Good morning and welcome to EIC 2023, number 16 of all the EICs already, and it'll be by far the biggest. So I think we will have plenty of interesting workshops, keynotes, panels, and presentations. This morning we start with a series of workshops in various rooms, and it looks like you decided for ours. So I assume you want to be in the workshop Building the Roadmap for Your Future IAM.
If not, check the agenda for which room you should go to. In this workshop, we really will go a bit more practically into how you come from where you stand towards a roadmap. Four hours are not much for that.
So doing it in your own organization will probably take a little bit more time. But what we want to do is really give you a lot of guidance and experience from the advisory work and the guidance we give to our clients. So the workshop will be mainly run by Dr. Philipp Messerschmidt, who is Lead Advisor and Analyst at KuppingerCole Analysts, and Christopher Schütze, who is the Director of Practice Cybersecurity and also acting as the CISO here at KuppingerCole Analysts. I'm here as well. I'll support this workshop. I'll step in one or the other time.
So I'm Martin Kuppinger, for the ones who don't know me yet. I'm one of the founders of KuppingerCole and I'm the Principal Analyst. So my main responsibility is really creating research and working with the other analysts who are creating research, doing things like that.
So from an agenda perspective: welcome, we already started. Then there will be the introduction and the methodology, and you will quickly learn that we intend to run this as a workshop. So not as a death-by-PowerPoint approach, but really as a workshop. So there are handouts, there will be interaction required, et cetera. That's something that Philipp and Christopher will explain in more detail.
We look at the capabilities, how to assess capabilities, do that, as I've said, in an interactive manner, and at the end give you input from our end on how to prioritize and how to create a roadmap. And from a technical perspective, this is already a bit about how this will concretely work. This is also where I hand over to my colleagues, who will give you all the details on how to do that, but you should use the app. So if you haven't downloaded the app already, then do so now.
And I've learned that if you have the app from the past, you need to delete it and then load it again from the app store, because we switched the backend technology behind it. So just that you don't wonder why EIC 2023 doesn't show up in the app: if it doesn't show up, then best reinstall the app. Philipp and Christopher, your turn. Perfect, thank you Martin. And as Martin mentioned, this is a workshop. So you work and we watch, you know, the other way around.
We want to share with you our insights on how we usually implement an identity and access management roadmap with our customers. And the prerequisite here is the KuppingerCole app. That should also be the exact name in the app store, whether it's Android or Apple. And please delete the other one. This is really a prerequisite. If you haven't found the wireless access key, you can find it here. It's pretty straightforward: EIC23 should be the name, and the password ends with an exclamation mark.
So if you have it on your badge, the exclamation mark is missing there; that's important here as well. But as you know, we're a security conference. So for security reasons, we made it a bit harder to guess the wifi password. Exactly, the strategy was: if you don't join a session, you will not get the access key. That's the level of security we added.
Okay, so how will we run this workshop? As Martin mentioned, this is a very interactive methodology, like we do for our customers multiple times a month, sometimes a week. So we start with our framework. We will explain our KuppingerCole frameworks, the Identity Fabric. Probably some of you have heard about that. As always, it evolves year by year. So there's an updated version for this year, and the same for the reference architecture, where you get insights into what is in identity and access management scope for you.
Is it only a little focused area like only IGA, or is it really the big picture? This is what we usually also see as the challenge with our customers. Then we will go through all of the building blocks, and this will be more or less the very interactive part. You saw on the agenda that we will have around about two and a half hours, something like that, going through it. Here you need your app, because we will run polls, so you can rate for the whole group here.
And we have really a lot of people also online, and we will collect that and build an overall roadmap for maybe all of you people here in the room, but also share some documents so that you can do it by yourself, so that you have an outcome as a result for your organization. An important hint: everything that will be entered in the poll, whether, I don't know, access management is relevant for you or not, is not shared with the whole group. So it's really your individual result, only the combination of all of you is shared. So if only one attends, then for sure it's only his or her result.
And at the end we will go through the results of that. We will build the identity fabric for that, the reference architecture, and then share how to prioritize, how to take under consideration what is important, how to deal with things you already have, how to deal with, as Martin mentioned in a keynote one or two years ago, managing the zoo of tools you have. This will also be part of the end, in the last half hour.
Yeah, so that's basically the part. Also an important hint regarding questions, especially for our online attendees: please use the chat function or the question tab in the app. Here on site we also have a microphone.
You can raise your hand. This is something we can do. Important: if you have something, we need a microphone. Otherwise the online attendees will not be able to understand what you ask for. So just raise your hand if you have some question. Is there already a question? No. Perfect. Then maybe I hand over to Philipp, who's starting by introducing the reference... the cyber... we have too many fabrics now. The Identity Fabric. Yeah. Okay. Also a very warm welcome from my end. I want to explain the Identity Fabric, and the Identity Fabric is one of our very basic frameworks.
The idea of the Identity Fabric is to give us and you a better structure for IAM. So when we look at the left side here, we can see that there are lots of different identity types. So we have the consumers, we have customers, partners, workforce, services, devices and things. On the right side you can find access objects. So this is what those identities want to access. On the right side we have digital services, applications, platforms, infrastructure, backend services and legacy IT. In between we have capabilities, services and tools, and that is important.
It's not tools, it's tool types. So everything in between is needed as a functional feature or technical feature to enable the identities on the left side to access the data objects on the right side. So what is the importance of capabilities, services and tools? The idea of capabilities is that we go down to the very functional or technical feature. So that could be, for identities, the directories, unification and virtualization; for entitlements, the policy management; and so on.
So we can really go into the topics, into the details that we need to enable the identities on the left side to access the objects on the right side. To make it a little bit easier, we assemble those capabilities into services. So in the services column we see that we have the identity management services, and this identity management service can consist of multiple capabilities from the topics under the capabilities column. And the last column in the middle is the tools. So multiple services can be combined into a single tool type. We all know what IGA tools are.
And IGA tools deliver different services. Parts of an IGA tool, for example, can be identity management services and entitlement management services. And those services consist of different capabilities. That's the idea of the middle part. And since we are usually not approaching greenfield, we also need to integrate all those capabilities, those tools, everything, into an existing landscape, and that's where APIs, interfaces, integrations come into play. That's what you see on the top and the bottom half.
So on top we have the identity API layers, the connectors to digital services, to software as a service, but also on the bottom half the legacy part. So we have the connectors into on-premise applications, and this is pretty much how you can read the Identity Fabric. So why is the Identity Fabric important? It is important because it provides a certain structure for us. So based on what we see here, we can decide what we are talking about. Do we want to talk about workforce or employees? Do we want to talk about consumers, customers? It's completely up to you.
So we have a multilayered framework here where we decide which use cases we are following. We could talk about workforce accessing a Teams room or a software as a service. And that certainly requires different capabilities than a consumer that would like to access a software-as-a-service component. So this is where the Identity Fabric provides the structure for us. Christopher, anything else to add?
No, not from this perspective. I was busy sharing the slide, sorry.
Okay, any questions from the audience so far? So this is pretty much the introduction to the reference architecture. The reference architecture, and this is what we are showing now, goes one level deeper in detail. So based on what we've just seen, we are talking now about the building blocks and the capabilities, those capabilities that you see in the middle. Or maybe I explain the structure first so you might be able to follow. So the reference architecture can be read as a matrix.
So on the left side we have the core IAM, the extended IAM and an integrations part. On the top, the columns are important to understand: the functional topics, the functional columns. And there we have administration, analytics and risk, authentication and authorization. Above that, you can also see deploy time and runtime, and it is important to understand that we divide into those two dimensions, because not everything you can do in IAM is real time. You can also prepare certain tasks, certain objects as a prerequisite or in advance, to use them later.
On the other side, runtime obviously is a real-time activity. So the best example would be role definitions. This is a good example for deploy time, because an admin can prepare them in advance and can use them later as static entitlements, for example. And on the other hand we have the runtime part; that's where we create the rules, and while a person is accessing something, the policy-based access control engine can check those rules in real time to see if the access is allowed. So this is how we can read it.
And the deploy time is primarily used in the administration part and in parts of analytics and risk. And the runtime part is primarily for the authentication and authorization part, where we are checking accesses in real time when a person is accessing a certain service or a certain object. So in the middle, as I already said, we have all the building blocks and all the capabilities, and this is what we will talk about primarily in the next couple of hours. So two or three hours, depending a little bit on how fast we are.
The idea is, and I'll explain it again, we will explain the capabilities one after another. We will run two polls per capability and give you the chance to rate it for yourself. One rating will be the priority for yourself, so how important is that topic for you and for your organization. And the second poll will be around the maturity level, again for your organization. And we will take a look into the results, obviously, to share them with the group, but we will not display any individual results here.
And we handed out the handouts to give you the possibility to note your answers, so that at the end you have an overview of what you answered, how your maturity and your importance is, and what you need to derive a roadmap later. We have that prepared for 25 capabilities. So we will probably only cover the core capabilities here, not the extended and integrations part, but I think that's already a lot to cover. Anything else? We just have some questions from the audience. If it's okay, I'll jump in here.
Oh, now three questions. Are the sessions being recorded for later access?
Yes, they should be available on the KC Live platform. That's why we have the cameras here. Will the presentations also be available? They should be; if not, then it'll be available during the session at the bottom of the video stream if you join the app online, or just if you click into the session afterwards, maybe this evening. Will we get that?
Yes, it's part of the slide deck, and the recording is there. So again, if you have any kind of questions, just use the app or raise your hand if you are here on site. Good. So we are ready to dive into the capabilities. Do you want to start? Do you want to start? We could ask the audience. You want to start?
Yeah, maybe I can start with the first one, that is directory services. Usually, if we do something like this initial assessment with our customers, the first question is: what do we understand by it?
Is it directory services, is it an LDAP, is it some meta directory, whatever. That's why we start with a clarification first. A directory service is some kind of repository where you store your identities. This could also be another IGA tool, but usually it's some kind of LDAP where you have information: first name, last name, maybe email address, maybe also credentials, but that's not necessary. We have some examples here. So databases are also a possible thing here, IT hubs, or something like a cloud directory, some Azure AD, some Google Cloud directory, whatever you have.
And also important: the terminology within the organization. This is why we really use the slides. Everybody has specific names for it. So some acronyms are UAP, IGA, ADFS. It's also an option here. And as Philipp introduced, it's part of the core identity and access management. And if you want to start a journey towards a centralized identity and access management, or even if you're inside and maybe acquired other companies, you have multiple of them. So usually this is some kind of important thing, some kind of prerequisite, and that's the first important capability.
And Philipp, here you're a bit deeper in the process of voting in the app. Maybe you can share how we proceed.
Yeah. That's the answer. We have a question: is risk not running... not risk, not running, not a runtime thing? So this is still on the last slide, so I quickly jump back. So runtime, I introduced that for authentication and authorization? Yes. That is a good question. We have that part between deploy time and runtime. So there is this area that's different from the deploy time and runtime color. That's why analytics and risk is both. So we have parts there that are deploy time and there are parts that are runtime.
So yes, risk is also a runtime thing, not just runtime, also deploy time. But yes.
Okay, so what Christopher just did: that was not what I wanted. This is what I wanted. So you have just shared the poll. I've seen that on the screen.
So everybody should have some kind of notification in the app, and that's the interactive part. We have multiple of them, with a question being asked. Maybe I go through that in parallel so I can see what you have to do. So within your app there should be a polls section. If you join the session, in the polls section (I have the management view, sorry) there should be some kind of section called directory services. And there should be the question: how would you rate the priority of the capability for your organization?
And this means really: how important is this for you? Does this matter in some way, or do you say no, it's not relevant, we have something else? And I can see we have 42 responses already. 48 responses. Exactly. So did this work for everybody here in the room and also online? Maybe just paste in the chat if you have some technical issues here, because you have the honor: this is really the first time with this new platform that we use. That's why I also walk around a little bit, like, oh, how is this working?
For sure we had some training, but you know, testing and reality is always a thing. Sorry? Multiple... back in. Oh, cool. Good to know. So I don't share this with the whole group, otherwise someone is doing it.
No, he just mentioned if you jump back and forth then you're able to vote multiple times. Please don't do that. Otherwise our KC security will come in.
No, just kidding. Okay, then the next question directly, or what is the plan here?
We can share the results of the poll if everyone is ready. So can we have that on the big screen, the results of the poll? This was the question. You should have some kind of... so this is the view we have, by the way, if someone is asking a question. Now we want to see: how would you rate the priority of the capability? There should be a specific poll view for you. No? Okay. Otherwise I share it that way and I come back to you.
Okay, we have one question.
Yeah, we are going through the result of the first one. We have one vote for low, 18 voted for medium, and all others, so 80%, voted high for the first question. So to summarize, 80% of you, and also the online attendees, say it is really important to have something like a directory service.
Closed on display door.
Okay.
So this workshop will help you to define the maturity for each and every capability. And as I said, you can enter it in the handout. Now you have the chance to rate the maturity for directory services: how far you are in your organization, how mature you think you are within your organization. In the meantime, we will find out how we can share the results of the poll. Okay.
So yeah, perfect. Again, I have to share the results here by voice. I'm really sorry for that. But we will see that at the end. I already informed our technical team. Usually we should be able to display this on site, but now you need some kind of imagination here.
Okay, so do we have a mapping, because I was at the backend, regarding what is what here? A, B, C, D, E, F, G, J, K. But what was the question here? Maturity level. So 60% is the maturity level. Okay.
Ah, okay. So you have been... okay, okay, sorry, I was just checking in the background. Okay. You had the option to vote whether you have 10%, 100% or something in between. And to summarize, most people voted 50%, 60% and 70%. And then it's getting lower the more we go towards 100%, which, compared with other organizations, so not the overall organization we built here around the group, is a pretty normal result. It's really rare that we only have something around 10 or 20%. It depends a little bit on the people you already asked.
If you have more the technical people or more the senior management, this also must be considered here. Okay, then Philipp, we can jump into the next question here.
Yeah, we will. We have a question from the online audience, I guess, or from you at least; we have one.
So how do I rate the maturity? Is it how many systems are connected, or about the data quality? So this is where it gets a little bit tricky with the workshop here, in that we don't have that much time. Usually we do those maturity ratings as workshops. So in that case we can interact with the audience a little bit more than we can do with the 60 or 100 people that we have here now. So the level of maturity is a little bit how you think, or for today, it's how mature you think you are for directory services.
It's important to understand what the important factors for maturity are. One example could be, as mentioned here in the question, the data quality. It could be how many services you have covered. So think of an AD, for example: how many services are you covering via AD or Azure AD, how good is the data quality that is in there? Are there many leftovers from the past? I mean, we all know that. It could also be how many directory services you have.
Do you have a central AD that covers all the applications behind that and acts as a central point of administration? So those could be important factors for your maturity.
Martin, anything to add here? So, I think that there are two ways. One is just agreeing on a scale. The other thing is we have documents like our Identity Management Maturity Levels, or IAM Maturity Levels, published. And you always can then take these defined maturity levels and compare your own state against them to come up with a more standardized type of assessment.
But honestly, at the end, if you take a pragmatic approach and say, okay, I have my scale, I have agreed with my own group and the consultants, the advisors supporting you, then this will, as you see later on in this workshop, work out well. Because the most important thing is that you understand where you are more mature, where you are less mature, to be able to prioritize based on that. So I think, most importantly, don't make a perfect science out of it. It's probably somewhere between science and art, but it's definitely also a science part.
But don't go over the top here. There will be, at a certain point, little added benefit of being too exact in that, but a lot of time spent without this extra benefit. So I hope this answers the question. Back to Philipp.
Yeah, I hope so. I mean, in this case we are doing a self-assessment, right? Usually we are doing this in a conversation, in a workshop, and are discussing a little bit more with you than we are doing here. So in general that's the idea. So next we can go into the next capability, and this would be identity information quality management. So we all know that an IGA or an IAM tool can just work when we have, or if we have, the right information available.
And this also includes identity information coming from a source system like an HR or other system that is collecting identity data. This is where the information quality becomes very important, right? And to maintain that identity information quality, we can use different functions, for example cleanup, rewriting of attributes, lookups and so on. So the idea is to have very good identity information quality to support follow-up processes. Examples for tools are ETL tools: extract, transform, load.
We are seeing that sometimes HR tools are not able to fulfill the requirements between HR and an IGA tool. So there will be an ETL tool to collect more information, maybe also from different sources other than just the HR system. We see some of those processes built into an IGA to improve the data quality. And we have in general data quality solutions that are doing the filtering, the data cleanup. Maybe you know that, for example for Azure AD or for AD, there are some tools that are cleaning up those AD groups, as an example. Good.
We will again open the polls, both at a time this time. Both? Yeah, I think we can do both. So we save ourselves some time. Okay. And while you are thinking, I'm just disturbing a little bit, talking about the handout, because we haven't really shared the idea that you put down here your personal number. The poll is really only for the group. So if you want to make some comments regarding that capability, just put it on that slide.
You don't need to; it's just an offer that we can give. The colleague who was in the room is also looking for some pencils, something to support you if you don't have something yourself. That's just the point. And good news, we have also been able to fix the view-result issue. So from now on we will be able to share the group results. That's directory services. Question to the group: are all of you able to see the identity information quality poll? Yes and no. I'll try something: I close it and start it again.
Let's count: one, two... it's 15 seconds. Like, you remember, like unplugging something.
Okay, I reopened the first question. So all of you, except the people who answered, should have information about: how would you rate the priority of the capability identity information quality? I love technology. Are you joining by app or was it the website? Android?
If Apple, that should work. Okay. Maybe the basic stuff, like shutting down the app and starting it again... oh my god, maybe we start with raising the hand; that's easier at the end.
Okay, then I start the second question about the estimated level of maturity in your organization. Let's close now.
Yeah, it's showing the question. It should be open, I clicked. Is there some delay if I click it open? The second one? Yeah. Okay. I've just restarted the app. But if you did it exactly in the moment I did it, it has some delay of 10 seconds.
Okay, then it should be reopened. Maybe there's some traffic in the ILS network here. I don't know.
Okay, so let's check again, but please mention again if there's some trouble, and sorry if it's only working if you jump back and forth; this should not be the solution. So first of all, we try really to share the results of the survey. So in the best case we are able to see now the results of "how would you rate the priority of the capability" here. It worked.
Yeah, that's time for some... really, it is. Okay, so we can see most people, so 57%, voted high. So it is an important capability, or the priority of the capability is pretty high.
Yeah, it depends a little bit on the maturity of what the company is doing. What we usually also see is that it's more or even less important. We recommend having some good level of data information, or identity information, here. But usually the priority at the beginning is not that high. But definitely a recommendation.
Martin, you want to add something? No, no, go ahead. I am waiting for the next one.
Okay, then in the best case it should... Okay, the other one was just visible for a second, for the quick readers. Yes.
Oh, perfect. Okay. I think this is a realistic picture, maybe a bit overly optimistic still.
No, but I think we all know, at least the ones who ever ran through an IGA project, that identity information quality always is one of these things that pop up in the project. And I've never seen a project where this hasn't been a challenge, let's phrase it like this. And so at least we see the system is working. By the way, another proof, as I've mentioned earlier: we've changed the backend of our event system, and it proves "never touch a running system". So right now it seems to work, but until everything works smoothly, it also takes a bit. It always takes a bit.
So here are the numbers, and I hand back to Philipp. Yeah, with those numbers we can switch back to the presentation and go to the next capability. So the idea, to save some time, is that we will now explain the capability and already open the polls, so that you can go back, refresh the page, enter your maturity, so that we don't lose that much time in waiting for the polls. And the scheme here is pretty simple. The question is always the same, just the capability changes. So the next capability is onboarding and identity vetting. This is the password you should look for in the question or in the poll.
Philippe, Shall I talk about this? Yeah, if you want to Stop You. This is, this is definitely one of the newer capabilities.
So, so at least it's one newer part at the end of the day. The one is the more established part at the end is a bit identity proofing, but we, we have to admit that we usually don't do that much or don't see that much. For instance, remote identity proving in for, for, for workforce and for partner use cases. And the other part and click related to that is then also moving that into proves of decentralized identity, something which is definitely one of the emerging capabilities. So the idea behind that basically is that you say, okay, we have this, this concept of decentralized entities.
You will hear a lot about decentralized identities at the European Identity Conference this year. I will also talk, in one of the talks later this week, about decentralized identity use cases and how to make them work in the enterprise: ideas such as onboarding workforce people who are remote, which is quite common in the age of work from anywhere, by proving their identity, putting it into a wallet, all that stuff.

