IAM Across Hybrid On-Premises and Cloud Resources

Thank you everybody. So I will admit that when you come as a speaker to a conference, there's three fears that you have. One, you can't find a hotel close by. Two, that you have a presentation that doesn't fall in line with everybody else. And three, you end up right before lunch. So I don't have any of those concerns, so that's good when I look at all of you. So how many of you are hybrid identity right now? Anybody? Oh wow. Okay. So I will tell you from a Canadian marketplace, the, the market is a little bit different. Everybody asked the same questions and I'm glad, I'm glad Martin's lead up was upfront with the eight categories to consider because everybody thinks, is this possible, can I move my, my infrastructure from on-prem to on cloud? Is there a benefit to me? And we heard from the the BMW N I C team, absolutely there is a benefit.
What do I get out of it? And again, something, when you look through the categories that Martin laid out for us, regardless of maturity level, there is some kind of benefit. The, is it safe? You heard about real time scenarios. There were outages, there are security risks, there's compliance risks for sure, tough part. How do you decide what's going to go where are there best practices? Again, when I look through the agenda, I am glad that the IC guys in BMW went ahead of me because they were able to lay out some of their best practices that were, that were successful. So, okay, here's some things to think about. I, I left my slides to last minute, but they're available for download cuz I did use a three point font, one of them with a description. But walking around, I asked for people to, to give me words that came to mind when they thought about identity management and and services.
And you know what's funny? So if you've ever used one of these word type tools, they will put the word that get comes up most often as the largest suspend suspending tokens. Suspending access, suspending user accounts was the most common. So everyone said, well Denny, why are you talking about are you able to move to the cloud? And and I had to ask, you know, well, well what do you want to do and where do you want to put this content? So the question that BMW had is we were concerned about a certain type of audience. So for yourselves, when you're thinking about this, this migration, think about is it for your employees or is it for consumer or both. Martin's example was you don't, you may have two different infrastructures and they could both be hybrid. At our institution, we have, I dunno if what you know about the Royal Bank of Canada, but we are Canada's largest bank.
But we also have acquisitions in other areas. We have brew and dolphin in the uk. We have City National in the us we have a division of Hssbc. Every one of their platforms is both consumer and workforce based. And we have different technologies. If you look at any of our institutions across Canada, we, we, we all do similar type things that way. When you think hybrid, think about your use case. Are you thinking user functions or administrative functions? So user functions, you know, the, the self-service, I forgot my password register consumers, is it administrative managing accounts, integrating with other tools. You heard about the API models. Where is your organization's expertise? So you think about legacy industries, again, European market a little bit different than North America. We still are heavily mainframe based in North America, I won't lie. Insurance, government, banks, we all have those huge refrigerators sitting in the basement that, you know, people are still writing code to applications or services.
Are they gonna sit on prime or cloud crm, E R P applications. Honestly, the largest, best players in my opinion are cloud-based. There are on-prem tools, no doubt about it. Now this is a tough one. This last one, real-time or batch, think about the technologies you use and how do you use them. Do your users interact with them and need real-time responses? Some those usually need to be closest to you. Batch processes, they can run overnight. Think of financial institutions transferring money, moving accounts, mergers. They're more batch if they happen after hours, they can be done in some offsite type scenario.
Okay? So then you think, okay, what can I gain from this? What, what are, what are my key things? What are my wins? So I, I broke down a few of them. I'll give you a few different examples. The BMW one was great cuz I'll pick on theirs. Cross platform, single sign on applications. Three different geographic regions, different applications, 3,400 locations. I mean there was a prime example of why they needed single sign on across them. The consistency I like at the bottom is something else to think about. So common integrations depending on size of, of organization. I know as a bank we onboard applications all the time. And if, if you saw my title, I'm part of the innovation and technology team. So we're always bringing in new things. We're always trying things for our workforce to get them on board. Consumers like the shiny new toy. So the easiest way that you can bring it on board, I mean those are things that you'll see from, from the cloud models and the hybrid models.
