KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Martin Kuppinger, founder and principal analyst at Kuppinger Cole, heads this panel discussion on identity and access management with Jonathan Sander of Quest Software, Kurt Johnson of Courion, and Ravi Srinvasan of IBM Tivoli.
This pocast has been recorded and published by ETM Magazine.
Martin Kuppinger, founder and principal analyst at Kuppinger Cole, heads this panel discussion on identity and access management with Jonathan Sander of Quest Software, Kurt Johnson of Courion, and Ravi Srinvasan of IBM Tivoli.
This pocast has been recorded and published by ETM Magazine.
This is an enterprise technology management podcast, the independent resource for it. Executives. Hello and welcome to this panel podcast brought to you by ETM, a website and magazine for it. Executives ETM keeps the it community informed through original white papers, Analyst research case studies and insightful podcasts. I'm kiai Kira of ETM. And today your host Martin Kuppinger from KuppingerCole will be discussing identity and access management with a panel of experts. Here's Martin, to introduce the panelists and topic further.
Hi, my name is Martin Kuppinger. I'm the founder and principal Analyst at KuppingerCole. I'll be moderating this podcast today on identity and access management with me today as free industry experts, Toronto and Z director of IM business development at quest software. Welcome tram Cardon wise, president of strategy and CED development. Ion welcome KD Ravi program director for data and application security product management at IBM T welcome Ravi. The first question I have is around identity and access management.
Shouldn't this be more access and identity management given to those customers care mainly for access each who is allowed to do what and why Jonathan, would you like to start? Sure. Jonathan from quest speaking now, and I mean, I have to agree with the spirit of the question. I think it probably should be access and identity management given a number of reasons. I think customers do focus on that question of who is allowed to do what and why.
And I also think that that's the most impactful part of identity and access management, but I think it is the other way around simply because of how the market has evolved. Management has been very siloed for a long time done in all the different applications and platforms individually and identity management.
Well, I mean, it got attack together quicker, right? It's centralized much more quickly. And it's only been in the last five to six years, really that you've been able to centralize a lot of access management tests. And really only in the last two that you've been able to do it effectively and efficiently with the rise of newer technologies around identity, intelligence and certification.
So, you know, at this point we have the fusion of the two and access is probably more important, but since identity got there first, it probably would remain identity and access management for now. Okay.
Kirk, would you like to add to this question? I tend to agree and I, I think the reality is though one needs the other and whichever one gets top billing is up to them to kind of duke it out.
You know, it's like 10 and teller and Abbott and Costello. You needed the straight man and you needed the, the relief along with it.
And I, I think that's true with identity and access. It really is figuring out the who and what for the question who has access to what, and for that reason you need the context of identity to really apply that to the access that individuals and resources need. And you need to really understand access above and beyond who can get in the front door, but where within the organization can they get to, where are our critical resources? And the reality is it is all about access.
I mean, whether it be routine changes every day from the hires fires, relocations and transfers that have an impact on access, whether that takes on multiplicative effects for large scale changes like reorganizations and mergers and acquisitions, even rolling out new applications and systems require all the access to be aligned with the individuals that require it.
And in light of all the regulations that are governing this, that, you know, named your regulation, whether it be Sarbanes, Oxley, or HIPAA or Graham Lech, Bliley, or any of the country specific or location specific privacy laws, they all have that notion of access controls and who's getting access to what. So again, at the end of the day, when you're trying to figure out the who, which is the I and the what, which is the a, they really do need to come together to provide this comprehensive picture. Okay.
Robbie, would you like to provide additional comments on that question? This is Ravi from IBM. I was actually thinking about this question in terms of this customers have been overloaded with a lot of acronyms, the acronym of access and identity management aim probably is quite interesting for customers to give them a little bit of focus on this specific area. That's so critical to customers as a foundational control. I think there's an element of both management of identities, as well as an element of the runtime capabilities for enforcement across a heterogeneous application environment.
As long as those two sort of foundational controls are being highlighted, it really doesn't matter how you call it, but I think that's the, the key message that we should be looking at as well. I would fully agree with you. I think it's, it's about identity and access and you need to manage identities to manage access.
However, it's very interesting. I, I currently have customer advisory where one of the, where a company really decided on calling the product access and identity management. So access is probably, well, customer better understands an identity, but at the end of the day, he very well understands. He has to solve those issues from my perspective and my experience. So let's move forward to the second question. The second question is which are the main drivers for IM projects at your customers.