So that is basically the idea behind this capability, and hopefully it is growing. We saw some interesting announcements just recently around it, where you can then bring information from LinkedIn into your wallets, et cetera. So a lot of stuff going on here, but truly one of the newer capabilities, less established than directory services, for instance. Phillip?

Yep. So the polls are already open, and maybe you've already answered them so that we can have a quick look at the results. So the priority first, or just the maturity. We can also go with the maturity first; that should not be a problem. What we can see is that 60%... the priority is at 60%. I can also see it here. Nobody is saying that they don't have that, so that is good. By the way, what we just saw is that the question is regarding identity information quality management, not onboarding and identity vetting. So this is the wrong poll. Maybe Martin can explain something while I check.

I was just responding to some of the questions here. I think we talked about this already. Identity information quality, yeah. Didn't we? I already saw that this is the wrong one and already explained this, so I'm not sure what to add here. By the way, I just posted in the Q&A a link to the IAM maturity level metrics document. So onboarding and vetting is also seen as something which is very high. I believe it will become even more important, as I've said, in an age where people do not necessarily ever show up physically in an organization. And when you then extend from workforce to partners, which is equally important, then even more so. So maybe we already have the next results on the priority.

Yeah, wonderful. Standard distribution, I dare to say here. Honestly, I would say this is probably more on the optimistic side. So it would say that 22, 29, 30% of you already have decentralized identity integration in place and fully integrated identity proofing, like video identity et cetera, into the IAM. That would be quite a high number. So maybe you go back and revert to your own rating and think about whether you are really already at that level. I know we have a lot of very mature identity, or very experienced identity, people here, so that might be a bit better than it is across all organizations. But anyway, a bit too much on the optimistic side, I believe. Phillip? Good.
So we can go back to the reference architecture and go to the next topic here. That would be decentralized identity issuance. Decentralized identity issuance is all about, let's say, if you want to do the identity proofing part, you can also be a distributor here for decentralized identity. So you check whether the identity is the identity that it should be, you collect all the credentials at some point, and you provide it to other players in the market.

So one simple example could be a bank that is collecting information, collecting attributes, identifying the people using a good identity proofing process, and then providing all that information to other companies, so that they act as an issuer for those credentials and for that identity information. As you can see, and as it's written in the definition, the issuer is also responsible for the credentials, for the information. So it's also maintaining that information, doing the updates on that, having the processes in place, and you as a company or an organization can use that information, can utilize the results of the processes from that decentralized identity issuer. The question is if you are such an identity issuer, and later we have a capability just asking if you are consuming those services. So in that case: are you an issuer, is that a priority topic for you, and if you are, how mature are you?

Consumption of those decentralized ones, you know, for you, synthetic?

No, later we have a capability that's called decentralized identity acceptance. This is where you use that information. So for issuance, it could be the case that you, for example, use social logins for the customers. For example, Facebook is collecting your credentials and you are using the Facebook login, as one example. So that would be the case that you are a decentralized identity acceptor or user. But if you are an issuer, you could be, for example, a bank: you are collecting all that information and attributes and are giving it to some other companies so that they can use that for their single sign-on, as a federation, or something like that. I think a good example would be in Germany with the taxes. So when I hand over my tax declaration, I have to verify with my bank. So that's where my bank is a decentralized identity issuer to the tax company or the tax government institution. Hope that helps.

Yeah. No, yeah. Identity proofing can be used to collect that information, and this part is about providing that information. So basically identity proofing, and maybe I mixed it up a bit because I already had the ID thing here, identity proofing is really this: for instance, video identification, other forms of identification, automated, et cetera, and issuing them proofs for whichever party. And as I've said before, I see this really as something which is super relevant also for enterprises, for workforce, for partner use cases, not only for customer and consumer use cases. It is then a second step. And then on the other side, in this reference architecture, we will then also have this acceptance part, which then again goes into the authentication and authorization elements of the broader reference architecture. So I hope this clarifies this. Back to you. Yeah.
So if all questions are answered, we can take a look at the poll. What I would expect is that we don't see too much priority in that, and also not too much maturity, as I expected. I mean, obviously most of you are not issuing identity information, so that's why it is not that important for you. Probably we can see that with 41% on precise, 32% on low, 44% on medium. There are also a couple of organizations in here that have rated it as high. So that means that you are probably issuing those credentials.

Maturity... oh, we have a question. Oh, sorry. But you could also ask something. So this also displays in the maturity level. If you have no high priority in that topic, obviously you don't want to do anything in there. Obviously we have lots of organizations that have a low maturity and a low interest in general in that topic. Good. Okay.

So before we proceed with the next question: obviously you see it's now starting to work a bit smoother. Just for the people who joined lately, you need to get the KuppingerCole app for the conference, join the app, and then you should be able to answer the polls. That is exactly what we are doing here. So if you need some kind of material, just raise your hand, because I don't have an overview of who joined lately. Okay. And back to Phillip for the next capability.
Okay, so let's go back to the IAM reference architecture. The next building block would be identity lifecycle management. Yeah, me hitting the wrong one. So this should be a more familiar topic. Identity lifecycle management is all about, for example, the joiner, mover, leaver processes. That is what we all know. Meaning new people coming to my organization: how do I introduce them to the company? What do I need to do? How do I get the attributes? How do I get them provisioned to the target systems? What about birthrights? How do they get their entitlements?

So that would be for joiners. For movers, we have different questions, but the same game. We are using the same technical interfaces. For a mover, we have a change in attributes as a consequence of being moved from one department to another or from one role to another. And for movers, not the birthrights, but the access rights also change, so we need to change them across the whole landscape, across the applications. For leavers, I mean, you all know the use cases. We have a couple of different leaver use cases. The easiest differentiation is between the emergency leaver and the regular leaver. While the emergency leaver needs to be, let's say, expelled immediately, on short notice, the regular leaver is usually a planned leaver with a date when he or she wants to leave. And we need to make that happen: that we terminate accounts, terminate access rights, not just in the legacy applications but also in software-as-a-service applications. Did I miss anything? Anything to add? Probably not. Any questions? I think identity lifecycle management is a topic where you also have a good understanding. So are we ready to have a look at the polls?
Yeah, maybe in the meantime, just to add one thing: don't limit it to JML. There are way more processes. If you build a good process framework, we are probably not talking about J, M and L, three processes, but about 20, 25, 30 processes, depending on how you are doing that, including the management of entitlements, the lifecycles for entitlements, et cetera.

