Welcome to the last session of the access governance stream. When you look around, I think we did a good job to make this day the secret one, but we will take this professionally and obviously do our best to entertain you and come up with a good discussion and also good insights. So I welcome, and obviously I should start with Sabrina, Sabrina WEMA from G and H net design. I also welcome Andrea Rossi from CrossIdeas, then Hank funder Hyden from CA Technologies and Stefan Dole from Oracle. And we are still waiting for checks and sure, but he has not yet arrived, so we try to make this happen without him. Right. So please help yourself with the microphones. I think we have three, so you have to switch once you are ready to talk. So I guess we start off with a short introduction round, and let's start from the right to the left if this is okay for you. Hank, would you like to start from the left to the right? Okay. From your perspective. Yes.
Hi, I'm Hank for NHA. I'm responsible for the security business unit at CA Technologies for EMEA. As you probably are aware, CA Technologies is an IT management company delivering software for all IT management solutions, and the security business unit is one of those areas. We focus on identity and access management only, but we believe that we are pretty good at that.
Good afternoon. My name is Andrea Rossi. I'm at CrossIdeas, which is a company specializing just in identity and access governance. We are a so-called best-of-breed player, and I would say that our unique feature is being one of the few, if not the only, European company popping up in this space, in a market somehow dominated by American vendors.
Hi, my name is Sabrina WAMO. I'm with G and H network design, as a German word; I think in translation it means network design. I'm a business development manager, and we are a solution provider in the areas of infrastructure, web and identity management. Out of these areas we used our knowledge to develop a product in the access governance area, so we are also a manufacturer. It's about collecting access rights and showing the rights structures of a company's systems company-wide. And yes, that's the beginning. We start with implementing access governance for our customers.
Good afternoon. Okay. It's Stephan, I work with Oracle. I'm an expert on identity and access management, helping all across EMEA. As Oracle, obviously we are playing in many fields and we need security for many fields, end to end. So I think that's where our strength is: that we can actually provide all types of security throughout, you know, corporate customers and so forth.
Thanks for this round of introductions. Not sure who listened to the presentation from Martin this morning; he also gave an overview of what access governance is about and introduced eight newer fields of access governance, one of which was the continuous monitoring and tracking of user access, which is actually our topic today. And I think in the next round of discussion I would be interested to hear what continuous monitoring and tracking means to you. So what is it, and how do you support this with your products or services? And before handing over to the panelists, I would also invite everybody here in the room to think about questions. So after this round I will probably reach out to everybody to hear whether there are any questions to the panelists as well.
So, should I give you a start or give it a go? Yeah, I've got the mic. Stephan, go ahead. I'm the one. Well, continuously tracking access. I mean, we have a landscape that's quickly changing, right? We have the generic things, like provisioning users, making sure everything's in compliance and so forth, but continuously managing actually means that we manage end to end all the time; we get into the security loop where you continuously implement things and reconfigure them. And that's why it actually needs to be very business-user friendly, because only they can really monitor what's going on on a business level. And that's where I think that it's not enough to have an audit once a year or once a month or whatever. It needs to be certified and tested that security is given at any point in time, and not just basically who has which roles and, you know, are the RBAC rules compliant or whatever, but also while people are accessing, in a world that's quickly changing with cloud-based software, with mobile phones accessing all kinds of resources.
It's not enough to just monitor entitlements, authorizations and roles in the company, but also: how are they used? I mean, are there breaches, do we have to mitigate risks while people are actually accessing our systems, which are not necessarily just our systems but also systems of our business partners, you know, in a federated world where everybody is all over websites and browsers, mobile phone apps and so forth. It's always changing from here to there, booking this, then adding this, adding a hotel, adding this. So it needs to be ensured that not only the roles are right and everything in a certain corporation, but across all those worlds, and with people accessing from everywhere at any point in time, access is controlled. We know who is accessing what, what should be the rights they have, and how can we comply?
How can we audit all this and even take action at a certain point in time when we detect that a certain access is sort of dubious, is potentially fraudulent, right? So that's, I think, how things have changed from when I started many years ago, when people really tried to get their identities right and their roles right, and so everything was controlled in a corporate environment with a certain type of devices like computers, very controlled, and now it's all getting out of control more or less. So we help our customers; we try and really provide the software to help them manage this access at any point in time, and not just data at rest, but also on the move while the requests are going on.
From your perspective, it's not just an annual re-certification, to take an extreme example, but exactly, more frequent, but even real time in some cases? Yeah, almost real time. Almost or even real time. Okay. Yeah.
Sabrina, what does continuous monitoring of access mean to you?
