Session at the European Identity & Cloud Conference 2013
May 15, 2013 15:00
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Session at the European Identity & Cloud Conference 2013
May 15, 2013 15:00
Session at the European Identity & Cloud Conference 2013
May 15, 2013 15:00
So topic is access intelligence. I think we've, we've heard a very interesting presentation from where, and also from Carston.
And again, there was other functions in the middle, like request approval. Re-certification et cetera. Now we talk about access intelligence and to structure that little panel a little bit, I would, I would like you now in the first round to obviously introduce yourself and your company and what access intelligence, how this is integrated within your product suite. So I would turn the conference too big. Okay. Nevertheless, welcome.
So I just, just started to, so would like to ask you to introduce yourself company, how you interpret access intelligence within your product suite, take it from there. And the 62nd challenge will come at the very end of time. Okay. Shall we start from the left Doesn't work? Yeah. Yes.
Hello, I'm Neil SNS for ADA from Peter systems, Peter systems, one of the vendors in the IM segment standard provisioning, IEG functionality, access intelligence. It's, it's quite an interesting, but sophisticated topic because there is no standard definition for access intelligence. I'm quite sure we will all find out that everybody has a slightly different understanding of access intelligence. I'm sure it is For beta systems. Access intelligence means taking care of the big data problem, providing all the excess data to the business layer.
And that's the second challenge to translate the technical information for excess data to a business layer that they can use this information for analysis and for decision taking. So in order to reduce the complexity of the big data to drive the decisions like recertification decisions, audit decisions, risk assessment, that's all part of access intelligence. Can you give an example just to, Well, the, the question of how to treat recertification period is simply based on the, on the risk contained by a user.
And in order to identify what is the risk coming along with a certain user profile, you will have to analyze this user. You will have to get information on this. So the risk assessment of access intelligence is the basis for setting the right re-certification periods, for example.
Okay, thanks needs. All right. My name is Bandel. I'm from Cambridge technology partners and we are implementation partners of a couple of these vendors sitting here next to me. And for me, it's more like from a customer perspective, what's the value of the data and how do you wanna monitor protected? So it is like on a continuous space. Was it more on a periodic space or like a, a scandal from a auditor and yeah, I think from a product perspective, I gave it to the next person here. Thank you.
So I'm Terry winter, I'm the city OFN, which is a software vendor with a 15 year experiences in identity and access management. We have a worldwide presence, but we are based here in Europe, France and Germany about when definition, one possible definition about intelligence. We are speaking about access governance. So access governance means you define a policy to define who has access to what in the information system. So once you have done that, if you are a security officer, or if you have the business owner, you can say, Hey, so what am I enforcing?
The good practices is my policy efficient? Is it going to remain efficient a long time? These are the questions that I expect intelligence to answer instead of the security of officer or instead of the business partner.
To me, that's the role of intelligence. Okay. My name is AADA I'm with Sam solutions. Samir is a global services organization and I'm based out of the UK. So first off, thank you for coming today. So when we look at access governance, as you pointed out, right, and the, the track for this afternoon access governance really is in its spirits form mitigation of risk, right? And access intelligence within that is an evolution of access governance where you, the risks you're looking at is strategic risks, like loss of IP, loss of blueprints, to customers, sorry to competitors.
Secondly, you know, fraudulent access, preventing fraudulent and access through illegal transactions, illegal banking transactions, and privacy data related risks, right? So let me be a little more specific about this and explain this tube properly. So what companies are doing today, organizations are doing today when it comes to providing controls around these risks is they have access governance, controls like certifications, where they're actually quite static in nature, where they show you what a user has access to. And then they ask the managers to say, is this correct? Yes or no.
Now what vendors are doing is evolving that process further and adding context to it. So they're adding multiple dimensions to the certification process. They're adding color to the certification process by providing the type of context, like, what is this user doing with this access? And is this normal behavior? Right? Normal behavior is a very difficult thing to identify. And I came from the world of role management many years ago. And you know, those things were we've, we've all tried that one, one time of the other they've been dry. They've been static.
