Event Recording

Expert Chat: Interview with Francois Lasnier


Log in and watch the full video!

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Welcome blessed to have you here. And you already had a talk. So you have introduced to the audience, maybe for the ones who might trust, started to a town to see when give a very quick I yourself and then we get started.
Sure. Yeah. Thank you Martin. In charge of the IM business line at Teles.
Okay. And the topic for, for this talk is work from home needs a better identity management, where, and how to modernize. And, but this is the topic we easily could spend probably a couple of hours on, but we decided to, to touch a few aspects. And the one, the one point I'd like to start with is bringing in another password, which is zero trust. And so the point I I'd like to look at is also from your perspective, why, why, why are zero trust architecture, such a strong foundational principle in modernizing your identity management?
Thank you, Martin. That's definitely a good question. And, and before I start, I'd like to make sure that I specify a little bit what I mean by zero trust because there are always, you know, I mean, two different views on zero trust. There is the network centric, zero trust approach, right? I mean, micro segmentation, next generation firewall and so on. And there is the identity centric, zero trust model. And for me, I mean the benefit and, and the, the two main foundations of a zero trust approach to identity and access management is twofold. I mean, the, the first one is that a zero trust framework really is a great opportunity to start shifting the control point, meaning how you want to define, you know, how users can access resources directly from the Perter. Right. So when it was based on, on VTN or windows log or any other type, you know, of, of parameter based decision to putting that decision in front of each individual resource and, and, and really there are a lot of benefits to that in terms of abstracting where the resource reside, right? And, and when we talk about future poofing, I think it's very important because today you may have resources that are on premise, right? And the RP system or an HR system. And, and two, three years from now, you may want actually to leverage that resource into a, a private cloud or in public cloud and having a framework, you know, that makes completely abstraction of where do his source reside, meaning you have an access policy that is based on, on, on, on, just on the, his source, right. Allows you full flexibility moving forward, right?
Yeah. And isn't it also, isn't it also that when we look at the work from home context here, what we've learned in the past 15 months is people don't sit in the office. So it's hard to start the control from the network level, but what we always know is, okay, this is Martin, this is the employee. He wants to access a resource. So, so I'm, I'm a big friend of saying the broader approach and zero trust, which takes identity in a, in a very central position with identity in a very central position is the, the, anyway, the more logical one, because that is where we can control the network who knows which network we are using.
Yeah, absolutely. And, and this is the other important aspect of, of the host is the underlying assumption that the, the network or where the user is coming from, doesn't really matter in, in a sense that you may enable more access scenarios, but you may take on the other hand, the appropriate decision of how you want to manage the scenarios. Right? So in the past, we had a very binary approach on how you users could access resource, right? I mean, with we're providing them a company laptop and forcing them to use that, you know, to access a resource, or we force them to connect through VPN. Now, you know, with a zero trust model, you may have actually different access scenarios. Let's say you may allow users to use their home device, you know, their by O D connect, you know, from wifi at the coffee shop and so on, so forth. But on the other hand, you can fine tune the policy based on that context. Right. And based on that identity, and that's the important part of the, because it really allows, you know, full flexibility of managing these different user scenarios, which in the end translating to better user experience and a better way to manage risk. Right?
Yeah. I, I would even dare to say that VPNs in some way are contradictory to zero trust because they are introduced to have something that people feel they can trust in. And exactly, that's not what we want to do. It might be seen as an additional security measure, which is a different perspective, but usually it's, it's seen as something to trust and zero trust exactly mean we must always verify we can't trust trust. So from this zero trust theme, and I think it is clear, we need to restructure the way we connect users and their devices to the services. But still the question is at the end, can't we do that with our standards, our existing identity management. And why should we start now also in a time where still many businesses are under pressure on the financial pressure in a time where due to all these changes, like work from home, like the shift to the cloud, there are so many different competing initiatives. So, so why start now? And can we start with something small now without risking to invest into something which turns out to be the wrong decision in two or three years?
Yeah, that, that's a very good point. And, and I try, you know, to cover that topic a little bit during my presentation as well, cuz we, we are convinced that there's definitely a pragmatic way of poaching, you know, modelization modernization and, and approach, right. To give you a good example. And, and maybe to illustrate the case based on, on some of our customer experience. So many organizations today, for instance, have a VPN and they have multifactor automation for their VPN access, right. And then they have windows log based and eventually on other form of automation and so on, so forth. So we call that the silo approach to, to manufacture authentication. I think some, a pragmatic, pragmatic step, for instance, for example, could consist in. So implementing, you know, a new security framework based on the zero model. So new access management solution and applying, you know, the access policy already at the Perter.
So meaning you bring your VPN under the, the framework of that new platform and you still apply the MFA to that. Beter so the, the, the integration effort is minimal because you just, you know, I mean, replace the old MFA with that access policy based MFA of that modern IM, but you, you don't change immediately the security model. And then you can gradually, you know, start thinking about applications that today are within the parameter of your VPN solution, right? And you say, what are the applications that eventually I can move outside my parameter and, and build an access policy dedicated to these applications. And really this is, you know, a way that is beneficial in from multiple angles. I mean, it can on casually, but at the same time, it then provide a consistent user experience in terms of authentication, because you are not going to disrupt how then users are gonna be authenticating to access these resources. Because now you have a framework where the alternation remains the same irrespective, you know, of the scope of, of your, your platform. Right? So,
So, so, so, so, so you're in effect, achieving two targets, at least in, in one step, which means you increase the convenience for users by saying it's one way to authenticate, but you also start gradual in an area where you have the biggest risk. And we all know multifactor ation is something which helps us in mitigating many of the risks, because it's far, far more difficult for the attacker to overcome a multifactor indication than to pass a single factor or standard user name, password classification.
Correct. Go ahead. And, and you improve your security posture at the same time, because under this model becomes easier to expand also the M coverage, right? In many organizations today have MFA only for VPN, for instance, right. And they may have, you know, I mean, no MFA or some MFA for cloud applications. Now, all of a sudden with this pragmatic approach, you can start expanding, you know, the, the coverage of your, your MFA and, and really improve the security posture of the whole. Right?
