Webinar Recording

Identity & Access Management Predictions 2022


Log in and watch the full video!

Increased remote working, a dramatically increased digital customer interaction landscape, the hyperconnected industry 4.0 enterprise, an increasingly complex multi-cloud multi-hybrid infrastructure - much of what we based our past strategic assumptions on has developed faster and with a different emphasis.

Time now to take a moment and discuss about how to re-align and assess current trends in Identity Proofing, Decentralized Identity and Access with your organization´s business needs. We have put together a list of topics where we see that they have potential to play a pivotal role in your 2022 task list, as they are addressing key business challenges.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Welcome everyone to our Ko call webinar identity and access management predictions. 2022. I'm here today with on one hand, my, my colleague Paul Fisher, who is lead Analyst at Ko call Analyst. We have invited five guest speakers to discuss our five top predictions we have created and put together for 2022. And as a Al who also will be in the call has just written on, on LinkedIn. It's the time of the year where techies tend to talk about what they predict for the next year, where they look so to speak, look into the crystal ball for the, the upcoming year. And that's what we try to do. So with over the next hour, we will look at, as I've said, five predictions before, before we start a quick hint on some upcoming KCE once. So case a call Analyst will do some virtual events and early 20, 22 around priv access management around zero trust and mid May, 2022.
We will run again our European identity conference, which just the sort of speak the identity management conference. It'll be hybrid event. You can try another Berlin, or you can try online, whatever YouTube better for the webinar itself. Not much to say there will be a recording available the slides, which are relatively simple. This time will be available. We are controlling audio and you can ask questions. We will pick done some of the questions, which arrive, but in the interest of time, we will keep this readily limited. But if there are many questions we will follow up in a book post or a different way without further, I do. Let's look at the agenda that we will talk about five protections and probably all of you have seen that list of predictions already when, when Westering part of webinar. So we will talk about passport, less about identity management for a multicloud, multi hybrid, multi identity world about identity proving and fraud reduction, going beyond the financial sector about getting more efficient by building on platforms and about the relationship of identity management and zero trust.
As I said, we have five guests which are hyper, which is on of IC consult group from four truck checks and show Fort sky and lasted least gap from networks. For all of these topics, we will have a, some, some conversations of discussion, and that is how, how we will run this webinar of today. So Paul also all welcome to you and thank you. So, so Paul will be my co-host. He will also engage in discussions. He will also raise questions. And so it'll be us a little bit of back and forth between us. And maybe to start with one point before we go into the first prediction, Paul, we don't see privileged access management here. Does it mean that there will not be a lot of new stuff or is it just that we, it didn't make it into the top five list here?
Well, I can do the list. So that's that maybe the reason why, but I think privilege access management is as exciting as ever. And I think you'll see next year that it's becoming more exciting and it's developing in ways that perhaps we wouldn't have predicted maybe a couple of years ago and the access management, sorry, privilege access management vendors are all bringing out with new and exciting capabilities. We're seeing also the emergence of Pam and C I E M coming together and also identity and access management vendors getting interested in privilege access management, and to put it in a nutshell, I think the whole concept of what a privilege account is, or what privilege access is changing as we move into the multi-cloud multi hybrid world that we're obviously gonna be talking about this afternoon. Yeah. But so very much we
Already will have a privileged access management event after temporary. So that will be a great opportunity then to look at the, the changes we see there. And as of, as you said, we had to, I said we had to limited to five. And so these are five things. We'll talk about it. So the first topic we will discuss is password less education killing the, that will become mainstream in 2022. Our guests now is URA from hyper. And so you should be hearing a second. Yes, here we go. Welcome. And I, I think we all know where this unde term comes from. So I think for no other technology or for no, nothing else, I've heard so much passwords are that, so this are that then, then it was for passwords. So I think since I'm in the identity management space, or at least for the last two decades, passwords were declared that. So Johan, why are we finally killing them?
Hello, Martin, first of all, thank you very much for the opportunity. And also hello to everybody from my side. Why are we killing passwords? Because passwords are disturbing pass. If you ask anybody what you has most on your daily, on your daily way to work, then it's probably no longer the traffic jam because nobody drives to any office. It's the password, or actually the passwords that you have to type in before you're able to access any application and can probably start your work. So passwords are pretty much just a handicap, something in between me and my productivity. And for many years now, we've been kind of, we get used to no longer use password to just use our smart. We look at the smartphone. So many, many things in our daily life is already getting toward getting rid of passwords. I
Could argue that that's true for my, my smartphone. Yes, I used the fingerprint or Savas used the face recognition. I think these days fingerprint sometimes more convenient because Facebook recognition doesn't work well, been varying masks. But, but anyway, the point is when I, when I look at the other part of my daily life, which is whatever eCommerce or stuff like that, I'm, I always have to impression I'm I'm light years behind. Not sure how Paul, how your experience is here, but for every other day, I'm asked for creating a new user account with a username and password. So are we really yet there, or are there, will there be so many end that still in, in 2022?
Well, well, Martin, I think as usual, the consumer applications or what consumers experience ahead of what we experience in the workplace, I've noticed now, when I wanna log onto online banking or my mortgage account or something like that, it's increasingly doesn't need a username and password. What it does is send a two factor of some sort. So I wait for a text message that proves I, who I am, and that to me feels safer and much more satisfying. And I think that's what we're not having in, in the corporate workplace. We're still wedded to passwords and user names.
Yeah. But, but, but what I talked about is also, for instance, if I go to a standard, whatever, I, I go shopping for wine of other stuff that most of these, these sites are still in the username password problem. And I've been there to say that enterprise, we made some both progress last year and maybe the last two years or so, but what gives me the hope Johan, what should give me the hope that it all gets better? And that finally there?
