Webinar Recording
Identity Managed Data Loss Prevention - sleep well at night
KuppingerCole Webinar recording
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Well, welcome to this webinar. My name is Graham Williamson. I'm an Analyst with caping Cole and this particular webinar is focused on the, the AsiaPac region. We have some attendees from United Arab Arab Emirates. We have some from Singapore, the headquarters for the called Asia Pacific, some from Hong Kong where we have representation I'm currently in Australia and have some attendees locally and a couple coming in from New Zealand. So for those of you outside AsiaPac apologies for the time zone issue, but the webinar is being recorded for yours at, at another time. They want to, to watch it later.
So in terms of the topic for today's webinar, it is data loss protection, and specifically how we can use technology such as dynamic authorization management for the, to achieve data loss protection for us as a way of introduction, we do have some rules here due to the number large number of attendees. You'll all be muted. We can't accommodate audio, but we do encourage questions to be asked. And if you type those into the area on your webinar control panel, we will get to those questions at the end of the end of the session for those that we don't have time for. I'll get back to you individually with responses. As I said, the webinar will be recorded so that your compatriots can, and yourself can review this at a later time. And we do encourage that feedback and make sure you tell us issues that you would like us to address and any questions you have in regarding the topic by way of introduction.
Just the slide on KuppingerCole in terms of the, the three main legs to the stool, if you like, or the three main strings to the bow, whichever analogy you like KuppingerCole has a very strong background in research services for the last eight years as KA Cole's been undertaking detailed research identity and access management area, and that research is available online, do go to the website. There is a 30 day complimentary registration that gives you access to all of that registration, sorry, research. So please avail yourself of that. Capco Analyst are available for a variety of services. Be it webinars. If you want a webinar on a specific topic for your organization, please let us know if you'd like Analyst input to projects. You are currently undertaking. Please let us know. So access to global specialists in virtually every area of identity, access management, cloud migration governance, please avail yourself of those services.
And lastly events, the largest event is the European identity conference identity in cloud conference. That's held every may in Munich. If you haven't been to one at please do at the event this year, there was over 600 delegates, 700 delegates, 50 exhibitors. It was a very good time to network and to learn about trends in the marketplace. We also have a digital risk insecurity conference coming up in January in sheen, China and Asia Pacific identity in cloud conference, a schedule for Australia in July next year. So please make note of that and keep track of the announcements on the website in regard to those events, the agenda for this webinar. As I mentioned, it's talking about data loss prevention and in comparison with data loss protection, got a slide on that in a moment we're going to talk to about this whole area of dynamic authorization management and how we can achieve data loss prevention using dynamic authorization management. We're gonna look at the drivers why we need to address this topic, the benefits that come from that we will look at the market analysis that was undertaken earlier this year in regard to the major vendors in this space. And lastly, we'll look at the challenges of actually deploying a dynamic access management environment, because some considerations that you, you need to be aware of as you go forward and we'll look at some next steps of actually how to do that.
So the classic data loss prevention basically looks at tools in three different areas. There's the tools that manage data at rest. Typically some sort of firewall or router that's providing restrictions to access subnets in your network where the protected resources reside. So this is one way of ensuring that only those people that are in the access control group that can get access to the can indeed get to the document repository in this case or the protected resource, whatever it may be, then there's the data in motion, protecting the data as it trans its your network. Typically we put some type of router or perimeter device that's monitoring traffic coming in and out of the network. And then again, we can do interesting things of looking at that traffic flow and deciding if this potentially confidential information that's leaving our network and we can put restrictions on that. So that's the data in motion option and then is the data in use? How is the data actually being used by our staff? And that requires some sort of endpoint client that we can put on the devices that are staff use becoming very important in the external when more and more people are using mobile devices, a lot of companies now embracing some type of endpoint protection that places restrictions on what can be done with typically documents that are restricted nature, and that might be residing on a remote device.
So that's a classic approach to data loss prevention. When we're talking data loss protection, though, we can use dynamic authorization to provide protection to our restricted resources. So in this, in this part picture, we've got now our restricted documents behind an enforcement point. So basically what we are doing now is combining our resource with an enforcement point that is going to allow us to decide what sort of access we are going to grant to that repository. And the decision is actually not being made by the device anymore is being made by an external decision point. That's going to talk to a, a, some information repository and make a decision in real time as to whether a user access should be allowed or not. So there's a couple of important things to understand here. The first is if your decisions are externalized, it means that we can have multiple resources all using the same decision point.
So we can centralize our management. We're no longer needing to have individual access control to, to, to, to different repositories. We can have a coherent and a management that's that's actually happening from a, from a central point. The second thing is that the, you, if you look at the picture there, the perimeter is no longer quite as important as it was in, in the previous picture. This, this was actually emphasized to me at the RSA conference in Singapore last week, where one of the keynote speakers said, if you can't identify who or what, in the case of internet of things, if you can't identify who is accessing your protected resources, you've already lost the wall. So what he was basically saying there is the emphasis now is on understanding the identities of the people, accessing our resources and making decisions based on that information rather than restrictions based on individual devices.
So what are the characteristics then of a dynamic authorization management environment? Well, firstly, as we've already discussed externalizing, the decision making is an important characteristic, relying applications as applications that relying on the decision points are, are allowing those decisions to be made externally and no longer have to be built into the application itself. We have centralized policy making, which means that we can have a centralized approach that gives consistency across the organization. We're no longer having to rely on individual access control points or access control lists that are put together for particular applications. So we have somebody and admin for a particular system having to type names into lists of people who have access to the application. That's a big overhead and, and we want to eliminate that because it doesn't, it it's not consistent then across our, our organization, it also allows the business to start managing policies. So rather than the, the, the it organization in many cases, being given the responsibility for, for managing the access control, we can now give that to the, the business themselves, because they're the ones that should be determining that. And they're ones that should, should be making sure that the, the policies that they put in place adhere to
It gives us real time access to. So rather than relying on somebody typing a person's name into maybe a group within an application or a directory that we, we now can go in real time to the repository of that information and make decisions based on a person's actual attributes at that point in time. So if somebody's moved from the finance department to the HR department, we can immediately reflect that change in the access controls we make when that user attempts to get access to applications. And finally it gives us some fine grained access control to the resources that we're trying to protect. In. In many cases, organizations are running a role-based access control system based on group membership, or maybe organizational units, depending on what type of directory we're using. But our a does require a level of administration and it's quite cost grained. If this person is in the finance department, then they get access to the finance application. But with a fine grained approach, we can combine attributes now to allow us to make more sophisticated decisions. So if this person in the finance department, are they part of the project group team, that's actually doing the finance system upgrade, are they accessing the system from within our network or externally, are they accessing it in during business hours or after hours? We can now come up with a much more fine grained access control decision to resources of a protected nature
Picture, I think is worth a thousand words. This is a classic picture of how an dynamic authorization management system will be put together. There's basically four components. The policy enforcement point, as we've talked about is something that's attached to the protected resource that says I'm going to use an external resource to get a decision. So it send a request to the decision point. That is the location of the policy. This is where the policies reside. And when a request comes in, the system runs through those policies and determines whether that request is going to be permitted or denied. And the response comes back to tell the enforcement point, whether it should be permitted or denied, there are a couple of other options. So can, in some cases, a decision is indeterminant can respond that way, but generally most, most policy decision points are set to deny a request unless it's specifically permitted.
