Session at the European Identity & Cloud Conference 2013
May 15, 2013 12:00
Okay, so then the panel will come and I please ask Martin Coolman, Christian fresco, Darren Rolls, Jackson Shaw, and Deepak and Marco to join me here on the panel. Hi, how are you?
Hi, nice to meet you. Okay, so your first name is, sorry? Frank.
Okay, Frank. Okay. So I think the, the topic of the session was how to govern it all, how to govern all access. And I think to start off, I give you a little bit of challenge and I, I would like to ask you in 60 seconds to answer in 60 seconds, just to make it a little bit more entertaining first, what's your understanding of access governance? So we heard Martin and all the eight topics. So what's your understanding of access governance and also what's your approach to it? Right? So in 60 seconds I know not easy, but let's give it a try.
And I know the first has a little bit of a disadvantage, but let's start from the right to the left. I give you just almost 10 seconds to think about it. And then I'm curious what your views on that is. And then we take it from there.
Marco, for me first. Yes, please. Sorry.
And, and obviously you have to, sorry, you have to hand over the microphone. Sure. So thank you, Martin. This is Marco from CrossIdeas.
So 60 seconds, first talking, thank you for that. You won. Okay. Our understanding 90. Okay. For the first one. Okay. I'm glad with that.
So, well, we are CrossIdeas. Okay. They probably the only European company in this panel, I presume that deals with access governance and our understanding is access governance. In the way we look at that is also driven by where we come from. We started as an authorization management company lately evolved to identity management and then to access governance.
So we look at that as the end point of a maturity path that evolves starting from automating and enforcing control toward orchestrating various flavors of access controls, including what usually comes from authorization service, but also from ed user management and agency management. So to put it differently more and more, we believe that what we do is a sort of conceptual middleware that bridges the automation side of what access control is about toward the a Jersey space. Okay. We kind of sit in between that's the way we look at ourselves our longer am I on time? 10 seconds to go?
No, thanks, Michael. Darren 10 seconds is, is tough.
Yes, I know. Okay. So Darren Rolls, I'm the CTO at SailPoint Technologies and SailPoint is one of the leaders. And I think one of the founders of, of the notion of separating identity out and creating a separate layer, which is an identity and access governance component. To me, identity and access governance is about context.
And it's really about understanding the relationships that exist between identities and their authorizations and bringing it all together into, as, as Martin said, one place into one view and into one set of controls that can apply to any user coming in from any device to manage any application. Thanks, Darren. Good job. Was it success Frank? Yes. I'll give you more seconds.
No, no worries, Frank for, so yeah, my name is Frank Sheba. I'm from of I'm a product strategist there. And so the way that we see access governance, you know, access governance platform in its sense is really a policy automation platform. So it's about automating policies like access request, re-certification rules, joiners, movers, leavers, etcetera. And to make these, to make these processes work, we need to collect the, you know, a massive amount of data and then draw the intelligence out of it and drive these processes.
And, you know, the process is at the end, you don't give you the right access at the right time on the right devices. That's basically it. Okay. Thanks Frank. Thank you, Jackson. Jackson Shaw from Quest, and as I'm sure you've heard, now Dell Software, you know, I, you know, just access governance to me is, is all about providing, you know, the right access to resources at the right time, under the right circumstances to, to people and you know, the area. And this goes to one of the questions from the audience to Martin, the, the area that I'm most especially interested in.
I don't think that it's necessarily the Atlantic or the US or Europe, you know, where, where, where change is being driven. But, you know, I think it's the persona. It's the people who are wanting to use this software and it's being driven so much now by the business person that we're being forced.
And, and we as a company are trying to build software that can be used by a business person instead of the IT person. So I, I think that's one of the key drivers for, for us is providing that level of, of visibility to the business, not just the IT person. Thanks Jackson. Thank you. My name is Christian Petrescu. I do work for Oracle, actually. It's quite funny because we had this question several times also discussing it at our booth. Why do you call it access governance? Now two years ago, it was just identity governance.
