Event Recording

Dealing with Multi-Cloud, Multi-Hybrid, Multi-Identity: Recommendations from the Field

Thank you, Martin. Yeah, I think most people are seated. To give them 30 seconds more, I started with explaining: I'm leading the advisory team within KuppingerCole Analysts. And so the idea was to share some insights into what we see on a generic angle with our customers and with the market in general. And this is something that I want to share with you at a very high level, but to show trends and tendencies that we see are going on. Yeah. Starting with the not so new reality. So what we see, and if you've been at CSLS in Berlin last year in November, I used some of these slides to give an outlook, a prediction of what things would look like. And I could reuse them because things have changed and people have adapted some of the stuff that I've been talking about.
So the not so new reality is that we need to understand that our IT and IAM infrastructure has or have changed substantially. And if we look at this, I think the most important sentence is above: your IT is hybrid and multi-cloud. It is right now, they have to deal with it. So we are dealing with the current challenge. I'm not talking as an analyst about preparing for an upcoming trend. It's there, deal with it. We have these and potentially much more individual platforms where we implement infrastructure upon. We still have our on-premise data centers. We have lots of cloud: software as a service, platform as a service, identity as a service. And we have computing and we have potentially more that I missed out.
And on top of this or using this, we have all of this and more. We have agile IT, we have DevOps, we have dynamic automatic scaling and orchestrated virtualized platforms. And we have that across all these green boxes because a container can run anywhere and it can be operated anywhere. That means we have to have short-lived entities, networks, instances for scaling services up and down, for making sure that they have entitlements in there. We have, of course, across all these platforms and through all these dynamically generated platforms, users, privileged users, system accounts, whatever. We need to have governance and auditing. And we have to have data access governance across these platforms. So this is the reality and that is what we have to deal with. What are the tasks? All of those and more. So we need to understand our identities. We need to manage them.
We need to manage the entitlements, which is the combination of, yeah, a user, an account and an access right. We have to use time limitation for access to make sure that access is only given for the time required, and all these tasks that we need to implement. I don't read them out, but I think the most important point to achieve all of these across all these platforms, across all these tasks, is number eight: it's automation. It's making sure that you get to a process that moves away from manual administration towards doing the right thing through policies and automation that implements that for you, or you implement that through automation.
I suggested way back then that we have an integrated, broader approach when it comes to using the right tools. And as of now, and we have that in the panel as well, we have different systems for different tasks and we need interoperability. So we need the traditional identity and access management. So dealing and understanding the identities over their lifecycle, whatever the lifecycle is and whatever the identity is. Could be an employee, it could be a customer, consumer, could be an OT device, could be a sensor and could be an ephemeral short-lived instance of a cloud service running somewhere. And these life cycles need to be well understood and reflected in identity and access management. And that needs to be governed by identity governance and administration services that take care that you not only do things right, but that you can prove you do things right, and that you have evidence for that. For all these privileged accounts we need to integrate. And I'm always focusing on integration because the trend that we identify here is that we need to integrate with privileged access management as well, because the life cycle of a carbon-based user also may have impact or does have impact on their privileged access management rights. So if you choose to change the department, that might lead to getting or losing access to privileged resources.
And last year, we've talked about CIEM as the new acronym being focused on cloud infrastructure and the entitlement accounts, everything that is required, therefore, all this dynamic scaling that has been taken over, embraced by vendors, mostly PAM vendors, and has been taken over and is available also in that game, which adds a new type of provisioning and governance to the systems and makes sure that these systems are well and properly managed. Our suggestion way back then, and our observation as of now, is that we see this integration at least starting. So this is something that we really can see in the reality.
Once these slides have been used for showing where we are and what the technologies are, at a very high level, I have to admit, what are the actions that we see in reality within existing organizations? At a reasonable scope, taking action means transforming action. And that also goes back to the question that has been asked to Martin before: do people really do that? Do they really servicify their infrastructure? Yes, they do. And they do that by integrating their existing, yeah, legacy application, with ignoring the bad connotation of the term legacy. So what is really required is taking this step back and assessing your IT. You need to analyze and understand what you have and what your business demands for. And the focus is on the second part, what your business demands for. Do you have everything that your business demands for? Do you have the services available and do you have the management of identities and access management available to achieve that? So you need to take this holistic view. I don't read it out in general, but I think the most important points are those two. I show it here. What is strategic and what is redundant, understand what you really want to have, what you want to achieve. Martin, any questions coming in?
I think it's more a large generic question. I probably will look to answer out of band if I find a way to do that.
Okay. Okay, great. So that is really step one. And the brackets in the headline are also important: is your organization capable of fulfilling the needs the organization has, or the business has, and does your IAM and IT management really play well with that? I'm an analyst, I have to confess. So we start with analyzing what we have and we try to create a target vision in the target architecture. This is what we do. So defining the target architecture vision by understanding what you have, what you require, is really the next step. And we really recommend to do that based on existing, well proven and functioning paradigms. That can be ours, must not be ours, or do not necessarily have to be ours, but nevertheless, build upon architecture principles that have proven to be successful and combine all of this together into what you need when you want to implement a solution. I have to check my watch. Okay.
So it's really important to define a target architecture, to follow an appropriate roadmap, to get what you require over time with the right deliverables delivered when you need it. It's Analyst. And especially it's important that you understand what your external and internal requirements are, coming from your regulators, from your corporate policies, from the expectations of your supply chain. This is important when it comes to defining these solid policies and proven processes that bring these efforts into your organization. So defining the target architecture vision is step two. So get to a unified approach for one IT delivering services to the business, including IAM business. So I'm a bit jumping around between business and IAM, but this is closely related because you need to understand what you have to have in which place. Very quickly, just again, to explain it: defining that target architecture, I really don't want to go through it, but it's really important that you start with a big picture and you carve out what's important for you, that you focus on the capabilities that you require, that you focus on the services and, in the end, the tools that you require when implementing such services.