Yeah. I mean, first of all, I second what Paul said, and you're also right with your, with your assumption that it's really a long, long journey. So when we say it's, it will become, how did you say mainstream in 2022, I might even disagree that it's going to become mainstream already. It's going to, to make a big, big jump in 2022, partly due to the fact that consumers are going to force their employers due to the reasons that Paul said that you are more and more getting passwordless access. The other hope. I think that's just the products that are in the market. There haven't been many products in the market couple of years ago, and I think there's a very fine line. Also, you need to pay attention between what's, what's really password less, and what's just the passwordless user experience. And when you talk about banking or insurances, for example, you're both right, Martin, you said your everyday you're asked to create a new account with the user name and password.
I've recently got a, an invi, an insurance asking me to create an account. And they said, yeah, yeah, but it's password free. You can log on without a password. And when I went to their site, I did have to create a password again, afterwards I could activate, again, my mobile as a kind of a get around typing in a password, but that's not what I would call passwordless. That's just a, making a bit more comfy for the users. Passwordless really means eliminate the password, not just height, the password. And this is where solution providers only really came up in the last two, three years. Probably the first one to really come up in a broad way was UBI core. The UBI key that everybody knows that many users, many, at least many, it pros it, security fanatics are using that. And I think more and more people like you and I might be using these kind of tools that don't require any password anymore for login situations more and more.
Yeah. And, and I think that there are two elements we need to look at. The one is what do we use? And the other is what is traveling. And, and to, to my definition, password less, first of all means no passports traveling anymore. So it really means we don't have a username or password being transmitted. We don't have this, whatever 70 million passwords database that can be hacked and end up in the, in the dark, dark, dark retina. It is that we don't have this anymore. And, you know, I always say we never heard about 70 million records of whatever fingerprint data getting hack, because they are not in the central database. They are not traveling, but for what is traveling, I think this is important to understand is a cryptographic information and, and not, not the credential itself.
Absolutely. Right. I mean, I think, go ahead, Paul,
Go ahead. Yin.
No, you,
I was just gonna say in, in Pam, we are seeing moves towards passwordless and certification and just in time, but there is actually still, for some reason, resistance among customers who somehow feel safer with a password and they like having passwords and they like having a vault it's, it's, it's a strange thing. Somehow they don't want to let go of that sort of umbilical cord, which seems to them, my username and a password is more secure.
I, I believe it has been well explained, you know, I have to admit, I, I, at some point that, yeah, but I'm always using the same code under different devices. And they said, yes, then they, to me, yes, because you're entering the same code. And they said, yes, I do it for more convenience. But I, I think the concept that the really important thing of passwordless doesn't happen at the front end. Oh yes. It's important because it makes live more, more convenient. But the really important thing is the things are changing in the back end. It's not this working against the central set of patches of passwords or stuff like that anymore. It is really that there's no passport anymore traveling. And I think when people understand this also security people, and if we educate him right, then this will lead to, to a big update because it also makes easier to understand why is, and that's what I like with dication. Why is password less, a syndication more secure and more convenient? So we are not balancing security and convenience. We are combining security and convenience. That
Is absolutely. That is an absolutely strong argument that is just putting down that, that when, I mean, I've been insecurity for all my life, all my working life, at least. And we're always talking about balancing, the more secure, the less are comfortable for a user, always the same thing. And here we are really, we are not balancing anymore. We're combining that. And the, we can talk a lot about passwords, but I like the term shared secrets as well. If we get rid of the shared secret. So like you said, Martin, there's no central storage, central database storage for passwords for lots of passwords anymore. If we take that away, we are simply shifting the economies of an attack. It can't happen anymore. You will still be able to compromise an account, but you have to go after each and every account individually, by probably stealing these demises or the crypto you speak, he kind of doing as if you were me with my face, with my fingerprint, you can still do that.
Nothing's hackable. We all know that for many, for many years now, but it's so much harder for attackers. It was so much easier for them and comfortable to just take a huge database and gaining millions, thousands, whatever passwords. And I think that's an important point is that when you ask me in the last question, why is the next year or the next year going to be the years for passwordless? It's definitely because of the ever ongoing rise of a tax that are caused by leaked passwords, by stolen passwords, by guest passwords, even. I mean, it's ridiculous that the most prominent password is still 1, 2, 3, 4, 5, 6 it's it's it's can incredible. And yeah, there are password policy in place changed them, but it's yeah, it's a, it's, it's a war in favor to the, and what the likes of hyper and other vendors are trying to do with passwordless authentication is to, to shift these economies of the attack towards, to the favor of the enterprise.
Okay. One, one final path to you Johan what is your, your main advice to the users? So to speak the user sites, when it comes to journey towards passwordless authentication, what do you look at in 2022? What to do in 2022,
It's actually a advice which exists, consists sort of two advices. The first advice is start your passwordless journey, right at the entrance store. If you have a way to do passwordless authentication, not only for a single sign on provider or for anything in the backend to an application, but if you can do that right at the desktop level, your first step into the network, your first step into the work, actually that is key because this is where most attacks start as well on the desktop. So if you're able to get rid of a password there, then it's a very, very strong thing. And the second advice combined with that, don't try to secure passwords with another password in, especially in central Europe, most companies really only introduce multifactor authentication to access cloud applications or VPNs or whatsoever in the last couple of years. And they are mostly password based, shared secret based. So in fact, you're also a pump system. You access a pump system from an administrative access point with maybe a multifactor authentication, but it's normally just another password. So you predict passwords or password that's most important properly. Don't try to protect your passwords just with another password. It's not going to solve the problem.
