Good morning folks game here. Okay.
Okay.
So what I wanna do is spend a few minutes talking about, you know, how do you take the notion of cognitive analysis and, and put it into identity and access management.
So the impetus or, or the reason why we need to look at things, right? So let's take a look at that real quick. There's no point telling you guys what, anything about digital transformation. Most of you're going through that, the influx of mobile cloud IOT, you know, we talk about GDPR in this conference quite a bit. We also talk about blockchain.
So I'm not gonna spend a lot of time on that, but some of the things that we see are things like, you know, the requirement for specialized skills, right? We just heard a speaker talk about the, the specialized tools, which are necessary.
And, and in spite of all the good work they've done, still not sure it's a steroid to heaven or the highway to hell, right? It's a little bit scary. And part of it is because the sophistication in tools requires a lot of expertise.
Deployments are not simple. They are pretty complex, requires specialized skills to be able to go deploy that. The other thing is with the explosion of identities, whether it be, you know, yesterday we were hearing about IOT, we are talking about billions, right? If not millions explosion of identities, explosion of information, context becomes very relevant.
It's not about who has access to what it's about, who has access to what under what conditions and where they're using it for the right purpose. And for that, we need to understand not just the user or the role or, or what have you, but also where they're coming in from what are they trying to do, or have they done this before and be able to have that insight be able to make a better decision?
I mean, last but not the least is time, right? We don't have, you know, especially with the, the, the growing threat and fraud and, and some of the regulations coming through it's becomes important to do this in a, in a timely manner. We don't have a lot of time to go and do the analysis and come back and fix it. It's mostly real time.
If I, if I take a look at, you know, where we are in the market,
The skilled resources is always a shortage, right? There's, there's a lot more work to do than we have in a human beings, right?
And, and that's not, that's a problem in general, the notion of insight is, is continuing to grow in terms of how much information you're gonna get, and that needs to be analyzed and, and be able to put it to a, a appropriate use. And then time seems to be shrinking in terms of how fast the decisions need to be there, how fast you need to execute, how fast you need to go and, and react to things, even in things where you don't necessarily plan for.
So that's why we need to take a look at this problem, take a step back and take a look at this problem to see how can we apply some of the machine, learning some of the human knowledge and bring them together in a manner that can solve some of these problems
Today, as we work, we, we typically look for a, a lot of data, right? This is traditional data, which is coming from logs, which is coming from audit events, which is coming from some of the activity, user activity or behavior activity, et cetera.
But that's only the tip of the iceberg, but behind that, there's a whole bunch of universe of knowledge. In fact, yesterday, I think Ian was talking about, it took him 17 years to, to get to where he was. And most of us have about 10 to 15 years of experience in terms of how we've become experts in this space. Right?
And the thinking over here is could we supply this entire information, both the, you know, the, the traditional data, as well as some of the human generated data, which is in blogs and wikis and, you know, conferences like this, where, where I go talk to one of you guys, and I learn something and put that to use with my next customer, all of that information. If you can feed that to a machine, then it becomes really, really powerful and starts to act like a human being.
So when we look at, you know, how do we, how do we look at these problems and take a look at, in the rear view mirror, right? It's, it's a natural progression of, you know, what we've been doing, you know, we've started with, how do we increase? How do we get more insights with simple searches or simple, you know, pattern recognition or some of the analytics. The next generation is what we call cognitive analysis. This is where I think you can continue to do most of your analytics, which is machine learning, but add to it, the, the human generated knowledge.
That's when you get some of the cognitive analysis and cognitive systems, what is cognitive though? Right? It is a buzzword. I get that. So just to make sure that we distill it down and, and give you some key takeaway points. The first thing about cognitive is domain knowledge.
The reason why, you know, we are a little bit of expert have the expertise in this area is because we have the domain knowledge. We have the subject matter expertise in this, and that has come over the years of learning and understanding.
So the first thing of a cognitive system and a cognitive analysis is be able to have the domain knowledge. The second thing is, how do I get that domain knowledge? I get it through reading structured, as well as non-structured conversations, being able to have a discussion, being able to have an experience of deployments. And that's all kind of embodies itself into what we call the natural language processing, right? This is where we need to be able to have a mechanism, to have what I call interaction with another cognitive system, like a human being, right? The third one is learning, right?
It's just like a child when the child grows up and then you're teaching them more and more. You teach them, the child starts to learn. And over a period of time, they start making on the decisions and, and you need to look at cognitive system the same way. It takes time to teach them. It takes time to teach the system. And once you teach the system, it learns and then it can use deductive reasoning to then start making insightful decisions. That's how we kind of define the cognitive systems today.
So one of the key myths is, you know, usually cognitive systems is, is combined or at least used as, okay, it's another machine learning. Yes, there is machine learning, but it's bottom of the list, right? There's a lot more things which need to happen to make it cognitive things like, like I said, domain, the ability to learn some of the interactions with other cognitive systems like national language, things being unbiased, which makes it slightly better than, you know, human beings at, at certain points and be able to do some trade off analytics.
