Event Recording

Panel | IGA for Successfully Managed Identities

So this panel will focus on IGA capabilities for identity-centric security, to challenge legacy IGA, and get insights on reducing security risk, strengthening compliance, and improving efficiency with a modern, future-oriented approach. So could the panel members please introduce themselves, say which organizations you're from, and maybe give a brief opening statement.
My name's Rod Simmonds. I'm the VP of Product Strategy at oh, we are a vendor that focuses heavily on IGA and
Yeah. Hi, my name is ya, Patrick. First, I'm a senior solution engineer ATS, and yeah, happy to discuss these topics with you today.
Great. Thanks. Well, at least we won't have so many competing ideas. Alright. What is driving the trend to switch to identity-centric security? So perhaps just give an idea of what your understanding of identity-centric security is and what you think is driving the trend in that direction.
Yeah. So what we basically see is that if you have a look into companies, you have to focus also on a basic risk approach on identities, so you can judge basically every employee not the same way as you may have done in the past. So you should have a view on these kinds of identities, like, okay, is that a high-privileged user? So we discussed that in the privileged panel here, so privileged access. So I see it a bit differently. The focus is basically what kind of risk that user has for the company. So how could he harm the business? And based on this, shall I treat him differently in the approval workflow? For example, shall I do more recertifications for that kind of user? And that's basically the view we have here.
Yeah. And I echo everything you said, because it's spot on. But in addition, I think we all realized the method that we were taking for security in the past really didn't work. If I asked everybody to raise your hand if you've got the email saying your data was involved in a security breach, everybody throws their hand up. And if I say, leave your hand up if your data was involved in a security breach multiple times, everybody's hand would be up. And that's the challenge we've dealt with: the way we were trying to protect user data just didn't work in the past. If we wanna take a different approach, it really is starting with identity, because the reason why we need to take an identity-centric approach is that every attacker focuses on getting accounts. And then from there, as we heard in, I guess, any PAM session, they'll talk about pivoting, or if you were listening to the guys from elusive, they talk about an attacker, once again, getting an account and pivoting and moving laterally through your organization. And if we treat each identity uniquely, it allows us to prevent an attacker from getting in and moving laterally throughout our organizations.
So what's your business use case, though? If you were pitching for extra investment to adopt a more identity-centric approach, what would be your case to the business, to say, well, look, I think we should go this way because these are gonna be the business benefits?
So we're both IGA vendors, we're competitors, if you didn't notice. But I think the challenge that most people have when they start with an IGA project and they're trying to go down this pathway is that they look at identity governance as, oh gosh, we gotta do this. Let's just check that box: we've attached governance. I think, at least from our standpoint at AADA, where we found the most success with customers is when they recognize that, yes, we have to check the box to say we met GDPR, SOX, or whatever the compliance requirements are; however, we are using this to enable better security within our organization. So as soon as the customer pivots and they look to say that they're taking it from a security approach, money within the organization usually flows, versus just saying we have to do regulatory compliance, because likely your CEO is saying, I barely wanna do ISO compliance, I barely wanna do SOC 2 Type 2 or whatever it is you're dealing with. They don't wanna spend any more money on it, but they do wanna spend money on security. And the reason why is because they don't wanna be the next company that has a big data breach and has to explain to their customers how they didn't properly protect them. So from my standpoint, it's tying it back to security and truly enabling it from a security perspective, versus the BS checkbox that people tend to go through. That's worked for us.
Yeah. So I can basically add to that also that you shouldn't do this kind of rubber stamping as well. So if you look at these identities, the thing is, how do you handle them? Is everyone treated the same? How do I handle them based on criteria? And that means, for example, recertification campaigns: you can do them every six months, but if you just do a bulk approval, well, you haven't achieved anything from a security perspective. Well, you're compliant, well done. So that's the thing. So how can I approach this now from an identity-centric view? That means I make my managers aware: okay, this is a critical user, this is something you should review maybe every three months. And it's only a subset of users. It's maybe just three or four people of a team, and not the complete team or a complete department or anything like that. So this basically allows better security, but also having a compliance check on that.
So I asked you what the business cases were. So what would you be making business cases for? What IGA capabilities are required to support an identity-centric security approach? What would be the kinds of investments that you would be making business cases for?
Well, let's say that the standard IGA approach has somehow already been solved. It's like joiner-mover-leaver, recertification components. That's something, yeah, well, let's say every vendor can do. So yes, we are two different vendors, but we all do the joiner-mover-leaver approach, we do recertifications, yes. But the thing is, how do we approach the business, and how can we handle these kinds of data, and how can I make life easier for such a user? And that's the thing. How is the user story? How is the environment created? Is it a hybrid approach? Do we go into the cloud? So those kinds of things are really relevant, also digital transformation. So those kinds of drivers you have to tackle from that perspective, and not just saying, oh, I need a feature called joiner-mover-leaver. It's more like, where are we? Where do we want to go? And what is our goal in the long term?