Okay. Thank you. Thank you. Your thank you for taking the time. And I sum up, we believe, and I got less authentication and at least reducing the number of UN deaths significantly in 2022. Thank you very much. And so let's directly move to our next guest.
Thank you. Have a great
Session topic here. Thank you. So our, our, our second prediction is that there will be a convergence of identity and access management beyond I am silos. I, I think they're the ones who are following Analyst for a while, know that we are talking a lot about identity fabrics as a concept that is looking at identity management for all types of identities and all types of services. And we see new things popping up every now and then, then like, like scene cloud infrastructure, entitlement management, and, and our belief is that we need these conversions. We need to take better integrated approaches to manage the complexity we have in today's reality of multiple clouds, multiple hybrid levels of hybrid it. And multiple identities please welcome, who is the CEO of IC consult group. And so, Andrea welcome. What's what's your take on this?
Yeah. Hello everybody. Thank you, Martin. You Paul. Yeah. I think what we all are aware of is that the hybrid, it is something which, which is there today. And I think this prediction somehow obvious will stay for long for long while. And because I think it's not, not just, just a sequence you can say, okay, first of all, we on premise and we go to, to an infrastructure service, go to manage service, go to a south operating, then we are done, but it's not that sequence, right? So we're seeing that some customers are starting with a new technology, new, new solution as a service understanding. It's maybe to limited then deciding to go and run it. A, and this is something, what will, what long and saw this an infrastructure service everywhere you have digital identities, you have somehow a kind IM built in, built in, into the service provided by the cloud giant or still running, running on, on premise. And this is not another, an interim solution, but stay for for many, many years, we have really to be aware of that, that, that our overall architecture is, is able to fulfill all the demand, all the use cases of this complex complex environment. Doesn't if workforce customers out there.
So I think, I think that, that we might still have, that's something I also like to ask you, you might still have a, a gap between the perception of large system integrator slide. Like I see consult of, of many vendors. So when I look at the talks I have with vendors, which rod identity fabrics, I see a lot of vendors saying we want to, to go into this sort of de this more unified perspective. I also have to say that that many of our call advisory customers are looking at taking a broader and more unified perspective. But so what, what is your perspective of the outer space, so to speak? Is this already a trend we see in 2021 and pacing up in 2022? Or is it, is it still more, more at the beginning of a larger journey? And is it still requiring a lot of education?
I think what is well understood is that, that having a unified view and it's about identities, that is something we all want achieve. Anyhow, what, what, what is still the case? And I'm sure that this will stay quite a while, except that we have that we have very dedicated requirements of systems, which do not perfectly fit into that unified view. They still need to have identity data, hopefully no credentials anymore, but, but also not of the identity data or the privileges, the scopes views, these things, the unified view. And that's also the reason why I think that this is category huh of cloud infrastructure and title management solutions is really something which will get a lot of attention, additional attention next year, talking a little bit at the beginning about, about privilege access management. And what we, what we really see is that the pace the cloud giants are, are providing publishing new kind of services with new kind of, of resources of privileges roles that this nobody can, can really take care of all these developments out there. And if you're not in the situation, you have complete control over your it organization. Everybody has to come and knock to your door. I want to use a new service out there. Huh? Then, then you are likely not aware of all the critical resources entitlements you have out there. It's a cloud giants infrastructure. That's the reason why
Just sorry to interrupt. There's right. At the end of this statement, we say how SIM cm and dream can help reducing complexity. My view is that we can't actually reduce the complexity. It's a bit like saying, you know, we now accept that most companies will, at some point probably be attacked by cyber attackers or they'll suffer some kind of breach. So we should let, I have this theory of, you know, the expand universe of it infrastructure so that it never stops increasing and, and never stops expanding. Therefore, rather than trying to say, we'll reduce the complexity of the infrastructure. We put the identity first and the access first. So it doesn't matter what's behind that and how big it gets and what people do in their individual silos.
And I think two perspectives of complexity, Paul, and I think you're absolutely right. One is the complexity of the world we need to manage. And I think we have no chance to reduce it that more complex and more complex and more complex. Oh, when I was young, we had data centers and then we added whatever. Then we, we did client server and we added the cloud and we added edge computing and, and we will continue doing that. So this complexity probably will not go down. So what we need to do is we need to reduce the complexity. That's what I, what I have behind the statement is we need to reduce the complexity in managing these environments by managing every piece, separate solution, but with a unified approach. So we need to converge into a more unified management to more unified perspectives across everything.
Yeah. I mean, I was talking to a company and they said, we want to keep stuff on premises. We want to keep stuff in our data centers because that's what we like. And we don't want to put everything in the cloud. So we have to accept that we can't make everything cloud native either, even though we talk about it a lot and it, it obviously has many advantages. So that again is the complex data that I was referring to again. Yeah.
And I think you have sufficient use cases for that from your customers, for instance, an automotive
Yeah. And AB absolutely. Absolutely. So, so the multicloud is there will stay there and things that most important thing, what we can, what we can do even should really do on the, on the short term is if you're not able to complex to reduce the complex, at least being aware of what are the resources, the critical resources, accounts, roles we have have out there that the account providers to, to know that at least there the first, the first step and understanding where I have to put our attention, our efforts on, because we likely cannot do everything at the same part time, but, but really understanding what is, what have to be the focus on and identity. First, we all are aware of what, what happens the last, the last week with this lock for shell. I think that's, it's again for, for us kinda showing that that zero trust trust architecture is really imperative for, for, for the way, how to, how to build up an it landscape today.
