Webinar Recording

Identity and Access Management: Where to Start?

KuppingerCole Webinar recording

Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar "Identity and Access Management: Where to Start? Provisioning, access governance, or both, or somewhere else? And what about cloud identity and access management?" My name is Martin Kuppinger, I'm founder and principal analyst at KuppingerCole. Before we start, some general information. KuppingerCole is an analyst company; we're providing enterprise IT research, advisory services, decision support and networking for IT professionals. Through our research services, we provide various types of research: our Leadership Compass documents, comparing market segments; advisory notes, looking at different topics; vendor reports, executive views, etcetera. Through our advisory services, where we provide advisory to end user organizations and vendors. And through our events; our main event, aside from all of the webinars we are doing, etcetera, is the European Identity and Cloud Conference. This conference will be held next time May 13th to 16th, two weeks from now.
It's, I would say, a must-attend event, so you shouldn't miss the EIC 2014 in Munich, with roundabout 100 speakers and a large number of sessions around thought leadership and best practices in digital identity, access, cloud security and GRC. Have a look at our agenda and at the conference topics; it's definitely worth attending this conference. Guidelines for the webinar: you are muted centrally, so you don't have to mute or unmute yourself. We are controlling these features. We are recording the webinar, and the podcast recording will be available tomorrow. And finally, the Q and A session will be at the end. You can enter questions at any time. There's the questions, or Fragen, depending on the language, area in the GoToWebinar control panel. You can enter your questions there, and I will pick them usually by the end; in some cases I might pick them during the webinar.
Okay. So let's have a look at the agenda. That's a very simple one. I will do my presentation and we will do the Q and A session. And as I've said, I will talk about identity and access management, where to start, so more from the perspective of how to do it right, what to do first, what are the essential aspects, etcetera; not as much about particular technologies, but really more about how to best do identity access.

I want to start with two sort of a little bit change, but in fact, real-world examples, things from our experience. One is, some time ago, so end of August it was at that point of time, a phone rang and someone called us and said, could you help us? We want to have identity management installed by the end of the year. What I did was I a friends with declined, saying, first of all, we should identify what identity management is about for you. So what do you want to have part specifically? And then, when I look at planning, building, and then putting it into production between the end of August and the end of the year, so within four months, this is clearly a far too short period of time. Alone selecting vendors will take some time, and doing it well planned takes longer. So this is one of these things where it's about where to start, how to start, how to do it, which I've found, which yeah, which I really have in my mind sometimes when I talk with customers and we talk about the time it takes, and so on. The other thing is talking, and this is something which happened in various firms to me over time, talking with end user organizations.
And they, they say something like, oh, we looked at, or Centrify, Microsoft, and you can add other vendors or take other vendors, whomever you want. And then we choose, and then they end up with some vendor, whatever. So it's, when I translate this, a little bit like not only apples and oranges, but we looked at fruit baskets or a lot of things, the apples of ATA, oranges of Centrify there, which are doing just different things. Both of them with value, but just very different, not the same problem to me and I mix. And then we drove, oh, carrots. So this is a little bit like, if you look at a picture there, there are various problems: transporting the luggage, traveling with the family, transporting garbage or other types of goods, and you have different solutions for that. So you have fossils, Towan the minivan car for the luggage and, and other types of transport.
So it's not, not a single problem you're, you're having here and it's not a single solution. And the same is true for identity and access management and all the related siblings. So it's not that you can say, go out, do it exactly that way, pick that or that, or that vendor out of these two or three or four vendors, and then you're done. It's definitely more. And you can't start with looking at a tool unless you have understood the problem and understood which type of solution you need for that problem. So now that's, this is from the abstract of the webinar and from what we've described there, where we start. I will talk about four different topics. So one is understanding the business cases and requirements. This is clearly the starting point. So what was some identity management do you have, do you need, and when do you need, so, which are your priorities, which are less important things.
