Re-Imagining Identity Management for the Digital Era

Welcome to our webinar, reimagining Identity Management for the Digital Era. This webinar supported by Arcom. The speakers today are Gotham who, director, strategic Business engagements at Arcom and Mi Martin, principal Analyst at KU analysts as usual. And before we dive into sort of the content of today's webinar, a quick round of housekeeping. We are muted centrally, so you don't need to care about anything regarding your microphone. We will run two polls during the webinar, one more towards beginning, one more towards the end, and we will do a q and a session at the end of the webinar. However, you can end the questions at any time throughout the webinar. And I also probably recommend that you do so because given that today we will have more in conversation between and me then, then become whenever appropriate, pick up your questions and directly respond to them.
So, so don't hesitate to to enter your questions during this webinar. And we are doing a recording of the webinar. So the slides are less of less of value cause they're just providing bit of a structure, as I've said, and the bring us directly to the agenda. This is really today more discussion style webinar where Gotham and me, Martin er will look at the subjects and, and what potentially must change is changing will need to change in identity management for digital age or digital era In the second part, and as I've already mentioned, we do the q and a and with that I wanna directly shift to the first poll. And that poll is, so when we look at an entity management, the, the question is, this is something where you have really a, an sort of a holistic comprehensive concept. And Im blueprint covers all major areas. Something like the identity fabric that the concept we def defined quite a while ago. So yes or no, I'm looking forward to your responses. The more participate in this pulse, the more interesting it is. And if ever time is left, we may pick up the results and discuss them in the q and a by the end of the webinar. So please respond. And then second 10 seconds or so, we'll close the poll and start our webinar for main part of our webinar. So thank you. Welcome, God, a pleasure to have you here.
So before we directly dive into our first topic, which we'll be looking up at today's Im challenges, maybe you quickly introduce yourself and I need to unmute you. I c sorry, here we go.
Yeah. Hi, good morning, good afternoon, good evening to everyone who's joining in from different parts of the globe. Thanks Martin. It's a pleasure to be here. As, as you mentioned, I'm director of strategic engagements at Arcon, which means we run drive some of the strategic initiatives and go to market approaches for the identity platforms that Arcon focuses on. Great to be here because I, I understand this is more of a fireside chat format and that's what works very well in actually, you know, throwing up ideas and, and making it more interactive in terms of also the q and as that we expect to have from the wonderful audience here.
Okay, great. So let's get started. And we, we decided upfront on a couple of talking points we'd like to, to talk about, as you said, murder fireside chat style. And the first one is about I am challenges. So what do you see? And then I may look at what I see, what do you see as the main challenges these days when we look at identity access management?
Well, I believe the landscape is evolving and changing tremendously, of course from the, you know, traditional challenges of say a password fatigue or, you know, automation of a process of provisioning, deprovisioning, those from statements still stay, but people have understood how to address them if not already done. So. I think the new challenge is around the fact that organizations are spending millions of dollars on, on siloed and disparate solutions, maybe going for a different mfa, different bam, you know, privileged access management, different solution for governance and identity and management and so on and so forth, right? There are specific problem statements for cloud adoption and entitlements on the cloud as well as it may be on the API security or, or application site in terms of,
And I think that is, that is definitely the case. What I also see is that talk about management for, for quite a while and, and the term what anti access management probably is more than two decades ago old already. And it is on the agenda of organizations for, for, for, for quite a long time. But it's still that when, when I talk with organizations, it's very interesting to see at the end that many of these organizations still are in a, in a state that is incomplete to a certain extent. So sometimes really even in main capabilities of Im such as whatever, no good privilege, access management or already gaps in other areas are, are lacking or are are outdated or are the relatively low state of maturity. So I think on a a more generic level, this is surely one of the, the, the bigger challenges we are facing in identity management that it's still not that we, we, we find a high level of maturity across all the organizations.
