Webinar Recording

The Evolution of Identity Governance: From Basic Compliance to Federated Security Assurance

As the number of business applications across different platforms and environments is rapidly growing, the resulting complexity and heterogeneous nature of modern corporate IT infrastructures make storing, analyzing and protecting this critical business information an incredibly complicated task. Nowadays, data may be spread across multiple networks and systems in a broad range of formats (structured and unstructured), accessed by a large number of users (not just employees, but contractors, partners and even customers) from multiple device platforms and governed by a wide range of security and compliance regulations.
Protecting sensitive information from unauthorized access, providing centralized visibility and compliance and minimizing access-related risks across corporate IT systems are the key areas covered by modern Identity Governance solutions. In recent years this market segment has emerged as one of the fastest growing areas of the broader IAM market, quickly evolving from identity provisioning and regulatory reporting into an integrated automation, security and compliance technology.

Good afternoon, ladies and gentlemen. Welcome to our KuppingerCole webinar, The Evolution of Identity Governance: From Basic Compliance to Federated Security Assurance. This webinar is supported by SailPoint. The speakers today are Darren Rolls, who is Chief Technology Officer for SailPoint, and me, Martin Kuppinger. I'm founder and principal analyst at KuppingerCole. Before we start, let me give you a quick overview about KuppingerCole and some housekeeping information, and then we'll directly move into the topic of today's webinar. So KuppingerCole is an independent international analyst organization, focusing on information security, identity management and governance, but also a lot of other areas concerning the digital transformation. We do this by delivering research, such as our leadership documents, events, which I'll touch on in a minute, and advisory to our customers. We have a couple of upcoming events, like the Digital Finance World end of this month.
Then our main event, the European Identity and Cloud Conference, which will be held mid-May in the Munich area. We will do again our Consumer Identity World Tour, with three locations in US, Europe, APAC, in the autumn. And also in November, we will do a Cyber Security Leadership Summit in Berlin as well. We deliver, as I've said, a couple of ways of advisory, very highly standardized wherever feasible, like our GDPR readiness assessment, which was, I think, highly interesting with GDPR becoming effective end of May this year. So let's have a look at the agenda. The agenda for today is split, as most of our webinars, in just three parts. In the first part, I will talk about the rapid evolution of identity and access governance and where we see it heading, where we see it today. In the second part, Darren will talk about current identity and access governance challenges, from governing unstructured data to advanced identity analytics.
And then the third part will be, as usual, our Q&A session. When you go to the GoToWebinar control panel, you'll find the area Questions. The GoToWebinar control panel is usually at the right side of the screen. In the area Questions, you can enter questions at any time, and we will pick them up at the end of the webinar. So having said this, let's directly jump into the topic and into the content we'd like to present. So we've seen identity and access governance right now becoming a standard capability in many organizations. I wouldn't say maybe in most organizations or small business or less. Obviously we also, from time to time, see large organizations which are not yet there when it comes to governance, particularly when it's beyond certain systems like the central SAP environment or so. Anyway, overall, it has arrived in corporate IT. It complements the more technical and administrative focused identity management and access management.
And the target is to provide governance, to achieve compliance and, in particular, at the end to mitigate access-related risks. And when we look at identity and access management and identity and access governance, we have this identity management piece, which is around managing the identities, their accounts, and the access management piece, which is around managing the access. And on top of this, we have identity governance or access governance or identity and access governance, whichever term you tend to use. I think there's a slight difference between identity governance and access governance, with identity governance being really more around the governance of identities, e.g., so for example, the orphaned accounts. On the other hand, we have access governance, which is more around the entitlements, like for instance re-attestation of entitlements, identification of excessive entitlements. But at the end, it's one big thing we have to look at, which is about how can we mitigate the access-related risks and how can we do it in a way that really works for our organization.