I would also introduce the word continuous auditing, because I think it's kind of the same. What we do is from the perspective of implementing a software, and our product is called daccord, which means to agree: to agree with compliance rules, to agree with statutory requirements, with regulations; they just happen in the company or they come from outside. And what we do is actually give a report out of the access rights a company has in its company-wide systems. So there are employees, there are external people, there are interns; they switch from one department to the other, they leave the company, and to collect all this data out of the systems, what access rights they have, we developed a core for it. We have a user interface where you can actually see everything; you can do it on time, actually, you can do it anytime, giving an ad hoc report or giving out all the structures you have in the company regarding the access rights management.
Okay. Thank you. Andrea, as a new entry to the market, or relatively new, do you also have a new view on that topic? Well, first of all, I wanted to start with an observation, which is, you know, there is a lot of buzz around risk, access risk. It's quite recent to talk about risk in the identity management space, and before starting this panel I thought, are we talking about science fiction or is that real? We are in the infancy, probably even earlier. And I think that one reason for thinking about that is that when we talk about access risk, we should talk about an IT risk, a compliance risk, but, you know, take a look around: there is not a single vendor here at this show which is coming from the IT GRC space. There is no Archer.
Say there is no MetricStream. So that world is still disconnected. And to be honest with you, these folks, they don't like the identity management piece because it's too technical. These guys sell to different people. So, positioning: we are talking about managing risks in an identity and access governance environment. That means detecting risk and preventing risks like SoD violations. We are still in the early days, but as a vendor, of course, we need to manage the today and the science fiction of tomorrow. So our vision, which translates into product capability today, is basically serving three characters, and I'll try to make an analogy. The first character is the police officer. He patrols the road, he stops the car and issues tickets. So he detects and prevents fine-grained irregularities. The analogy goes into access governance with managing SoD violations.
That's the ticketing. So you get an SoD violation, you need to mitigate it, you need to assign a compensating control. And that's for the police officer; it's a daily tool: stop it, you get the ticket. Then there is a second character, which is the chief of police. That guy has to present to the mayor the results of the zero tolerance policy in the identity management committees. It's about showing that there is a decreased number of violations, of risky users and risky roles. Someone calls this stuff access intelligence, but in reality, once you have the data, these are reports. So we don't put much emphasis on the reporting side, because it comes out naturally from the data. The third part is what I call the minority report department. You need to be able to really investigate the data to detect risk patterns.
And that's where the risk algorithms that are somehow well developed in the financial risk market are coming into the specific area of access risk. So that's what we do today, but we need to be aware that something is good for today's needs. We already have the science fiction, which will mature in the organization, the Minority Report type of capability, probably as we see it in three, four years' time, even for the financial sector, in the insurance market. These kinds of things will never come into the manufacturing space unless you are a super global company,
Which, by the way, I know a few super global companies. I agree that reporting is an important element, but reporting also is the back end of the problem, in my opinion. So it's more about how do you calculate risk and how do you collect risk items? So when we talk about context-based identity and access management, we try to collect as much information as possible about the identity, about the data that people are trying to access or work with, and build a risk model, a risk model that is framework-based so that organizations can put in their own policies, because not every organization has the same risk appetite. They have their own risk appetite, sometimes driven by governance and compliance laws, but in many cases just, you know, the risk you're willing to take as a business. So what we do is we look at the identity lifecycle management not in an isolated and static way, but: what is the user's context? What is he doing today? What is he trying to access? Where is he trying to access it from, and from what type of device? So we collect more and more information about the behavior of that person and therefore can assess the risk of a certain transaction, which then is, you know, the data element, much better. And that, I think, is something we're seeing happening more and more.
Okay, thank you. Coming back to the audience. I announced that after the next round I would reach out to you to see whether there are any questions from your end. Are there any questions so far? There is one.
Looking at the security risks from an enterprise perspective, I see basically two main threats: the internal threat, which is our own employees with, I'll call it, flexible morality (you can also call it corruption if you will), and external threats, which is people hacking servers, hacking accounts. And the feeling we have, at least as enterprises, is that we want to tackle those problems in a different way. When we monitor our own employees we want to do that in a different way, less aggressively, more tolerant, than external hackers. And I'm curious if you as vendors also see this difference and, if so, how you tackle it or look at it.
That's a very good question.
If I may start here, to be blunt, I think that's the old-fashioned way of thinking. I think an employee nowadays is not the employee it was years ago, when he was sitting in your office, you know, on a corporate terminal, an IBM system that was controlled very well. Now he's traveling, he's, you know, using all kinds of risky methods to access your organization's data and applications. So I think we need to expand that more. And I think that the risk is not necessarily higher on the employee side or higher on the external side. I think you just need to identify what is the profile and the context and the riskiness of a transaction or an access that a certain person is doing. I was mentioning it in a panel earlier this morning: I know of consumers that have higher-risk transactions than employees in organizations. So I think we need to, you know, stop differentiating maybe too much and staying on this internal versus external, because it's disappearing.
