Webinar Recording

Identity Security: A Top Priority for the Modern Enterprise


Log in and watch the full video!

Accelerated digital transformation has led to an explosion of digital identities, which means any user can have some level of privileged access at some time. Cyber attackers are targeting this rapidly expanding attack surface. This means identity security, has never been more important or challenging.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Welcome everyone to our call webinar identity security, a top priority for the modern enterprise. This webinar is supported by cyber a and the speakers today are evil van Penk, who is partner of PWC, the David Higgins, who is EMEA technical director at cyber a and me Martin and principle Analyst at Ko Analyst. And that topic, Seth, we will talk about identity security. We will put some specific emphasis on slightly privileged accounts, but overall look at what do we need to do to, to really secure our enterprises and which role as identity management, the broader sense play within this entire security play, but also which role does it play for, for a modern digital organization or digital business in today's digital age? So this is the subject of today's webinar. And before we start, I'll just wanna quickly hand on upcoming events. So in, in February and March, we will have two Casey live virtual events.
They are for free to attend. One will be about privilege, access management. One will be around the of trust. And then mid-May, we do our European identity and cloud conference, which is our flagship event. And the most important identity gathering. You will find it's a hybrid event. So you can participate on site in Berlin, or you can join an online, whatever suits you better, whatever the time allows by then. So having said this, yeah, it's a little bit and only little bit to say about housekeeping. We control audio. We will add to sort of a Q and a, which will be a little bit integrated into our conversation later on. So we'll have a lot of discussion between between Eva David and me. So you can bring in your questions at any time we are recording webinar and the slides will be available for download and last not least we will do two polls and depending on, on the time allows or so we tend, tend to also look at the poll results during our webinar, during the conversation.
And that brings me directly before we dive into the agenda to the first poll. And yet you can argue, this is not a complete list, but I picked five topics. We discussed a lot over the past year with many, many different people. And so the poll is which of these five identity management or identity security topics is most important to you in 2022. So is it building really a blueprint for modernizing IM is it implementing MFA and password indication? Is it taking a perspective beyond human identities to sync device services is a managing privilege to access across the entire multicloud multi, or is it more zero trust theme? So what is the most important? I leave Apollo for another 20 seconds. So please put in your answers, pick one of these themes or in that case, you can pick multiple ones as I see it's multiple. So pick the ones you feel really relevant, which are driving your initiatives. So another five seconds, then we can close the poll.
Okay. Thank you very much for, for delivering your answers to that Paul agenda for today. I'll first give a quick intro, maybe 10 minutes about why we need identity security. Why is identity so essential to the digital business? Why is it so essential to security? What, what, what is changing? What are some of the bigger themes we need to look at? This is done a little bit sort of mindset, a little bit of building the crown for the second part. And this second part, David Higginson, and one Penham will discuss with me as, as the moderator, some insights from practice. So really their experiences on what to do, what to cover, where things are changing cetera, which in fact is already the discussion around Q a part here. So this is basically the plan for today. And I I'd like to start with looking at sort of this entire theme from little bit of a higher perspective.
And I think when we go back over the past two years, a lot of things have changed. The way we work has changed. A lot of businesses had to way faster shift to do sort of a digital business, an online business than, than expected. And this is a longer trend already. We had this term digital transformation for, for many years. I don't believe that digital transformation is the correct term. I believe it's a digital journey. It's something which is not going from a to B transforming, but it is a continuous evolution. And in this evolution, software became differentiator and is a differentiator and success builds on that. And that requires also a strong, strong identity and security approach across everything because district char, that means we are changing our business models, our products and services shifting frequently from paying for products to paying for services.
So you don't sell you brand a service or something like that, and competition is ever changing. And so we need to compete. We need to compete differently and we need digital service for that, where our intellectual property, our unique selling proposition is in these is at a core of these digital services. So we differentiate three services. We need to develop to deliver, to operate them fast on time, but also with a high availability. But if your service is down, you're in trouble. And when, when I go back over the last 12 months, we had a couple of a couple of incidents of sort of large platforms, large providers of services, even large retailers being off for a couple of hours or, or even somewhat longer in that way. So the delivery is critical. Thing is an essential thing and to deliver successful. And this is my strong belief.
We need to, to look at digital identity and security and both are things that are not just nice to have add-ons. These are aspects that are the forefront of successfully delivering digital service. And I tell you why I believe that the one thing is the customer journey and not only the customer journey, it's the cus the consumer converting to a customer, connecting devices and things to the humans. But the customer journey is sort of your door, your entry door. So if you, if you fail in onboarding in having a good journey, if you fail in recurring authentication, then your business will suffer. It might fail. If you're not sufficiently sufficient, resilient against tax you're at risk that your business is not running as expected. So we need to secure that journey. And this is where identity and access come in, and this makes it more complex.