You can top down, you can do bottom up, but really what you are looking at intelligence here is manage a logical union between SIM data, between DLP systems and between access governance systems to give you real context about what the user has access to. So I'm Rick Wagner, I'm the director of product management for identity management and access governance for net IQ.
I've been in the business about 14 years from our perspective, identity and access governance basically focuses on how do you prevent, how do you present business relevant data to the proper owners of the applications in order to allow them to assess the risk and make intelligent decisions of continued access. So, and then once that decision has been made, have the trusted fulfillment to act upon whether or not that person or entity should continue to have access to that application, but have it not necessarily as a time-bound certification, have something more as an on demand.
When I see a change in profile or any other information that can be leveraged to again, provide the business owner who best understands the risk associated with the data, with the application to make the most intelligent decision possible of continued access. Okay. I get to go on the end, which means I get to listen to my steam panelists and reform my answer before it gets to you. Now I'll keep it really, really, really brief. I'm not gonna first In the last Round. So yes. Okay. Back the other way. I don't think we need to redefine what access governance is.
You've sat through through that. If I was asked, as I sometimes am is identity or access intelligence, a separate product, a separate implementation, a separate line item from a vendor is absolutely. It should not be, it is a, a facet or a feature of access governance. And I think one of the topics we'll discuss is, is it more than reporting?
Yes, it's a lot more than that. But to me, access intelligence is building out an, a model as part of access identity and access governance that understands the complete context of the identity. And I think that is, that has to be in the underlying IEG model itself.
It's, it's, it's not a separate product or feature. Yeah, I think it was an interesting first round of opinion, because quite diverse understanding of what intelligent means sometimes it's to support rule definition, others say more reporting, support, risk, understanding, support, decision taking. So it's quite, quite, quite different topics. So I'm still struggling a little bit to understand what, what is it really? How do you see that?
Is it, I obviously the, the, the, the tools, the, the platform will collect data now, is this, how should I look at that? Somebody sitting now in front of that data and trying to get sense out of it, or, or, or is it more a standard report?
So, so how can I, how can I think about that? I guess we can back the other way. It shows itself in standard reports, and that will be one of the ways the consumer of the information would retrieve it, but it has to be a lot more than that. It has to be, as we talked a little bit here, it's about how do you present the context that the intelligence comes from? The understanding comes from what we will present. We're not just gonna show a list of people we're gonna give them risk context. And risk ratings is one example.
At the same time, we're gonna infer intelligence by virtue of what is being accessed or based on what policy violations are, are, are there. So in some ways, access intelligence is just access to the data and that shows itself through a report, but it's a reflection of a model that understands When I understand it, correct.
It, it is dependent that you think about KPIs or other means to measure the effectiveness of your controls and then presented in intention race, Right? Why wouldn't, we're trying to, at the end of the day, we're trying to move towards a place where, where business users understand who has access to what, and that was very simple and an attestation in its first incantation, but now it's a lot more than that. Yeah. Yeah. Great.
So the, from my viewpoint that it's the intelligent data that you present to the individual, trying to make a decision who is that individual, the, the manager that that person works for may want to see one set of data that's important to them, or as an auditor or compliance person, different personas within an organization are going to want to be presented with different information that's relevant to that individual. If I'm a manager, do I wanna see the raw security events of this person executed a transaction?
Okay, no, that's not important to that individual static reports do play a part in that, but then again, that in and of itself is stale data risk based at station or, or access certification or even access certification in its rarest form is how do I, number one, try to be proactive as possible to minimize or eliminate as much as possible activities happening as, as you discussed on data being leaked and more important, or, and another way to look at that is how do I minimize the reaction time or make sure that I can see a risk as quickly as possible, or see something that shouldn't have happened or incorrect access so that I can re remove that as quickly as possible.