I, is it the right choice? And, and again, I'm, I'm glad the guys went up ahead of me because it, look at your organization. If you are, and I don't want to use the word legacy industry, but you think energy sector, you think manufacturing, you think banking may be government without citizen services. Those ones are not as commonly moved to the cloud. Now don't get me wrong, Martin had the capability chart up front. For those of you that were here, there are capabilities, documents, online, user services, those are best served in the cloud. Bigger audience, bigger access. In our second scenario and why we look at it, our hybrid scenario is we needed that larger demographic. We needed a bigger space. We needed users to connect from off-prem, on-prem. Lots of mobile users thanks to Covid, our 95,000 users, most of them work from home for quite a long period of time.
And it's funny, I noticed earlier here, I think everyone in this room uses their smartphone. Smartphone for more than just basic access. I'm updating documents, I'm reading things, I'm updating our internal development sites. For me, Hy Hybrid was a way to go. The definitions at the bottom, you can take a look at it. We do work quite a bit with NIST and they gave us a description that when they saw I was presenting, I want you to talk about what our description is of hybrid. So it's their mixed computing and storage and services. It's an interesting description. This, I won't go through all of it, but I'll give you an idea. So when we look at concerns, you heard a few of them from, from our previous team. Most of our unauthorized access reports that happened in the past little while were because of things that happened during the migration.
And, and don't get me wrong, you, you think, you know, you've all heard or if you've been in the cybersecurity field, when you enable a server, what do you do? You disable guest accounts, you disable the default admin passwords. Every one of you I'm sure has a, an internet router at home or, or switch. Have you disabled your default admin accounts, passwords? Oh, I've got some nos in the audience that's cracking me up. So the things that you have to do, and when we look at the bottom, bottom left, the hybrid services, if you've got services that you don't use, turn them off.
And, and, and there's no fault of yours. You'll hear a lot of people talking about IGA at the conference. Nick was up from OpenText this morning and he talked about the identity governance. There's accounts that I'm sure you've heard stories that people have had from day one to the day they've left the organization. It, it happens, we get it, it's never gonna go away. Things to think about access has also changed. So hybrid enterprises, before we all came in in the morning, we badged in, we sat at a desktop, we logged into the computer, we did our daily jobs. Now we're logging in remotely. We're logging in from coffee shops, we're logging in from airports. Context is very important. How many of you are from regulated industries? Energy, aerospace. Oh, okay. Quite a number. So I'm sure you have regulations around can you access data from outside of your region? Can you download it locally? Can you put it on a USB key? Think of those things. So we, if you're going to hybrid, you need contextual policies around access. So there's some, some quick things to think about.
Best practices and I like, you're gonna hear a consistent theme throughout the conference around best practices. I'm not gonna use the term identity is the new perimeter cuz you've heard it for the last decade. But there's a new security perimeter. How you gain access to things. Are you coming in from the cloud? Are you coming in from another application? Are you coming in from mobile apps? Victoria's discussion this morning around and the silver fort discussion around strong authentication. Something that we strong, strongly recommend for all platforms. Legacy on-prem and cloud. There's lots of different ways to do stronger authentication. And I'm not talking about changing your password from eight characters to 32 characters. There there's, there's, there's better ways. There's tokens, there's certificates, there's keys, there are tools and technologies. They are not the silver bullet. And, and no offense to the vendor. I came from the vendor space. I spent 25 years in the vendor space. Everybody has a tool that will make your lives easier, make it better, make it faster, yes. But you still have to do the work and implement it and do the research. And like Martin said, there's a maturity model. So follow through and and and assure that you've done all those things.
The next one is, is contentious. A centralized identity and access management system doesn't mean only one. So you could have a system for consumers, a system for vendors, you may have another one for a workforce. The benefit of a centralized one is, and and, and it doesn't need to be all the capabilities you could have centralized policy management, centralized key management. So I guess I probably should have changed the wording from identity and access management system to capabilities or components. A way that you can have top-down management. I'm gonna keep picking on Martin slides cuz he, he, he hit on everything I wanted to talk about. So if you have that model where you can define this infrastructure upfront, it's gonna save yourself some management. You don't have to worry about is it a different policy for in the cloud, a different policy for my users working from home lease privilege.
