KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
As organizations become increasingly digital, they must continue to evolve their IAM strategy to solve business challenges, support new initiatives, and incorporate data-driven decisions. In this session, Nick Groh will introduce the concept of data-driven decision making, including how artificial intelligence can help reduce the costs of decision-making. The session will also cover mobile trends and other sources of leveraging data, and focus on applications to identity management. This session will look at how IGA has mature use cases, but needs to be applied more broadly. Finally, there will be a discussion on how these applications extend beyond identity management, such as other areas of security, and how the business can incorporate identity data.
As organizations become increasingly digital, they must continue to evolve their IAM strategy to solve business challenges, support new initiatives, and incorporate data-driven decisions. In this session, Nick Groh will introduce the concept of data-driven decision making, including how artificial intelligence can help reduce the costs of decision-making. The session will also cover mobile trends and other sources of leveraging data, and focus on applications to identity management. This session will look at how IGA has mature use cases, but needs to be applied more broadly. Finally, there will be a discussion on how these applications extend beyond identity management, such as other areas of security, and how the business can incorporate identity data.
Okay, so I'll just jump right in market conditions. So kick things off.
I'll, I'll talk a little bit about the market conditions we're seeing kind of in the, you know, broader IGA landscape, firstly, with digital IM becoming increasingly relevant for businesses, there's, you know, now a disconnect between some of the functionality traditionally associated with IGA products and the needs of businesses to become, you know, more agile and IGA needs to become more contextual.
I say IGA I'm of course, referring to identity governments and administration, and it needs to be more contextual, not only in the, in the way it defines its identities, but also in how it governs them and the resources to which they have access. Right. So another shift we're seeing is, is the, you know, the adoption of, of zero trust. We'll discuss this a little bit in a little bit more detail later, but the idea of supporting a more operational approach to the principle of these privilege is now more of a, a necessary reality than an abstract security principle.
So while, while IGA is currently operating completely within the zero trust model, it's in the process of adopting technology and practices necessary to get there. You and, and finally we have, we have a massive shift in the way organizations are conducting business today. Sure. There are some companies have had remote working capabilities and policies for a while now, but I think we can all agree. The scope of this rearrangement is, is a bit unprecedented. Not only have businesses fundamentally reorganized the way they operate, but they've, they've done.
So at, at breakneck speed identity governance needs to embrace the fact that that swath of, of an enterprise are doing business across devices, applications, networks, all in, you know, public, private and hybrid environments, right. And malicious malicious actors can and do take advantage of this.
That's, it's important to understand that cuz with every additional connection comes a potential attack vector. So this expansion of business environments constitutes, you know, a massive, you know, identity governance requirement, little bit, we alluded to, you know, digital transformation and to give that some context, I mean, for so long, IGA has been considered a core security pillar, but it's important to remember that governance is a much larger part of a business. It's a much larger part of business operations in, in general.
I mean sure that we're talking specifically about identity governance, but governance more broadly speaking has always been a core part of any business or enterprise and businesses are increasingly viewing identity governance through the lens of more comprehensive and agile governance landscape in order to accommodate the, the business identity governance technology has to adapt and evolve. Right? So now we talk a lot about agility.
I mentioned agility several times, but what that really translates to is accommodating the speed at which business processes must run in order for the business to survive without compromising our security posture. So there's obviously this, this tension there that's always been there between, you know, friction and security.
So, you know, what does that translate into this laundry list of new things? Not only are, are businesses moving faster, but they're also adapting to their own challenges, which haven't traditionally fallen into the realm of security, right? So there are new privacy regulations, new ways of orchestrating business processes.
Sometimes, you know, entire teams are, are devoted to, to orchestrating things through APIs. You know, we're seeing new architectures with microservices and we're, we're seeing security start to blend with all of this. And a lot of, you know, decisions being made require near real time adoptions. The question is, you know, how are these security decisions being made and, and, and what informs them.
And, and this is kind of the, the framework we want to use to, to think about how businesses are making decisions because every, every business, every business decision lies on, on this spectrum upgrade this sort of decision making spectrum on the one end, you have completely manual intervention. Well, on the other hand is a perfectly automated practically instantaneous intervention. So every business lies somewhere on the spectrum. What's interesting is that they're actually moving towards the automated end sometimes whether they know it or not.
And from an identity governance perspective, we're looking at, I mean, if we, we kind of apply that to this spectrum, we're looking at, you know, on the one end manual approval of individual individual access requests and then moving to bulk, moving to APIs and automated provisioning to eventually eventually on the other end of the spectrum, you know, analysis, proactive provisioning, and deprovisioning based on a highly adaptive and constantly updating real time artificial intelligence. So there are a couple of key takeaways here.
One is that businesses aren't automating at a near convenience, right? That they're doing it from a shareholder mandate of profit maximization. I know this is getting really broad, but I hint that this earlier, I'm gonna call it out. If businesses don't automate they'll die.
So, I mean, if you have two businesses and one decides to automate while the other doesn't, the latter will setters para be paying higher variable costs, you know, and returning less profit to, to shareholders, shareholders, can't, you know, compel the business to maximize profits that leave. So the business could be, it would be driven to extension by competitors who are obligated to maximize profits, partly by reducing costs through automation and security needs to accommodate this. So it's a tricky situation.
And the other, the other takeaway is that, you know, since we have to embrace automated decision making, we, we need more, we need to do it well, and we need more data. The more data we have, the more informed our identity decisions become and the better those decisions can be. So in this context, you know, I IGA needs to evolve again. It's gone through this course of 1.0 and 2.0, and as we move to the right and things get more complex, we have, you know, a perimeter list environment. It's more contextual based on relationships.
You know, identity governance needs to evolve. I mean, con and context is important.
