De-Cluttering your Identity Space

And I know the next session is, I believe Steven Hutchinson and then Martin Kuppinger is coming on stage. So, so I kind of need to, I kind of need to take the time in, otherwise I'm not gonna be allowed back next year. So this presentation is called the cluttering Your Identity Space, and it targets complexity in the identity space and in architecture in general.

And I'm, I'm gonna look into business complexity as well. But before we kick it off, since this is my first time presenting at the COPE Coal Conference, I wanna talk about my favorite subject.

Me, I, and my name is Baldwin. I'm a senior manager with pwc, where I worked for about a year. And I live in Norway. I'm the father of two girls and the partner of Ava Loyal, subject to our cat bias, which is featured in one of the pictures at the bottom. I'm from the western part of Norway, but I now live in the eastern part where I lived since 2006.

Now, professionally, I started off in, in the service desk about 22 years ago. I moved to Belgium and I worked for a company called eds. Then I moved back to Norway and I worked in FinTech for a little while, worked my up through operations, and I worked in technical architecture as an identity architect. And I had a brief stunt in Microsoft, so full disclosure there. So that was back in 2014 when the cloud was becoming a big thing. So I had an early introduction to cloud technology and identity in the cloud to branch a little bit out of the technical space.

I'm currently doing a master's at the Norwegian Business Institute where I'm looking at transformation, digital transformation, and, and change management. So to give you a background about this, this presentation, who was here at the KuppingerCole Conference last year? Can I show a, get a show of hands now? Did anyone sit in at the CSO panel debate?

All right, cool. So one of the questions that was presented during the panel debate last year was uncommon security threats and complexity was brought up as one of the answers by, by one of the panel participants. And he stated com complexity being a security threat and, and the consequence it, it it has for identity. So that's what I'm gonna talk a little bit about, and I have a couple of hypothesis around that subject that I'm gonna bring up at the end of the presentation.

So in order to look at what the identity space looks like today, we can just start skimming the top of the identity service provider space. So this is a short list of 28 identity providers, many of which are presented here.

SalePoint, Savian, forge, rock, Amada. Most of them have booths out here, but this is just the top of the list. There are more specialized service providers being, being published every day. And if you, if you start looking at it, there is a fit for every problem.

Now, in order to look at what problems you need to solve, we can start looking at identity capabilities. So we can break it down into, or one way that I like to break it down is the core identity, access and management features, basic identity access management features and extended identity AC and access management features very often in specialized applications.

So the, the core ones are basic stuff like authentication, single sign-on authorization, policy management, session management, et cetera. Then we'd start moving into the IGA space. You start looking at access request certification and re-certification, what Microsoft calls access PA packages and access reviews, workflow management, and then any, any extended space which is not present in every application, but in many of them you start looking at entitlement management and advanced analytics and reporting.

And last one is maybe one of the most important ones that are popping up due to regulatory requirements, which is segregation of duties. Take for instance, a finance institution where you don't want the approver of a payout to be the same as the one facilitating a payout. Now another concept that has popped up over the last couple of years is light iga. And light IGA is, is a feature reduced IGA solution very often targeted at a specific problem. So one problem that we had with, with a client of ours was that they were trying to replace Microsoft Identity Manager.

Now for those of you who still have an on-prem presence, how many are still using mim? Not that many, which is good.

So one, one of the problems that Microsoft Identity Manager is tackling is being a connector engine between your on-prem and hybrid environment. Very often provisioning user attributes to third party applications, either on-prem or or in the cloud. Now it's out of, it's out of support. And if you have a P two license with, with Azure ad, it's gonna be in extended to Porwal 2026. But at that point they're probably pulling the plug and it, the updates are not very, very rich.

So in order to migrate away from this, we can start looking at light IGA solutions that provide connectors only, or you can start looking at light IGA solutions that, for example, provide entitlement management as the only feature. Now of course the, the benefits of this is that there is a reduced license cost. The implementation path is easier.

You, there's not that many features to learn, but the downside is that right now the upgrade path is not very good. So if you have, well, if there are any, any vendor representatives here, here's a business idea for you modularize your applications so that you can start implementing the features that solve specific problems and then upgrade to features that solve bigger problems later on. It's a great selling, you can do it at low cost first hits free and then you can start upgrading. So in order to break down complexity, I wanna start looking at dimensions.