And I think that the smaller organizations become, unless they are heavily regulated, the more it is the case. And I also believe that we have a couple of things which, which we need to fix more on a technical level. This probably would lead too far in in depth chat, but you know, when I see that really, I probably would say that the, the maturity of organizations are struggling was building their own models with successfully executing the re-certification campaigns. It also means that some of these things we are doing in identity management seem not to be good enough to what we need to do, but I'm also agreed that yes, there are other types of, of organ of IM use cases we need to cover
And it it needs to be a culmination of people, processes and technology coming together because it's, it's no easy management of, of specific ID with the types of identities in itself increasing, right? We are not talking of just user IDs and passwords anymore, it's really around the very persona. It, it could mean human and non-human identities. It could mean business privilege identities, service accounts, applications, bots, right? And all of those need to and as, as well as digital assets at the end of it. So digital identities and digital assets need to be eventually mapped back to a human identity as the custodianship or ownership of those, right? So it's more complex than, than just managing specific credentials or username passwords. It's around the evol evolution of identities in terms of an outcome driven model, hyper-personalization, because you know, identity now constitutes the entire persona. It could mean ideas, it could mean how someone carries on some particular tasks, right? All of that goes into the attributes of an identity.
Yeah, kind. You're bringing up quite, quite a number of points. Some of them we probably touched later on, like the outcome based approach, et cetera. I think points you raised, so the different types of identities, human versus silicon, et cetera. I think this is interesting because it fits also to a question that trust came in and the first question I, I'd like to pick for the audience is isn't one of the major challenges that most Im projects are still to workforce focused. So I think when we look at identity management and, and it's running then I, I would agree a lot of this is still workforce. We have quite a bit of consumer identity stuff
Happening, alright?
Sometimes it's a bit disparate when it goes into machine identities into what you call custodianship. So, so, or identity relationships then, then surely we have to go a long way in, in many of the organizations
For sure. No, I I believe it's equally important to look outward towards consumers, customers, or even citizens for that matter, right? At a larger perspective because, you know, that's where a, a lot of external or third party identities will need to access, you know, the a applications or network within the organization for some business requirement of the other. And that, that, that is equally one of the challenges and, and rather opportunities that organizations need to look at in terms of management.
So, so, so when you look at, IM then and say, okay, there are challenges I think, you know, at the end today the point is not say there are challenges. The point is how can we solve it? Yes. So, and when, when we look at this and, and think about an IM for the digital age, what is it? I think we started four or five years ago or so, at least with this concept of identity fabric, which seems to be become more and more prominent. I see others picking up on, on this term where I say, when I created this, this idea or when we created this, basically it was also a bit of stepping back and saying, what is the trouble I am and Im is providing seamless yet secure and well governed access for, for everyone and everything to every service. So that was at a core, well, the, the starting point for, and then it's about how to fill the, that entire thing. And, and so I, I think this is, could be to my perspective, and maybe I'm overrating that, that that concept, but could be a very good starting point because it's saying, okay, it's, it's really about e everyone, everything, every type of service and more holistic view. And it's also has in it, you can access it, it can manage services, but it can also, it also provides the APIs and inherently it runs as a service. So it's IDA identity as a
Service for that matter. Yes. No, I, I couldn't agree more on Martin. And that's where, you know, with the increase in adoption of digitalization and, and automation, it's again, you know, we come back to the types of identities. It's, it's increasing in the non-human segment of things with also service accounts and, and bots being created more and more further on. There could be processes that actually replicating those for, for maybe separate purposes of a business or, or even, you know, inadvertently sort of replicating of processes in itself. But I believe that, you know, the custodianship of all of that, the ownership of each one of those types of accounts coming back into a reconciliation is important and thus that needs to be looked at from a, from a holistic governance perspective.
Yeah. So what I also want to bring up, so touched this is this, this API aspect. So when we talk for I about, I am for the digital age, so traditional I identity management is so to speak, inside out from the identity management system to the applications we create accounts, we define entitlements, we also cate and let them in, so to speak. And that is, that is another thing where I believe specifically when we look at digital services, we, we need to also sort of support the opposite way outside in saying our every digital service can consume identity services. Why are a defined and consistent set of APIs? So create a user authenticate, provide major risk information, whatever is, is could be in there. But I believe that that we modern identity management needs to, to support both, both ways and with the, the, the outside in part becoming more and more relevant. Absolutely. The more we work through standards, the more we work with, with, with cloud services as targets and digital services, the more it's really a con consumption aspect.
