Webinar Recording

How Security and Identity Fabrics Work to Help Improve Security


Log in and watch the full video!

Many organizations struggle or even fail because they overcomplicate the implementation and extension of their cybersecurity toolset. Most do not have a central approach on security, and often use a set of tools that are not well-integrated with each other.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Welcome to today's KuppingerCole webinar, which is supported by Hitachi ID. It is about how security and identity fabrics work to help improve security. My name is Christopher Schutze, I'm director for the practice cyber security at KuppingerCole. And I'm here today with two very interesting speakers. We have Paul Lewis, global CTO of Hitachi Vantara, and Bryan Christ, senior sales engineer from Hitachi ID Systems. Welcome. Also a short hint about our next KClive events, which you can attend online and for free tomorrow, we have one about IGA solutions for ServiceNow, infrastructures, and it is followed by a three day event end of October, our customer technology world 2020 and last but not least our first hybrid event in 2020, the cybersecurity leadership summit 2020 from November the 9th to the 12th. It is online for free and onsite in Berlin in the same location like last year. And for sure, with a well-defined concept for your, and our safety, before we start some housekeeping, we have audio control and you are centrally muted, and we are controlling this feature and there is no need to mute or unmute yourself. We are also recording this webinar. It will be made available in short-term and we also will provide the slide techs for download there's time for Q&A. At the end of the webinar, you can enter your questions at any time using the GoToWebinar control panel.
What will we do today? First of all, I will start with introducing the analysts you on fabrics using our cybersecurity fabric. And the reason why we developed our fabrics then followed by Paul Lewis, who will talk about data and how to protect it using the paradigm of a data fabric and last but not least Bryan Christ, who will show us how to use the products and services of Hitachi ID to solve the discussed topics and to improve security. And then the last part for sure, is the Q&A where you can ask questions to all of us. That's the plan for the next hour, the top five challenges for cyber security. Imagine your own organization. What would scare you most losing due to data breaches, maybe an unprotected API or some employee with bad intentions, the loss of data, especially customer data like mail password credit card is really a very, very sensitive topic and con can harm your organization a lot. Just think about another one. You turn on your computer and you are not able to work. The computer is locked maybe by a software, which blocks you from doing your work from accessing your data. Ransomware texts are in 2020, still growing and black mailers ransom money from your organization. Whether you get excess back or not after paying is often very unclear.
When did you last change your password? Are you forced to do it every 90 days? Are you using a complex one? Passwords are really annoying and the force to change the password frequently leads often to simple rules and passwords or writing them down somewhere. So we should have something more user friendly, some ways, some better ways to access our systems, our data, to prove our identity and to maintain our passwords for service accounts. Maybe we do not need a password anymore in the future. Hacking an organization is always possible. And just a question of how much money the attacker's willing to pay for the HEC. Be aware of that, how much profit does he expect? But traditional hacking is also expensive and time intensive. That is why the user, the person behind the computer is in focus. So you, with social engineering attackers, try to force people to download things, to enter their credentials, or to give information about relevant things. Often the attackers act really clever. They act like a person, you know, they use their names or maybe even their accounts. And if there is not enough to take care of any kind of thing started to connect to our corporate networks. They often connect via an access point and communicate with various protocols to each other, and potentially all of them can have access to the network. They can deliver data, they can deliver menu related data and maybe they can also access other data.
What can you do to achieve a higher level of security? What are the measures to take to make your organization more secure? Well, first of all, you must have a centralized approach which takes care of all necessary things within your organization. This is why we use. So for instance, in our KuppingerCole advisory projects, we use our cybersecurity reference architecture to identify all needs regarding to the requirements based on the described challenges. Our reference architecture is based on the five pillars, governance manage, protect, detect, respond, and recover. So security frameworks like NIST and ISO two, it risk management with its security controls based on risk assessment and as a classification. So topics from governance to security management protection detection of the various data applications, systems, networks, and end points that we have. For instance, enterprise information protection. We have API management and security as well as excess management and operating system configuration network security and malware protection.
Besides that we have some topics which cover all those five layers, like for instance, threat hunting security operations center and the concrete incident response, planning and process in case of an attack of an incident. So for instance, if you are currently under attack under a ransomware attack or things like that, and general topics like incident response management business continued to management and also operational resilience as part of the pillars respond and recover. So we used the idea of the security process, extended it by governance, manage and overall processes and edit our long-term experience in such such projects to define the coping, a call cybersecurity fabric, and with the building blocks of this reference architecture here, you can start to build your own cyber security fabric and fabrics are the topic of today's webinar.
Three years ago, we developed a KuppingerCole identity fabric to help to structure and organize the identity and access management of organization organizations. That's what we also built for cyber security in mid of 2020 a fabric concept to describe a paradigm which shows how to handle and manage things. The cyber security fabric connects everything, identities, devices, structured, and unstructured data, any type of application, any type of system and any type of network from virus to your corporate network, internet up to your local book from home network. I can the identity fabric, we have a bundled set of services to fulfill the needed capabilities. And again, here is the overall pillar govern and manage. And before others with protect, detect, respond and recover in the middle, and this structure gives you the flexible possibility to handle things in a central, but loose coupled approach with the option to extend with new capabilities and integrate existing tools.