So for the identity access management project, what we observe are that the let's say increasing requirements around governance, risk management compliance have given a massive push to IM projects over the course of the last two years. Would you share this experience? I'd like to start this current to answer this question. Thanks Martin.
From our perspective here at Curion, we've really seen a, you know, somewhat subtle, if not over time, pretty dramatic shift in the drivers where a lot of the identity and access management aspects started from an efficiency standpoint, you know, reducing headcount, getting access quicker, reducing the amount of manual effort. And clearly the major shift has been from efficiency to really compliance as a driver.
But I, I think it's a bit trite to just kind and easy to say, yeah, compliance is the main driver. Even within that. I think we're starting to see a real subtle shift from compliance from the standpoint of, I need to pass the audit to much more of a shift toward risk management and that really where most chief security officers who are ultimately at the cornerstone of driving these projects is really looking at not only, you know, managing the risk, but to understand the risk and communicate that risk out to the constituency who is the business people.
And, and for that reason, we've really seen the business drivers moving and evolving to enabling that ability of really not just demonstrating and managing the controls in place around who is getting access to what, but again, to understand where that risk is greater, you know, we've got a file share that has the everyone group has access to it. The exposure there is significantly greater than one that we have tight controls around and are doing access certification reviews.
So I definitely believe this term of identity and access governance is taking on a much more critical aspect in the market movement because people started with just kind of securing the perimeter. You know, who's got access to the network and who doesn't, how are we controlling that? But I think one of the, you know, significant amount of failures that we've seen in identity and access management is that people haven't been able to get this beyond active directory or mainframe or Unix, and it needs to get to the key risk applications and the entitlements in those applications.
But even beyond that, to the data itself, where who has access to patient data, who's got access to personal information of employees or customer who's got access to our intellectual property or our company confidential information. That's where the risk of exposure is greatest and access real. An inadvertent access really does impact that exposure level. So in traditional risk management, when you're looking at the likelihood of an event versus the severity of the impact, likelihood is really tied, very closely to access.
And I think it really is the business driver that security needs the help to understand where our risk is, communicate that risk to the business unit, and then work with them in a partnership, not just to pass the audit, but to really enable the business to move forward, to share more data to sh put the information in the right hands, but do so in a controlled and securement way that, you know, really it reduces the risk. So you throw mobility and cloud on top of all of that, the exposure is getting greater. The issue for security is how do we better manage that risk?
Okay, great answer. Kurt and Ravi, would you like to add From an IBM's perspective from our clients? We see some key drivers, especially in the last year. One of the key drivers that we see for IAM projects is really enabling the business to expand. Every time we talk to customers, we hear this constant discussion that aren't transformation, whether they're transforming their application, transforming their portals, they may call it different things.
Some may call it cloud-based adoption, some may call it service orientation, but at the end of the day at the heart of it is some transformation project. And that is, that has been a significant driver in the customers space for them to be looking at the identity and access infrastructure and looking at how to implement the appropriate controls so that you are truly externalizing security from these applications and data environment and using IAM as a way to help you with enabling the transformation.
The second key driver that we've seen, especially with the mid-market and general businesses, is a level of being able to support their business expansion. As you look at IAM, it's always been treated as an it project to us. So the last year or year or so, we've seen more and more customers saying this is not just an it project, because it is delivering some intelligence back to business. It is delivering. It is enabling me for example, to do Federation with my business partner in three months and get it up and running well, that's enabling the business to do more.
And so that is fundamentally the big key driver that we're seeing customers look to security controls such as I am. Okay.
Jonathan, any additional comments from your side? You know, I think that Kurt and Ravi have nailed it, but at quest, the one thing I think we see that maybe I haven't heard highlighted yet has been how much of boundary dissolving is driving a lot of this, especially with regards to the governance risk and compliance the GRC aspects.
And what I mean by boundaries dissolving is, you know, sometimes there's the, the, the, the obvious one that every security article has to mention is the, the harder outer edge of the network disappears and both the cloud and other aspects of networking and technology would be it social networking, or, you know, things like wikis dissolved, the boundaries that you've built to secure your infrastructure, or really the boundaries between what we would've considered it tasks in the near past and what we want to enable the customer of it, the business to do for themselves now through self-service and things like very complete service catalogs, which will get to a little later, as I understand, all of these things are breaking down a lot of the structures that not only dictated how we built the infrastructure, but also dictated how we acted and thought about proceeding on a given project that the, the business might assign.