Yes. I think if we, if in, in this entire puzzle, if we could get the piece on the single source of truth identified, and if one gets that correct correctly, then that's a whole, you know, side of the problem that gets solved, right? So when we are looking like you said either outwardly or external to inwards, right? The identity provider and the single source of truth becomes that much of a point to look at, right? Because one may not have all the attributes known about the, the user trying to get that access, but I think when they're now more in terms of federated identities, and if one could look at it in a, you know, nationwide identity provider, like, you know, maybe our service account or so, you know, in terms of the, the SSIDs that some of the citizens have across the entire country, it could be our, you know, country identity or, or your social security numbers being integrated into something of that sort. We, we need to kind of think through and reimagining identities too dictate that identity provision and, and the single source of proof as well.
Yeah, I I, I even, even, would you dare to say that decentralized identities yes, will become a very, very, very relevant element in the Im for digital age. And I think we touched some points. The one is how do we deploy it? Which types of identities do we support every type of identity. I think there's also by the way, matches the questions I'll, I bring up in a second the, the way someone can consume or is supported by the end management system. So it's really that yes, a lot of things change, but I think it's also important that's maybe something we can touch or talk about later on. Again, it's also important to understand that, that that that that does that, this doesn't mean that we need to sort of speak, throw away everything, but what, what, what comes as something we can use really in the conversions to, to sort of gradually expand and, and, and, you know, so sort of modernize our existing identity measurement. But maybe let's, let me quick pick up the question that is, I think it fits to something you said, so I'll hand it over to you that question then. So which role do identities of devices and syncs play for? Im in the digital age,
Did you say devices and systems.
Devices and syncs,
Right. So yeah, I think in terms when we are looking at a complete identity access management with governance, it is about human identities, digital identities and digital assets, right? So in terms of having those assets, you know, having, having the right types of a access to those assets as well as being mapped onto a specific ownership of it. And this ne needs to be modularized even in the governance aspects of it, right? So as much as a user access review is important, I think device access review is equally important on that and constant and continuous certification, re-certification and reconciliation of all of the types of access that are provided needs to be studied carefully, right? It's a very dynamic environment all across within organizations or even externally with third parties. And thus a continuous motion of checking the relevance of some access that may have been given some time backwards, current day is an important factor.
Yeah. And, and I think it goes back to what you said before around custodianship. It goes back to the concept of we need to understand at the end who is using a device or in which context is the device or the sync operating. And that can be rather complex relationship. So if you take a a vehicle connected vehicle, then the vehicle itself consists of many, many different things, different components with their own identities. So we have, and then we have a huge system of organizations and individuals around that from the driver and the whatever assurance company and the leasing company and the police and the garage and the manufacturer, et cetera. So, so these, these, these relationships can become extremely complex and I think there's surely something in Im for the digital age where we need to get better. So in the interest of time, let's move a bit forward. We, we touched this topic of where are the challenges, where, how could it look like we touched Im identity fabric as as a term we sometimes hear about swim lanes and convergence. We also see bit different trends and, and I think also for an identity fabric that there are two levels. The one is we have consistent view and which tools do we need to, to build that? And brings us to this, there's all this interesting question about conversions versus best of breed. So what is your, your take on that?
Absolutely. Like you said, everyone's looking to optimize, I mean, in the ideal world, a single stop shop, but at least have minimal number of, you know, technology coming in along with people and processes so that there can be lesser to manage with more outcome, right? And that's what everyone is looking at as far as what we've heard from market and, and, and even the likes of keeping your coal have researched upon, you know, with what you call have rightly termed as the identity fabric, right? I think it's bringing every everything together in a, in a coordinated mesh and not have a mess, but actually a mesh put in place, right? What what another benefit of such, such a thought process going in, in terms of delivering solutions for that matter is that you also will optimize the human resource overload because you would have a common skillset required to manage less number of technologies with possibly a common code base, less number of interactions in terms of touchpoints as well as some use cases, right? Coming together in a convergence or, or you know, bringing the best of breed of different technologies that are intertwined can only come when each of these is inter-operating and, and integrating with each other seamlessly in a native form.
