Event Recording

Martin Kuppinger - Redefining Access Governance: Going well beyond Recertification

Session at the European Identity & Cloud Conference 2013

May 15, 2013 11:30

And I will introduce Martin for the next session. I probably don't have to introduce you, actually.
Saves time.
I would hope everybody knows you anyways and
As well.
And just get started with your views on access governance beyond just recertification, and probably also some aspects from a cloud perspective.
Yeah. Cloud is one of the topics. I think it will cover a lot of topics, and hopefully my slides appear. Otherwise I will do it without slides and try to remember what I have on my slides. Yeah. The topic is around redefining access governance, thinking beyond sort of the purely static entitlements. And I think, when I look at the current state of the industry, both vendors and the end user organizations, then one of the interesting things is that we have some industries, such as the finance industry, which are increasingly mature in their deployments. I think that's what we have seen here. I think it hasn't been the first Deutsche Bank presentation. So if you follow the EIC for some time, I think you can easily watch and observe the progress companies such as these are having in this area.
And so the vendors also are reaching a little bit more mature state, not only a little bit, really more mature states. I wouldn't use the term commoditized, I think it would probably be too harsh, but there's a little bit more feature equality for sure. Everyone would say, oh no, it's not true, we are better in that area, that area, and by the way, we are the best at all, but overall we see some more maturity. On the other hand, I think if you look at the keynotes from yesterday and if you look at other things which are happening, we see that a lot of other things are happening there. We have the situation of cloud services where we need access governance. There is also the topic of dynamic authorization management, which will massively gain momentum because we need to rely more on rules and we need to take the context into account, which requires us to be more dynamic.
So we have a lot of areas where we are facing the need for change. And so I would say we are just at, let's say, generation one or maybe also generation two. That's something where we have some maturity, and it's now about going forward to generation three or four, whatever, in access governance. I will start with a very basic thing. So what we are talking about there are in fact some major questions around us, and simplified they are: who has access to what, and who has granted that access? So these are very simplified, but these are sort of the basic questions we are facing here. For sure, also ensuring that segregation of duty conflicts are handled in an appropriate way. And so there are some partial technologies such as access warehouses, recertification, analytics and intelligence there.
I think this analytics and intelligence part is just a part of the broader access governance story from my perspective, but obviously some interesting evolution in the way analytics of that data can be done. We have the area of access risk management. So some started very early with risk as part of what they're doing, some added it later. But clearly an important part is access request management. So moving from a more detective towards a more proactive tool, which allows the business to request access, which is an important part of business-IT alignment: to enable business to request access in a simple way, seeing exactly the things they can request, they can order, instead of having long lists or complex technical tools to request this access. We have the enterprise role management part as one thing, even while roles are only one part of the attributes we use for authorization.
So it's not all roles there. There are other things such as the context, etcetera; some talk about attribute based access control. I think that's more sort of a continuum. So whoever has done a role project always has learned there are things beyond roles, which I have to map to roles in some way or another. So it's more than purely the roles. There are always other things like constraints or competencies or whatever you name in there. So this is just the continuum towards taking into account more types of attributes. We have segregation of duties controls. So that's what we are talking about, and that tries to ensure that we are talking about the same thing. And that's a slide I used yesterday around where to best spend in IAM/IG, based on the KuppingerCole business impact indicator. And when you look at the highlighted area of access governance intelligence, then there's clearly a strong impact on compliance fulfillment.
So it's a technology, or it's an area, which really helps us moving forward in compliance fulfillment, but there's also a relatively good rating for business alignment, because what we've seen in some of the successful projects, and I think that's something you or your colleague were talking about just now: done right, it enables business to do some things they need to do. And it really helps you in closing the gap that historically exists between IT and business, because it's really about talking about the same things, about enabling business to do some things better. There's also some impact on the cost side, because you can make a lot of processes more efficient around access request, recertification, audit, etcetera. So it's one of the positive things. And there's a good reason that I have it on my list of the favorite areas of spending in IAM/IG.
