Event Recording

EIC 2012 Session: Identity & Access Management as a Key Element for a Value focused Security Strategy

Ralf Knöringer, Atos IT Solutions and Services GmbH
Hassan Maad, Evidian
Shirief Nosseir, CA Technologies
Christian Patrascu, Oracle
Peter Weierich, iC Consult GmbH

April 18, 2012 17:00

I would like to welcome quite a big panel, and I have to read out all the names because I don't know all the people in person. So I welcome Ralf Knöringer from Atos IT Solutions and Services. Then I welcome Hassan Maad from Evidian. Welcome, Hassan. Shirief Nosseir, I hope I pronounced that somehow correctly, from CA Technologies. Then Christian Patrascu from Oracle. Thank you. And now, easier for me, Peter Weierich from iC Consult.

Earlier today we already discussed information security strategy. We also got some insights from regulators from the fin, and it was emphasized how important it is to have an information security strategy, and also how important it is to have this information security strategy aligned to the business strategy. It probably goes without saying that whatever we do in terms of information security, and identity and access management is certainly part of it, has to deliver business value. What I would like you now to elaborate on a little bit, and we probably do one round starting from the left, I give you another second to think about it, is how identity and access management from your perspective can deliver value to the business in the best way.
So I guess if you say start from the left, it's me first. Absolutely, thanks for the introduction. My name is Christian Patrascu from Oracle. I think it's a very interesting and important question and pretty tough to answer in a couple of minutes. Let me perhaps try. First of all, adding value to the business: I think there are two dimensions in which you can add value to the business. First, from a software vendor, by new features; I think the whole conference is about that. How to support cloud, how to support mobility. These are interesting topics that the business needs, but I think the bigger question is about the value which we can add to the business, how we can align with the business, how we can also, from a vendor perspective, make it easier.
If I'm allowed to give an example of what we're doing at Oracle: we're using what we call a platform. The idea is how we as a company developing the software can save money through this platform approach, but I think most important is how customers can save money through this platform approach. A simple example: in the next minor release we'll have a feature, and again I'm skipping to the first point, which is the feature discussion, which makes upgrades easier. If you do customizations to the user UI, it prevents these customizations from being lost. How are we doing that? We're simply using a component out of Fusion Middleware. So our developers spent literally zero minutes adding this code to the product. What's the beauty of it? Well, in the 17 identity and access management products that we have, once customers do customizations and they upgrade, these customizations are not lost.
This is the platform approach, and I think car manufacturers are also going in this direction. If you build multiple cars, it's easier to leverage a platform. It's easier, like we did in our example, to just reuse some components. I think in Germany we have this word Baukasten, which is similar to the platform approach. So reusing components for the business, using the same workflow. We have customers who are not only thinking how can we leverage a security or identity and access management platform, but how can we leverage an SOA and IBM platform? So combine it more and save money through that. I think these are the two angles to come from: first of all on a feature and function level, but also, more importantly, on an architectural level, how to reuse some important components, going towards the platform.
Okay, thanks for the answer. Ralf, would you like to

