2020 Is the Year of the Identity Management Revolution

Good afternoon, ladies and gentlemen, welcome to KuppingerCole webinar "2020 is the year of the identity management revolution". Why IAM should be at a core of all security strategies. It's supported by Thales. And the speakers today are Danna Bethlehem, who is director of product marketing IAM at Thales cloud protection licensing, Dirk Geeraerts, who is VP sales EMEA IAM at the same company, Thales cloud protection, and me, Martin Kuppinger.

I'm the principal analyst at KuppingerCole I'll sort of guide you through this webinar in contrast to many of the other webinars you're doing it is not a slide show, so to speak, it is a conversation we intend to do. So it will be a conversation about this topic we have in the title on certain detailed aspects of that between Donna, Derek, and me. And so this is basically that our target, our idea, we have to keep you entertained for the next 30 minutes now with our perspectives we have on this topic. Audio controls: you're muted. You don't need to care about it.

We will do a recording of the webinar, but there will be no slides or only very little slides because we have fuse lights, which trust show sort of the main talking points podcast recordings should be available by tomorrow, latest day after tomorrow. And then there will be a Q and a session as usual in our webinars. By the end, you can enter questions at any time, and I appreciate you entering such questions because the more questions we have, the more lastly, the entire conversation will be with that. Let me formally welcome Donna and Derek post should be able to be heard right now.

Dirk unfortunately has a little issue with the video bandwidth. And so we decided that there is only in audio while that also comes in via video. So let's get started. So the title is about 2020 being the identity management identity Medford road, which is a big term mostly, but maybe, maybe we start this, this a little bit talking about the challenge organizations face forcing a serious review of their identity management strategy.

Then I think that is a good starting point because when I look at what we are doing at, KuppingerCole see so many organizations these days revisiting their identity management strategies, thinking about faulted view, correct, what do we need to change? What do we need to change in the context of zero trust in the context of different work styles, but also maybe with some legacy that broad.

So I don't know, maybe you start out as challenges you see in the organizations you are working with when they started reviewing their, their current they're frequently, very matured, established identity management strategy. Thank You so much, Martin. And thanks to all the attendees for joining us today for this webinar and to my colleague, Dirk. Yeah.

I mean, it's been such a momentous year and this year isn't over yet to learn lots of things playing out over which we have very little control. And the reason I think that everybody can agree that identity and access management, this is the year of the identity and access management is because of this very compelling event. COVID 19 pandemic, that everybody is contending with both on an enterprise work-related issue book and on of course, on a personal level.

But I think for organizations, the main thing is having to suddenly support all of the employees working from home and at its core, that is all about secure remote access. So this is, what's keeping it people up at night. Yeah.

There, what do you want to add? Well, you know, I think I don't want to stock talk too much about the pandemic by the way. Good afternoon, everyone. And thank you for tuning in and sorry, you can't see me, but I hope you can hear me well. So I definitely don't want this conversation to be dominated by the current situation, but on the other hand, we can't ignore it either.

I think, you know, before this pandemic kicked off or kick started, you know, I am was probably priority number five or number two, or number 17, you know, within many companies, there will be some companies where it was top priority, but it wasn't definitely the case with, with all of them. And I think today, you know, identity is really, you know, should be amongst, you know, the top three, if not number one priority.

You know, when you look at your it investments for the next couple of years, it should be part of the reviews you're doing for, for this year and for next year. And, you know, I always say, you know, before the internet, we had one identity, right? And that's a long time ago in the meantime.

But today, even myself, for instance, I I've been working for Telus now for quite a number of years, but there have been a number of acquisitions and myself, I have different email addresses. So, you know, you actually need an identity solution near IDP within your organization, you know, to challenge that every time someone logs on to a certain application, that that person is who he says he's right. And I think that's to professionals who've been working in this business for many years. It is a very normal, but you know, we, we think it is a real challenge for organizations out there today.

Yeah. And maybe assuming you've paid the same. So he gets that only about the employee.

