IGA Everywhere - Creating your Future Security Ecosystem

Thank you Iran for coming. Hope you're a nice coffee break and networking session as well. And we'll begin with the first part of this IG track, which is IG everywhere, creating your future security ecosystem. Next slide please. You can click okay, no problem. So to begin with, we'll start with the agenda. We will first define what is IGA and its importance in the current ecosystem. Then we will look at the required capabilities of IGA for, and then we'll move on towards Matthias part, which is the advisory perspective.

So he will provide more advisory insights on how he has to deal with customers more into a practical way. And finally we will take a look at the outlook for IGA in the coming years. So to begin with this quick definition of iga, it combines the user access provisioning and the access governance part. Identity lifecycle management remains the core Im requirement and but as you can see in this image there are two split diagrams. First is identity provisioning and then access governance. Two.

In identity provisioning you have multiple elements such as identity re repository, which is a core element of IM and iga. Then the identity lifecycle management previously also called us the joiner mobile lever process. Here you deal with the creation modification, termination of the identities, then the password management. It's more about interface for managing your passwords, password resets, and then the access request management.

Over here you have an interface for user experience for requesting access and then the policy and workflow management, which deals with creation and modification of policies for identify for automatic access entitlements and then also workflow management, which is more about using these rules that we have defined in policies to then implement them. And finally the role management, no, if we move towards the access governance part first is analysis. We have so much information coming in.

This part will use this information to create good insights, which can be used for decision making, business decision making. Then we have the access certification parts, which prevents one of the core elements again of iga. It provides us a mechanism for auto faster and more efficient way of doing access reviews. Role governance provides us the centralized visibility over the ideal lifecycle and the governance. Then the SOD control management provides us the tools for identifying any policy violations that take place. And finally the reporting and the dashboarding.

This is the final part, deals with using all this information for creating reports and then using them for making decisions. Next would be the how. How can we use this ig? What is the importance of IG in the current market? It provides us with enhanced visibility. Access governance part gives us answers to who has access to what, who has access, what and why and who granted this access. Then it helps us to deal with the security risk and ready compliance.

There are new threats coming day by day and IGF solutions help us to keep these threats to a minimum level and also ensure that the solution remains compliant with the ever evolving, ever-changing regulatory requirements. Then we, it also helps us with automation and efficiency. For example, something like granting initial entitlements. If the 80% of the entitlements of all the identities are done automatically, it helps us. It saves time, saves cost and it helps us in the efficiency. Then the provisioning and the provisioning part and access certifications.

And finally the configuration and enforcement of static as well at event-driven access policies. Now the required capabilities of an igs solution arranged from these eight to eight main criteria. First is identity lifecycle management for the creation, modification and termin termination activities. Then the self-service and mobile support provides an interface for requesting access and also managing passwords and providing strong solution for accessing these capabilities via mobile. Then access and review support.

Again, same the mechanism which gives you faster and efficient way of reviewing access. Then a target system support one of the major part connectors and deals with on-premise as well as cloud-based connectors with which deals with the breadth and the depth of all these connectors. So we look into that as well. Then the workflows and automation remains a crucial part using all the policies that have been made and then enforcing them into a good workflow which can be used for, which can be customizable or used in a graphical way.

Architecture and environment is about the solutions architecture and also if it can support hybrid environment, it deals with the deployment of the solution. Then the centralized governance is providing the visibility to the organizations regarding access. And finally identity and access Intelligence uses the modern tools of AI and machine learning for using the information, creating informa, gainful insights and also other tasks such as recommending access to use us and so on. And then now moving on is the advisory perspective from Matthias. Thank you.

So as I said, head of advisory, that means you, that's hell, this is okay, better. This is not the commercial break, but this is just to mention we at Co A Coal, we have the Analyst perspective.

