Identity Fabrics Maturity Levels

I'm Martin Kuppinger. I'm Principal Analyst of KU Analyst. I'm here with Dr. Phillip Messerschmidt. We are the moderators for this drag around identity, fabric, maturity levels, and I think there's also a lot of talk about how to make things work, how to implement them in large scale, et cetera. We have a, a number of very interesting sessions in the morning. I'll start with one, talking about den fabrics, maturity levels. We will learn from how to do a large scale production system migration from bmw, and as a consult, we'll hear from the Royal Bank of Canada. We will hear from others. So over the course of these two hours until the lunch break, there will be various, I hope, very interesting sessions. So, and we will then walk you through your sessions and moderate them, step by establish so you have access to the agenda. You can see what's coming next.
Where I'd like to start is having a look at bit at maturity levels and, and what to look at for identity fabrics. There's a, has been already a lot of talk about identity, fabrics about the concept. I'll anyway, give a quick introduction again before I then look more at what I believe is, is most relevant from a sort of a maturity measurement perspective of where you stand, how mature you are, what to do maybe next. That usually from my experience, also helps to benchmark yourself a bit on where, where you stand in, in comparison to others.
So identity management is an established discipline. It is something which is out there for, for a very long time. This is our own reference architecture, which is updated regularly. So this is evolving. Some of you may have been yesterday morning in that workshop where we talked about an anti management fabrics, the building blocks and, and how to build your roadmap. And we, we walk through many of these, these aspects here. So that, that is not, that is just a high level perspective. And so we have administrative aspect, we have the authentication piece or the nalytics piece and, and x governance. And we have the authentication part, the authorization part, something which is to a certain extent, probably in place for most organizations, but this is more, more building block perspective. And then the other thing we, we developed over the past years was this concept of the identity fabrics model.
In fact, when I go back to the history, this really emerged from, from, from a perspective on so, or from a, from stepping back and, and thinking about what is the top of identity management. And at the end, the top of identity management is pretty, pretty simple. The trauma of identity management is that everyone and everything, so not just workforce but all types of humans, all types of non-human or silicon identities can seamless seamlessly access all these resources regardless of where they run. This is what identity management needs to deliver. And that means we, we need certain types of capabilities. We need to manage the identities, their entitlements, their access, get a crip under risk, have some additional services, put this into services, build the tools below that, have the tools in place below that and make this work. And we also need to make this work together with what we already have.
So we have a lot of legacy. It frequently, we have a lot of legacy. I am and we need to, to have a, a smooth migration here at your pace. I, I always think say that that's, from my perspective, it's very essential that these things are not considered as a big bang approach. But the seamless migration, we, we need to contact connect to digital service and SaaS, but we also need to enable identity to serve services. And I think this is a very important paradigm shift. So most of what we did in identity management in the past was we managed the users and their entitlements in a system. So inside out, so to speak, from identity management out to the applications. However, in in the world of building new modern digital services, it is outside in, it's a service consuming, a digital service consuming identity services.
And this is essential. So identity fabrics are about all identities. They must have what I call an identity a p i layer. So it's exposing a consistent set of APIs, which I believe is really essential. They must allow us also to transition our legacy. I am, they need to support SaaS, but also the, they, they should be ideally, I think an identity fabric usually is delivered in some sort of, and as a service model between sort of a managed service to multi-tenant IDA solution, that could be everything. And it must support the hybrid reality of our it. So our, our, it is hybrid and at the end that's also important. It delivers verified identities and access for zero trust. So later today, my colleague Marina and we will talk a bit about some, some results from a survey or from a set of surveys we've been running on pulse, we've been running over the past time.
It is that there are still some, some reluctance in some areas regarding identity as a service specifically and particularly for iga where the adoption rate is not very high. So this is for the ones who haven't adopted yet. So some parts, as we will do it relatively fast, but a very considerable share of the organization says, we, we, we don't have a plan yet. And I think what is important from that graphic for to the identity fabric thing is organizations will usually not just say, okay, next two years we go to an identity fabric. But they will do it gradually. And the identity fabrics is a concept that allows you to build this up step by step. And IGA is usually the, the part which takes longest because I think everyone of you who, who has an IGA solution blaze for a couple of years is probably also cared about the sort of migrating that IGA solution to something new.