Because usually you do not start with a Greenfield approach, but let's have a more detailed look into a potential cyber security fabric like yours could look like in the cyber security fabric capabilities are bundled to building blocks based on our reference architecture. Those building blocks are those building blocks and capabilities are bundled to services like protection and detection in the middle, and also a response service. And so on, especially the topic identity and access management service is again a set of services itself. And therefore we have for sure, our identity fabric as a separate fabric concept. So short example, malware protection, animaly detection and network security can be bundled to a protection and detection service, which can be then consumed by applications. The building blocks of those capabilities are then maybe executed in containers via microservice, via API, and can run local and private or public cloud applications or digital services can use those services also be an API layer or with standard support and custom integrations to use that kind of capability, or maybe to deliver data to the security fabric for something like the animal lead detection. And on the other hand, we have the legacy applications and maybe, or hopefully we have a legacy security products, which can be integrated by custom connectors and integrations. So at the end, we have an open architecture for new digital services and the support for existing applications and security products.
Well, and what is the special thing about the KuppingerCole cybersecurity fabric or the fabrics in general? What are the essential characteristics? It is a unified and overall approach for all types of data systems and identities and for all types of digital services or even legacy applications. Remember our was threats at the beginning of this Webby, not the second point is it's a paradigm and approach for modeling a security organization. It is neither a concrete tool nor a specific service. This is really important deciding which products fulfill the specific capability is usually the last step existing tools are also considered as well as a need for new or additional tools. It is flexible because it builds on API APIs and microservices. So we achieve things like scalability, flexibilities, and things can be replaced or extended if needed. You can start with few default services, adding capabilities from your existing tools and integrate them and extend the cybersecurity fabric or your fabric in general, over time with new requirements, maybe also requirements we don't know today and last but not least the well-proven approach of KuppingerCole was the segregation of requirements, use cases to capabilities, to services.
And then at the end, talking about technology helps usually really to find the perfect fitting set of services for your organization. This was my first part, as mentioned at the beginning, we have an Q&A at the end of the webinar, but feel free to enter your questions right now. And now I will hand over to Paul Lewis, who will talk about data fabrics, Paul, the stage is yours.
Thank you very much. That was incredibly enlightening and actually helps with the presentation. I'm going to go through. I'm Paul Lewis, I'm the global CTO for Hitachi Vantara. I've been here six and a half years prior to that. I was a CTO and CIO in banking for 17 years. So the vast majority of my perspective in many ways is a enterprise consumer and operator of technology. I do spend time talking to CIO and CTO is in CIS sows around the world. They generally travel about 400,000 miles a year, not this year, but I, I have do speak on a lot of different topics, including digital transformation. And I also spent a good portion of my time in the academic side because we know security officers and data scientists are hard to find. So we have to ensure that we have to bring up these resources through academia and make them available to, to the worldwide audience.
I do want to step back a bit from security and talk a little bit about what's happened now, and what's happened in the last, this pandemic of change, right? There's a worldwide change in how we operate it and how we think about applications and data on infrastructure and security. And over the 200 ish conversations I've had with clients, it's clearly a people centric issue, right? I'm used to having conversations one-on-one with individuals. And now I have a virtual conversation with my entire team, even if they're local within the town. I used to manage by walking around desk by desk, but now I have a federated approach of getting things done. There are more bad guys and they're better at what they do. They have as much extra time as we have. And there is a pretty significant increase in securities concerns as we'll talk about.
And we're used to coalescing in an office and now we're, we're tens of thousands of people, hundreds of thousands of people at home and doing work in our own different cultures. We do have a health and safety concern, which we need to get over. And it's different based on their world. There is a bunch of furlough and economic impacts and of course, culture and communication has changed because I now communicate virtually versus physically in terms of the technological changes. When I talk to CIO and the CTO specifically, they're generally concerned about things like collaboration versus creativity, and that's not just a, you know, a go-to webinar, a zoom teams issue, but how do I do creativity? That's different. How do I duplicate the, the home office to be equivalent to the work office? And how do I deal with this federated culture? People are working from 6:00 AM to midnight.
How do I ensure that they're not working 16 hours and sleeping eight, right? That they're in a chair for 16 hours and in a bed for eight, we have to make sure that they have spent enough time with family and friends and so on and so forth. I now think of resiliency and capacity differently, in fact, so much. So I've had to shift people from my it administrative team into my security officer team. And of course, into my ITSMs team, because I have thousands of people working at home. Who've never worked at home before. Therefore the service desk needs to be greater and the desktop support needs to be greater cyber security, which I'll, double-click in a second and digital transformation pivot saying depending on the type of company I am, what industry I'm in, I'm doing different things in technology. If I'm a thriver like media streaming companies or snack food companies, I'm worried about scale.
How do I triple my production flow? How do I deal with hundreds of percentage of increase in, in subscribers and more people, streaming content and more people using the 4g networks? How do I deal with all that new consumption? And I've got to think about scale and what the impact to the security potential and the performance potential of that. On the other side of the equation of those that are suffering, right? Those are, that are challenged. These are airlines and movie theaters and theme parks. They're worried about shifting how they're spending money in it and security. They still have the same security concerns. In fact, a lot of cybersecurity is attempting to attach those because they think they're failing organizations and ripe for things like ransomware. And then those organizations that are in the middle, those are the changers where they're had some analog part of their business.
Maybe it's a wet signature on a mortgage, or they only sold their products in niche stores and moles, and those malls have been closed. So they've had to change their customer experiences or their supply chain, their distribution. They've had to get their products to the home instead of the store. So there's been a pretty big pivot in terms of the cybersecurity. It's been the new normal of these new bad guys. They're better at what they do. They have more time. They're far more precise in their attacks. They're achieving penetration and actually getting that data and actually offering and receiving the ransom. And even when it comes to things like email fishing, they're far more precise in its language, far more credible, and it's, it's substantial content and people are clicking on those links, especially difficult. When you have tens of thousands of people at home who may have never received the cybersecurity training, right?