And it's clearly also a part of the bigger picture for identity and access management. So I have, I think, two big pictures here in this presentation. This one is structured around administration, authentication, authorization, audit. We might collapse authentication and authorization; Dave has proposed this in his last newsletter. And access governance in fact is one of these important areas we are seeing here. I put it to the audit pillar, but in fact it goes beyond the audit part, and we have to understand that it's one of these key building blocks we have here. In another picture, here it's even in the middle of sort of an IAM/IG bigger picture I have painted here. So it relates to a lot of other topics, and yes, we need it. And you might note the arrow on the left hand side, which goes to dynamic authorization management, which is one of the things I will cover within my next slides.
So one of these areas where we need extension. So it's sort of the layer on top of the classical identity management, in the sense of identity provisioning. So it's really a layer on top. And those of you who have been at DESE last year, or who might have listened to one or the other webinar during the past 12 months: I think there are different approaches, but one important approach for access governance clearly is to use access governance also as an integration layer on top of all that legacy provisioning stuff and other fulfillment technology you might have in your organization. So it's sort of a consolidation layer that plays a very important role. It's related to privilege management, to identity management, to risk and context based authentication, etc. So it's a little bit sort of the spider sitting in the middle of the net here.
And as I've said, this notion of an integration layer is something which is pretty important. So there should be really one access governance layer in your organization. There might be, for various reasons such as mergers and acquisitions, a lack of control and enforcement for different IT departments in your organization. So sometimes I see a lot of organizations, very especially in the US, where IT departments tend to do their own stuff. But this is where you really can integrate these different identity provisioning systems etcetera, or integrate with service request management systems for manual fulfillment, where you increasingly have own integrated provisioning technology, et cetera. So that's, I think, one of these areas we are seeing here. And then let's look at beyond provisioning. And I think the really important thing here is how can we move to sort of a more complete access control approach?
And there's this situation of, you know, we have access governance here, and what we really observe is there are some other topics popping up. So one is clearly identity provisioning. Identity provisioning is there, and in fact access governance was added to identity provisioning. Several vendors are pushing things like user activity monitoring as part of the story, which is about sort of a continuous control thing. Sometimes they call it like that, or whatever they call it. But the idea behind it is fairly simple. It's about not only checking every 180 days whether the status of access controls is correct, but doing it more continuously. I think it's an important area. It's a tricky area with respect to legal issues, at least in some countries. So in Germany it's probably harder to implement than, for instance, in the US, but I think if you do it right,
there are also opportunities and possibilities over here. Privilege management is another very important thing; I will touch that later again. And we also have to look at doing it for all users, for the complete identity and the complete access life cycle. We need to do it periodically, more in detail, and we need to do it continuously. So those things are sort of getting bigger, and that means that access governance technology and access governance implementations, and behind the implementations, or before the implementations better said, the processes, the concepts, all these organizational aspects have to cover that. And I think there's another important point to understand when we look at how access governance works and identity provisioning works. We in fact have a situation where we have access governance on top, and then we have some identity provisioning integrated or not, or whatever, for fulfillment to the systems.
And we have sort of a break point in between here, because the systems expose some sort of, for instance in Active Directory, a global group, and we consume it in our access governance view as sort of our lowest level. We might call it a system role, we might call it an entitlement, whatever, it doesn't matter. We sort of say, this is what is exposed. And when the system administrator down there changes something in his structure, we don't necessarily see it at the upper level. So this is the thing where access governance in fact can help us to receive more detailed information, to analyze it, to check it, to see whether things are going wrong down there. So that's, I think, an important point. And that's also why we need such technology; this is one of these elements, because we have such a break point, and we can't avoid the break point because I think it's just, from both an organizational and a technology perspective, not feasible to manage all details of all systems from a single management point.