Okay. Thank you for the statement. And I think at the end, the advice and the prediction is that, so, and maybe it's a hope, maybe it's more a hope than a prediction that, that more, more end organizations will really take a broader perspective on identity management. Because when we add complexity to our environment, we, we must really try to reduce it and not to add new and more and more components manage it, but always think about how can we get a CRI, how we can, we, can we create maybe policy layers and, and other control planes across everything. This is what I believe will become more relevant if we see this tendency in many of the conversations we have. And, and cause I said, maybe it's more a hope in a prediction that this will become more mainstream in 2022.
Yeah. I, I agree because we have seen things like that happening in the past in a little bit different segments. For example, if I think about managing the cloud, the cloud infrastructure, right. How would it be possible today with our tools, like, for example, Terraform, which, which provides us this kind of, of abstraction layer, that we are able to deal with different infrastructure providers in, in the backend, these kind kind of things. And, and, and as this pattern has proven to be successful in this kind, for these kind challenges, I'm, I'm sure that this concept of, of, of identity fabric having as layer in front of the concrete implementations, concrete systems, that something, what we have the digital identity world as well.
Okay. Thank you very much. We don't have more time to dive into deeper into that. Hopefully we have have a lot of events next year, and a lot of opportunities in these events to go to dive deeper. So the call to action at the end to our audiences, try to reduce the complexity of your identity mentioned by more unification, by creating more comprehensive controls entre, thank you very much for taking the time to be here and without we are moving to our third guest, which is E Maller or for truck. Hi, E pleasure to have you here.
Pleasure to be
Here. Yeah. It's a
Great session so far love hearing everybody. Okay.
Yes. Super thank you. The topic I'd like to discuss with you is that we, we expect that identity proving and fraud reduction technologies will become way more equi than they are today. So we know these technologies are out for decades, but mainly used in the finance industry for financial fraud. On the other hand, we, we see that what we observe is the more and more organizations think about how can we improve the identity of partners coming in and, and with work from home, we sometimes not even are able to, to really prove the identity of a human we are onboarding. So what is your take on that?
Well, it, it is absolutely exploding and, you know, online fraud is increasing. So I think there's a lot of retail impact potentially to these, you know, at least adjacent technologies to straight ahead, identity verification, but FinTech is exploding and lend tech is exploding and, you know, thanks to open banking and kind of the open API movement. And, you know, these folks are experiencing fraud at unprecedented rates as well. And so even if you're not subject to this kind of know your customer requirement, it can be, it can look really attractive to do heavier vetting. And there's just so many different ways of doing it. Now, you know, it's all about taking in signals in order to make a business decision, which oftentimes is authorization, but in the world of consumer, I am of all stripes, it, it could be, you know, kind of top line of the business considerations that you're making a decision about as well. So, you know, even defi I shouldn't even say even defi defi is gonna need fraud reduction too. And so again, these technologies and these techniques, which have just over the last couple of years, they've really innovated. And I think that they're gonna be more and more useful to a broader audience
Yeah. With D five being decentralized finance.
Yes. Yes, absolutely. And, and, and interestingly, you know, it's, it's been the case for a long time that every kind of geographic region and jurisdiction is gonna have different constraints on how you do identity verification per se, and constraints on what kind of data is actually available to you because of privacy, considerations and other. And so you really do need kind of a, a multi-headed approach to doing it anyway, if you're, if you're a, you know, if you're a large enterprise who's global or multinational.
Yeah. And, and, and I, I would, that's, I think our prediction, we see this, this tendency to expand beyond even the customer and consumer use cases. So I think there's a logic to do it for customers and consumers, even when there's no KYC related regulations. Yeah. But, but when I look at that forefront of, of every type of attack there's identity, there's at the end identity fraud. So my perspective there's a, there's a really logic both from a process improvement and from a sort of a fraud reduction security perspective. Yes. Because beyond sort of the traditional use cases for identity improving and fraud reduction.
Yeah. I mean, I think there, there may be dragons there as well, if, if it's used kind of outside of the original purpose, just because of, you know, there's some privacy implications, you're becoming the custodian of very important fact, but I think you're really right about leveraging these technologies and techniques for partners. And particularly in, in ecosystems where your, your partners are really, they're smaller players than you. I used to call this B to lowercase B you know, it's, you know, car manufacturers working with dealers, or, you know, financial services working with the agents who actually sell all the product. You know, it looks a lot, it looks a lot like consumer and more and more as you were just saying, you know, in, in this world where everything's remote and people are logging in at 3:00 AM, legitimately, it's kind of messing up some of the signals. And so, you know, fraud reduction everywhere is it's becoming a more complex and subtle challenge. Yeah.
Yeah. And isn't it, it's also, I would dare to take an imperative in the digital age. So when we look at digital business, then this is about very rapidly changing partnerships. It's sometimes about sort of fast changing, but also more complex, deeper supply chains, even while I think everyone got reluctant a little bit about regarding two complex supply chains in the past year or so when they were so much disrupt, but at the end of the day, it it's still about, so also we have these requirements for instance, about supply chain, risk management, cyber security, supply chain, risk management. So all of these aspects from my perspective mean we need to get better. And this is why, why we believe that, that we will see an uptake because the technology's there technology is proven for years. And the benefit is very obvious
Because, you know, it's funny. Yeah. The tech, the base technologies have been around for quite some time. I think there's been a lot of innovation around remote proving, right. And, and, you know, ensuring that the, the supply chain of that particular credential is sound. And so that actually has opened up sort of new avenues for, for ensuring what it is that you're talking about. We work with what, one of the largest shipping logistics companies in the world, and, you know, they have to talk to the entire chain of folks who care about whatever it is that's being shipped. Right. So it's kind of an, a through Z series of communications. And now that, you know, there's been all these delays that people are seeing, it just lengthens the need for communicating, and it lengthens the, the opportunity. It grows the opportunity for fraud in there as well. And, and so it's just an imperative now to ensure that the, a through Z communications along with the actual physical moving of goods is sound