They may have been task workers or essential workers or, or, or frontline workers, right? These guys really haven't had the time or energy to take the type of training we would do from the information worker setting. And of course, social engineering is a problem. The reality is if I'm at home and a bad guy calls me at home claiming to be it I'm much more likely to believe them because in a general sense, I it's, it's not possible for a bad guy to know my home phone number. And therefore I'm absolutely gonna tell him information. That's a problem. So big increase in phishing attempts, ransomware and stealing of data itself and social engineering impacts. And I've got to do something about that. I can do things like VDI and VPN or secure my data at the edge. And that edge is now at the home.
I now think of an application lens in terms of security like VDI. And now I have a data lens I need to be concerned about because I now both create and consume data at the edge, right? So now all that data that normally would be protected in the officer in the data center in the cloud is now happening at the edge at my home. And I have to deal with those kind of protections. So if I were to take away, what's happened in the last few days, we started last year, a few months. We have to think that January 21 or 22 or 23 will look a lot more like today than January, 2020. There's a long tail to, to change that have been implemented. We know that work from home will likely be the default in the Western hemisphere. It's likely going to be 70% of people still at home.
And the Eastern hemisphere might be 40% of the people still at home, but still a pretty big percentage. There is a demand that I deliver projects faster agile team. The only it nine month projects are not sufficient anymore. I actually have to deliver them in three weeks. That adds security concerns. As you can imagine, and based on the type of company I'm at, I'm either focused on scale or focus on survivability or focused on change. So those considerations mean leadership has culture P managers that walk around are not as effective as leaders in a virtual world. Edge is my primary consideration. It's not the poor cousin anymore. The laptop support are not what I put two or three people on a VPs of ITSMs become the SVPs of ITSMs. That becomes the major place to which I create and consume data, which means data is everywhere.
It's at the edge. It's at the core, it's at the data center. It's in my supply chain, it's in my customers. I have to extend my governance, extend my security, extended my protection, extend my privacy of data across that entire platform set. And we know that cyber threats are growing and I need to deal with that growth with technology, with people, with partnerships. In fact, I need an ecosystem of talent and technology and information insecurity to actually bring that capability inside my organization. If we look at the higher order, it's this digital transformation change, right? I had a three-year program to which I now have to implement three week implements because there's a pretty distinct difference between more and better, a digitally transformed organizations, worried about highly interactive, highly mobile, highly social conversations, where the line is more important than the circle so much. So is I'm not going to have a three-year relationship with a bank, with 30 products.
I can have a one-year relationship with one product. And if that app doesn't work, I'm going to delete it and download a new app. Same with academics. I am not going to create a four year degree with a single institution. I'm going to create 26 different courses with 13 different institutions and build my own. Unfortunately, we live on the left-hand side, right? We, we live in a highly more environment, more projects, more people, more, more products, more features, more functions. We exist in a world of very hierarchal. So how can we deliver the difference between this hierarchal it environment and this interactive digital environment? We think you need to look at data differently to support that right. Infrastructure lasts three to four years. If you let it go further, I'm going to performance and scalability and availability related problems. Same with applications that lasts a little bit longer, but if I force it longer, I'm going to have performance and scalability and availability related problems.
But data is the opposite to that. So if I think of it as an infrastructure lens and application lens in a data lens, if I abstract data out, I actually see that data is valuable to me for its entirety. From the point that I create it to the point that I deleted, if I ever deleted. In fact, data changes are more important than data in its original instance. If I add data to data, they're more valuable to the organization. In fact, the bigger pot I have, the more likelihood I'll find nuggets of gold, the more data that I have, the more precise my algorithms become, the more data that I have, the more likely I'll find those bad guys when they're penetrating my network across a variety of devices. So that means I need a data centric set of it concerns, right? I think you can think of it as the inner circle, being the databases, my structured data, I have to store that and manage it and governance protect it.
I think of data center, not because it's all in the data center, just what's within my, within my control, within my protection. From that, I look at my unstructured data, right? I have to analyze and correlate and blend and search through that and blend it with my structured data. I think cloud they're not because it exists in the cloud, but a lot of that data gets produced externally to my organization. And then finally, I have to moved from the digital, to the physical world where I'm thinking about machines, right? How am I connecting together? How am I having machines connect to other machines? How am I streaming that information, how I'm at my blending, all of that information across. So I need a set of data services to which I deliver to the business, to which I have delivered to customers and support that. But it's hard, right?
I've got a data infrastructure across my entire platform. I bought a bunch of companies and different line of businesses have their own decision-making processes. I have a bunch of dark data that I don't have access to because they're hidden in, in backups or archives. I've bought a bunch of tools and those tools are in, are interconnected. I have a compliance or regulatory or legal, or just contractual concerns I need to deal with, but above, above and beyond, all of that is my, is my people problem, right? I have a skill set issue in that, in my data team. I have a couple dozen when I could actually use a couple hundred, but then they're focused almost entirely at MIS. So if I'm trying to add new skills to this team, if I'm trying to add things like AI and machine learning and blockchain, how am I sparked, how am I supposed to do something new and interesting when I lack the skill sets to support that, how do I upscale and rescale?