And we need to really put identity security at the forefront of all of our thinking so that we get better here, that we are as resilient as we can against attacks, which is not easy. And this is also for where all the privileged acts and British identity stuff comes in because at the end, attackers always are after the privileged accounts, because this is where they can cause the biggest harm. And then this all then goes into the digital experience where we compete, where we have our competitive differentiation. This is why we succeed or not. And with that. So when we need to also deliver on time, we need to have identity and security available service. We don't need to, we can't reinvent it again. And again, this is the starting point. So the challenge behind it, unfortunately, is things are getting more and more complex.
We are, most organizations are operating in a multi-cloud multi-hybrid environment and this complexity doesn't go away. So we had servers and we had VMs and public clouds and then came private clouds and edge computing and whatever else it's always getting more, not less the same with devices than we look at tablets at things that's connected devices. At many things, the world of our applications is getting more, more heterogeneous. We have traditional applications, we have SA services. We build things that then run on a public cloud infrastructure, serverless or container based environment. It will continue to grow and we need to manage and secure that at the right place in the well sorted approach. So how can we do this? How can we do that at trial, at cost keeping controlled, compliance in mind and doing it a secure manner. So how do, how do we do that?
And or what I believe is we need to get, let's do some other things differently. Manual administration, can't be the answer for complex environments. I don't believe in everything as code because people that are good in security, not necessarily are good coders or people that are good in identity and good coders, not necessarily are identity and security experts or infrastructure experts. So code might be generated, but it shouldn't be the way we do it by the way code is always ever. So we, we need to think about policy based automation to, to more policies, to gather how our environment looks like and to apply, to augment our capabilities by what code is called AI and ML to automate based on policies, the configurations, and to reduce sort of the, the footprint of, of manual standing outdated, insecure, configurations. That way we need to do more in that.
And there there's things where we can get a grip on that. And this is why we talk about identity security, this entire security thing at the end starts with, we know the identities, we can control the identities. We can also indicate them. It's way harder to, to know which devices are are used. It's relatively hard to, to know how this network looks like, okay, we can work with some sort of overlay over the network, but at the end we know about identities and we know about the resources, the applications, the services, the computer resources, the store, which resources, all that stuff. And this is where we can apply security can do what in these environments. One of the important things to do here from my perspective is we need to go more towards trust and time. And that is, I think, inherently the concept of policy based automation.
If we say there's a policy, which says, Martin can do that, we can apply it on runtime while instead of configuration, we would say, okay, we set some entitlement for, for Martin or for role Martin is assigned to, and then we review half a year later. That still correct just in time means we get rid of standing privileges. And when you look at this attack surfacing, then the risk is that we have privileges, which are never used, or which are not required at that point of time, but they are there. If we are living in, in, in an old world of static entitlements, if we go to policies and assign them when we need them, then our, our risks or attack surfaces way lower, which reduces the risks of, of, of what can happen when we are at tech and VR attack, always. So they might be short lift.
They might be done in a different way. So, but today, so, so in a policy based approach, it is a user sensor request. And that also case our authorization system based on a policy engine allows an action and the service trust system, we couldn't that way, theoretically provision access. So we can, right at entitlements, we can then access the system. We can deprovision entitlements. We can do it in that way, but we also can, can do it with access credentials when it comes to certificate based access li and S H and in other areas, then we can create a short lift certificate, which only can be used for a very short period of time, always based on policies and decisions we make at runtime. So we reduce the attack surface that way. And this is one way of thinking, not the only one. And we will clearly touch way more in our upcoming conversation, but this is one of the, the ways to re rethink the way we do identity security by rethinking sort of also traditional approaches.
The other thing which I believe is important is to have specialized solutions or, or solutions that can solve for specific problem, but in a context and that context, or to our, our understanding of coping our goal is what we call the identity fabric. So a set of service and this set of service capabilities will differ per organization. But the basic ideas that we describe that we take a holistic view and say, okay, how do we need to manage that identity across all types of identities to all types of services? Because at the end, it is how can we able access for everyone and everything seamlessly, but yet secure to every service and taking an approach, which, which is more unified, which is not just saying, okay, here's the problem? Oh, SAP access control. Here's the problem, privileged access to lead service. Here's OSS H sessions we need to monitor here's our role management.
Here's whatever the, the authentication, but starting is a more broader perspective and say, okay, what are other things need to have in place is to our understanding another very important element in our journey towards identity security. So a unified approach on how do we do that and how we can modernize other unified ton of our recordings from webinars, from presentations, et cetera, on our website. I don't want to go too much into detail here, but just give you some ideas and, and sort of trigger a little bit of conversation in the discussion we will have in a minute before that I'd like to launch a second poll, and that is about batch change. So how do you expect your batch for 2022 change compared to 2021? Will it cross significantly or slightly or mainly remain stable or do you expect it to decrease? Okay. I would say another 10 seconds and then we close to Paul. Okay. Thank you. And then without further ado, I'd like to, and David to join and we we'd go into the insights from practice. Hi David.
Hello, good afternoon.
And should also appear, hopefully in a minute. Here we go.
Hello. Good
Afternoon. So pleasure to have you here. And maybe we best start with a quick round of introductions. So, so David, do you wanna start?
Yeah, absolutely happy to. So David Higgins, mayor technical director at Cy been with the company just over 12 years now and really excited about this topic. It's, it's, it's been interesting to see the kind of growing changes and growing importance around identity security and yeah. Really looking forward to today's conversation.