And so you'll get one of those two responses. So the only thing that the resource now needs to worry about is how to respond to a permit or deny, okay, the policy decision point must talk to something and get its information from an information point. This is typically a directory or multiple directories that have the access to the attributes. They have the attributes in them. And so the decision point can query the directory to get the response in real time in order to make the policy decision. And finally, there's a policy administration point. This is the place that the policy administrator will use or of tool that the policy administrator will use to actually manage the policies in the decision. Point's a standard approach to externalizing decisions and the policy, sorry, the protocol that's used typically in this area. And the one that we focused on in the leadership compass document was exact more the extensible access control, markup language. And so that request response is a standard and the, the, if you adhere to the standards, then we would recommend that. So that multiple enforcement points can indeed be supportive.
So what are the benefits to this? Well, basically the, the, by adopting this dynamic authorization management, you will improve the risk bro profile within your organization. The centralized policy management will give you consistency of policies. And as we mentioned before, having the business units manage your policies is a significant benefit. Focusing them on how they should be allowing access to their applications is important. And if you allow it to do it and the business just tells it what to do, the danger there is we have proliferation of policies like they, they multiply and become harder to manage. So having the business units engaged is, is in our recommendation as to the way to go. The software documentation is also significantly simplified. I, one of the statistics I saw was that on average, 20% of your development time for an application will be addressing the access logic.
So now, obviously this varies depending upon the complexity of the application, those with more application levels would be greater than 20%. And with those that have a simple access control mechanism, it might be less. But in average, on average, you're taking about 20% of your development time just to manage the logic associated with people, accessing your, your application, put on top of that, the administrative overhead of people, then managing the excess control list that, that do that. And, and there's a significant, there's a significant cost to that particular piece of software. So if we can simplify that and remove that logic from the application, we can streamline our application development and approve the, the deployment of it. The fine grained attribute decisions also gives us the ability to do much more sophisticated access control than we've been able to do in the past. And the fact that it's based on a runtime evaluation means that we can immediately implement changes that might be required as the result of some change in a person's circumstances.
And we've all been aware of situations where somebody has access to applications within organization. Long after they've left, that sort of activity wouldn't happen with the dynamic authorization management environment. And finally, it gives us improved governance. The centralized centralization of our policy management helps we can have multiple policy enforcement points managed the single decision point. So we can have the multiple applications relying on the same policies that we established just once. We also recommend that engaging vendors in this space that you do make sure that the environment is tied into whatever monitoring technology you're currently using. So if you have an S IM environment, you need to make sure that your dynamic authorization management tools plug and play with that as well. So improve governments is, is a major benefit to moving into this space.
It's not for the fainthearted though. We do suggest that to use a authorization management environment, you know, to move into that space, you need to have had some experience with managing your access control and, and this therefore is not something you would, you would do without having some background in both the technology space. Like you, you need to have the information points set up. You need to have the ability to tie your dynamic access authorization management into your existing environment. So you'll have a good identity provisioning system in place now automated, hopefully with work for approvals, you'll probably have a web access management environment. So you've already played around and has some experience with setting policies, for access to applications. You might have a, a privileged identity management environment where you are controlling situations where you need to have extended permissions to, for force to submit. You might be also playing in, in a hybrid situation where you've had to federate authentication across your, your on-prem environment with, with a cloud environment. You know, if, if you've had some experience you've gotta mature identity access management environment, then as dynamic authorization management is something you should, you should definitely be looking at and should be part of your strategic view of where, of, of the roadmap for your access management going, going forward.
Okay. Onto the leadership compass document, we had 11 participants in who, who provided responses to the survey access Sentinel is a pure play dynamic authorization management tool by UDS in Melbourne. They've been in the business for some years and have a, a very competent protocol compliant, dynamic authorization tool axiomatic. They're a, one of the main suppliers in, in the dynamic authorization management area. They've been in the business a long time. They participated in the Oasis forums that have defined the exact more pro protocol. So there's not much in the protocol, they don't understand. So a very good organization to benchmark against in terms of your dynamic authorization management tools, xray, they, they, they took over the VOR Dell technology. They have very good gateway solutions and again, exact more compliant approach to controlling access in the gateway device. Science systems are a us company based in Seattle. They specialize just in the Microsoft environment. So if you, if you're in a Microsoft environment and you've got cross border requirements there managing as Azure and your OnPrem cion systems have Z more compliant code that that allows you to do that cross ideas, they're coming from the process management process control area. And they've got the ideas platform, which has strong governance, access governance capabilities, AIAN they're affiliate of all group. They've got some very sophisticated IBM tools and their enterprise single sign-on product was recently highly rated by the KuppingerCole leadership compass.
IBM. And they've got a number of tools in this space. They've recently focused their security tools under the security division and the Tivoli policy manager to the security access manager for web and, and for mobile, they all use an externalized authentication cap, authorization capability, that's policy based next labs. They take a, a unique approach to external and access man externalizing. The, the access control, a very big on professional services and can basically provide a turnkey solution to your, to your requirements, Oracle, a foundational supplier of the demand authorization management tools with their Oracle, the entitlement server package. So they've been in the business a long time, and that's a, a foundational product to benchmark against Ws. So two, they take, again, a very innovative approach. Their software is all open source and they is well suited to a gateway type of approach, and they have a good professional services offering to, to help you through the deployment and management phases.
We had some organizations declined to participate Cisco systems and Juniper. I mean, the, the whole networking area right now is moving into a space where it's much more attuned to management through dynamic authorization type of approach. So as, as networks move from, you know, level three, up to level six on the side net leveling the tying into the identity management tools within an organization is gonna be very important. So hopefully they'll participate next year and give us some, some view into how they're going to actually provide that centralized support for their network services, Microsoft corporation, they've got very good dynamic access control facilities have done for a long time. And a lot of people, we all make a good use of that in terms of exact mall, which was the flavor that we, the focus that we did have for this tool. That's not a strong point at the moment in the Microsoft sphere.
So maybe we have to take the blinkers off for our next version of the document and, and include a wider view of it. Cause it would be nice to have them involved Dell. They took over the BKU dynamic authorization management product about 18 months ago is no longer sold as a separate product, which is probably why they didn't, they didn't respond to the survey, but hopefully we can encourage them to do so next time so that we can track how they're deploying that technology within their, their products, the quest product Technica, again, specialist, organization, highly technical provide good, good solutions, but they declined to participate in this particular leadership compass in terms of, I've got a couple of slides here on the, the findings in the leadership compass. And I'll, I'll just focus on just a couple of aspects of it. I would encourage you to download the, the document and, and, and have a look at it in more detail in terms of the overall leadership. You'll see that Oracle IBM and axiomatic are in that leadership sphere sector. Oracle and IBM are obviously, you know, the market leaders in terms of size, significantly larger than many of the other participants. So that puts us, puts them up into the, the leadership area.