Good. My fault. So we only have a few responses. That's the old one. That's user lifecycle management. That should be the same. Okay. That's the right one. Okay. There's... that's the identity. Even if there's no... No, we won't start a philosophical discussion about user versus identity versus all these things here and now. I'll just take a seat and then we can start. I love this discussion. No, that's obviously some translation error. So the "user" question is regarding the identity. So maybe we give each other a few seconds to answer the question. Then we can see in real time, because okay, now we have more responses. So High with 83%. How important is it? Okay, usually it's more, but 84% and still counting upwards. Okay, so this is really a high number.

We have, I won't say the exact number, but we have some who really say it's not an important topic. And that's really interesting. Those people who voted that way, please come to me in the break, because maybe security and identity are somehow related. But not blaming someone: this is really the intention, to verify that. And if you do this with your senior management, technical guys, whatever, in a big group like that, and you realize one of the senior managers says, "I was at EIC and now user lifecycle is very important," and then the technical guy says, "No, I have no time," then you have something to discuss about.

Martin? Yeah, but to hint on that: never, ever do it in a big group like that. More than 100 people in the room won't help you in the discussion. No, pick the right people. Usually you have a group of between, I would say, five and eight, maybe one or two more, but that's too big. But the other thing is, and that's where I fully agree with Christopher, at the end the most valuable part of this exercise always is the discussion. It is where you say, okay, the one sees it that way, the other person sees it that way. So this disagreement, at the end of the day, is what really is the most valuable part, because it leads to discussion about, okay, where do we have different perceptions? Where do we need to change things, or where do we maybe just need to better explain what we already can do? The art always is, with a disagreement, to calm down those things again. And in such workshops, some say, "oh no, we are super in that," and the others say, "oh, this always fails." But at the end it's also part of the exercise, these learnings, these discussions. So pick the right group, including the ones who might be a bit more skeptical regarding the maturity and the ones who are super convinced. So not only use the IAM team, but some people around.

Exactly. And finding the right people is also really challenging. Sometimes it depends a little bit on the organization and how you run something like that. Okay, then let's see the results of the other question. It's working great. Still a little bit surprised here. So G is 60%. So most of you say 60 and above percent is the level of maturity for identity or user lifecycle management within your organization. On average, this is, I would say, a bit higher than usual, but again, it depends on the understanding. So it's changed again. The 60% are winning here with 24%. You don't need to change it when I say something, don't be afraid. I don't see the names, I just see numbers here. Okay, then we close that question as well, so nobody's able to jump to another one. Then next capability.

Yeah, just a comment on this one. It's always interesting to see that there is one person saying we don't have it at all. I hope that's the tech company that's not interested in people. And we have 3% saying, okay, we are at a hundred percent. That's also interesting, because those are the people we can learn from, because obviously the mover and leaver processes are working perfectly fine. So it would be interesting to share the best practice on how you get there. But of course this is also a perfect example where we can show that in a workshop, where we are face to face with a smaller audience, we can discuss those results a little bit better, so that maybe a 60 or 70% becomes more of a 40%, just as an example. So the next capability is one of Martin's favorite capabilities, and I would kindly ask him to explain that.
Just responding to that question first. And I can... Okay, so we have this term CIEM, which is just somewhat established, not to mix up with CIAM, so CIEM, cloud infrastructure and entitlement management. When this topic emerged, we also coined the term DREAM, for dynamic resource entitlement and access management. Basically these are very closely related. The main difference between them is that our definition is somewhat broader, because we have dynamic runtime or workload environments which are not on a public infrastructure-as-a-service environment. They may run in a virtual private cloud. Kubernetes environments can run more or less everywhere. And so our intention was to take a bit broader approach, but at the end you can use it pretty much similarly here.

And the background of all this is, in the past we were looking at, for instance, when we take privileged access management, we said, okay, we have humans and we have servers and we have administrative access to servers. Right now we have to deal with a lot of applications that are built in sort of an agile environment, DevOps, that are then pushed out to certain runtime environments. And then we have services and we have resources in these environments, and we have the access. And this is widely out of control today. It's one of the major security gaps we have in most organizations, because we don't really have good CIEM. We saw a number of tools emerging. We already saw some major acquisitions, like Microsoft with CloudKnox Security. We see the PAM vendors shifting into this space, and it's really a super important, essential capability to be able to control this access. And this is something which is, by the way, bigger than just a modernized PAM, because there's also an IGA aspect in that, which means how do we manage the entitlements, how do we manage the identities of the services? So the silicon identities, all that stuff. This is something we need to do. A huge topic. We definitely have a couple of sessions around that all over the conference. Here we are asking just where you stand. So basically the answer is: if you have a good grip on all cloud resources and which service or user can access these cloud resources, then you can score your maturity high. If not, then better stay on the sort of left-hand side of the scale later on. Priority-wise, if it's not super high, I would raise a question mark here.

Okay, let's go ahead. Let's skip to the poll results, and Martin, maybe you can even say something about that here. Yeah, you are also involved. So I give you a little bit of time. As I understand, this is still a dynamic thing, so that may change a bit. So if you run an infrastructure-as-a-service environment, if you have something on AWS, Azure, Google Cloud Platform, virtual private clouds, et cetera, and if it's then not on CIEM, then give it another try, because this is a huge, huge security risk.

Okay, then let's see the other question. Okay, this looks way, way more relevant. Okay, I'm okay with that. Okay, done. Next. Which, by the way, could give you some guidance for the future, for the flow of this workshop. So at some point later we will talk about how this goes into priorities. If you see such a graphic and see it combined with something where the priority should be high and the maturity is very low, what does it mean for your investment plans? Not needed, except the advisors and analysts say something else to you.

Okay, so just to summarize with the numbers, because we cannot see here: C is 20%. I closed the question. C is 20%, the top response, and then we have 30%, and 40% is E. So that's the area here and the most important range. And maybe again a few words about how we do this here. So if we are really on site with a customer, or even remote, and want to build some kind of roadmap, we are not using some poll mechanisms, but we really use numbers, sometimes some kind of scorecards like you might know from Scrum or whatever, to really get numbers, to get a feeling and an understanding of value. Some quantitative measures to really build some kind of roadmap and get an overall agreement on how important it is for the organization. This is really what we try to transfer today as well, even if the app was a little bit buggy at the beginning. I think we handled that. And then we can jump into the next question, which is about entitlement management. So back to the reference architecture. Could you jump back to the slides? Thank you. Entitlement management, and this is an interesting category. Entitlement management is also a discussed capability.
Also within KuppingerCole. Formerly, it was also known as role and entitlement management, but we reduced it to entitlement management, thanks to Martin. Entitlement management is all about entitlements, permissions, but also covering roles. So the idea of the entitlement management capability is: how do I handle entitlements? We all know that we have lots of entitlements: AD groups, Azure AD groups, entitlements and permissions within our applications in the target systems, we have it on infrastructure, it's pretty much everywhere. So entitlement management is also covering the roles. We all know that. The approach in the past, and also probably in the future, will be to create roles, an RBAC approach, combining those permissions, those entitlements, into roles, adding information, adding criticality, SoD criteria and responsible persons, for example, and providing that all over the company, enabling people to get a better understanding of what the permissions that we have combined into roles are doing. But entitlement management is also covering the idea of the policies behind that. So what we've also seen is that, besides the roles that we have combined, there are also rules applied to those roles. Usually we see that at the minimum with birthrights or organizational roles, where they are distributed based upon attributes like the organizational tags or the workplace descriptions. So this is the very first step of policy-based access control. What did I miss? Hopefully nothing. We also have the lifecycle processes around that. So how are roles and entitlement information maintained? This is also an important thing, because I've already seen some organizations that launched big role and entitlement projects but didn't make sure that those are maintained. So this was more or less a one-time investment. And I think we already know that this is not working with roles if you're just doing this one time and you don't have any maintenance processes for that. Yeah, I see some people nodding. Good. Okay.

Martin, anything to add on that? Good. So polls are open, and I think we can already switch to the poll results. And I hope to see that, because this is an interesting topic in itself, because entitlement management and especially PBAC, policy-based access control, is a topic that is becoming more and more important to handle the amount of access rights that we have, especially when we are looking at software-as-a-service components. Again, I would like to see the 3% or 2% that are saying A. I hope that is a single-person company or something like that, or less than 10 people, because at the point where we are getting to more than a hundred people, it gets more and more complicated to stay in control when it comes to permissions. At least that's my personal feeling.

Exactly. And it's one person who responded. Maybe he wanted... he or she... No, not really. Maybe it's also an online attendee, but this is really interesting. Maybe this person also says it's from the other end: we already did everything around entitlement management and we have 100%, so I don't care anymore. But never seen that. Okay. Then jumping into the next question results, which is about the estimated level of maturity for your organization. 60% is the highest number. I close it. 60% is the highest number. We have 21% who say yes, we have a 60% level of maturity around entitlement management. Again, here it is a little bit, how did this work? Again, here it is a little bit interesting that a lot of people say we have around 40, 50, 60, 70, even 80% level of maturity. I would be happy to discuss and challenge this. Usually you ask five questions and then it's a bit more in the area here on the left side, especially around what Phillip mentioned, the lifecycle management of entitlements and also the metadata. So knowing who is responsible for which entitlement, which is assigned to which role, which is assigned to which asset, IT service, whatever, however you built it. And that's really challenging and really highly integrated into the normal user or identity lifecycle management process, exactly around mover and leaver. So really a challenging topic, and if you are in the area of identity and access management, or even interested, you know that that's something we all have to deal with, that there are for sure some tools that support on a certain level, but at the end it's not the most favorite topic usually within organizations. Okay, then we can jump into the next capability. So could you please share again the... thank you.
Yeah, so one more hint from my end here. This is, by the way, the first time where you can really use the numbers on your handouts. Entitlement management, especially the rule-based part, relies heavily on identity information quality and on the attributes that are collected earlier. So when you have a low level of identity information quality management maturity on your sheet, and you have a high priority on entitlement management, and you want to go for a PBAC approach, you should question yourself whether your organization's attributes and identity information are ready for that. Okay? And this is where we get to identity provisioning.

Again, we have discussions about the name, of course. This is all we have about provisioning in general. So it's not just identity; we have called it, or we named it, identity provisioning because we understand all the attributes, whether it be organizational tags or static roles, are covered by the identity, and that's why we call it identity provisioning. Other companies are calling it just provisioning. The idea is: how do I get the information of an identity, whether it is a tag, a name, an account, an entitlement, how do I get that from my central point of administration into the target systems? This is identity provisioning. And the idea is, in the best case, to do that in an automatic way, that we have an interface that is handing it over to the applications. And the more applications we have connected to the central point of administration, the better I can make use of policy-based access control, the better I can make use of my central administration. And in the best case, you have a hundred percent of applications connected, and also in the best case you're getting information back from your applications, so that you can work with the information that you're getting back from the applications as well. And identity provisioning, and this is another good example, is also one of the capabilities that heavily help other capabilities to shine. So later we will get to the capability around re-certification, for example. This is where identity provisioning is also very important. So the question here: how many connectors, how much of your landscape have you automated by interfaces? How good are the interfaces? So what attributes are sent to the applications? The more, the better. Polls. Oh, questions, if you like. We have a question. Christopher, do we want to go with the microphone that far away? Maybe we can start here.

Speaker 10 01:13:05 Good morning. Good morning.
You said the more connections, the better. Our experience has been that a lot of your default IGA and IdP applications only have a few, if any, secure connections for their APIs or their callbacks. When are the commercial products going to start providing more secure connections, so that you're not leaving yourself open to other vector points?

Good question. So the question is that you're saying some or several of the commercial products don't provide secure connections between the IGA solution and the target systems, correct? Correct. Christopher, maybe a question more for you, because you come from the implementation side historically. Never seen something like that, basically. And this is, if we can, can we jump back to the identity fabric a little bit? The identity fabric is a meshed concept. Maybe we can see it. That's possible. Identity fabric. Yep. My fault. My fault. Okay, then I just start to tell: the identity fabric has some layers here. Exactly. So I'm too small for that. So we have standards, connectors and things like that, and somewhere there should be an API layer. So usually what... identity API layer. Exactly.

So what our idea of the identity fabric is, since you said that we have these multiple products which have no secure API endpoints: you add some additional layer, maybe an API management tool or whatever, which integrates in both directions with an IGA tool, talking to maybe an asset management, maybe to a directory if necessary, managed via API management, but also offering to additional applications, like a cloud application, whatever, some endpoint where you can do the things you need via a secure endpoint with authentication, all that stuff. So we add an additional layer to those products, to answer your question. And then you have the secure capabilities and can extend. And the best thing is, the fabric concept is, you could even change your IGA tool after five years, 10 years, whatever, or add an additional one. So really we offer an API. This API is secure as you implement it; for sure it depends on the tool you use, but then you have the capability to exchange it and have secure endpoints. And we have another question, if this answers your question? Yes. Perfect. Thank you.
Now you.

Speaker 11 01:16:02 Yeah, good morning everyone. So I have one question related to the last remark you made on the number of attributes you would send downstream, or that you would provision. We are currently really debating if, and how many, attributes we should actually provision from an IGA solution, as many of the attributes that we hold are actually, yeah, from your system of reference, from your HR system. So should you be sending employee-type data to other systems, like your organizational position or attributes that are really related to the employee and not so much to the identity?