So leveraging that type of information to allow the proper individual to make a decision is what's important if that's a, a report or if it's the specific types of data dependent upon which person and organization is looking at that data to make a decision. So I, I think to achieve this, it's key, that, that we talk about how frequent and quickly we collect the data and what are, let's say the process is to well, make sense out of It. Correct. So you have to collect the data.
You have to be able to present the usage of the information and then be able to allow that individual to make a decision as quickly as possible. That may be in some cases, time based. And in some cases it is based upon some change or some activity that has occurred so that I can shrink that time that I'm actually looking to perform the certification process. That's a good con, thank you for sharing your views. If you think about what intelligence really is and what you're trying to get out of this, it's, I feel more than just harvesting data and reporting, putting BI reports around it.
What it really is, if you think about we wanna prevent fraudulent activities from happening, and I'll use a code that you used yesterday is when users want to get access, they will get access somewhere or the other one way or the other. They will get access.
And, you know, some studies have shown out that like, there's this study by various, the Verizon study, which showed that 50% about 48% of data breaches actually happen with people who have appropriate access access that has been certified, that's been reported. So that's fine if you report it real time, you reported times, you know, snapshot in time. It's the same thing.
Now, what vendors are focusing on in terms of bells and whistles to see exactly what is access intelligence, maybe it's in process of being developed in roadmaps. But what it really is, is maturing of the access governance controls to provide some advanced analytic capabilities. And what this is basically is things like PR group analysis, outlier analysis, right? The ability to see who has accessed my bank outside the normal working hours, are they using some bank functions that are typically not used? Are they making a very high number of transactions?
Is any of this, like you said, elevating their risk profile, right? So, so these type of analytics enhancing what's already out there in terms of static controls or real time controls is what the intelligence component behind this AI is. So that's, that's interesting.
So, but the prerequisite for that would be that you probably collect more data as you typically would need, for example, for an ation. Yes. I think thank you. I think you hit the ch the challenge obviously is you've got now transaction data log data, and what the, what, what I will challenge the vendors here is what the ability to correlate this data is going to be the biggest hurdle. Once you correlate this data, then being able to provide some kind of understanding of what this means in context to the user's access. That is your application of That data Link to access. Exactly.
Yeah. Very key, very key that it's linked to access, cuz there's a bit of a trend to, to try and make identity intelligence, security intelligence, and, and that it is not, we will break everything if we try and stick everything into this repository and make it everything to everybody. Okay. As in fact, you, you gave a good introduction to, to my next point, because to, to me, intelligence must be active.
It, it's not only, it's, it's mandatory to have a lot of data to make reports, but it it's the step above the report above the, the reporting. It's not big bang.
We, we already have a lot of data OD trails give information about the user's activity about the administrative changes about a lot of things. And as you said, as you said, what is important is to do correlation inside this data? Cause otherwise we could have a lot of legitimate or correct data. I have an access to SAP. Okay. My access to SAP is certified.
Okay, fine. But during the last six months, I never used this SAP application. So perhaps somebody should remove this rights that I have on SAP because it's not useful to me. So it's getting important things related to security related and based on activity data, as you said to give recommendation to say, Hey, this guy has too many privileges for the job he's doing. So one step further then simply looking at the reporting is making recommendation. This is to me be active on the management of the security. Yeah. So I think that was a very good example. And I'm looking for this kind of example.
So finding out who didn't use something for quite some time, and actually you probably can make a use business case out of that because you may potentially save licenses. Right?
Yeah, sure. It's, it's another, it's, it's another important thing in particular, when you consider cloud computing, because at some point you will be using licenses everywhere. And at some point you might like to know who is using which license because you pay for that. Yeah. And it will be important for you to, to, to see what your, what your users are really doing. And if they don't use the license, maybe you can save money. Yeah. Thank you. Right. I think many things have already been mentioned and it's hard to add on, excuse me.
I think you also, the question is like, are you able to do something with all this data you're collecting? You know, a report is one thing, take action was mentioned a couple of times, but do you need a person to make the action? Or you're able to set up rules who takes action for you? Because many things you can standardize maybe based on certain actions who happens. So that's the question the end user wants to know, right.