And to put this in a frame of reference, there was a quote that I came across in the Harvard Business Review from October, 2022. So it's fairly recent. And this is about a development project, and I don't like reading off my slides, but I'm gonna make an exception here. And it says, local innovations ended up adding more complexity to the existing fragmented business processes, systems and data.

So adding complexity, although the customer experience often improved and in some cases revenue increased the rise in cost to serve, eclipsed the gains and added other risks like cybersecurity and system crashes. So even in academia, there is a recognition that complexity sometimes adds net benefit, net negative, even though you are, you are adding features cuz those fe those features might not be super needed or you might not have a business reason to add them.

So I'm gonna look a little bit, I'm gonna dive a little bit deeper into these two points, but it and identity and system complexity and business complexity and try to see if I can find some logic between them. So we start looking at it and identity. So complexity, of course, the number of systems that you have is, is relevant. So if you have a lot of systems, you have for example multiple IGA systems, there could be multiple reasons for that. Maybe you have different business units or geographic dispersion. But you need to start looking at the functions of future overlap.

You have a lot of systems that do the same thing. You may, may, you might be able to reduce the number of systems that you have. So I think we can all agree on number three, that task automation is a benefit, right? So if you can automate a task, you should do it, but maybe you should think about what you wanna automate and why. If you have a high complexity, high volume, high frequency process, it makes sense automating it. But what if you have something that you do once a month? It takes two clicks and we do it, you only do it once or twice.

Do you wanna spend time focusing on, on maintaining an automation that, that you only do every now and then? Maybe the automation actually requires more work than doing it manually. So not everything needs to be automated. Now if you start adding systems, you need to maintain them. And even if they're SA applications, there are very often configurations that add up or changes that need to be made. And if you're unable to keep up with that, you're gonna add technical debt, especially for legacy applications, which is the last one here.

If you're unable to maintain your systems, you're gonna add to your, to your attack surface and it's gonna add to your, it's gonna reduce your overall cybersecurity posture. So I think we've all seen one version or another of this matrix, but especially for legacy systems, putting things in the cloud is a good benefit.

So taking, taking away systems and reducing your on-prem presence, it reduces your need for data center requirements like power cooling, physical network infrastructure, everything that follows a, an on-prem presence. Now on the other end of this you have business complexity drivers and we're gonna follow up with an example from pwc. So if we look at organizational complexity, PWC is a fairly complex organization. We're represented in 152 countries. We have 328 employees. These are numbers from the PWC website.

In fiscal year 22 we had one hundred and forty two thousand one hundred forty eight thousand eight hundred twenty two new hires. That's a lot of people coming into the organization, which also means that we had a lot of people leaving. Now we are in a growth cycle, so we didn't have as many people leaving as we, as we had coming in, but it still means that these new hires need to be maintained. Now the revenue is just bragging rights, but it's still there. So what did we do in 2016? We started moving away from a le from a legacy identity and access management platform.

We had 13 different IM platforms with 4,600 administrators in the active directory space itself. We had 90 forests, 90 active directory forests. And I don't have the number of domains, but it was obviously more than 90.

In 2023, we have a unified IGA solution. There's been a great deal of focus on single sign-on. So moving away from having multiple systems with uni, with unique user accounts instead of course, like everybody else, we're trying to concatenate this and consolidate this into an IGA solution so that you have one user account, one password, and there's a simplified join removal lever process, which basically means that business complexity goes down.

Now the benefits that Peter, we see gained from this was that the time it took to onboard a new user to register a new user in the, in the basic systems basically provide basic access, went down from between four to eight hours depending on the business case to five minutes. That is a reduction in excess of 95%. So quantifying that into, into a dollar amount is of course tremendous. Now it also meant that we gained better insight because we now had a unified IGA solution to, to get auditing and analytics from.

And we saw that through the, through the logged, the log log-ons that we were able to target. So it basically meant that we also added to our security posture. Now other complexity drivers that we can talk about is of course geographical dispersion. If you have operations in US, Canada, and then in Europe and in Asia, they're going to be targeted by different regulatory requirements, which means that you may not be able to use the same solutions overall. Now culture, when I talk about culture, what very often comes to mind is different culture based on geographics ethnicity.