How, how did access come to the picture? So we, we got of into discussion of, okay, first we had provisioning, then we had some facets coming to it like analytics. Then we had intelligence also coming to the table and now like, like we heard Martin now there are more moving parts who, who came to that? I think the most important is this overarching overall view on it, right? So there's so many parts in it. You should not duplicate things in all of those. They should be integrated at one point of time, privileged account management is also something coming new.
Should I leverage the same connectors which I have for provisioning? So I think my message is perhaps similar, like you Jackson come from more from a business perspective, right?
See, see the overall message that we have here and how these parts are integrated. Next also important is what's what's coming next. Right? So we have controls which are close to the app, right? Do I need a different policy store for them? How do I manage that? So there's a lot of things to do. And the customer with, with who the last one with who I had the discussion suggested, why, why call it access governance? Let's call it identity and access governance. Perhaps. That's a better word for it. Okay.
Thank you, Martin. Yeah. I'm Martin from Omar, by the way, the second European company in this panel.
Well, I would like to add, I mean, it's, for me, it's really the bridge between business and IT, I think it enables business and IT to work together. It enables business also to take or to assume its responsibility for things. Yeah. To assume ownership, to assume responsibility for, you know, evaluating risks, mitigating risks, et cetera. So I think what we can provide with access governance, product and tools and solutions is provide the infrastructure and provide the processes and make it affordable to control access, and to assume the business people's responsibilities. Okay. Thank you.
So I think they could reasonably good job to stay within the 60 seconds more or less. Yeah. So that was already good. And thanks for, for your comments in the, in the last round around integration layer, because that is exactly my next topic.
So, so Martin also was alluding to that. He mentioned that access governance is sitting as the spider within the net and, and is, is more and more serving as the integration layer of everything. And actually I now would like to understand from you, how are you and your tool set supporting this integration? You already started with that. So I now to be fair start the other way around with you, Martin.
Well, integration also means from my perspective that we have to realize that there's not just, you know, like we, like we used to do, we have kind of a central tool from which we provision things through standard connectors and that's it. So identities, accounts, access rights, but we have a, a multitude of systems. Some of them, we automatically provision some of them. We just manually administer some of them.
We just, from some of them, we just want some information and we have to integrate all this. And as Martin Kuppinger depicted very nicely, the access governance umbrella.
So to say, sitting on this, and I think what we really need is some technologies who, who that can do this kind of integration. And that means from my perspective that we have to, that we have to establish a kind of loosely coupled closed loop audit, which on the one hand side collects information from all these underlying systems. And on the other hand side provides a possibility to do kind of, to, to enforce the policy conforming state to, to the, to all the systems.
And very important, very important is I think what's, what's very important is that you have good reconciliation capabilities. So you have to understand what's the difference between your desired state and your actual state and your systems. And I think one key thing is to you need the analytics to do reconciliation or to detect differences, not only SoD violations, but much more, and then have the right means to remediate the situation. I think that's one of the key features of access governance solutions. Okay.
Thank you, Martin Richard, I like This integration just to remember the question, The question was about integration and I particularly like this word let's step, let's take a step back, right? Let's let's first look at integration. I think there are two concepts of how you can integrate things, right?
First of all, you have this notion of functional integration and which is also very important, how you function, integrate things like a connect risk function, integrating a thing, reconciliation, how a product interacts with each other synchronization on data level is, is, is functional integration. But I think there is also other level of integration, which we do call architecture integration, and this goes much deeper, right? So do two components use the same workflow. Do two components use the same connectors or do they use distinct connectors?
I personally feel for achieving this overall message that architecture integration is, is a very important one. It's it's also this platform thinking, right?
So have, have two components leverage the same infrastructure. And this is also key. If you have so many moving parts, how, how good are they architecture integrated? So I personally think that two, two answers to that question and the deeper one is, is, is the one with the architecture integration form. Thanks Richard checks. You know, we're, we're an interesting company that we've grown through, you know, some acquisitions of vendors over the last few years.
