Webinar Recording

Identity and Access Management Strategies That Grow With Your Business


For these organizations, an adaptable Active Directory-centered (AD) approach can address the areas of highest impact. By adding cloud-based access request and access certification functionality to the mix, a company can achieve a basic IGA solution for a fraction of the cost, complexity, and deployment time. This approach also provides the opportunity to expand the scope beyond AD and Azure AD by embracing many non-Windows systems (such as Unix/Linux) and SaaS applications (via SCIM connectivity). Learn how to build a strategy for a modular approach to identity that can be custom fit to company needs, size, complexity, and budget.

This webinar will equip you to:

  • Provision your AD and Azure environment – and beyond
  • Approach baseline IAM implementation efficiently
  • Plan a short track for improving security and compliance
  • Set up your identity program for ongoing success
  • Be well-positioned to expand to IGA and PAM when the time is right.

In the first part, KuppingerCole Principal Analyst Martin Kuppinger will give a brief overview of identity in general as well as of IAM, IGA and PAM strategies, and will look at what every business, regardless of size and industry, needs in IAM.

He will be joined by One Identity Field Strategist Dan Conrad, who will explain how to prioritize IGA capabilities for maximum impact and show why you should opt for a modular approach with AD-optimized tools.

Welcome everyone to our KuppingerCole webinar "Identity and Access Management Strategies That Grow With Your Business". This webinar is supported by One Identity. And the speakers today are Dan Conrad, who is One Identity Field Strategist, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole. Before we start, some quick information about some of our upcoming ones. So you'll have a KClive event on identity governance and administration of next generation access. And there will be two larger live events, which are our Customer Technology World, looking at consumer access related issues, and our Cybersecurity Leadership Summit, which we're running October and November, and a couple of webinars and KClive events, so just have a look at our website on all these upcoming events. Regarding housekeeping: you don't need to care about much. So audio is controlled by us and you're muted centrally.
So we are controlling these features, no need to do anything from your end. We will provide the slide deck and the recording after the webinar. So usually the recording and slides will be available by tomorrow, and we will have a Q&A session by the end of the webinar. So you can enter questions at any time. And we might even pick up some questions during the webinar, but usually we do it after the two presentations of the speakers of today. For these presentations, we have three parts in our webinar. In the first part I'll talk about or give a brief overview of identity, identity management in general, as well as some of the key terms such as IGA and PAM strategies. I also look a little bit what group, what does every business, regardless of size and industry, need in identity and access management and where to start then and how to cross-sell touch some of our core sort of introductory concepts and slides, and go a little bit into detail also regarding how can you, where can you start? Where should you start? And how can you grow? In the second part, then, Dan Conrad of One Identity will talk about how to prioritize IGA capabilities for a maximum impact.
So where to start, where will be your biggest benefit, and why should you opt for a modular approach? And why could you start in many scenarios also with AD-optimized tools, looking at this entire picture, so that we're going more into detail and just specifically with respect to where to start and how to grow from there. And how to do it in a way where you don't end up in a dead-end road. Third part, as already said, is then the Q&A. Again, the more questions we have the better it is. So if a question comes to your mind, submit it using the questions area in the GoToWebinar control panel, and this control panel is at the right side of your screen.
So do that, so that we will have a very lovely Q&A by the end of the webinar. With that, let's get started. And when we talk about identity and access management, we are discussing a very broad field of technologies. So when I look at our KuppingerCole identity management reference architecture, you see that there are a lot of different areas within identity and access management. And so to speak, we've made here as us and the one that vertical, where we have the administration pillar, the audit and analytics pillar, the authentication and the authorization pillar. This is, so to speak, the traditional four A's. So you manage identity. You also have to audit and analyze this punctures, these are more sort of the one-time or only rarely recurring. So once a year, every six months, okay. Or if there's a change parts of identity management, then you have authentication and authorization.