The aromatics is also in that sector because as I mentioned, it is a leader in this space and has longevity, particularly when it comes to the, the exact more protocol. So aromatics more technology leader, IBM, Oracle, more in the market leader space. I should say that this, these positionings are quite objective. What happens in putting the together? The document is the, the surveys come back from the vendors and the results are typed into a very large spreadsheet that then generates these, these graphs. There is some subjectivity in, in translating the, the answers that are provided into, into ratings, but generally these are coming out in quite a subjective, quite an objective point of view in terms of selection, selecting a vendor, the, any of these vendors would provide you a good solution and a dynamic authorization management space, but they each are, have their own benefits in depending upon your particular requirement. So it's very important that you know, your requirements in order to select the best solution because they are indeed, they all have a different flavor focus, and that's reflected in the leadership document for in the, in the page for each of these.
I also wanna show you the innovation graph in the innovation space. Axiomatic can up as a leader. This is largely due to, again, their longevity in the space. They've, they've got a, a, a number of connectors to different vendors. They take quite a, a unique approach in terms of policy management, and they have a reverse lookup functionality that provides the ability to monitor the, the re the results of a, a policy. So evaluator policy, based on a reverse lookup mechanism in terms of Oracle, they basically, in, in many ways, they're a huge organization. Obviously they've got a large number of environments that they support. So for instance, if you've got Java net environment, they have point code for, for those. And if you've got a JBO environment, they'll support it, WebSphere, WebLogic, but wide support for variety of environments, they also got good industry support.
So if you, particularly in the medical space, if you want to look at how to do dynamic authorization management in the healthcare article have, have a good support for that. Now that's not to say that the other challenges are not don't have good innovation. This is a young sector. And by definition, all of these organizations have an innovative approach, but they are positioned as shown, wanted to put up the market product matrix, cuz this is another graph that comes out of the spreadsheet figures. And, and I found it quite interesting, basically what it's showing in the, the top right hand sector of the market leaders and as expected IBM and Oracle, the way up there with good market guess market sector size. There actually is also in that space because of the, their, the wide large number of, of gateway appliances that they, that they're providing in the strong potential space.
Axiomatic is shown there below the, the line, the line there shows a base line between the two between the market versus product. So what they're saying is axiomatic product capabilities is not yet being reflected in the market share. And so we can expect them to be moving up into the market leader space as time goes by access Sentinel. They're sitting right on the line there between specialists and strong potentials. Again, showing that their market they're sorry, the product potential is not quite meeting the market impact on the market at this time, a large number in the specialist space. And this makes sense because each of these companies coming out of a specialist area and has developed their solution for that particular area. And then lastly, we've got to next labs and Ws oh two in the market performance sector, reflecting their capabilities coming out of the specific sectors that they're, they're used to Ws oh two in the gateway space and next labs in the, the industry sectors that they're working in.
So I found that an interesting graph and gives you a flavor for the positioning of the, the products in regard to their market size. Okay. I said, I would talk about the challenges and it's something that we need to be cognizant of before we go into, into this space. So in the administration policies area, you need to make sure that the, the product that you select gives you the administrative controls that you need, that matches the model that you're following. There's basically three models. One is that you, you continue to have it, do all of the policy management for you and some organizations do that. Okay? The it, organization's happy to manage the policies. And they'll look after that. I think probably most organizations fit into the policy administration group space where they basically say, okay, well, the business is going to manage my policies and we are going, but it's going to be a centralized group that does it for, for the various business units.
Okay. The third area is to say, well, the business, each business unit should really manage their own policies. So each of those models will put a different requirement on the, on, on, on the tool, which you're going to be using to administer your policies. So the, if you're in the area where you want individual business units to manage their own policies, you're gonna need some specific assistance to make sure that your policy administration point can accommodate somebody. Who's not technically savvy who writes policies in business talk, and you need to make sure that there's some sort of expression builder. We pull down menus that gives you the capability of putting policies together. So you'll need an easy to use cap in that situation. As we mentioned earlier, having the business manage the policies does mean that we'll avoid the policy administration, sorry, proliferation, that can happen.
If it does it, the business unit just keeps telling it what to do. They can layer requirement upon requirement and you can end up with quite a complex policy situation. Okay. In terms of enforcement points, that's the biggest issue here is how are we going to plug an enforcement point into a legacy application? Let's face it. All organizations have legacy apps that probably the people that understand them have lost left the company. They're not very well documented. And we play around with them at our peril. That's a situation in which we have to be take care about how we're actually gonna tie those apps into some enforcement point. And in some cases you might wait until the app is redeveloped in, in order to do that. But the big, the good news is that with a pep, any development, you now do, doesn't need to have the logic built into it.
And we can rely on external decision making. We don't have to put together any ACLS. It does happen. Sorry. It does. It's an access control list. It does. It does help. If the developers have some, some knowledge of exact and understand what sort of responses they're going to get back and, and how they need to deal to deal with that for the decision points, those can be distributed. You can have multiple decision points. If you're all on-prem, you can, one decision point will satisfy, but you do need to make sure that you've got relatively low latency to the policy information point. Keep in mind that decision point is going to make decisions based on information. It gets from the information point. If it's got to wait for that information to come back, that's going to slow down your decisions and keep in mind that when we, we are talking about authorization, we're talking about mission critical activities.
So you need to make sure that we properly locate the PDPs and P IPS to ensure satisfactory operation. In terms of the information point, keep in mind that this high availability stuff, we can't have our, our directory folding over because then our, our, our environment collapses. So the main, there might be multiple data sources that you've got to deal with. So then you, you, you might need to have some device that, that integrates those or synchronizes to a single area. You need to make sure that the data's good. If you have, if your PIP is compromised, your decisions will be compromised. So you need to be concerned about how you're going to ensure that data integrity. So those are the main challenges when moving to a, a dynamic authorization management environment. Now this particular graph is not in the leadership compass. Martin Kuppinger said it was too subjective, but I wanted to just use it just to illustrate a point, what became increasingly obvious in analyzing the, the sector is that the, it it's quite broad in terms of solutions are, can be implemented.
So some vendors take a very discreet approach. They're basically the, the pure play dynamic authorization management providers, such as access Sentinel or, or axiomatic the other end of the spectrum. There's those that are providing a gateway device such as Axway possibly, WSO two, where the solutions are more geared towards controlling access to specific, specific re resource depo repositories, or, or specific systems in, in some cases. So the, the gateway solutions are, are solution specific tools. They are good for providing that controlled access to, to, through a gateway, some device such as that to a system model network. So they do on top of the access control or authorization activities they're doing. They're also allowing monitoring of traffic for, for known threats. They can stop traffic low balancing that type of stuff on the discrete area. These are purpose built environments, ideal for cross country, cross company access control. So it's multiple relying. Parties can access a discrete authorization management environment and service, multiple protected resources. The size of the spheres is simply market size. And obviously that's logarithmic. If it was linear Oracle and IBM would obliterate the screen. So I thought it was kind of an interesting view, but I, I say it's very subjective in terms of how, how to position a product, but in selecting a vendor, keep in mind that you need to know your requirements and decide which one best suits your particular situation. Okay.