And, and I think that, you know, I I'm asked quite regularly about, so how, how many tools do we do, do we need to sort of, to build our identity fabric? And, and I I I I I think the first distinction I make is between the, the core capabilities like the IT related or what do you call AM or PAM today or CM and the, all the, all the additionals highly specialized technologies you may need or not, depending on your environment, depending on your, your specific needs. And for the first part, my answer is keep it very, very low. It could be a very small digit of suppliers technologies you have, but you may need others. I think what what is very important is that context and is to understand, yes, there's truly a benefit. If I have everything from one vendor, then I should have a a, hopefully a consistent architecture.
And if it's deployed as as a service, it gets better, consistent APIs, the same types, dashboards, ux, et cetera. That is definitely harder to build the more components you have. It's on the other hand, way simpler to build in today's age of identity as a service in today's age of microservices, container-based deployments and APIs. So it gets easier, but it still requires way more architectural thinking and way more integration work. So I think it's, it's really about that, that balance that that's one, one other question coming in and that is about will single vendor strategy for Im ever So, so I, I think the answer could be it depends on, because it depends, I believe on the size of the organization, if your earning really small, have lower requirements, maybe yes. The bigger you are, the more complex your world is, there is the more complex it gets.
Yes, no, I, I fully agree it is, it's, it's not a child's play or it's not, you know, easier set than done. But I think that's where also disruption will come in and someone's gotta do it, someone will do it, right? It's, it's about understanding the core of the problem and actually delivering not just the problem statement of, you know, maybe automation or governance and visibility of it, but seamlessly operationalizing that with ease of optimizing, you know, the entire process in itself. So I think, I think that's where could get disrupt,
Given that we don't start greenfield in most organizations, how do we get rid of the silos? I think this is the next point. And so if you say, okay, we want, sorry, holistic concept, like an identity fabric, we want to reduce the number of technologies in there even while it's becoming simpler in, in a world of, of SaaS and IDAs. But still the question is what do we do with all the legacy stuff?
All the legacy,
Yeah. What I see in, in identity management, there are basically two challenges. The the one is where to start to modernize and the other is other things I better leave and and integrate somewhere.
Absolutely. I, I totally agree. It's, it's not that one fine day one wakes up and says I'll get rid of all the silos and I know, you know, the fabric or a converse platform is what I would go with. That's, that's not how one would imagine it to be, but I think it's a definite journey, like you rightly said, it's to, to begin with at some point, but being future ready in terms of at least having the wherewithal to easily scale up, easily modularize and go from one level to the next in course of that journey and have a definitive plan that okay, it could, it could mean one year for some it could mean three five years for some depending on the complexity size of the organization, but eventually that's where a lot of the value will turn up in terms of the outcome that they expect.
So, so, so when I look at this also what we do sometimes as advisor, right? So, so on the first part, so where to start where we have for instance you some, some standardized methodology which looks at on one hand where are the biggest gaps and what is on the other side more easy to do so and, and and some other aspects. And then you then we can rest and well sort of so also visualize what are the things that, that are sort of the, the biggest pain points that are best to fix. And then truly there sometimes are huge pain points which aren't easy to fix but are, are must. And on the other side there might be somewhere you say, okay would be easy, but it's a big pain and, and that helps them making a bit of the decisions. The other thing I always recommend is don't try to to to sort of move all the big rocks.
Absolutely. I
See. Because in implementation or transition projects for, for each of the major areas of I am are complex and the management capacity in organizations, not only the budgets but really also the management capacity, the, the, the skills that the people are limitations. And so you'll be more successful by doing that. That leads me to my other point that, and that is what to do with what you have and when I first take legacy iga, so the provisioning part, and you may have whatever things that are complex connectivity things to your mainframe or other things, in some cases it's really also a bit of a mathematic, whether it's not better to, to retain power of that, put something new on top and then so to speak, use the old, like the old IM system trust as a target for your new identity fabric, which then executes to, to a few systems which become less and less and less until you maybe then might fully replace it or you leave it because rebuilding whatever mainframe connectivity can be such a,
It's a, I mean it's a marathon on its own. You Absolutely right. Yeah. I think that that's, that's what it is and that's, that's the way to go about it.