How do I create and find partnerships to deliver on that? We think you do that by delivering a data strategy for this transformation. You think of a data lens for everything you do with an it within store for that date. I think about where that data is created at the edge in the data center, in the, in my supply chain, how do I ensure I protect all that data, our secure, all that data? How do I ensure it has the data life cycle? How I steward that data over time. So if I create a transaction in a grocery store, I know that transaction is secure. Even if it's not within my control and it, how do I enrich that data? How do I have a 360 degree view of the product or the store of the transaction or the family? How do I use orchestration and integration content to activate that data?
How do I create a big pot, like a data lake and use algorithms to, to derive insight from it? And then finally, how do I monetize that data? Everything from selling data or selling more products to that customer, to using correlation and causation analysis on, in my security offering to see whether there's fraud or penetration problems. So I have to wrap all that in a sort of a secured foundation to support that, which means we extend the, our, our information security and it security and physical security into things like digital security, where I'm creating new customer experiences that might in fact be a kiosk in a store. And I have to make sure that I don't have anonymous users accessing content. I have to make sure that if I'm extending my access point into the physical world, to which I don't control that, I know that Paul Lewis equals BW, lure equals Darcy Louise's husband, and they're all connected as part of a family.
So we think of this new data fabric where I'm trying to sort of monetize information by having a duplicate environment. I've an MIS environment based on a data warehouse, right. I shift structured data to a warehouse and use that structured data to build thousands of reports. And it has the necessary friction to support that governance and configuration management and security. It's all appropriately embedded, which is why it's the $10 million, 10 year project to deliver on that. But it actually doesn't create the amount of, of quickness to create real-time decision-making right. I have a volume problem, and that only terabytes can go through that and only deals with structured data. When, when most of my growth comes with unstructured data, and I want to be able to make real time decisions, not decisions every six months and a million dollars when I can make change in this world, which means I need a duplicate environment, not just a data warehouse, but a data lake to, to manage the unstructured IOT data, not just ETL, but integration so that I can connect to a thousand points of light.
And I want to be able to use data, refinement, orchestration techniques, like data quality and machine learning and AI to actually derive that insight. Look for those nuggets of gold, and finally visualize that back out to an environment. So why is Hitachi capable of doing this? Well, when we look at the bigger organization, the hundred billion dollar organization with, with a hundred years of OT experience, we actually understand the world to which we live on. If you're a CIO of a hospital, we actually create the modalities to radiology equipment, and we understand the data that's crits get, gets created out of it. If you're a manufacturing company, we have 240 manufacturing plants building millions of products a year. If you're a financial services company, we do capital leasing because you don't buy a train with cash, right? And therefore we do mortgages and investment loans and so on and so forth.
We actually operate the businesses to which we provide technology for. In fact, we actually consume more it than we provide. If we provide about 600 petabytes of storage, as an example, we consume well over an exabyte on just the machines that produce the data for ourselves. And of course you think of a Tachi is rock solid from our cranes to our storage devices, to our security software and services. We're delivering on that enterprise value sometimes for a mid range price tag, in terms of the actual it side of what we do, it tends to be divided in what you can see physically in an, in a data center, everything from a secure edge or a secure data center deployment, or how we're securely and creating value with the activate and monetize portion, and then curating and creating complaint data, support that, and then using our consulting and digital transformation expertise with our industry expertise to actually deliver on a digital transformation piece of value across a variety of, of these industries.
A great example of that is our relationship with Disney, where not only does the larger Hitachi organization build ride systems and ride programs, but we can actually physically connect the digital world with the physical world. So we can do things like manage and monitor uptime on rides and make sure that the wait time for rides are equivalent to the, to the satisfaction of the, of the guest experience. We have, we are the IOT partner with most of these rides in the, in the Western hemisphere to ensure that we have the most and best, greatest customer experience in the Disney parks. So that was my lens.
Thank you, Paul. I also want to thank Christopher as well for the content they shared. It's going to give me an opportunity to sort of drill down and compliment some of those key concepts that they, they presented today. My name is Bryan, Chris, and I'm a sales engineer with the tachy ID. I've been in technology for decades, started out at Compaq as a project manager when compact existed, 2010. I was the vice president to the cloud security company. And then just a few short years ago, I served as the CIO for small to medium business in the greater Houston area. And now I'm spending my time with Hitachi ID and working with that organization in the cybersecurity identity access management space. So they, I want to sort of drill down into this identity fabric. Christopher introduced the concept a little bit, and I want to share with you how we, a Hitachi ID view that in, in light of the bigger picture for your organization.
So as we get started, I want to, I want to take a look at some of the trends and challenges that we're facing as a global culture right now. I won't dive too terribly much into this except to say that I think we all know that rather suddenly COVID hit just about every organization in unexpected ways. We scrambled to figure out how to take a workforce that was largely on-prem and then moved out to the remote workforce environment. And we, we really had a sneaking suspicion that, that these organizations were fairing well with, with those circumstances. And so in, in may, we wrapped up a survey of a hundred CEOs and asked them the question, how are you doing with remote work? And, and it wasn't shocking at all to the tune of about 95% of the respondents said, you know, we're not doing well at all.
And then in June, we followed up with another survey and this came about the time when we, you know, the economy sort of looked like maybe it was getting its legs back, maybe a little bit of plateauing in terms of, of, of the hemorrhaging. And so we said, okay, you've course corrected. You did. So because you were forced to, and now you've got a different set of priorities. So the question we want to know is, are you going to stick to it? Are you going to stick to this alternative long-term strategy, even when things turn around? And so we concluded another survey for that. And again, not surprisingly, what we found was the answer is, is largely we're going to stay the course and 89% and 82% respectively said, we're interested in focusing, continued focus on cyber security and remote enablement. I think there's some really interesting observations you can make from this, from this data.