So, so when we look at what is happening and again, hopefully we'll touch it the last time. Probably not today. The current crisis also is driving digital transformation initiatives because a lot of organizations have Europe. They're not far enough in our digital transformation. We need to speed up things, which digital transformation we ended up in a scenario where it's about, we need to deal with all our customers with vantage, digital identities. We need to change a lot of things we did there. And I believe that that also affects this situation.

So it's that trust and identity management with like direct described a world where you have your own internal ID, it is far more complex. So, so do you also see just this strive, our digital transformation initiatives dealing with the digital customer and maybe even devices things and all the other stuff?

Yeah, I would say digital transformation is probably, you know, the, the, the core theme when we speak to our customers, I would agree to that Martin. I mean, obviously security is, you know, we're, we're working for Telus and we're, you know, in, in cybersecurity amongst many other topics, but we, we address security, but digital transformation is, is very much what drives this conversation. Yes. I fully agree, Donna, For sure. Yeah.

I mean that, and adding to that, you've got three or two or three key initiatives that are really driving that digital transformation first and foremost, I'd say it's the users, the users in enterprises that are pushing for change within the enterprise. The fact that users are so did you just leave confident and are doing everything in their personal lives, on their phones, on their tablets, pushes them to require that same level of convenience and that same level of access in everything that is related to work.

So that in turn really pushes it and CSOs to think how they can better accommodate their users in adopting more convenient technology, more accessible technology, and just making it much easier for employees across the board to do their, to go about doing their daily jobs. From there, I get a little bit more into detail. So w w why Crested identity should be at the core of every security compliance and access directive. One of the talking spot talking points we have on the list.

And I think we touched on aspect, which is really the true transformation that is so to speak the positive driver, because identity enables digital transformation. But Kayla Dow also, this must have things like security, like compliance, like secure access. Could you elaborate a little bit more? Are these puns?

Yeah, sure. Just to, to give a bit of an anecdote here at Telus we've for the past five years, we've been doing a survey on practices within access management and authentication and the use of social media credentials, or personal email as part of that enterprise authentication experience. Because of the very fact that we're talking about because of convenience has always been a hot topic. And the press always liked to pick up on that using your Facebook username and password to log onto your enterprise applications, to log into your enterprise email.

And this is the first year actually that I've seen that topic. I seen the reality set in about ability, the ability to cross-reference those personal credentials that people are using in the enterprise and as well. And that relates directly to what you're saying around security, this growing realization today with enterprises, that enterprises are becoming far more vulnerable because of the transition to cloud, because people are accessing services that are not protected by the traditional security schemes that that we're protecting the network previously.

And so a lot more attention is being paid to security and to excess security and how to protect the core assets. So tell you to bring up, in fact, you're bringing up another key seam of what's happening organizations, what organizations are looking at, which is zero trust. And it brought a sense when we use the bus word and, and what you're actually saying is there can't be a zero trust paradigm implemented or enforced without having a strong, trusted identity. This is what, what do you mean with stuff?

Yeah, exactly. I mean, the underlying principle of zero trust is to trust no one and to trust no entity and to verify everything and everybody accessing any component within the enterprise. And that's especially true today when users and our employees and all of us actually are accessing different network components, different applications, different services that are not delivered from within the data within the enterprise data center, right? These applications are being delivered from everywhere. They're accessing these applications and these services from a multitude of devices.

And that means that each and every time, a user logs onto an application to the network to a VPN, to, to anywhere on any device, that excess event needs to be completely secured. Can it be trusted?

Yeah, they're Catholic second. I think that, that is an important point, really, because I am a strong believer and that I believe that silver trust better would be defined as distributed and verified trust. When we look at what happens in the cross with this, we have someone accessing or using it through wise to go over a network, to a service with friends somewhere, and the only sort of re touchpoints we have our identity and the service at the end, even the device is hard to get a criminal because it might be a bring your own device. And that means at the end is very tied to the identity.