Is he has a person sit there the whole day and look at their report and find out what to do next, or does a system help him making the right decision or making the right action for him. Yeah. Perhaps you as a, as a service provider, I mean, you probably deal with, with different tools and not only perhaps even access governance tools. So coming back to what, to what Darren said, is this now a access governance specific function? Or can we just use these tools to help us to collect the data and pump it somewhere else and do the analysis over there?
Well, there are a couple things, right. You can see from a compliance perspective. So because you have like quarterly compliance, like audits, do you have to provide him the reports through something or is the data that much value to your business that you have to protect it 24 hours by seven? So it's like you have to be cons constantly on the hook to find out what's actually happening in your system and help preventing certain actions. So that's a more intelligent part. So doing something with all the collected data out of it. Okay. Does that answer your question? Yeah. Thanks.
So when you started that round here were asking the differentiation between access intelligence and reporting. Is it similarity?
That was, and when we started to develop access intelligence couple of years ago, I think really we can grab the definition, the differentiation also from the business intelligence, because that's what we found out. What is similar challenge with data analyzes of course, business intelligence is sort of information presentation that it is much more than just standard reporting.
So in fact, we, we really took for our product the same technological basis by using a standard BI platform in order to provide this information for access data and the need for that in order to extend, extend, or exceed the, the, the borders of standard reporting is the need of flexibility.
Also in business intelligence, you have the challenge to be interactive for the individual question you have because in business intelligence, you also are addressing the same data, the same cube from different angles, depending on your today's most actual situation that you want to sort this information by the organizational unit, by the user, by the target system. And this is something you can't predict by, by giving standard reports.
It must be in the flexibility of the user to drive through this data pool and to get individual information until because that's, what's all about until he got enough information to take his decision on that. Yeah. Yeah.
And, and that is something which is exceeding very much the standard reporting capabilities that you have one tool and, and one data room where all the information is collected and the business user, not a technician, a business user can drive through that information and can get the output from that, what he needs.
And just to add that for, for Darren and that's, to me also, the reason why it not necessarily must, but it should be a standalone product because the value from an access intelligence comes from having the complete overview of this data and looking to the enterprises with federated identity management systems, with target systems that are not connected to IAG solutions that are solitaire.
If you want to combine all this data and you want to have one single point of information, one view on this data, it, it is quite some, some benefit to have a standalone product, not just feature a module in your I product, but really a standalone access intelligence solution that can collect the data from all the sources and integrate them and give a single view on this. I mean, we, we all are probably in different stages of majority.
When we think about access governance, we have seen, heard a couple of, of presentations and purposely people in the, in the audience also are in different stages there. So what, what's your view? Should people first do the basic stuff, starting with attestation and, and these kind of things before they think about access intelligence, or is this something which will all happen in parallel or right from the beginning? What's your view here?
So, I mean, the vantage point is from any customer is what's that customer's greatest pain point. Yeah. But I think if we were to look at this in a very simple analogy of, of access intelligence and, and you made some excellent points, we've all been through airport security. We all know what that's like. If we take the example of a hundred users first and, and run that parallel with, with a hundred people going through airport security, 90 of those hundred typically go through airport security with no issues whatsoever.
It's the 10 individuals that may go through eight of those 10 individuals may do something silly or eight or nine, like leave a water bottle or liquids in their carry-on bag or forget to take their belt off. Or, and they get stopped. They get looked at briefly.
Oh, okay. You made a simple mistake and move on. It's that one out of the 100 that we want to pinpoint that maybe they have a knife in their bag, or they have something that's, that's very questionable. And the whole idea behind this intelligence is how do we pres, how do we actually filter and what data can we give to the person making the decision. That's gonna allow them to pick out the 10 and easily whittle those down to the eight or the, the nine that are simple mistakes and, and show the one to minimize.
And again, to shorten that reaction time when issues occur that from our vantage point in being able to very easily tie together, provisioning activities with security events, correlating that information together, either from anomalous behavior, privileged, privileged administrators with rogue administration type activities. Again, it's most individuals go to work just to try to get their job done.