The one that I want to sort of focus in on today is I believe what I think this demonstrates is that folks were caught off guard. They realized that, and they realized they, they, they now put themselves in a position where they need to aspire to a higher operational maturity as an organization. So that, so that, you know, we get out of this and that the next crisis happens, whether that's, you know, a natural disaster or whatever organizations want to be able to cope with it and cope with it effectively. And so how do you do that? How do you get your organization to that place? Well, really great way to do that is through the identity fabric model, which Christopher talked about a little earlier, it's a framework. And I want to kind of unpack that framework for you today and show you how we, a Hitachi ID view the framework and how we think you can apply it sort of a 50,000 foot overview here of the identity fabric.
On the left-hand side, you have some identities identities that on the right-hand side need access to resources, whether they're cloud or on-prem or whatever. And in the middle, you have the fabric and the fabric is the piece that's governing these identities and their access to these resources on the right hand side. So let's drill down a little bit. Let's start on that left-hand side and talk about these identities. If you think back, maybe just even 10 years ago, most organizations were largely concerned with a single population of identities, typically that was the employees, but maybe, maybe they, they, they managed to, to bring contractors into scope as well, but things have shifted significantly. I would say largely in part due to the smartphone. And, and we'll have time to unpack all of this here, but consumers say we, we sort of wear two hats, right?
We're we have our work life, and then we have our consumer life. And because of the smartphone, we've, we've sort of become accustomed to this idea that I can take these other personas that I have, whether it's through Facebook or Google or whatever, I can bring them into the workforce. And to some extent there'll be value when I do that, right. I can do certain things. I can act, I can function in certain ways and it's just sort of expected. And so if, if I'm doing that, then also means I'm coming through the front door with my smartphone, other kind of a wearable type devices. And there, there is an organization you need to be able to manage them, right? And you'd be able to manage these consumer identities. You need to be able to manage these smart devices. And even if that answer is no, we don't permit that you're still really managing it.
Right. And then the last kind of population of identities here that very similar to the smartphone is self, but it services. These are these non-human accounts. You've got all these things running on your network that are powering applications, will they have a login and they have a password, right? And so all of this sort of needs to be brought under some sort of centralized management to ensure that the right policies are in place to deal with these identities. I also want to take a minute here just to kind of reiterate something that Christopher said earlier, which is the, the identity fabric model is a framework. There's no canonical resource that you can go to. That's going to spell all of this out for you. So now I've identified a handful of identity populations here, but as you go through this exercise for your organization, I would encourage you to think, think beyond what I presented here.
You know, there'll be other things that maybe you consider as well in the middle of that first diagram were, was the fabric. And so the fabric again is comprised of any number of services and these services, what you decide to put inside the fabric will be dictated largely by your organization, your, your processes, your use cases, things that you decide are centrally relevant for your organization, but at Hitachi ID, we've, we've really kind of honed in on a few what I would call essential services. You're not going to turn this on overnight. You're going to plan out your fabric over a period of time. And I'll, I'll kind of leverage the motif here. And I'll say, you'll stitch it together. You'll knit that fabric over a period of time. And so again, this is a, this is a planning endeavor. And so you'll decide what makes the most sense for your organization.
But again, we've got here a few essential services, and I want to walk through three of these and explain to you why we believe they are essential. So in the couple of presentations that proceeded, there was conversation that was brought up about ransomware and, and attacks and things of that nature. So starting on the left-hand side, I'll talk about multifactor adaptive authentication. This really is kind of the guard of the front door. We know that 80% of breaches come from basically acquiring valid credentials. That could be because of a dictionary attack or rainbow attack. It could be like we found out in 2019, we found out that 60% of stolen credentials came from breached email, right? So the point is, is that when, when, when hackers are coming, getting through the defenses, they're doing it with valid credentials are not banging down the door there.
They're using valid credentials and walking through the front door. And so you need something else to, to stop that. And that's where multifactor authentication comes into play. Here's the problem with multi-factor authentication. Google recently revealed that despite having two factor authentication on just about everything they offer only 10% of its users enroll. So there's a real challenge here, getting users to do that because there's a little bit of friction. And so I think as an organization, you can actually do better than Google if you've got the right tool. So you can do a little bit of arm twisting through enrollment campaigns, and then you can lower that barrier, that friction with the adaptive authentication piece, because you can sort of make two and three factor authentication, look like one, or feel like one less factor of authentication. Let me, let me explain that a little bit.
So if you've got an adaptive authentication solution in place that can look at things like your HR system and identity attributes, and you can say, okay, is this person accessing my network during normal business hours? Are they an employee? Are they coming from a trusted? Sub-net like your VPN? Well, if, if browser fingerprinting, for example, is one factor of authentication and then they just enter their password under those normal conditions, men, right? Only when they fall outside of that normal criteria, then maybe you hit them with additional, an additional factor of authentication, making them jump through another hoop. So I believe there's a way here to do really good authentication, but not be so abrasive about it. And we think you need it just because of the nature of what's going on. And in the hacking landscape access governance is another key component of the identity fabric that you put together, access governance.
It really it's in our opinion, central spot check on automation. So I'll talk, talk about that in a minute, but the idea here is that with good access certification, you can provide tools to your stakeholders, to your auditors, to allow them to go in and make sure that that in titlements and privileges that folks are supposed to have are the ones that they're no more, no less like, dude, they've got exactly what they need to do there to do their job. The next piece that we think is super important to ensure that as part of your fabric is privileged access. So privilege access guards, the keys to the kingdom. You know, you heard a little bit about ransomware in one of the previous presentations. Well, it turns out that 80%, 86% of all breaches are financially motivated, right? And the cost of these breaches, ransomware, ransoms themselves are now reaching into seven digit territory, but that's not even really the scary part.