And these are sort of the permanent things. You authenticate someone day by day by day, you authorize the access. And so this is me, and then we have the core identity management, so to speak at the Indiana area, and we have extended features, which frequently are seen as part of identity management, and related areas of IT, specifically IT security, not only limited to IT security, but security, we have at the lower level of this graphic. So this is in a nutshell the overview, and the areas with the dark blue background are the ones where we feel these are the most relevant ones these days for setting up your identity management infrastructure. A little more to the left-hand side, we see these two boxes for identity lifecycle and access governance. So this commonly these days is called IGA, for identity governance and administration.
And then on the other side, we see privilege management or privileged access management. Then we see all those things which are authenticating users and granting them access to systems, so the access management, traditional web access management, also standards-based identity federation. Besides that, you always will have some sort of directory such as the Microsoft Active Directory on premises, such as an Azure Active Directory, such as an LDAP server, whatever else you might have, a couple of other capabilities there's nuts, what exactly you will need, because that very much depends on your use cases. So what are your business cases? Are you more just employee centric, or are you looking at consumers and other things? It depends on the type of industry, on the type of regulations you have to face, or the size of your organization with title for the IT infrastructure. So, but luckily the areas of these other new ones to start, and some of these I'll have a little bit of a closer look at right now. So what I'd like to look at first is this IGA. So IGA, as I've said, the term stands for identity governance and administration, or the combination of identity lifecycle management and access governance. And so when we look at this picture,
We have on top the access governance piece, which I'll touch in a minute. And towards the bottom, we have our identity lifecycle and provisioning piece, which is in fact having connectors both inbound, so getting data Gosper data from HR systems, for instance, or from data integration platforms or from other systems. And we have connectors which are outbound, to manage all the systems, to connect all the target systems, such as these types of SaaS applications, such as SAP, such as the on-prem Active Directory and that run, we don't have to provisioning flow. So if there's a new user, create accounts for your user here and there in that system, and we have on top of that always some auditing, reporting, some workflows. So it is the technical basis for every single all the connectors you have. And the breadth of connectors is very important here, when you look at these types of systems, but also you don't need to go over the top. If you have only a very few target systems, then you don't need a range of 200 different connections permanently.
It's important that you're able to automate flows here, that you can trigger also workflows for human interaction. So access requests, access approvals, having some stuff, but also a lot of automation here. That's basically, in a nutshell, what the lifecycle management piece is about. And the other element within IGA, this is the access governance piece, and this is about understanding what's there, all these accesses you have granted. So Martin Kuppinger becomes part of the finance group in Active Directory and so on. If this is correct. So that's Martin Kuppinger's access; if not, ideally it is automatically deprovisioned. Should Martin Kuppinger still be in that group or not? These things are part of the access governance task. This is sort of the second big area, so to speak the more user-centric layer of IGA. So where you provide the review capabilities, the approval capabilities, but also manage the entitlement models and other stuff.
So the main capabilities here are, again, workflows. This is where both areas overlap, and very frequently that integrate the access request and approval, support for reviews, managing entitlement models, maybe even with role mining, if you want to go down this role management path, which would be a totally separate discussion. So how much role management you should really have and what is good for your organization? What is too much role management? Because you easily can go over the top here. So this is the second element of this; both are essential elements. So you need to be able in some way to, and this is where identity management starts and to thrive. And for everyone, to manage your users, to create accounts, to manage the entitlements, to automate these processes, to ensure that you only have the user accounts you require.
So no orphaned accounts, and that these have the entitlements they require. So that's where it starts, managing the identities and the access. Then we have, and that's not the part I'll, I'll skip here. In the interest of time, we have this access part. So you need some sort of authentication, and if you start, that might be that you just primarily rely on what comes with Azure Active Directory, with Microsoft Active Directory, because this might be the way users anyway log in and then have a single sign-on experience to the majority of applications. Then, if you grow bigger, you might need additional technologies. If you consume a lot of cloud services, you might, depending on what you use, need additional services, but frequently you have something coming also in place. So if you have an Azure Active Directory level, a lot of capabilities, this space, for instance, anyway, but the management capabilities, that is what you always need to add, because does this not work? What is there? And do you need it? You need the ability to manage identity. So create accounts, et cetera.