Okay. Evil,
Good afternoon, everybody. I'm Eva partner within the PWC digital identity practice, which is a team in the cybersecurity practice. Martin and David and myself were discussing that when I, when my company was acquired, which was, which was called Everett, we had a long discussion should PB and technology consulting with PWC or in cybersecurity. And of course, with a lot of compassion, we went that route and we actually the rest of identity teams moving into that direction as well. And I also need the, the impact center for, for digital identity across EA for PBC together with, with my colleague. Who's not here today, but, and I've been doing this identity thing for about 10 years. And before that had the company that was doing what we now call digital transformation, but we used to then call it online customer interaction, helping clients to get sort of, you know, the first transactional websites in place, like, like, like banking systems and those type of things. So I've been on both sides of the coin.
Okay. So, so, so David, when you take this term identity security, how, how would you describe this term? How would you define that? Or,
Yeah, good question. So I would say it's, it's a reflection of the growing importance and criticality of, of securing identities as a, as a whole, as, as one aspect. And I think that's well understood. I think we can look at most attacks and understand that, you know, regardless of the intrusion point identity compromises, some description comes into play specifically though the importance of identity security and what it means. It's also a reflection of, I think we're not getting less identities. We're getting more as we consume something as a service, more identities are given to us, users have so much more interaction now with differing identities, whether they be federated or not. And identity security is looking at that holistic approach. Historically, we've been a little bit kind of departmentalized when it's come to identity. And I think identity security is a reflection that we need to take a more holistic approach, be cognizant of the fact that the environment's changing and cognizant of the fact that actually user experience perhaps is, is, has changed. And there's a little bit of consistency if I wanna access that resource, go through a, a, a similarish process, but with more control than if I'm accessing perhaps a, an asset that has more criticality to, to the business. So I think it's a reflection of some trends. I think it's a reflection of the, the ever growing importance. And as I say, perhaps, you know, a more broader approach to identity and I'll in there.
So what the two of you are saying is that identity is no longer when I started my journey in identity. It was a little head of, so I'm, I'm in that space since whatever the late eighties, early 1990s or so early network and early land manager versions. And from there, media directories started to come to the market and we thought about X 500 directories back in these days. And, and it was very much an administrative focus. We don't think out as a little bit of hosting asylum would be cool, but the next big thing really was more a regulatory thing. And, and right now I think what, what you two are saying is it is really that that identity is so much at the core of everything we are doing in an organization, everything we are doing in business, that it needs its own own place, because it's way bigger than trust administration than trust regulation, maybe even bigger than trust security, because it's a also, that's what I try to, to talk about is it's also business enablement in the digital business.
Yeah. Completely agree. I think, as you look at it, it's not just, as you say, getting employees access to a resource it's it's, how do we interact with our partners? How do we interact with our customers? Identity becomes that kind of central point of a conversation between a CIO, a CTO it's overlapping many different territories. I dunno if you wanted to add anything there as well, you see it from a different perspective than me, I guess.
Well, not necessarily, but it did. What I see is that with, with organizations moving more and more into sort of ecosystems and where, where everything both from a workforce and, and it, and digital estate perspective is connected to, to everything from your supplier in your supply chain, up until your competition, where you're making, you know, combined joint offerings in order to create lovable user experience for consumers. So what you see with that is that at the business, doesn't stop innovating on a, on a digital perspective. And we as identity people need to make sure that when they are innovating, that identity is then also taking into consideration. And for me, that, that boils down to sort of the question, how are we still focusing on the office environment and trying to make that secure? Or are we looking at sort of the risks that are more modern, like for example, ware attacks, where you need to take a completely different approach towards your identity and access management program in order to mitigate, or, or defense detect or recover from those, those risks when those incidents occur and, and, sorry, Martin. Yeah, go ahead.
Go ahead.
Sorry. Yeah. So I wanted to make two points on this because we're talking about identity security, and I think that this is covering the payload really nice. And, and ultimately we need to sort of, you know, step, step all the way back and think about what are we trying to achieve, right. So first of all, we're trying to achieve that identity management is helping to create a digital representation of you in a digital environment so that you can against a certain level of trust can say, listen, this is really that person that wants to do it on top of that. We are also talking about, and I introduced the top of a couple of years ago with the client non human life forms like artificial intelligence and those type of things, which led to a very philosophical debate about whether or not AI could be a live form, but that's on a separate note.
And the second part is then if you have identified that you are who you say that you are against a certain level of trust, what are you then actually allowed to do? And how can you make sure that you're only actually doing that? And how can we then monitor that? How can we report on that? How can we detect that there's anonymous going on. So if I look at identity security, I see that whole breadth and depth of the topic in here. And the fact that our business is not waiting for us as an identity community to sort of think about how we're going to help fix that. They're just, you know, moving ahead and either they find out that they need to do something about it themselves, because identity seems to be a key thing. And you end up with a whole bunch of point solutions, or you're sort of trying to be ahead of that and make sure that identity is actually in the design of all these new things. And you're making it part of, you know, building out the new digital state for organizations, sorry, Martin bit of a longer approach, but it