So just to give you a peak, right, at a, a scenario, an application of this. So this is a typical it environment, you know, could be most of your customers that you work with and customers in the room, it's maybe similar to what you have within your environment.
In a, in a, in a typical environment, you've got users you've got, and users have some traits associated with that, right?
Where they're coming from, what devices they're coming from, their personalities. And then there's context in terms of the network and, and devices they come from. And the applications and data feels a little bit complex, but this is, this is a today's environment of how you have to look at it environments.
Now, if you take all of these and, and put a little bit of analysis, even if you try to bring them together and understand logs and understand some of the audit events and, and things like that, you start to harvest some good information, like starting to understand inventory, right? Who are my users? What are my applications? And that's a good thing, right?
And as well as, you know, if you start applying some of the business context even better, right, you start to understand, you know, who's accessing what application and should they be accessing or not where cognitive analysis goes is it takes one step behind where it adds some of the human generated knowledge.
And when you put the analysis next to it, that's when you start seeing some new scenarios, new scenarios of how do I now provide a common way of making sure my it and line of business are aligned one of the fundamental problems for IAM deployments, right?
How do I go and report in a manner that is applicable on both sides of the equations, make it relevant for the CISO communication, both at the business level, as well as the it level, as well as it starts to help some of the stakeholders in doing their job. Things like, you know, managers, typically managers have to go and do certification as an example. So if you don't have some level of control on that, it could easily turn into what we refer to in an industry called rubber stamping. That means if I don't understand it, I basically say approve, right?
So this is where you can start influencing that by some decision making. So let me give a, a quick example or two to, to make sure that point resonates.
So here's an example of some of the, the, the work that we've done to take the information of logs and audit and combine it with some of the, the data to be able to then draw some insightful data points, right? This is if you have an existing environment, how can you quickly say, okay, who are my risky users right.
Quickly, and be able to, that doesn't mean they're bad malicious or non-malicious right. Sometimes it could be as simple as I go click on something, which could be a fishing attack that could result in a, in a malware, in my system that could then launch something to a privileged access, which has sensitive data. Right?
So, but identifying those as an important thing, identifying the applications is an important thing. And identifying some of the specific IM functions like the entitlements, when was the last time we ever did entitlements review for this, right? Who are the people who have over privileges, who are the people who are under privileges, you start getting some of the information, and then you can take the appropriate action based on some of the risk that you may have within the environment.
And the action could be, you know, either drive a campaign or either do some, you know, context based access or drive a workflow through your service management. You know, those are different actions that you could take.
Another example is, you know, a, a, a fairly standard process that most of us go through is called certification. Making sure that contractors have access to the right applications or employees have access to the right application, et cetera.
And being able to do that periodically to demonstrate compliance to the business and be able to drive some of the regulatory requirements. So a screen like this typically can be mundane or boarding where you could say, yep, approve, approve, approve. But then if you start annotating that screen, or with some of the risk information, as well as decisions from some of the cognitive cognitive analysis, that's when it's gonna become really powerful to be able to say, well, usually I approve. It's telling me that James Martin should be rejected because the risk is really high.
So I can choose to listen to the system and the machine and just go take the decision, or I can go and, and do a deeper look into that and says, why is the system telling me that we should reject James Martin or disapprove that or saying that because he's got way too many entitlements, he's different from his peer groups, he has misused some of this information.
And by the way, if I look at the historical analysis, people with similar type of entitlements and others have been rejected in the past.
So you can think about this type of scenarios as a way to not just I'm showing the positive use case, right? You can also look at it as how do I know restrict the screen so that I don't even show anything, which is less than 50 as an example, I can only show the top five, which are more than 50% for somebody to review and approve or disapprove that way. You're not only, you know, saving a, a lot of time in terms of looking through hundreds of certification, but also making sure that it is very contextual in nature.
So these are some of the examples of how you can apply cognitive analysis to IAM.
So, as I summarize couple of things, right? One is we've got a lot of data, which is, which is important. And we've got IAM, especially spending a lot of time in pouring through the data and doing analysis, either demonstrating, compliance, or being able to figure out how to influence the policies.
I think what we are saying is if you take some of the existing information and combine with some of the human generated information, which is out there best practices, some of the learnings that we have done in the industry over a period of time conferences like this, right, where some, some of you may blog and based on your experience on what you've learned over here, right? Being able to take all of that, harvest that information and combine with the analytics, then you get really, really interesting results out of that.
A Ty back to the original problem, one of the results is to decrease the need for specialized skills, right? Instead of having to understand the, the specific details of each and every, you know, product and or understanding, you know, what it does, being able to have a, a machine, give you a suggestion, and it then becomes a question of approving or disapproving what the machine is giving you based on the evidence, of course, right?
You can't, you can't just take for the face value, but let it present the evidence. And then based on that, you can make a decision. And that's not specific to the access certification example that I was giving you. That's just one example. You can apply that to risk based access when you're doing single sign-on based on context from mobile device to some of the SaaS applications, how do you take some of the behaviors as well as other context, to, to influence that experience.