Yeah. So, so when, when we, so radio getting innovative silos is not, not easy and, and I think don't, my recommendation would be don't be over ambitious in, in the, in the sense of I want to have everything done three years better do it right and focused it give you'll be more successful approach.
I think it's the, the the classic 80 20 rule, right? You've gotta achieve the, the maximum with the minimal effort that one puts in. So with, with 20% of your effort, what's the 80% problem statement that you can take care of? Maybe that maybe for, for one it focuses around the crown jewels of the critical IT infrastructure and managing the privilege side of things for another, it may mean the join mobile lever process and having productivity on that side of things. So yeah, to each their own for that matter.
Okay, so, so let, let's go a bit away from the, the legacy towards the future. So, so we have titled this part I AM Data and and Context and I, I think that data is becoming more and more relevant. We see, see more and more, for instance, AI ml stuff in the IHA space. And that only works if you have data and context is out there as an idea for not only ideas, a solution for quite a while when we look at authentication where, where it's about adaptive risk and context aware where authentication. So, so where do you see this entire field heading?
I think this, I would call it the next level of convergence, right? You're looking at identity centric security marrying with contextual data centric security. Because as you rightly said, data in itself doesn't mean much, but if you've got, if you've got data context, you understand what that data, if you're able to address and answer that, who has the most important information in the organization and what are they doing with it, then you've got meaning behind what you're trying to do. And that can only happen if you've got a contextual data model marrying with the user context in itself. So you know, if, if it's something that is sensitive in nature to the organization, but you also need to know who is the custodian of that in terms of the role, then the meaning of that data becomes more contextual,
Isn't there? That goes, goes back to a question that came, came in here and rephrase the question a bit. It's Eddie, isn't there? So there's the, the context data for our user. So what is the user doing with data? Has user accessed Yes. Location and all the other things. I think these are, some are more activity, some are more state based so to speak. Some
Some maybe behavioral based. Yes,
Behavioral based behavioral would be a bit activity is. So yes. And then there's, there's another angle which is the context from from from other identity management services maybe. So I see this quite frequently when when we look at IGA and do re-certification, then we look at that Martin have the entitle I SMART should have or CEO entitled. But if the other angle, what what does Martin do with the entitlements? So which are again, two angles. The one is did Martin ever use this entitlement? And the other is at runtime if I take the context for my authentication and something is a bit strange and Martin is doing highly sensitive things. Yes.
An anomaly. Yes.
Yeah. And, and, and I think this context thing is, is a, is a really big beast at the end because there are so many facets of it. And yes, I try to bring up a graph, side picture, it leads to a very complex graph of information we need to deal with. Yes,
It's, everything is interconnected. Like you've rightly I think, you know, chosen a point here, but the, the fact is data is such an notion, right? It it, it flows like water. It, I mean, unless you've contextualized that and understand the meaning behind where this is coming from, who has it and what are they doing with it, just having, you know, control over that data is, is not gonna help to my mind.
Yeah. So we, we need, we need to rethink data models. So I see, I see a lot of things happening around, around craft databases that are used. I, I personally believe that is for not, not for every use case. I, I think like this most things it, there's not that the holy creative one solution that's, that solves everything. But I think graph database are definitely an interesting element for certain use cases in the identity management context. And which again is a bit tricky because when, when someone selects a tool, should someone really need to look at that level of detail or is it better to look at a capability level? But at the end, the main thing is that we, we get the capabilities and sometimes, and maybe it's more our analysts when we compare products to understand is the architecture good enough to serve the needs?
No, I think it's important to get down to granularity of the data. It's, it's a difficult task to do, but effectively that is the, the core prize that one is trying to protect as well, right? So to my mind, there needs to be AI ML driven. I mean there's, there's so much of data that even the mid-size organization forget about the large ones even will have within themselves that to actually, you know, understand the context of it. One has to have strong AI ml capabilities to be able to pattern, recognize, churn them up and have the intelligence to reco to kind of discover, classify, you know, the sensitivity of it and then put in the context that okay, if for example, this data refers to maybe a a, a legal contract, this data refers to PII information. This may be referring to, you know, security related documents. What is the kind of categorization or or classification I need to provide to that? And the next level of context would be that, okay, if this is a, say a legal contract document, then who is it lying with? If, if it's lying with someone say, who is a business owner or, or a legal case manager, then it's not an anomaly though the data is sensitive in nature, but if it's say for example is lying with and IT support engineer, that in itself becomes an anomaly because of the user's context driven in there.