Okay. So in terms of next steps, if you're interested in moving into the dynamic authorization management sphere, what should you do? And, and I should preface this by saying that this is really a strategic decision. You need to make sure that your upper management understands what this can do for them and puts their support behind it. Because without that, it's going to be, the activity could be fraught with difficulty. Okay. So the first thing is to select what application or what protected resources you're going to, to, to use for this initial deployment. Okay. I call it deciding the ring fence, determining where the ring fence is, and whatever's inside the ring fence is going to be the focus of this initial deployment and everything else, although many other applications. And we're going to be coming in the future. You you're gonna focus on just one or two that are gonna be part of the initial deployment.
Okay? You can't burn, boil the ocean as they say. So selecting your applications for the initial deployment is going to be very important, determining your selection criteria is important. So if you've got, if you currently have a, a, a web access management environment, you probably want to tie that into the, your authorization management. So that's a requirement. If you, you need to determine whether it is a discrete type of application, you've got with multiple applications attaching to, to the resource, or is it a gateway application where you have your protected resources in one system or systems or one area, and you're just providing access control to it. You also, then, as we mentioned earlier, tying your application into your monitoring your event monitoring systems. So make sure that it becomes part of your overall governance. Then you're gonna have to not then maybe even upfront start the change management because a based access control is a different approach and requires a different mindset. So a board level governance is, is going to be important. So you'll need the support of high level management to make sure that this gets properly deployed.
You are also gonna need business students involved. So whoever is setting the policies for access control needs to be involved in the project in order to assist with how it's going to be deployed. Then you can select your vendor. We like going to a request for tender type of approach, where you can put your requirements on paper. You can get the responses, evaluate them, and then decide where to go from there. We like the doing a proof of concept. We think that has some, some benefit, particularly if you've got integrate to, to different, for instance, data, data repositories. It's a good idea to do approval concept, just to make sure that that integration is indeed there and does work. Then you'll deploy that initial application and keep in mind that training is gonna be a big part of it, because this is the initial deployment of a dynamic authorization management environment in your organization. So there's it staff to train there's the business unit managers to train there's the developers to train. So make sure that you've got enough funding there for that. I always remember one project I manage. It was a deployment statewide deployment across 53 service centers. And I, I halfway through the project realized I had no funding set aside for training. Please don't let that happen with your initial foray into authorization management. Of course, once the, the additional, the, the initial applications are deployed, you can then roll out across, across other applications.
Okay? So in conclusion, what the takeaways I, I would suggest are number one are access decisions now are centralized. We're no longer having access control, split across myriad applications throughout the department. They're gonna be consistent and they're going to be managed by the business. So we, the, the access decision capabilities are going to be enhanced through, through that our document repositories and our development application development are gonna be significantly simplified. We, we no longer have to build access control logic into our applications. As we discussed earlier, do suggest that we make sure we, we, we approach this through a standardization. We want to have a standard environment where we can plug additional product in that will understand the, the protocols main protocol here, ISAC. Now, if you're in the Microsoft sphere, you know, daring to the Ws trust duty SharePoint, SharePoint's got some good capabilities here, controlling access to document repositories.
So using SharePoint for that, and you add a new column for the classification of the documents, you've got good capabilities of controlling access to those documents based on I identities, attributes of identities, we're moving into a fine grained decision model where the we can combine attributes in a very sophisticated access control area, and it's all going to be done at run time. So that means that our, our risk profile is significantly improved. So in terms of data loss protection, we suggest that that be incorporated into the, your organization's approach to identity and access management in general. So within the strategic role roadmap for your identity and access management environment, DLP should be part of that rather than putting in individual point solutions. Okay. So that brings us to the end of the main webinar. I do want to, I'll just leave this up on the screen for a moment. The leadership compass document that I've mentioned at a couple of points here does it's was actually published a couple months ago. So the number is 7 0 9 6. So that's called all of the detail in the vendors that we looked at in more detail. So, so do value yourself of that.
The, the scenario report there was written a couple of years ago by Martin caping, it's called understanding identity and access management. And it was the document that actually was the first one dimension dynamic authorization management. So I actually consider this to be a seminal document. So for any identity and access management issues, this is a very good document to start with sort encapsulates and all in the few pages. So that's a good one. Identity provisioning has recently been redone. That's the leadership compass document on, on identity provisioning. So if you want to see how your vendor stacks up against the others, that's a good one to pull down. And of course, there's the new ABT that was the, the agile business companies, how to be an agile business company is in this best practice report that was issued at the end of last year. And dynamic authorization management is an excellent component of that. So the, it gives you very agile business capabilities. If you are doing access control based on, on attributes as you are indeed with the dynamic authorization management environment. Okay. Couple of questions.
Okay. There's a question on if you have D P why Dan? Okay, well look, if, if you currently got, sorry, a document loss prevention in place, and you're quite happy with that solution that does diminish the one of the drivers, I suppose, going to a dynamic authorization management environment. But I I'd say that by considering DLP as part of your dynamic authorization management would give you a lot more. So, so basically if you have a dynamic access management environ management environment, that's that obvious the need for special S D O P solution in some cases. So obviously that's a very case specific situation, but I would see DLP as a subset of dynamic authorization management. And indeed your, your approach should be at a strategic level in terms of how you're going to extend your, how you are gonna extend the, the environment. Okay. How do you stop access by CED? Men's
Okay. SIS has been access, obviously your systems that are, are making up your environment, your dynamic authorization management environment are need to be administered, and they'll be assist have been looking after those. So, you know, this, this, the generic problem of, of system in having privileged access to your systems. So yeah, that's, that's difficult in terms of the going to an, an enhanced privileges area or a situation where the you've got a, a situation where people need to access your systems at an elevated privileges. You can actually use your dynamic authorization environment to assist there because in effect you can have, you can have a condition caught on access. So exact can come back with a condition that indeed you can kick off a workflow for instance, associated with approval to give you access to elevated privileges. So that, that could be, that's an actually an interesting application where you're controlling elevated privileges based on an exact type of decision. I'm not sure that answers the question. Okay. Isn't, isn't,
Isn't our back on for most companies. Okay. For most companies, I get it. Okay. If you are, if you role access control system is working well, again, that diminishes the one of the drivers I supposed to go to Ava C, but you do need to keep in mind that your administrative overhead associated with a role based access control system can be, can be significant. Okay. So there's also the risk profile associated with an RVAC system is typically greater than that associated with an AAC type type of approach, as there's more and more move into the cloud and you know, where you've got hybrid environment. So we need to control our access in the cloud, as well as on-prem and with the move to more mobile devices where we've got, we lose the ability to manage closely the clients that are accessing our systems.