So that is another good question. I think Christopher and I encountered that while implementing IGA tools already, and I think that's not a question that just you have. So this discussion is encountered often, I would say, and by the way, it's not just encountered for IGA, it's also encountered for customers, it's also encountered for other types of identities. And I would say there is no answer that I can really provide that says, okay, you should do that, that and that. I think you need to explore that a little bit for yourself. My personal opinion is: you collect as much data as you need to provide a good level of automation. Passing down attributes to applications is always a good question, because you need to see what they require to make sure that you have the right stuff. One little side story from my time as an implementation consultant in a bank: we connected a trading application, and they were heavily relying on personal data from your ID cards. So, for example, this is one of the confidential pieces of information that you usually don't have in your IGA tool. This is where it gets more and more complicated, and this is where you need to question yourself whether you want to be that kind of data-providing central administration that is collecting everything and sending it to the applications, or whether you have some kind of ETL tool that is collecting the data and you are just sending it but not collecting it. So that could also be the case, but in the end you need to make sure for yourself which data you need and which data you want to pass over to the applications. In that case, with the banking application, we have not done that. We have not taken this ID card number, the attribute of the ID card, into the IGA and didn't pass it to the application. So that's definitely a discussion you need to lead in detail and see what the application needs, where it gets it today, how that can be done in the future, and whether it is required for automation. Hope that helps. Good. We can just talk about it afterwards if you want. Just come to me. Other question? Always at the end of the room. That was the benefit of online events, but good for physical health. Yes.