Eve. Can I, there's one thing that as a, as a consumer, put my consumer hat on and I use online banking all the time on my phone. And it occurs to me sometimes that I, a lot of trust in that. And basically I, I get online by adding a simply a, a five digit pin. And it, I, I think what happens if my phone is stolen, it wouldn't be beyond the realms of the person who stole it to work out the pin. And basically then they're into my, my bank account. And I think we, what we were talking about earlier about convenience yes. And the financial industry is certainly cracked the convenience side of online banking. But what do you think about that as a, as a, as a, as a red flag? Or is that just a, my naivety this
Not at all. I mean, I think it's very realistic and I think tying together an initial ascertain of, you know, connection to a real world identity to the entire life cycle management of that credential. I mean, it's, it's what, that, there's actually been some innovation in, in the standards that we use in this area, you know, in the us, there's the N 863 special publication, which is so it's really improved around its conveyance of assurance of not just authentication, but Federation, which is nice. And the identity as a whole, it used to be that this was all front loaded, and now it's possible to do it kind of heuristically even socially and triangulating on somebody's real identity over time. And so that's where it gets really interesting. I mean, things like an SMS, one time password, it is not much respected in the world of multifactor authentication these days for good reason.
But the nice thing is you can tie somebody what they're doing to the device. They have, you're, you're taking in a lot of signals that are silent with respect to the user, and that can be a better user experience. In fact, so, you know, I totally you're with Martin Martin talking about, you know, security versus experience. Well, you don't have that option anymore. It's kind of gotta be both. In fact, you know, I, I think, you know, we were in this world where I, I joke about you, my new VIN of identity has four sets in it and it's in its protection and its personalization and its payment and its people. And so I think some of those silent signals that you could derive are, are actually quite valuable for ensuring a great experience while, you know, personalizing and giving service in, in a protected way.
So, so, so we have everything we need, we just need to use it. And at the end, yes. I think that's the cool thing here. The technologies here, the problem is here. We just need to bring it together. And this is what gives me hope that we will see a huge uptake of that. And, and I think at the call to action clearly is to organizations to think about how do you apply these technologies to broader use cases?
Yeah. Yeah. I mean, my advice there would be, be responsive in your approach. Meaning look at the circumstance, look at the channels, look at, you know, the experience somebody expects and be fine grained in your approach, which is not only friendly to zero trust kind of, you know, approaches, least privilege approaches, but also from the experience perspective so that you're not asking more than it is appropriate for the circumstance.
Okay. Super if for your insights and thank you very much for taking the time today with that, we go to prediction number four, and that prediction then is thank you. We expect an efficiency push in identity, access management. So, and one of the things I observe is, is we see a lot of innovation around workflows and, and low code, no code. And it's always interesting, you know, I'm, I'm watching as an Analyst, I'm watching this industries for so many years. And when, when a couple of vendors start telling me about their great event inventions at the same of time and all are telling me roughly the same, then I think it's a trend. It's a clear trend. I had this around this, and I'm very, very happy to have checks and show with us here who is at clear sky, welcome check,
Thank you, and season greetings to everybody.
So, so what's, what is your perspective on that? If I be a little bit biased, given that that clear sky is building on, on top of service now platform, but yeah, at the end of the day, I think you have a very clear perspective on, on the need for that. And, and also why you believe that this will be a trend.
Well, you know, at the end of the day, it's, it's funny. I didn't think of it this way. When I first, you know, was looking at clear sky a couple years ago, but recently I have been because I just see customers struggling with, like, if I just take it from a, you know, a totally identity perspective, I see customers struggling and vendors struggling with things like, you know, dev ops and Kubernetes and horizontal scaling and vertical scaling, you know, and data center politics. Should we have a data center in Europe? How many data centers should we have in Europe? How many data centers in north America, where would we put our next data center? And one of the things I, I mean, to me, that's like worrying about how your gasoline is blended in your car, right? Does it have this, does it have that?
Does it have the other, this one's got, you know, cleaner in it and this one doesn't have cleaner. I mean, who cares? You shouldn't have to worry about that. So from a, just a general efficiency perspective as a vendor, one of the things I love is basically passing upon all of that efficiency to my customer. You don't have to worry about any of those things, because it's all being handled by the platform below it. That's at my perspective from a vendor. And then from a customer perspective, I, I, I think the key things that, you know, we've been seeing and, and, you know, genuinely, both surprised and happy to see is the fact that more and more customers are realizing that with work from home and zero trust and some of these other capabilities and identity security, to be honest, also, right, as we were saying earlier in the, in the, in, in the speaking lineup, you know, identities at the center of most cyber hacks these days, whether it's cracked passwords or bad passwords or lack of passwords, or what have you, or found passwords.
And a lot of customers are looking at questions like how can I get more productivity outta my staff? And, you know, I kind of look at it as, as a, you know, if, if we worked day in and day out and only let's take two for an example, Microsoft office or the Google suite, if all I had to do was all my work in either of those packages, my daily job would be relatively easy, right? The switching from, you know, word to outlook to Excel is pretty straightforward. It's over the last 10 years where so many new SaaS products have come out. And so many companies are using so many SaaS products. There's a ton of context switching, that's going on with employees, right. I gotta be on Salesforce one minute. I've gotta be on work work the next minute I gotta be on, you know, something else the next minute.