The scary part is that the average downtime to something like a ransomware attack is just over 16 days. I don't know how many zeros behind the dollar sign that looks like for your organization, but I guarantee you it's, it's way more than you that you would ever want to incur. And so, you know, we would encourage you to deploy a good privileged access solution as part of your fabric. The next component that I think is essential is intelligent automation. There's a whole lot, I can say here, but for sake of time, I'm just going to cherry pick a few, I'll start with automated provisioning and deep provision. There's a couple of, couple of facets to this one. It's it's convenient, right? So if you've got good intelligent automation, and it's looking at things like your systems of record, whether that's your HR application, whether that's your directory, whatever, and it's looking and saying, okay, I just hired this guy.
His boss is going to be this person or department or job code or whatever. And then that tool automatically provisions those birthright entitlements on day one. Well, you've done a couple of things. You've, you've alleviated the burden on your it help desk. And you've got a really productive brand new employee day one, but there's sort of another side to this, right? Which is eliminating the human element. You know, a lot of us, unfortunately in many organizations got caught up in this kind of furlough. Some people we've got to lay off some people and it, and as unfortunate as that is when, when you've got a human element involved and they're the ones responsible for, you know, suspending or deactivating these entitlements and they forget to do it. That's the kind of thing that leaves you open to audit failures, risks, breaches, things of that nature.
Other components that intelligent automation should provide a risk scoring, anomaly detection, segregation of duties. And I'll talk a little bit, I'll tie that in here just a minute. When I, when I talk about API APIs, but super important that you have these components in place and, and without, so I'll talk about APIs next because when you're stitching the fabric together, good set of API APIs is essential in a number in a number of ways. First of all, you need these components that you stitch together to be able to talk to each other. So let me give you an example. Let's say you have something like a firewall doing deep packet inspection, and you build that as part of your security fabric. Great firewall. You got, if you got S I E M solution that's deployed, maybe it's some sort of big data log analytics and all of a sudden an anomaly is detected.
Well, if you've got all of these things talking together, let me give you an example, what you can do. And I'll, I'll borrow a military term. You could effectively raise the Def con level of your organization. So for, so if you've got these API set place and you, and that device talks to your adaptive authentication solution says, you know what? We were doing two factors. Now we need to do three until the situations remediate. So it can talk to your adaptive authentication solution. And it can ratchet up the number of factors that, that our user has to go through. And then maybe it talks to the privilege privileged access solution, right? And instead of the things that were normally auto-approved, you know, somebody checks out a set of credentials for a server and because it was routine under normal circumstances, it was just automatically approved.
Well, under this, you know, Def con condition that was triggered by this API. You know, now it's not automatically approved now a stakeholder has to go and approve that thing. And so you can see these, all of these things working together to, to guard and protect your, your network and your entitlements. So that's really the, kind of the, the heart of the fabric and the essential services that we see as necessary on the right hand side of that illustration to think back are the things that your identities need access to. And that can be in the cloud. These can be resources in the cloud, like SAS applications, maybe their access through Federation, maybe not, same thing with, on-prem no doubt you have some on-prem applications, maybe they're access to Federation. Maybe they're not. And, and legacy applications we've talked to to customers and prospects all the time.
This will have, you know, mainframe systems laying around. And so it's really important that the identity fabric after governing these identities, ensuring that they're only supposed to get to the resources that they need, that you make that experience as seamless as possible. In other words, I think about privilege access management, you know, why, why just show the password for that system. They need to access when instead you could launch them into an RDP session or launch them directly into an SSH session. First of all, it's convenient. The second of all, as it was alluded to earlier, a lot of these attacks are coming through social engineering. So in that case, you can't social engineer out of someone, the keys to the kingdom, if they never knew it, right? So it's both a convenience thing and a security thing that you tie these systems output systems to your identity fabric as seamless as possible.
So dive in just a little bit and talk about kind of the mechanics of stitching the fabric together. I think there's a real advantage to using some sort of virtualization strategy, whether that's microservices containers, as you build out your fabric. Again, this is just an example. Remember this, this is a framework. This is something that you and your organization would sit down and you would plan out and you would decide the things that you would, you would want to cobble together. Just a few illustrations that here that maybe mobile device management, maybe that integration with the SAE M system, the sky's really the limit here. But if you can do that through a virtualization strategy, I think it's extremely useful. And it provides a really a good deal of flexibility for you and your organization. So let, let me kind of explain that where that thought comes from.
So it's not really a new, it's not really a new philosophy, sort of an adaptation of an old philosophy to sort of take these pieces and to put together. And I'll, I'll take you way back to two units, right? The philosophy in the Unix world, when, when you're developing a tool is, is do one thing and do one thing well. And so if you're formulating a solution based on, you know, all these little commands and you can redirect and you can pipe, and then you put them all together and you wind up with something that's quite functional, it does a really great, great job. And if you need it to change how that large solution works within you just swap out the pieces and then you redirect them. So that was, you know, that was sort of the unit philosophy around the turn of the millennial that this caught my eye, Steve Yaggie, he's a Google engineer, but he was formerly with Amazon.
He, he talked about this mandate that that basis issued to Amazon. And it sort of took it up a level. He said, Hey, anytime a team writes something new, you've got to externalize it. In other words, you've got to make your thing accessible to all the other teams so that we can leverage and reuse. And we can the fact that we always talking about stitching stuff together, right? And so this idea of using containers, virtualization, microservices, it's really not new. It's an, it's a tried and true philosophy. And we think that if you do the same with your fabric, it will, it will serve you well in terms of flexibility.