add one of my own views? I think I can take up where you are leaving the story. The point from an architectural perspective is clear: the vendors have to work on making their products easier to implement, better to service and so on. I think the next step is that a lot of companies anyhow have a hard time having the know-how in house to come up with solutions which are customizable in their own environment, no matter what technologies they use, because there is special know-how needed. I think the real value will develop when we think about identity and access management as a service, which will be driven by the cloud development. Up to now we all made perfect products, which have a thousand features, but from 10, 20 years of experience in this field I can tell you that we have often seen that these features can also lead to a feature-based project which in the end doesn't deliver the value we all expected and the customer expected. So I think the biggest obstacle for identity and access management in the future is to be delivered as a homogeneous service which is able to be based on controls like common security controls, common access controls, based on the risk assessment the company has done. Many companies go this way, of course: they do security assessments, they do risk assessments, they define controls, but maybe we have to do some more work to deliver products and services which really then deliver to these controls.
Let me add one more question to that. Doesn't the frustration of the business often come from the fact that whenever you start an identity and access management process, project, sorry, you end up with some sort of fragmented solution? So you automate, I don't know, Active Directory, or you start with five applications and then you die because it takes too much effort and all sorts of things. Then at the end you've spent a lot of money, but after that you still don't have what you wanted, right?
Yes, absolutely. I think what we see, especially in large internationally operating companies, is that we find hierarchies of projects where there are some, let's say, basic services defined on the top level, but there would be no sense in defining a role and application model for a global player on the top level. They are too far away from the local businesses, too far away from the local drivers of the business, the application owners. So therefore I think services must be modular, as products should be, so the customers can start with basic services. I always say identity management, identity lifecycle, is still the first basic service customers have to look for, because without this, federation doesn't work and all the other nice things we deliver don't work. So having a starting point in basic services offers customers a possibility to grow as they go and not spend years in planning at the green table. The value comes with the process.
Shirief, how does CA contribute to delivering value to the business?
What we've been seeing is that there are different maturities that organizations go through in order to capture the value from security. Whenever organizations are going out and acquiring a security solution, there are a number of different reasons, and it depends on the maturity that they have. The first one that we see is organizations trying to achieve IT operational excellence. What I mean by this is that they're trying to improve on efficiencies, to improve the quality of the service that they have, and it's basically just trying to grasp getting automation in place, trying to automate the workflows that they have. This would be the first step that they typically try to do. What I'm talking about with operational excellence here is particularly from an IT perspective, not necessarily from a business perspective. Then the next phase, as they get more mature, they start going into projects where they try to address risk and address compliance.
Typically, as they start entering this phase, they look at it from a compliance perspective, with each compliance project run separately. As they get more mature, they start to consolidate and look at it from a risk perspective, really, and look at what the areas of highest risk are, map the projects to that, and map all of the compliance requirements in a single framework, to be able to map them as well to the risk that they have. Then the third phase, as they get even more mature, is that they truly start being business partners, working with the line of business to understand what the business priorities are, what the projects are that are going to improve their revenues or reduce their risks from a business perspective, and start to partner in that. This is always a tricky, difficult one. Areas of collaboration, for example, are starting to be extremely important. And then for the West, innovation is a must; without innovation it's going to become incredibly difficult to compete with the emerging markets. So these are the areas that we see security focusing on to have the business win.
When you are called in to client projects, to what extent can you influence this collaborative approach? Do you talk to your clients and say, look, don't do this fragmented approach, rather go for a more comprehensive approach? Do you have that opportunity, or is this actually not given?
I think it really depends on the maturity of the organization that we're speaking with. Often what we find, for example in the last phase where the security or the IT team as a whole becomes an enabler of the business, is that there is someone in the organization whose specific role, and it could be not just one person, it could be a team, is mapping how IT can enable the business. So it's a specific team that is put in place to close the gap between these two. One of the first things that we do is analyzing the maturity of the organization: what are they trying to achieve? From there we know exactly; even from the organizational structure it quickly becomes clear where they are from a maturity perspective as well.
Peter, over to you. What's your view on adding value to the business from an identity and access management perspective?
What we really see is an interesting trend. For example, Gartner Group each year interviews CIOs, and the identity and access management topic, as part of the security topic, during the last years was always among the number 10 priorities in the technology area. It's no longer visible there today; it's on the top 10 list from the business side. Business requirements urge the CIOs to do something in this direction. There are interesting things going on. One example concerning your question about silos and things like that: I always try to bring my customers to mission statements for their identity and access management program which focus not just on compliance and security but address, for example, business agility. Like a presentation today mentioned, the question of how fast I can manage mergers and acquisitions, even with identity and access management processes, is one question.
The other question has more and more to do with end customer interaction. Many things today already go far beyond the purely identity and access management stuff. All the automotive vendors right now want to be sure that the person who configures a new BMW in the portal is known as the same person who is already driving a Mini with a contract which ends within the next six months, and they also try to get the information: maybe this is an employee. These questions about master data management have an impact on identity and access management projects and strategies, and go far beyond that point as well. So we decided to found a separate company which does nothing else than this master data management, to provide this 360 degree view on the people who are interacting with the company. This is an amazing trend. It's very strong in the automotive industry, but I can observe this in different verticals as well.
Okay, thanks for the view. Hassan, over to you.
Okay, so Hassan Maad, I'm managing director of Evidian, and thank you, gentlemen. Normally I should say that I agree with all of you because I'm at the end. Naturally identity and access management should bring value, and I think more than in any other security domain. I also kept in mind the same survey as Ralf, so I will jump on that and say I've been really surprised when you ask the CIOs the top 10 concerns and you see security, I mean in terms of security or IT security, at the bottom of the 10 concerns. I've been surprised; I said, wow, why? But you're right. When you look at all the first priorities, you can see new vocabulary, like governance, intelligence, new things that are coming very quickly. And why? I do believe it depends also on whom we are talking to, and CIOs are more and more, or they've been, under the pressure to talk about security constraints.
That's right. But today they are between two pressures. The first one is the business, and the business is aware that they need to protect their assets. They need to respond to the competition, but more and more they also have to protect the privacy of a lot of data for their customers. They have to follow some regulations and they have responsibility. So they are putting a lot of new pressure on the CIO to let, I mean, security become, okay, a business value, of course, but there is still some responsibility here. And the other pressure that the CIOs are living with is coming from the employees. We've always been saying that the employees are in a new relationship with the company, but there is another phenomenon that everyone has experienced already, which is that there is no longer a border between your private life and your company life.
What does it mean? That means the CIO should manage and be sure that he is giving you, I mean, with openness, the right access to the applications for the company, but at the same time using your iPhone and your iPad from home, from anywhere, during your vacation, and trying to manage this with a certain governance that can comply with what the management is asking for and according to the responsibility that they have. So a lot of change, of course, in the organization. And probably when we ask the CIO again what security is, he is forgetting what security is, and he's more oriented now towards governance, intelligence, and new vocabulary that we need to follow. That's it.
Okay, so now we completed the first round of statements. Before I continue with further questions, I would like to give the audience the opportunity to ask questions first. Are there any questions from anybody? I don't see anybody, so let's continue.
I have one. At the beginning, IT did identity and access management projects; it tried to do its best and muddle through without big business participation, and we all know that didn't go well. Right now there's the talk, and the previous session actually tabled that business needs to be involved, somehow collaborate, whatever. And we ask a lot from the business: they have to define roles, they have to describe entitlements in their applications. If you talk about hundreds of applications, and we don't have to do that, I mean even if you go into an SAP system to make sense out of abbreviations such as "virtual print", that's a lot of effort, right? How can we support business in doing that? And how can we make sure that business is convinced that after that, processes will be much more efficient than before? Any volunteer? Peter.
I think it makes sense to try to learn from good examples. For me, once more, this example of Munich Re is quite interesting, because they had the top level support to standardize all processes around ordering IT entitlements. Many, many people were very skeptical about the question: will this really work? And after just a year it was implemented, and it worked. People found out that it's cool to have just one system where to order SAP accounts and Active Directory groups and all that stuff. So they were a bit surprised, but this is a success story which has somewhat to do with the underlying technology, okay, but also has to do with the question of how the project was organized and how it got the top level support to do the right things.
Okay, so the answer basically is: take care that top management, senior management support is given, and create success stories soon, which you can market.
And take your auditor, like KPMG or PricewaterhouseCoopers, to put pressure onto the top management to do these things which are necessary.
Christian, I see that something is on your mind as