Was a little, a little longer answer, but I know I asking long questions, so you can't come up with long answers. Anyway, I just wanna quickly highlight. So we mixing up our parts number two and three. So we, we have these insights, we have discussion, we have Q and a, which also means to the audience, if you have any questions, if you have any comments, please end them in the go to webinar tool, which you will find usually the right hand side of your screen. There's an area questions. And the more questions we have sort of the more lively also this conversation will be, and then we can, can react to things. So, so even with what you've said, I think there are some, some interesting points and, and, and identity and security have there dare to say there, the specific focus like identity is not just security because it does a lot of, for business enablement.
On the other hand, they are very, very close together. I, I, I think a very, very good example for that is when we go to look at the solar winds attack, it was roughly a year ago, then this attack at the end was identified or detected by anomalies in the behavior of, of a user account at the end of the day. So things were, were just going wrong. And then someone asked, why can it be, I think this shows also how, from my perspective, and I'd like to get your opinions on how, how neatly OV these, these topics are. So I think the artist is not saying identity is part of cyber cybersecurity or the other way around, but it's more like an event Diarra where there's a overlap in the middle. David. Yeah.
Yeah. Like, I'd agree with that. As you say, it's, it's, it's not in one camp or the other it's, it's that piece that kind of stitches the, the two together and you have to manage the identities appropriately, put the right controls around them to enable the business, to be doing what it's doing. Right. So, you know, you take, take the example of, of the solo breaches you mentioned, right. And it was more the anomalies that, that kind of flagged it. So the authentication piece had already been compromised. It was more the activity, et cetera. And I think that's a, that's an important discussion point as well with, with identity security. It's not, it doesn't just stop at the authentication point. It's how do we continually assure and attest that the individual behind the keyboard is the original one. We authenticated at the start of the process.
And that that conversation gets even more interesting when you say it's not a human being behind the keyboard, but actually it's an autonomous autonomous machine. And I think, again, with that topic in mind, that's why identity sits between, you know, those two threads because as, as organizations start to embrace automation as well, identity becomes part of that. And I use that as an example, but definitely as you say, if you draw that Z diagram, I see identity fitting between the two, cuz how do we, how do we securely authenticate and enable our employees to do what they do, but mitigate the risk associated to the business that some of the access those employees will have will be to critical systems and critical assets that no doubt would be covered by, by an attacker. So it absolutely kind of sits in between striking that balance. And then, you know, we might give identities to our customers, to our partners, to, to non-humans, as I mentioned before. So very much with you there on that point.
Yeah. I think I I've, I fully agree with that then I think that to that point, when we are looking at this, we need to reshift our focus a little bit as an identity community as well, where we are actually looking at technology to help us with that journey in order to sort of be able to digest and, and consume the amount sheer amounts of identity data that is being produced by the digital estate and focus on, okay, what are we gonna actually supposed to do with that? And how do we make sure that we are aligning that with, with, with the business goals, the key risks that our organization have. So one way to put it, if you want to go through zero trust, which is one of the events that, that Martin and the team is also doing on the 23rd, that's about continuously validating that the, that the identity has not been compromised and that the access is still appropriate.
And in order to do that, you need to have AI machine learning technology, shall you really need to look at it from a platform perspective on that part. So if we're introducing that, does it make it simpler? It makes it more complex, but it changes the way that we need to think as a, as a, as a group, because we need to focus on sort of understanding and how do we create these detective measures as an identity team instead of, you know, trying to build enormous locks on every door in order to, to make that happen. So add that, that changes to gain a little bit. And that might be a great point that
We display the results of the first poll we did where asked for about five investment areas, because you brought up that zero trust theme. And so, so when we hopefully see this results should be here, so you should see the results right now of this first poll then, and it's interesting to see 60%. So we had it sums up to more than 100% because people could choose more than one answer, but the clear leader is building the identity security foundation for zero trust. And this shows that that identity is seen as something which is super essential to zero trust. I think the second one was close to half of respond. So, so really managing privilege access across the entire it and the complex multi-cloud multi hybridy environment. So doing, doing things well for, for, for DevOps, for H I T is also very close. So the address are a little lagging behind, even while I believe that for instance, password less altercation is a key thing for everything we do around zero trust. But going back here, I think the interesting point really is it seems that the people really say, okay, zero, trust this something which you can't achieve, if you turn it around without identity security poster,
Agree. And as you say, I think the results kind of reflect that because, you know, interestingly, if you kinda look, what's the objective ultimately of, of zero trust well it's to ensure there is not unapproved inappropriate access to data and services. That's, that's ultimately what we're trying to achieve with it just kind of, you know, build the environment in a, in a different way to help prevent ultimately lateral movement and compromise of access. And, you know, key asset of that is decision making process, whether access should be given at that point of time of request and, and clearly identity plays a major role in that you need to be able to, you know, authenticate your individuals and not just authenticate in a kind of binary fashion, but actually take multiple multiple data sources to make a, a decision point, right? David sitting on a company delivered workstation in an IP address, that's known to me behaving in a typical way is one situation, me making an access request on a device that is not company approved, that isn't an unknown location to an asset. I haven't connected. That is a very different contextual decision, right? So identity becomes hugely important in deciding or identifying who an individual is, and then deciding the, the, the relevant access and doing that in a, as you mentioned before mine, right? Just in time, access becomes then a key aspect that as well, give the user the access when they need it, revoke it afterwards, because we assume breach, we assume the attackers, we assume the network's hostile in that zero trust environment. And therefore they're gonna try and compromise identities and perform natural
