Event Recording

Expert Chat: Interview with Neeme Vool


KuppingerCole CISO Christopher Schuetze engages in a fun discussion with Swedbank's Neeme Vool on what the future holds for Identity and Access Management.

Hello. Good afternoon. How are you doing?
Hello. Good afternoon. I'm fine. The weather seems to be relaxed everywhere in Europe so far. So we are quite fine.
Yeah, the weather is really great here in Europe. Short hint to our audience before we start with a short introduction: if you have any questions for Neeme, just feel free to use the question function on our KC Live platform. Then I will ask him these questions. Maybe we start. I already introduced you, but maybe a few words about you, Neeme.
Yes, I'm quite fine. When people call me an engineer, I'm actually fulfilled. I have been working at Swedbank for 10 years now, and I'm also working as a solution architect. There are three layers of architects, so I'm the youngest, but still I'm a hands-on architect. I'm a solution architect. There are also domain and enterprise architects, but I'm happy to work as an engineer because it helps me to keep my hands on things. And so far, when we still don't have the all-over systems or possibilities, or common languages, architecture tools, then I think that engineers still should keep their hands on actual things to work out the solutions. So I have been working as an identity engineer and solution architect.
Perfect. Very interesting background. So maybe we start with our first question. Many identity and access management projects stall and struggle in delivering on their promises. Why do identity and access management projects fail? What do you think?
Yes. I'm quite happy to have this question because at Swedbank, we finally succeeded with our IAM project. Also, we were almost on the edge of failure, and we already considered that it's just the next project which is also going to this second part of the projects, the half part that failed. But then we finally made it through. And I could say that from this experience, and the experience of the bad side, I think that there are probably four things. The first is the assumption that the data in the source, mostly HR, is correct, and that the processes are aligned, that they are aligned with the architecture of identity and access management. Don't even make these assumptions. And when you go to the bigger enterprises, the departments are more and more focused. So the focus of HR is not necessarily the same as the one you have in the identity department or area.
So don't expect that you will ultimately be in the same boat. They have their processes, they have their standards and their responsibilities. Don't make assumptions; rather assume that the data is not suitable for you. Then the next thing is the failure in architecture, the failure to define invariants or separation of concerns, the possibility to keep the kitchen and the cooking area different from your restaurant area. It causes a lot of exceptions all over the systems. You have to literally implement all the different exceptions in all the IAM systems when you are not able to find something, the central point in the architecture, which you can keep stable. In our project, we were actually lucky to find such a point, which has been introduced in the other presentations. We found it, and then we could actually implement a system that is stable and persistent over time, to which we can attach different HR systems, even many of them, from different countries, different boundaries.
Then there is another thing which is very hard to cope with: traditions versus policies. There are many things happening because there are traditions for how to do them. Many things don't even have definitions. For example, we still don't have a solid definition of what the organization is at all: whether it's the legal entity, what the structure is. Because finance and HR are the ones who usually define the structures according to their needs, but there are no clear policies for how you create accounts from them, according to job functions and roles. There have been other traditions, and if you are not able to turn those into policies, you end up having a legacy system. I must admit that we also have those in our IAM systems. And this is the thing which keeps me awake at night, because I know that these things are there and we couldn't resolve them so far.
And then the fourth is the not fully planned transfer project. This was hugely important for us. And it was actually impressive how hard it was to explain to the stakeholders and the project manager that we need a very detailed scenario for the migration of identities. They said: what is the problem? We just define the takes and then we transfer, then we go over, and then we are happy. But we created a very detailed scenario for migration, for data migration, for identity migration. Every single detail was worked out, and all the plan Bs and scenarios or exceptions were foreseen and worked out, with the solutions for them. So that's why we were finally successful, because not only were we successful in implementing, but we were also successful in transferring. So those four things are, in my opinion and from experience, the key success factors.
Absolutely. In the past, I also worked for integrators for advancement solution, and scoping at the beginning, knowing what the core of the identity and access management is, whether we also take care of process, definition of responsibilities, where data is stored, who is responsible, what the role of the different stakeholders is: all the stuff you mentioned is exactly the stuff where you can fail. And if you don't have a greenfield approach but existing data, which is the most common scenario, and a valid and secure migration plan, maybe everything at the same time for identities, or stepwise, department-wise, whatever, this must be well thought out, and only then can it really work properly. Otherwise, in the worst case, you lock out everybody who's transferred to the new system. Another question, regarding maybe starting such a project: how do you define the goals and the requirements for an effective identity and access management strategy? How can you make your IAM program a success? Maybe some more details on that.
Yes. I must go two steps backward. I thought about what the definition of strategy is, or what IAM strategy means for me. And I think that all the strategies, depending on IAM strategies, are defined by two qualities of humans, when we go back so deep. The first is the ability to control only a limited amount of factors. We are humans. We cannot control many things. So we must somehow split things to be able to conquer them. And then what is universal, or unique, for us is the ability and need for cooperation. It means that we are splitting the tasks between humans. We assign responsibilities. We define the tasks and components to be able to cope with them and also to share the responsibilities. So that's why, in this light,