well. Yes, you saw it right. Excellent point, Peter. I just wanted to add one point that is pretty obvious but needs to be called out: the communication between business and IT. It's sometimes also very important, first of all, to get the ideas of what business wants, but also from an IT perspective to tell business what implications it has if, for instance, I do that customization for them. So I think also of major importance in the question you ask is the communication. It reminds me of role management: top down, how should we go? Well, start top down, but also start bottom up. It's simple, and this is crucial.
Any other views?
Okay. I think when you look at the business side, most successful businesses are risk takers. Sorry, I didn't get that across; I say they are risk takers. Okay. So they decide to take the risk to conquer new markets, to get into new portfolios. From a business perspective, risk is nothing unusual or always to be dismissed. But on the other hand, the IT department and especially the security department quite often has the role of preventing people from taking risks. That makes discussions and communications sometimes very complicated. I agree with Peter that as soon as you can bring compliance into the picture, the discussion is easier, of course, because we all know this compliance is in the CFO office and you get the budget you need to fulfill the needs of compliance. But from a risk-taking side, we believe that when we want to support our best customers who are risk takers, we have to help them to transform the risks which come in with bring your own device and with social media and all this stuff; we have to transform this into value.
This is what this is about here today. I think we have to manage that we, as providers of security tools and services, can mitigate the risks which come with these new technologies and new services and bring the value that they are trusted, that they are usable, and that they are really valuable to the business.
Compliance is a big driver, but I'm also interested to what extent business cases are relevant. I hope I wasn't unclear: to what extent are business cases relevant as a motivation to start an identity and access management process and project?
I think there are two points we are talking about here, sorry to get back to those points again: the risk management, yes, and compliance. Somewhere risk management is like the internal pressure; it's for your company, it's your company which is requesting the risk management, whereas the compliance is coming from an external pressure where you need to show that you are compliant or simply, I mean, you are following the law. What is the added value here? I mean the business added value. It's neither the risk management nor being compliant. It's simply, I do believe more and more, delivering the service to the business, but also more and more, as I said, to the employees. I think we have to bring your own device. My people told me I should mention bring your own device, if not I'm not doing my job.
So I believe it's part of it. So it is a business case if you are able to show it. First of all, let's start with the very simple thing which is called single sign-on, where Evidian started many years before to tell our customers: start with it, it's easy, you can deploy it and show that you have a return on investment and a service, and then build on it. Of course it's always the question bottom up or top down; it's always both. But I think the best thing that we can do is to show that we are able at each stage to deliver a service, and think service: what I'm delivering, I'm not just protecting. This is the paradigm which is changing. And we are more to be aligned: as IT has been aligned to the business, we are to align identity and access management to the business as well.