The, the rback mechanism is, has difficulty in that environment. And so indeed an a back solution using a, like going to a dynamic authorization management solution. That might be the, might be the go there. So those are situations where you would need to consider that, okay. That looks like all the questions that we have here, and our time is just about gone. So look, do thank you for attending. I hope you found that of some use and some help. If there are any questions, please come back to us. We'd also be injured in any comments too. So if you found the webinar useful, or if it's missed the boat in some areas, we would love to know that and to hear that information. So do get back to us with any questions and comments that you have there with that. I will say goodbye, and we'll catch you next time.
So in terms of the topic for today's webinar, it is data loss protection, and specifically how we can use technology such as dynamic authorization management for the, to achieve data loss protection for us as a way of introduction, we do have some rules here due to the number large number of attendees. You'll all be muted. We can't accommodate audio, but we do encourage questions to be asked. And if you type those into the area on your webinar control panel, we will get to those questions at the end of the end of the session for those that we don't have time for. I'll get back to you individually with responses. As I said, the webinar will be recorded so that your compatriots can, and yourself can review this at a later time. And we do encourage that feedback and make sure you tell us issues that you would like us to address and any questions you have in regarding the topic by way of introduction.
Just the slide on KuppingerCole in terms of the, the three main legs to the stool, if you like, or the three main strings to the bow, whichever analogy you like KuppingerCole has a very strong background in research services for the last eight years as KA Cole's been undertaking detailed research identity and access management area, and that research is available online, do go to the website. There is a 30 day complimentary registration that gives you access to all of that registration, sorry, research. So please avail yourself of that. Capco Analyst are available for a variety of services. Be it webinars. If you want a webinar on a specific topic for your organization, please let us know if you'd like Analyst input to projects. You are currently undertaking. Please let us know. So access to global specialists in virtually every area of identity, access management, cloud migration governance, please avail yourself of those services.
And lastly events, the largest event is the European identity conference identity in cloud conference. That's held every may in Munich. If you haven't been to one at please do at the event this year, there was over 600 delegates, 700 delegates, 50 exhibitors. It was a very good time to network and to learn about trends in the marketplace. We also have a digital risk insecurity conference coming up in January in sheen, China and Asia Pacific identity in cloud conference, a schedule for Australia in July next year. So please make note of that and keep track of the announcements on the website in regard to those events, the agenda for this webinar. As I mentioned, it's talking about data loss prevention and in comparison with data loss protection, got a slide on that in a moment we're going to talk to about this whole area of dynamic authorization management and how we can achieve data loss prevention using dynamic authorization management. We're gonna look at the drivers why we need to address this topic, the benefits that come from that we will look at the market analysis that was undertaken earlier this year in regard to the major vendors in this space. And lastly, we'll look at the challenges of actually deploying a dynamic access management environment, because some considerations that you, you need to be aware of as you go forward and we'll look at some next steps of actually how to do that.
So the classic data loss prevention basically looks at tools in three different areas. There's the tools that manage data at rest. Typically some sort of firewall or router that's providing restrictions to access subnets in your network where the protected resources reside. So this is one way of ensuring that only those people that are in the access control group that can get access to the can indeed get to the document repository in this case or the protected resource, whatever it may be, then there's the data in motion, protecting the data as it trans its your network. Typically we put some type of router or perimeter device that's monitoring traffic coming in and out of the network. And then again, we can do interesting things of looking at that traffic flow and deciding if this potentially confidential information that's leaving our network and we can put restrictions on that. So that's the data in motion option and then is the data in use? How is the data actually being used by our staff? And that requires some sort of endpoint client that we can put on the devices that are staff use becoming very important in the external when more and more people are using mobile devices, a lot of companies now embracing some type of endpoint protection that places restrictions on what can be done with typically documents that are restricted nature, and that might be residing on a remote device.
So that's a classic approach to data loss prevention. When we're talking data loss protection, though, we can use dynamic authorization to provide protection to our restricted resources. So in this, in this part picture, we've got now our restricted documents behind an enforcement point. So basically what we are doing now is combining our resource with an enforcement point that is going to allow us to decide what sort of access we are going to grant to that repository. And the decision is actually not being made by the device anymore is being made by an external decision point. That's going to talk to a, a, some information repository and make a decision in real time as to whether a user access should be allowed or not. So there's a couple of important things to understand here. The first is if your decisions are externalized, it means that we can have multiple resources all using the same decision point.
So we can centralize our management. We're no longer needing to have individual access control to, to, to, to different repositories. We can have a coherent and a management that's that's actually happening from a, from a central point. The second thing is that the, you, if you look at the picture there, the perimeter is no longer quite as important as it was in, in the previous picture. This, this was actually emphasized to me at the RSA conference in Singapore last week, where one of the keynote speakers said, if you can't identify who or what, in the case of internet of things, if you can't identify who is accessing your protected resources, you've already lost the wall. So what he was basically saying there is the emphasis now is on understanding the identities of the people, accessing our resources and making decisions based on that information rather than restrictions based on individual devices.
So what are the characteristics then of a dynamic authorization management environment? Well, firstly, as we've already discussed externalizing, the decision making is an important characteristic, relying applications as applications that relying on the decision points are, are allowing those decisions to be made externally and no longer have to be built into the application itself. We have centralized policy making, which means that we can have a centralized approach that gives consistency across the organization. We're no longer having to rely on individual access control points or access control lists that are put together for particular applications. So we have somebody and admin for a particular system having to type names into lists of people who have access to the application. That's a big overhead and, and we want to eliminate that because it doesn't, it it's not consistent then across our, our organization, it also allows the business to start managing policies. So rather than the, the, the it organization in many cases, being given the responsibility for, for managing the access control, we can now give that to the, the business themselves, because they're the ones that should be determining that. And they're ones that should, should be making sure that the, the policies that they put in place adhere to
It gives us real time access to. So rather than relying on somebody typing a person's name into maybe a group within an application or a directory that we, we now can go in real time to the repository of that information and make decisions based on a person's actual attributes at that point in time. So if somebody's moved from the finance department to the HR department, we can immediately reflect that change in the access controls we make when that user attempts to get access to applications. And finally it gives us some fine grained access control to the resources that we're trying to protect. In. In many cases, organizations are running a role-based access control system based on group membership, or maybe organizational units, depending on what type of directory we're using. But our a does require a level of administration and it's quite cost grained. If this person is in the finance department, then they get access to the finance application. But with a fine grained approach, we can combine attributes now to allow us to make more sophisticated decisions. So if this person in the finance department, are they part of the project group team, that's actually doing the finance system upgrade, are they accessing the system from within our network or externally, are they accessing it in during business hours or after hours? We can now come up with a much more fine grained access control decision to resources of a protected nature
Picture, I think is worth a thousand words. This is a classic picture of how an dynamic authorization management system will be put together. There's basically four components. The policy enforcement point, as we've talked about is something that's attached to the protected resource that says I'm going to use an external resource to get a decision. So it send a request to the decision point. That is the location of the policy. This is where the policies reside. And when a request comes in, the system runs through those policies and determines whether that request is going to be permitted or denied. And the response comes back to tell the enforcement point, whether it should be permitted or denied, there are a couple of other options. So can, in some cases, a decision is indeterminant can respond that way, but generally most, most policy decision points are set to deny a request unless it's specifically permitted.