And so when we look at the, so to speak, the why for all this, it's about access-related threats, and we have a lot of these threats. So there are the illegal transactions. When you look at some of the very well-known scenarios at large banks, with illegal transactions in finance and lack of adequate access governance, then we all know that this can cause very, very significant damage. It's about fraud. It's about information leakage. It's about fraudulent changes of data, or just erroneous changes of data. It's about the loss of data. It's more and more also about external attacks. So how can we reduce the risk of this? And it's, in consequence, also about avoiding reputational damage. So if you leak customer-related data, you have a high likeliness of ending up in the press, with negative press. And so all these are types of threats.
And we have, I think, to understand, and I think most of us have understood, that when we are talking about access risks, it's not an IT thing anymore. It's really about a business risk. So when we look at risks, we have these levels: the strategic risks, which can put our organization out of business; the operational risks, where we can lose money, where things can go wrong; the reputational risks, which can damage the brand reputation, which in fact can turn out in both operational and strategic risks. And it's very clear that inappropriate access is directly connected to business risks. So to reputational risks, to operational risks and even to strategic risks. So Barings Bank is probably the most prominent example of a strategic risk, but also when you look at some of the other large incidents which happened over the past year, some of them really affected the strategy and the ability to execute on the corporate strategy for large organizations.
So it's not an IT thing anymore. It's about policies being followed, changes executed as defined. And we also have to understand that mitigating business risks requires business expertise. So when it's about approving the access someone from business should have, then it's something a business person has to do. Same for re-certification, the same for determination of access. Which also means that this is, obviously, one of the challenges: identity and access management and identity and access governance are the areas where IT and business come very close, more than many of the other areas. And so we need to do it, in consequence, also in a way which works well for the business, not only for IT people but for the business, and translating technical access entitlements into business language entitlements, which can be approved with understanding what's done, which can be re-certified understanding what you are re-certifying, et cetera.
This is definitely not an easy task. So having said this, I think when we look at many of the implementations around identity and access governance, it turns out that many of these are not at that level of usability and not at the level of sort of business language, business-adequate implementation of business, as they should be. And many of these things are also not good enough to really deliver on the level of access risk mitigation we really need. And so, when we look at some of these points: what is good enough access governance? Is there good enough access governance? So we can raise the question: is it enough to be compliant once a year for every single access, by saying, okay, we have this 12 months re-certification campaign, so once a year we do it? So when we do it once a year, in consequence it means we have 364 days where we could be non-compliant with no one observing it.
If the error or the fraud happens just the day after re-certification. Okay, we can say we go down to six months, then it means, okay, we're down to 179 days. It doesn't fundamentally change the challenge. It doesn't solve the problem. It mitigates a little of the risk, but it doesn't. So we need to figure out ways where we understand, okay, there is a significant change, we need to look at that change. So why shouldn't we aim at always being compliant? And also, wouldn't it be great to be permanently prepared for audit? So how many of you are always under pressure from auditors saying, okay, we need that and that and that? How can we come to a way where we are always better prepared? And why don't we treat higher risk access differently from low risk access? And I'm not just talking about saying, okay, for high risk, we do it every three months.
And for low risk, we do it over 12 months. But understanding where are the high risk items, having continuously an eye, so to speak, on the usage, monitoring the usage, analyzing it, bringing more intelligence here. So why not apply continuous analysis to access data and real-time activity data? So why not look at it all the time? So yes, we have the auditors, and the auditors are asking for this standard re-certification campaign thing, but there are today other, and sometimes definitely better, more efficient, more business-friendly ways of doing the job. And honestly, I don't know a single regulation worldwide which says, oh, you have to punish your business users at least once a year with a very, very big matrix of entitlements they don't understand, but where they have to say, okay, I revoke this, and all the rest is correct.
Neither the quality of doing so is really helping us to mitigate the access risk in a perfect way, nor is it in any way business friendly. So there's no regulation which asks for it, but it's definitely extremely tough to convince auditors that there are better ways to do that, because you can better mitigate access risks than only doing the standard re-certification thing. So we need to think beyond that and figure out ways where we can at least complement these standard activities with other, better ways. And a lot of this will be explained in more detail by Darren in the second part of this presentation. So when we look at this challenge, we also should think about how can we get to one approach for access governance, for all the systems and for all we need to look at, and what are the things we want to have.
