Event Recording

Trimming down User Access Governance to its Essentials

Log in and watch the full video!

Securing access to data and applications has become a cornerstone of any modern cybersecurity strategy.

In the IAM market, user access governance projects have a history of incurring multi-year roll-outs and requiring specialized personnel, making many companies shy away and bear excessive cyber risk.

In this space, Elimity tries to break the status quo. As an innovator, Elimity provides a data-driven platform that specifically offers the essentials for user access governance: automated data collection, holistic risk analytics and user-friendly access reviews integrated with ITSM. As a result, the platform lets companies achieve mature access governance in a matter of days, not months.

In this session, Maarten will give an overview of the essentials of user access governance, showcase the Elimity platform and how it is successfully applied in practice.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Thank you for the introduction. As, as he said, my name is Martin. I have originally a background in cybersecurity and now I'm co-founder of the startup called and we provide a new platform for governing who can access what mainly from the point of view of cybersecurity. And that's because I strongly believe that if you look at that problem from a background of cybersecurity, then we can do things better than we have been doing so far. So what does identity governance has to do, have to do with cybersecurity? This is probably the 10th time that you're hearing this today, but cybersecurity used to be about the corporate perimeter. Then cloud came in saws applications, collaboration with other parties, bring your own device policies COVID so that model has been completely obliterated. And right now the only piece that still stands that still connects all the pieces in your it landscape that's that's identity, your users, and their permissions across your applications, your systems, your databases, your, your environment sense.
And that's why every modern cybersecurity strategy. Definitely. If you look at the zero trust way of thinking, incorporate stuff like multifactor authentications, single sign on, and from the point of identity governance, it's about applying least privilege. The goal is then to ensure that only the right people have the level of access to the right resources, that's least privilege. That's the goal security goal of identity governance. And I've added a small sentence there as fast and at the lowest cost possible, because in, in my opinion, that's where security first identity governance starts to defer from what we traditionally do in identity governance. If you look at everything that we've heard today, and, and yesterday in this track, then something went wrong with the slider, but okay, then the focus of 90% of the IGA projects and programs out there is to optimize costs and improve efficiency.
It's about lowering the, the, the pressure on the, the he desk about password reset. It's about making sure that even though you have a complex it environment, that a new employee can start on day one and not after two months. And it then involves stuff like your role model, like setting up an IGA suite, automate provisioning in your most important applications, like setting up a cell service, help desk Porwal and a password reset. Porwal it quickly becomes a lot. And that's fine. If, if your goal is to optimize costs and improve efficiency, because the world without structured identity governance for these types of companies would be far worse. So by all means keep doing this, but not everybody is looking for that. If I, I talk to more and more companies that deliberately are not looking for this, if I talk to let's say a 5,000 person logistics company that has to, that has to prove that they're in control of who can do what, because a Fama customer asks them to.
Or if I talk to a 200 person bank that has to adhere to the same regulations as a major bank, but with a far smaller budget or a 3000 person material company that just wants to strengthen its internal security, then none of these parties are looking for a multi-year multimillion, IGA project or program. What they do want is to quickly prove that tearing control. They want to know that that who has admin credentials. They want to know who can access personal identifiable information for GDPR. They want to know that there are no accounts lying around of people who already left the company. They want these accesses to be reviewed from time to time and unnecessary stuff to be cleaned up. That's what they want and above. They want this as fast as possible and at the lowest cost possible. And that's exactly why we started very briefly about the company we help.
We help companies take control over who can access what without has. That means that we are no nonsense experts with a no nonsense approach and a no nonsense platform. And at no nonsense approach that focuses on the essentials of user access governance. At least according to me, those essentials, it's about first creating visibility. You want to understand and have a central view of your users and their permissions across any application and data source. Then you want to review this. So you want to see, oh, that, that shouldn't be there. That's that those are too much permissions for this person. He shouldn't have admin credentials act upon this, remove all of this and monitor over time. So you get notified. If something changed that's again, violates your policies and all of that based on the actual data of the users, the accounts and permissions in your system. So make data driven decisions.