And I mean, I can't help, but, but you know, think about the level of integration work and the projects we have underway both to, to integrate and also to, to, you know, try to, you know, design around a standard architecture and you know, this whole, this whole aspect of how access governance and privileged account management and identity management all start fitting together through what we've talked about over the last couple days of, you know, loosely coupled yet open and the appropriate interfaces is, is hugely important.
I mean, I am living it, you know, day to day with, with our own software products. It, it's gonna be really interesting to me. I think the, the proof in the pudding so to speak is when our own customers start to leverage that architecture and leverage the loose coupled loosely coupled, or the, the, the API capabilities that we're, we're building into products. So I think it's, I think it's hugely important. It's something, you know, that I'm forced to live with because when you buy different companies, you buy different products, you have to integrate them together.
Otherwise, you know, you ultimately will fail, not an easy task. It's, you know, we have to make compromises when we do it. But I think over the next, you know, 12, 18 months Martin has laid out some really interesting things that he thinks are gonna happen. It'll be really interesting to see the vendors, you know, and, and how they, how they act to, to his vision from that perspective of integration. That is important.
Frank, Thank you. Actually, they have their own microphone. Why do we need to share the microphone? So Actually nicely from left to right.
You know, That's true. So we can just, so actually I see, you know, yes, to all the, the map points mentioned before, but it's also integrating in terms of, you know, how does intelligence flow? So you mentioned access governance being displayed in the web, but doesn't mean that we just, you know, catch the flys, the light of life out of it, and then just drop it.
It's, it's about gaining this intelligence through the data and through the processes and then sharing it, not only with the business, but also with other solutions. So for example, with SIEM solutions, we can provide context to them. We draw intelligence from the SIEM solution. The same would be DLP solutions. So instead of just, you know, gain access from the infrastructure, we can also pump intelligence back. And that I think where the, you know, the high value of the integration that comes in. Okay. Thanks Frank, Darren.
And obviously I'm gonna agree with all my esteemed panelists on the integration is okay, thanks, Darren. Let Is a foundational. So maybe let me try and take that a little bit differently and take it in a slightly different direction in that we have to integrate, but we also have to remain conscious of the fact there needs to be an abstraction.
If we look at some of the mistakes in the first generations of provisioning products, when there was a too tightly coupled relationship between the model and the implementation, and we found the most successful provisioning has been when provisioning is a dumb bus, the brain provides. The brain being IAG provides the context, provides the instructions and the provisioning does what it does best. And one of my fears for the aggregation of products that we are seeing through acquisition in, in, in some areas that they just get put back together in the wrong way.
So it's very much how you integrate. And I think I, I completely agree on the idea that it's symbiotic, it's about providing controls and listening to what happens, but it's still isolated so that we can maintain the abstraction and I can do what it's supposed to do, provide that umbrella, provide the context and remain abstracted somewhat. Okay. So both integrated and isolated kind of together. Okay. Very good. Thank you. Okay.
Well, I also agree with what you, what you already said. So it's gonna be very short. So the way we look at integration is twofold. Integration is as two, meaning maybe slightly different compared to yours. We think at integration on a technical standpoint, meaning how do we make things go back and forth from the various system that we do talk to and that's conversation that drives to the APIs through the API economy, if you wish the links back to Craig Burton's topic that we had yesterday, and that will be a long conversation because there are multiple ways to look at there multiple standards.
And we believe we approach in a pretty holistic way. There is another notion of integration, which is more logical, which is about how do you deal with so many different contributors of controls. Like again, authorization service, privileged user management, IT GRC. They have completely different modeling metaphors. They manage completely different things. So you need to be able to deal with this diversity.
And again, we look at what we deliver at as the, the central point to really bridge this diversity and to kind of make the communication flow through the various spaces in a, in the proper way. Thanks Marco. Before I go on with more questions, I will just watch the audience to see whether there are any questions to either the panel as a whole or to one of them. You have a question. Okay.
Can I, I make a point before you have the question that's segregation of duty, right? A question. Go ahead. Go ahead. Sorry.