So from a technology perspective, on one hand, we have this identity governance and the access governance part, but we also have structured versus unstructured data. So for structured data, data residing in an ERP system, data residing maybe also in a database, some other systems, we are usually better than we are with the unstructured piece of it. So unstructured data is definitely something which is more difficult to get a grip on, all the data held in file systems, et cetera. And then with the deployment models, access governance doesn't end at the perimeter. If it's the access of your organization, of your internal IT, obviously every cloud system also is in scope. We need to look at friction-free processes and integrated processes, which work well with our organization. We also need to map our access risks to the enterprise GRC views, the governance, risk, compliance view. So what does it mean from an enterprise perspective?
We need the consistent controls, good interfaces, one interface, efficient processes. All these things need to be done when we want to get better in access governance. And we need to understand, so it's not only the high level view. So I'll use this picture for quite a while right now. And the thing we need to understand is we have the systems which usually, or some of these, like AD, like SAP and some others, have their internal complex structure of entitlements. And we usually only map the highest level to our identity management, might only see it in access governance, but we need to do it for everything. So we need this insight into everything, which obviously then raises the question: is there a single system we can use for everything or not? And I think we made big progress in that. So there's sort of the depth versus breadth and the enterprise versus system views.
So we have this very system specific, very deep insight into SAP with some access controls, like SharePoint security in another world. And on the other hand, we have this more broad covering of a lot of systems, if you remember the slide before, a cross-system perspective, more across all these systems. My perspective is that more and more vendors are getting better in serving both breadth and depth, both enterprise view and system view. And again, this is one of the things Darren will talk about and touch on with his. So to come to a conclusion from my part: what do we need, main things we need? So one thing is we need breadth and integrations, so we need to do it for all applications, I mean, to do it regardless of where they reside. We also need depth, so the detailed insight whenever required. We don't need always the insight, but we need to be able to understand what's behind that.
What does it really mean? And we need effectiveness and efficiencies. So doing the right things and doing the things right. So focus on what we really have. Doing the right things means we need to focus on our high risk items first, escalations, but at the end, it's about how we mitigate the risk. And we need to do it in a way which works for our business users, which works for the auditors, all of that. So this is where I see the entering, moving into more access intelligence, into more flexibility, into things which help us to focus on the high risk items across all the systems, structured and unstructured, et cetera. This is what we see as the evolution. So from looking at this rapid, or also sometimes not as rapid as we would like to see, but anyway, there's evolution of identity and access governance. I right now would hand over to Darren, who will talk about current identity and access governance challenges, from governing unstructured data to advanced data or advanced identity analytics. So Darren, it is your turn right now.
Excellent. Thank you. Let me just put my slides into presentation mode and with that confirm that you can see everything you should. Perfect. Excellent. Well, thank you, Martin. Very good introduction. And good morning if you are one side of the world, and good afternoon or good night, depending on where you are on the other. Thank you for that introduction there, Martin. I think, as we always find, you and I are very well aligned in terms of where this space is going and what some of the challenges actually are. And I think I wanted to set the stage here a little bit by highlighting what are really four key factors that I think have been driving that evolution of identity and access governance. And I think it's fair to say that many of the folks on this webinar have probably been in this space for as long as we have.
And so we've seen a lot of change. And so treat this, if you like, as almost an agenda, and I'll summarize four key points here and then I'll come back around and dive into each in turn. The first is the evolution from what is really pure access reviews to true identity governance. This space, and certainly SailPoint as a company, cut its teeth on delivering access reviews, you know, fundamentally presenting entitlements for business users to understand. And that is still a major part of what we all do. However, today identity governance means a lot more than just compliance reporting. And I think the title of identity and access governance really says a lot, but it's the word governance that we'll drill into, and understanding the scope of that. So a major move there from pure compliance to what we now think of as identity and access governance.