We verified a good enough to be able to trust that identities at the very core of everything we do is zero trust. That's my, my belief, there are two. Do you want to add here? You know, I think maybe two comments here, you know, there are definitely some people from the financial industry here on this, in this meeting, you know, those people know the PCI regulation very well. If you look at section eight, you know, it's all about just the identities and you know, that, that that's already a very important indicator.

I think why it's important, but I'd like to make a comparison, maybe, you know, to the real world, you know, in, in the physical world, we all look our cars, we look our homes because we don't trust anyone. So as soon as you enter into the virtual world or cyberspace, whatever you want to call it, you know, I would think that it's just very normal to do the same thing. We will very often say it's not the case. So yeah. That's what would be my, my vision on that. Yeah.

Well, okay. The analytics, you could argue if you live very much in a rural area, it might be somewhat different where people sometimes slip their houses unlocked because the frost, everyone in that region. But basically I would say, yes, you're absolutely right. And by the way, a PCI DSS, I think is a good point because at the end, it is about trusted identities and it's about verifications, about a strong verification.

So, so many organizations are in that state of looking at it and say, okay, we need to do something something different unfortunately, or re yes. Reality is there usually is some identity management already there. So the question is how w really from your perspective or how our legacy, I am technologies are impeding the cloud adoption. Do you want to start this time? Yeah. It's something, you know, we've picked, we've picked it up.

I mean, we we've seen discussions around it. And I think a lot of it has to do with, you know, the speed a certain organization wants to go to the with, right. I think if you're, if you're not going to the cloud a lot, although there are many organizations who think they are not going to the cloud, that they are. If you ask a couple of questions, it's always an interesting debate.

But, you know, I recently heard that there are some, some old, you know, or some technologies, SSL, VPN providers who were not supporting, you know, certain SEMO protocols. And I'm thinking, you know, if, if you have an old legacy infrastructure, obviously that's going to make it very difficult for you, you know, to go to the cloud. So I think at some point you want to make an analysis, you know, is it better to keep the old solution and try to, you know, build some bricks into it and make it ready?

Or do you want to, you know, say, well, maybe we should look at rearchitecting everything and, you know, make us really ready for that cloud journey, because it's, if you have, if you keep the legacy for a long time, you know, it can become a real burden. But I think also you're Martin, you, you're probably more an expert on this topic then than I am. So w w how would you, would you agree with that statement? I wouldn't say it's a difficult thing, and you really need to look at where's an organization on how easily, or how quickly can you get rid of legacy.

So we have a paradigm or a concept defined and published a lot about it. You will find tons of material at our website or on what we call identity fabric that this identity fabric is really what, what we see as the future of often high level logical architecture, and as a set of paradigm for our are heading, but there might be a really, for incision pass between the legacy I am at that new world.

And so it really depends on where you, where you are in some areas such as the verification identification, the authentication are generally easier to solve and to shift also due to a lot of broking standards, then I don't parts such as the traditional IGA party identity lifecycle, which is clearly harder to migrate, but at the end, this needs to be clarified per I would say, per customer and for access for things we are talking currently about addressing identity.

I think you can make quick and strong progress towards a model, more capable architecture without spending too much trouble in, in, in which was migrating legacy at a price you don't like to pay for it. Yeah.

So Martin, I think in that regard being proactive about the need to change is always a challenge. It's a challenge in all organizations, larger organizations specifically, and perhaps the, the natural response would be to try and Patrick what you already have and make it work, especially when organizations are trying to respond in an urgent situation and they have to get things up and running very quickly.

But, yeah. Sorry, go ahead. Go ahead. Go ahead.

Well, I'm saying that it's all about planning ahead. And the spring work that you just mentioned really does provide a blueprint for organizations to start making incremental changes and responding rationally to a situation and not being captive to legacy, just because that's what they're used to, and that's going to be, I think that's going to make the difference between organizations who successfully complete their digital transformation and those who have increasing challenges. Yeah.