Right, exactly. I, I mean, it's interesting, you know, I was thinking as we're all kind of agreeing with each other, I was thinking, you know, putting myself in the place of, you know, the customer.
I mean, could we see a year from now or two years from now where one of our customers is using my identity provisioning, our identity management product with, with SailPoint's governance product, or SailPoint's identity management product with our governance product or mixing across this group.
And I don't know the answer to that, but in all honesty, I think that's the, the proof in the pudding as to whether or not we're, we're, we're, we're open it's, you know, I'm not saying anybody isn't, you know, being truthful with respect to, to openness and, and, and wanting to have APIs and, and, and, and loosely, loosely coupled architecture, but the ultimate proof in the pudding is the ability for you, the customer to take a, you know, A from Dell, B from, you know, one of the other, the companies up here and C from another company, and mix them, mix them together in a way that makes some sense.
So I just wanted to sort of throw that out there to see if anybody wanted probably a rhetoric question, but since SailPoint was specifically mentioned, like if there was to answer. Fundamentally agree with you on that, if we keep, that was to my point of abstraction, if we keep the use cases, correct, then absolutely we should we today on product pitch here in any means, but we provide integration modules that pro that allow you to take a request that was consumed through a service request layer, process it through a SailPoint identity access governance layer, and push it out into an existing deployed provisioning infrastructure.
At the end of the day, you've all spent millions of dollars deploying infrastructure. I mean, this is the seventh year of this conference. We didn't tell you much different seven years ago, right. Buy our products, deploy them. You've done that. And it's important when we overlay particularly something like identity and access governance that is able to integrate.
So what, and, and the onus should be on your vendor to provide, as you say, an open API, which I'm glad to say, I believe all of do. And then we should provide the integration modules on the top of the bottom.
So would, would you agree, and perhaps that's the question to the other four, would you then agree its rather one central access or identity and access governance architecture rather than one vendor product? It probably has to fall into a Micro. I'm not sure they got the question, right.
Well, I think Jackson started off with, or can we have one product for, let's say yeah, reification another one for provisioning, et cetera. And I think Martin, for example said it's important to have one platform or architecture in place. So now my question was, yes, what's more important to have one product or one architecture. What is more one architecture obviously.
But, and I do agree with that, but what is really my question? Okay. Back to that is why are we talking about this topic among access governance players only? And for instance, in the conference, there is no one which is an IT GRC player. Okay. An IT GRC player like say, say Archer or MetricStream or things like that. Okay. Why we have Lieberman? We have identity management vendor. Okay. So we are probably picturing something which is a bit quite far in the future. Okay.
So probably is gonna be another, not maybe seven, but three or four here, before we will have this conversation really completing what we are envisioning. Okay. On a pragmatical standpoint, in terms of capability that will still be customer, which maybe are a bit more ahead in terms of maturity path. But the average thing we see around and back to US versus Europe differences is what I consistently keep on looking at is coming from US, lot of re-certification. Okay. In terms of core requirement, we get coming from Europe, lot of segregation of duty and streamlining workflow processes. Okay.
This is pretty simple at the moment. Okay. And then maybe 10, 15%, no more than that really leveraging the integration capability, which are already in our solutions. Okay. To exploit the next level of maturity path. I'm not sure I answer your question, but probably I'm also not sure, but it's was a good answer. I think we've got back around.
Are we, we're going back around and the line, sorry. Thank you. I take that mic. You already spoke. Right? I'll make it very, very short. Cause I think we are somewhat going. Just whatever, whatever we do. I think as vendors, we have to future proof the identity infrastructure for our clients. Yes. The times of spending millions of dollars for minimal business value are over.
I dunno, what planet anyone else is on. If they disagree and buying infrastructure and buying an architecture is, is a very hard sell. So it's our job as vendors to provide solutions that do transcend right As we evolve. Okay.
Christian, Go Ahead, Mike. You already, so actually I, can I be the bad guy? Sure. There we go.