Yeah. So, and, and I think the point is when we do that right, we can move away very much from, from static entitlements, from standing privileges. And yes, at the end, most of the staff, which which really hurts us today is like re-certification like roles. That is because we are aesthetic in entitlements and we can do way more wire policies. Plus if we utilize AI ml and I understand AI really as augmenting intelligence here, something that helps us our drop better, then we definitely can reduce complexity. So from here maybe to, okay, the best part of the decay zero trust. But so, so when we look at this, and I think this fits very well to this context topic, et cetera, which role does I am play for zero trust. When I start talking about zero trust, I i, I tend to say, okay, you know, when we look at this then it's about someone or maybe something Martin using a device, going over a network, whichever network it is, hope, hopefully encrypted to service. So if we were sort of deconstruct service, then it would be a server with an application, et cetera, but call it a service and he does something with data. So we have identity at, at the beginning and we have access, so to speak atm. And so I am is is in some way the what what what really is the, the big bracket around sir trust, it's very, it starts
So this my perspective
Yes, yes. No, I, I absolutely agree Martin and, and I believe identity is really at the core of a zero trust strategy. Because if you look at maybe the three key principles I can, I can think of right around verifying explicitly least privileged controls and visibility and analytics in case a breach were to happen. Yeah, you un unfortunately have to assume that a breach happens within post and even post all the, you know, guards that one may put up. But that's what zero trust is all about, that you have to be guarded all across in terms of preventive and detective as well as re residency controls. So I think identity and I am play a very core important role on that, be it from risk-based adaptive policies to role-based access controls to ensuring there's least privilege access given to users for doing specific jobs. And as you rightly said, even zero standing privileges, right? We there, there needs to be people process technological solutions in play that can enable organizations to have zero standing privileges, yet make it pragmatic to deal with elevated tasks that may be required to be done as business as usual, but then follow, adjust in time with continuous assessment models around it for zero trust.
So, so so how, how do we, how do we prove that we did right stuff? You, you talked about outcome-based approaches. Yes. What do you mean by that?
So like I started off with saying, you know, there is a motive behind doing everything, investing into some solution, addressing some problem statements, but probably the mode of how it has been carried out so far is where, because of its own complexities is where the challenge of not having the expected business outcomes being driven is coming forth, right? So an outcome driven approach is to actually, the way I look at it, probably turn things around and say that I want this as the outcome, right? How do I go about it and what do I need, need to finally get there, right? So to to deal with say, to address that who has access to what and where am I able to answer that question, right? Am I able to operationalize between people, processes and technologies at the end of it such that there is a single view unified result on, on what I'm looking at and is that measurable, right? So I think these are some aspects one needs to look at when they're looking at specific outcomes. It needs to be measurable and actionable in terms of what the result is and, and what the visibility talks about.
Yeah. And, and I think we, we need matrix, we need to have KPIs and Ks as well and we need to prove that things are getting better by the way. Which, which also means I have discussed this organizations over decades, we need to start measuring very early before we spend the money. We need to have a sort of the, the, the metric to compare with. Otherwise we can't prove that we really got better. And yes, and I think at the end we need to prove that we did the right things and these things we focus on. I think this is also part of outcome must be the things that are most relevant. The big art to my understanding is that we, if we were outcome based, then we don't forget the bigger blend, the bigger picture. So there's always a risk with, with outcome based approaches that they are two too short minded in some way say, okay,
Yes,
The next problem then I have 20 different solutions. I think balance in these
Have a larger picture is important. I fully agree. Yes.
Okay, so I think we, we discussed a lot. We do a second poll, then we go to the q and a. We have already a few more questions here and already hint to the participants, please enter your questions now so that Gorham and me can provide our insights to you. So, but first the second poll. So what, what is to your opinion, the number one reason for IM projects stalling or in failing? So this is more a stakeholder management, lack of require insufficient requirements gathering two technology focused approach. Gotham talked a couple of times about people, processes and technology, or is it more an expectation management over promising? So what's your perspective? So the more participate, the better it is. So don't be shy here, come on it open for another 10 seconds. Okay, thank you.