I can't agree more on that because I just last week had a conversation as a customer book, which was really about even while you might stock by creating two or three, four years from now, planning now start preparing for that now, because then you were at the steering wheel, you were in control. You're not in a hurry. And I think this is really essential thing, start preparing now.

And then if you have the perspective, the division that you print, all that stuff, then you also know which of the investments you make are really straight forward in the right direction, which might be tactical and to do them is absolutely normal, but you understand it and you know what you do, and you are sure about what you're doing is the best thing you can do. So I'm fully with you. So that's what has to be new. There's not a single lender who delivers everything.

So, so Tyler, I think you have, you have your portfolio of historical portfolio strengths in your portfolio, but when you look at this also from your perspective, so how would you talk about the importance of technology partner ecosystem, the deliberate deployment and management of identity management? Well, I th I think Martin, you know, the basic thing, you know, it's all about convenience, right?

I mean, if I were to ask why don't, you know, Indians wear helmets, it's not because they know it's good for them, but, you know, it's just not convenient, right? When it's 40 degrees and you have to wear a helmet. So people always try to find convenient solutions. So the end user experience is really a key driver, you know, for, for solutions.

And that, that is why we think, you know, it has to be made. When you look at the ecosystems, you know, we have a couple of hundred integrations done with, with several technologies out there just to make it easier for companies, you know, to, to, to adapt and to embrace access management solutions. So now one of the elements as well, really important in this, in this, on this topic is, you know, we, we very often see that security is being deployed after an application has been deployed. And just to make an analogy, you know, would you imagine a government deploying electronic ID cards?

And then afterwards storing, you know, the, the certificates on an HSM or another device, you wouldn't do that right in. And too often, we see when an application is being rolled out, you know, security comes afterwards. So we think, you know, there is a zero day security, and if you have a good integration strategy, you know, that's something you can really associate before you actually deploy technologies or applications. Yep. Yeah. Dirk said it really perfectly, right.

I mean, especially, I like that analogy on the zero day, zero day security. Very often we see organizations in a panic come to us because they've already experienced a security incident. And that really relates back to what we were talking about previously. Right. If you plan ahead and if you integrate security security from day one into your access points, then you're going to be so much better prepared to handle any kind of vulnerability or threats that, that could affect you in the future. So it's all about Yeah. Hmm. Yeah.

And I, I'm a strong believer in that because I also think that security must be an identity, must be a service, every new to true service. You build everything you do, you consume.

So it, it must be there. It must be used so that it all, it gives you more time to, well, you at the end of the day, because if you're done miss security in idiot, you need to do it in a hurry. You always lose time. So providing identity and security as a strong foundation, as a service, everything can use will help you in that. Yeah. Yeah. Just to add in that regard, I think that one of the, the, the beauty, the beauty points of protecting applications, especially cloud applications at the access point is that it's incredibly scalable and flexible.

You actually have gives you the inherent ability, first of all, to manage security policies across all of your applications, centrally and apply consistent access policies to all users into all of the cations, but also to very easily grow. As you add, as you expand in the cloud, as you add additional applications, and then ultimately to bridge those policies back into your database and protect also the applications that are on premises or more a non-standard spaced application.

So this does allow you to incrementally roll out a solution, but at the tart, by protecting those applications and services that are most vulnerable, right from the speed from the get-go. Yeah.

Well, two good things, two very important points. And I think we need to look far more at X's policies, their enforcement. So X of policies are easy to define is to understand if it can apply to a lot of poems and you can apply them consistently across a lot of applications, if it was right, are these days of our research key themes around identity management. So I think that that is really a super important aspect too, to always look at when, when we, when we think about, but all these things. And so I'm fully with you, let's do it that way.

So in the interest of time, maybe let's look at the last matrix, a talking point, maybe back to the audience right now, it's the right time. If you have any questions, if you have anything to throw into the conversation, do it right now, there's a questions area. And to go to webinar control on the right hand side of your screen, the more questions we have, the better our Q and a session will be. But so with all we have set, I think we have a pretty common understanding about the world is deep. Parameterization. We have to dip her up. we have your trust.