The second area is around moving from key applications to comprehensive governance coverage. I think, as Martin quite clearly articulated, it really is the discipline here of covering all users, all access and all data. Security is in itself the exercise of the weakest link. And so where we used to be able to provide controls for single applications, a small group of applications, today the scope is actually quite daunting. And it's some of the things we are doing in the technology to help evolve that, so make it much easier. So that sort of move from maybe just the application tier down through the stack and then out into the infrastructure to cover all applications. The third is the idea of moving from delegated administration to an open platform. And I'll obviously, as I said, expand on each of these here in a moment.
But when we started this, one of the goals of identity management as a discipline was to provide a delegated administration capability, so that admin people in the business could actually interact and control the systems. What we now look at is really an open platform. Identity management and identity governance today is such a quintessential part of how the business runs that it's a platform. This is no longer an application. You might say access re-certification could be delivered as an application. We do do that, but the true core tenet of identity and access governance is about a platform. And so I'll expand that for you here in a moment. And then the fourth area here is moving from static controls to a much smarter way of looking at governance. As Martin said, you know, getting caught by a yearly access review, something that is very static, has an audit implication and has a security implication.
And so very much now we see things have moved towards a much more dynamic, much more active and much smarter way of governing and controlling the individual applications. So with that, as I said, I'll use this picture as an agenda of sorts, I guess, and I'll dive into each area and we'll take it down the level. And let's start by coming back to that notion of access reviews transferring into identity governance. I first of all want to sort of highlight that security itself is really today defined by access. And the scope of that access, as I said, has changed considerably. On the surface, it always looks easy. You know, people access data, very simple on a chart. But what we now understand is the challenge is really about understanding that the right people have the right access to the right data.
And that is something that is much more complex to do. Most of the CIOs that I talk to today do understand how complicated that simple picture can be, and that what it's really about is creating a business process front end to the systems and access governance lifecycle, and providing that, as I said, as a full administration lifecycle, not just delegated for administrators, but into the line of business, and then delivering sustainable controls and audit for all of that access. And of course it's, as I said, really easy to put these things on a PowerPoint. You know, looks simple. But when we look at the left-hand side here, the who, gosh, has this got complicated. It's now not just employees, but it's contractors, customers and partners, and it's no longer just people. If you like, it's about applications, devices, and processes that are all accessing our systems.
On the other side, it's not just applications, it's now structured and unstructured data too. You know, of course, managing all of this access is just difficult. And when we ask the business to take that responsibility, they often get confused. And so I often like to break this picture down and kind of say, over on the left side, we've got our authentication, based on credentials, with basically a yes/no access decision. Unfortunately this is where things get complex, and the scope is important. There are so many systems of authentication out there, from PKI down to OAuth. I mean, there are so many, and unfortunately the average enterprise has all of them, lots of systems of authentication, and it's our job to provide business user interfaces and delegated administration and audit for all of them. On the other side, of course, we have authorization, you know, the act of authorizing, as it were, something that's generally a lot more fine-grained. But the point is, regardless of how it's authenticated, it's still going to be about complex entitlement models giving fine-grained decision points. Again, over here, lots of different systems, right?
Lots of different models for authorization, which, you know, makes the situation very complex. And I think for all of these systems of authentication and access, we have to cover and control them today in a single tier. We have to provide administration and audit, provisioning, lifecycle management, et cetera, for all systems. So obviously difficult. So who has access to what and why? And for me, visibility over and control over all of that today is where we've evolved to something, you know, access governance. I like that term myself as well. Governing the entire access stack, it is now our scope. Nothing is out of scope for us, unfortunately. Coming back up to the bigger picture again, I think it's critically important for the future of both IGA and security that we understand what it means to provide that access.