Okay, we're a little bit running out of time, but I would like to give Shirief a chance for a final comment. When I attended this conference a couple of years ago, business collaboration was already very high on the agenda. It seems that we are still discussing this topic without having made a lot of progress. What's your view on the next three to five years: will this continue like this, or will we see significant change here?
I think with cloud computing, as cloud computing starts to pick up even further, there's going to be more collaboration that is going to need to happen. I think one of the challenges that we've been having is that there's a technical problem on this front. There are a lot of standards that we haven't been able to achieve in order to really automate it on a mass scale level. So we've been able to do it, but it's always been on domains and a limited scale level; we haven't yet been able to come to a single set of standards that allow us to have it on a large scale level. Cloud computing is a strong business case now, with the cloud, to drive the industry as a whole to come up with these kinds of standards, and we're starting to see OAuth and all of these kinds of good stuff heading in that direction now. Once cloud computing is opening up, and cloud computing is building on top of web services, basically this would, you know, hopefully accelerate the movement in going in that direction, I would say.
Okay, so let me summarize the panel as far as this makes sense, with a lot of detailed statements, but I think everybody was in agreement that there is no way to do an identity and access management project without the business. Business is absolutely necessary. They need to understand the benefit, they need to see successes soon, and that will keep them motivated to continue with these projects. Perhaps from a personal perspective, I would say we also should share with the business the end state and how one particular project contributes to achieving this. That will also keep people motivated, I guess. With that, I thank you all for participating. Fast success actually leads on to the next presentation, but before I introduce the next presenter, I will give you the opportunity to leave the stage. Thank you.
