EIC Blog | Interview with David Pignolet


We're here at our European Identity and Cloud Conference 2021 in Munich, with our hybrid event live on stage, so to speak. And I'm here with David from SecZetta. Welcome, David.

Thank you, Martin. Pleasure to be here.

Yeah. So, David, tell me a little bit about what SecZetta is doing. I think probably a lot of people don't know exactly what SecZetta is doing. So what is your business?

Sure. So we effectively have built the solution that is an identity authority. Primarily, we work in the third-party identity risk space. So what that means is we provide the data, the context, manage the relationships and do the risk analysis of the individuals at your organization that you give access to, primarily non-employees, but that also extends to other types of third parties like bots and RPAs. All of those things have identities like people, and they're often granted access.

OK, and so what are you focusing on? When I look at identity management, for many years it was mainly workforce identity management. Then we have, on the other hand, consumer identity management or customer identity management appearing. And there's a gap in the middle, so to speak. So you have workforce and consumers, and then there are partners, and you're concentrating on this sort of part in the middle.

Exactly. So if we look at how consumer identity started, they tried to apply processes, tools and the like that they applied to workforce to customers and consumers. And of course, that didn't work because of the different type of identity with different needs and different processes.

And I even dare to say that partners are the most complex ones, because you have so many of these. So if you take a contractor for three years, that's a totally different type of partner than someone who comes in for just a few days or so.

Absolutely. So that's one of the challenges with working with partners and managing partner identity: the differences between population types. So not every population type within an organization has the same requirements. From a lifecycle perspective, they certainly don't pose the same risk to the organization. So you might, in certain industries, have IT contractors. But if you're in health care, you're going to have the affiliated health care workers. If you're in insurance, you have agents. If you are a car manufacturer, you have dealers. All of those are third parties that you grant access to in your environment. And quite often that access is similar to employees.

Yeah, and you have everything in there. So if you take agents in insurance companies, it can be pretty much anything what they can do. And the interesting thing, I also believe, is there's everything: there's self-managed registration and approval from an internal, there is managed registration by internals for their purpose. There's everything in.

Yes. So there's a collaboration that happens. And whether you have our solution, which manages that entire process in a collaborative nature, or not, your business is collaborating with outside organizations to effectively get those people access. And without a well-defined process in a centralized system, you're asking the business to kind of wing it, and the result is access which is often overprovisioned, not timely, no timely provisioning. So that's the outcome of that.

Or even worse, it ends up with saying, OK, come on, let's use a shared account for all these externals. And we see this sometimes even in high-security and high-risk areas. So take physical security at a factory. And we still see that the people who are securing that come in with shared accounts to the IT systems.

Yeah, it's because of operational efficiency, right? They're trying to be efficient, they're sharing accounts, they're adding risk to the organization. The reason they have to do that is because there is not a tool in place to let them self-serve.

That is what you deliver.

And that is what we deliver, a collaborative solution.

So, OK. Then I have my workforce identity, now my consumer identity, and the partner identity. So how do you integrate with that? Because at the end, it's still about access to the same set of systems.

Sure. So we're not trying to actually provision access, right? That's not our specialty. We partner with all of the biggest players in IGA, most of which are here at EIC. So they're doing the actual provisioning. We are providing the context about the who: about the relationship that that person has with the organization, the vendor for whom they work, the sponsor within the organization and any other context that we can gather to make good decisions about access, right? What access is this person eligible for? And not only what are they eligible for, but are they eligible right now? And that is a question that needs to constantly be answered.

And specifically also the deprovisioning. So I remember, I still have an RSA SecurID token around, probably from an engagement ten years ago.

I have a drawer full of them.

Your drawer full of them. I was trying to give them back, but sometimes it just doesn't work out, right? And yes, I think these are challenges we see in real life. And we are at risk because the partners, this is so volatile and still so powerful in what they frequently can do. And also in an earlier discussion we had here, I brought up this: take the summer break in a factory when all the externals come in and change the software of the machines and so on. High-risk work, and we need to protect it well. And this is what you're doing.

Yeah, absolutely. So the deprovisioning that happens for partners, you're asking the line of business to be proactive in their approach to terminate and deprovision users. Well, that doesn't work, because the line of business is not going to always take that action.

You need to have well-defined processes which help the business in doing that and remind them and ensure that these things happen. Otherwise, you always will end up overprovisioned, at risk. So, David, thank you very much for giving us some insight into what SecZetta is doing. I think this is one of the areas that I'm telling us really for quite a while, the partner identity management piece, we really need to get better, and the like. Your approach on that. Thank you very much, David.

Thank you.

Thank you very much to everyone here for listening in to this talk and hope to see you at EIC 2022 in Berlin, next year in May. Thank you.