And the space here has evolved very, very quickly, as I said, from key apps down to truly the data tier. So let's jump in there slightly. I think it's pretty fair to say that today even businesses like my own are between the cloud and on-prem. I don't believe myself this is a transitional state. I think this is the end state, that everyone will have bits of both. And so the question really becomes how do we provide self-service, automation, controls, and governance for everything. It's interesting. Ask somebody in the line of business where an application is hosted. They generally don't care. They don't care if it's on-prem, in the cloud, if it's a SaaS, it just doesn't matter. It's an application today at the end of a single interface, a web browser. And so the challenge for us is to provide that same level of control, regardless of where it is. As Martin said, structured and unstructured data really is the goal here today.
If you manage SAP fantastically, but someone exports the data and puts it on an open public share, you're still gonna fail your financial audit. And that's a fairly stark thought. When you look at the numbers, the numbers here are really quite staggering: up to 80% of the enterprise data today. This actually was, I think this is a Gartner number. 80% of enterprise data is unstructured. And then some surveying we did last year, our market pulse survey, showed that a lot of the data that's out there has got sensitive information in it. And so that is a very chilling thought. So for us now, the strategy and the vision for the future is comprehensive governance, and that's for the applications and infrastructure on the left and the file systems and file storage systems on the right. These are not separate problems and they must be addressed in a consistent and cohesive way.
That seems to be what we're moving toward. And so in lots of ways, unstructured data is a big driver today, and taking what can be thought of as a data-centric approach is absolutely key: a 360 degree view of access, providing it in a way that we can think of as data stewardship, a very carefully chosen word, by allowing key people to actually own and take management and stewardship of the data through a defined process, and then integrating that with the core assignment lifecycle management for complete governance. That's really how we move from really those key applications to a comprehensive view that will be, and is, the future of identity governance. Coming back up to my agenda, if you like, let's drop back into this delegated administration to an open platform. This is an interesting one. Obviously we are a special interest webinar here, and I think it's fair to say most of us would agree that putting identity at the center is really a goal.
What we do has evolved to really be a core part of security and IT operations. And so, as Martin quite exactly said, hit the nail on the head, these things have to be integrated, and I think they also have to be active and responsive. And identity governance really has evolved from being an application to being a platform, hopefully an open platform that is integrated with all the things that you see around the outside of this picture here. And that integration is obviously provided by APIs and SDKs and, you know, plugins and the ability to extend the application. To me, the use cases that come from being part of an integrated ecosystem, that ecosystem for us focuses around the Identity Plus Alliance. And this is an alliance of like-minded industry vendors, as I always say, that have come together to create an integrated system based on that identity governance data and platform.
A couple of the areas of this are worth drilling into just quickly. The first is privileged account management and how we govern PAM. This, I say, is a particularly interesting one because it's a very competitive market. There are a lot of great solutions out there. Just some of them listed here, ones we see most in our partners and in our customers. But back to the challenge as a business: regardless of who's at the bottom there, we have to provide business process control and admin lifecycle and controls and governance.
And in the same way that we do for every other system: consistent, sustainable governance. To Martin's point, we have to go from a high level down into the deep depths of control and understanding of what's happening in these applications. So for us, identity governance at least has evolved to provide automation, controls, and governance for the PAM tier. And so we now provide, turn this into a SailPoint advert, but, you know, we provide a PAM management module that does a lot more than just connect to those systems via a SCIM open standards interface. It actually creates a whole new operational paradigm. And I'll just click through these very quickly. That helps us drive full visibility into container access, automated joiner, mover, leaver for the assignment of those containers, and making containers basically requestable units of access. That's what they are, they are access, and they should be governed in the same way.
And of course, that means back to basics: container re-certification, understanding who has access to what and why, and then adding in and layering in preventive and detective controls. Very, very important that everything we've learned across the enterprise is applied here to this very, very critical resource area in order to give us end-to-end governance. So sort of diving down into the details of PAM is now, in my view, a mandate for identity governance and administration. Another area in the ecosystem I want to drill into quickly is access management. And I think, as Martin kind of, I dunno if you caught that one slide, very, very key, where we showed the identity, one might think of as SSO in some respects, and the, sorry, the other way around, access and SSO separated from identity and governance. And that's definitely something that we've seen evolve.