And what identity really comes down to being in that case is an enabling technology to allow that to happen.
Because whenever you reach one of these decisions to either allow a partner deeper into your network, or allow someone on the business side to give themselves rights, roles, responsibilities, entitlements, new access, whatever it might be in your infrastructure identity and access management is really at the heart of that and having good governance or risk based approach and a mind for compliance about that activity at that point is absolutely necessary to, to making it succeed in a secure manner.
So, you know, I think the driver really is about those boundaries dissolving and all the different ways we see those, those things happening. And at quest, you know, we're just trying to help them simplify that process. It's not an easy thing for people to take on a whole new, not only change of infrastructure, but change of attitude. So thank you for these, this extensive answers on the question. And I think there are two core points. One is things are moving free from, from reactive and trustful fulfilling audits to preventive. So really being more, more long term.
So usual helps company to implement really a good governance. And the second is really about business enablement. My third question is when looking at identity provisioning and access governance. So two of the core, let's say, elements of solutions there, what is the future? So will see. And I think some vendors are expanding their provisioning solutions with access governance capabilities. Others are going the way down from access governance by adding identity provisioning.
So will we see more, more separate or integrated solutions in the future and maybe short answers on this question, let's start with Robbie. Thanks Martin. From our perspective in this specific space, we're actually seeing the, the demand and the key drivers to actually make this offering more of an integrated offering. If you look at this space from a business standpoint, what is the business asking the operations and this type of solution to deliver? It's asking this type of solution to deliver a level of intelligence, a level of insight.
And IBM certainly see customers demanding that when I need that level of insight and to be able to drive governance, I need one integrated solution to support it. Okay. One of them, what's your position on that?
Well, Martin, I, I certainly hope it's an integrated solution, cuz that's certainly what quest has been investing in for the last couple years, what we've brought to the market now and what we intend to keep building is an integrated identity provisioning and access governance solution. So I, I hope that an integrated solution is, as Ravi said, what, what is being demanded out there, cuz that's where we've been focusing our efforts. Okay. And Kurt. Yeah. I believe certainly from Ion's perspective, we believe that, you know, integration is important.
And the, the key thing is really understanding where the integration is important from pulling and managing all this disparate information as opposed to where there's prerequisites and requirements. Because I find it somewhat amusing that we've been seeing a lot of, you know, buzz and hype around the whole notion of access request, being separated from, from provisioning.
And I think from our standpoint, we viewed this, you know, very much the analogy we use is the, in the banking industry, the ATM, the ATM put a very business friendly customer friendly user interface on top of the bank systems to enable the consumer to do things such as get money or put money in or check balances, but it didn't replace the backend banking systems that were already in place needed to integrate with those. While at the same time, it added a dimension, a strong dimension of controls and security by taking the human being out of the equation.
And I think we're seeing a lot of the same things in identity and access management, but unfortunately this industry has had a bad reputation of project failures and I think systems that were originally designed to enable it administrators, to do things quicker and get systems up and running is why we've seen a lot of deployments not go past active directory and mainframe where the critical key risk applications or key financial applications haven't been touched and the ability to expand connectors to that are difficult.
So while at the same time, I've always said, you know, we, we, we built that business friendly interface into provisioning right up front because it is business who's accountable for getting the right access to their employees and understanding what their employees have access to many times we've designed systems that don't work the same way.
So, you know, we've actually separated our access request capability from the backend provisioning for that reason to provide a kinder, gentler approach to customers who have had failed implementations, not to necessarily need to rip and replace everything, but to expand and enhance that with this business interface. So, you know, Robbie and Jonathan touched on this, that the integration's important, but it it's critical that we meet the needs of who that main user is, which is the business people.
And so I, I, I ideally pulling these things together, but where they can't enabling the ability of providing that business level enhancement while at the same time, connecting out to other disparate or point solutions, which might be things such as, you know, data loss prevention, which is looking for sensitive data, but there's a responsibility of understanding the identity context to that, or, you know, SIM monitoring technologies, which are looking at events. And, you know, when you disable, you want to be checking to make sure that there is no activity happening on that.