So again, totally agree. I think the biggest challenge you have is, anybody in here doing identity governance, like on a day-to-day basis, how popular are you in your organization? Everybody loves you. They love the certification campaigns. Yeah, exactly. No one wants to do it. I'm a vendor, I'm telling you customers don't wanna do governance. They hate it because it's not their day-to-day job. So the way you solve it is trying to make it easier for the user. And the only way you make it easier for the user is to surface the information they need at the time they need to make decisions. The reality within governance is that for most people, they might do a certification campaign once a year. So your IT group forces you, when you adopt an application, to train the users on how to do this. But if they only do it once a year, it's net new every single time.
And that's the challenge you're dealing with. So from a vendor standpoint, whether it be us, saving it, or any other identity governance vendor, the problem we need to address for you and the community is trying to surface information that makes it easier for the users to make decisions, and intuitive, because did anybody take a training class on how to buy stuff on Amazon? I didn't, but I buy a whole lot. And that's what they need with identity governance: a solution that's so intuitive that you don't have to train them, because they can just figure out how to use it. If you ask what the challenges are that we deal with in the marketplace, it's fundamentally that.
But you guys have been talking about JML, and that's looking very much at the in-house workforce. But haven't we moved beyond that? We're evolving beyond that; we need to look beyond the immediate workforce. I mean, there are partners and consumers and so on. So what are these other challenges that the old paradigm is not addressing, and how can an identity-centric approach address those things?
Absolutely. Right. So that's the thing. So IG is one part of the complete security story. So the thing is, what do I need to tackle next is also a question to customers, like privileged access management. Yeah, we have heard that some see that privileges are not that relevant, but if you have a certain situation, you need full admin access to a, yeah, virtual machine or your application. That's not something you have in general. It's something you need for that moment. And that means you need that high privilege, which you normally don't use. So this is something you have to address as well. External identities as well, but what about IoT instances, workloads in the cloud? So how do I govern these kinds of, let's say, silicon identities? So how do they access other applications? How are these permissions reviewed? We have seen that, for example, in the SolarWinds attack. So that's something where we've seen that this kind of application had an impact on so many things, because it was everywhere. They had access to other instances because, yeah, they introduced or got into the build chain, but that means something was open. It was a technical process. So someone has not governed that process. There was something where someone got into that, and it was not a user. So these kinds of identities also have to be handled. And that's a challenge, I see.
So we're now poking a bit at the problem space. And I'm also thinking of things like RPA, where there are nonhuman entities now becoming increasingly involved. So again, can you give us a practical idea of how an identity-centric approach can support this kind of expanding universe, almost?
Yeah, I think it, obviously, as we were saying earlier, starts with treating each type of entity slightly differently. So one example would be when I think about users: their behavior is chaotic, and I have to anticipate chaotic behavior. I'm on a plane. I'm currently here in Berlin. I'll be in Paris in a couple weeks. I'll be in Denmark a couple weeks right after that. So my behavior is very hard to track. When you start thinking about an application account, a service account, a non-human identity, they have very predictable behavior. Whether it be every 15 minutes, I expect this process to kick off from this one location and initiate behavior. That's very easy to track and manage, whether you're going with certificate-based authentication, whatever you wanna do around that, but it is approaching each one slightly differently, and how you're gonna actually manage those.
Okay. So one of the cases that one of our online audience members is asking about is: how do you suggest getting full customer buy-in for something like a recertification campaign?
So what I've seen basically in the past, so I've worked as a consultant as well at various places, and the really big challenge is if you present a recertification campaign to a manager saying, do a recertification based on the technical name of an entitlement. And at that moment, they're like, accept, I dunno what that is. So that's the thing. So you have to bring more context to it, to make it really easy for the manager: is it risky access? Is it a risky entitlement? And then also compare that back to the peer group of that user, because he has colleagues. And based on that data, you can then predict, is that a standard entitlement for that kind of role, or is it not, or has it been used in a malicious attack, SoD violations, anything like that? So you basically need this kind of context, and you don't need the entitlement name in the target application. So that's something where I can get better buy-in from a manager to understand, yes, it's risky, or it's not risky. And then I achieve that from that perspective.
Yeah. I think the problem starts with the inception of the system. I think we're probably sitting in a room with a bunch of intelligent people that do very stupid things when we implement products. No offense to anybody, but typically the reason why resources are named super technical is because we didn't involve the business owners, and that person who has to make the decision at that point is looking at a resource saying, I have no idea what this resource is. I don't know what it governs access to. What they're like is: I know what my J drive is, because you've mapped that for me, and I come in in the morning and it's always J. It's very simple for the users. But I think the biggest problem is, again, at the very start of any project. We have a thing called identity process plus, which essentially brings the business people to the table and helps you name those resources properly, so that you can actually move through the process.