Yeah. And, and when, when you talk about policies, then one of the things which I would say very quickly come into, into play source context. And, and there, remember when we did, I think our first European identity conference, which was, I think, 2007 or something like that, we talked about context, aware access. We talked about context based authentication. And right now it looks like context becomes something which is really a normal. Why do you feel that context is so important specifically at the age of work from home?
Yeah. Work from home or work from everywhere to a certain extent, right. And I'm, by the way of the opinion, personally, that flexible workspace is going to become a competitive aspect of recruiting low, the best employees, right? I think many industries today under threat, you know, of people that are disrupting or, or, or, you know, impacting their industry because these companies offer, you know, I mean, new workspace, new work habits, people, you know, can, can connect from everywhere using their own personal device and so on. And for companies that are still thinking, you know, in the old model that they can force, you know, how users are gonna connect, they need to use the company should laptop and, and, and connect, you know, through VPN and so on. I think these days are under threat. I think we all need to recognize that as an organization.
And that's where being able now to have a framework based on policies that take into account context, achieve actually your goal of maintaining the security very, very high, but more importantly, achieve the goal then of providing many ways now for employees to connect to resources, because taking into account the context, give that flexibility here. You can really have granular scenarios. You can say, if you're an engineer doing source code development, right, you will need to do that from a specific device because that's on the other hand, very sensitive, right? But on the other hand, if you want to access, you know, salesforce.com, or if you want to access some GI, you know, resources or your ERP system, we may be more flexible in, in how we're gonna allow you to access these resources. And that's where, you know, taking into account the context, the behavior, the risk analytics, and all of that, give that flexibility because now all of a sudden you enable users to connect through multiple user scenarios without compromising, you know, your it posture, right?
So that's, and, and going away from this, you called it a binary model where you say, okay, you're only allowed to do that, but not, that's always very, very strict going away from that. I think that fits on one hand to this work from homework from everywhere. And what you mentioned, this new work styles in tr my perspective also would be that this brings again, the, or this, again, highlights the need for putting a strong emphasis on identity and access management. Because at the end, we have a CRI on the user, lesser on the device, lesser on the network. And then again, we can control the access. So the identity at the beginning and the access at the end are the things where we really have a good level of control. So my precision would be that explains why I am so essential in every modern zero trust concept. And why we, on the other hand, either modern identity management,
Correct? Yes, absolutely. Yeah.
Okay. So context leads us and you brought us up this term a couple of times already leads us to policies. So we talk about policy based access controls for quite a while. Are we already there and how do we construct the policies is,
Think that's, that's a very good question. Right? And, and, and I think policies in the context of access management, you know, is part of what I call modern and access management, right? Because in, in the past access management was more defined as, you know, providing single sign on providing plumbing and Federation, you know, between identity sources and all of that, right? So IM used to be it tools, right? And, and, and now through policies, access policies and the auto trust model, it's really become now a security framework, right. But policies are, are very important to me because they draw many fundamental outcomes, right? The first one is that this is just what we discussed earlier. They now more access scenarios, right? It's not just an enough switch. Now, all of a sudden you can allow, you know, I mean, a wider range of access scenarios, but you take the right, you know, access decisions and the right control for each of these scenarios.
They allow better risk mitigation as well, including the ability to do security orchestration based on policies. For instance, if you, if for instance, you can adapt, you know, I mean, the decision you take based on things that happened just before, right? So today's the ability now also take an orchestration aspect of policy. They enhance the other user experience as we discussed, because at the end of the day, you know, nobody wants to force MFA all the time, right? So the ability to actually minimize the impact of multifactor authentication and actually reduce it to the payer minimum can be achieved through policies because now the policy will define, you know, under which circumstance you want to authenticate the user versus allow that user without being authenticated. And, and then it provides, you know, I mean more flexibility also in terms of, you know, managing the, the security policy around your applications, because for policies, you can, you can define that as well. Right. So that's why I believe, yeah, policies are very important. They drive many fundamental outcomes. Some that are related some that are, you know, user experience related. And they really prepare, I would say for how we should see the, the future of the workspace as well. Right. Where multicloud multi type of users, multi type of working habits and environments.
Okay. And you brought up our final topic already cloud. So last at least why must your modern Futureproof IM be cloud ready?
Yeah. So the by cloud ready clearly. I mean, we talk about two things here. We are saying that modern access management needs to properly protect cloud resources and all clouds multi-cloud by the way, because that's something also that is important. Right. And they understand a little bit the evolution of your infrastructure. I mean, at the end, the, you know, you have resources that are in private cloud, public cloud, and then some that are going to remain on premise. So you need definitely to have framework that can protect all these resources consistently, but the benefit also of leveraging an IM solution from the cloud as well. Has there are multiple benefits to that, right? These benefits are the same, I would say to, in terms of cloud conception, in terms of the always on aspect. But most importantly, there's something that we need to, to pay attention to many organizations currently also rebuilding, you know, many of their business applications through API integration with various type of cloud resources.
And, you know, we talk, I was talking to a customer in the insurance space that is building, you know, a applications on the insurance side based actually on, on APIs from different cloud and sources and the ability, you know, in this cloud model to also have an identity and access management framework that manage the identity centric, API access control is, is very important in this cloud economy. So, so clearly I think that cloud is important, not just from a target resource standpoint that we need to protect, but also from a consumption model for IM I think that the cloud based IM model, or at least the hybrid model for IM is the right approach moving forward.
Okay. Thank you. I think we could probably spend a couple of hours discussing this topic, but unfortunately we are already at the end of the time, so thank you very much. And I would say let's send back to any.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Erfolgreiche IAM-Projekte: Von Best Practices Lernen