So I think really where the future is going, you know, Robbie touched on the, the notion of intelligence. I think it's an important point. There's a lot of very important information. These systems are collecting. How do we present that? And as I said before, enable us to talk to communicate the level of risk to our business owners and give them tools that they can use, not just tools at the backend it administrators can use. I think I personally think that, that we will see a mix of, of postings because I, I think that it makes sense to have solutions to try and integrate.
And there's some value in having things a little bit more, more, let's say flexible, for example, to support multiple existing provisioning systems by, and let's say access governance layer, which is very consistent across these systems on the other hand. And I think that leads to the question for you. Can't do only one thing because you always need a foundational layer. So my first question, that's my opinion, but you might have a, so let's look at this, this next question.
What we observe is currently that many customers starting this re-certification or adaptation and access analytics, but I still have to gain control over systems. So knowing that some access controls aren't likely should be, is one thing being able to fix this is the thing. So with other words, can you be successful without deploying a mature provision provision infrastructure, one or more provisioning tools below the access governance layer? So let's start with, to answer that question. Sure.
Martin, it's interesting. The market right now is rife with certification. Every customer we talk to brings it up and it's a big topic and, and it should be cuz it's one of the benefits that you can gain from a lot of these systems, but personally, and certainly I think it's quest positioned as well, certification and access analytics without some kind of provisioning infrastructure underneath. It is really an illusion.
It really reminds me actually of when people were running businesses with access databases or Excel spreadsheets or even Lotus spreadsheets that absolutely no connection to the real numbers in the real financial system out there. And you know, you can easily see where that led people, right, to make decisions based on false information or, you know, grossly out of date information that maybe was true at one point or, you know, just the opposite. You'd make some adjustment to something.
And, you know, with the intent of having an effect when it really never had any effect, because it had no way of resonating back through the systems or getting to the other people on the other end of the conversation from the little spreadsheet on your desktop. And that's what I think certification is like without some connection to these other systems. And I think it connects to the point Kurt made about integration and, and how that integration is carried out. Integration can mean, you know, one big fused platform that is monolithic and, you know, unable to be connected out outside of itself.
And that's certainly not the kind of integration the quest wants to foster, but you can also talk about integration where, you know, you're connected to the viable systems. So, you know, certification is extremely important and access analytics, there is also extremely important, but without having a connection to those real systems in the backend, then, you know, it's, it's not going to have the real effects that you needed to, to have it be something truly important for the business and not just, you know, something that I make checks on.
And maybe I get past an audit because you know, the auditor only looks at that, but if they peel one layer back, they'll see that it's an illusion and audit versus even when they look at only the first layer to data definitely will look at the second next year or the year after Kurt. Would you like to add to this question? I agree with Jonathan.
I, I do believe that provisioning is an important component to this. And you know, the key is when you're talking about where to start, you know, the answer really is, it depends, and it's gonna be very much driven by the organizations, motivations and drivers, but at the end of the day, it's hard to really advise somebody that you only wanna tackle one piece and look at this in a tactical way.
I mean, to truly do you know, what we call occurring on access assurance? You know, ensuring the right people have the right access to the right resources and are doing the right things with it really involve this life cycle of defining the policy of who has access to what, you know, verifying that the access that people have is in line with that policy and then enforcing it on an ongoing basis.
And, and by that enforcement, I mean, how are we ensuring that new employees are getting the access? They require that employees, when they leave the organization are getting their access turned off. And that really does require that life cycle. It can start anywhere wherever that pain is.
There can be concurrent aspects of looking at things, but getting back to what I said before, understanding the who and what of who has access to what really is the underlying foundation to do all of those different things, whether you're using that information to define the policy, whether you are using that information to discover what kind of mess we have out there, but again, without the provisioning to clean it up or to have the enforcement, you're still only have a couple legs of the stool.
You know, one of the chief information security officers from one of our customers, who's a fortune 50 organization said it to me said, Kirk, when we started this project, we did it to try to get, you know, the network set up for all our new employees. Cause it used to take a couple weeks to do that. And while it's all well and good that we're now doing, that said for my feet in the CISO spot, I don't care so much about that. I don't care that they get it. I care much more that they get it turned off. And I don't care that it's detective directory.