So when I need to do certification, it can be simple. And more importantly, the worst certification campaign you do is when someone gets 2,500 questions. A certification campaign should never, for any individual at one point in time, contain more than about 20 to 25 questions. So it's trying to think and be smart for the end user as to who has to do that certification, because most people are fine saying, we need you to take this responsibility to attest that this person needs access. The bigger challenge you tend to run into is when they're like, I don't know what it is, I don't know who these people are. And I think, as you said, surfacing up the context you need, about peer access analysis and saying, these peers have access, they're actually using the access you granted, whether or not it's sensitive data, all of that stuff feeds into the process.
Okay. So we've started poking at some of the issues and some approaches. Are there any questions in the room, so that we can get a more interactive conversation going here? So it's not all on our two panel members. So is there anyone in the room?
I got a question if that's okay.
Great. Paul, welcome to the party.
Tricky one. In the previous session, one of the speakers suggested that privileged access management is potentially a thing of the past, because in the future everything is possibly, oh, so you're answering the, so to do that, though, would suggest that we need a high level of accuracy and just-in-time processes to create a situation where you think we won't have anything that's privileged anymore, but everybody just gets access for when they need it, and then it's shut down. So what's your view?
Yeah. I don't believe that one. Okay. You guys have a PAM product, right? Yeah. So I've worked at two PAM vendors in my history. I've worked at one company called Quest Software. They did privileged access management. They had a vault. And I've worked at another company called BeyondTrust. They had a vault, privileged access management, Unix, the whole nine yards. The key challenge you deal with with privileged access is that at some point in time, someone might be at a Unix terminal, for example, and need root for a very specific, finite task, which one might argue, well, that's policy driven, but I still need root. And I need something to manage and delegate that root access to me when I need it. Other times you have accounts that are nameless, and they need to be put into a credential vault and have the credential scrambled. More importantly, I would guarantee you, if we ran security products against most environments, no one has to admit it, but you likely have passwords in your environment that are active and running for a decade or more. That problem doesn't go away without using PAM products that go out and can automate scrambling credentials. Because one, we suck at passwords, and we also suck at changing them. So I don't see PAM products going away anytime soon.
Yeah. So I agree with most of it. So the thing is, you should definitely try to reduce the attack surface. So in the industry, I also worked for another PAM vendor, so called a so that's the thing
Of all. Yeah, we have all off on stage. So the thing is, you should basically try to reduce the surface of the attack vectors. So that means reduce the number of accounts, but some of these accounts are still there. You cannot delete them. So you have to treat them. So you mentioned the root account, absolutely, network devices, those kinds of things. But also if you look into the cloud, there are also these kinds of accounts, but you should try then to go more from a user perspective into the just-in-time access approach, and just enough. And just imagine you have a Saturday night, you get called out for an emergency. Something is not working, and now someone has to prove it, and you cannot wait for something, and you have to react on that. Yeah. In an ideal world, it would be easy that a system could tell me,
Yeah, you're allowed to do it, but it would be great also to have governance on that. And I guess most of the companies have to guarantee that there was a governance process for that. So I guess that just-in-time access in that moment is the best approach. First of all, to create this account for that particular moment, having a small review on that, calling everyone's attention: this user has been used, it's a critical user, firefighter role, anything like that, get into position and get that sorted. And that's something we do as a S company, for example, with our PAM products.
Okay. Before I ask the panelists to wrap up, one last chance, if there are any burning questions in the room. Yes? No? Okay. Okay, gentlemen, in an ideal world, you used the expression earlier, what does IGA for successfully managed identities across the whole spectrum we've been talking about look like?
Wow, that's a broad question.
I did say wrapping it up.
Yeah. I think we've all seen the big wheel, whether from whomever it's from, KuppingerCole, when they come up with their wheel of all the different elements that are involved in an identity project. Honestly, I think whether you're looking at human-based identities, machine-based identities, cloud-based identities, if you're doing Kim or whatever you're jumping into, it's really just following around the wheel and making sure that you cover it, because again, no one wants to do governance, and you have to do it. So you wanna make sure that you get from joiner-mover-leaver at the very front end, provisioning and managing your systems. But at the end, if you work your way around the wheel, you realize that at the end we always talk about audit. You wanna make sure that you can meet the audit requirement at the end, so that at the end of the day, you want the reports to come out that say we're doing the right things up front. So map it to your business process and just follow all the documents you can get from every single analyst firm out here that talks about what's involved in a good program, and follow best practices. To me, that's the most important: that you follow best practices and bring the right people to the table with the project. And it's not IT and only IT.
And last we're young.
Yeah. I agree with that. So it's good to have that full view of all identities, but also keep in mind usability, which is quite important. So don't spend too much time basically sending these recertifications every six months with all the users or all the entitlements. So focus on things which are risky. And then, based on the risk, decide what is important for the business, what we need to secure, and make sure that all the identities are governed in the right way.
Thank you very much, gentlemen, please show your appreciation.