So the, the only thing where, where I, I would like to use the word currentness and perhaps I'm giving an example of Oracle what, what we experienced. So we also had two products for provisioning and for analytics, right? And these products came from two different players.
We, we acquired them and I, I could not, not look in your eyes and say, well, use all of the products here because end of the day, it's also a big, big integration effort that, that you need to do. We had Oracle had the same integration effort, right? So the analytics product and the provisioning product had had two data metadatas right.
We, we did unify them because we didn't want the sync to happen at the customer. It's very error prone. Right?
So this, this whole notion of, of this is why made the point with functional integration, architecture, integration. This architecture integration is a, is a big benefit. It saves a lot of money.
So while, while I tend to agree, let let's speak about openness. It's very important. But also to clearly speak to you as a customer, there's some integration of course, that, that you might need to encounter. We encounter ourselves just, just for Oracle products, just by acquiring the products. And we did remediate this, but just for fairness purposes, also there's a, there's an effort of, of, of this integration kind, which you need to, which you need to think about Martin. You also had a comment. Yeah.
I mean, I think there's a twofold kind of integration question. One is of course the, the, this kind of downward integration, of course today, we, we already have like, you know, provisioning tools. We have script based, just send in, forget provisioning. We have help desk tools, which play a big role. And we have established processes, which of course, I mean, shouldn't this investment in existing processes, shouldn't just be thrown away.
I mean, they need to kind of continue for some time and what, what we are feeling as matter, we are feeling as a key point is just providing an access governance solution. That that is, is kind of robust enough to, to deal with all these different techniques. And on the other hand side, of course you have the, you have a kind of integration with other kind of business level solutions, like for example, GRC solutions like point point GRC solutions as for example, SAP GRC solutions. And I think that's also important.
And, and as you, I would agree. I mean, none of these vendors are sitting here, these point solution GRC, point GRC solutions. And I think that would be really also helpful to, to have a standardized way of communicating there because it's for, it takes a lot of effort for cross-platform access governance products to integrate with these, from my perspective. With IT GRC. Frank, how just, do you have any examples from your customer base where you already see these kind of integration taking place? You mean with existing other IAM parts and bits and pieces?
Yeah, actually we see that all the time. So, you know, especially when it comes to the doing of the provisioning action.
So, you know, we see all kinds of vendors where the GS, well, the access governance solution actually hooks in and, you know, does all the decision is the brain that drives all the processes and I'm not devaluing the provisioning system, but you know, more or less since just the dumb, stupid provisioning actions into the applications.
So there, you know, this kind of integration makes sense, but you know, going beyond that and ripping an access governance solution apart and integrating it with another access governance solution for another process that endangers this, the benefit that you get from having this one brain, this one data store, this one time collection of all the data. So if you have to do that with several solutions, just because you want to, you know, have the access request here, workflow there recertification over there.
You know, again, you have several brains and integration effort, you know, syncing these ones up that goes through the roof. So I don't see the benefit there. Yeah. Okay. So last chance for the audience to ask any questions. There is one, can I borrow the mic please? On the topic of integration? How do you, well, what do you recommend in terms of integrating the access governance solution with, with an ITSM product, ITSM? Somebody volunteering to answer it? Some details like where does the process start?
How, what is the handoff and where does it end? Well, you have to find the balance between short and detail. Okay. I'll be very short. IT GRC, sorry, ITSM sells itself on the value proposition of a single pane of glass for the user. And to some degree within access request management in, in IAG, we counter that message cuz we say, no, no, you must come to us to request fine grain access. That is going to have to change. And I personally believe that the models that we maintain and the context that we have within IAG must be shared with your IT GRC.
So as you can make the request from an external interface, you can't own the glass and the model in all cases. Thanks, Darren. Unfortunately I think we are running out of time. We've done really a good job and I think the audience got good food for thought on that topic. Obviously we cannot expect to cover a complex title, like how to govern it all in half an hour with six very experienced people. But if you want to follow up, I'm sure people are available for you for any questions after that session with that. Thanks again for being with me and enjoy lunch break.