So that lastly, that sort of just leaves us talking about high Hitachi ID management suite. I would be remiss in not talking about it. So looked at the whole fabric. And what I'd like to share with you is we can, we can effectively help you jumpstart that, right? We do have a single product. It's a common platform comes with connectors, API, multifactor authentication, and again, being a common platform, all of the other pillars of our solution are built off of it. In other words, when you look back at the fabric that, that I illustrated earlier, all of those things, those essential services can be found within our suite, right? So the multi-factor authentication, the federated access that's that's provided through the password manager, suite identity manager brings that automated provisioning, deep provisioning of, of users to the table, along with that governance, right spot checking that your automation is doing what it's supposed to do. And then of course, privileged access management ensures that those keys of the kingdom are bolted. And not just, not just with the normal accounts, but it can also, it can also do the same with those nonhuman accounts, those services that are, that are running around on your network.
I will tell you here, it's just a word of caution. As you start thinking about this, this concept of stitching together, your, your fab, your fabric, you know, there's been some interesting analysis from, from research firms lately. One of them says that identity and access management budgets are going to be shrinking three to three to 6% in the next 12 months. And I would say that while using open sources tempting, it could prove costly in the long run. So, so with these shrinking budgets, and again, I'm a huge fan of open source. I've been doing the Lennox thing for two decades. There's a, there's a lot of value in open source, but I think there is a temptation to go and say, oh, well, we're just going to use this open source solution and save a lot of money. But, but the variable there is that a lot of these solutions aren't shovel-ready, if I can use that term, in other words, you're going to spend a lot of time doing, integrating them in ways that an off the shelf solution would already would already provide for you.
So that's the path I would encourage you down. I would say, take a look at some of the off, off the shelf solutions, but also keep this in mind. Industry analysts are also saying that in the next two to three years, 10 to 15% of identity and access management vendors are actually going to go out of business. And so I just want to really quickly take this opportunity to remind you who we are. Hitachi ID is part of the Hitachi limited family. That means $3.4 billion in research and development across 300,000 people in our organization. And there's rarely a vertical. We haven't much. So the punchline here is that in terms of providing you these solutions and helping you achieve that operational maturity, we're going to be around with that. I'd like to thank you for your time and turn it back over to Christopher for some question and answer. Thank
You very much, Bryan, for unpacking Hitachi's ID view on the identity fabric, that was really a valuable presentation. Also big, thank you, Paul, for sharing the idea of how to put data in the center of security for all of the attendees, feel free to ask your question. Now we have a few minutes left, just use the go-to maybe not controlled panel. First question is asked for two Paul, and it is how are different industries approaching impact to cybersecurity threats? Paul? Great,
Great question. So depending on the type of organization you are, whether you're a thriver or you're challenged or you're changing is, is sort of an attack factor. So if you are perceived as struggling, you're a challenger, maybe you're a, a theme park or movie theater or, or travel and tourism. You are an attack vector in that people would believe in general that you have a survivability problem, and therefore you're going to be DDUS or ransomware. There's a lots of people working home to support that. So that's sort of the vector there in terms of scale, the cybersecurity problem there is that you're gonna reach a cliff at some point, right? If you're currently running at 10 transactions and you now are making that a thousand transactions, it's quite possible that your software ha we'll find security holes and loopholes. Once it reaches that a hundred, a hundred fifty two hundred fifty transaction limit, and you really have to focus on ensuring both of you have a software based or infrastructure based limitation would do that on the change side, it's much more of a digital security problem where I'm introducing a new customer experience or I'm introducing a new partner to deliver on some of my logistic or supply chain problem.
And the introduction of new creates potentially new security holes to a chive to patch. We, you know, with security and partnerships. So that's different industries, different categories, different possible cybersecurity concerns.
Okay, thank you very much. And then we have a question from Sumit from the audience. Maybe it's more indirection of brine. Why should we choose Hitachi ID management suit versus an individual I am product that are, or individual I am products that are rated best in class for specific things. So suit versus best of breed is the question. I think
Bryan. Yeah, that's a great question. So, so I would, I would challenge the notion that best of breed always makes sense. First of all, I would say the Hitachi ID products are best breed. So I'm just gonna, I'm just gonna say that with a little bit of enthusiasm on that, but one of the advantages that we bring to the table, if you think about deploying these solutions and their desperate solutions, what it means is you've let let's say, you're going to put together three things. You're going to put together privileged access. You're going to put together identity and access management, and you're going to do adaptive authentication. We've got three different solutions. That means you've got three different integrations. So your project roadmap takes a big hit on that. You've got a learning curve. So you've got staff, you've got limited resources, even more so in the current environments, you've got limited resources, but yet you have to train them on all of these tools.
And then the course you've got, you've got to wire them together. And, and as I was illustrating in the identity fabric, I do think that choosing a solution that has a really good API is super important because of that. And so one of the things that we're doing for you right, is because we have a common platform and, and, and our three products are built off of it. If you don't really have to worry about integration with those components because they're already tightly tied together. So I think there's a lot of benefit to, to actually getting started quickly, ensuring interoperability and leveraging that, that ability to, to train your resources on one solution, one pane of glass, if you will, where you get a really high return on that, that training investment.
Thank you. Very good answer. Okay. So I would say we achieved 5:00 PM, at least in Germany, depending where you're located. It's full hour, I would think so. Thank you very much to Paul. Thank you very much to Bryan and thank you very much to the audience. Have a good day and stay healthy. Goodbye.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Erfolgreiche IAM-Projekte: Von Best Practices Lernen