This is, which is the work that that Nisha is doing. All the colleagues from the Analyst side, so they're doing the research, they're producing paper and this is really the basis of the knowledge that we have as an organization, as co a coal analysts. I'm a head of advisory, so we are dealing with the real life, the actual customers. We are going out and talk to customers and work with them and try to identify where we can support them, if we can support them and if we support them, how to support them. And this is, I just grabbed three slides that we use in our daily work.

You throw things at me when it's when I have 10 minutes or seven minutes or so spoken because when I talk, this can take long hours. So the the important part is that we really have a, a structured approach to identify how such a IGA solution can evolve and that is what we are really trying to support our end user customers with. And we have just, I have just three slides in the first for those who are not really new to cooking a coal, you might have seen that in a, I don't want to bore you, but I want to use it as a tool. So you must probably have these seen this slide.

This is the co coal reference architecture and everything that that NEAT has just explained shows up somewhere on that reference architecture slide. So this is a published document. You can get that in various versions on our website. This is available and we really want to have that used by organizations as a basis, as a blueprint. So this is nothing secret, no secret source, this is just there. And we use that for talking to end user organizations to get to results, need to explain all the individual functionalities and the capabilities and why they're good at what they're doing.

The question is how mature is an organization? What is lacking? What do organizations really need? What do they not need? What is not required? What can be omitted? And therefore we use this thing and very quickly explained, I should look into the camera, but nevertheless we have a a four column, three rows architecture here. So we have the typical components of an IAM infrastructure. So we have administration, analytics and risks. This is the what we call deployment part.

So where we really say, okay, this is something that is done before the actual work starts, before people authenticate, authorized et, et cetera. And on the other hand we have authentication and authorization and if you think of this is the IGA track, yeah, this is mostly auto scope for this track but not fully. Sometimes you need to have something here that this works. So define policies you will do here an entitlement management and there will be evaluated here. So this plays well together and that is what we use.

And when we try to support organizations, and this is again not a sales pitch, just to tell you how are things evolving, how are these platforms evolving from a tools perspective but also from a leveraging, from a usage perspective. This is where we are right now. We conduct just interviews with stakeholders. We talk to you as an end user and we find the right end stakeholders within the organization. So the idea is to talk to the cso, to an end user, to the IT guys, to the IM guys, to compliance, governance, hr, whomever is required to get a bigger picture.

And what we then end up with is some kind of PR prioritization. I have the legend below here. So usually we end up with some of these components just being out of scope. I don't care for that as an organization, we have some that are of low priority to touch. That means, yeah, we are fine with that.

It's okay, not much to do. Keep it as is medium priority, not not the immediate thing to start with but maybe also something we can keep in mind if it just fits into the picture and the ca be put on the timeline will at the highest priority of course this is the stuff where really work needs to be done. If you are an organization which is highly regulated and you have a really long running, really seasoned and really well working IGA system, you might end up with a situation that you are not really good in excess governance to get insight.

Maybe there is an auditor saying why did Matthias have that access on who approved that and why and when and why is this still there? Why is this account still there? This is access governance. And when we are done, the slide changes only slightly. We end up with something like that and that is really an important step. After quite some work we end up with such a slide where we can say, okay, this is out of scope, this is out of scope, this is out of scope but we need to do something. But not in that project, not with an IGAs perspective.

This is out of scope for iga but nevertheless we identified there needs to be done something here. And if you look at the picture and if you identify the red areas, this is a fabricated example. This is not a real life customer of course because I wanted to present something that is nicely and neatly working to get to the right result in the end. But nevertheless, this is really something that is very common to many organizations to say, okay, we need something to do in the area of identity information quality management.

That means data is not good within agile, within Im maybe data in upstream sources is not good. Say hr, say organization management, say ad, whatever. And so you can then really create more and more of these areas where you can say, okay, this is something where we really need to improve. I don't go into every detail. If you're interested in that, this is a document that is available. There are videos on our website you can follow up on that. I just use this as a tool. But the upper left corner of that slide, everything that is highlighted in red here, more or less is iga.

So this is something where the bigger picture of IGA plays well together. And that is then a result we use together with our clients, with our consultants customers to say, okay, what are the next steps to be taken?