And there is a drive to make people more efficient in their daily job. And one of those things, not just, you know, things like passwords, but one of those things is less context switching. So, you know, we're particularly excited to see customers gravitating towards business platforms that allow that. And, you know, I'm always very specific in saying while I have a lot of respect for what, you know, Microsoft Azure is, or, or, or Amazon AWS, those aren't business platforms, they're compute platforms. So, you know, my general view is over the next five years, seeing more of these business platforms, AKA things like ServiceNow and Atlas and JIRA potentially, excuse me, Salesforce. And even something like a Workday become more of a business platform that people can start centralizing more of their employees around to increase productivity. Of course, that also means the platforms have to add those capabilities in. And I, I think at this point, ServiceNow is the, is the most advanced, but you can see where people are trying to do this with, with, with platforms. I mean, even Okta, you just have to look at quotes from Todd McKinnon and, and, and you, you would follow exactly what he's trying to do is to build a business platform on Okta. So I think it's gonna be a big push over that to you. Yes. Jackson,
Can I, where I agree with a lot of what you said, but where would that leave? For example, office 365, if people are looking for a business platform that, for example, like you say, ServiceNow is developing a whole time, right. Do you think people will start switching away from 365? No.
No. I mean, look, I'll, I'll, I'll, I'll say one thing from a historical perspective, you know, if you go back many, many, many years ago, when I first started in this business, I think it might have been Kim Cameron who came up with this was yada yet another directory and I'll leave what the, a stands for. And there was a big push, you know, in the, in the nineties and into the early two thousands to eliminate directories. And I think the biggest thing that we kept saying to people was, look, if you've got 14 directories internally and you get to seven, that's a huge win. If you've got seven and you get to three, that's a huge win getting to one, probably not gonna happen. So I feel kind of the same way Paul, to answer your question, you know, with respect to, you know, workplace, you know, business packages that, you know, we've got way too many interfaces, way, too many help systems way too many phone calls to make when we have problems during the day and getting from 15 of these or 85 of them, that there, that there are today, perhaps in the company down to, you know, 25 or whatever is, is gonna be hugely beneficial.
And then I think, you know, on the prediction side, one last point, I mean, who says that Microsoft doesn't acquire a service now, you know, in the future or, you know, something along that line. I mean, it's within the realm of possibility.
Yeah. And, and I think going back to our prediction, I think what you talked about is the platform aspect. And that is part of where I see a potential for efficiency. I see a lot of interesting announcements from various windows around new types of workflow capabilities. And interesting point is that these workflow capabilities commonly are not sort of. So when I go back and, and projection, we have been in this space alone and workflows were always tailor made for certain I and identity management, exactly use cases. And that is really from, from what I see fundamentally changing these workflows are low-code local and they are built to integrate this, everything. Yeah. They are going well beyond this idea of, I have this in my provisioning tool. I have this life cycle. Yeah. They, they think about a broader perspective about way more use case. And I think this is what we are seeing to evolve where we have the first first sort of approaches out and where, where, when I talk with vendors, I see the next arriving very soon.
And it also helps us then in automation and doing things better and we have for integration, we have better standards. So, so you and me, we are following PMML from the very beginning. It took a little, but some whatever, 15 years later or so with skim in its current release, we are there where we have a standard that helps us in integration and, and helps us also in automation of a lot of things. And this is why I personally believe that we are, we have a huge opportunity for being more efficient in energy management, which we should leverage in 2022.
Well, one, one thing I'll just throw, throw on there, cuz you, you did mention workflow and, and I'd forgot to mention it, but I think it's hugely important. I mean, it really is amazing to me. And I've, you know, again, been doing this for so long, you know, in zoom at days we had to teach people Zs script, you know, and then at Microsoft days we had to teach 'em something else and, you know, just on and on and on. And this is really amazing to see somebody who knows service now to sit down in front of, you know, the, the service now developer workflow interface and all of the functions available for an identity governance product around setting up work, setting up connections and requests and all this kind of jazz is all right there in the same interface. So you don't need to, you know, once you've done your PhD in vendor a you don't need to go out and do a PhD in vendor B. Right? Yeah. And I think that's one of the huge efficiencies that I want to see end up in IGA, as opposed to what you're you just mentioned at the start, which was all the IGA vendors going out and buying their own workflow package. Right. Or their own user access request package. Yeah.
But, but, but I, but I think, you know, when these things are no good local and they are easy, they're good in consuming all the APIs of the other things that we are making huge broker. Unfortunately we are already running out of time. Track is always a great letter talking with you
Efficient in my discussion.
Oh, you, you very efficient. And so thank you very much. And with that, we, we go to our prediction number five, which is the final one and definitely not the, the least important one. It's a super important one. We will see zero trust moving our head and, and for cybersecurity identity management there, trust from my perspective is important thinking, but we also need to learn better to understand what are the things that are the clue and how do all these things work to together and at least welcome their app is C and Palo Alto networks, if I'm correct. Mr. Title. Welcome. I'm.
Thanks Martin. Thanks Paul. Thanks for having me on the show.
So, so what is your, your perspective I'm so you come from a, from a historically seen a network security vendor more from the traditional blade. What is your percept of the role of identity in zero trust?
Yeah. Well look, I think that's a really good question. And, you know, coming from a network background as a Palo Alto networks, think, you know, we've, we've sort of tried to disrupt the, the security component of network in the way that we wanted to make security as easily consumable as possible for the user, because I think we've talked a lot about, you know, complexity efficiency, you know, on, on this predictions as well. And I truly feel complexity is not an enemy of security, right? That design is, and in most organizations I'm coming from a financial services industry where I've spent around 10 years, you know, working this area, an industry, which was always an early adopter for new security solutions, you know, for new security controls. And, you know, in the end, you're ending up in a, in a very huge product zoo where you've got potentially best control, specifically tailored to a specific strap, but you lost very often in, in the management aspect of that.
And there's a very nice law from a, you know, programming point of view. I can refer to it, it's called the Tesla store, right. Which sort of assumes that there's always a portion of complexity in every application. You can't really, you know, eradicate away right. Or take away. So either solve this by holding, putting this complexity solutions into the product or by really, you know, pushing this complexity to the user. So I think to answer your question, we have to understand how we making the, the way easier for the users out there. And obviously in a very fragmented world where the parameters are not existing anymore, we're trying to connect every device was, was, you know, every user and every device out there. We have the challenge that it's really hard to keep security up to date and to keep security consistent. And the only way to do this properly is, and this was mentioned as well in a couple of predictions here on the, on the webinar.