There's a question, which is maybe a little bit of a joint question to us, for methodology you, for other things me. And it's: in my company, more than 10K employees, we don't have an identity tool, many applications are integrated with AD. What is the best way to get an identity management tool? What is your recommendation to get? I think a lot of these things are answered by you already, or will be answered by you. I just wanna hint maybe here on some upcoming research. So probably early Q3 we'll release something around more IAM solutions for midmarket-sized enterprises, and there are a ton of Leadership Compasses out there, which compare vendors, which also clearly are a guideline. So back to you, Matthias. I think this should answer that question.
Halfway through. There will be a talk this afternoon at 2:30 in this room by me. It's about implementing identity and access management for medium-sized and mid-market organizations, which have different requirements. Oh, no, they have the same requirements, but not enough money and not enough people. So how can they do that? So that will be the topic this afternoon. So short spoiler for that. Yeah. Maybe that can help. I'm not answering "take this and that", but how to choose it. Okay. Now going back. So the important thing is that you take another color and really highlight what you require when it comes to identifying the right identities. And that means implementing an IGA, getting through the right services to the right and understanding which services are required. Do you need privileged access management? Do you need to provision into cloud services?
Do you need to provide services for a DevOps approach that really scales up and scales down platforms in the cloud or somewhere else, in orchestration, on demand, and with all the identity management requirements that come with that? So that is really the next step. That is step two. And that would be the fine print for step two. Next step. And this is something that we see in reality very much. And this is why I'm talking about, I think, what's experience or recommendations from the field. This is what we really see: organizations are right now revisiting their target operating models. We've said that it will happen very soon. We expected that to happen two years ago, and of course, markets are slow. Now they do it. So organizations really rethink where they provide their services, in which form, and to whom. The idea is to scale up, to gain performance and to secure services at the same time, and to refocus IT operations on what is really important.
So nobody has to run an IAM system themselves, really not. This is something that can be done by somebody else. On the other hand, more and more organizations are leveraging, reusing the capabilities that are already built into the platforms they already have, Microsoft 365, and integrate all components into one service portfolio. That is something that really is more and more gaining traction. And that is also this servicification of what we have been talking about. Understanding: this is authentication. This is risk-based authentication. This is authorization. This is access governance. And where is it and where it is provided. Do I do it? Is it enough for me to use this access re-certification that comes with Microsoft 365, or do I need something much more full blown? And this needs to be understood, but nevertheless, the components are there and they need to be understood where they can benefit.
On the other hand, Martin mentioned that before, the identity fabric as a whole needs to be kept in mind when doing this. So once you delegate a task to a different infrastructure, identity fabric can deal with this perfectly, saying the service is more than one's available, but you need to have the full big picture and keep control over this. And this is not only technology. This is concept, this is process. This is organization, uniform management. And as examples with this changing target operating model: for many organizations, access management has moved to the cloud. It is there because they have Microsoft 365, they have Azure AD and they use this as an IDP plus more for other services as well. And CIEM, we've mentioned that before, this cloud infrastructure entitlement management, is even defined as being something cloud-born. Check.
Very quickly. What do we do? We see, this is a summary. This is a summary slide that I've created earlier for understanding what are organizations doing, for example, when it comes to IDP strategies. So some organizations, okay, first the dimensions: criticality of workloads and trust into external provider. Do I trust Microsoft? How critical is my workload, to put it bluntly? So many organizations, no, that's wrong. A few organizations say, okay, I have a single on-prem IDP and nothing else because highly critical. I don't trust anybody. I'm not allowed to, I have requirements. Or I have multiple on-prem for different purposes, but this is more the minority. We see hybrid scenarios where we see organizations having something in the cloud and something on premises, depending on either criticality or on the trust towards the external provider.
But nevertheless, there are many measures available to even allow to move even legacy driven hybrids, highly critical, or not that much trust, into the IDP of a third party provided service. That makes it possible that this is operated even securely. And more and more organizations, that is also a takeaway, are moving really to something that is pure cloud IDP, pure multi-cloud IDPs, even in strongly regulated industries. So that is really something that we see. And we see both of that. So there's no current trend other than: to the left, a little; to the right, a lot.
And Martin said, why does this slide come now? This is something that we just see right now: many organizations are finally saying, okay, let's do it. I don't want to run my IGA myself. So this is something that is gaining more and more traction. And this is true because IGA is preparing also this for zero trust security, and it provides the services and provides the identities to the services that provide authentication, authorization processes, wherever they are. So that is a trend again, that we see. I have been given two minutes. So the concept behind that, one minute.
My kind reminder: please revisit the keynote Martin gave last year at the EIC. He presented this concept of the DREAM, Dynamic Resource Entitlement and Access Management. That means that we combine lots of components, including access, privileged access management, policy management, identity and access management, including this cloud based access management, access governance, and integrate that with cybersecurity into one bigger picture. That is all that is behind that overall picture. That is another depiction of the picture that I showed with the four bubbles in the circle. This is the same in a different format, much more elaborate. And I would highly recommend that you move towards a paradigm of implementing access management and identity management that follows this broader approach. And I have to stop.
You have to stop. By the way, I did this slide. And so the seconds last year, Mike it during my keynote. Okay.
If there are any questions, please get back to me afterwards. I will, I'll be around. Just get in touch.
Yeah. So thank you, Matthias and raise your hands.