And the, depending on how that picture looks like, what is outta scope? What is low priority, medium priority, what can stay as is and what is really high priority? We take the next steps in evolving in architecture, thinking of the concept of the identity fabric as an underlying concept. That does not mean that you need to rip and replace the complete solution, throw it out and replace it with something else. And you are not able to work for three months if at all. This is really used for augmenting, extending architectures. That is really the important part here.

I have to speed up because Nita has one slide as well. This is what we end up with. This is a bit surprising, maybe even irritating, but it really helps us in clustering and identifying in prioritizing components to work with. We are analysts, we like diagrams and we love scatter, demogra, scattergrams. These are these the these graphics. And on the one angle, so the, this is the Y axis, I assume it's the priority that we have identified with the customers.

So red, green, red, yellow, orange is reflected here in on that axis. And this is as an example, there are other options to do that, but this is a good one. The priority at the market, talking to vendors, talking to the market, what Nita does to understand where is the market going right now. So then we end up with a, with a graph where all these blocks that we've seen before on that reference architecture slide are projected into that scattergram. And then you can say, okay, it risk management, it grc boring and it's not really of importance for the customers. Well stays here.

And so you can do that for all these individual aspects. So this is something coming from research, this is something coming from the analysis and what do we do with that picture? We have three areas identified. The high priority is the one where one should take action depending on the analysis taken. So it's really something that we build upon with the work potential. Upcoming threats, trends are here.

Yeah, do it. Sometimes what's not that important can be take done later and this is something you should focus on, although it's not necessary. Al already well reflected on the market. So you have these different areas where yeah, you can look at and where to start.

Yeah, easy analysts look to the upper right corner, always upper right corner says identity lifecycle management, access governance and everything that is around that. And surprise, surprise that this is iga and this is something that we see in, in reality all the time. Many organizations are still fighting, struggling with getting better, getting appropriate at IGA and having the right functionality in in place. And often they are talking about the access analytics, even machine learning part. But of course you need to start with getting things done properly and the base work.

So having roles recertifications, sod done correctly and that is something that we then use in the next step for creating a roadmap, a milestone plan to continue our work from that. So this is really the, yeah, the advisory perspective really how do we work with the research part and with our customers to get to a milestone plan. Next step would be put that on a milestone plan depending on requirements and dig deeper into other dimensions here about quick check. Woo.

Okay, handing over back to Nish. Perfect. Thank you so much Mathias. That definitely gave more practical perspective compared to what analysis we do more on the theoretical side and now we come to the last slide of the presentation, where is the IgM market heading? In our communication with the vendors and the IG solution providers, these are the few trends which we have spotted in the last few years. One of that is it's still, it's still growing.

It's at a maturity level, but it's continues to grow and it's evolving and one of the areas where it continues to evolve is more towards access intelligence. It is, it's becoming a differentiator for all the igs solution providers and that access intelligence includes tools such as machine learning based workflows, AI for recommending access. And that's the third point. It's automation. Then automation is also a key trend, which we observe in the last couple of years. Many vendors are not for using automation for multiple functions such as granting access, access certification, access reviews.

And finally one of the final trend is that leading vendors continue to support on interoperability. The support for cloud is growing compared to on-premise and this is happening through provision of secure APIs. So Thank you. Thank you very much from Matthias and I I think we are just one minute left. One minute left. So we have time for one question. There are no questions from the remote audience, so this is your chance to raise your questions. Are there any questions to the stuff that we just presented? Don't be shy. No questions. Then I have one question to to to nish.

When it comes to the market perspective, everybody's talking about machine learning, AI helping and and augmenting and access governance. How has this really arrived in products? Is this something that you can buy already or is this something that is still growing? It's definitely growing. It's more towards the growth trend rather than it has arrived. The traditional major IGA players continued are investing more into it, but also we are seeing many small new upcoming vendors who are investing a lot in this new trend.

Okay, great. Thank you very much. Thank you nitric. Thank. Thank you.