And so you'll get one of those two responses. So the only thing that the resource now needs to worry about is how to respond to a permit or deny, okay, the policy decision point must talk to something and get its information from an information point. This is typically a directory or multiple directories that have the access to the attributes. They have the attributes in them. And so the decision point can query the directory to get the response in real time in order to make the policy decision. And finally, there's a policy administration point. This is the place that the policy administrator will use or of tool that the policy administrator will use to actually manage the policies in the decision. Point's a standard approach to externalizing decisions and the policy, sorry, the protocol that's used typically in this area. And the one that we focused on in the leadership compass document was exact more the extensible access control, markup language. And so that request response is a standard and the, the, if you adhere to the standards, then we would recommend that. So that multiple enforcement points can indeed be supportive.
So what are the benefits to this? Well, basically the, the, by adopting this dynamic authorization management, you will improve the risk bro profile within your organization. The centralized policy management will give you consistency of policies. And as we mentioned before, having the business units manage your policies is a significant benefit. Focusing them on how they should be allowing access to their applications is important. And if you allow it to do it and the business just tells it what to do, the danger there is we have proliferation of policies like they, they multiply and become harder to manage. So having the business units engaged is, is in our recommendation as to the way to go. The software documentation is also significantly simplified. I, one of the statistics I saw was that on average, 20% of your development time for an application will be addressing the access logic.
So now, obviously this varies depending upon the complexity of the application, those with more application levels would be greater than 20%. And with those that have a simple access control mechanism, it might be less. But in average, on average, you're taking about 20% of your development time just to manage the logic associated with people, accessing your, your application, put on top of that, the administrative overhead of people, then managing the excess control list that, that do that. And, and there's a significant, there's a significant cost to that particular piece of software. So if we can simplify that and remove that logic from the application, we can streamline our application development and approve the, the deployment of it. The fine grained attribute decisions also gives us the ability to do much more sophisticated access control than we've been able to do in the past. And the fact that it's based on a runtime evaluation means that we can immediately implement changes that might be required as the result of some change in a person's circumstances.
And we've all been aware of situations where somebody has access to applications within organization. Long after they've left, that sort of activity wouldn't happen with the dynamic authorization management environment. And finally, it gives us improved governance. The centralized centralization of our policy management helps we can have multiple policy enforcement points managed the single decision point. So we can have the multiple applications relying on the same policies that we established just once. We also recommend that engaging vendors in this space that you do make sure that the environment is tied into whatever monitoring technology you're currently using. So if you have an S IM environment, you need to make sure that your dynamic authorization management tools plug and play with that as well. So improve governments is, is a major benefit to moving into this space.
It's not for the fainthearted though. We do suggest that to use a authorization management environment, you know, to move into that space, you need to have had some experience with managing your access control and, and this therefore is not something you would, you would do without having some background in both the technology space. Like you, you need to have the information points set up. You need to have the ability to tie your dynamic access authorization management into your existing environment. So you'll have a good identity provisioning system in place now automated, hopefully with work for approvals, you'll probably have a web access management environment. So you've already played around and has some experience with setting policies, for access to applications. You might have a, a privileged identity management environment where you are controlling situations where you need to have extended permissions to, for force to submit. You might be also playing in, in a hybrid situation where you've had to federate authentication across your, your on-prem environment with, with a cloud environment. You know, if, if you've had some experience you've gotta mature identity access management environment, then as dynamic authorization management is something you should, you should definitely be looking at and should be part of your strategic view of where, of, of the roadmap for your access management going, going forward.
Okay. Onto the leadership compass document, we had 11 participants in who, who provided responses to the survey access Sentinel is a pure play dynamic authorization management tool by UDS in Melbourne. They've been in the business for some years and have a, a very competent protocol compliant, dynamic authorization tool axiomatic. They're a, one of the main suppliers in, in the dynamic authorization management area. They've been in the business a long time. They participated in the Oasis forums that have defined the exact more pro protocol. So there's not much in the protocol, they don't understand. So a very good organization to benchmark against in terms of your dynamic authorization management tools, xray, they, they, they took over the VOR Dell technology. They have very good gateway solutions and again, exact more compliant approach to controlling access in the gateway device. Science systems are a us company based in Seattle. They specialize just in the Microsoft environment. So if you, if you're in a Microsoft environment and you've got cross border requirements there managing as Azure and your OnPrem cion systems have Z more compliant code that that allows you to do that cross ideas, they're coming from the process management process control area. And they've got the ideas platform, which has strong governance, access governance capabilities, AIAN they're affiliate of all group. They've got some very sophisticated IBM tools and their enterprise single sign-on product was recently highly rated by the KuppingerCole leadership compass.
IBM. And they've got a number of tools in this space. They've recently focused their security tools under the security division and the Tivoli policy manager to the security access manager for web and, and for mobile, they all use an externalized authentication cap, authorization capability, that's policy based next labs. They take a, a unique approach to external and access man externalizing. The, the access control, a very big on professional services and can basically provide a turnkey solution to your, to your requirements, Oracle, a foundational supplier of the demand authorization management tools with their Oracle, the entitlement server package. So they've been in the business a long time, and that's a, a foundational product to benchmark against Ws. So two, they take, again, a very innovative approach. Their software is all open source and they is well suited to a gateway type of approach, and they have a good professional services offering to, to help you through the deployment and management phases.
We had some organizations declined to participate Cisco systems and Juniper. I mean, the, the whole networking area right now is moving into a space where it's much more attuned to management through dynamic authorization type of approach. So as, as networks move from, you know, level three, up to level six on the side net leveling the tying into the identity management tools within an organization is gonna be very important. So hopefully they'll participate next year and give us some, some view into how they're going to actually provide that centralized support for their network services, Microsoft corporation, they've got very good dynamic access control facilities have done for a long time. And a lot of people, we all make a good use of that in terms of exact mall, which was the flavor that we, the focus that we did have for this tool. That's not a strong point at the moment in the Microsoft sphere.
So maybe we have to take the blinkers off for our next version of the document and, and include a wider view of it. Cause it would be nice to have them involved Dell. They took over the BKU dynamic authorization management product about 18 months ago is no longer sold as a separate product, which is probably why they didn't, they didn't respond to the survey, but hopefully we can encourage them to do so next time so that we can track how they're deploying that technology within their, their products, the quest product Technica, again, specialist, organization, highly technical provide good, good solutions, but they declined to participate in this particular leadership compass in terms of, I've got a couple of slides here on the, the findings in the leadership compass. And I'll, I'll just focus on just a couple of aspects of it. I would encourage you to download the, the document and, and, and have a look at it in more detail in terms of the overall leadership. You'll see that Oracle IBM and axiomatic are in that leadership sphere sector. Oracle and IBM are obviously, you know, the market leaders in terms of size, significantly larger than many of the other participants. So that puts us, puts them up into the, the leadership area.