If you focus on this visibility first, then you get to what we call the security first IGA journey. And it's a bit reverse in some points and a traditional IGA journey because this focuses on cyber security return on investment first. And we typically take it in, in three major steps. First, identify access risks, review these address violations and get notified of new violations in order to take control or for many companies these days take back control and only then start thinking about consolidating control with which I mean define your role model for the whole organization of the defined separation of duty policies. Ideally based on the same data that you gathered while taking control, and then also introduce governance processes and only then focus on optimizing control by automating provisioning. The goal of this way of thinking is focus on return on investment in terms of cybersecurity, lowering your risk and pushing the, the heavy, complex and risky investments forward in time to rise on the slides
Regarding these access risks. We typically work with with eight categories of key risk indicators. We've built this framework based on, on, on things like ISO 27,001 and, and SOC two and stuff like that. It talks about orphaned accounts, privileged accounts, access accumulation. I won't go into the details here. I only have have 10 minutes, but there's an excellent guide on our website about these key risk indicators. If you want to know more then of course, what I said at the start we provide our own platform to support is efficiently. And that focuses on the same four essential building box as before. And this I know complex slide, but more bit more technical slide, but that's because we noticed that a major hurdle for starting this roadmap for starting this journey for many companies is gathering the actual data into one pain of loss. And that's why we spent quite some engineering effort in making this hurdle as low as possible with very typical to our, to our branch out of the box connectors for the usual suspects like active Azure ad Salesforce, Octa, and so on.
But on the other hand also CSV and file-based export import functionality, because if you just want to review data, once every three months, don't spend time on costly integrations, just have an admin, do this once, create a query uploaded and have the data linked to the rest. And then there's an open API in the middle to create any integration that you want. And what we then typically work towards is to start from the point of view of the employees. That's by far the most interesting view, if I talk to our customers. So you want from your HR system, the list of all the employees, then link this to all the users and their permissions in your different systems, your different repositories, your different environments and your different and your different systems. Once you have that, understand who can do what digging into the details, but also domain specific analytics, like for example, peer review, what we often see is if you make this chart of, of a single team, that there are always people that can do way more than that direct colleagues is mostly is a result of them moving horizontally throughout the organization and never being revoked their permission.
So definitely cleaned that up and also work with key risk indicators that the controls that I talked about before, so we can see where there are. So, so we can highlight whether admin accounts or accounts that haven't been logged into in, in more than six months and stuff like that.
Step three, review this access either in the views that I showed before, or by launching a re-certification campaign to involve application owners, team leaders very important for many of the major frameworks out there. And if someone indicates that something should be removed or revoked automatically send a ticket to ServiceNow or GI, whatever you use to actually create a change request. And you can act upon this, this takes the heavy lifting out of the whole process of identity governance. And eventually you come to the point that if you automate data imports, you can actually follow up over time that you're actually improving that your risk is actually going down and that you're proven in control. Those are the four essential building books and how we support it in the platform. Finally, we, we wrap this up in one sales platform, so transparent pricing and no setup costs is the final slide. Well, 10 minutes, I think. So that's what we mean with security, first identity governance and how we support it. Very brief somebody from my point, if you're interested to learn more, there's an excellent guide on how to prove that you're in control and I use screening and so on all here or come talk to me after the presentation. Thank you very much. Thanks.

Stay Connected

KuppingerCole on social media

Related Videos

Analyst Chat

Analyst Chat #152: How to Measure a Market

Research Analyst Marina Iantorno works on determining market sizing data as a service for vendors, service providers, but especially for investors. She joins Matthias to explain key terms and metrics and how this information can be leveraged for a variety of decision-making processes.

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

Event Recording

Effects of Malware Hunting in Cloud Environments

Webinar Recording

Advanced Authorization in a Web 3.0 World

Business and just about every other kind of interaction is moving online, with billions of people, connected devices, machines, and bots sharing data via the internet. Consequently, managing who and what has access to what in what context, is extremely challenging. Business success depends…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00