And another element here is identity federation. So it is getting increasingly important because you have all these SaaS services and others and you need to authenticate against them. So you need something which helps you there, which could be built-in capabilities in FRA, which could be separate tools. This is about authenticating against your directory in that case, and then providing access to some of the services, the backend, and whichever way, there's a lot of technology behind. And I don't want to dive too much into detail on the various technologies and deployment approaches you have. That could be that you put in some other capabilities, such as web access management, which translate federation, that can be directly federated applications directly supporting federation, such as SaaS services. So a variety of things here. For federation, it's important that the main protocols such as are supported, and that you have a flexible authentication too, for the identity providers, sort of first level, the first step of authentication is important and do create it. If you start to directory services, you have to use as soon as it's basically what you need here.
And then we have privileged access management, which is another important domain. So for privileged access management, it's about managing the highly privileged access of users, it's for pretty at the nexus for the operator access. And again, it is something you rarely can get rid of. So there are various ways to have a sort of a lighter approach on privileged access management, such as some types of more simple password managers, not the personal ones, but there's something in-between, I would say, the low password managers and the full-blown PAM products, if you want to start, but at some point you need to look at this area, how to protect the highly privileged access, how to ensure that no passwords for shared accounts become culinologist assistant at all. Passwords are always kept secret as long as you work with passwords, but also try to have over time abilities to monitor sessions of privileged users.
So the bigger you are, and the more critical your industry is, the more critical your data is, the more you need that type of technologies. So these solutions commonly come with some shared account password management capabilities, account discovery, session management capabilities, and they provide a single sign-on experience for the administrators to a range of services. So this is the third area. And so, as I've indicated in the reference architecture, I'm looking at some of the key capabilities, there are various technologies which make up the full identity and access management, and you can start with everything, but what you should do, even if you're starting relatively small, you should understand what is my picture? Where should I move over time? So the approach we have developed here as KuppingerCole is what we call the identity fabric, which is about a standardized set of services.
And basically it started with stepping back and saying, okay, what is it, what we need from identity and access management. So while it's really the high level picture for identity and access management, simply speaking, what identity and access management must deliver is presenting everyone a view as it could as devices and things we can extend to listen to the left-hand side, to every service. So the seamless, yet secure access of everyone to every service, this is what identity and access management must provide. There might be different types of identities. There are different ways to integrate services, and that's why we need to services to service for access management. So the one product hush, the IGA services, but other services such as consent handling, privacy services, PAM and others. And so our definition of identity fabric is a set of services which requires these capabilities. And that should be in some way your target, but it doesn't mean that you try to deploy everything at a single point of time.
It's a journey, and you need to understand where to start. And when to drill down a little more than it's about understanding, we drove these capabilities we have with the left-hand side. Again, at the very left-hand, you have these different types of identities; very right-hand, you have the systems; in the middle the identity fabric, which connects all the applications, then to SaaS services and newly developed digital services, which provide access to these. And what you need to start with is to understand what are the main capabilities, what are the essential things to start with, and how can I solve this maybe in a lean manner, which services do I need? You also need to look at a technical architecture. There are a couple of recordings of talks by me and my colleagues around the identity fabric. So I don't go too much into detail in the interest of time, but I think the hour of saying identity management without a ride, and sometimes starting small, but having the ability to grow, from my perspective means you need to understand where you might end, and then you can really prioritize what are first things to do, where to start, and you will be able to grow to new capabilities and new requirements to support them without, as I've said, ending up at a dead-end road here.
So an identity fabric, from the perspective we have, the definition we have, is a unified approach for all types of entities and all types of services. So this is the main concept, which then will be supported by usually several technical building blocks. You might start in one area and add others. They might in some even overlap. It's a paradigm, a concept; it's not the one identity fabric tool. The more it makes use of APIs and microservices technically seems trippy. A very modular, granular approach delivers comprehensive capabilities, but also it should be able to grow because it allows you to add use cases, to add technologies, to grow gradually, and so the recommendation, when we go back to sort of the title of this webinar, so the recommendation is to understand where do you want to end up, and we believe that the identity fabric is a good picture.