I mean, just one comment: an external having access is always illegal, isn't it? An external, yeah, an external hacker. I mean, he never has legitimate access, right?
Yeah. But you also have, you know, it's not about only hackers. It's about external consumers,
for instance. Right. That's different indeed. Yes.
Sorry. No, thank you.
I'm a nice person. Well, with my consulting background, I'm always scared when I see an approach which is too broad. Okay. So the way we approach that, again, now that we are an identity governance player, is basically we tend to minimize the risk which is related to entitlements associated to people. Those people might be internal employees, might be contractors, might be customers; in the majority of the situations, the risk that we control is coming from the inside. I always use the analogy of Fort Apache: we always thought that the Indians were the bad guys outside and the cowboys were nice inside, and then it turned out that there were a lot of bad people inside. So I think that, giving an approach on how to manage risk, the first thing is about what type of risk you want to measure: from the known persons or the unknown people.
Then you start immediately separating the playground in technical implementation, because one thing is a program, and one thing is what you implement as a tool to control a bunch of different types of risk. I think that at the end of the journey, which will happen in 10 years, we need to be able to measure and give a score to the risk, because that's the way that financial risk gets accrued in the balance sheet: the higher the risk, the higher the reserve is in the balance sheet, because it means money. Once we're there, 10 years from now, we will have reached our Nirvana. So my advice is really to have a global picture, but be focused on segmenting which type of risk you want to measure. And on our side it's really the risk associated typically to known, friendly people, the employees. As Ian was presenting, the traders look nice, but not always as nice as they look.
What I think, to get back to this question about the external people and the internal people, is: the external people, they have this criminal mind, you know, they want to do something, but the internal people, they have the opportunity. They are not, from the start, criminal people; they don't want to do anything wrong or whatever, but they might have a financial problem in their private life or whatever, and then all of a sudden they find this access they normally don't have to have, or that they shouldn't have. Then they find out that they actually have access to maybe a financial solution to solve the financial problems in their private life. That's what I think about external and internal people.
Of course, I mean, anonymous access, let alone DDoS attacks and these kinds of things. But I think, yes, it's dangerous and even not fair to the employees to have less security measures inside than outside, because they might get under suspicion if data leaks out or whatever. I mean, you want to protect your own employees so they are not, you know, suspected of being potentially the fraudster that has sold this information to some German tax authority or whatever. So basically I think, yes, differentiate based on the context, so where is a certain request coming from, or where is somebody accessing from or whatever, but not generally drawing the line between internal and external, because as we all know, risk is also coming from social hacking or whatever, you know, people get convinced or, I mean, friendships are abused or whatever.
I mean, you never know what happens, and you really want to protect your internal people, your employees, you know, even on the database side, making sure that DBAs don't get to see this critical data; you don't want to open any leaks inside. So it's always clear that if anything's leaking, hopefully it wasn't one of the employees, and so forth. Beyond that, obviously it's always important to collect information, where I think behavioral data is sometimes a little bit critical. I mean, we get this from many customer experiences; obviously you want to know, is this coming from a mobile phone? Do I know that device? Is it coming from an internal corporate PC or whatever? You want to mitigate risk, you want to potentially challenge or alert somebody or whatever. But yeah, just to say, for your sake, I would say draw the line between risky and less risky transactions and access, but not between just generally internal and external.
Okay. Thank you. Coming back to the actual topical title of this session, which was continuously identifying and tracking access rights. On the one side we have the re-certification, which, as you correctly made the point, we are in the early days: many companies are still managing access risk in the early-days way, which typically happens annually and obviously also requires an annual collection of, or access to, the necessary data. Now I have two questions for you. When we now move towards ongoing tracking or monitoring of these kinds of access violations, what is currently, from your perspective, best practice in terms of data collection? Is it monthly? Is it daily? Is it, as you mentioned, perhaps even real time? And where do you see it going? Will it go to real time? So that's my question. Should I start again? If you like, I have the microphone, but I'm happy to pass it on.
Yeah, you want to start?