There's a whole bunch of insights that you can get.
It's not just, you know, it's a true embodiment of one plus one equals three, right? Where it's the, it's the, the data which is available to you, the business context, which can be derived both from, within the organization as an external, and as the market context, when you put that together, you get a really, really good insight, right? You may be qualified to be a, in a role to get an application, but based on external evidence, I may not be suitable because I may, I may have a credit score, which is really bad. I may have a, a police record.
I may have other bad things going on, and that will influence how that contractor should be treated for you within your organization. That's where the power comes from. And the last one is, you know, the, the cost and time, right? End of the day, I think, you know, we are trying to figure out how to harvest this information in a timely manner so that you're not spending time, whether it is analysis, whether it's decisions, whether it's demonstrating compliance, whether it is demonstrating some of the remediation aspects, most of those would be reduced because of some of the cognition work.
So that's all I had just to give you a quick introduction to what it is, how it can be used, any questions,
Thank you, shear. There are a number of questions. Okay. Let's start with the first one, this three votes, risk valuations, ideally, a business task, depending on the value of assets processes are to the business.
So, so actually risk valuation is, is two people's task. You have the valuation of the, of, of the potential damage coming from the business and the probability coming from the technical people, whether the risk is actually occurring, but the second part, where do we get information from?
So it's, it's a, like you said, it it's a two part problem, right? I mean, it's two part in multiple dimensions.
One is, it's a, it's a top down approach in terms of how do you take some of the models, whether CMU has come up with a good model, N has come up with the model COVID has come up with the model. How do you take that and, and use your Analyst to come up with the risk model and the bottom up approach of how do you then harvest in information and come up with the appropriate mapping to that, to be able to then do this coding basically. Right. And the interesting thing is, as we've been looking at this risk is just one example I was using. What we've learned is there's no one size fits all.
It's basically depends on what is your level of risk. So end of the day, I may come up with a model. I may learn something from the environment, but you could then go tight rate what percentage you can weigh that and influence the overall risk score. Okay. Right.
Let's pick the other question I pick pushed up to the top. It what's timeframe. Can we see cognitive analysis and commercial products?
I mean, the question is at a larger scale,
Right? So, yeah. So I think in, you know, we, we absolutely have cognitive systems available in the market today. And I think I, wasn't planning to talk about Amy at the IBM stuff, you know, but I'm sure most of your inundated with the IBM Watson ads. So those are available. The APIs are available for you to harvest and work with and develop applications.
We, as a product group within IBM have already leveraged that for the security. And we've been doing it for finding threats and, and fraud. And we are applying that to identity and access management, as you, as you've seen with this course. Right. So I can see the maturity come through in about a year or so, where you'll start with some of the basic scenarios. And then in the true spirit of cognition, you continue to learn and evolve and grow and get more insights.
And one, pick one third, can you apply cognitive analysis to learn risk from scoring for systems, roles, and accounts instead of human work to learn risk scoring from systems, roles, and accounts?
Yeah, for sure. For sure. I think what I was trying to say human is in, in, I was trying to take two spectrums, right? One is machine and one is human. And I was trying to draw those two things. But in general, it is a framework typically, right? And the framework is consists of number of different risk models that could come top down. Cognitive analysis is one aspect.
You as a human being, being able to say that for me, right? Like a healthcare institution, having my personal identified information may be a lot more risky than let's say a, a, a financial application where bank information may be a lot more risky. So it depends on how you titrate that and that risk models are something that you can define, or you can go and derive it from a different system. So obviously it's a framework that can, you can not only provide input, consume input, but as well as tight rate, how much and how you wanna work with.
And I would like to transform the fourth one, and then we finish. Okay. Because of time, can you identify fake news with Watson?
Good question.
Yes and no. Right. I think what Watson over a period of time. Yes. Right. So as you start, you know, there is in fact if most of you have browsers, right. Take a look at something called Watson Explorer, right. Just Google Watson Explorer. And all of a sudden, you see this big spider and put in your search words and you'll see everything there is to know about that search word. And you can then go and gather information.
And it, it does a really good job of a graph database right now, as it do, does that we can start putting, providing some ranking on who are the valid sources, who are not the valid sources, so that it can start giving some confidence levels on whether a sources, a higher level or a lower level. And it then becomes how much you want to put your weightage on that to consume who
Pay, who weighs.
I mean, who puts the weights? I mean, if, if you have too many people that believe in fake news, that it seems to become truth,
Right?
So, so for us, for the Watson Explorer, what we've done done is we look at the sources. If the source is legitimate, if it is wetted out, we have a higher level of reputation. If the source is non repeated, you know, news from a Twitter feed is not, not authoritative, right. It also becomes, you know, some of how sensitive it is, you know, what type of keywords you're looking for, what type of knee F writers and Thompsons are much higher than maybe some other star news in LA, which is doing gossip magazine. Right. Okay. Thank.