You can apply it to the smaller organizations as well as very complex organizations. And then look at the capabilities you need and try to build it in a way where you have a rapid success with the first steps. And then you can grow from there to the next levels of what you want to do in identity and access management. And with this brief overview of identity management and IGA and PAM strategies and what everyone needs, from our perspective, I hand over to Dan, and Dan Conrad will talk about how to prioritize. Where to start and how can you create such or implement such a modular approach, but which doesn't lock you into a technology, which then is not capable to grow with your growing needs, but for Chelsea to grow to a more and more complex or more and more capital S w should use to cook home complex, hear more about capital solution, right? And next as measurement, we start, I'd like to hand over to Dan. So Dan, it's your turn.
Thanks, Martin. I really appreciate the overview of the identity fabric. I was making a few notes here. You know, I was thinking about the foundations of identity and access management. And when you just like the foundation of anything that you're building, if you don't have a solid foundation, if it's not built, you know, exactly level and square, then you're going to have challenges in plugging things into that. I know it's kind of a strange relationship, but it's really how I see things. So today I'm going to talk to you a little bit about extending your identity and access management solution, or being able to use what you already have. I'm gonna come out and say, level set: this is not a, you know, these are the five tenets that fit every organization or anything like that. And really just going to discuss three strategies, the three steps, and they are going to be unique for every organization.
I've worked with many different companies in many different organizations, and there's a lot of variables. You know, some of the big things are the security culture of that organization, the management, the people, the psychology of technology and how that's accepted or not accepted. And even the psychology of securities implementations. If you're looking at ways to make life easier for users or make things more complicated for users or enhance different pieces of the puzzle, we're not really sure how all of that comes together in different organizations. And then of course, verticals and variables: every vertical has a different primary purpose or a different care, a different security outlook on the way things should work. If you compare healthcare to retail or something like that, it's widely different in what they would see. And then I've spent a lot of time working with U.S. federal government customers; their take on how security and how identity governance and IGA affect them is substantially different than really anybody in the commercial space.
And then what we've really seen is, you know, I see a big variable in the ability to prioritize. So how capable are organizations of, you know, jumping into something and then following it through. So a lot of that is affected by budget, and sometimes those budgets move around. So I realize every organization is distinctly different. And I kind of take that into account here when I'm giving some overview topics. So let's talk about the first, the first thing that I would recommend is look at what's on fire. I've worked with organizations that have recently experienced a breach, and for them to step into something like a breach situation and say, I need to implement IGA today. Like, well, you know, let's take a part of that and let's solve the, you know, let's stop the bleeding, let's put out the fire. So is there something very specific that needs to be done?
And are we in a situation where we're being very reactive, we're reacting to the breach and we need to fix this right now, or is it proactive, where I'm kind of trying to mitigate perceived risks in the future. So reach back and fix what's on fire first. We see, you know, a lot of organizations that will take a situation where, you know, basically their environment has experienced this breach. And then they'll try to implement something much too large that will not actually fix the problem that was initially created. We've also found that some organizations have better success with validating quick wins or over big wins. So Martin was talking about a PAM implementation or how privileged access management is a big part of organizations. If you're looking at privileged access management in regards to the overall IAM strategy, that's something that really is on fire.
If you don't have it, and it can give you a quick win, what you really need to do in that situation is take the quick win and implement that completely. And then you have to continuously evaluate those goals. So, you know, it's good to set up a security policy and an identity policy within every company, organization or government entity, but keep that end goal in mind as you're working towards that. Now that end goal can be somewhat flexible, but it needs to be fairly defined, so that you're all continuously working towards that same, same identity security goals. The organization architecture of many companies, organizations is something that we can really consider when we're evaluating goals. How much impact does the security of the organization have in regards to the overall organization? Is there C-level buy-in? Do they have that budget? Do they have the personnel?