So we need to define where the mapping of these layers is. That also, I think, is an important point. So when looking at access governance and talking about how to move sort of beyond today's status, I see eight areas where we need to move forward. One is access intelligence. There's a lot here right now. So adding advanced analytical capabilities, sometimes based on commercial off-the-shelf business intelligence products, not necessarily; it might be as deeply integrated, whatever you do, supporting also complex historical analytics, etcetera. I think that's something where you don't necessarily need to rely on standard BI technology, but having the capability in that area, I think, is an important thing. So we need more analytics, more advanced analytics. I think that's a very important area moving forward. A second one is data governance; a lot of people, or a lot of vendors, call it data governance.
I'm not a hundred percent sure whether I like the term or not, but I think it's okay. And it's really about adding support for unstructured data repositories, such as file servers and Microsoft SharePoint: how to analyze the access on these systems, how to grant access to these systems, et cetera. So in fact a little bit of expanding it into the detailed view of systems like SharePoint, etcetera. Some vendors have added this as separate products or as separate editions, or some support it more or less out of the box, but we see a clear shift in that area. And I think there's a lot of value in it. So we have historically seen that we have a lot of tools which are targeted on very specific support for Windows file server environments, or sometimes other environments, or SharePoint, especially SharePoint.
I think we have maybe 300 vendors for SharePoint security out there, something like that, which sheds light on the SharePoint security model. By the way, if you have so many security add-ons, then something is going wrong. But that's another story here. The interesting point, I think, from an access governance perspective is that it makes a lot of sense to do it more from a holistic view. So when we are managing access anyway, then it makes more sense to do it from that platform than to use yet another security and management tool. So expanding in that direction, I think there's a big value in it. Dynamic authorization management, a very important topic. So currently our focus is, or our approach typically is, we say, okay, there's Martin Kuppinger, and Martin Kuppinger shall have access to that system here, Windows servers here, SAP systems, etcetera, etcetera.
So that's where we start. And then some ACLs or whatever are written in these systems, which works somewhat well for our standard internal infrastructure. But the more users we have, the more systems we have, the less control we have. Think about the cloud, think about the identity explosion; the harder this becomes. And then we start also thinking about the context of risk and context based authentication and authorization. So we want to say, okay, Martin Kuppinger does not necessarily have this access, but he has this access under specific circumstances: he's using his Windows notebook with a strong authentication, etcetera, and he's not working through an unsecured wireless LAN, et cetera. In that case I might say, okay, he's allowed to do it; in another situation I might say no. And that means we will rely more on rules, which also helps us in many other areas. So there are a lot of situations. All of you who have gone through a role management project might have experienced that they say, okay, we have the problem: there's a person working on the contracts in an insurance company, and on incidents. So when something went wrong, then the customers say, okay, I want to get some money from you, insurance company. And then there might be a situation where some of these people are allowed to do approvals up to maybe 100,000 euros and others beyond that.
This is in fact not really a role, it's a competency or a constraint someone has. And doing this in a rule is far simpler than building it into a role. So supporting dynamic authorization management clearly is a challenge. Whether it's based on XACML or not doesn't matter; the problem behind it is the same. And that means we need to support the rule life cycle, rule approvals, rule analytics for this dynamic world. That's one of the areas where we need to move forward. Integrated privilege management: I think I have a slide on that later.
I at least have it in some of my presentations, and I think it's also in this one, but I quickly touch the topic. So this is around, you know, when we look at privilege management, commonly this is shared accounts, administrators, root, et cetera stuff. But in fact there are two dimensions. One is this binary dimension between individual and shared account. The other is a continuous dimension of elevated privileges, and elevated privileges are what we are addressing with access governance. If you look at the business side, it's exactly what we are doing: we're looking at elevated privileges. When we look at IT, we don't do it that much. What is the reason for that?
IT expects business to think in processes and describe the processes, but instead of the eat-your-own-dog-food thing, IT does not do it for itself. So it usually does not describe the process. But if you look at development, test, production, this is clearly a segregation of duty situation. You can't do it in processes. You can define your activities in these processes, you can do everything like you do it in business. The same for administration, etcetera. There could be an SoD rule which just says, okay, you're operator here and you're operator there, and this is a conflict because it's too sensitive. Enterprise IT GRC integration. So enterprise GRC, IT GRC integration, said correctly. Another important thing. So we have to, and I've talked in my keynote about risk as a common language, and we are providing a lot of controls which map to operational, reputational, even strategic risk out of access governance.