Movement. Yeah. And the one thing I, I, I always tend to say in my, my zero trusts are two points on this journey of a user where we have sort of the best grip on what is happening. So identity is about authentication. So yes, it's the smart, that's what always happening, or is this the service or not the service have to whatever the right certificate or not. And then, then we have the device, which is way harder to control, at least when it's a pre year own device device, the network yes. Could create some artificial overlays like SDM, which is probably more the macro segmentation approach and the micro segmentation approach then. So, so I think there there's some, some the best price to pay, not for very, very simple, but then it's about accessing. So who has access to what, how do we control policies or better, not too much static privileges.
And then, then we have maybe also data governance, but identity access really is where we can relatively easily get a certain level of control or certain level as you say, of an analytics anomaly detection. But, and I think this brings us to maybe a direct follow up question, which came in from the audiences with regards to the current trend of moving everything into the cloud, or at least to use hybrid infrastructures in how far do you regard secure identities as a central central mandatory functionality to support us? That's part one of the question and do the IM and privileged Analyst management vendors focus enough on the adaptation of their functionality to the changing requirements. So shifting from we secure leading servers to be secure, dynamic workload to the cloud, who wants to start,
Maybe if I take the first part Eva, and you could take the second, cuz I think if I answer the second question about Pam vendors, then I might be a little bit biased. Like, so maybe you could, you could take that second part, but I think it's, you know, to the question it's, it's even more important, you know, as part of the, you know, consuming anything as a service. And the reason for that is, is the cloud kind of from an identity and entitlement perspective, it's, it's a bit of a double edged sword, right? You know, if you think, you know, you know, 10 years ago, we're focusing on privileged access in infrastructure and some of the, you know, take windows of the environment, it's pretty binary in terms of admin. You're either you're either full admin or, or you're not. And this really noted by groups and you couldn't really become too flexible. You could drop people in the groups a little, but it wasn't ju granular. Right? You, you couldn't really get to Evo could do that command
You could discuss. So I think there's a lot of, a lot of options to work with operator level accounts approved, even in windows, but it's a little bit of difference.
Yeah. I, I think my point is, if you then look at, say AWS as an example, right, I'll take that one as an example, over 7,000 entitlements, right. That exists because of the multitude of services. Right? So, so the challenge is it's usually important. There's a lot more granularity. You can be a lot more specific in terms of the roles, et cetera, that are being granted. But the challenge from to the identity teams is getting a view of that. You know, what, what do all these 7,000 entitlements mean? When does too much become overly privileged? When does too much become a privileged user versus, you know, perhaps a lower level user. So I do see it as being hugely important, if anything more important because also the criticality that, of, of access these accounts have right. Global admin in Azure, that's hugely powerful. Something that we want to get visibility of. So for the first part, I would answer with a, with a pretty much straight. Yes, I think is important either. I dunno if you wanna take the second part about whether you see the industry.
Well, I think that there's, there's two answers to that, right? So it feels, to me it feels a little bit like an arms race. And I think that three years ago, there was a pivoting moment where we saw a lot of the security and also the handy identity and access management vendors moving in more mainstream into, into cloud. And there's a reason for that. And that's been accelerated through, of course, the journey that we went through with, with COVID that we are going through. I have to say, especially after the news in the Netherlands today, but where one of the challenges of course was always that if you have an on-premise version of a software solution, then yeah, yeah, you can, how do you call that? You can interface as much as you want as a, as a vendor, but before a client actually implements that you're like years behind that or these months.
And now with have a lot of the vendors moving more into the cloud. That also means that had that, that the arms race is more on par with the things that are happening in the ecosystem around, around us as a, as as systems. So are they doing enough as a has software vendors? I think that what I'm seeing is that they're trying to reduce the amount of complexity that is needed to implement systems from a technical perspective, so that there's more room to focus on the business and the risks that we, that we need to address. What I also see is that with had these platform place, that you become more into a situation where they're also seeing that have vendors that used to be, for example, in the Palm space now also have, you know, offerings in the identity space because that connection needs to be made holistically.
And you want to make sure that from an identity script perspective, you're not just looking at one piece of the puzzle and then need to focus on another piece of the puzzle as well. And that's, I think, think a good thing, but there's also a negative side to that. And that is status for people that are not dealing with these type of topics every day. And trying to sort of find out and understand what do you actually need to do in order to keep my company secure that, you know, it becomes very diffused on what you need to actually, you know, purchase in order to get to a general trust situation. Because if I, you know, talk to a security defender, a that's doing threat detection, they say, if you buy me, I will get you you're, you're moving towards general trust and that's entirely true, but it's really the whole package that you need to have.