Do they have the expertise? Is that something that we can do from an overall level? Or is that something that a lower level entity within the organization needs to take and run with? And then the ability to run with parallel initiatives, it's a big piece. So maybe you can start implementing a PAM solution today at the same time you're looking over at an overall IGA solution, or is it the same project management personnel and teams and everything that are involved with that. So be very careful when trying to run parallel initiatives and overloading your actual workforce. From a, you know, divide and conquer perspective, we've seen this before, where you try to overwhelm yourself or try to absorb the whole thing at one shot. And we want to take what we have, whether it's the technology or the skillsets of the personnel we have, and do as much as we can with that, both from a budget perspective and an achievable goals perspective. Things will be much more achievable if the personnel that you have on hand are capable of implementing what you decide to do or working towards your overall IGA goals.
You know, look at the things that you've done in the past that were great successes and figure out how you can build on those successes over, you know, things that may not have worked out so well. You know, we can call them failures. We see that most of us learn more from failures than we do from successes; hopefully within organizations, as you grow, you can actually build on those successes beyond the failures. I like to divide the PAM initiatives, you know, within our portfolio, we break things up because it's necessary. They don't necessarily have to be directly connected at all times. If you can run a parallel initiative between something like PAM and IGA and, you know, get into some federation to enhance your IGA, start doing that, but start with, like what Martin said, work at the fabric level up, build an IGA solution from the fabric up, and then start adding PAM to that. Realize how important these pieces are and build on those piece by piece.
Instead of trying to just do everything at one shot, if you, you know, for me, whenever I implement something, I have to, you know, when you look at it from an overall perspective, it may seem very overwhelming and very hard to understand, but when you start taking the parts and pieces apart and looking into them and realizing the actual projects, tasks, and, you know, business processes that may need to change to achieve that, it seems very achievable. And then you can take those and run with those. If you start taking those little pieces of the IAM solution apart and building those one at a time, you're going to be much more successful, and that can get beyond an initiative by initiative basis. So if you take something like IGA or PAM, can take PAM in particular, we can take that and we can decide we're going to implement PAM.
And then you can say, where are we going to start with PAM? So then you need to take that apart. Then you need to figure out what the problems and the goals are with that. And the problems, that may be something like business processes, or even a mentality or a psychology of the people that are going to be using it. So we have to figure out how to overcome that. Once we overcome some of those things, then we can really accelerate towards other things. So, one thing that we see a lot of is organizations that, say, 10, 15 years ago went all in with Microsoft and, you know, any new application that we added to the entity environment wouldn't be added unless it was Active Directory centric. And, you know, Microsoft took that and ran with it. And, you know, things extended to Office 365 and, you know, Azure Active Directory, and we're still very dependent on Active Directory for the most part. Does it meet your identity and access management goals, you know, in your organization?
Is it something that you can use to do that? Can you grow it to meet your IGA objectives? These are questions that you can ask, and this may actually be possible depending on a lot of things, you know, the size of your organization. And if you are Active Directory centric, it gives you the opportunity to mitigate a lot of risks. So when you look at those long-term IGA goals, you may be able to get 90% of the way there with Active Directory. And there may be some cats and dogs, nuts and bolts that need to be routed in a little bit differently. But if you can get to 90% of your goal very quickly, because you have an existing solution and because you have the people and the technology in place to already do that, it gives you a lot of runway to reach that end goal much, much more quickly. So, like I said, if you can get to that 90% with what you have, that gives you a lot more runway to focus on that last 10% with something that you've done.
So a lot of the times when we talk about Active Directory, we talk about it as account life cycle management. And we're talking about big IGA plans and things like that. It does account life cycle management. And in an IGA world, I would consider Active Directory a downstream consumer of an identity, because it's an account within a system. And it provides things like authentication. For the most part, we don't really consider it, you know, roles and delegation and all of the things that identity governance goes with, but it's really just a terminology issue in some cases. So you're heavily dependent on Active Directory. You can progress to the continuum across the identity governance spectrum using Active Directory. And then you're going to have to figure out how far that will actually get you. And you may be surprised when you start looking at all the capabilities of a centralized directory, you know, the reason it was invented and, you know, well, I guess we could even look pre-Windows NT days, but you know, the reason that exists is still the reason it works today.