And when you look at governing access management systems, it's a very similar situation to PAM. There are numbers of solutions out there. Our customers often have more than one. And so therefore our job is again, and look, very similar: common business process, manageable administration lifecycle, and controls and audit for all of them. Again, consistency, sustainability. They are the tenets of governance that we are looking for here, regardless of who's providing the SSO token, the session, or the password replay capability. Lots of great solutions out there for that. And I'm glad to say that we have been able to integrate with all of them. And so for us, this is access management integrations that can extend the core governance framework to provide controls and governance for the access management tier. And again, I'll click through some basic requirements. They should look very consistent, right?
Full visibility into the assignment. If somebody's getting an assignment, an SSO assignment, it's access. It has to be cataloged, documented, and audited, and doing that with automation, providing automation so tiles and access can be provisioned and deprovisioned as requestable units of access makes absolute sense. It's just more access that's managed the same way. And of course, integrating with password management, with preventive and detective controls, and, back to that same point, providing end-to-end governance for all systems and all systems of access, of course. So quite logical and sensible. And I think that is something that's certainly helped set the bar for a platform, as I said, an open platform for identity governance, rather than just an application. To move to the last and final area of evolution, there are many more, but just the four we've chosen for today, is this movement from static compliance-only controls to the world of smarter governance.
And I use that word in yellow very specifically, 'cause it is about smarter governance. To set the tone here, let's perhaps share a quote from Jack Welch. Jack was the, I'm sure everyone knows, the long, long time CEO of GE, a remarkable man actually, and a man of great wisdom. Jack: "An organization's ability to learn and translate that learning into action rapidly is the ultimate competitive advantage." I very much agree with that. When I overlay that into my world, it means that identity and intelligence is power and action is impact. So being smart and being able to take action upon those smarts. And when I explain what smarter identity governance actually means, I think you quickly see why both intelligence and action are the keys to the evolution of identity governance. Now, at the heart of smarter identity governance for us is this notion of analytics.
So machine learning, advanced analytics and a product that we call Identity AI. So that is of course at the center here. And that allows us to see through the noise of configuration events and data, of which today there is a mass: so many systems, so much access and so much data. So being able to see through that noise and being able to detect abnormal behavior. Very frequently today, the issues that cause vulnerability are simple mistakes. Those mistakes, one would hope, are abnormal. And so they are things that we can actually find. And that enables us to highlight anomalies. Very much now, it's more about the detection of anomaly and outlier than it is the recertification of the norm, of the normal. And of course that allows us to make much better governance recommendations. Very tactically, very materially, things like dynamic approvals, peer group analysis and role recommendations, for example, are things that can very easily be delivered here.
But more importantly, for me, this lays the groundwork for something that I would call predictive governance. Very much an evolutionary thought here, that the governance model can go beyond basic statistics, which is what many tools provide in this area, and help us predict governance response actions. But for us, and for me particularly, us as a market, but me particularly at SailPoint, smarter identity governance, it's not about an AI, a machine learning app, standing alone. The key word on this slide is platform. It's about having a platform that can leverage all of the elements that are provided by your identity governance provider. Obviously these are ours here. I'm not gonna put somebody else's products up, but it's about connecting these things together and taking the intelligence of AI and, as Jack said, translating that into actions. Smart sheets and great WYSIWYG pictures mean nothing if you can't take action, if you can't prevent vulnerabilities, detect problems and remediate actions. That's why we are doing this.
So this vision for me is all about integrating together the disciplines of identity governance, the provisioning controls, the SoD, the notifications and approvals, into a single platform, not a standalone acquired piece of technology that the vendor hopes they can stitch back together for you. It really is about integration and action that are actually the key. And so that, for me, brings smarter governance into view, and it's what's evolving to further drive identity to the center of security. And now, one other thought I want to kind of close on here, cause I know I'm getting close on my time, is this idea of a further piece of evolution into something that I would call federated access assurance. This is an interesting one. As we continue to drive down this road towards the future, the things on the outside of identity governance, the systems we interact with, the functions, be they security or operations, are getting smarter in themselves.