The aromatics is also in that sector because as I mentioned, it is a leader in this space and has longevity, particularly when it comes to the, the exact more protocol. So aromatics more technology leader, IBM, Oracle, more in the market leader space. I should say that this, these positionings are quite objective. What happens in putting the together? The document is the, the surveys come back from the vendors and the results are typed into a very large spreadsheet that then generates these, these graphs. There is some subjectivity in, in translating the, the answers that are provided into, into ratings, but generally these are coming out in quite a subjective, quite an objective point of view in terms of selection, selecting a vendor, the, any of these vendors would provide you a good solution and a dynamic authorization management space, but they each are, have their own benefits in depending upon your particular requirement. So it's very important that you know, your requirements in order to select the best solution because they are indeed, they all have a different flavor focus, and that's reflected in the leadership document for in the, in the page for each of these.
I also wanna show you the innovation graph in the innovation space. Axiomatic can up as a leader. This is largely due to, again, their longevity in the space. They've, they've got a, a, a number of connectors to different vendors. They take quite a, a unique approach in terms of policy management, and they have a reverse lookup functionality that provides the ability to monitor the, the re the results of a, a policy. So evaluator policy, based on a reverse lookup mechanism in terms of Oracle, they basically, in, in many ways, they're a huge organization. Obviously they've got a large number of environments that they support. So for instance, if you've got Java net environment, they have point code for, for those. And if you've got a JBO environment, they'll support it, WebSphere, WebLogic, but wide support for variety of environments, they also got good industry support.
So if you, particularly in the medical space, if you want to look at how to do dynamic authorization management in the healthcare article have, have a good support for that. Now that's not to say that the other challenges are not don't have good innovation. This is a young sector. And by definition, all of these organizations have an innovative approach, but they are positioned as shown, wanted to put up the market product matrix, cuz this is another graph that comes out of the spreadsheet figures. And, and I found it quite interesting, basically what it's showing in the, the top right hand sector of the market leaders and as expected IBM and Oracle, the way up there with good market guess market sector size. There actually is also in that space because of the, their, the wide large number of, of gateway appliances that they, that they're providing in the strong potential space.
Axiomatic is shown there below the, the line, the line there shows a base line between the two between the market versus product. So what they're saying is axiomatic product capabilities is not yet being reflected in the market share. And so we can expect them to be moving up into the market leader space as time goes by access Sentinel. They're sitting right on the line there between specialists and strong potentials. Again, showing that their market they're sorry, the product potential is not quite meeting the market impact on the market at this time, a large number in the specialist space. And this makes sense because each of these companies coming out of a specialist area and has developed their solution for that particular area. And then lastly, we've got to next labs and Ws oh two in the market performance sector, reflecting their capabilities coming out of the specific sectors that they're, they're used to Ws oh two in the gateway space and next labs in the, the industry sectors that they're working in.
So I found that an interesting graph and gives you a flavor for the positioning of the, the products in regard to their market size. Okay. I said, I would talk about the challenges and it's something that we need to be cognizant of before we go into, into this space. So in the administration policies area, you need to make sure that the, the product that you select gives you the administrative controls that you need, that matches the model that you're following. There's basically three models. One is that you, you continue to have it, do all of the policy management for you and some organizations do that. Okay? The it, organization's happy to manage the policies. And they'll look after that. I think probably most organizations fit into the policy administration group space where they basically say, okay, well, the business is going to manage my policies and we are going, but it's going to be a centralized group that does it for, for the various business units.
Okay. The third area is to say, well, the business, each business unit should really manage their own policies. So each of those models will put a different requirement on the, on, on, on the tool, which you're going to be using to administer your policies. So the, if you're in the area where you want individual business units to manage their own policies, you're gonna need some specific assistance to make sure that your policy administration point can accommodate somebody. Who's not technically savvy who writes policies in business talk, and you need to make sure that there's some sort of expression builder. We pull down menus that gives you the capability of putting policies together. So you'll need an easy to use cap in that situation. As we mentioned earlier, having the business manage the policies does mean that we'll avoid the policy administration, sorry, proliferation, that can happen.
If it does it, the business unit just keeps telling it what to do. They can layer requirement upon requirement and you can end up with quite a complex policy situation. Okay. In terms of enforcement points, that's the biggest issue here is how are we going to plug an enforcement point into a legacy application? Let's face it. All organizations have legacy apps that probably the people that understand them have lost left the company. They're not very well documented. And we play around with them at our peril. That's a situation in which we have to be take care about how we're actually gonna tie those apps into some enforcement point. And in some cases you might wait until the app is redeveloped in, in order to do that. But the big, the good news is that with a pep, any development, you now do, doesn't need to have the logic built into it.
And we can rely on external decision making. We don't have to put together any ACLS. It does happen. Sorry. It does. It's an access control list. It does. It does help. If the developers have some, some knowledge of exact and understand what sort of responses they're going to get back and, and how they need to deal to deal with that for the decision points, those can be distributed. You can have multiple decision points. If you're all on-prem, you can, one decision point will satisfy, but you do need to make sure that you've got relatively low latency to the policy information point. Keep in mind that decision point is going to make decisions based on information. It gets from the information point. If it's got to wait for that information to come back, that's going to slow down your decisions and keep in mind that when we, we are talking about authorization, we're talking about mission critical activities.
So you need to make sure that we properly locate the PDPs and P IPS to ensure satisfactory operation. In terms of the information point, keep in mind that this high availability stuff, we can't have our, our directory folding over because then our, our, our environment collapses. So the main, there might be multiple data sources that you've got to deal with. So then you, you, you might need to have some device that, that integrates those or synchronizes to a single area. You need to make sure that the data's good. If you have, if your PIP is compromised, your decisions will be compromised. So you need to be concerned about how you're going to ensure that data integrity. So those are the main challenges when moving to a, a dynamic authorization management environment. Now this particular graph is not in the leadership compass. Martin Kuppinger said it was too subjective, but I wanted to just use it just to illustrate a point, what became increasingly obvious in analyzing the, the sector is that the, it it's quite broad in terms of solutions are, can be implemented.
So some vendors take a very discreet approach. They're basically the, the pure play dynamic authorization management providers, such as access Sentinel or, or axiomatic the other end of the spectrum. There's those that are providing a gateway device such as Axway possibly, WSO two, where the solutions are more geared towards controlling access to specific, specific re resource depo repositories, or, or specific systems in, in some cases. So the, the gateway solutions are, are solution specific tools. They are good for providing that controlled access to, to, through a gateway, some device such as that to a system model network. So they do on top of the access control or authorization activities they're doing. They're also allowing monitoring of traffic for, for known threats. They can stop traffic low balancing that type of stuff on the discrete area. These are purpose built environments, ideal for cross country, cross company access control. So it's multiple relying. Parties can access a discrete authorization management environment and service, multiple protected resources. The size of the spheres is simply market size. And obviously that's logarithmic. If it was linear Oracle and IBM would obliterate the screen. So I thought it was kind of an interesting view, but I, I say it's very subjective in terms of how, how to position a product, but in selecting a vendor, keep in mind that you need to know your requirements and decide which one best suits your particular situation. Okay.