So you, you, you not necessarily are super happy with what you have, but migrating to something new is something which also is a bit scary. So identify fabrics to understand, they are paradigm, which helps you to concept a methodology which helps you to create your, your architecture, which can provide you guidance and you need to apply it. And from, from a, from a terminology perspective and identity fabric is a bit a mix of things. You can interpret the term fabric as a mesh, but it's also about production. What it isn't is that it's not just Lego bricks, but it's about connecting these bricks into something. So that's the way you should think about the fabrics. And these fabrics allow you to move forward gradually.
And there, you know, you can use suites, you can use individual products. They're pros and cons for everything you, you need to understand the first step is which types of identities to which services, the big building blocks, which capabilities do you need out of these maybe which do you need in addition to what the ones we have listed here, how do you put this together? And then how do you build it? And you need to define your capabilities. You need to prioritize, then you need to define the function services and map them to your target operating model. You need to have a target operating model in place. Your organization who's responsible for what across all the providers. You have an IDAs provider, you may have an msp, you may have your internal teams. You have the business teams define who is responsible for what. And then you come to the tools that do that. So when, when we look at the maturity, what wakes up maturity at the end from an identity fabric perspective, the key aspects are how, how well integrated on one hand is what you do and how far did you sort of bring things together, converge things, but also how flexible are you? And for instance, the API part, there's, when you read through our documents, there's a lot about architectures behind it. It's important.
What I've, I've heard then sometimes is that, so everything is sort of some, some end user organizations, vendors, et cetera, try to then squeeze everything into this identity fabrics. I don't, I I would not say that every, everything you have an identity management really qualifies as an identity fabric. So if you don't have a big picture of all of your, IM across all areas, but trusting in still different pillars here with consumer identity here, iga or here you do it for ot, et cetera, and, and don't un unite this or unified this from a view, then it's really not an identity fabric. If there's not at least an API strategy where you say, I I also expose APIs, I go towards an identity API layer. It's not yet an identity fabric. So there, there are a lot of things in here. I've structured this maturity thing into the, the usual five pillars.
We know from cmm, c i so initial state, then you go to repeatable define managed optimize. So, so how you optimize that, and I look right now at eight areas which are architecture supported identities, supported services capabilities, API layer, ui, ux, the target operating model and the level of integration. So to make this a bit more, a better readable also for the people in the back row, I go through that line by line with a little bit of a larger font. Even while I'm think I have a bit of a reputation to always tend to bring up some slides with a four point, four point or three three point font, which is a hard read for, for anyone even in the, in the first row. So architectural wise, it starts with this high level blueprint across all areas of identity management. So this is really the, the initial stage where you then make it repeatable by having a standardized approach for, for identifying the capabilities and the prioritization.
That's quite a bit of what Phillip Christopher mainly did yesterday. I was mainly working on responding to all the questions that came in. So you go down into a defined concept, you regularly find that adjusted cause this is living, so you don't do it now. And then in five years, again, you should at least once a year review what needs to be evolved. You need a repeatable process, which then moves into sort of a recurring optimization. This is the architecture side from its scope side, at least the humans, different types of human identities should be in all B two, e, b two C quite clear. B2B is I think currently the most interesting area of identity management for humans because the B2B use cases and B2B two C and whichever else are definitely the most complex use cases most interesting from my perspective.
So you should then move into an approach which helps you to identify and and structure identities. So which types of identities you have move to a defined model also for non-human identities, for silicon identities, rationalize the number of technologies. So, so yes, there might be scenarios where you have more than one access management solution for different use cases, but try to rationalize it, try to reduce the complexity and move forward to an organization-wide approach. Services at least IGA and access management should be. And from there go to an approach. Perhaps you're adding more services and how you split services, how you segregate services, how you can reuse stuff, have a good methodology for for deciding on on what are the core building blocks around iga, access management, et cetera, for your fabric versus specialized add-on. So when do you need something special? And I think this is always a tricky balance because yes, you will say, okay, whatever this tool from vendor X that I have that's working quite okay, but for this, this use case, it's not perfect. Perfection is hard to achieve to be honest. So have have an approach which helps you to decide on when do you need really an additional technology which adds complexity, which adds cost and other things. Or where you say, okay, I, I live with the fact that I have a bit less and capabilities or I do a bit of customization. Customization is a bit dangerous. But anyway you need to do it in a, in a defined and structured manner. Implementation, maturity.