You know, even with its flaws and functionality issues, there's ways that you can make it achieve different goals or achieve different project timelines and get things done that you didn't really think were possible by invoking the right methods and understanding what it's actually capable of. So within One Identity, this is kind of what we specialize in. We can take you from the Active Directory account life cycle management, and then we can take you over to full-on identity governance services, if that's where you need to end up. If your organization accomplishes a hundred percent of your goals simply by using Active Directory today, you may want to stop right there, excuse me, and then move on to full identity governance later, when you start reaching outside of what Active Directory is actually capable of. And then we overlay that. So we have solutions that can extend Active Directory beyond simple directory services.
We can do things like automated group membership, account management, account deprovisioning, full-on what we call CRUD operations, create, update, delete user operations. The roles can be very dynamic within Active Directory when you overlay One Identity Active Roles. So things like attribute-based population can dictate where roles go. And then that can build Active Directory group membership, in the term of identity that is roles. And then we can follow that through to reprovisioning and deprovisioning. So things that help desks were dependent on back, you know, when I ran a help desk years ago, things that we were making decisions on and probably doing wrong a lot of the times, the automation tools within Active Roles can take care of that for you, and then feed you down the path of full IGA with Identity Manager. And then of course we can overlay both of those with something called Starling Connect, and that's, you know, to really reach outside of what Active Directory is capable of doing.
You know, we're looking at things like cloud-based services and different, you know, hundreds and hundreds of things that we need to connect to on a daily basis that you may be thinking you need to invoke a full-on IGA solution to do, when something like Active Roles, simply extending Active Directory to the cloud, can take care of that for you. So real quick, what Active Roles is: it's designed to do things like increase efficiency, improve operations and reduce operational costs. But what it says to me is the automation that goes with Active Roles provides a significantly enhanced security to your organization, when I'm stuck, plugging in automating products and automating decisions that maybe I've sat down with my security team, my C-level executives, and I whiteboarded it on determining who needs to have access to what, how they get it. I need to know when they got it and all of the things and, you know, and they've got the right access at the right time.
Then if they change positions, change roles, change attributes, HR says they do something different. We want to be able to change that role with them and all the access that goes with that. We've seen the organizations where somebody has worked there for the last 30 years since the directory existed. And all of that bloat that goes with working there for years and years really provides a huge vulnerability. So if that person's account were to become compromised, that person has access to many, many things that they don't need access to anymore. So being able to automate that access and automate that removal of access is the big piece for that. Of course, what goes along with that, you can do things like reduce your help desk costs, and you know, all of the pieces that happen automatically make for a very efficient organization. We looked at this during the work from home phase when everybody, all of a sudden got sent home and how do we give access to people?
You know, it's access is different. You know, when everybody went home, it things changed quite a bit, but how did organizations react to that very quickly? And that was a big piece of what Active Roles was capable of doing for people. So you just go in and, you know, whenever you needed to give them VPN access, so they needed access to a different, or maybe they needed a different role in a different application. It was cloud-based, that's what Active Roles was able to do for them. So when we extend that scope, so a lot of the times we're looking at a full IGA solution that will provision to very unique things. That could be, you know, Office 365. That could be any of the cloud-based providers. If you use things like Salesforce, Facebook Workplace, all of these things, all of these cloud-based solutions accept what's something called the SCIM standard.
So Active Roles has the capability to simply provision to that SCIM standard application. You know, if I wanted to create a user in, you know, I've got a user living in my Active Directory, and then all of a sudden they need a Salesforce account because they've absorbed a sales role. That's a simple attribute check in Active Roles that could come from your HR system that would automatically provision them to these cloud-based solutions. And then of course, when that changes, that would reduce or eliminate that access and change that role for them. And this is what Starling Connect is capable of doing. So through the SCIM access, we have that capability to go out to all of these cloud-based applications and do the things that full, very complex identity governance solutions were required to do in the past. And then of course, we extend that to Unix and Linux.