I think that there are the following sources of goals and requirements, which define the strategy. The first is the processes and business functions. And just as a step aside: I'm the engineer, and probably the thinking is different for CPOs or architects, but I'm the bottom-up guy. So when I'm looking for the things which I want to see in the strategies, I look at how our processes and business functions are implemented, so how we split and share the cooperation and responsibilities. Then the second important thing is the policies. I would look into the basket of policies, what we have and what we will have to define, and what their place is in our strategy. Then the third is what I'm starting to like in my recent way of working.
When I work out architecture, it is looking into defining the capabilities of the systems. The capabilities are a kind of glue between the business requirements or business functions and implementations, because the capabilities are associated with the path of implementations. The capabilities are the things to which I attach the components and IT functions, and capabilities are the things which are looked for by the businesses. So the third thing is looking into defining and enumerating the capabilities and how we will actually implement them, what capabilities we need. Different scales of organizations need different capabilities in their IAM systems. Something which is relevant for a bigger enterprise may not be relevant for a smaller enterprise. Capabilities are also the things on the basis of which you can decide what to outsource; that is one quality of the capabilities.
That is, for example, if you can outsource it, then this is probably the thing which you can call a capability. And the fourth is the data architecture, and especially end-to-end identification. I literally want to, or at least in my head I have started to like, the word identification instead of authentication and authorization. Sorry for saying that. But I think that authentication in our world is still the proof that I still have ownership of just the credentials. Many authentication systems do not really prove your identity or authenticity; you are just proving to the system that you have the credentials, and that is fine for the system. So that's why I'm saying that the fourth part of the strategy is finding the answers to how we do the data architecture and end-to-end identification, because those are very closely related, due to the privacy rules, to protecting the identity.
We need more data, but at the same time, to have privacy, we should ask for less. And the rest, which I am also touching on in my presentation, is the rest which cybersecurity should cover. So the thing which I would finally look at is how we cover the rest of the things which you cannot cover with strong identity proofing; that rest is the responsibility of cybersecurity, in my opinion. So those are the components of the strategies, and our humanity is the thing which drives the reason why we have to split things and define the strategy. We must have the plan and we must conquer the complex things.
Absolutely. So: translation of requirements from the business into technological requirements, build capabilities, think about the services that can fulfill them. And even if you relate to the presentation of Paul: where is it executed, is it an MSP, or is it any other kind of solution that isn't relevant, part of the strategy. Going towards a modern identity and management system, what is your long-term vision for identity and access management, and how do you measure progress?
I think that this is the question where I don't have a clear or straight answer, but I have a little bit more ambiguous answer. I found one good sentence on the internet recently. And I think that so far, you could have considered yourself successful in the area when you could answer the question: who can do what, and why is that? But I think that it is not enough anymore in our current situation. This has been the central question so far, at least in enterprise identity and access management: just who can do what, and why is that? When we think about all those things, everybody who has been working in enterprises can immediately imagine the certification campaigns and onboardings, offboardings, all the stuff, but it's not enough anymore. I see three trends currently. The first trend is that customers' and employees' identities are not even stolen these days, but they are just made to do harmful things to themselves.
For example, think about the customers who are getting phone calls, and they are so well socially engineered that nobody even steals their identity. They themselves do the transfers to transfer the money to the criminals. And the same is there for employees. They voluntarily click things; nobody even has to steal their credentials. They are just made to do things. And think about the latest proceedings with artificial intelligence, where we cannot even distinguish between the things generated by the new Google artificial intelligence or those things. Those are not generated not fully, but you want imagine that when such systems start to engineer us. And then the second thing is developers. I'm a developer. And I think that developers cannot master dozens of languages, frameworks, technologies so well that security is well built into the systems.
How many times, for example, have you lately seen articles like "Top 10 languages you should learn this year", "Top 10 best full-stack frameworks", or "Top 10 micro machine learning technologies"? This is something which pops up every day on my phone when I read the news. It says that I must be a multi-language, multilingual, multi-stack user, and how many full-stack developers they are looking for. So it means that you cannot possibly grasp all the data. Just think about implementing authentication and authorization: how many times do you rather just make things work, getting help from artificial intelligence or just copy-pasting from Stack Overflow? So the burden on developers is something which you should consider. And then the third is that the clouds are not immune. The risk of trivial failure is lower because the baseline security is higher, but the cost of a single failure is higher.
It's enough to have a single failure. We recently saw, for example, that one cloud provider had an issue with the possibility to escape the Docker container with just trivial overloading of the Docker configuration readings, a thing which you cannot ever even see in your regular environment; it only appears in the cloud. It was disclosed recently by some Finnish scientists, investigators. These are things which only happen in the cloud, and those pose big risks there. So those are the things where I think that identity and access management should also help to find answers: protection against social engineering, how to co our D in who is opposing us; then, in the implementation plans, how the developers can cope with the complexity; and also our strategies in the cloud, when we finally deploy into the cloud.
Absolutely. And it's incredible: the 20 minutes are already over. I would have so many more questions. Maybe you have the chance later on, after your presentation, to discuss one or two more questions. With that, I would say thank you very much, Neeme, for this great expert chat, your insights into your identity and management project, your experience and your predictions. Thank you very much, and see you later.