So first of all, understanding business case requirements, and then, as always with IT, and in particular with the more complex areas of IT, you should have guidelines, processes, organization first. So identity access management clearly is not primarily a technology issue. Technology is an issue. Technology can be complex, but it's more than technology. You should understand the bigger picture of identity access management first, before you say, okay, I start here or here or here. How do these things fit together? How do these things work together? Then you can start with your high priority challenges, select the appropriate vendors based on your priorities, based on your specific requirements. So this is the way I've structured my presentation for today. And I will go through these various points. The first thing is this new ABC, where we have to deal with the Agile Business, Connected. Businesses today have to be agile and they have to connect.
And this is changing a lot of things around identities. And because we have to deal with more identities, with more types of access, things are becoming more complex. So basically you call it the agile and connected business or the open enterprise, connected enterprise, the extended enterprise. I don't care much about it, but the point is what you have as at activities. So business models, business processes, things, communication channels, the organization, you have to deal with apps. You have more and more machine to machine or system to system communication, just external partners, business processes going well beyond your organization. And you have to secure them, and securing means who can access what, who can do what there. And it's about entities. It's about access and it's about connect, being connected, and connected means it's not only the employee anymore. There are business partners, customers, leads, prospects, whatever other types of information sources, since they're becoming more complex.
And this is the, this is what really is driving the business case and the use cases for identity access management. And it's important when you look at this, not only to look at it from one perspective. So for instance, the administrative view: oh, we need to become quicker in onboarding our new employees. That's one part of the story, but try to understand the bigger picture, and this bigger picture, this new CF frequently used that picture as well around the Computing Troika, is that you have to deal with the cloud. So different types of deployment models, different types of users. So social computing or user population stuff, mobile users, and then manage identity access, and just far more complex area. So it, the business cases are changing. This is sort of the underlying message and you have to define it appropriately. You also have to look at what I call the identity explosion.
This is part of what I've told before. So it's not only the few Analyst, the partners, it's far more prospects, leads, customers you have to deal with, to make things complex, but these are identities you have to manage. You have to manage them here and, and their access to your own on-prem applications or to your cloud services. And all those is sort of done in a way, which is far more environment, which is far more open, far more complex. It's not the single mainframe anymore. It's not only the mainframes and the few PCs. It's a very complex ecosystem you deal with, where you have some on-premise IT, where you use a lot of cloud services. If you look at the pictures, right, where you have a lot of mobile devices, mobile users, etcetera, and this ecosystem, it's about understanding that it's clearly more than just providing single sign-on to my enterprise users, provisioning my enterprise users to some applications; it's about managing the access and the, of all these users, when they're accessing all the different applications.
Now, this is the, the fundamental challenge effect today, which, which really changes this cases and requirements. And, and remember, years, years ago, I had started conversations with customers about sort of the, the sizing, the scoping of identity and access management projects. Now I said, okay, you know, it's important that you, that you design in a way that allows you to manage your business partners, your customers, etcetera. Over time, you might not have the requirement today, but you will have it at some point of time. Today, most organizations are facing this request from their business departments saying, oh, we have to do it. And importantly, even if you start maybe with doing something for your employees, with starting some, doing something for a specific group of applications, such as start applications, you should understand that there's a, a bigger challenge around, which is all the different users, the mobile users, their on-premise applications, the cloud applications. And at some point you will need to support all of these scenarios, all of these use cases. So your design should be in a way that it can handle this. Changing.
This changing landscape is changing ecosystem where I am. I am listen. So this is, I think, very important when you go to the business case stuff and the requirements. One good thing, or one approach you can do is, is really defining a list of common business cases and technology. So we have a method methodology, for instance, in our advisory, where we then ask the business people to prioritize common use cases. And we have a mapping them to various types of technologies, which helps them prioritizing technologies, et cetera. The next step, and then I think this is very important when it's about where to start: we, we are still far away from technology. So the first thing is what is the business case, which also helps in understanding who will be willing to pay for it. And then there's the step around what are my guidelines, my process policies, my organization.