So I'm seeing good investment from, from the vendors. I still think that the ability to innovate and how quickly you are able to adopt certain innovations from vendors is going to be something that needs to be looked at more and more by organizations, not so much, what can the product do now, but more how consistent are they against delivering against their roadmap? And are they sort of a visionary in this space or are they basically just, you know, followers in this space? And, and how do I make sure that I, as an organization can adopt those type of things as well?
And do you know what yeah. Or I hate most, or I see most scary from vendors. So that's when we talk about how they build their roadmaps and when vendors says, oh, we listen to our customers, then this is a, a large signal. Yes, it is part of what you should do. You should listen to your customers. But if you say my roadmap is built on what my customers are saying to me today, then you will be always lagging behind a roadmap. Must always be a good mix of what do I need today? What are my, are my customers requesting? Is there anything missing? And what do I expect them to request in two or three years? Because you need to start it now. And that should be by the way, the same principle when you architect your future identity management, not only saying, okay, what do I, what are the gaps I know about, but also what are the trends, what is changing?
And so, so I think that is very important. I think that, that we see a lot of evolution, but, but what I see, and I'm curious about your perspective is that it's not necessarily trust a lack of technology, David, you said, okay. Or, or I sure the vendors can say, okay, I have this solution for zero trust. And clearly there's no software for, for zero trust. There are a lot of things which help you in following a zero trust journey, which follow the guiding principle of zero trust. But there's not a zero trust in a box no way. But I think when's making brokers. The point is when, when I look at this, that part of the challenge to my, my per my, or my analysis is that there's still too much of a gap between different parts of the organization. So when you look at identity security versus DevOps, it is still that it seems to me that there's not enough conversation here.
Yeah. And I'd say perhaps as a reflection of a point you were making before, right. About identity strategies being for the reacting to the business needs here and now, and kind of seeing, seeing the future, because, you know, when, when we look at the, the, the DevOps space, the C I C D pipeline, there's absolutely an identity and, and entitlement and privilege discussion to be had. In some cases we're automating what was once a human task. And we're now giving that to an autonomous process. There's, there's an authentication and entitlement access discussion to be, to be had. And developers, when they're writing this understand, there's a challenge they want to consume perhaps a secret and use that to, to, to deliver access to whatever it is. They're coding that particular point of time. But then if they don't know there is a process or something, a service that they consume to, to, to secure that they've just go off and find something else, right. They, they, they're moving at a high velocity. And, and, and that's where perhaps sometimes the conflict of, of security and, and the DevOps teams kind of come into, into encounter, right? Is that, there's this kind of one, we need to review that and check that is secure. Whereas, you know, a lot of people, it's that cliche word of think, you know, shift left trying to embed security early on and make sure that developers, when they're coming across these problems know there's something they can already leverage and utilize,
But, but it is, isn't it. And people, you have a long history, digital transformation, isn't it. Then that sort of we, as the security people need to deliver to the DevOps teams, what they need. So, so we can't wait for them to ask us, we probably need to become proactive
Then. And I think that's a good point, Martin. And honestly, I think that this is sort of where we are late to the game, actually, because in all, honestly, most DevOps engineers already figured out that they needed to have something to manage this in an appropriate way, as much as possible. And they figured out something themselves in order to do that, which is completely standalone from the rest of the security structure that, you know, you C typically tries to put into place. So basically how, yeah, if you then want to change it again, you are facing a, a team within the business that is actually quite S with, with sort of proficient with it, it savvy. So they know how to sort of have the conversation with you. And secondly, you know, they already have something, it works for them. So why change? And, you know, ultimately that then boils down to having the conversation on how can you make their lives easier either from indeed just in time provisioning to make sure that you have the right privileges at the right time.
And secondly, also that it takes away a lot of the burden for them in their development, because they're able to consumer service instead of having to build something themselves. And then thirdly, also making that very clear explanation that it's not only about the fact that it's easier for them from, from the technical perspective, but also they won't be, if they implement this correctly against the right standards, that then also need to be there. That's typically something that's also somewhat missing. If they implemented correctly against those standards through responsibility for actually, you know, effective measures against cyber risks is also not longer with them. So they can focus on, you know, bringing the business forward instead of, you know, dragging along all the cybersecurity requirements that they need to think about as well, if they, they built it themselves. So I think that, yeah, so you typically saw a big shift between sort of, you know, the business that was building digital services for the business and then the it office environment. I also think that if you look at where, you know, chief digital officer and the CIO sort of, you know, thing about that, it's two separate functions that, that also has to do with these type of things, right? CBO is more business and transformation focused while CIO was typically more it standing organization focused. And that needs to be, we need to bridge that gap again in order to create and remain secure digital estate within, within our ecosystem and our organizations. That's answering the question.
Yeah. I think it was definitely a lot of things in which I like, cause I, I definitely agree with that. We need to play it differently. We need to deliver to the developers because at the end of the time, the, the argument, which from my experience always resonates best is time to value. If we help them be getting better in time to value developers, then they will listen to us. And that is by getting them, getting rid of the bird of man doing identity and security themselves, because for most developers, it's really not sort of the fun part of what they're, what they're doing here. So I'd like to quickly look at the second poll here where I've asked about how do you expect the budgets to change. And so when I quickly display this, I think the good news is only for very small or part of the organizations.