And also when there are initiatives which end up at the C-level dashboard in GRC, the target must be to integrate here. Assignment management: thinking about not only access, but all types of assignments, a common discussion in a lot of organizations. So there's a little bit of an IT service catalog here, a little bit of an ordering system here, a little bit of access request here. Having one system makes a lot of sense. We also see some tendency towards improved transports, such as ESB based, not necessarily there, but how can you improve the communication in that area. And then the user activity monitoring part that I've touched before. And yeah, here you go. Here's my access governance integration with privilege management slide. And this is exactly, you know, if you look at the horizontal, this is sort of the binary dimension, personal versus shared, and there's the other dimension, which is elevated privileges, standard to elevated, and sort of the standard user account is the light spot in the lower left edge.
And then we have some not that elevated accounts which are shared, such as technical accounts. And my golden rule is always to avoid technical accounts and use end-to-end security, but software architects and developers are hard to convince of that, even while it's feasible. And it gets easier with things like etcetera. So you can do far more than you ever could have done. Then we have the ones which are personal. So a personal account with Windows operator rights; it might also be a shared account, but there are also personal ones. Or the SAP Business Warehouse power user, a very elevated one, one of the favorite targets of any auditor. And then we have the things like root. And in fact, when we look at the vertical axis, then it's where access governance can help us far more in achieving our targets than purely privilege management.
I personally think these two areas have to converge, to integrate, et cetera. That's one of the things I see there. As I've said, I see also the need for supporting dynamic authorization management, where we have a policy decision point, where we have the PEP; I won't go into detail. So this is a little bit more detailed and complex picture on how you can work with this dynamic authorization management stuff. But I think that's another important thing, where we just don't write ACLs down to systems but where we rely on rules, and then we need another approach, but it has to be part of access governance. And so I have written a report, and I think the printout of this report is in your conference bag, where I've defined some maturity levels of access governance. I think it will go forward also with the things I've talked about.
Probably I will just shift everything one layer up and add another top layer on that, but I think there are still some things where you see, okay, there's a lot of things to do, but this is also more targeted on the end user organizations than on the vendors. So where are you with what you're doing? And one of the important things, for example at level three, is having a closed loop approach. So in the early days of access governance, it was more about, okay, I know that something goes wrong, and then the vendors started adding, okay, and if it goes wrong, I can remediate it. So this closed looping is one of the important things, and then enhanced analytic abilities, etcetera, integration with privilege management, all these things have to follow here. There's also one for identity and access management governance in general; as I've said, the printout of the report is in your conference bag.
So you can go through that in detail later, what we published earlier this year. And I think Darren has already said have a look at it, and I've read a tweet of, or at least a SailPoint tweet, we are a leader. We published, as one of our Leadership Compass documents, sort of our view on how vendors and their products in the specific market segment are positioned. We published this document, and this is the product leader view, where you also see there's an increasing number of product leaders, and that's always a sign of maturity. We have the innovation leaders in here, where we say, okay, who are the ones who are really leading innovation, not necessarily being the best ones from their pure product functionality, but really driving some new ideas forward. Market leaders,
so that's very much based really on customer numbers, etcetera. Yeah. So different views on that. And I think this is also a printout in your conference bag. And what we also did, and what I want to show in the last few slides of my presentation, we also have some other views on the information. So we have a product innovation matrix, which says, okay, who are the innovation leaders on the vertical, who are the product leaders, where are these positioned? And then you have some which are very innovative but not extremely mature, and you have some others which maybe are more mature, but things are going a little slower than for others. And I've also added some dimensions. I think some of you might have seen a blog post of Michael Rasmussen regarding other types of analytics on the market, where he said, okay, it doesn't help the customer to identify where to start.