I care that it's the key financial and key risk applications we have within the organization. So if your system can't be flexible enough to expand out to where those risky applications are and systems are, you're just scratching the surface. And so really it's looking and prioritizing where it is.
And, you know, we strongly advise our customers to look across that spectrum define, verify and enforce that policy cuz otherwise you're just kind of, you know, tackling one little thing. And for one very tactical reason Sound like Kurt, any additional comments from your side That was cart. I did Ross, sorry, Jonathan, I think is From an IBM perspective. The short answer is now you can't be really successful without deploying provisioning infrastructure in place. And I think that's a lot of the key messages were already echoed over here.
If I look at customers who have been successful in their governance projects, they have that foundational control with provisioning that gives them the element of automation, the element of being able to centralize the, all the identities and have the policies defined at one place. So that, that then feeds into the appropriate governance layer for providing the, the visibility to the business. And so that's really how we've seen successful projects take on the ability to have leverage the foundational controls of a provisioning system in, in place. Going to the next question.
What about a medium sized businesses? Should they care for IM I'd like to start with Kurt to answer that question. Yeah. Thanks Martin. In this case.
Yeah, absolutely. They, they should care and I don't don't really think it is an element of size. It really has to do with risk and a lot of the regulations. I mean we certainly see small mid-size healthcare organizations that are small facilities, but dealing with larger hospitals that are getting access to patient data, credit unions and smaller banks that are still dealing with federal regulations, it's not so much an issue of size. It really is an issue of really understanding the risk associated with access and the controls in place to manage that.
And you know, the identity and access management solutions really provide those benefits across the board from small to large. And the key is making them easy to implement, easy to use because smaller organizations don't have the resources to hire a 20 person team to come on site for a year. It's getting those solutions in getting the value out of them.
And again, the independent of size, there's a critical need for 'em Robbie. I just wanna come comments from you side Myco, the same comments.
I mean, it's absolutely critical for even the, the general business. And if I look at our customer base, there's a ton of innovation coming out of the general business in mid-size companies. And we've got IBM documents them as a lot of these smart case studies. And a lot of the industry solutions are coming out of mid-size companies as they are handling business critical data and their applications are more vulnerable because they may have gotten to the point of being successful by quickly getting their application up and running.
And so when our X-Force team run runs and finds out vulnerabilities and attacks on a lot of these mid-size companies, they find out that they were sharing passwords and the basic foundational pieces were missing. And so to me, it's, I am becomes even more critical for mid-size companies because of the, the, their levels of defenses have not been robust enough to begin with.
Okay, Jonathan, what do you like to add? Yes. I think business size is absolutely irrelevant to identity and access management. It's all about the pressures that the business is under.
If they have to be compliant with any number of regulations, if they're handling sensitive information, if they're simply handling a whole lot of money in New York, we have a hedge fund that I have talked to many times over the years, 30 people working there, you know, multi billion dollar business, and obviously who has access to what is a huge issue for them because of that, even in that 30 person organization simply so they can, you know, meet their obligations to their customers in terms of telling them who has access to what, and also to the auditors to do the same.
So, you know, business size isn't as relevant as what that business is up to. And you know, what the business drivers for them are gonna be with returns, you know, in terms of compliance in terms of risk and in terms of governance again, okay. I'm looking forward to see more medium size businesses adopting identity, access management. I think it's still, still some way to go there.
However, I fully agree you, it's not a matter of size. It's a matter of how do you manage your risks in your organization? The next question I would have is which are the most five most important technical building blocks like provisioning, Esso access governance you would expect to see in an IM ecosystems. So which are the five important, most important one for you? Maybe there just a short list of these elements you have in mind, Rav would you like to start?
Sure, absolutely. From our customer base BM, we clearly see a single sign on infrastructure to support web and federated single sign on being one of the key foundational controls, user provisioning and policy based role management. As a second piece of the control. The third one is around entitlements management. There's a as, especially with all the transformations that customers make, we see customers externalizing security from the applications into an entitlements management system.
That again can be leveraged for defining policies of who can get access to the fine green data and, and under what conditions the fourth area is the S SIEM infrastructure tying that directly to IAM to be able to pull out the intelligence that customers need. And then so, and the fifth area is web security.