And it's how do we focus on the one individual, the needle and the haystack analogy, and how can we present the data up to the decision maker to find that one or two people that, that are the problem. Yeah. Okay. Thank you. And Darren always has something To, yeah. Maybe if I directly answer your question as to where to start, obviously intelligence requires data, right?
I mean, this thing doesn't just direct itself. And then to use your example, perhaps the airport security, the first place you've gotta start is have everybody go through the magnet. And so ultimately data collection, and then some form of verification of that data is the first point classic garbage in garbage out. Right. So I think you have to start, I wouldn't necessarily say enterprise attestation is the first goal, but some level of verification of the data start with the source identity. Right.
I mean, okay. How many people have clean HR? Very few hands usually come up. Right.
So, you know, there's a, it really starts there. My, Okay. So I would like now to go, to make the, the last round, my, my famous 60 seconds each. So I would like to you to think about one good example where one could clearly see the benefit of access intelligence, which you have experienced in your implementation work recently. And perhaps as promised, I start you, The ice cream cones, I get You go the other way wrong. I'll try and be very, very quick. What we've definitely seen.
Some of the highest values of intelligence does come down to the use of risk or context, having a certification for a thousand identities with a hundred thousand attributes in each is a daunting task. And I think to the point using risk to identify outliers, to identify target populations, moving to a more risk based view of attestation and certification, that's a huge value.
It's very, very achievable. And to your point, a use case that we've, we've seen, okay. Live deployed several Times. Yeah. Thanks Rick. Good example in your practice. Good examples on our practice are customers who start with individuals who have privileged access, not necessarily administrators in some cases, administrators, but really looking at privileged access because it's, it's a, it's a small subset of the individuals who have a higher likelihood of either inappropriately or inadvertently creating an issue.
So it's, it's being a being narrowing down. We have a lot of customers who focus specifically on those with privileged access on higher risk privilege, Texas.
So that's, that's your recommendation? Very good. I would say two areas and I make it very quick. 60 seconds. The first is I've seen banks and financial services organization try to put standards in place that are along the lines of, let's say the FFIEC guidelines that say you must detect anomalous behavior, and you must react to that anomalous behavior. And the static access governance tools can only take you halfway there. So you need some kind of intelligent tools that will help pinpoint these areas. And then that would also help in certification processes.
The second thing is access governance tools today are very application focused. They're all about application access certing application access requesting application access. What users and organizations are are focused on is data access to the data. So intelligence and I'm finish in two seconds. Intelligence here is extending this to the DLP and to the data realm as well. Okay.
Thank you, Gary. So I already give my example about SAP. So I would skip this question If you wish.
No, I, I would just mention a couple of example, example to, to give a perspective about intelligence, even if it's not today inside the, the, the walls of the companies, it's that intelligence is going to have an and access management or access governance across the usual borders of security. You mentioned data prevention. There is also usage control. There will, there is also physical access control. For instance, some guy is acting in a database. He didn't even go through the door. So maybe there is a problem. This guy is a, is a hacker from, from the network. You see?
So our examples, according to me, maybe in another step for intelligence will correlate information, the lot of information that we have already with access governance, with other contextual information, even by adjustment domain in security. Thank you. All right. I'm just giving a practical example.
Last we, I finished a project. The question was like, how do you monitor six and a half thousand databases? And obviously lock files. Reading is not enough. So you need a tool to help you to find needle in the haystack basic. And it was a classic sample for access intelligence to find out where is the issue or where is the Threat?
Okay, thank you. And one more vote for risk assessment. Access intelligence provides really a new level of, of analytics for risk assessment, not just presenting a single cryptic score for a user, but having the capability to drill down, really, to understand where the risk assessment comes from. That's a new quality in, in risk management for by, by access intelligence. Okay. Thank you all for your comments for your time discipline and your insightful comments and contributions. So please join me to give the panel of hand.