It depends on the regulation or the access right you actually have in the system. Like, if there is a segregation of duty which has a low risk, then it probably doesn't matter when you, you know, report on the access rights or the rights structures, or when you do the re-certification for it. But if there is an access right that really has a high risk, probably a segregation of duty which is in the financial sector or in the financial industry, like the one who does the investments and the one who does the, I forgot the word, the trading and the investments, or, yeah, there is the Chinese wall in between. And there, this is a really high risk, and then you should track it on a frequent basis. And
What is best practice from your perspective? That was the question. Or what do you see in
projects? I say, if there are some changes, so if it's event related, then if there are changes in the rights structure, then you should probably report it.
Okay. So event driven, event related. Any other view here?
Well, I think that best practices are mandated by standards and mandated by how dynamic your company is. So let's forget best practices. The way we see it is that there are companies that are hoping not to have violations or risks simply because they have defined a fantastic should-be model, and they say everything is fine: all the applications are connected, everyone gets the access right as per his role. But then the reality is different. So you need to detect that, and for detecting you need to have a model, and you check the access rights against that model. Whether you do that daily, hourly, weekly or monthly depends on how much you trust your organization and how much your organization changes. If you are in a very stable, operationally oriented company, eventually checking that on a weekly or monthly basis is enough; in a trading organization you could do that hourly, because that's the business changing requirement. So there is no best practice; it depends on the industry. The other piece is, have
You, sorry, just out of curiosity, have you seen an example where hourly collection takes place?
Of course, yes, of course, because, you know, it's so variable that it has to be detected in almost real time and mitigated. That means when there is a violation, we need to do something. When it comes to recertification, it is a way to eliminate, to reduce these violations. And when it comes to recertifications, companies subject to ISO 27001 are somehow mandated to do a global cleanup recertification at least once per year, but then they may be forced to do a focused cleanup based on the number of risks on a weekly basis. For example, we have a beer garden session tomorrow on risk-driven access certification. What is it? Simply a way to clean up when needed, and not when it's mandated by the godfather from the outside. Okay. So who's coming next?
Yeah. I think when you talk about best practice nowadays, whether there's really a best practice is something different. But how organizations are usually doing it is probably more periodically, whether that is daily or monthly, or yearly in some cases, or in a few cases hourly, I would say. Not necessarily, as I say, is it the best practice you should implement, because it all clearly relies on your risk and your needs there.
So then one question comes to my mind: if we did it very frequently, let's say even hourly or perhaps near time or real time even, what's actually then the difference between preventive and detective controls? Is there still a need to have preventive controls in place then?
Well, there are organizations that don't like to change the way they assign access rights. So not every organization is ready for a fully structured, Big Brother-oriented provisioning process, or not all the applications can manage that. So you are forced to use a detective approach instead of a preventive approach. Ideally you would like to prevent; in some cases you need to issue the ticket after the violation has been detected. And we see a lot of companies that have eventually deployed, they call it, "we have an identity management system"; in reality it's a provisioning tool that connects Active Directory and a few other applications, and probably 95% of the applications are not connected, not controlled, and they don't want to automate provisioning because they are too critical. In that case the only way to control is the detective approach, hourly, daily, weekly, whatever. Okay. Thank you. Very good answer.
Just my take on the earlier question here, or, yeah, covering that as well. I mean, of course, for the majority of corporations and the majority of cases and applications or resources, it's all good, you know, having regular, like annual, monthly or whatever reports in place. And when I talked about real time earlier, I mean, that's really very critical things with an unknown audience, or, you know, that kind of thing, and transactions and so forth. So I think most of the customers we see, obviously they're happy with having regular controls, whereas, you know, we as a software vendor have to cover also those high-risk, high-velocity customers, and we do it just by making everything business friendly and making sure we always have the data, that it can always be retrieved, and that certifications are getting out, you know, based on rules, whatever those rules are; the customer defines them, right,
based on their business requirements, based on their compliance requirements. And I think it's always also a combination of detective and preventive measures. I mean, it's a preventive measure if I have an annual risk audit, but I tell everybody everything's being recorded. So whatever you do, it will not be alerted immediately, but at the end of the year you'll be fired if we detect something. So that's preventive enough for most businesses, I would say, right? But then again, you have those really high-velocity, highly dynamic, you know, trading environments, with lots of money and so forth, and there you can't have it like that; there you have it event driven, right? So you want to make sure that if a role changes, or if anything changes that is really significant for business transactions, you don't want it to be detected only after an hour or whatever, because at that time the trader could have done things that bankrupt the company potentially. But those are only very few cases actually. So, I mean, it's always a trade-off, like always: what effort do you want to take and what risk is it that you want to prevent? But
Sometimes you only need one incident, right?
Sometimes one incident to make him rich.