We have a changing growth, but why do we still see companies investing heavily in perimeter security, despite latest 2020 have shown that these no longer exist, at least in the way we were used to it. So what is the reason, Should I take that one?

Oh, sorry, go ahead. Yeah. Then are you, you go first I'll comment afterwards. Okay. I think it's a release directly to those organizations who have a plan in place have been much easily able to adjust, to making the transition to modern and to feature distributed networks, the term that you used earlier.

Whereas those organizations who had to scramble and didn't have a plan in place found themselves pouring money and resources in a, you know, in an attempt to really, to really support urgently the work from home that work from home phenomenon that we've seen since, since the March timeframe. So I think that's where the paradox can be most likely explained. Yeah. So I think, you know, identity is, is probably the weakest link.

I mean, it's a bit of a strong statement here, but, you know, we see from many different studies by the way, not only coming from us, but also from other players in the, in the it world that, you know, when there is a data breach, for instance, 68 or 70% is actually the results, you know, of an identity, which was compromised because there was no FAA solution in place or another, you know, in order decent access management solution in place.

So, yeah, I think I'm really struggling to understand why they are still so many organizations, because we did some, some research research ourselves, and we learned that yet people seem to be spending more on, on, on perimeter solutions or security than, than before. Whereas we think today, you know, it's all about identity and it's all about data. These are the real important things.

And I think, Yeah, if I just may add, you know, and, and another thing that is really amazing, you know, it's not really on the agenda here, but when I think about it, we see, we still see many organizations using static passwords, which to us is also something, you know, we've been used to, to a face solutions now for, for decades.

So maybe over to you, Martin, what, what do you think is, is there any reason why The dad has been simpler reason I believe, but back to maybe quickly to the too far MFAs thing, I think that's the first thing everyone should have done the latest at the beginning of the crisis. Switching on MFA in many environments is pretty straightforward at the baseline level at the increase in security uses fishing risk, but looking at why might it be that there's still a lot of investment into, into sort of most traditional technologies?

I think there are two reasons to want to psychological, but there are a lot of experts. There's a lot of knowledge to be realistic. Some people struggle with shifting into a new expertise. That's I think quite human, totally normal, totally understandable, but in a bigger reason and far more important reason why, why it takes time, I would say not why it doesn't happen, but I will still take timers. If you have, for instance, a BPM it's easier to extend the VPL at least the first class, didn't you say? I go to a new concept.

I go to Sierra crest, but what we have surface that many, many organizations currently really are pushing down zero trust initiatives. And so I expect that we will see a significant shift into new paradigms, but it is really a transition phase. And I think it just takes time because sort of the, the, the rapid action is just to say, okay, I increased capacity of my VPN. I build on what I have then, because I'm ready for much of the safe side before I do the new things. And some of these things are in some way, you does it at the end of the reason. Yeah.

It Seems I could fix something then to maybe, you know, start a new yeah. But I see organizations really starting right now, executing on their Sierra dress strategies or finalizing just trust registry site. Make sense with that. I think we are at the end of the talking time, more or less, we have quickly shifted to the Q and a, but before we do go into the Q and a, maybe that idea, Rick, do you want to give a one main recommendation you would give to, to the audience? So what would be your main recommendation data?

Yeah, sure. So I think from an architectural perspective, it just makes sense to secure cloud applications and services at the access point and not force your users to go through the on premises data, data center in order to reroute them out, back into the cloud from a user perspective, the on experience is just much more familiar and much more straightforward. And from a security perspective, it just makes more sense in terms of flexibility and scalability. So that's where you should start in terms of reassessing your access management and MFA strategy. Yeah.

I think very important as well is, you know, the use cases look at your use cases, you know, upfront before you implement any kind of solution to make sure, you know, you cover everything because, all right, you may be thinking, oh, you know, I have an access management solution sitting somewhere. You know, it's part of a global package, but maybe not all your use cases are covered.