So this is really about how do you move forward with your implementation. So work, again, it goes a bit a bit back to what we had was a reference architecture that could be ours, that could be any other identity management, reference architecture that fits to you, the ones you like or the one you define yourself. Again, have an approach for identifying, prioritizing with the right stakeholders involved, which is important. So I, I think I, I talked about it quickly yesterday morning in, in a workshop, you need a good group of people, not the 120 we had in the room yesterday morning, but also not only the IM core team, so prioritization, et cetera, that in gap analyzes. All these things require that you have a good mix of people from identity for cybersecurity, from the business, from digital services, from other areas depending on what you are looking at.
This also may change a bit when you go more into new types of identities that come more from, from your OT IOT space. It may be different people describe the capabilities, map it to your I TSM at SLAs and all the other things, APIs. This is one of, of the key things you need to think way more in APIs. So, and identity mentioned, as said, we have very much just inside out thinking from the past. So an IGA tool creates user accounts in an SAP system and entitlements in this system or that system. But in the, in the world of digital services, it is that someone creates a digital services says, oh, I I I need to consume existing identities or have a process that allows me to create new identities, new consumers, customers, whatever to build a relationship, whatever else. And this is done via APIs.
APIs also help you in customization. So whom of you over time has sort of run into trouble with all the customizations made, let's say in the I tool you have in place where you say, okay, it's hard to keep up with the standard, it's hard to, to implement updates and, and new releases. So who, who whom have you went into drop hands up. Be fair. Okay, I think it's at least half of the room, which is no surprise. And it was a bit of a, sorry question I I have to admit the point here is customizations always should be segregated from the rest. Why are the use of APIs they should reside and own nowadays microservices which may expose other APIs again, but they should be always well segregated. This is what, what is at the core. If you don't have that, it's not yet an identity fabric.
So you need to describe the, and you need to manage the APIs, which is also very important. You need to security APIs move to unification, which then allows you to replace certain technical elements by others while the APIs stay similar. In ideal world, there's always a bit, it's gets a bit bumpy then when it comes to replacement, but you can do a lot here really a lot. As I've said, also API securing the other things, there should be a bit of a common ui, ux Patrick on the other side there's also space and for the others by the way as well. You can just move to the other side and we might find a bit place here and there are also this, this a few seats in the front row. Even while people don't like to sit in the front row, I know most at least, so you can unify, you need to unify then more and more of admin in, in UI integrate with itsm, IT service management if you're have it in place to, to really have a consistent experience.
What else have a target operating model in place? LY stuffed, I think defined asla also very important thing. Describe it and do good integrations. So document what you have in integrations, how you do it, build all the integrations to seam and all the other things. And that will help you then to, to really come to a, to an evolutionary approach. So identity fabrics, this is very important. They are evolutionary. You can move there without disrupting what you have and you can do it at your own pace. So to be integrated, migrate what you have and expand to the future. This is a very short overview. You'll have access to the slides later on. I hope you was able to give you some insights here on my, so thinking about maturity of identity fabrics and a bit of background around identity fabrics. So if you have any questions, I think we may pick one question now. Otherwise don't hesitate to reach out to me directly. We are linked via LinkedIn or via email. Any questions, don't be shy, but you can also, okay, here's one. Patrick, I knew that it will be Patrick. I, I trust was about to say you can save all your questions for Hak later on. Specifically the nasty questions. Totally fine with that approach.
Yeah, I think so Patrick,
I'm just curious about your thoughts. I mean it's, it's new to all of us, but the impact of LLMs on UX because I have a huge design team now. We feel like we're getting great at design and all of a sudden if we're living in this post LLM adopted world.
Good question. So, so what is it? I think at the end translate the question of ai, of conversational AI and all the things on Dux. And I think this is a super, super relevant question because I believe we can do do a ton of things here by, by utilizing the technical capabilities. Unfortunately I think Martin, we don't have time to pick your question because I think we can augment users in, in doing the things they need to do way better. We can augment the operators in being way more efficient. So yes, it makes sense, do it. But I already have to hand over to heico, otherwise we too late. So thank you very much. So for listening to me.