Yeah. No. And what I like is the concept of time-based security. I don't know if you're familiar with that; it's a very simple concept that actually comes from the banking world, where you have the physical vaults. And we all know the physical vaults have preventive controls: you're not just walking into a bank and opening this locker and, you know, getting the gold bars or something like that. So those are the preventive controls, but we've all seen the movies: if you go in over the weekend and you drill a hole through this thick concrete wall and you get in there and you get all these lockers, and you don't have any detective controls that are monitoring, you walk away with the gold eventually as well. So there needs to be a balance between the two. And that's what, in very simple terms, the concept of time-based security comes from. And you can actually calculate the time you need to put in there to have the detective piece to make sure that you protect it at the right level.
So I like this comment about the balance. Obviously in high-risk applications you have to think about preventive controls, certainly, and obviously the detective measures then depend on what kind of preventive controls you already have implemented. Exactly. Exactly. Back to the audience. Are there further questions coming to your mind? No volunteer.
I hope we're not disturbing too much. Sorry. I hope we're not disturbing too much.
Okay. So let's make a last round of discussion. Where would you see this access governance, especially from a continuous monitoring and control and tracking perspective, going forward? So what is the end state? What is the final vision in that space, from your perspective?
I think it needs to start with awareness, you know, that organizations have a true understanding of their risk, and that is difficult. But I think that's the wahala, you know: if they really truly understand what they're trying to achieve and what their risk basis is, then we can, you know, have both preventive and detective measures put upon it. So that will be my wish, that organizations are truly getting an understanding of what their risk is.
You know, as we don't have as much marketing money as CA has, we cannot really, let's say, put a focus on the awareness part. But, you know, on the product capabilities: in general, what we see is that basically access governance is managing and detecting access risk; access risk is a component of IT risk. So theoretically every violation, the SoD violations or others that we detect, should be fed into the so-called IT GRC program or into the IT GRC tool that is capturing risk from us, but also from other types of tools that are collecting other types of risk. The problem is not the tool. Once you have fed a risk incident, what do you do about that? What are the actions? What's the follow-up? And, you know, I've seen a lot of companies that have built IT GRC, Archer being probably one of the biggest ones.
There they are doing the access governance project, but never thought about connecting and feeding the SoD violations into the IT GRC tool, where things like reviews and further assessments are part of the picture. And I think the first thing about awareness is to start connecting those two departments. It's a simple incident transfer, and try to do something out of the global IT GRC picture. So that's what I see. And when I started in this market, I thought it was quite obvious. It's still not there. And as I said at the beginning, there is not a single IT GRC vendor here. They don't see what we do, all of us. So aligning incident management processes, that is aligning the access risk with the IT GRC risk, well, sorry, with the IT risk managed by IT GRC implementations. Okay. Thank you.
What I think is that especially compliance and statutory requirements are getting much more intensive. So in the financial sector we have the BaFin in Germany; in the insurance area we have Solvency II coming up. And I think the companies have to focus on that a little bit more. They have to be aware of all the risks, and they have to be aware that they have to invest in tools, like I think what we all have, like, you know, implementing a tool that helps tracking risks, identifying risks, giving you a report, and continuously auditing all those risks that come up. That's what I
think. Okay. Thank you.
Yeah. I think that space is also evolving quickly, like other spaces: networking became simpler, software became simpler, everything. So I think we are coming from a world that was less dynamic and we are going into a world that is more dynamic, right, and that changes by the hour. And the software is actually adapting, slowly, but, you know, even big tankers like Oracle adapt their software and make it really agile. So, people, I mean, it used to be driven by IT administration, and it's now driven by the business, right, having business-friendly interfaces. So it is actually possible for people to certify, to be alerted while they're working with something else, for managers, or auditing stuff, for security stuff. So it's actually possible from a software point of view. And it's about time, because the environment is changing even quicker, right?
So people are moving; we have different job descriptions, we have people moving from one job to the other very quickly, we have people participating in projects and common projects and whatever. That may not be the case for everyone; I mean, we have lots of companies where people stay for years and so forth. But we also have very, very dynamic environments. So I think where it's going to end up, or not end up, I mean, it's never going to end up, but just-in-time auditing, like event driven, like ongoing, is really what's coming up, because it's absolutely necessary. And at some point we won't be able to do without it. That's what I think.
I think that was a good final comment. Thanks for your contribution here. I think this discussion also showed the maturity of access governance. When you think about two, three, four years back, I think we all had to convince people that access governance is needed and that it's not just provisioning and all that. Now I think that's bought by most people, and now we talk about, let's say, more mature processes, like ongoing tracking, like intelligence, et cetera, the new mobile world and environment, et cetera. And that is actually a sign of maturity. I take this. Thanks again for participating. I guess we have another 15 minutes now of break until the big sessions start again. So.