And so let's start with the right side of this picture on the right hand. And we are enforcing access via managing access. So this is more the technical perspective, but why are we doing it? Because we have specific types of controls around access, and these are related with access risks. So we are, we having controls, we have risks, and we do the entire thing because all this is about business risks. I think this is just become very clear over the last, let's say one or two years that access risks are business risks. They can be even strategic. If you look at the one or other bank which got bankrupt, they can be reputational. A lot of organizations have experiences. They can be operational. So we have this relationship of various types of, for instance, we're doing it because of the business first, and this is the reason why we do it.
And then that's also, when we look at our policies, we have to understand why do we do it from a business perspective? So our guidelines, our responsibilities, accountability, etcetera, for information security in general and IAM in specific. So we need to have a policy framework, which usually is hierarchical. We have to look at the processes. So which are our processes we have to implement, which is the organization we have. So who is responsible, accountable, etcetera, which groups do we need in our organization? And it's always a project which involves business and IT. IAM never ever is only a technology project. And then we end up with the technology, where we look at the specific technology, but that's really the, the step after all the other things are done. We, we need to understand first our entire framework around us, from the business case of requirements, to guidelines, processes, and organizations, and then we can make the next step towards which technical components do we need to have in place. So when it's about where to start, it's about doing the homework first, building the foundation of everything. So, so not basing everything on sand, but really building a good foundation for the house you are building. This is really the prerequisite. If you don't do that, you clearly will fail. Inevitably.
So then it's about the next step, from my perspective, is the big picture. Even while you might say, okay, I have a very urgent need. I have, I have a real issue here. I need to fix this. You need to understand how does it relate to other things? So investing in what I tend to call panic mode never ever has been a good idea. It typically leads to investments where you spend money on, on things where you afterwards say, okay, this obviously hasn't been the best solution. It doesn't fit well into my entire infrastructure, etcetera. So the first step really should be understanding that there's a, makes a, a lot of sense to do, to have a strategy and to execute on the strategy, to understand the relationship of various types of components, etcetera, et cetera. So there's a strategic investment that costs you some money and costs some time until you can start delivering.
But over time it will be less cost than always having this: oh, I do that solution, then I do the next one. Integration cost will get higher and higher for every requirement. If you do it right, you can save a lot of money. One of my favorite examples around that is identity federation in these days. So if you look at various requirements, I see the business people are, are facing some requirements I wanna stay it's about, oh, I need to onboard business partners far more rapid than ever before. I need to allow access of my mobile users. I need to allow access to some cloud applications. I need to federate out my employees to a business partner, whatever. There are several more use cases. All of them are centered around the same set of technology at the end of the day. If you understand this.
So if you step back and say, okay, what is, which are the use cases do I have? How do they relate? Then you will end up at a situation where you say, okay, this is sort of the, the common denominator. This is the, the, the common thing in all this. And if I started building that the right way, I will be far quicker and far more efficient and far cheaper with my next use cases, because I build a standard solution, a strategic solution, instead of tactically investing a little bit of cloud single sign-on here, a little bit of federation on premise here, a little bit of web-based federation there, whatever else you can do. Step back, understand the bigger picture. And there are various bigger pictures, big pictures I have. This is one of the big pictures for IM I F I GF created, chose the various components.
In that case, I split up for the administration, authentication, authorization parts, etcetera. So four standard pillars, sort of four A's, and then we have the provisioning, we have directory virtualization services. We have specific ions for SAP and maybe other environments. We have the privilege management, which span various areas. That's focused on the specific type of accounts, et cetera. So there are various building blocks in there, and it's not that there's the one thing you need to start with. It's not that there is something as I go from left to right, or from top to bottom. It's about understanding where are my requirements and what are, which are my business case. And if you've got this, you can start taking what they are. Usually some things you need. So you need, at the end of the day, what you virtually, ever always need is sort of directory service.
So there's something where you need to manage your users. But most of the other things are somewhat flexible. You might do single sign-on, enterprise single sign-on, before you do your full-blown provisioning project; you might start with easier access governance or identity provisioning. Most those can be done. There are various ways to enter that market depending on what you need. This is, but it's important to understand what else is in there, how relevant are these things. And I will have a look at this later on again, before you go out and say, okay, I start doing A, B, C, and D, or I looked up in Google or identity management alert, it's provisioning or it's whatever.