Speaker 12 01:19:40 Thank you.
We, we also have capability identity federation, we will later get to that. But when we look at the functional features on the, on the process level, it pretty much comes down to what we were already hearing. Also for federated identities, at least as far as I understand or what I understand under federated identities, we have already talked about identity, information quality about identity proofing and so on. So all those capabilities are also applying to federated identities as far as I understand that.
And when we talk about the federation part, we have that here in authentication on the right side. So identity federation will be a topic to the end of our, our session at least. I hope we have the time to get there. We are will, will be a little bit tough, but as always we are at the timeline.
No, no, no, that's not true. Okay, so let's see the result of identity provisioning. In the best case it should be shown Hyde question, Which to the Paul?
Okay, identity provisioning the level of, or no, the priorities 83%. Again, we, we have probably one or two people in the room that that should talk to us at the end.
Really, I don't know whether it's always the same one. Okay, that's no surprise. Identity provisioning is a big topic and identity provisioning is one of the best topics. You can automate a lot. You can improve quality security and all that stuff and at the end, if you are really good, save some money around processes and that stuff.
Martin, you want to add something Not directly on that. Trust the hint that there are, that's super, super super. There are so many questions coming in. So I'm already have sore fingers from responding to all these questions, but I'm currently responding so I'm not doing something different. I'm really responding to the questions all the time here.
So you'll find the responses to the questions also in the tool in the app, if you haven't noticed it yet, sometimes I say reach out to me or reach out to the team, you can always reach out to me, you'll find me on LinkedIn, my email should be well known mk co or call.com. Just reach out to me or grab me here during the event for the questions I can't fully answer in a 500 character limit response. Perfect. And maybe if you have a really good question, Martin is, Martin is happy to answer this in a video post on LinkedIn because he loves it.
Okay, so coming back to the whatever this morning. Yeah, so please like his LinkedIn, sorry.
Okay, I didn't want to make too many jokes here. So identity provisioning, how is the level of maturity in your organization? And interestingly we are only jumping around 50% with the most responses. So this is column F. It always depends a little bit. Maybe it's changing while I'm talking. Again, 50% is a good number because it depends on what you want to achieve.
I mean identity provisioning could also be, and probably all of you from bigger organizations have this, like the famous email provisioning or adding a ticket in a ticket system, which is then manually fulfilled by the IT team somewhere. This could be called identity provisioning, but maybe we have something else in our mind. So this is really one of the most discussed topics within a workshop: what is really the level of maturity?
And the reality is, I think the 50% is pretty much good, especially if you go more towards cloud combined with, let's call it, legacy applications. Okay, then let's jump into the next capability: user self-service.
Yeah, I mean, have you seen that we again have one person, or 1% of the persons, with a maturity level of zero? I hope that person is using birds or something.
Okay, user self-service. And this is an interesting topic to discuss. We also have the ITSM capability in the same column, but user self-service is all about enabling the end user to do something. It doesn't matter if we have an ITSM in place to do that, but the user self-service capability is all that the end users can do in your organization. It doesn't matter if that is requesting an access right, changing the telephone number, changing any other identity attribute or doing role maintenance, answering re-certification campaigns.
This is all user self-service. And the question is also resetting passwords, also a topic for user self-service. So the importance of user self-service is to enable the end user, and the better I enable the end user, the less work is in the admins' responsibility. So we all know the approaches of, like, 10-people companies. So they have one admin; if I need an access right, I call the admin and the admin gives me the access right. You can probably not do that anymore if you have 10,000 employees, right?
Or you have a lot of admins, that's the other hand of that, but hopefully you're not going that way. So hopefully you have a self-service and people can request access on that. We are also seeing that on an increasing level with decentralized identity that is coming in for HR, that people are able to maintain identity information for themselves. But I would consider that a trend. So this is nothing that you have in your mind when you are talking about the maturity level. Question here: user self-service, do you have one? That would be good.
How much is it covering? So are we just talking about access requests? Are we talking about password reset? But maybe we are also talking about identity attribute maintenance. That could also be a thing. Did I miss anything?
Yeah, so I think those are the most important topics in user self-service. Any questions on that? Christopher is again sitting, so any questions that he can run around?
No, nobody in the end of the room. At the microphone. So let's switch to the polls. Could you turn on my microphone? Thank you.
Okay, so user self-service, how would you rate the priority of the capability user self-service for your organization? And it's high. Christopher, he probably muted you because of the bad jokes you've made before. But good guy, it's always great to get support. Okay, so high is the priority and that's no surprise because, as Philip already mentioned, you can minimize the IT tickets or the support tickets a lot if you have a good user self-service, like password reset as you mentioned.
I mean, in the best case, and this goes more on the identity provisioning part, user self-service could also be like the famous Amazon store for entitlements and all that stuff. You have a high level of automation here. So there's only a small amount of specific access requests you need to do by user self-service. And then it's really only about: you have an issue, you need a password reset or something is really not working. But this is more and more important, or less important, depending on your view, the more you have around identity and access management at all.
So the priority is not a big surprise here. Now let's jump into the level of maturity. Most responses are close. The most responses we have are with D, which is 30%. So 20% say our level of maturity is 30%, and then it's really an interesting wave. We have some kind of peak with H, which is 70%, and no one says we have 100%, that's no surprise. And two people say we have only, that's a different number, 3%, 10% level of maturity here. So this would be an interesting discussion if we had a smaller group and could talk about what you have here.
But it's no surprise, if we have so many people from smaller and bigger organizations here, that it's like that. So usually the bigger organizations are more on that level because they have something like an ITSM and IT team and user self-service help desk and all that stuff, and the smaller ones are more here.
Okay, then let's jump into the next capability, which is access governance. Yeah, so since we are just focusing on the core IAM parts, we will go to the second column. So the first column is done; second topic, analytics and risk, and the first building block, the first capability, is access governance here. And access governance is one of the bigger capabilities that contains a lot of features, a lot of topics, also a lot of interesting topics. So in access governance we can find re-certification.
We find the access request process and a lot of risk and role mining, or not role mining capabilities, but a lot of risk topics. For example, we can see that here. Key questions: who has access to what? Who did request the access? Where did it come from? So those are all the questions that we have in there. Segregation of duties is a topic that we can also find in here. And, for example, also important is the risk level or risk score of access rights or entitlements, roles, whatever you have. So this is all part of access governance.
Okay, let me explain a little bit more about that. So especially when we are talking about the access request, the risk level of your access object is very important. So that's why we need access governance. The higher the risk score, the higher the SoD score, the lower the number of people that should have that access right. So this is one essential part of access governance. Also in here is the access recertification. I think you are all familiar with access recertification.
So the least privilege approach can only apply if we regularly check if people are still allowed to have a permission or an access right. And this is where access recertification comes into play. That should be done at least once a year, maybe twice a year, depending on how critical the access right or the role is. We are also encountering a lot of discussions on re-certification because it's a lot of effort.
This is where policy-based access control is getting more and more interesting to reduce that effort on access re-certification, because with an automation behind that, you are not re-certifying all the single person-to-access-right relations, but you are re-certifying the rule behind that. So that can significantly reduce your effort there, and this is one of the major advantages, effort-wise, in the feedback. Good. Did I miss anything? Any questions? Any wise words? Good. So that would bring us to the polls. So let's switch to the polls if we don't have any questions.
Yeah, that's not a surprise, is it? So the one who always voted first for not important didn't participate here. I don't know, maybe it's this guy here, at least medium. So really no surprise. I mean access governance is really the foundation of having good housekeeping within your organization. Whether you have some kind of ISO or certification, whatever, they all need access governance. You need access governance to improve the security, you need to clean up your existing systems, you need some regular reviews and all that stuff.
So it is one of the essential and most important topics, not the sexiest one. It's always a little bit boring, but it's essential. So boring in the sense of really doing it, looking into systems, designing processes, having maybe a bigger IGA tool around that which supports the people, the asset owner, the role owner, whatever kind of governance you do, in doing their job.
Okay, then let's jump into the level of maturity of all of you. So we have 40% as the answer with the most ratings. So it's 40%, so 27% say we have a level of 40%, and that's probably the truth overall. So again, maybe some kind of bigger organization, maybe a pretty small organization with only one AD account, whatever. But if you have invested already a lot of money or time, you should be something around here, 100%.
And something like that is really difficult because especially around those legacy systems and also cloud applications and stuff like that, it's really difficult to have good or even real-time access governance. So usually it lives from taking care, maybe a half-yearly manual review and things like that. So it's always a little bit delayed if it's not triggered with joiner, mover, leaver or something in asset management. So no surprise here.
Okay, then let's jump into the next capability, which is... Break? Now I will take the access analytics and then do the break. Yeah, okay, because that works well together. So the next one is access analytics. And this is, oh, back to the reference architecture please.
Yeah, so access analytics, and that's the interesting part, that is analyzing all that we have done in access governance in the last capability, and this is the part where we get the reporting on that, we get the controls on that, we get a better understanding of how to control that all the stuff that we have defined in access governance is really done in reality, because nothing is more inefficient than a policy that we have defined that is not working. Obviously also within that capability we have the parts where the AI is coming into play.
So lots of IGA tools are coming up with AI modules helping you within re-certification with peer grouping, with predefined answers, or with answers that might apply, but you should check that. It's giving you advice on what to do. Also in the access request, it is helping you to find the right access rights to request. Access analytics is also the reporting part. So when you are trying to do, the easiest example is access re-certification. You can easily do reports on that. How many people did the re-certification, how many did not?
So that's all we can find in access analytics. Did I miss anything? Good. So we should be ready for the polls then if there are no questions.
Yeah, it's before the break, right? Yeah, no questions. Let's use the four minutes. Martin, looks like you want to add something. So we have three. The next question should be, could you switch to the screen please? Perfect. So access analytics, from a priority perspective, again 58% say it's of high importance or of high priority, no one says it's low. So it's a topic for all of you. To summarize, then, the level of maturity, okay, that's interesting. The most popular answer is still rising. This one is around 30%; 30% is the level of maturity answered by most people.
And then also around 20% and 40%. So really 30% of you say access analytics is the estimated level of maturity. And this is then, for instance, if we jump into the identity and access management roadmap creation, stuff like that, like it's a highly important topic for you, but the level of maturity is pretty low. So this is something you might have in your mind to focus on. That's probably because most are still stuck in their role management projects ahead of the analytics part, unfortunately.
Oh, I see a lot of people nodding. So it's not just a joke, it's reality unfortunately.
Anyway, close to the break right now, isn't it? Yeah. Then we have planned a 15-minute break, so we will continue at 10:30. Maybe we go for 10:35, give a few minutes more.
If Martin is cooking our house, then we take 20 minutes. Okay, 10:35.
Okay, so welcome back to the second part of our identity and access management roadmap creation workshop. I'm speaking a little bit slower because that helps people realize we will continue. Perfect. So some people will join in the next five minutes. That's normal, that's not an issue.
Again, the information to the online attendees: if you have any kind of questions, use the chat function, use the question tab. Martin is really happy to answer all of these questions; as he mentioned, his fingers are almost smoking from typing that fast. So really cool that you have so many questions.
Also, same if you have something you want to discuss with Martin, with me or with Phillip. Just reach out at the end. And as mentioned, if there's something not fully answered or I say reach out to me afterwards, either try to grab me here during the event, send me a LinkedIn message if you haven't connected to our LinkedIn yet, or directly send me an email to mk Kuppinger call.com.
Okay, perfect. Then we will continue. So this was, or has been, almost 50% of the capabilities. We will now be a little bit faster because the big topics are already discussed. And the next capability is user and entity behavior analytics.
How can we take advantage of what we've learned and how can we improve our own security based on that, or maybe improve efficiency based on that? Based on the discussions, I can tell you that that is one of the hot topics.
And the main question is, are we allowed to take a closer look at the behavior and, based on the behavior, can we have any consequences? Especially in Germany that is a problem. I can imagine that this is also the same for other countries and also other companies. The important thing is, or maybe I just give you an example. So when we can observe a behavior that is unusual, we want to restrict the access. So let's say we have an admin. An admin is doing pretty much the same all the time.
He is creating, for example, accounts, he's assigning access rights in a local application. And now we check his behavior and for some reason he was creating many accounts, providing extremely many entitlements and access rights to certain identities or accounts. So is that a normal behavior? So based on tooling, usually AI tooling can help us with discovering such a behavior. We can see if that is a normal behavior, and if that is an abnormal behavior, we can react to that.
The example is only the simplest version that you can imagine. There is also behavior for end users that can be unusual. For example, if a person is accessing only, I don't know, 10 documents per day on average and downloading two of them, and for some reason on the next day the person downloaded 300 documents, that would be unusual behavior. The AI can see that and could react immediately and restrict the access or terminate the account, or at least restrict account access. Good. One of the hot topics, very much discussed.
Are we allowed to do that? Are we not allowed to do that?
In general, as long as it is for efficiency and for security, you can do that, even though it's a point of huge discussion to do that. So as long as it is justified by security, it's usually not a problem. Good, polls. Let's switch to the poll results. Perfect. The voice control is working perfectly. Okay. So let's see the results: we have medium at 62%, at least on my list.
So 62%. So there might be a little delay that is more than usual. So I would have expected more in that area because, as Phillip mentioned, it is very often an internal and legal workers council discussion, and people are a little bit afraid of it. The IT people or the IT security people always say, yes, we want to have it, but then it's getting more political usually. If you then have a look at the detailed level of maturity, that's then not really a surprise. Most people are in that area of 20%, 30% and 40%, and one person has 70%.
Yeah, exactly. And that's it. And that's what we really usually see in organizations. I mean Azure, or if you rely on Microsoft Azure as a key component, has a lot of risk-mitigating measures, controls, analytics of behavior and things like that. That is usually the highest level people really use in organizations in the background, if they rely on Microsoft's infrastructure here.
Okay, then let's jump into the next section, which is, I have to adjust, application risk management. Application risk management.
Okay, back to the IAM reference architecture, back to application risk management. So application risk management is also an interesting topic. So when we think about our landscape, we have lots of applications, lots of services in our landscape. And application risk management helps you to identify the most critical ones. So based on several factors, and one of the factors can be which data are stored in an application, in a service.
But also, since application risk management can also be seen as a dynamic approach, you can also try to find out how many people have access to my application, how deep is the access? So is it an administrator access or is it just an end user read access? Is there critical data in it? So all of that is part of application risk management, and the very minimum is a static list of all your applications, who is responsible and what is the risk level of the application. So that should be the minimum, the static information.
As I said, you can dynamize this. If you have a dynamic application risk management, you can also use information like how many people have access to that application, maybe how the risk levels of the objects are changing. And you can also incorporate, as mentioned here, insufficient SoD policies. You can mention documentation. So all of that is increasing the risk level of your applications. On the other end, you can also use the application risk level to launch re-certification campaigns more often.
You can use it for access requests to increase the steps within the access request for new entitlements. So that would be the dynamic part of it. And it could also be used as a foundation. I mean, that's not a topic of today, but zero trust relies on policies and policies rely on some kind of attributes, and knowing how critical my application is: does it, as he mentioned, contain strictly confidential data, PII, whatever, or is it really, I don't know, the lunch table, something like that.
And this kind of information is really relevant and I'm really looking forward to the results. What is your level of maturity here? So can we jump into the results? So, importance. So we have a good balance between high and medium. That's no surprise. It's usually part of enterprise risk management or asset management or a combination of that. And then let's directly jump into the level of maturity, and this is, yeah, this is what I expected. So we want to have a good data set here for applications, for verifying, for knowing what's in the application, all that stuff.
But the level of maturity is usually more on the left side. Same as the topic we discussed earlier, it was around roles. I think it's not a one-time thing, it's really implementing a lifecycle process for application risk management, whether it's manual or some automated measures, like Phillip mentioned. And it's a really important foundation for multiple things, as Phillip mentioned. And one more important thing to add is that such a static or dynamic list of applications is also important when you try to protect your landscape.
So often, I mean, I've encountered a couple of companies and organizations that don't have such a list. The problem with that is: how do you know what to protect if you don't have an overview of your applications, of your services? So this is where you also can discover shadow IT. So that is really not an unimportant topic when it comes to that. And in addition to that, if you are going for a roadmap, this gives you a very good understanding for sizing projects within the IAM space.
So if you don't have a clue how many applications you have and you launch a role definition project, for example, how would you know how many applications you will cover within your project? How much budget you need, how many people you need? So that will be impossible if you don't know how many applications you have, or services or whatever. Exactly. One point to add, because I see a lot of scared faces, maybe that's the right phrase. I don't know how you would usually do that if you have nothing.