It's really, really to have an identity focus security, which is evolving everywhere. We, we see more and more complexity. I mean, DFI is a great example of that. The entire blockchain industry, if you, if you don't have an identity based concept there you're going to lose, right. So identity is going to play a very foundational role. It's plays really foundational role in the networking space. It is becoming more and more important. The cloud space, if you take that think potentially the worst vulnerability we've seen in the public cloud space, identity based vulnerability, because the rest is completely, you know, an abstraction there, right? You don't need the, like a fully fledged firewall in the public cloud environment anymore where microservice, you know, is defined on the way to communicate with specific server as APIs or other microservices. Right. So
I think was important to, to see that, that we're not only talking about the identity of humans, we're talking about service, having an identity. We are talking about things about devices, about everything, having an identity. And, and I think then, then it's at the end of the day, always that something, someone with an identity, doing something which we need to control. And so I think this is, this is important to, to, to, from my perspective, to understand when we are talking about identities, ID does not equal human.
Absolutely. I mean, you know, apparently, you know, we are living in a, in a technology world and, and you know, for us as humans, trust to everybody is very important, but like within the technology world, trust is a, is a vulnerability, right? And most of the trust is being implemented as trust between machines talking to machines, right? Applications, talking to applications, processes, talking to processes. I think the challenge where we're getting by the zero trust strategy or vision, right, which was sort of very strong vision management was developed based in, you know, as project Jerry and John writing down this white paper, which is by the way, 10 years old now, you know, being seen as a marketing G I think slowly being recognized as though by the leaders as the strategic aspect to position security, simply because it's very easy to digest, right. And what's telling us is simply to ensure that you have always security in place between all the different technological components, technological entities, but also users you have, you know, in your technology world, interacting between each other.
So can I, some people listen to, you might get slightly confused cuz you mentioned how zero trust was, you know, the theory from last 10 years or so. And, and we're often told that zero trust is a theory. It's a way of design is a way of thinking. It's not about actual hardware or products, and yet you do talk about a zero trust network access. You do talk about a platform. So maybe you could just enlarge on that a little bit.
Yeah, absolutely. I mean zero trust. So zero trust is not a product you can buy, deploy, and then you got secured, right? Zero trust is a, is a methodology. It's a strategy how you basically secured. And I think through the like last 10 years, we've seen zero trust being implemented in various applications, starting more or less in, you know, in the networking space because that's where we had the most systematic risks living in. Right. Think about like large corporations, really building like the most powerful defenses, but then having the entire network being completely flat where, you know, even like $1 devices are connected with, with 100 million, you know, servers who run the most important applications. So I think zero trust started more or less in the networking space and the slow as well, evolving into the different areas. Like you see Google strategizing, zero trust and you know, building products like Chromebook and so on Microsoft now, zero trust based concepts.
So I think a couple of foundation talking about zero trust now, like always, you know, when talking to our customers as well, you know, about zero trust, trying to show them like a pyramid of zero trust where the two foundational building blocks for most traditional companies are always identity and connectivity because that's where you've got the biggest, you know, the biggest systematic risk you've got potentially like ware endpoint applications, you knows C I C D pipeline. So on where you need to ingest more zero trust. But for traditional companies, that's building blocks where you have to start now to answer, answer your question, I guess zero trust or the biggest challenge in cybersecurity is really the, the, the problem that, you know, we have not really built security, you know, as a design principle in our products, right. Everybody's talking about that. Everybody's aware about that.
And you know, what I've learned from my Kay is that you have to plan for future security ation because the, the amount of complexity you have to manage, if you're not build this in is going to be very instilled. So insane. Right? So take, take for instance, us as a, as a, as a largest security vendor on the planet by revenue, we have even not 5% of the market share out there, right? So if you, if you take any company out there, you know, they're running potentially one HR system, you know, one, I don't know Salesforce system for controlling their sales, but they're running like 15, 20 security products. And I think this is going to change as we're becoming more complex. And as companies understand, they can't really manage those complexity without simplifying and consolidating the security stack.
And, and that's, that's what we, me, Paul that's, that's what we, we expect to, because I, I expect this conversion really to, to, to go forward, to, to increase and to 2022, because we, we, we need to do it. We need to have certain types of control plans, certain types of integrating layers, like the HDR stuff. We are, we are talking a lot about like clearly also, so for automating stuff and so on, and this is, as I've said at the end, this is really what we expect to see that different initiatives are the different sort of approaches on, on angles on zero trust will convert to a better integrated prospective growth from conceptual and from a technical level. Secondly, we, we are already approaching the end of the time we have for today. Maybe one last final recommendation you want to give to our audience.
Well, yeah, I think, you know, I would encourage you to think just about, about your business architecture, about the system you're trying to secure. I think if you have always that view or not just a point product point process, you know, point thread you'll always have a much more effective security in them instead of, you know, just trying really to, to hit this one specific problem.
Super, very good advice. Thank you very much, Sarah, for taking the time and with that it's time for us to thank everyone, listening into this webinar. Thank you very much to our five guests of today. And we all wish you happy holidays, stay safe and see you again in some of the call events in 2022. Thank you. Thanks everyone.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Erfolgreiche IAM-Projekte: Von Best Practices Lernen