At the end of the day, it might not be the right starting point for you. It might not solve your business problem. You need to understand your business problem. You need to, to understand what is in there, how these things are related. Then you can move forward. By the way, we will have at our upcoming conference, Tuesday morning, we'll have a four-hour workshop, sort of an identity access management primer, where I will dive into detail on all the different building blocks and how they are related, etcetera. So the dependencies and all the type of stuff explaining this, which is then sort of a somewhat more deep dive or more, more deep dive into this topic than this webinar today can be.
You need to understand dependencies. And one example here is that we have, for instance, have this area of multilayered security. So if you look at, we have systems, and within the systems, we have access control. So we have our Active Directory local groups, global groups, universal groups. We have SAP transactions and authorization objects, and roles, different types of roles in there. If you look at the mainframe area, we also have a number of different constructs for the access control management. We have then provisioning, which is done more across systems, but at a far higher level; it doesn't go that much into detail as the system level things are going. And then we have the access governance layer, which is around more the request management, analytics, recertification stuff, etcetera. And so there are various things, and it's not that you need to start at a certain level.
So you need to have some system level concepts in place. But again, then there are various ways to, to address this problem, but you need to understand things are related. Relationships can be pretty complex, and then you have to understand what is the thing I need first. For the extended enterprise, I've already touched it. It's around, you have a lot of use cases and all of them require some specific types of technologies. So cloud directories or cloud IAM, cloud computing technologies, versatile application to provide, to supply to what your business needs. So there's a demand you need to supply to achieve a certain business value. And what plays a very important role in that is the entire cloud identity and access management stuff. So if you look at this, we, we see an evolution towards cloud-based identity and access management types of things, cloud IAM in general.
So what I currently observe is, on the one hand, there's on-premise IAM/IAG and some identity management as a service as starting point. On the other hand, there's cloud single sign-on, there's some identity providers, identity federation services, cloud service, and strong authentications to services starting point, and all of them converge towards cloud IAM. While we currently see one area of just more cloud-based IAM/IAG, sort of traditional provisioning and access governance technologies moved to the cloud. And on the other hand, cloud user and access management, which is more sort of how can I manage my external users? How can I provide single sign-on for these and for my internal users to cloud applications. We also have industry collaboration networks here, but when we look a little bit more into detail, and this is where it really becomes interesting, and by the way, there's research from KuppingerCole, which defines our view on the cloud identity and access management market, at our website kuppingercole.com/reports.

So the cloud user and access management, this is more, which is around managing external users, providing single sign-on to cloud services, but also to on-premise web applications, which are in fact not that different from a cloud service from a technical perspective; access management, 2d services, increasingly mercy and self registration; inbound federation, so allowing your business partners to federate in; outbound federation, federate to cloud services, federate to business partners, etcetera. So this is really targeted at this, this use case I've, I've mentioned before: onboard your business partners, access business partner applications, access to cloud services, etcetera. You typically have some on-premise premise creation there, at least your on-premise directory services, but it's very much targeted at this, yeah, this connected business, which has to deal with other types of external users. On the other hand, when I look at the cloud-based IAM/IAG, it's actually sort of more traditional services, and there's a lot of access governance and provisioning in there, some single sign-on, usually to cloud services, and there's some federation, access management, and, and there's even more, more integration.
So you have an on-premise gateway to manage your on-premise non-web applications, also sometimes your on-premise web applications; you have your on-premise directory services. Interestingly, typically all of these services are hybrid to some extent, and again, it's important to understand what can they do and what not. It's important to understand, okay, there are a lot of things happening, but clearly the cloud I am and cloud IM cancel everything. It's about understanding what is your use case? This is the right solution. How does it work together with your existing world? Because having something in place which only serves some cloud services with no integration to your existing, right? It doesn't really help you. You need something which works well together with what you have, which sort of embraces the terms, extend your existing infrastructure. This is really where things are, are becoming interesting. Okay. What else do we have?