So are you all tired of the word zero Trust yet is zero Trust has been in in, and I have a session on zero trust on Thursday as well. It's something that's been around since what, you know, I think late eighties is when I saw digital made a guide on zero trust for hardware access in the nineties when Google came out with their concept that this is how you access services in the cloud or well on the web in the nineties least privilege, personal recommendation. I, I can't say that all enterprises follow it or all industries follow it. If you have a principle that you can give access to people, the tools, what they need to do their job, I would start there. Every, there's always special cases in hybrid models. You're gonna see some bigger challenges. Challenges now on prem, we all use applications every single day. Every one of you in the cloud, you may use services. There's some technology vendors here and one of them I worked for in the past, they had a great model of segregating things and you hear the terms microservices, there's a few vendors here. If you can segregate and provide the privileged access to what you need to do or a service or a function, it's gonna make your lot, your jobs and moves to hybrid lot easier.
Real world example, a number of you probably use tools like the sales forces and SAPs. You all log into a tool and there's a million tabs and things across the top that you can click on for, for access. I have no problem with that display, but do you need to see them all? I mean, how many of them do you actually use A well configured environment, we'll hide tabs, we'll gray them out. We'll not even show you that they're there is the best way to do it. So users like me, don't be curious and click on them.
Monitoring hybrid environments are, are considerably different. So now not only do you have to monitor the system and how it's working, you have to consider how they're getting into it. It's uptime. As a bank, we do a lot of integrations with solutions that are third and fourth party because they provide services for us. So are they providing you reports? Do you have any insights into their content? So some quick things to know, how do you manage these identities? You heard a little bit about a single authentication mechanism. BMW story was great and BMW was a former account of mine at my last, my last job. And when we started working with single sign on a way to provide user access is, is key to most organizations. Number five is my, my chief shot. Again, again against using out-of-the-box policies. And if you're gonna do it, go all the way. Don't start with putting an application in the cloud. Maybe not onboarding other ones. Do the prioritization. Figure out what's most important to your organization and go from there. These statements. So when you download the presentation, go through the things on the left hand side, what are your business needs, what are your compliance requirements? Are there integration concerns that you may have? You heard about legacy applications this morning? I'm sure there's organizations here that have that homegrown code that's written on a server sitting under someone's desk that nobody wants to touch cuz that guy's left the organization 10 years ago. Those are a little tougher to move. So those, we get it, it's not gonna happen.
These are some quick ideas for you as you're deciding where to go next. So start to go through the situations of does my organization have third party providers that I have to work with? Do I have to work about worry about legal issues, understanding a SaaS model? Where are my services sitting? How do I integrate with different identities? Are there auditing concerns around my identities As a, as a financial institution, we have different lines of business and our lines of business. It's not that they don't talk to each other by regulatory reasoning, they're not allowed to talk to each other. So my information with my car insurance can't be shared with my consumer banking profile, which is a pet peeve, but I, I get it, it's not nothing we can do. Evaluate your applications and where they're going to sit. Will they work better in the cloud? Are they best served for the user in the cloud? And then some of your user requirements, where are they accessing the, the content from? Like I said, I'm, I used to spend upwards of 200 days a year on the road. I not work for a bank. And that's not as common anymore. But think about how they're accessing it. Think of the tools that they're accessing it from.
Now your requirements, this is another tough one for you. Think about some of your access control requirements, plan ahead. How will people be doing things in the future as part of the innovation team? I have a strong development team that works on augmented reality and virtual reality people. Now, it's great that we get to be here in person. We get to talk and interact. I have training sessions now where users are putting on VR headsets and they're walking into virtual conferences. So now I have to worry about their technology and how they're accessing things, how they're accessing their digital wallet. So it's time to do some little bit of planning in, in advance in the synchronization. We had teams before a team that just did identity, a team that did keys, a team that did security, that might be a shared responsibility. So I'm gonna leave a lot of these thoughts with you. Like I said, there's, there's a lot of content to think about when going from on-prem to cloud. And I'm gonna open up for questions. It might be easier than me going through some of this stuff. Thank you.
Okay, thank you Danny. Do we have any questions from the audience here? So since we don't have any questions online, thank you Danny. Thank you for your presentation and see you around.