So we have several views there saying, okay, for instance, if you're looking for an integrated solution for access governance, where to start, where we rate the capability of this full stack, access governance plus provisioning, compared to the product maturity. And clearly then you look at the ones which are more at the top of this view and are maybe good for the product overall, because what you really should end up with is someone who helps you now and who is good enough to support you over time with the growing need for other features. So just having the best one for a specific problem might not help you over time. You need someone who helps you sort of in both. We've had several of these views; there's sort of the counterpart to it, which says I'm just looking for an integration layer.
And then it changes the picture. Other vendors are on top because they're better in integrating, but they, for instance, might not have a capability, or a strong capability, for provisioning. We have a lot of research in that area. I've just picked some of these documents here. Some are in your conference bag, others are available online. So that's just my view on what has to go on around access governance. And I think even if you have a good and successful and great project, there's still some work for the next few years until retirement. Okay. Thank you.
You certainly mentioned a couple of topics which go beyond recertification: access intelligence, data governance, activity tracking and monitoring, GRC integration, just to mention a few. You mentioned eight topics, enough work until retirement, but do you see one predominant trend right now which, I don't know, is above all others at this point?
I think you can answer the question from two angles. One, what is probably the thing which we observe most being done, which probably is the analytics part, access intelligence, etcetera. If I look at what should be done, I would say one is support for dynamic authorization management, and the other is integration with privilege management. These would be my two favorites there, if I remember all of the eight right, so,
Okay. So that's yeah.
So are there any questions from the audience? There is one, not sure whether we have a microphone. We had one down. Ah, no, they are all here.
Thank you. The question I have is: the whole model in terms of maturity and everything to do with access governance, if you look at where the field of mobility is going and digital IDs are going, does this apply to that as well? So would we manage internal access governance the same way we manage external access governance?
I think it's really the point where it's about extending this thing. So I think you need one access governance tool, or one access governance approach, let's call it approach, maybe it's not a single tool. But you can't say I manage cloud access governance differently from the rest, because it's one set of information, one set of systems, regardless of their deployment model, regardless of who accesses it. And you should look at where can I really have that insight into what is allowed, what could happen, what is done there. So I think it really is important to extend these things. I think I had it more implicitly in my dynamic part and the risk based authentication, etcetera, part of my slide deck, but in these eight areas, I think supporting cloud computing is clearly something which has to be done as part of this journey. So it's a great question. Yes, that has to be done, and we need to have one and not multiple access governance layers there. There's no sense in having a cloud access governance and a non-cloud access governance.
Further questions. Yes. More.
Okay. We are running out of time.
Oh, when we look today at cloud tendencies and other things, and we have a lot of global players now, which of the markets drives innovation into the products and services mostly? Is it more the US market? Is it more the European market? And which country in Europe is the biggest driver of innovation?
I don't think that there is really that much of a regional difference anymore. So I think a lot of things started in the US, but we see some interesting innovations in the area of the European vendors. So I think it's an interesting mix here. So I think that the user activity monitoring part probably is more driven from the US currently. Other things, I think, when it comes to really the very methodological, very well thought out things, might be a little bit more influenced on the European side, but I really don't think that we currently have a situation where the one or the other side is pushing things. What I currently observe a little bit is that maybe, if you look at the US, there are some first vendors popping up focusing more on the critical infrastructure, production systems, etcetera, side of things, which also would be one of the important expansions.
So supporting all that stuff. But this is clearly also becoming a very hot topic over here. So I think that's probably one of the areas where both sides of the Atlantic are fairly close to each other. There are things which are done differently. So sometimes, you know, if you look at risks, maybe the tendency here is more to work with very, very elaborated risk models, and the other thing is just to solve a problem. But overall, it's not that big, not that much of a difference, I'd say. Okay. I think we're running out of time. Yes. I want,
Thanks Martin. Please join me and give him a big hand for the presentation.
Okay. Thank you.