Häufig beginnt die Suche nach einer Identity-Lösung mit einem ganz konkreten Schmerzpunkt im Unternehmen. Ein nicht bestandener Compliance-Audit wegen überhöhter Zugriffsberechtigungen, technische Probleme, wegen komplexer Systeme frustrierte User und eine…

Event Recording

The Role of Managed Security Service Providers (MSSPs) In Your Future IAM Application Landscape

Trying to “do identity” as a conventional IAM or Security workload with in-house resources and vendor platform deployments may not satisfy identity and access today’s requirements for IaaS, PaaS, databases and other cloud infrastructures. There are now a growing number of…

Event Recording

The IAM Fabric and How It Integrates With Your Cybersecurity Program

Architecture, operating model and governance are key viewpoints for every business as a whole and its subdomains as well. Depending of size of the organization, information security may be managed as single domain or divided into multiple subdomains. Viewpoints and domains are still static…

Event Recording

Identity Management and its key role in the Zero Trust strategy

Since any resource access is subjected to a “Zero Trust enabled” step-by-step process, where  policy engines define and enforce the appropriated access level, apart from device, network, identity systems and resources, we need also a “ZT enabled” identity…

Event Recording

Expert Chat: Interview with Neeme Vool

KuppingerCole CISO Christopher Schuetze engages in a fun discussion with Swedbank's Neeme Vool on what the future holds for Identity and Access Management.

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00