Being able to provide some level of integrated web application security capabilities into the single sign on infrastructure so that you're not only letting people in the door, but you're also making sure that you're inspecting the content of it and blocking the content to make sure that the applications are in vulnerable. So those are the five key infrastructures that we see customers implementing today. Okay.
Jonathan, what are the five ones on your list? You know, Martin, I found this to be a hard question to, to come up with an answer to, because what we could be talking about is what has been the building blocks and, and probably then what should be the building blocks. And so the, the approach I decided to take or the, what I see our customers being successful with when, when they have these things in place, that was my, my approach to this.
The customers that quest has, that are successful with these large identity and access management projects and achieve their goals of, you know, simplifying their approach site to day and access management. What we've seen them have some good discipline around is definitely user provisioning. That would definitely be the, the first and foremost.
I mean, a lot of times that comes down to eliminating the need for user provisioning in as many systems as possible by consolidating and simplifying the second area, we would definitely agree with IBM, there is gonna be a single sign on approach. And that really breaks down to, to two areas itself, right?
There's, there's single sign on from the enterprise perspective, right? So the, the enterprise single sign on comes a really good stake in the ground to, to understand who has access to what over time. And then of course, there's the second area that, and then the third item on my list, which is the web access management and having control over those web applications that, you know, they're the future and having control over them today, obviously gives you a big advantage over what will be the, you know, future of all your applications, more than likely.
The last two areas are, are, are much harder to, to pick up on because these first three are, you know, pretty much the traditional parts of identity and access management. But the things that I think that have helped our customers be successful is a more organized approach to auditing, which may or may not seem like belongs on this list for identity and access management. But one of the things that makes customers successful in an identity and access management project is going to be having an idea of what the current state is.
And usually that's gonna come from their ability to audit things and just, you know, know where things are now. So they know where they need to be at the end of the project, what the end state is. Can't be determined without an idea of what the current state is.
And last but not least, we would definitely wanna see people get a hand on just access from the standpoint of who has access, where, which is a hard question to answer, but like, you know, like quest has and other vendors have, there are solutions, the Lighty go out there and query that right from the technology itself and build some important databases of information to help you get your identity and access management project rolling along Kurt, your five favorites. Yeah.
My five favorites are really coming from the perspective of where ion is focused with his customers to really help achieve the business value out of this. And I get back to what I commented on before this life cycle of defining the access policy.
Well, that's where role management fits in and, and I'm not talking traditional or back necessarily. I'm talking about how do you catalog the availability of roles? How do you define these in business terminology as opposed to it speak and really use the aspect of who has access to what to define the policy? The second component of that is that verification process, which Jonathan just touched on. So the access certification and reviews, the ability of discovering that, putting it in front of a business person.
So again, they know in business terms, what people have access to and can enable the ability to verify that, correct. It remediate when it's not in line with policy. As we talked about before, the provisioning is an important component for the enforcement of that.
So on an ongoing basis, you've got controls on the setup modification, disablement of those accounts also important in that enforcement vehicle or some of the authorizations that be web access management or extracting that such as some of the exact tools out there that when people are logged on, they understand where they can get to and what they can do in those systems.
And the fifth one is really one that I think is an emerging one and kind of a points toward the future, which is really the analytics and intelligence, you know, think of it as a business intelligence for access and identity information where you can assemble the various components. And as I mentioned before, even pulling from things such as SIM technologies and events and DLP for sensitive data. But I think a critical element of this will be the activity of what people are doing. It's not just who has access to what, but what are they doing with that access?
And when you can pull that activity element to really understand what are people doing out there at the most sensitive areas? I think that's a critical element that'll really enhance the whole solutions to really enable the business value. There are, I think there some different, different opinions. And I think that's also very interesting to our, the people who are listening to this podcast. The next question is looking a little bit more into the future, let's say the near future, but also the things which are happening over the longer, longer period of time. So what about a cloud?
Have I am initiatives to change, to support what is happening in the cloud? I'd like to start with Jonathan to answer that question. Thanks Martin. So first I have to disagree with the, what you just said, Martin, don't slightly cuz we're finding that the cloud is already impacting us quest or at least the quest customers are already being impacted by the cloud around identity and access management.
We've had to build into our products support for many different cloud situations, whether it's simple identity situations, creating accounts or more complex situations where, you know, you're getting into the access and you know, doing governance for the cloud stuff. So I think that the cloud has an impact, but does the cloud change your identity and access management initiative?