How to identify where to start? First of all, I think understanding business cases and requirements helps. Having guidelines, processes that are in place helps, because it helps you to understand a lot about your specific requirements. Understanding the big picture in your relationships also is very important here. And then it's about identifying your high priority challenges, selecting vendors based on priorities. And there are various ways to do that. So the standard RFI, POC, etcetera stuff, and clearly it's, it's important to say, okay, I understand the requirements. I do my RFI. I have a long list of vendors, which are reduced to shortlist. I select my vendors. I do my POC, and I have use cases defined far in detail for the POC. And then I end up with the decision I do. I just will highlight some of the, the methodologies we are using when we do advisory or some of the methodologies we are using in our research.
So one of the things is that we have, for instance, an approach which looks at what are the various technology components. So the ones from the big picture I've shown before. So how relevant are they in general? So for, if I look at sort of the, all of the different organizations, and how relevant are they for a particular customer? So this is, I think, one important thing, prioritizing different technologies. Why are they relevant in general? Why are they relevant for your organization? Another thing, which, and then, you know, then you have a list of three or four or five things which are the top priorities, and you have a list of something which are medium priority and some lower priority. Then you can add at for instance, something, we also have the list metrics, which shows the dependencies. And if you look at your priorities or the dependencies, the was a starting set of things, the other thing you should understand is how good do I want to become?
So which maturity level is my target? Is it level three or four or five? Do you want to be the best in the class or good in class? Or do you just want to do the minimum things you need to do? We have defined maturity levels for identity and access management, identity and access governance. We'll publish an update around EIC. So in around about one and a half weeks or so on that. This also helps saying, okay, what is my, my, my, my target, where do I want to, to end up when I do this entire thing? What we also do is, for instance, we do maturity assessments where we, based on our maturity levels, based on our knowledge about the industry, then identify where is the customer. So in, in various areas. So usually we have 12 categories; six of them are technical, six of them are more organizational. Then we compare and identify where you are compared to good in class, compared to the ideal world, etcetera, which also helps identifying weaknesses. For instance, in that case, if you look to the bottom, there's a lack of a technical master plan. Obviously that's something where that makes a lot of sense to invest in. Other things are already done.
We also provide another tool, which are our leadership documents, which compare vendors in the particular markets. And so this is the most crowded one, the identity provisioning, with a lot of vendors, where we have our leaders, challengers and the followers. All of them might be the best fit. So if that the ones, the right most vendors, so it's only the right, the better demoted left the not good, but so there's only one dimension in that. And it does not mean that the ones right are the best fit for you. Again, it requires understanding your business requirements and then moving forward step by step to make a well-thought-out, well-informed decision. So saying where to start for identity and access management from a technology perspective, I would say it's impossible to say start here or here or here. It's not about starting at provisioning, access governance or somewhere else, noti where to start.
Another thing we to start is about what are your business requirements? What is your big picture of IAM? Where do you want to move over time? What are your top priorities? What do you, what can you afford to do? That might be also a limiting factor. And then you can make a well-thought-out decision, but not by just saying, okay, I move forward, this is the type of technology I wanted to; this is not the right way to do it. So that's it from my side on the question where to start. This question, as I've said is not, there's the technology. One thing you, you should need is some directory services, the one other directory service, but there's more in that. So we have right now time for Q and A. So if you have any questions, please enter these questions now. In the GoToWebinar control panel, there's questions or Fragen or whatever, so that I can pick up the questions. And while you enter your questions, again, from my side again, to the European Identity and Cloud Conference, which will be held weeks from now, even you should numbers. And the other thing I want to highlight until we have some questions here, this is related research. So there's far more research around it, but as you can see, there are various Leadership Compass documents. There's an important scenario, understanding identity and management, which drives the market, the future of IT organizations, some advisory note, which describes our view on how IT organizations should change in this landscape. And as I said, there's a number of other, there are a number of other documents out there.

So as I've said, we have some time for Q and A now. If you have any questions, please enter these now. If there are no questions, as I've said, there's also, the recording will be available tomorrow of this webinar. And guess our upcoming conference, a good place to ask, ask questions directly to us. So thank you for your time. Have a nice day. Hope to have you as an EIC attendee or participant in upcoming webinar soon again. Thank you. Bye.