We, we see a expected decrease in the budgets for identity management security, roughly half expect to be rather stable, but more or less the other half. So 49% expected to grow either or slightly or, or even significantly. And that's like when we look at, even in these challenging times and we see a number that, that one out of four organizations expect as strong as deep increase in their budgets for this space. And it, I think it, it tells us a few things. It tells us, or at the end, it tells us it is well understood that identity security are at the forefront of their key success factors for the digital business. And I think this is also, I would actually say good news. So being close to the end of the time, I I'd like to, to, to ask you maybe for, for sort of a final statement, final recommendation to our audience. So even do you wanna start it then David?
Yeah. And I'm going to reflect on this budget thing because I am in a lot of conversation with executives around their identity budget. And the problem with the identity budget is that it's typically being seen as part of the security budget, which is typically being seen as part of the it budget. So we need to stop with that because if we are only looking at that, then we are neglecting and ignoring the hidden costs within organizations because of broken processes and, and sort of, you know, managers not being able to provide access and spending a lot of time around that and doing certification campaigns and all of those type of things. So, you know, our bridge as an identity team typically is way bigger than the actual bridge that we get allocated, but we just don't see it because it's hidden in the business.
So, so my, my, you know, key takeouts would be if, if we look at for how the CEO survey that we are doing as PDC for 24 consecutive years already, we see that there are, you know, the main risk that your CEOs are seeing is that cybersecurity is actually next to the pandemic. So if your CEO, and if a lot of CEOs already see that as the biggest risk for their continuation of their services, take that into consideration and also look at how can you then augment your identity capabilities in order to help decrease that risk. And, and, and secondly, and also look at it from, okay, what type of identities are we supporting? What are the user patterns that we're seeing and what is the digital assets that we're trying to protect and make sure that you can explain how your assets are being protected against the right risks for a CEO.
And that boils down to three risks, main risk that I see within identity. The first one is the risk of data theft, either IP or PII data. The second one is the risk of financial loss, either through fourth or through, through ware attacks. And the third one is business disruption and the risk of business disruption equals into two topics. For me. One is for example, factory downtime, if you are hit by rent somewhere tech, because you cannot do what you're supposed to do. But the second one, I also consider businesses option is broken processes from an IM perspective, because if people are not getting the right access at the right time, they cannot do their work appropriately. And that is also costing a lot of money. They sometimes I step into situations with clients where they have people that join the company and before they actually have the right access allocated to them, they're already leaving the company, which is from a user experience perspective, not good and workforce and, and getting the right people in and retaining the right talent is also a very big topic for CEOs. So you can align your story to that as well, next to the cyber security topic. So I just wanted to sort of give that as a couple of takeouts that you can use to actually think about, Hey, how am I framing the conversation within my organization around the importance of identity management and not sticking with, you know, being part of the infrastructure alone. Okay, thank you. Ivo David.
Yeah, I guess I should say couple of points probably from me. And I'll, I'll also kind of react from the, the budgeting question too. I think that's probably a reflection. We could probably compare some synergies to, to the first poll as well. Probably those who expecting a huge increase are probably those also kind of going through some of the, you know, perhaps addressing multifactor cetera and others, perhaps more mature in that process already. And, and now shoring up perhaps their digital transformation cloud adoption for me, two, two key points really to think about when you look at identity security is, is really think about what's most critical to you as a business. What's really gonna hurt if it's compromised and then consider the access routes to those assets, right? There's so much to be done in identity security, so many different things you can be doing, whether it be technology or process, but really, and, you know, it's an echo of the zero trust type mindset's really secure itself from the inside out and secure.
What means means most to you. And with that in mind as well, if you are going through a cloud strategy, a digital transformation strategy, there's that discussion about what's secure first, the existing or the new, and actually in some cases it may be worth considering securing the new first because there's no existing process. Half the challenge sometimes was securing the existing is your own picking existing processes. And that's where you get the people conflict. So sometimes it's, it's worth considering, you know, securing the new environment that you're building, cuz it's much easier to enforce security and the appropriate controls there than trying to pick something that's existed for 10, 15 years. Right. Yeah.
And it's interesting. And maybe as last comment from my side and a couple of customers we have in advisory, I get this, oh, we don't want to encourage sort of the legacy applications sort of to, to continue existing. So we put our focus clearly on the new, and we will not put extra effort into what we want to get rid of. And I think this is clearly an interesting point. So I think we had a very interesting conversation touching a lot of points. So thank you to everyone listening to call webinar. Thank you, David. Thank you evil. Thank you to cyber a for supporting us and, and running this webinar. We said we are at the end of today and hope to have you back soon at one of the other upcoming events of copy a call. And until then, I wish you a happy holiday season. Absolutely happy holidays. Thank you. But
The holidays and looking forward to see everybody in Berlin.
Yeah. Looking forward. Thank you. Bye
Bye. Bye.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Erfolgreiche IAM-Projekte: Von Best Practices Lernen