I don't know that it changes it, but, but I think it does perhaps give it more weight, more gravitas because once you bring the cloud into it and really when you're talking about the cloud, right, what are you talking about? You're talking about your data, your users going outside of what you control or at least control from a, you know, strict standpoint and vice versa, perhaps, right?
The, the, these systems coming into your enterprise and having impact on your systems. And that means that having identity and access management in place, being able to control who has access to what and being able to do that in an organized manner, is that much more important? So I might change the of the business about identity and access management, but I don't necessarily think it changes the activities and what you're going to do. Can I echo Jonathan's thoughts there?
You don't want to have some technologies and solutions and policies for dealing with cloud and then some separate ones for how you're dealing with your premise. You need this hybrid approach that really encompasses both the cloud as well as some of the traditional, but you know, clearly the cloud has aspects that add additional risk.
You know, there are some organizations such as think if you shut down the network access, people can't get access to the key applications. Well clearly with cloud applications, that's not true with cloud providers as well. You add a whole new dimension of users that have access to your sensitive data. There was the case, not too long ago of Google firing a handful of Gmail administrators, because they were monitoring Gmail traffic.
Well, I think they were looking at personal emails of people going back and forth. But what if that was some mission critical information being sent by an organization? So if your data's sitting out there, what people at your provider have access to that, are they still employees? Are they got the access to that in a manner that is appropriate, secure much like your own organization.
So it, it really is, you know, cloud offers a chance of a little bit of a security do over, but how we manage these, those identities, how we really understand enforces the core principles of making sure we understand who has access to what out there. And we're staying on top of that. And the complexities of that from the cloud are significant, but from a business person, I don't care if it's the cloud or premise. I don't necessarily know that. All I want to know is who's got access to it. Are we protecting it and taking the necessary controls to ensure it stays safe? Okay.
Robbie, what would you like to add? I wanted to add one key point from an IBM perspective. Customers are already leveraging the existing IAM infrastructure to support both on and off premise access specifically in the cloud environment. I think the one area where we're seeing customers look at IAM from an in priority for an initiative standpoint is to look at possible alternate delivery models for IAM, where customers are saying for a given type of workload. Maybe I don't need to manage this infrastructure on premise. I may look at an alternate delivery model of adopting IAM as assessed.
So we're seeing customers look at that model as well. Okay. Thank you. So we are moving forward to the last question of this panel. Many companies are thinking today about using service catalog Porwal to request that entities and access as well. So they like think about how can I have any type of access request put into one Porwal whether it's the new PC you need to have, whether it's access to an application or company car or whatever.
So integrating all these things into a service Porwal does it make sense from your side and how would you integrate this with the existing or nice to have IM infrastructure Kurt? Would you like to start with the answer? Yeah. Thanks Martin.
I, I believe the whole, you know, service catalog aspect does make a lot of sense. The question is really the unfortunate reality behind the why it had to take place. As I mentioned before, current approach has always been about enabling the business user as a consumer of this. And unfortunately we've seen far too many identity management implementations take a more backward looking archaic view of this. That really didn't get much. As I said before, beyond the setting up active directory or Unix or mainframe access and in many cases, having the it, administrators do that.
And I think that's because we've walked into some of these organizations and here that looking at their interface and it says, Hey, does Kurt need access to rack F group 1 23? And I, as a business user is saying, what the heck is rack F group 1 23, mean I need to give them check writing privileges or vendor approval privileges. So the key is how do you put an interface in front of 'em that's business friendly and intuitive.
And, you know, we we've always had this as part of our provisioning system, but as I mentioned, have actually separated it as a standalone option for customers that may have other identity management infrastructure in there because it defines these things in business terms, you can filter it based on attributes. If I'm a finance person, I can only request these kind of things for these kind of users, you know, taking an Amazon-like approach to a catalog.
And so, you know, we, we really see that this is critical to make sure that you, you can enable a business user and then have the rich set of connectors behind the scenes that can link out to automate the provisioning. But many times we've done this even without those connectors in place. So you can at least track it, get the approvals and attach that to people's records. Even if it sends an email off to an administrator for a system that only gets a couple provisioning requests a year.