Usually something like a business impact analysis could be the starting point: identifying what are the critical processes for your organization and identifying which IT assets are used here. And if you have, I don't know, five business processes that are relevant for your organization and they rely on, for instance, let's take Azure, then Azure is potentially one of your critical systems. Then we have for sure to identify how big the risk of the data within that is. Then it's getting deeper, but this is usually a good starting point.
Okay, next one, use noted application privileged user behavior analytics.
That's
So usually both dimensions are relevant: the application and the data that is stored within the application. So if you have static data or a database with multiple data sets, entries, whatever, there could be some confidential and some public stuff within that. This does not automatically mean that this application is strictly confidential, but maybe the administrative access to the application, and the intention why this is so important. This goes back to the zero trust topic, for instance.
Or if you want to do policy-based access, you need the, or you can, you don't need, you can use the application level, so the security level of the application. So for instance, if you want to access from here, from the conference, an external network, a critical application which contains confidential data. So both from here, I would not allow SN C for your organization, for instance. And that's the point.
So both matter, but at the end it depends a little bit on how you work, what is the focus. At the end, you want to protect the information within the systems, but the application risk management or the application risk score, whatever, could be one additional metric. Good. So let's dive into the privileged part. So as you can see, we have a new color here. This new color is showing you where the privileged part begins. And those are not all the capabilities for the privileged identity fabric.
Those are just the first three capabilities of a bigger identity fabric. So those are not all, just the most important, and we are covering them to give you a better idea here. So let's dive into privileged user behavior analytics, which is pretty much what we've already heard. We had that under user and entity behavior analytics and now this is exactly the same feature but for a different type of identity, for the privileged identities. And why is this worth mentioning? It is worth mentioning because privileged identities are the most critical ones.
So while we discuss user behavior for employees and for the workforce a lot, and we don't really get hands on that topic, it's different with the privileged identities. So privileged identities have more and more critical access rights, or maybe sometimes they have fewer rights, but they are more critical and they are worth protecting. Those are the most risky accounts, the most risky access rights.
And this is where user behavior analytics can be very important: when we see that an admin or a privileged identity in general is doing something that is not expected from the identity. I was saying a normal identity is usually downloading like two or three papers a day, or documents a day, and suddenly the normal identity is downloading 300 documents.
This could be one thing, but let's assume we are talking about a privileged identity that has access to, for example, firewall configuration, and suddenly the identity is changing firewall configurations, opening ports, shutting down firewalls. I mean, you don't want to react to that. You want to prevent that in advance. And the best case would be after the first firewall that is shut down, not after the, I don't know, 50th firewall, when everything is open.
So this is where the AI can see what an identity is doing and can shut it down for privileged users immediately when there's something happening. Of course that is not the only capability helping with that, but this is definitely one of the most important things you can do when you restrict access of privileged identities. Good. Any questions on that? If that's not the case, we can change to the poll results.
Okay, so again, everything starts to get priority high. This is also interesting, something that is very often happening, because if we tell you about what is possible, you think, I want to have that, and this is at the end something you need to figure out. And this is why usually, I don't know if we have the time today for a detailed discussion here, but this is something that is usually changing a bit during the session, because otherwise you end up with all your capabilities...
We have how many capabilities? 25 in the core part and over 40 total. Exactly. So then we would have roundabout, let's say, 30 priority high in the end. This does not really help at the end. So then the next step is really: how important is that? So a few people say low priority and most people say high priority. That's the result here. If you then have a look at the average level of maturity, this is again a really big mixture of things here. I would explain it that way: usually most organizations should be something in that area between 30 and 60%.
60 is pretty much good here and only a few organizations are really in the area of 80, 90 or maybe even 100%. I think here in that group it's again, we have a big mixture of multiple companies, multiple security requirements. So the most rated answer is 20% and then the next one is 40%. So that's good feedback.
Okay, then let's jump into the next topic, which is privileged session management. Yeah, one comment on that before we change back. So here you can also see that user behavior analytics is coming for privileged identities before it comes for all identities. So this is one of the, not trends, but the capabilities that are established for privileged identities first, because those are the most critical ones. And from that, with the experience you have with privileged identities, you can roll out all these features also for your workforce identities and your employees.
Good. Next is privileged session management, also a privileged capability. And this comes definitely in all colors and forms you can imagine. So while implementing such a topic or such topics in an organization, you can see it in all ways possible, automated, organizational. As mentioned here on the bottom, you have different ways to implement that: by keystroke logging, we have video session recording, we can have screen scraping, we can have OCR translations and further techniques to capture what a privileged identity is doing. The easiest way is the four-eyes principle.
So I have somebody sitting next to me controlling what I do as long as I do something with a privileged access right. There are definitely more techniques than I just mentioned here to do that. But the idea is always the same. Four eyes see more than two, and it's easier to prevent fraud if I have somebody looking at what I do, so that a second person can stop me from doing the wrong things here.
That's pretty much the idea of privileged session management from a procedure or process perspective. Privileged access management tools can support me as an admin. When I start a privileged session, the tool is recording what I do and helps me to have that kind of session recording, for example, to reduce my risk that I'm doing some fraudulent behavior or something like that. Exactly. And that's the wrong language. Exactly. And taking care, for instance, with the application security level.
This could, for instance, be used here: if it's only a medium-critical application, whatever, then the administrative session monitoring, or yeah, session management, would then for instance be just recording and no real four-eyes principle. So really afterwards having proof of what the administrative user did, if there's something, or if it's a low-rated application. Again, jumping into the results, we have the surprise that high is the most important thing.
I would fully agree here that privileged access management and this sub-topic, session management, is one of the more or most important things, which is, no, don't change your opinion, but it is really, and that's what we probably see in the level of maturity, not sufficiently implemented. Yeah, yeah. But there's also a bit of disillusion, I think I've seen in many projects.
So, so you start this payment and say, okay, we do shared account password management and then we do session management. Then you learn the first part is
So really a session monitoring in real time or so it means you need twice to people. So you need to restrict it, you use it for certain use cases. And I think this is where, where, where the challenges sometimes can come in and which explain such a graphic. If we then jump into the level of maturity, we have a mixture of almost everything and most people voted for, we have a level of maturity of 20% here. So that's no surprise. I would be interested in what does 20% mean in session management only for ad admin or something like that probably.
And not for all the also business critical privileged accesses, like for instance the firefighter user for an SAP system or something like that because this is also something you need to consider. Okay, close question. And then we jump into the next topic, which is adaptive authentication, good Adaptive authentication. Also one of the more important topics around authentication. One of the trends that we are observing in the market, not just for workforce identities or employees, but also for all of the other identity types.
When we think back just a couple of years, we had that static authentication, we had a username, passwords, we now have MFA, but in the future we will probably encounter more and more adaptive authentication, meaning that based on the context and the parameters we are delivering as an identity, the authentication level is changing. So one easy example would be: if I'm within my company network, I'm on my company device and I'm using a low-risk application, I would just require the minimum level of authentication.
So that could be different if I'm sitting in a Starbucks using my personal cell phone, trying to log in to a high-risk application, for example an HR application. So that would require a much higher level of authentication that I need to provide. So for example, not just username and password, but also MFA, maybe some credentials or some certificates that I also need to provide, maybe a second level of MFA, so that I not just need an OTP or a token, but also other stuff. Right here in the definition, you can find much more information.
So what you can use: you can use knowledge-based authentication, MFA, OTP and many more. But you can also include more context information that you can find at the bottom. So IP address, geolocation, geo-velocity, device ID, and maybe even user behavior analytics results. So that can all be part of adaptive authentication, and I'm convinced that we see that more often in the future, especially as consumers. Good. Polls. Let's have a look at the results. So we have different numbers here. So high again is the most important thing.
I'm a little bit surprised that medium is also, from a priority perspective, very often voted, but this could again be the case where you already have MFA or adaptive authentication in place and say, no, we have this under control, we don't need to focus on this topic anymore. So this is really good, this could be an explanation here. And if you don't have something like that in place, do it. Because that's pretty much the easiest thing. Credential phishing, even at conferences, whatever, is pretty common. Just have a look at some dark net tracings or whatever.
There are so many credentials from almost every company and private account, and that's really a big risk. And combined with all these metrics like the application risk level, data risk level, whatever, you can really build good access policies in that case that don't annoy your user every time. So for instance, if you're here at the conference or on a non-trusted wireless network, medium critical application, then at least maybe some push notification or even SMS as a one-time token is more secure than not having something like that in place.
Okay, now I clicked the wrong one, adaptive authentication. Then we can jump into the level of maturity, and yeah, that's a little bit, as I mentioned, I would've expected those guys who answered medium to have a good level of maturity, but as we can see, most people are around 20, and what is this?
G is 60%, please talk to me later on. Oh, Martin, Martin is also happy about that.
Yeah, so it's really a mixture. What is interesting is maybe those average guys. I mean, you have MFA or adaptive authentication or not, and then it's more like how many applications, or for how many applications, do you use it? And the challenges then often are whether it's an enterprise application with its own access or with your AD account, and then you have the cloud application with an IdP or something like that, where it is then easier to add something like MFA.
Okay, then any questions, any feedback? Sorry, I'm running a little bit fast. So Martin is answering the app questions. If on site no one has another question, we can jump into the next section, which is decentralized identity acceptance.
Yeah, and that's hopefully not a new topic. We have already discussed that. So this is the other end of the decentralized identity issuance. And now we are basically on the other side, and this is where you as an organization might find yourself, because this is where you consume the identity information that others are collecting. So that could be, again, if we think about the social login of Facebook, for example, where you could make use of a social login of another provider.
So you could offer somebody to use Facebook credentials to log into your service. I mean, as an organization in the workforce and employee context, it might not be a good idea to use Facebook credentials.
I hope I don't need to say that, but if we think about yourself, you could also say, okay, I have another company that I completely trust. Maybe you are a big organization and have multiple organizations within that structure. And you could say, okay, my sister company or parent company or whatever is collecting good identity information, so we make use of that and use that for authentication. That can also be used if another company is collecting good consumer credentials and good consumer identity information that you could use.
It depends a little bit on whether you want to use that in the workforce context or in the consumer context. In the consumer context, this is much more common already, just saying social logins like Facebook, like, I don't know, LinkedIn or whatever you can already use. In the workforce context, it's a little bit more complicated, because you need to trust that other company, that the processes behind getting that information and the lifecycle processes behind the credential management are good enough to cover your secrets.
So in the workforce, in the employee context, this is still a challenge; on the consumer side, we are observing that much more often. Okay, importance and maturity. So the question would be if that is a topic at all for you, depending a little bit on workforce or consumer parts, and if you are doing that or not, this is pretty much it, and how deep you are doing that.
If you're doing that for workforce, do you have something like supply chain risk management to see if the processes on the other end are working properly, or are you regularly reviewing those processes of another company, organization, whatever, how they are getting their identity information? That would be the time where we get to the polls. Christopher? Sorry, Martin is guilty. So let's have a look at the results.
Oh, this is the right one. Perfect. So we can see medium to low, low is the most important and followed by high. Okay. I mean it's your system.
Okay, then let's have a look at the level of maturity. And that's what I would have expected here. Most people are more on the left side as an overall topic.
Okay, so nothing to add from my end. That's a fast topic. Yep. Let's jump into credential management. Right, good. So credential management. Credential management is a very interesting topic, I think, because that is where you learn more about how the credentials of your identities are issued and maintained. In the worst case, you have hundreds of applications and hundreds of different credentials that need to be maintained. In the best case, you have an SSO system and have reduced that number of credentials as much as possible.
So in the end, you should make sure that the processes to change that and to maintain the credentials are stable, at least at some point. I think the easiest example is username and password. How do I reset my password? It might be for my Windows credentials or my AD credentials, my LDAP credentials. So those are the most basic examples. But what happens if I have an unconnected software-as-a-service where I have different credentials than my SSO system has? So how do I get there? How do I change those credentials?
And if it has MFA, how do I change my MFA credentials or my token, for example? How do I exchange that? Where is it listed which identity contains which token, or which token contains which information, if a token can have more credentials than just for a single application? And this is all part of credential management. So the processes behind that, the landscape, understanding where I have MFA or adaptive authentication and how that is maintained for the end users, but also for the administrators. Good.
Also an important part in the process, I just forgot about that, is the onboarding part. So if you are a joiner, how do I get my credentials? Especially in the past years where everything was going digital, and I mean my onboarding was completely digital.
I've not been in BBA, where our headquarters is. So I received pretty much everything on a digital level. So how would you do that when you are a huge company, thousands of employees, hundreds of onboardings, maybe every day, hundreds of leavers? How would you make sure that the right person gets the right credentials in the right way, and that the identity that is getting those credentials is the right person? This is also a question that you can ask in credential management. Good. I hope that covers the whole definition.
Oh, we have a question. I'm walking. Perfect.
Yeah, it's one of the shorter ways.
Speaker 10 02:16:35 No wonder you took it, Phillip, but not Chris. May Chris walk. So on this, not the decentralized one, but the credential management. Does this also include the ability for individuals to add additional credentials to their identity profile? So not just a decentralized one, but if I want a person that has multiple credentials depending on the environment they're working in, that I mentioned earlier, step-up authentication. So I may want to have two or three different types of credentials.
Is that in this credential management or is that somewhere else in your fabric?
No, that should also be covered here. I mean, we are also talking about FIDO credentials, for example, something like that, tokens that I use for multiple applications. So all of that should be part of credential management. And especially when we are talking about FIDO credentials, we have encountered that question a couple of times. How do I manage my FIDO credentials? How do I keep track of who is having which tokens and for what applications? What is on the token?
What happens if the token is lost? How do I recover that? How do I prohibit somebody that found one of those tokens from accessing my organization? So that is really a good question. And this is part of credential management. Exactly. And coming back to the example Phillip mentioned about how he was onboarded many years ago, we are using a password management tool and one-time tokens to share that data encrypted, and then he got access, for instance. That's the way to share it.
I mean, you have some basic risks at the end because the one-time token needs to be transferred, but the real password and all the risk metrics in the background are working, and that's what it's about. So credential management, we can already see the result.
74, 75%. That's interesting. Which number is more accurate?
Okay, so this one: 75% say our priority is high. And I would fully agree, and I also would agree with that idea to have or to provide your users something like a centrally managed password management system, otherwise they will start to use the iPhone stuff, Siri, whatever, or maybe, I don't know, I won't tell the name of the company, but a bigger password management company had some data breaches half a year ago, and this is something you need to consider in your pre-check of the organization. Let's see the level of maturity here.
Oh, that's good. I like that. So most people say, we start with 30, 40, 40, no, 30%, so few people have 30%, and most people, which is G, is 60%, 70%, 80%. What would be interesting, but that's not a question, just for consideration, is what kind of credentials you manage here, whether it's more user or really service accounts or tokens, all that stuff. So maybe this is something we ask afterwards, maybe on LinkedIn or maybe here. Okay. Then we jump into web access management. Web access management.
While we have covered a lot of trends and hot topics, this is hopefully one of the things that we can delete sooner or later from our identity fabrics, because it's, as mentioned here, a rather traditional approach. The idea is putting a layer in front of the web applications that helps with authentication and authorization management to a certain degree. That is especially interesting for legacy applications that are not built for MFA processes or more complex ways of authentication and authorization.
So that is what web access management is doing. Maybe Christopher or Martin, you have something to add here? More experience than I have. Do you want to say we are older?
No, no, no, no. Yeah, I remember even the days when this was called extranet access management by another analyst firm, which is probably two decades ago or so.
Honestly, I don't share young Phillip's perspective that this will quickly go away, I hope, because I remember also the year 2000 when everyone said, okay, all these old COBOL applications will go away. And I remember that the mainframe has been going away for three decades or so. The problem with web access management is that this is also very much about all the legacy applications we have. And so for the legacy world of applications where we don't have good federation support, et cetera, it's probably in many cases here to stay for quite a while, unfortunately.