I mean, security began with a perimeter approach and, and it was pretty simple. You build a wall, you make it big and strong and, you know, hope nobody gets past it. But as businesses evolved, the surface of control, you know, expanded and new technology trends emerged and became quite evident that a wall approach to solving problems, isn't just myopic. It's dangerous. It gives a false impression of safety, you know, which of course filled with its own moral hazard problems. And there are so many ways to get past the wall.
You go, you can go up the wall and over the wall, you can go under the wall. You can go through the wall. Once you pass the wall, you have cart blanche access to just about everything.
Moreover, because you got in data exfil simple, you just send it back the way you got it. Right. So IGA and Ian more broadly have evolved to cope with some of these scenarios instead of a, you know, perimeter security, we kind of today is effectively like micro perimeters around specific systems and identities and other resources, right? And we've been able to do this fairly well, you know, even incorporating some elements of automation into various governance and, and, and identity use cases.
But we, we need even more granularity because as businesses, you know, need flexibility to incorporate more complex relationships and as they become more comfortable with automated decision making, you know, security in general, you know, it'll have to evolve. And that, that brings us to something I mentioned earlier, the concept of zero trust and zero trust as a security concept, you know, it's not really that new most security professionals and even newcomers that feel are familiar with the, the principle of least privilege. So it makes zero trust.
A fundamental shift is the fact that it it's now practically applicable, right? So in the context of that IGA diagram, we just saw zero trust is very far along the curve of what we can foresee. Kind of like the 3.0 scenario now, true adoption of zero trust. We realizing what identity is logged into the system automatically providing access to only the resources that identity should need monitoring the identity and updating its risk in real time, you know, automatically provisioning and deprovisioning.
According to that, that risk that's, that's constantly updating and doing all this while maintaining the privacy of that identity and the security, you know, of all associated resources. So this is, this is a, a tall order and the, the only real way you can do this is with lots of data. So I guess what we're saying is, so zero trust at its core is data centric. And in order to obtain a granular enough understanding of identity and the appropriate context for relationships between identities and resources in the greater enterprise data is crucial.
And moreover, as, you know, as, as decision making becomes more automatic, whatever risk or intelligence engine, you know, or platform you have, whatever you wanna leverage, it requires data as its primary input. So semantics approach to zero trust is of course data centric.
I mean, this is kind of a, a broad diagram. You have the, the people and devices, you know, going through various security systems and, you know, elements of control and risk assessment trying to get access to various resources, but it's data centric. And what stands apart for, for us is, you know, our ability to draw not only a wide portfolio of identity resources, but also our ability to leverage the global intelligence network. And for those of you unfamiliar with this Symantec maintains actually one of the largest civilian data repositories in existence.
And what, what makes this source of in information still more compelling is that it draws upon non identity security data as well. Talk about endpoint protection platforms, secure web gateways, you know, a P T protection, you know, all, all of this are part of Symantec's broader security portfolio and they feed into the global intelligence network.
So it's, it's already this massive data set and, and it's growing at a higher rate than most other data sets because it's drawing on more data for more products across most areas of security. And, and this is important.
I mean, data is an essential element for contextual decision making, you know, so we have lots of data. So now the problem becomes now the problem becomes, you know, organizing that data and, and drawing it out for, for the best possible, you know, security and, and operational outcomes. So to this end, you know, we, we strongly favor a, a platform approach to which there, there are several benefits and I should know these kind of these overlap quite a bit for the precise reason that they're provided by a single platform.
I mean, fir firstly, there's, you know, there's the, the closer, the inter the integrations between security products, the greater likelihood in any intervention resulting in a secure outcome that just kind of, it makes intuitive sense. I mean, sure lots of governance solutions can claim to integrate with a given authentication solution, but can they both integrate with the same privilege access solution? Both of them can they do it together while incorporating the same measure of risk into their product visions and roadmaps accommodate each other, and are they organizationally aligned?
And so point solutions, you know, they can tip most of the, the use case boxes, but with digital IM we're already seeing the lines across business use cases and business and solutions, security, and otherwise, and all these deployments, this line gets blurry. It's pretty easy to conceive of a situation, which, you know, one point solution integrates with another, you know, it feeds it data. And the other solution can't readily recall where the data came from. It's pretty easy to conceive of that.
And, and how, how is that contextual enough for an informed decision that preserves, you know, security let alone privacy, because privacy is a big part of the conversation now, too. I mean, and another major benefit I, you know, I should mention of this, of this platform approach stems from the reduced transaction cost of the integration.
Again, you know, it's, it's possible to integrate point solutions, but what about maintaining those integrations, right? There are security benefits and a, and a platform approach. Sure. But a common delivery vehicle for security services significantly reduces operational overhead feeding, you know, into that agile, that sort of business agility that we wanna see.
And finally, you know, there's a visibility element to all of this, right, which has practical implications from a governance standpoint, it makes a big difference, you know, when logging tools or talking the same language and feeding into the same reporting tool, it re this again, you know, it reduces operational overhead and it provides a larger lens for security and, you know, for security insights, for audit and compliance insights, just kind of better visibility in general.
So taking taken together, you know, the, the transformation of, of identity in, in the, in the digital world, adoption zero trust and the implementation of data driven decision making for, you know, identity governance, but not just for identity governments for, for the broader enterprise it's, you know, and, and doing it in an integrated platform takes us well beyond identity governance and identity management. It's kind of a fundamentally different architectural approach to security and business operations.
And, and here we have kind of a logical end state to this. And, you know, it incorporates lots of information and lots of different systems. And an integrated approach to this is, is, is really the direction that, that we strongly feel is, is, is prudent for, for security, for identity, for, for identity governance moving forward. And so with that, I think I can, you know, thanks everybody for participating or for listening and, you know, happy to take some questions.