So while we continue to, you know, emphasize this business aspect, if customers are using something else, like a remedy system or a service catalog, like new scale or something, yeah, we'll be fine to sit and leverage that as well. But round that with the other aspects of access certification and role management, access intelligence and the fulfillment, but the key is how do you put the best interface forward?
So our approach is we'll work with whatever they might be using, but if they don't, we're more than happy to put a very business friendly interface in front of them because that's the only way to make it work. Okay.
Thank you, Ravi. And with IBM being one of the big players in the it service management market and the business service management market, what is your view on that?
Our, our view is you, you leverage the IAM infrastructure to support a service catalog type deployment. I don't, I don't believe the service catalog itself would subsume and include an identity infrastructure.
I mean, think of the, the end users of service catalog when I'm getting information or data from a service catalog, there's an element of disclaimer, in some, some of the environments, I can't really provide that disclaimer with, with respect to identity saying, oops, sorry, I provisioned you the wrong data. Or so to us, we believe that the IAM infrastructure is foundational control and that feeds the data to a service catalog type environment. And that's really how our we've delivered our integration as well with the service catalog environment. Awesome.
Well, I mean, I have to echo the agreements here that, you know, service catalogs are definitely modeling the way that people are approaching these projects. So I was, as was said, people want that simplified interface where they can essentially shopping for access to systems and shopping for rights and systems and shopping for whatever it is. They might need to provision to a user and they want the systems to then make that real, right.
When they click submit, they need to have the system check what that impact would be if they gave that person those access rights, let them know hopefully at that moment, what that impact is. So they can make an intelligent decision about that. And that's where that identity intelligence comes into play. And then obviously go out and actually configure that whatever, you know, mechanism is necessary to do that, whether it's direct connection or through some indirect system, obviously quests can do that. Or I probably wouldn't be saying all this.
And the other thing that I think I would definitely agree with is that the overall service catalog tends to live at, you know, a different spot simply because the risks involved with identity and access management and the subject of identity and access managements, all the different, you know, access rights that we're dealing with is a little more sensitive than usually the overall service catalog is. So you have to treat it with a different level of sensitivity, but we've already seen our customers successfully integrated with the remedies of the world.
And here at quest, actually, you know, just in our own systems, we have our own provisioning integrated with our service now service desk. So that's definitely a very common theme. The second part of your question, how to integrate, I mean, that's more of an implementation question, right?
I mean, you can integrate this in, in many different ways, from a technical perspective. I think the more important part to concentrate on is from the business's perspective, delivering that simple, easy to use interface that the business user can actually take on and master and therefore take the load out of it. And also make sure that the people who actually understand the impact of granting rights are the ones who are the ones granting rights. That's the most important part. And that service catalog model allows you to do that. Okay.
I think given the answers, it's also a little bit about that service management has to, to better integrate with IM the other way around to look at services from an access and risk perspective. So that's also one thing we should keep in mind when thinking about IM and access in the context of service management, there are, let's say dependencies in both directions.
So to wrap up some things we've been talking about in this panel podcast, I think one very important finding is it's much about moving from reactive to preventive solutions, which are really trying to not only solve a specific audit requirement, but which really enable an organization to stay secure over a long time, which I risk focused. And it's, I think overall it's about moving from technology also to business. So I think if I look at, I am over the last years, we've moved from the administrators even hired.
And this morning I've been in a, in a meeting, there have been three members of the board talking about, I am, which you seldomly have seen some five years ago. The second thing is really done. And I think that's very highly related. It's about business enablement and companies more and more understand that I am. It's a very important enabler for a lot of things to do in business. For example, to federate with your business partners, it's relevant for all businesses. It doesn't depend on the size of the business. It depends on the risk situations on what these companies have to deal with.
And so also medium sized businesses definitely should look at identity and access management. And finally, when looking at the cloud, it's not about reinventing identity and access management. It's about having an hybrid approach. So having one, it, which is hybrid having one security approach, which is hybrid having one identity access management approaches, which is hybrid because there's no value in separating these things. So that would be from my perspective, the most important sort of learnings web apps from this panel podcast.
This brings us also to the end of this panel podcast and identity access management brought to you by copy a call and ETM. I'd like to thank our panelists today. Jonathan andand from quest software, Kurt Johnson from ion and Ravi Seren VA from IBM TV. It's been a fantastic discussion. Thank you.