And, and very often if you find that out down the road, you can actually be in trouble because maybe you need to, you need to run two services to be able to, to deal with the different use cases. So that would be my recommendation. Okay. Thank you. We're stuck. We are shifting to our Q and a session, and I thought that whoever has questions, I ended the questions. Now it's your opportunity to ask your questions to Donna, to Derek, or even to me, but we already have a couple of questions here. So we have a good starting point. And the first is, I think it's a good question.

That is zero trust a security initiative, or is it a set of products? So who wants to start the answer on death? I'll take it.

Yeah, sure. So the way that I see it, it's actually philosophy to security philosophy and a security framework, and it really provides a blueprint for how to implement security across distributing it across distributed networking and computing environments, which you described products can adhere to zero trust concept. And that's where the strategic planning part comes in. Because if you have the blueprint, then you're going to want to plug in the pieces with products that adhere to zero trust principles. Yep.

Doug, go ahead. No, I think, I think, you know, we're on the same page here, right? It's a concept, right? It's not a set of products, but obviously they will, they can work together, but no, that's Fine. It's a paradigm. Yes. It helps doing certain things. Right. Recent things are things there's not a single zero draft product for products to help. I think it's a neat, it's a neat, you know, by our customers and I think many different cyber security vendors try to come up with, you know, different sets of solutions to, to allow that needs to be fulfilled. Yep. Yes.

So, so are there any specific Accenture and features that enables your trust could work with you, if you want to use that to term, is there something in that space where you say this is absolutely essential to have? Yeah, for sure. So if we're talking about securing applications at the FX, the access point, and we want to adhere to that principle of verify everywhere, trust no one, it really is very important to make sure that every time a user logs into an application or service that their identity is verified and that you're securing the access points.

Now, as organized as users hop from application to application from service to service, I think the last number I heard was that on average users have to log into about 27 or 30 cloud applications during their day. So it means that you need to verify each and every time a user is logging into an application. And the only way to do that is to continuously authenticate them to continuously, continuously verify the users login each and every time they log in without overburdening the actual login experience.

So achieving that balance of security and convenience while continuously authenticating is key. Okay, great. So the question to the lender last, not least. So how does Tallis pretty together?

All, all, all the various security solutions you have into a zero trust plea. Third, do you want to take that one? Did you want me to take it?

Yeah, you can take it that up. Awesome. Thank you.

So again, tell us we have an power identity and access management portfolio, which consists of a cloud-based access management and cloud-based authentication. We also have a very leading portfolio of encryption products. So this ensures that applications and services are always protected at the access point and protected within their data. So applications are protected and data is protected throughout, and we strictly adhere to that trust.

No one principle by making sure through our policy engine, that authentication is carried out each and every time, even if a user is in the middle of a single final session. So we verify each and every login attempt and apply the right policy and enforce the rest, let alone indication at the access point.

Okay, great. Anything to add?

No, I think that sums it up. You know, I think what we've said before is, is we really believe, you know, identity and, and data are today. The two most critical things to protect within an organization. And we have built, you know, solutions around it. I think maybe one thing we could add is that, you know, there are a lot of people sort of organizations who've deployed, maybe some legacy, you know, PKI solutions whereby they were using smart carts.

And we know from, from, from effect, that's combining, you know, that technology together with access management, isn't always easy, but we've managed to do that. Actually. I think we're pretty unique in that respect. So also organizations who have deployed those kinds of technologies, you know, shouldn't be shy of having a conversation about access management with us.

Okay, great. Donna and Derek, thank you very much for the conversation and thank you to all the participants to listening to this call.

ONR, thank you to toddlers for supporting this webinar. Hope to have you, as soon back in one of our virtual events, there are a ton of events upcoming in the next couple of months. So just you again soon. Thank you. Thanks Martin. Thank you everybody. Thank you everyone. Bye.