So it's surely not the most modern thing, but there are enough use cases. I just hope it goes away. But even then, coming back to the identity fabric, it would move to legacy. So there's a specific part for that. So let's have a look at the results. And that's interesting. So obviously most people are a bit older.
No, so pri, private, sorry. Most people say the pri, that's interesting. It changed when I said that. Most people say it's medium priority. I would agree. In the meanwhile, I have the impression that there are always a few sitting there waiting until you start to speak. Yeah. And then they vote. Some kind of attack. Confuse the moderator. What is the, the workshop guy?
Okay, so 46%, at least on my tablet. That's right. Something below 50% say medium is the priority for web access management. And I think this really, or pretty much, reflects what Martin mentioned: more the traditional organizations, they have that, they have to prioritize that, they have to deal with that. Phillip would say, yes, we want to remove that as soon as possible. Probably all the IT guys would agree here. So let's have a look at the level of maturity. And I close the question. So we have a big mixture of almost everything.
So 11% is something like four responses. On average, most people have 50% and 80% as level of maturity. And I think, that's how I would interpret this, that really we have some bigger organizations here, some have a good level here, and some have to deal with it. And that's basically, I think, the answer I usually would expect from those organizations who have it, something in that area, and the others are, I don't care, in that area more or less. Okay. Then let's jump into the next capability, which is identity federation. Yes.
So identity federation, that is also a very interesting topic. Identity federation is all about two parties that are trusting each other with authentication. So that means basically that I am taking the authentication process and the credentials of another company, allowing the access to my data.
It's a little bit comparable to the issuance topic, but here I create a standing and static trust to another company that I really trust. It's not a built-in capability, but a standing trust, and a use case that we often encounter in that area is different organizations of the same head organization that are trusting each other. For example, more than one AD or Azure AD that are having those trusts. But also when we are talking about guest accounts, so identity federation is a thing when we are talking about guests.
For example, when I as a consultant come to your organization and log into your Teams, I could also use my personal credentials from my company, as long as you have that as a trusted company. So doing that, you as an organization don't need to collect my identity. You don't need to collect, yeah, a password, a second factor, and most importantly you don't need to store that data and you don't need to maintain it. So that is the way that I, as a, let's say, flexible identity working for multiple organizations, don't have credentials in each and every organization.
That would be, in the worst case, the same. So at least when I go for username and password, I could use the same password for all the organizations, or could have the second factor on the same phone. This way I just have to protect my very own credentials of, for example, KuppingerCole in this case, and having a good process in place as KuppingerCole, we are able to protect these credentials much more efficiently. But this requires a trusted relationship, and this is what I need.
Federation is mostly about. Okay.
Speaker 16 02:26:57 And to add upon the benefits of having it, we are considering even establishing federation with large customers to access our services. So it's, but the benefit is that you also get this employment information for free actually, so you don't have to revise all the accounts that you provide to your partner.
Yes. It depends a little bit. There are also, but this is more Phillip's topic of expertise, specific tools or platforms around really end consumers and collecting and, you know, how to phrase it?
Validating as much information as possible. So this is, what is the word for that? The consumer. We have a specific name but we can paste it in the chat afterwards.
But yes, if this is the intention, this is absolutely true.
Speaker 18 02:27:47 So two questions actually. So one is, how do you see this part of identity federation with the trust you need to have to federate, in combination with regulation like ISO or TISAX, where you have specific labels to, like, see if you can trust the relying party, to establish such a federation? And the second question would be, how do you... Oh, let's go with the first one.
Okay, so the ISO or even the TISAX are pretty straightforward. If I would define, can you hear me? Yes. If I would define, I trust everybody with another ISO certification or whatever, I can write it down. Maybe if there's some kind of risk, I can add this in the risk, which is, and then that's fine from a regulatory perspective. From an implementing view, security, I would define, or we have defined, first of all, if I use something like an external federation partner and trust them, I would validate them.
If it's more consumer-like, especially around PII and all that stuff, and I would enable monitoring, I would, there are multiple tools around it that you can actively monitor, even what's available in the dark net. So dark net tracing around those companies, those federation partners, and say also with other companies you are working with, then you have an overview and can in the worst case react to what is going on there, or even block all accesses because they had something like a big data breach. I mean, Facebook has every, dunno, four months a big data breach and nobody cares.
I don't understand it. If this answers your question, we have another question.
Speaker 10 02:29:37 In your definition here of identity federation, are you actually federating more than just the identity, because you bring in credentials, you bring in authorization, which are all different levels of federation, versus if you were doing a pure identity federation, I would just be federating that you are Phillip, not that you are Phillip with his credential with this access. Can you explain deeper?
Yeah, I can try at least. So the idea is to leave that a little bit open. I mean, the classic federation is the username, the password, basically the credentials, as much as you need to log in. But when we are thinking about especially partner management, for example, or a distribution network of resellers, this could also be information that we can use.
So if my reseller has an IGA and is maintaining access rights in there for maybe my own service, let's assume it's software as a service, that makes it a little bit easier obviously, and we are using that together, this information can also be synchronized via identity federation. But obviously the classic use case is authentication.
So hope that answers the questions. The best answer in that case would be "it depends", the typical analyst answer, and especially, just to add to Phillip's example of the partner management: for instance, if I have an IT supplier which is responsible for maintaining or servicing whatever, I don't care who is doing that job. I pay an organization for that. I have monitoring, risk, blah blah blah, and all that around. But at the end I don't care who in person is doing that.
So I trust an external party, they are federated, and I need all the information, maybe their skill level, maybe their level of IT help desk support, 1, 2, 3, something like that. And if I can use that, then I can use this to assign the right rights or something like that.
Yeah, so it really depends on. And it gets a little bit more complicated when you are progressing on your zero trust journey, because in that area you want more than just identity and the credential. You might want to have the position as well. So is he an admin? Is he not an admin? Where does he come from? Is he maybe an admin from China? So is he allowed to access my data, and also giving me a risk score, for example, could be an interesting thing to make sure that he's not accessing very, very sensitive data.
So that could also be a use case in the future. We had another question, is that still
Speaker 20 02:32:28 Yeah, here. Because we have talked about decentralized national government providing entities.
So how long is it that you just need to trust national? There are specific presentations about the topic. Maybe Martin knows more. There are some European government initiatives with identity assurance levels and that stuff. So I think IAL 3 is the one with the most critical. I mean, we have some kind of European digital, or the plan is to have some kind of, there's this standard about LOAs that can be provided in the context of federation.
If this is the question. He was asking how to deal with, for instance, government-issued federation, something like that. So the European Union initiatives that are running here.
Yeah, that is probably the next step. So when you look at eIDAS 2.0, when you look at what is happening around other decentralized entities, then this is probably mainly flowing into the decentralized identity.
So you will have a wallet, you will have government-issued IDs as part of that wallet, you will have a strong authentication to that wallet, and then this wallet provides proofs, and if the identity management systems then are able to consume these proofs, this is the acceptance part we had before, the decentralized identity acceptance, then you can build on that, and then you can do a lot of things based on that, because to a certain extent it means you receive information about a level of authentication and assurance, but you also have a lot of proofs that you can consume.
Tomorrow or on Thursday I'll talk about decentralized identity in the enterprise, where I touch a bit more on that. We have surely a couple of talks around eIDAS 2.0, about all the decentralized identity stuff. So this is really a very fast-moving field, and I'm honestly optimistic that we will see way, way more options in that field where we really can utilize such information, and not only for the authentication piece but really also for authorization.
As I've said, don't miss my talk sometime in the next few days. I don't know exactly when, I have so many talks, but it's around decentralized identity in the enterprise. I think it's tomorrow afternoon. Maybe you just paste it in the chat, then you have some time to look at it. Okay, then let's jump into, was there another question?
Okay, so let's jump into the results here. Forget about the, could you? Perfect. Forget about the decentralized tier; Martin already brought more into the chat. Identity federation is the overall topic, and we can see it's high priority for many organizations, but also, and this is more than the usual guy that clicked low, multiple organizations also say it's not a thing for us. And this really depends on your business model, what you are doing, how you're collaborating with other organizations, and whether it makes sense for you or not.
This is your, I would fully agree if you say I don't need that, and I would fully agree if you say we rely on that topic very much. So good result. Level of maturity is, okay, also a mixture. So I would say, so interesting. A lot of people say low priority, maybe they have a good maturity, and no one says 0% is the level of maturity. Stop that.
Okay, so most people say H, which is 70%, is our level of maturity, and then we have really distributed. I think this really, I don't understand it, and this is really, I think again the topic: multiple organizations, multiple different use cases, as we've mentioned, from partner management to consumers to IT suppliers that do maintenance jobs or something like that for your organization. And this is reflected here, I think, pretty much the average; I would say on average we have something around 50%, more or less. Exactly. Then we come to another topic.
I'm pretty sure this is how Phillip would call it, one of the boring topics, it's Enterprise SSO. So do you want to explain?
No, no, I'm old enough for that. So experience is the right word. Yeah. And anyway, so Enterprise SSO is a technology which has been very popular some, let's say, two decades ago, but it's still very relevant in certain use cases. So you see quite a significant adoption, for instance, in healthcare, where you have the need for signing on to different systems in a somewhat secure manner and very quickly, as well as fast user changing.
So one nurse going to a computer, coming there, entering data. It was more widely adopted in the finance industry in the past; I see it way less there. I also see it's not only rarely in data centers, but as I've said, there are certain use cases, and I see also that there are some areas where, but it definitely could be better than what we have.
So if you take the typical operational technology environment, so your shop floor, your factory floor with a lot of unprotected systems, the argument always is, oh, but if someone goes to that system and it interrupts, so to speak, the work and it costs too much time. I always say, if it works in a hospital, then it definitely also will work in a production environment. So there are areas where the idea basically is you have a system that injects the credentials into the backend application, taking it from a vault. It's not very different from PAM, to be honest.
So PAM, as privileged access management, does a lot of similar things. It has a vault, it injects credentials.
So it's more the broader use case, as I've said, mainly used in certain specific industries and traditional use cases. But in some areas still relevant, probably more likely to retire from the blueprint earlier than web access management, I have to say. I mean, we have enough new trends, so that would not be a problem.
Okay, then let's jump into the results. And again, the priority is pretty high for most of you. So all of us are very experienced, no, traditional organizations usually have some kind of that in place or would like to have something like that in place. This is a true challenge, and even if you have some password and username tool running as a client on the computer, this is sometimes more secure, or often more secure, than using the written-down password on a note somewhere below your keyboard.
Okay, then let's look at the level of maturity, and that's, yeah, this really reflects, so we have a lot of organizations here, or people from organizations, where it is a topic, but at least from a result perspective or maturity perspective, most of you have a really good level of maturity here, and one person said, no, it's not a topic for us. Okay, then let's jump, before you change your vote, into the next topic, shared account password management. Right?
This is one of those topics that is, again, in the privileged sector, one of the important topics that we also see in the non-privileged sector. It's about shared accounts, and shared accounts have a special challenge at that point, that they are not personal. And with that, the credentials can't be personal. So if you have your very own account, you are the owner of the credentials, but if you have a shared account that is used by multiple people, you have two possibilities.
Either you all share the same credentials, or each of the users has their own credentials, which would be good, but in the end you need to make sure that you as IAM engineers are able to see who is using that shared account and for what reason. And also this person needs to be able to log in with their own credentials. And this is where shared account password management is an interesting thing, because those solutions give you the possibility to share the credentials across multiple people.
That can be done by really sharing the credentials, but also by password rotation, as an example. So the easiest way of password sharing and password rotation that I've encountered is two admins each having one part of the password, since the password was split into two halves and it was noted on a piece of paper and stored somewhere. So afterwards, after using that account, they had to change the password and split it up again, dividing it between the two admins. So this is the easiest organizational way to do that.
And meanwhile the PAM solutions are coming up with password vaults and more, not complex, but more automated ways to make this password rotation happen. And password rotation is just one; it is credential rotation. That's not just passwords, to be honest. Good. I think that brings us to the poll, right? Yep. If there are no questions. Okay, then let's jump, we already jumped. Close question, first button.
Okay, that's no surprise. Most people answered 60, 70%, I have 63, whatever, 70% say it's high criticality or high importance or priority in that case, and I fully agree here. I would more disagree with those guys, but I'm happy to discuss this afterwards. Then let's see the level of maturity here. And that's again really a good mixture of different levels of maturity. The most voted one is 30%, with 22% of you that voted that, the, I will not tell any number, this one is the biggest one.
No, we have now H, which is 70%. So again, it's a mixture, and I would say on average we are something around 50, 40, 50, 60%. And this is, I think, really a thing; especially in bigger organizations, privileged account management or shared account management is a topic, and usually it's handled on a certain level, not always by a tool, but at least handled. Perfect. Then let's jump into the next section. Phillip, privileged elevation. Privileged elevation. So we have a very long definition for that. That's obvious.
Privileged elevation is all about users that are trying to access objects that are above their level of authorization. That can be the case if I'm an admin and we have dynamic access rights or non-standing privileges, meaning I don't have my access rights all the time. I just get them when I need them. So in such a case, as an example, I could open a ticket and say, okay, I have here a case, I need my privileged access rights, please confirm it.
And they are given to me, for example, for 30 minutes so that I can work on that problem, can fix the problem, can close the ticket afterwards. This is where we go away from the static approach into a more dynamic approach.
And this is not just a possibility in the privileged parts, or in general in the privileged administration, but that can also be a thing when we are talking about employees. Usually, I mean, we all know that if you want to access certain company data that might be more sensitive, but you have a high risk score at the moment, you are not allowed to access something. So I'm at a Starbucks, in the Starbucks network, from my very own company device, in a country that is, I don't know, not rated as secure as my home country.
For example, maybe I'm on a vacation and I'm trying to access my HR data. I maybe get denied, but the system gives me the possibility to talk to my manager or something else on short notice and request a privileged elevation so that I'm able to see those kinds of information. That would be privileged elevation. So you get above your current rank of authorization by running through a certain process. And with that we come to the poll we already did. So can we see the results please? Perfect.
So most people voted again that it's a topic of high importance or high priority. I would agree. And no one said it's a low priority, so I like that result. That's fine.
Okay, then let's jump into the level of maturity. And here we have most people saying, at least in the current version, 10%... no, 22% say that 10% is the level of maturity in our organization. That's pretty low.
Honestly, I think you have some kind of tendency here. You have some people around 50, 60% which have not a good level of maturity. And then you have some people who say, okay, we invested a lot in that direction. I would again say probably more the bigger organizations, or some of the bigger organizations, are in that area here.
Okay, then let's jump into one of the last topics. So we almost did it; we are on time now. We will discuss policy-based access and just-in-time access. And then we will jump into the evaluation, the roadmap process, right? Policy-based access management. So this is again one of the hot topics, I would say trends, that we are seeing in the market right now. We have touched it a little bit already. So policy-based access management is all around getting the access management more dynamic.
Meaning that we are going away from the role-based access control approach that most organizations have. And I mean this will also not die in the next years, to be honest; I don't expect that. But it is claimed by most of the IGA vendors that we can have 80% of the access rights optimized, automated by policy-based access controls and based on rules. So this is the target that we are following. And with policy-based access management, we are able to apply rules and give access rights to identities based on those rules. And whatever we define those rules with is up to us, to you.
So every attribute that you have in your database, every attribute that you have as context information, you can use pretty much everything as long as you can make a rule out of it and use that for authorization, for access rights delivery. And this is what policy-based access management is about. And it is definitely a runtime, not a deploy-time topic, because policy-based access management happens in real time.
When I try to access the object, especially when we are talking about zero trust, which is where it is often applied, I get checked when I try to access an object, and at that point the rules kick in and try to find out if I am allowed to do that. So am I the right identity? Am I in the right AD group? So that would be the static part in it. Am I at the right place? Am I using the right phone or device? Am I in the right time zone? So for example, an access request in the middle of the night would be unusual.
So this is where you can see where other capabilities are kicking in. Am I requesting access from China, for example? So all of that is what we can check with policy-based access management. And of course there is also a deploy-time part where we define the rules, but most of it is happening in real time when I'm trying to access a resource. Good. Questions? Because that's a big topic.
Also, if Martin has anything to add, now's the time. Martin: How much time do we have? I think I can easily speak for hours about policy-based access. I think one part is radio syndication piece. Ideally we go beyond that. So we had this idea of XACML a couple of years ago, a lot of attention, lesser adoption there. But we see for instance a huge uptake of OPA, Open Policy Agent, right now.