So with, you know, Martin showed in his framework some AD bridging. AD bridging is a big part of identity and access management solutions where we want to have a centralized directory. The same reason Active Directory exists for the Windows world, that same Active Directory exists for the Unix world. So we want it to be able to log on to Unix, Linux, Macs, all of these other platforms with an Active Directory credential, you know, centralized directory to controllable. And then when we can control who can log on, how they can log on and what they can do when they can log on, when you integrate something like that with a PAM solution for your admins, it's really a full life cycle of full utilization capability of your identity governance solution. We'll be able to do that.
So when solutions work together, typical design architecture of any medium-size business. So everyone has Active Directory. Everyone has, you know, a lot of organizations have Azure Active Directory, Office 365. A lot of them have Unix, Linux, Mac, all of this works together in my perfect world. So in this, we have things like Active Directory management from a PAM perspective, using Active Roles. I have a PAM solution in here to manage everything from a privileged user perspective. And then I can overlay that with AD bridging. Simple things in here as well, like user self-service, password management, if you're still using passwords the way you did before. All of that adds to an overall working-together, Active Directory-centric architecture. Even things like, you know, just-in-time provisioning. So I can reduce the vulnerability of my privileged accounts in Active Directory specifically by not assigning group membership to them until I check them out.
And what that would look like is if I needed to have, say, a temporary domain admin account or a domain admin account, I would go to my PAM solution, then, which in this case is Safeguard. And when I check out that account, it actually has no group membership until management, whoever approves the checkout of that account. At that time, that group membership would be populated to the appropriate domain admins, enterprise admins, schema admin level. And then I would be able to go off and use it either through retrieving a password and launching a session, or by just simply invoking a session directly what I needed to manage. So that gives me a lot of flexibility in the Active Directory world. Of course, when I'm done using it, I simply check it back in and it reverses that process. So the account is no longer a target.
And when you expand this out to full IGA, this really gets a little bit more, you know, when your business tends to grow. And when there's things outside of what Active Directory is actually capable of, you know, connecting to with Active Roles. And that can be, you know, all of the same SCIM connectors we talked about before, but as well as you can be putting things in, you know, homegrown applications and, you know, different cloud-based applications all the way down to Unix directories and things like that. That's when we take that next step to IGA. At that point, Active Roles can still live in the picture and take care of everything if you connect to before, but Active Roles can be that downstream consumer and super connector to all of these other things that you were already doing.
So let me kind of summarize real quick, you know, like I said, discover the organization's capabilities, that's this, you know, no one's, everyone's a snowflake. No one's the same. So if you already understand what your capabilities are and you know what you have, you can figure out how you can already use that and what you can do with that. And then, you know, I'm sure we've all heard this: prioritize and focus, prioritize and focus. But from a project management perspective, once you invoke an identity, any identity project, please stay focused and see that through to the end. Keep your priorities the same, unless your business drastically changes. And then of course, divide and conquer, then redivide. So keep breaking things down into smaller achievable goals with teams and different overlays and different, you know, assigning the right skillsets to the right tasks and making sure that you're still striving towards that end goal.
And then I wouldn't really like to say, start with what you know. When we start with places that we know, this is the way, you know, I learn things. I start with what I already know, and I build on that knowledge and I relate back to that. The same is true with any system here. So we're going to be able to get corporate goals and reduce the risk. At the end of the day, my solution, my mindset is to reduce risk. And if I can reduce risks quicker, as opposed to looking way down the road and realizing that in, you know, a 24-month IGA plan, I'm going to reduce risk this. I would prefer to do it much quicker, and that wraps it up for me. I'll turn it back over to Martin.