They're getting faster, they're becoming more self-aware, they have more control and controls embedded within them. And this in itself poses a question. It means the things that we share, things like identity, context and actions, and things like change awareness, need to be more normalized and more integrated as configuration and control evolves independent of the governance core. It's great that we've been able to overlay all of this control where it didn't exist before. But for example, if service management gets really smart and has control and complex configuration of its own, we have to have a better way of sharing and understanding what's happening over there. As you might think, and as you might expect from SailPoint, we've always been at the forefront of standards in this space, the long history of that myself. There's a need here. There's an opportunity to provide new standardization in this space.
Of course we do have SCIM and a number of other standards in this space, but they are not quite enough. We need a better way to exchange things like complex access policies, for example, or change management rules or controls that are defined in that layer, cuz they are the essence of governance. We don't need to duplicate them and we need a way of understanding them. So the future of identity governance is about an integrated and shared responsibility, and the best way to do that is through a shared understanding. And that really means continuing to drive open standards to get there. So I think we'll see some more standardization here that will hopefully help us all drive back to putting identity at the center. That's pretty much all I had there. I think at this point I'll open back over to Martin and we can create or take some questions.
Yes. Thank you, Darren, for the information provided. And as you said, I'll right now hand over slide, like, to me again, and we'll move, looking at the agenda, we'll move to our Q&A session. So we already have a couple of questions here and maybe there are more from the audience. So if you have questions, use the questions area in the GoToWebinar control panel to enter your question, but let's start with the ones we already have. So Darren, you talked about sharing identity context. Can you explain how this is different to something like LDAP and how this is implemented?
Ah, very good question. Well, let's first of all describe the term identity context for me. I didn't do a very good job of that in the webinar there, but for me that is everything that we understand and know in identity governance. So that's all of the relationships, the controls, the history, the approvals, if you like, everything that's in the identity governance database, you might say. So that is what we think of as identity context. Now, sharing that is obviously just, you know, handing it over to somebody. The reason that isn't just purely LDAP, I think the question was, is that, you know, that's obviously a protocol, and what we are really talking about here is not just sharing data but sharing actions. And as I said, in the future, sharing things like policies. Again, I can transfer a complex AWS policy or ABAC policy to you as a big giant blob of code, but can you understand it? And do you know what it means? So sharing that context is about providing open standards for it. We do do that with SCIM today. You can think of SCIM as being LDAP over REST in one respect, but there's a lot of community work gone into ensuring that there's a lot more understanding and meaning in there than that. So that's our definition anyway.
Okay. Can you explain the lifecycle for managing unstructured data in a cloud file sharing application?
Ooh, that's a good one. So I'll give you certainly our perspective on that. And that is, as I said, I think you said it yourself, Martin, that lifecycle, maybe that was prior to the webinar when we were talking, but this is all about lifecycle. It's about understanding initial assignment, management through a life cycle, and then reassignment. And it's the same thing for unstructured data. So today in our unstructured data governance capabilities, we're able to, first of all, connect to, say, a cloud file sharing application and basically inventory what is there. To talk evolution again, it's very much what we've been doing in governance from day one, right? Here's something that contains things I care about. Let me inventory, let me aggregate, let me collect the entitlement model and look at it. We do the same thing for file shares.
Let's look at the files that are out there. Let's look for PII information, let's categorize and classify that data, let's understand its access control model, and let's find a data steward. Something that, it's true, but this is a huge challenge for the business. We've ignored this area of access for so long that today there is a plethora of things that need to be discovered, categorized, classified, and controlled. So finding our data stewards through that life cycle is key, and then giving them a set of capabilities where they can manage that over time. We'll often say get clean and stay clean: find what's out there, clean up what's there, and then don't allow the wrong things to get put in the wrong place in the future. So that's really the life cycle as we see it.
