Event Recording

How to Move from Legacy IAM to Future-Proof Identity Fabric


As enterprises adopt new ways of collaborating and working, one of the areas most affected has been the evolution of identity metadata to support improved and secure forms of access to IT infrastructure and services. Yet this is still the most under-represented aspect in target design conversations for most identity management programmes. As we move towards IAM 2.0, with the shape of that evolution changing from our pre-pandemic approaches, there is an opportunity to build our programmes on sound identity fabrics, thereby leveraging the true power of cloud-based capabilities, driving agility in adopting and delivering new identity services, and significantly reducing unmanaged technical debt. The presenter will speak from his own viewpoint, having delivered IAM programmes and legacy transformation at scale using the sound principles of identity fabrics.

So, moving from legacy identity management to a future-proof identity fabric. But let's first see where we are with identity today, because identity management in itself is an interesting subject to start with. Although we call it identity management, when we talk about identity management we are really talking about access management about 70 or 80% of the time; that is what bleeds program resources most of the time. Identity management at its core is something that is discussed a lot, but on the ground very little is actually done about it. What I have tried to put together on the slide, in my own awkward way and with an attempt at some humor, is this. First of all, identity management has been given a new fillip in today's world by zero trust.
When we talk about zero trust, identity is at the heart of it. But at the same time we see organizations where the third-party scene, or for example the contingent worker scene, is completely chaotic: the decision and onboarding process for a third party (or a third-party identity, or not necessarily a third-party identity; it could be a VIP, it could be anybody within the organization) is dependent on the lowest common denominator and is very customized. So on the one hand we talk about zero trust with identity at its core from a capability perspective, and on the other hand our onboarding processes are completely broken; they do not allow for it. That is the conundrum we are talking about. On the one hand, we talk about identity as a set of composable attributes.
At the core we have a set of static attributes, and on top of that we have a set of composable attributes that allow us to shape or to track the behavior of the user, and to make sure we give the user the best and most secure experience within the organizational context. On the other hand, we treat identity as a pure data feed: you give us a data feed, it becomes an authoritative source. Oh, you need to onboard another third-party source? Give us a data feed, we will onboard that as an authoritative source too. Happy days, let's move ahead. The third factor is that over the past three or four years we have seen an explosion of third parties within organizations. In my organization, for example, about 50% of our population is third parties.
With increasing economic pressures and increasing contracting, this is likely to expand in some organizations. Peers I have spoken to in the industry have about 75% of their population as third parties. So this trend is going to grow, and I don't think the traditional construct of four key identity types (employees, contractors, third parties, agents, and then others) will work any more, because you have a whole spectrum of people with different needs from the organization's resources. From an enterprise identity perspective we really have to think about how we adapt to hybrid work and hybrid identity as our organizations evolve. Working against that, security today has a propensity to make work really hard.
That starts the moment you step outside the office network or domain. And that is again one of the different facets of the current conundrum. Identity management is a good CISO conversation, surprisingly, because it can lead to a conversation about quicker results, a better consumer experience, and better value from my investments. But how is it sold today? It is sold as an access governance solution: the tyranny of access governance, as I like to call it, running certification after certification, onboarding thousands of applications, and taking millions and millions of dollars to run these programs. So I think a tweak is required there in how we use identity management as a good CISO conversation.
So that is the conundrum, just to set the baseline, and I have to be quick with the slides because I don't have much time. Coming back to that conundrum: it was less of a fabric and more of a pecking order. We had the trusted employees who always worked within the domain using corporate credentials, had access to corporate devices, and always used those to access organizational resources. Then you had the employee-like third parties, agency workers, replacement workers and so on, who used corporate credentials and were almost employee-like, so they got the same kind of benefits from a resources perspective, access to corporate internal resources, et cetera. And then we had the too-big-to-fail third parties.
Those third parties could use their own certified offices, or again work from very fixed locations with virtual desktops; sometimes they used remote working practices, VPNs or VPCs or whatever. And then we had the long tail: various flavors of retired workers, intermittent workers, contingent workers, agency workers who trail in and out of the organization, have different kinds of account types, sometimes use their Gmail accounts, sometimes try to renew their old accounts, and so on. It is a long tail of accounts. I am talking about organizations of similar complexity to ours: 130,000 employees, 170 countries, and a whole set of use cases in between. That is the traditional construct within which large, complex, global organizations operate today, and it is more of a pecking order: you focus on the top three, and the long tail gets along with whatever it can get from you.
That is where some of the gaps tend to accumulate. Then, as we evolved, the pecking order gave way to the persona. When we look at identity today, I think the previous speaker said to take an outside-in view of identity, and I completely agree, because today we talk less about identity types (whether it is a third party or not) and more about personas. I am a retailer: all I want to do is bring my own identity and check stock on your central inventory so that I can order. I am a third party that provides data center services to you and I want to access your infrastructure, and by the way, I will need domain-level access 80% of the time.
For the rest, I just need access to emails and meetings. I am a salesperson: I just need MS Teams, and I need to take care of my appraisals and my salary slips, and that's it. I work in a factory: I use a shared desktop for my emails, and at the terminal where I work on my assembly line I have an embedded terminal from which I need access to five or six applications. That's what I need. These are personas, and notice we are not talking about what kind of third parties they are, or whether they work in the office, because the trust we based on people working out of offices, out of the network, or on corporate devices is going away. That is where the identity conversation and the fabric conversation happen.
So what is an identity fabric? Let's talk about that now. I talk about attributes here, but I don't want this confused with attribute-based access control; this is a level above that. We are talking about identity attributes, not the access attributes that drive policy-based access control and so on. These are the identity attributes that define who the person is. Those core attributes can come from anywhere; they could be a social identity, although I am very skeptical about the use of social identity in an enterprise setting, but it could happen in the future for certain use cases. This is a person who brings the minimum set of attributes to the organization and represents a certain identity persona for the organization, and then the person needs to do a certain job, which is associated with another set of attributes.
Then there is a whole sea of other attributes out there which, when the person acquires them, can trigger, for example, a toxic combination or a sensitive event that requires an elevation of privilege or triggers monitoring. So when we talk about identity today, that is what it is: not just a set of static feeds. We are talking about an individual traversing the organization at a certain point in time, dynamically acquiring new sets of attributes as the person changes or moves roles or whatever. Our responsibility is to make life easier for the person so that they can operate effectively and do their job, and at the same time to identify what requires monitoring. That monitoring is not based on whether the person is working out of the corporate network or using a corporate laptop; it is about what the person does, what the person requires for the job, and what the person actually has in order to do the job. That is the kind of data we are trying to gather, and the best way to start the journey is through the identity fabric.
If you look at the single atom of the fabric, at the four layers of it: there is a set of core attributes that define the persona, and that persona could be what I am ready to share with the organization I am going to join (my name, my date of birth for the HR application, or whatever set of core attributes), but some of those attributes will not define who I am as an identity. Then there is the set of composable attributes that adapts to the role of the person: which department I am from, which cost center I am from, where I belong in that organization, and therefore what kind of work I need to do and what kind of access I need to do my job on a daily basis.
These are composable because when those attributes change, when the person's role changes, the composable attributes change as well, so that the person can get what they need to do their job at that point in time within the organization. The third layer is the composable attributes that allow the person to be opportunistic. For example, for a certain period of time you are doing somebody else's job, so for that period you need a certain set of attributes to do that particular job, or you need elevated access.
Or you may even be an external party bringing your own identity to the organization, where your core is light, but for the job you are doing you acquire a certain set of application attributes or identity attributes that define access to a certain set of applications for a fixed period of time. That is the third layer. The last bit is what our organization exposes when our employees, or the entities we own, go out and seek access to other applications: what kind of attributes are we ready to expose for them? Because we own those attributes, we have the responsibility to manage them well, and to decide what we expose so that they can actually access those services.
That is the way I see the attributes building out. So finally, weaving the identity fabric: early pitfalls and watch-outs. Too often, when we start designing IAM programs, the first thing IGA (identity governance and administration) programs say is: okay, how many applications are we going to onboard, how many users, what is the role-based access control for that? We have a propensity to pivot towards access governance. But technology has evolved: today everything starts from the core of the identity, and identity protection is the core of everything we start with from a zero trust perspective. If that is the case, you have to start with what personas interact with your services, an outside-in view.
Know your personas. When you build your business case, you can leverage the zero trust story and some actual cost reductions. For example, I can work for my organization today without my corporate laptop for a week or so without any disruption. Is my journey insecure? No, it is not, because my organization identifies me, rather than relying on the trust associated with the device I use. Which means what? A reduction in costs: there is an ongoing issue with the supply of laptops, there is a reduced number of chips, and organizations are struggling with it. It is a good story to say that if we build this from identity upwards, we can reduce the cost of the IT equipment we issue.
Then there is Windows Hello for Business, passwordless, and everything that goes with that journey. And there are enterprise-wide complementary initiatives like cloud migration, and cyber security initiatives like CASB (cloud access security broker) and ZTNA; these are all allies in that particular journey, because they all start with the premise of zero trust, and cloud platforms like AWS and Azure all have zero trust at their core. So I think we can build the case for the identity fabric and zero trust in conjunction; these are allies. We have to understand the trade-offs: what are the must-manage components of this particular fabric? Because the larger our attribute set, the more difficult it is going to be to manage.
So we have to understand where we establish trust, where we outsource trust and rely on it, and where we manage it and its life cycle; there is a cost element to building that, and at the end of the day speed is also of the essence. You cannot take years and years to build this, so the right balance is really important. And finally: invest in getting identity right, and access will follow. If you build your fabric identity-forward, access governance will improve and you will get less friction in the adoption of access governance. That has been the burning issue for a number of years without a clear answer, but today we can see a clear roadmap for how to make our access governance more effective. With that, I have just about reached the end of my time, so I'll stop there for any questions.
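The four attribute layers described in the talk (core, role-composable, opportunistic, exposed), as an added example that is not part of the talk or of any product: a small Python model in which role attributes are recomputed from the current role, opportunistic grants expire on their own, a toxic-combination check flags what should trigger monitoring or an elevation decision, and only an allow-listed subset of core attributes is released outward. The role mapping, the toxic-combination rules, the layer names and the sample identity are constructed assumptions for illustration.

```python
"""Toy model of the four attribute layers of an identity fabric (added example).

Layers, as described in the talk:
  1. core    - static attributes the person brings (name, date of birth, ...)
  2. role    - composable attributes derived from the current role / cost center
  3. grants  - opportunistic, time-boxed attributes (covering a colleague, elevated access)
  4. exposed - the subset of attributes the organization is willing to release outward

The role mapping, the toxic-combination rules and the sample identity below are
assumptions made for this example; they are not from the talk or any product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Layer 2: what a role implies for access (assumed mapping).
ROLE_ATTRIBUTES = {
    "sales": {"apps": {"teams", "hr-self-service"}, "dept": "sales"},
    "factory": {"apps": {"mes-terminal", "shared-mail"}, "dept": "plant-7"},
    "dc-ops": {"apps": {"vpn", "domain-admin"}, "dept": "infrastructure"},
    "ap-clerk": {"apps": {"erp-payables"}, "dept": "finance"},
}

# Combinations that should trigger monitoring or an elevation decision (assumed rules).
TOXIC_COMBINATIONS = [
    ({"erp-payables", "erp-vendor-master"}, "create vendor and pay it"),
    ({"domain-admin", "shared-mail"}, "privileged account used on a shared desktop"),
]


@dataclass
class Grant:
    """Layer 3: an opportunistic attribute that is only valid until `expires_at`."""
    app: str
    expires_at: datetime


@dataclass
class Identity:
    core: dict                                   # layer 1, static
    role: str                                    # drives layer 2
    grants: list = field(default_factory=list)   # layer 3


def effective_attributes(identity, now):
    """Merge the layers into the attribute set that is valid at `now`.

    Role attributes are looked up fresh, so a role change recomposes them, and
    expired grants are dropped rather than carried forward.
    """
    role_attrs = ROLE_ATTRIBUTES.get(identity.role, {"apps": set(), "dept": None})
    live_grants = [g for g in identity.grants if g.expires_at > now]
    return {
        "core": dict(identity.core),
        "dept": role_attrs["dept"],
        "apps": set(role_attrs["apps"]) | {g.app for g in live_grants},
        "grants_active": len(live_grants),
    }


def toxic_combinations(attrs):
    """Return the description of every toxic combination present in `attrs`."""
    return [reason for combo, reason in TOXIC_COMBINATIONS if combo <= attrs["apps"]]


def exposed_attributes(attrs, release_policy):
    """Layer 4: outbound claims, restricted to an explicit allow-list of core fields."""
    return {k: v for k, v in attrs["core"].items() if k in release_policy}


def demo():
    """Constructed scenario: an accounts-payable clerk covers a colleague's
    vendor-master duties for two days, then the grant lapses."""
    now = datetime(2023, 5, 10, 9, 0, tzinfo=timezone.utc)
    clerk = Identity(
        core={"name": "A. Clerk", "dob": "1990-01-01", "employee_id": "E123"},
        role="ap-clerk",
        grants=[Grant("erp-vendor-master", now + timedelta(days=2))],
    )
    during = effective_attributes(clerk, now)
    after = effective_attributes(clerk, now + timedelta(days=3))
    return {
        "during": toxic_combinations(during),   # flagged while the grant is live
        "after": toxic_combinations(after),     # clean once the grant has expired
        "apps_after": after["apps"],
        "claims": exposed_attributes(during, {"name", "employee_id"}),
    }


if __name__ == "__main__":
    print(demo())
```

The useful property is that nothing in the model is a static feed: the third layer carries its own expiry, the second layer is recomputed whenever the role changes, and the toxic-combination check runs over the merged set, so a temporary grant that collides with a standing role entitlement is caught and then stops being flagged when the grant lapses.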