Häufig beginnt die Suche nach einer Identity-Lösung mit einem ganz konkreten Schmerzpunkt im Unternehmen. Ein nicht bestandener Compliance-Audit wegen überhöhter Zugriffsberechtigungen, technische Probleme, wegen komplexer Systeme frustrierte User und eine…

Event Recording

The Role of Managed Security Service Providers (MSSPs) In Your Future IAM Application Landscape

Trying to “do identity” as a conventional IAM or Security workload with in-house resources and vendor platform deployments may not satisfy identity and access today’s requirements for IaaS, PaaS, databases and other cloud infrastructures. There are now a growing number of…

Event Recording

The IAM Fabric and How It Integrates With Your Cybersecurity Program

Architecture, operating model and governance are key viewpoints for every business as a whole and its subdomains as well. Depending of size of the organization, information security may be managed as single domain or divided into multiple subdomains. Viewpoints and domains are still static…

Event Recording

Identity Management and its key role in the Zero Trust strategy

Since any resource access is subjected to a “Zero Trust enabled” step-by-step process, where  policy engines define and enforce the appropriated access level, apart from device, network, identity systems and resources, we need also a “ZT enabled” identity…

Event Recording

Expert Chat: Interview with Neeme Vool

KuppingerCole CISO Christopher Schuetze engages in a fun discussion with Swedbank's Neeme Vool on what the future holds for Identity and Access Management.

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00