Okay, with that, back to our talk and right now as I've said, we'll dive into the q and a again, the more questions we receive, the better. We already touched a couple of answered a couple of questions that came in, but I think there surely some more and, and I think that the question I have right now in front this one, which goes into a bit into the the last point we, we touched outcome based. And so, so the question is what are good quick wins versus good big wins for IM projects I I does tend to, to distinguish between these two. So, so what are the, the quick wins we can show which are important, but also what are the big wins, the, the large things. So what would be your, your favorite quick and big wins?
That's an interesting way to put it across. I think a very good question Personally. I think when you're talking of outcome driven approach, we really like Martin did, you know, throw some light on. We really need to be looking at the big wins rather than quick wins, right? Quick wins are run off the mill. Something that comes across, you know, as, as as we go about operationalizing things, but outcome driven approach is keeping the larger picture in mind and the big win in mind. But having said that, from an IM standpoint, some of the equipments I would look at, you know, is that, let's just say for for instance, I wanna have, I mean again talking from a workforce perspective, I wanna have my workforce, you know, enabled such that they're productive from day one. That's, that's one of the quick wins I wanna achieve with a simplistic automated I am solution that can take care of my, you know, workforce for that matter.
So a join a mobile lever approach wherein birthright applications are well established and set in across the organization. So someone joining in has the relevant access to resources, maybe training material, maybe some certain application segments that enable him to, you know, start his day-to-day tasks at least begin to kind of settle down from very day one, right? If I can achieve that, that's one of the headaches that probably taken away from HR as well as IT operations in terms of enabling users. On the larger picture perspective, I think it's around ensuring there is holistic management around of, you know, the complete life cycle of provisioning. Deprovisioning a very stringent role based access control from security standpoint and you know, authentication and authorization explicitly put in such that it can also take care of workloads of maybe segregation of duties and the entire lifecycle management for access reviews. I think one needs to look at what benefits this larger big win will carry forward and that's what outcome is all. Yeah,
And, and I think, I think when I take another example, when we go to the access management authentication side, then, then it quickly could be that we rather fast bring the vast maturity of the users to at least two factor authentication. The Bitcoin would be when we have leveraging password less is a risk adaptive authentication in place of, so the one thing is something we can achieve fast nowadays going to something which is, which is at least these two factors.
Yes,
The earth thing takes longer because this is really the doing a way more, more complex work. Okay, another question we have here, and I think this is also a good one, which part of I am should be the best or is should we best start our zero trust journalists? So where should we start? Which part of I am is where we should start when we look at zero trust?
Yeah, again, a good question and I've been, you know, pondering a lot with this myself. I i I believe it's probably a, a, a circle and you know, there's any point is good to start with. It's what's important is to make a start as I covered earlier on, you know, to each their own in terms of identity security. Do you wanna first look at your crown jewels in the critical digital asset side of things or you know, data center resources or our endpoints more important to you in terms of privileges that are there, say for local administrator or are you looking at the complete lifecycle management of identity and access management holistically? So, you know, there could be different elements of an identity centric security journey coming from an IM solution, a PAM solution, an EPM solution, or even you take a step back and probably start with, you know, just the people aspect of things in terms of training culture, the process aspect in terms of say some consulting of, of, you know, improvising processes and then build technology of that. So it's complex and starting
Agree that there are separate starting points. Honestly, the one I would start with, I think when I look at zero justice, improving authentication including device binding, because this at the end a bit, the front door thing saying, okay, can I, can I really very well verify the person ideally in the context? Yes. And do I have to device binding under control things you've, you've talked about a lot about, okay, so I think we, we touched quite a number of topics, answer the questions we have here. So then I would say it's time to say thank you. Thank you very much Gotham for all your insights. Very valuable, very interesting. Thank you Martin.
My, my pleasure. And it was, it was really good to hear these questions and, and try to at least pick up reigns in terms of what's happening.
Thank you. Thank you to Arcon for supporting this webinar. Thank you for everyone attending this webinar. Hope to have you soon back at one of our webinars or see you at ESC in Maine in Berlin. Thank you.
Bye-bye.