Häufig beginnt die Suche nach einer Identity-Lösung mit einem ganz konkreten Schmerzpunkt im Unternehmen. Ein nicht bestandener Compliance-Audit wegen überhöhter Zugriffsberechtigungen, technische Probleme, wegen komplexer Systeme frustrierte User und eine…

Event Recording

The Role of Managed Security Service Providers (MSSPs) In Your Future IAM Application Landscape

Trying to “do identity” as a conventional IAM or Security workload with in-house resources and vendor platform deployments may not satisfy identity and access today’s requirements for IaaS, PaaS, databases and other cloud infrastructures. There are now a growing number of…

Event Recording

The IAM Fabric and How It Integrates With Your Cybersecurity Program

Architecture, operating model and governance are key viewpoints for every business as a whole and its subdomains as well. Depending of size of the organization, information security may be managed as single domain or divided into multiple subdomains. Viewpoints and domains are still static…

Event Recording

Identity Management and its key role in the Zero Trust strategy

Since any resource access is subjected to a “Zero Trust enabled” step-by-step process, where  policy engines define and enforce the appropriated access level, apart from device, network, identity systems and resources, we need also a “ZT enabled” identity…

Event Recording

Expert Chat: Interview with Neeme Vool

KuppingerCole CISO Christopher Schuetze engages in a fun discussion with Swedbank's Neeme Vool on what the future holds for Identity and Access Management.

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00