Thank you very much, Dan, for this presentation, this was a very, a lot huge amount of information and very helpful, I believe by everyone attending this called ONR. So when I look at our agenda, the next step will be to our Q&A session. So let's directly proceed with that. And we already have a couple of questions here. Most of these questions are for you, Dan, so I'll forward them to you then. So I think the first one wants to start here is, so I love a lot of these questions. Three are on connecting various systems. So the first one I'd like to start as we have several things, stalled, use AD for authentication, we need a way to automatically set up users in these products. So this is the way where you can step in. Exactly.
So like, I think I mentioned CRUD operations, so create, update and delete operations. So within many, many different cloud-based applications, instead of, you know, a new person comes on board and maybe Active Roles pulls from the HR database and it builds the user account. At that point, you may think you need to go to, you know, Dropbox or AWS or whatever it is and create that person another user account because they are in the IT department or in the finance department. That's not true. Active Roles can actually make that SCIM connector for you up to many, many applications. If you check out cloud.oneidentity.com, you can see a list of the connectors there. And I think at this point there's about 50 different systems that cover the bulk of our what's mostly likely used in the enterprise today. Okay.
Great answer. And here's already the next question, which is: are Safeguard PAM and One Identity, are these two different products or is sort of the same technology, but just two different licenses?
Completely different products. So at One Identity, we have many different solutions that work together, but in they're all individual products. So if you just wanted to implement a PAM solution today, and maybe you just want to, within PAM, you've got vaulting, you've got sessions and you've got analytics. If you just wanted to implement, maybe just session management, Safeguard can do that without an underlying, you know, massive architecture of an IGA solution. Now, if you had an IGA solution, say you had Identity Manager from One Identity and you wanted to report on PAM user data, they can connect and talk to each other, but neither one is required to operate the other.
Okay, next question. What type of product do we need to automatically create user accounts ideally on, yeah, entitlements for user accounts in Salesforce?
So that would be Active Roles. So Active Roles can provision automatically to Salesforce. So Active Roles will make inbound connections to Active Directory. So you had to pull from an HR database, it'll actually pull from another Active Directory or an old app, or a lot of synchronization capabilities there, but it'll also reach out through SCIM connectors and touch things like Salesforce.
Okay. And another question I think you probably might want to elaborate a little bit more on other than use from One Identity, but the question I have here is do you have an identity? So you should push AD to PingOne directory. And then from what I remembered this more to say about One Identity plus thing for a positive perspective.
Right. So we have a couple of different ways to do that. So, you know, one way is to do it through the SCIM connector that PingOne offers. Another way is to make a synchronization from our identity governance solution, which is Identity Manager, that is a full-on API-driven connector. So, and there's probably two or three other ways to do that because, you know, we're looking at a paintbrush of tools and you can use them any way you want, depending on what direction you want flow and what you want as intermediaries in between some of those directories.
Okay, great. And I think that the last question I have for now, maybe other questions come up, but no, do I, other questions, I was about a connection issue, which is: does Active Roles provide a way to automatically set up users in Slack? And if so, how?
Let me look at the, I believe Slack is on the list of connectors and yes it is. So Slack accepts a SCIM connection. So simply you could do Active Roles. There's a lot of capability. So you could create an Active Directory group called Slack users and then Active Roles would automatically provision users via SCIM into Slack. You could also do something in Active Roles using what we call a virtual attribute, which would be, you could create a, you know, a check block that says users should have Slack account and simply check that block. And Active Roles could base its connection on that Slack account. And then when you would go through and uncheck the block or remove it from the group, whatever it is you do, it would deprovision that user from Slack. Very simple.
Okay. So multiple ways as we've grown you number for integrations based on SCIM, and the ability to at some time switch or extend to One Identity Manager, whatever you require, right.
And Active Roles is really designed to make anything that uses Active Directory better. So if you have a third-party authentication app that's dependent on Active Directory, whether it's group membership or attribute population, Active Roles can automate all of that for you and making those other applications work better.
Okay. Thank you, Dan, for all the information. Thank you to all of the attendees for listening to this KuppingerCole webinar. As I've said, there are a number of webinars in the next couple of weeks and also a lot of KClive and the conferences. Don't miss our online events. Talk to you soon again. Thank you.