Okay. So in terms of next steps, if you're interested in moving into the dynamic authorization management sphere, what should you do? And, and I should preface this by saying that this is really a strategic decision. You need to make sure that your upper management understands what this can do for them and puts their support behind it. Because without that, it's going to be, the activity could be fraught with difficulty. Okay. So the first thing is to select what application or what protected resources you're going to, to, to use for this initial deployment. Okay. I call it deciding the ring fence, determining where the ring fence is, and whatever's inside the ring fence is going to be the focus of this initial deployment and everything else, although many other applications. And we're going to be coming in the future. You you're gonna focus on just one or two that are gonna be part of the initial deployment.
Okay? You can't burn, boil the ocean as they say. So selecting your applications for the initial deployment is going to be very important, determining your selection criteria is important. So if you've got, if you currently have a, a, a web access management environment, you probably want to tie that into the, your authorization management. So that's a requirement. If you, you need to determine whether it is a discrete type of application, you've got with multiple applications attaching to, to the resource, or is it a gateway application where you have your protected resources in one system or systems or one area, and you're just providing access control to it. You also, then, as we mentioned earlier, tying your application into your monitoring your event monitoring systems. So make sure that it becomes part of your overall governance. Then you're gonna have to not then maybe even upfront start the change management because a based access control is a different approach and requires a different mindset. So a board level governance is, is going to be important. So you'll need the support of high level management to make sure that this gets properly deployed.
You are also gonna need business students involved. So whoever is setting the policies for access control needs to be involved in the project in order to assist with how it's going to be deployed. Then you can select your vendor. We like going to a request for tender type of approach, where you can put your requirements on paper. You can get the responses, evaluate them, and then decide where to go from there. We like the doing a proof of concept. We think that has some, some benefit, particularly if you've got integrate to, to different, for instance, data, data repositories. It's a good idea to do approval concept, just to make sure that that integration is indeed there and does work. Then you'll deploy that initial application and keep in mind that training is gonna be a big part of it, because this is the initial deployment of a dynamic authorization management environment in your organization. So there's it staff to train there's the business unit managers to train there's the developers to train. So make sure that you've got enough funding there for that. I always remember one project I manage. It was a deployment statewide deployment across 53 service centers. And I, I halfway through the project realized I had no funding set aside for training. Please don't let that happen with your initial foray into authorization management. Of course, once the, the additional, the, the initial applications are deployed, you can then roll out across, across other applications.
Okay? So in conclusion, what the takeaways I, I would suggest are number one are access decisions now are centralized. We're no longer having access control, split across myriad applications throughout the department. They're gonna be consistent and they're going to be managed by the business. So we, the, the access decision capabilities are going to be enhanced through, through that our document repositories and our development application development are gonna be significantly simplified. We, we no longer have to build access control logic into our applications. As we discussed earlier, do suggest that we make sure we, we, we approach this through a standardization. We want to have a standard environment where we can plug additional product in that will understand the, the protocols main protocol here, ISAC. Now, if you're in the Microsoft sphere, you know, daring to the Ws trust duty SharePoint, SharePoint's got some good capabilities here, controlling access to document repositories.
So using SharePoint for that, and you add a new column for the classification of the documents, you've got good capabilities of controlling access to those documents based on I identities, attributes of identities, we're moving into a fine grained decision model where the we can combine attributes in a very sophisticated access control area, and it's all going to be done at run time. So that means that our, our risk profile is significantly improved. So in terms of data loss protection, we suggest that that be incorporated into the, your organization's approach to identity and access management in general. So within the strategic role roadmap for your identity and access management environment, DLP should be part of that rather than putting in individual point solutions. Okay. So that brings us to the end of the main webinar. I do want to, I'll just leave this up on the screen for a moment. The leadership compass document that I've mentioned at a couple of points here does it's was actually published a couple months ago. So the number is 7 0 9 6. So that's called all of the detail in the vendors that we looked at in more detail. So, so do value yourself of that.
The, the scenario report there was written a couple of years ago by Martin caping, it's called understanding identity and access management. And it was the document that actually was the first one dimension dynamic authorization management. So I actually consider this to be a seminal document. So for any identity and access management issues, this is a very good document to start with sort encapsulates and all in the few pages. So that's a good one. Identity provisioning has recently been redone. That's the leadership compass document on, on identity provisioning. So if you want to see how your vendor stacks up against the others, that's a good one to pull down. And of course, there's the new ABT that was the, the agile business companies, how to be an agile business company is in this best practice report that was issued at the end of last year. And dynamic authorization management is an excellent component of that. So the, it gives you very agile business capabilities. If you are doing access control based on, on attributes as you are indeed with the dynamic authorization management environment. Okay. Couple of questions.
Okay. There's a question on if you have D P why Dan? Okay, well look, if, if you currently got, sorry, a document loss prevention in place, and you're quite happy with that solution that does diminish the one of the drivers, I suppose, going to a dynamic authorization management environment. But I I'd say that by considering DLP as part of your dynamic authorization management would give you a lot more. So, so basically if you have a dynamic access management environ management environment, that's that obvious the need for special S D O P solution in some cases. So obviously that's a very case specific situation, but I would see DLP as a subset of dynamic authorization management. And indeed your, your approach should be at a strategic level in terms of how you're going to extend your, how you are gonna extend the, the environment. Okay. How do you stop access by CED? Men's
Okay. SIS has been access, obviously your systems that are, are making up your environment, your dynamic authorization management environment are need to be administered, and they'll be assist have been looking after those. So, you know, this, this, the generic problem of, of system in having privileged access to your systems. So yeah, that's, that's difficult in terms of the going to an, an enhanced privileges area or a situation where the you've got a, a situation where people need to access your systems at an elevated privileges. You can actually use your dynamic authorization environment to assist there because in effect you can have, you can have a condition caught on access. So exact can come back with a condition that indeed you can kick off a workflow for instance, associated with approval to give you access to elevated privileges. So that, that could be, that's an actually an interesting application where you're controlling elevated privileges based on an exact type of decision. I'm not sure that answers the question. Okay. Isn't, isn't,
Isn't our back on for most companies. Okay. For most companies, I get it. Okay. If you are, if you role access control system is working well, again, that diminishes the one of the drivers I supposed to go to Ava C, but you do need to keep in mind that your administrative overhead associated with a role based access control system can be, can be significant. Okay. So there's also the risk profile associated with an RVAC system is typically greater than that associated with an AAC type type of approach, as there's more and more move into the cloud and you know, where you've got hybrid environment. So we need to control our access in the cloud, as well as on-prem and with the move to more mobile devices where we've got, we lose the ability to manage closely the clients that are accessing our systems.
The, the rback mechanism is, has difficulty in that environment. And so indeed an a back solution using a, like going to a dynamic authorization management solution. That might be the, might be the go there. So those are situations where you would need to consider that, okay. That looks like all the questions that we have here, and our time is just about gone. So look, do thank you for attending. I hope you found that of some use and some help. If there are any questions, please come back to us. We'd also be injured in any comments too. So if you found the webinar useful, or if it's missed the boat in some areas, we would love to know that and to hear that information. So do get back to us with any questions and comments that you have there with that. I will say goodbye, and we'll catch you next time.
Stay Connected
How can we help you