Yeah. I think the one thing to add to this life cycle thing is we life cycle, for instance, with does customer lifecycle policies. So if you automate your assignments of entitlements via a policy, if the policy has a lifecycle, then you can do a lot of your audit-related work by demonstrating that this lifecycle and the policies are working correctly, set up correctly, handled, instead of looking at all the resulting entitlements. These are things which I think really help you to do things better. And yes, I'm absolutely with you. I think defining the life cycles, defining these policies and all the stuff around it, but in particular life cycle and processes, this is very, very essential for being successful in what you do with your identity and access management. Okay. Another question: how is smart governance different than the machine learning capabilities deployed in next-generation SIEM? Or we tend to call it security intelligence platform. So you talked about smart governance and there's also some AI or applied artificial intelligence capabilities. And so why do you need some different what the sort of the future and then currently evolving security information management or security intelligence platforms provide?
Yeah, I think our focus, the security intelligence platforms are dealing with an immense problem of their own. And that is looking through the log and infrastructure tier and the security incident tier and finding intelligence. I personally believe there's a layering here, almost an OSI-model-like layering, and what we are doing in identity AI and in identity intelligence, we deliberately called it identity intelligence because that's its job. Its job is to understand. I mean, is the world not complicated enough? All that, you know, picture with all that stuff below the management tier there, it's our job to wrap that up into a known state and then track its behavior, understand its context, and be a specialist. So I think for me, the smarter governance is about, in effect, sticking to our knitting, as they say in the UK, and doing a much better job, a smarter job, of the things we are responsible for.
And then sharing that with the security intelligence tier. So very much, I see a strong alliance, if you like, and connection point between the security incident tier and the security analytics tier and the identity analytics tier. I personally think it's a mistake to mix the two together. They're different people. They're different. It's like mixing your layer two and layer three routing. It's just not a good idea. You can do it, but, you know, that separation has proven to promote stability. And I think that's what we're looking at for the future. So they're very different things in our view.
Okay. I think we have one more question. So if you have questions, enter them now. Right now, the one question I have here is: can you expand, so you touched the standards, and can you expand on where and how standards for federated governance are needed? And I'm a big believer in standards in that space, because I think we have some standards for sort of directory information like LDAP. We have standards around authentication. We have even a little bit of standards around authorization, but we don't have the standards around auditing and governance. Agreed, need them. So maybe expand a little on that, Darren.
Yeah, most certainly. I think maybe I should, first of all, qualify back to SCIM. That really is probably the only true independent standard in our space, if you like, one that we were very much, you know, instrumental in bringing to bear. But in itself, it's still a transport protocol. It gives you a great way of asking a question and getting a response. What it doesn't do is define, if you like, higher-level use cases. And so the standards I think we need to move toward are things that allow us to exchange policies and governance. So by example, if we have a really, really smart piece of the infrastructure, the absolutely to, I think to your point, you, in that deep, just to say it's a really, really deep SAP governance solution like SAP GRC Access Control, very good example. It has controls, it has life cycle.
It has governance. I need to be able to interact with it. I need to understand what it's doing, how it did it, when things change. We have to have a peer-to-peer federated responsibility. Today there aren't any standards for that. We all just have to go from one app to the next and try and dissect it. And I think there's an opportunity for a much higher-level exchange context model rather than just a protocol, so that we can make this stable over time. So a great example is the difference between GRC Access Control and an identity governance tier like SailPoint. I think that's a great place where standardization can happen.
Yeah. And the GRC levels on top of that, we have done some of the enterprise GRC things where we need to map our controls as well. I think there are really a lot of things we need to look at, and fully with you. And I hope that you find the people from the various places in the industry that work with you on these standards, because we definitely need one in that empty space of auditing and governance standards. So I think we've done all of our questions. So if there are no further questions coming in, then I would say thank you to the audience for listening to this KuppingerCole webinar, listening to the presentations of Darren and me. And thank you, Darren, for taking the time for your presentation and delivering valuable input. Thank you.
