integrate 10% or 5% of your important business systems. It's also not. You settled for less IE to just say, well, we'll just do the business systems. But what we won't do is the infrastructure accesses. We won't re-certify access to the cloud providers that we've got and the SAS solutions that we've got so forth. So, so we are gonna have to move away from this sort of very one by one integration approach into a much more factory driven approach and a much more accelerated approach, and in order to be successful with that. And in order to manage to do that in, in big fast-changing organizations, well, we need to start leveraging some of the capabilities of, of the platforms that we use.
And obviously I've spoken a bit about the hyperscalers. They, they're obviously very important. So how do we actually integrate and do identity governance for the, you know, the, the Googles of the world, the AWS in show and so forth. But, but actually when we look at this and, and I know that this has been a big topic on the conference today, well, how do we leverage the existing interface, our it service management tooling to actually increase that engagement and, and enable our customers better, or sorry, our internal customers, our employees, and our, our contractors to, to work faster, work more agile, and actually get a nice experience. And that's really where this integration into the platform comes in. One thing that I do think it's worth pausing on here. So we've got, as I said, we we've seen a major shift away from away from operational business cases for identity management to, to much more security driven business cases.
And one of the conversations that I have with a lot of my clients, a lot of the CSOs, oftentimes heads of risk COOs CFOs is actually, well, what, what is identity management in that? What, what is the importance of this control? And one of the challenges, and one of my personal Bo bears, the security expert rather than as an identity individual has been that our clients have, oftentimes they bought a tool, they had an audit finding, they bought a tool in this case, this could be an identity management tool. They integrated that to the HR, they integrated it to their it service management tool. And they onboarded the applications that, that the, that the finding related to this is, this is a good way of closing an ordered finding, but it's a, a terrible way of managing your attack service. And, and this is really where I think identity management needs to start scaling.
And this is where we need to start integrating identity management and everything we do. And this is where service now can be a great, a great entry point for that because you already have the, the relationships and the interaction with the, with the, with the, the users and, and your employees and your contractors through ServiceNow. But, but what it means is actually you need to move away from, from looking at these individual applications and actually say, well, it's pretty likely that an attacker will come in, not through the critical application directly. They will find a softer landing spot. They'll find somewhere nice they can land, and then they'll move laterally. They'll move, you know, they'll start escalating the privilege and, and the ability of access they'll have, and they'll use that to, to get into the critical, critical systems. So, so from my point of view, a really big driver for us, having an integrated approach to identity is to have that ability to actually secure the identities across, you know, there's a lot of talk of, of zero trust approaches and a lot of talk, you know, I I've grown up in, in public sector security quite a lot.
So a lot of talk with defense and depth and identity and access management is actually absolutely cool to being able to do these things. So, but I'll move on to my, to, to my sort of final slide here. Well, I've got one more slide just to mention what Accenture does, but that won't take too long. But so in terms of the choices and decisions that we have, one is the balance between the legacy and the new, the new doing it. And, and most of the clients that I work with in the space, don't have the luxury of saying we won't do legacy. We won't do the old school applications on premise in our data center, you have to do both. And what that really means for a decision making it is that you need to find a balance. You need to find a balance between how deep you go with your integrations, because we can, all, we, we can all get excited about T codes, transaction codes, and SAP, and so forth.
But actually there, there's got to be a balance between what does good look like? What is a good set of identity capabilities? And on the other side is, well, actually, what, you know, how can we leverage a more pragmatic approach to identity to then reduce the, the, the, the, the challenges of that integration? The, the other side of this is the user experience. And I have feel that over the last, I don't know, eight years, so many questions of does ServiceNow do identity management and, and ServiceNow has been telling the story that they do, but every time we looked into it, well, they really didn't do the provisioning. They had obviously the, the workflows, but they didn't really do segregation of duties. There wasn't really a re-certification capability.
We, we work as, as you can imagine with, with, with most of the big identity management vendors, and we work with some of the, the new entrants and, and clear sky, who's one of the sponsors of this is one of those entrants. And actually there's a very natural play that there's a very natural integration point where, well, how do we actually give the user a natural way of engaging with what access they're given when it's revoked and so forth. And, and so now is definitely a natural point for that. And then I, I guess my, my final point before I just give a quick summary of who your Accenture is, my, my final point would be just reinforcing the cybersecurity and cyber resilience. It's no longer good enough to look at individual controls, I E access or provisioning of accessioning of access, segregation of duty, in a limited part of your infrastructure.
We all organizations need to start expecting that they're gonna get either targeted for an attack or attacked and, and breached, and, and the way we can control and mitigate this one way we can control and mitigate. This is put identity under control across, across your environment, across your cloud and across your, if you have OT and I ICS systems then across that as well, but also of course, the business applications. So having said that I'll hand over to a QA and while Martin, if, if, well, while you look for the questions, I'll just give a little bit of summary of, of what Accenture does in this space. So we, you know, you you'll probably know of us big, big it services company, about 1800 people in identity, both managed services and transformation in consulting and so forth. But, but having, you know, not two, two made two, two fine point on that. Martin was any questions.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00