But in this case, very often the different work cultures based on on the role you have or the type of organization you're in is has an even greater impact. An organization that has a lot of engineering capability, very often wants to stay autonomous. They wanna choose their own platforms, their own solutions. And that affects the, the technical complexity you have because you may have a business unit that is pretty much on their own.

So you need to make a decision whether or not you're gonna implement them and enforce them to use the same products and services as the rest of the organization or if you're gonna facilitate their, their need to stay autonomous. Now, the more manual processes you have, the more manual intervention you need to, to do. So you need to find the sweet spot between automating your processes and and doing it manually. And the more manual processes you have, the more human error you can expect.

So I, I derived on three hypothesis that I'm gonna go through pretty quickly cause we have four minutes left and if you have any questions, I wanna leave room for that Now. Hypothesis number one, failure to map your needs and make subsequent investments in IT systems results in unnecessarily complex business processes. So my hypothesis is that if you have a lot of manual processes, you're gonna have to do a lot of double increase. Now imagine that you have an a recruitment system that doesn't talk your, your HR system.

So a potential candidate enters their personal information into the recruitment system, but then the HR representative needs to add that same information into the HR system. Now moving on from that, if you don't have a good connection between your HR system and your IGA system or your identity catalog, then you need to do that again. That leads to double entries, it leads to additional time used and of course it's gonna lead to to human error because we're fallible.

Now my second hypothesis is that in the other end of the scale, increasing the number of systems above a certain threshold increases the business process complexity. Now this is the example where you've added so many systems that you have an overlap. So you need to maintain the system, you need to maintain processes that have been automated and maybe you've gone overboard and you've automated stuff that doesn't really need to be automated. So every time a system changes or every time a business process changes, you have to go back and you have to redo the automation.

And that means that you're spending extra time doing it. It also means that you need to add to competency. And if you add competency, if you add a number of people to maintain the systems, of course you're gonna have to add HR and support personnel to main to maintain that, which is also going to increase business complexity. Now I've added a graphic total complexity because of number three. And if you are a, if you're a budget owner, this might be interesting. Increasing total complexity increases cost.

Now the more systems you have, the more licenses you pay and the more systems you have, you need to maintain them. If you don't maintain them, you're gonna end up in technical debt. If you do maintain them, you're gonna add to personnel cost. So the bottom line is it's somewhere in there, there's a sweet spot that you need to find. You need to find the needs that you have and the resources that you can set aside for automation.

So to sum, sum it off, there are some key takeaways and those are find a balance between business and technical complexity. Not everything needs to be automated.

Low, low volume, low complexity processes doesn't necessarily need to be automated. Know your systems and their features of course. And complexity drives cost. So when you talk to your C level six six and, and you want to either get permission to buy a new system or you need to to remove a system, you can bring the cost aspect into into the discussion and I guarantee you'll get a better, better audience than if you just talk technical. And that was it.

The QR code is to my LinkedIn profile if you wanna, if you wanna connect and if not, thank you for your attention and if there are any questions, we have about a minute left. Okay, thank you. Do we have, do we have any questions from the audience in the room? That's not the case. We have one online question for you. Okay. And it's referring to the slide that you've shown earlier. So the question is, the identity life cycle is no core feature for you. Is it only a basic feature? Why? And an IGA solution should handle this in any case or not? Can Can you, can you say that again?

So the identity life cycle is no core feature for you. Is it only a basic feature? Why and an IGA solution should handle this in any case or not? So the question was about the identity life cycle and I believe that any IGA solution should be able to handle the identity life cycle of user. And that is very often a pain point in, in a lot of the solutions that you have. If you don't have a good IGA solution, you will very often find that you have identities, either human identities or what's been talked about earlier as silicon identities that are not being managed.

And you find your service principles, your managed identities, your group service managed accounts are still in the, in the directory later on. So yes, lifecycle management should definitely be a part of it, and that goes both for personal and service accounts.

Okay, thank you. There are no further questions. So thank you Rita for the good presentation.