Häufig beginnt die Suche nach einer Identity-Lösung mit einem ganz konkreten Schmerzpunkt im Unternehmen. Ein nicht bestandener Compliance-Audit wegen überhöhter Zugriffsberechtigungen, technische Probleme, wegen komplexer Systeme frustrierte User und eine…

Event Recording

The Role of Managed Security Service Providers (MSSPs) In Your Future IAM Application Landscape

Trying to “do identity” as a conventional IAM or Security workload with in-house resources and vendor platform deployments may not satisfy identity and access today’s requirements for IaaS, PaaS, databases and other cloud infrastructures. There are now a growing number of…

Event Recording

The IAM Fabric and How It Integrates With Your Cybersecurity Program

Architecture, operating model and governance are key viewpoints for every business as a whole and its subdomains as well. Depending of size of the organization, information security may be managed as single domain or divided into multiple subdomains. Viewpoints and domains are still static…

Event Recording

Identity Management and its key role in the Zero Trust strategy

Since any resource access is subjected to a “Zero Trust enabled” step-by-step process, where  policy engines define and enforce the appropriated access level, apart from device, network, identity systems and resources, we need also a “ZT enabled” identity…

Event Recording

Expert Chat: Interview with Neeme Vool

KuppingerCole CISO Christopher Schuetze engages in a fun discussion with Swedbank's Neeme Vool on what the future holds for Identity and Access Management.

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00