And I'm very positive that we will see more adoption of this. So, not to spend all the time talking about this here: I'll do a keynote on Friday morning, I think 9:20 or something like that, where I'll talk about what I envision around policy-based access and where this all fits in. And this is a huge space, and I believe some of the things which are always seen as the big challenge, like how to deal with legacy applications that still think in static entitlements and standing privileges, I think a lot of these things are easier to solve than maybe even the industry thinks.
So there will be a deep dive session, probably more than one, but I know about that one for sure because it's mine, on Friday morning. So don't miss that one. Back to Phillip.
Yeah, I mean we have more keynotes and presentations on that topic, so keep your eyes open. There's more than just Martin's presentation, but Martin's is for sure the most important one. We have a question.
Speaker 21 02:52:55 I have been looking into these policy-based for the last six months, and so the huge challenge is enforcement of those policies. None of the vendors are able to provide any way of enforcing it unless you are writing a new application and building from scratch.
So you mean, and maybe Martin here you can jump in.
You mean the policy enforcement point and all these topics I'm missing, right? So this is basically, and I will have a presentation about that on Thursday, but it's more in the zero trust dimension. But policies are one important part for sure. Depending on what you want to achieve, you need some kind of specific tool, that is, you might have agents running on those systems that are supporting you and enforcing those policies you've implemented.
Yeah, it depends very much on where you want to use it. So if you have a legacy application, it's most complicated.
We make anyway massive use of it. When you look at authentication, at modern authentication, that's usually policy-based. We see a lot of access management adoption in digital services nowadays, where developers really love to use Open Policy Agent, which works then exactly that way, because it's a very simple way to do it, and we need to close the gaps. What I definitely can encourage everyone to do is to very thoroughly look at this subject. It's something which can make a lot of things much, much simpler than they are today.
And policies, you know, everyone understands a policy because it's really simple: subject, action, object, maybe a constraint. It's a very simple construct. It's simpler to understand them than recertifying some esoteric technical entitlements that go down to the transaction code level in SAP or so. So you can phrase it in a business-friendly manner. So this is a very important, a very cool subject, not an easy one, but we see an uptake in adoption. What will always be a challenge for organizations nowadays is to say, okay, this is what I envision; I can move fast.
So it's a multi-speed thing. I can move fast in some areas, like when I look at building new digital services. I will also move relatively fast, probably, in authentication. It'll come in via decentralized identity when I have more of that, because the proofs logically lead to policy-based access control. The hardest thing, as I've said, is all that stuff which deals with standing privileges, with static entitlements.
And I think as we all have learned over the past years, or many of us have learned over the past years, maybe not everyone, the root cause of all bad in identity management is standing privileges. So this is where the problems start and we need to overcome that. That's a longer journey, but think of a multi-speed approach moving forward towards policy-based models.
Speaker 22 02:56:03 Which type of vendors?
Sorry, what vendors were you talking about? Were they identity and access management vendors? Privileged access management vendors.
Okay. So on identity or access level more, right? So that's what I mentioned, the policy enforcement point or decision point, which is taking all the attributes to build some kind of policies.
These are specific and other tools that give you the capability to enforce it on a certain level where you want to have access. I'm happy to discuss this afterwards. Just join us. We have to take a little bit of care on the timing because only 35 minutes are left. But definitely an interesting topic. At the end, as Martin mentioned, he has a presentation on that. I will talk more generally in the direction of zero trust on Thursday, if you are interested.
Okay, then let's see the results of the policy-based access management, and this we can really go through pretty fast. That confirms what Martin mentioned: everybody wants to have it. So 70% say priority high, and what did you then say? All of them lack a little bit on that. And this is mainly shown here. So most people are in the area of 10, 20, 30% in the level of maturity around policy-based access. I'm honestly a little bit surprised about some people here.
I would have expected most people in that area, because on a certain level you have that, maybe on identity level; maybe, if you use conditional access, I mean even here you can decide this device, this level of the device, can be used from eight to ten, whatever, something like that. Even that is a policy that can be used on the authentication level.
Okay, then let's jump into our last topic, just-in-time access, right? Last but not least, for the core IAM capabilities we have just-in-time access. And this is interesting because it was a topic for privileged access management, but it is also becoming a topic for workforce and employees more and more when we observe the market. So the idea of just-in-time access management is to get away from the static entitlements that are granted all the time and reduce them so that we get closer to the least privilege aspect.
So we are trying to reduce the number of active standing privileges so that the person has only the access rights that it needs at a certain point. So that was very complicated; to make it a little bit easier, I give you an example. So the idea is to say, as long as I don't need the AD group, for example, as long as I don't access a certain application, a certain piece of information, I don't need to be in that AD group. And the idea is, when I try to access that information, I also get the access right just in time and as long as I need it, not longer than that.
So when we try to implement that, there are several ways to do that. But the easiest approach is probably the pre-approved way. So when I know that I have an access right and a document or an object that is not that critical, I can say nobody gets that access right as a standing privilege, but everyone gets it pre-approved. So that would mean that I can go to my IGA and can say I need that access now for 30 minutes. And in the background the provisioning would give me that access right for those 30 minutes and not more.
That means if my account gets captured, I don't have that access right at that very moment. I need to request it, and I would get it just in time, and I get it approved just in time based on the process behind that.
And if it is part of the process, for example, for a more critical access right, that my manager is assuring that I'm allowed to do that and he has to approve it, that could also be a possibility to reduce the standing privileges and give me that access right just in time. Hope that was not too complicated. If there are any questions, Martin is happy to answer them. That's the way how it works.
Okay, if there are no further questions, let's jump into the results. Perfect. Now I prepared the answer. I'm happy that most of the people voted for medium, but let's just wait a few seconds and it will change back. My expectation would have been really medium or even low; it depends a little bit whether you reflect this, as Phillip mentioned, more on the privileged level, or also on business privileged accesses or processes; this is important. So we have a good mix, something between medium and high. And if you have a look at the level of maturity, oh, that's a clear statement.
So it's an important topic, or between medium and important from a priority perspective. But most of you voted in the area below 40% or 30% as the level of maturity. So this is then also like the other topic I mentioned earlier, I don't remember which it was. This is then something where you really need to validate, maybe from a risk perspective: would this solve a certain business risk for my organization if I implement or invest in just-in-time access, and what are the expenses for that?
How much do I have to invest, and things like that, to get a good understanding and a good level of maturity to mitigate the risk. So this is the overall process then. Okay, so I closed the questions now; you should not be able to, it will change, we know, but at least the tendency is pretty much clear. And with that we have gone through 24, 25 capabilities. As Phillip mentioned at the beginning, these are only the core capabilities.
We also have the extended capabilities, something like PKI, public key infrastructure stuff, fraud reduction platforms, maybe also secure information sharing and API security and management. So this is for identity and access management; this is our reference architecture. We also have a bigger picture which includes all the other topics around cybersecurity. Then it's called the cybersecurity reference architecture, which then also highlights topics like information security and all the topics around detection, response and recovery that are necessary to really run a whole organization.
But identity and access management is really straightforwardly focused here. Also integration topics like the famous email provisioning of entitlements, which could also be done with some kind of service management, ITSM tool; I mentioned that. And also CM saw and risk management is usually, in organizations, the driver or the starting point, or should be, for doing all that stuff here. So identifying the most critical processes, assets, and how can I secure them? Implementing controls if you follow some ISO standards or whatever. So this is usually the journey.
Yeah, and that is only for, I mean we have more of those IAM reference architectures also for other types of identities, especially privileged and consumers. So we are not covering all the IAM parts with just this identity, with this reference architecture. But you can use this reference architecture also for covering some of the aspects for other identity types. I mean we were talking about privileged a little bit. We can also talk about consumers a little bit, but we have dedicated fabrics and reference architecture documents for that. Good. Anything to add at this point?
So we can proceed with the next slides around getting to a roadmap. So this is why we are here, the last 30 minutes, to get a better understanding of how we get to a roadmap, how we build our roadmap based on that. Of course, in a workshop this happens a little bit more in a dialogue based on discussions.
Okay, so we lost the slide obviously, but the idea of that slide is pretty easy. So you had the handouts that we have given you. You have entered your priority, you have entered the coverage. And what we have done in the background, thanks to Martin, we have entered the main priority and coverage for each of the capabilities here. So this is the highest value for each capability, so that we can see, we have an example that we can work with. Yours should look pretty much the same. So you don't need to take pictures; you have it, and now we can start deriving information from it.
So Christopher mentioned that already earlier when he was looking at the polls. The idea is, the first step would be to identify gaps, and gaps are everywhere where we have a high priority and a low coverage. I mean we have the average values here, so that might not be the best way to do that, but we can try that. So where do we have one? So we have, in analytics and risk, access analytics. We have there high and a coverage of 35%.
So that could be an indicator that we need to talk about access analytics, that maybe just the reporting is working, but you are missing some AI tools and tooling to get better control of what is happening in the access governance department. I mean the next one would be user and entity behavior analytics. We have there medium priority but only 15% coverage. So this is also a topic we could go into and check what we can do in there. The other topics are, for example, high priority and high coverage. So I mean those are the first three topics.
For example, directory service, identity information quality management, and also onboarding and identity vetting, with a high priority and a high coverage. You are on the right way probably, right? And for you, the next task would be to take your own handout, where you have your priority and your coverage, and identify those capabilities that have that gap. So this is where you want to work on in the next, probably, years, to be honest, and improve.
Yeah, for authorization we have that here: three times high priority, low coverage. So those are obviously topics on average that we, as the audience in general, want to work on. All of those numbers go into a readiness assessment usually, so that you have that for the management all in a single view.
I have left that in here, the extended and integration parts, to show you there's more in the identity fabrics than just the core IAM parts, so that you get an idea of what you can derive at the end. For core IAM we have entered the numbers just as an example; I'm pretty sure it's not what the real numbers are, or at least based on what Martin was able to do in the last minutes. But in a workshop we can derive the actual numbers from what we have learned in the workshops and discuss together, so that you get real priority and coverage values here for high, medium and low.
And also based on the columns and the functional topics here. That's the idea of the readiness assessment. Any questions on that? Good. Anything to add? Depends on the next slide. Nope. Also one point to add, because usually when we do this with our customers, onsite or remote, this is exactly the moment you are tired; you talk usually 6, 7, 8 hours about priorities.
Then, most of the time, we have an additional workshop and then it's again about validating those results. Like I mentioned during the session, everything has criticality or priority high. If everything is high, you cannot work with that. And sometimes it is necessary to break or drill this down a little bit more. We as analysts, we love something like a scattergram, where we have two dimensions, priority and coverage, and identifying big wins, something like that.
But you could also use, and this is what you might realize, that sometimes that impact or risk or whatever, you do not necessarily need to talk about priority and coverage. You could also use other attributes, like how much is the risk mitigation of this? Having something like, I don't know, access management is no good example; access governance, how big is the risk mitigation of that? And then you can sometimes add additional layers, additional attributes that help you to prioritize and see what the next steps are. And this is then really a very dynamic and interactive format.
Usually we try to build it together with the customer, or, here in that case, you can build it by yourself and identify and ask yourself how to proceed. Okay, Phillip. Good. I mean we can also see here that we have right now no capability that is rated at low priority, right? I mean that should not happen when we are doing that workshop with a customer. Not everything can be important, obviously. This is why we've taken average values here. Exactly.
I think that's one thing I also noted when I looked at the results: not having a low priority is very uncommon. Usually there are some parts where you say, okay, I really don't need them in my environment, or I don't need them urgently in my environment. So with the huge attendance here and online, this is a bit more towards medium and high and towards an average than in most single customer analyses. Exactly.
And we are seeing here the perfect reference architecture and rating over all of your organizations. So from small to big organizations, it's clear that almost everything is in the end somehow important. Good. So how do I get to a roadmap from that? Or what can I do with that IAM readiness assessment, first of all? Now let's assume we have taken that full workshop. We have all the capabilities rated, over 40 results here.
The full picture. This is usually, depending on how you do that, a status quo picture. I mean we have the priorities of course, but mainly we are looking at what you have right now, and we are maybe exploring a little bit where you want to go. But the readiness assessment can be enhanced by additional, let's say, objectives, by additional objects like, and this is what we have here in the second column, a target state or target architecture.
So it's one thing to say, when we are looking at a certain capability, I have that, that and that, and I would like to go in that direction, but it's a different one to say in five years my whole identity fabric should look like that, right? So what we have done right now is, more or less, we have assembled the status quo that we have today in your organizations and the direction that you want to go with the priority. If we think about the target picture in five years, we get a timeline on that, right?
Another thing how we can enhance that picture, the status quo picture, is by adding people to it. So how is my organization organized in that capability? Saying, for example, I have a high priority when it comes to entitlement management, but I have only three people doing that. They will probably, depending on the number of identities that you have, be drowning in service topics. So how do you proceed? You can say that is a high priority topic and you are on a maturity level of 20%, but when you have only three people working on it, you will probably never leave the 20%.
I mean, who can do that? I mean if you have just 10 identities, yeah, okay, you can do that with three people. But let's assume you have thousands of identities, also probably hundreds of applications and permissions within that; you will probably not move forward. And this is where the target operating model is one interesting aspect, when you add people, but also when you define how your organization is working in the IAM space in general.
So meaning, is it working in a decentralized manner with lots of local applications, lots of local teams doing the administration on their own, or do you have a central organization where you have one IAM department, one IAM team that is defining policies and doing all the administration stuff and providing it to the decentralized teams to operationalize? So those are the possibilities that you have to enhance the point where we are right now with the readiness assessment. And when you have done that, you can do lots of different stuff with that.
So I've listed that on the right. So you can define your IAM roadmap. So that is at least the title that we had for that workshop. When you have the status quo, where we are today, and you have a target state, a target architecture where you want to be in five years, with or without a target operating model on that, doesn't matter, you have two points: where am I now, where do I want to go. And all in between, that gap that wants to be filled, that is your roadmap, right?
I mean we will come to that on the next slide. So I will skip that a little bit here at this point to explain it on the next slide. But what you can also do, when you know that you want to move in a certain direction, and you know where we are today and you know where you want to go in the future, you can talk about tools; you can actually talk about tools at that point, not just tool types. You can talk about vendors, and this is where the selection of new tools or the exchange of existing tools can come into play.
Am I able to fulfill the requirements that I have today with the tools that I have today in five years? Easy question, but hard to answer, sometimes at least, and this is where we can think about this exchange. So the identity fabrics give you a perfect structure to discuss those tools. You can also investigate if you have too many tools in a certain area. So that's at least an interesting thing. What we also can do is improvements and activities, and plan activities as projects.
Again, the same game as for the selection and exchange of tools, but without the tools part. So we can discuss: where am I, where do I want to go in five years and 10 years and 15 years? Maybe that's a little bit long in the future. And think about processes or functional stuff that I want to improve. Are my processes good enough to work for trends that are kicking in in five years, for example?
So the COVID time was a perfect example. Are my HR and onboarding processes good enough to work in the future?
I mean we all have experienced that. So how fast can an organization switch from onsite processes to digital processes? That can happen again probably, or if my organization is growing a lot, I need to prepare my processes for that.
It's the same thing that we are observing with policy-based access control. This is a topic, in combination with zero trust, that we need to get prepared for in the future. Benchmarking, I mean, I think that's kind of an obvious one.
If you sit next to each other, you can compare your numbers and you can probably learn from each other. So that is, I think, I don't need to explain much more on that. And one operational thing that is interesting is, with that status quo and target architecture, you can also start supporting your M&A section. So buying new companies, or if you want to split your company, you can easily do that from having that insight into your organization with the status quo and the target architecture. Good. Perfect.
And a short interruption, because Martin is a very busy guy at this EIC conference. Thank you very much, Martin. He has to leave and he needs some ice for his fingers to cool down a little bit. Thank you, Martin. So still eight minutes, no, 30 minutes left. Sorry for interrupting.
I mean, Martin is missing the best part. So I said I would skip the roadmap part a little bit because I will get to that right now. The idea of the roadmap is really to use the status quo and the target architecture to derive the gap, and with that gap to start assembling a roadmap. And the roadmap is all about that gap. So you have the priority on your list, you have the maturity on your list, and now it's up to you to decide which of the topics are your gap as an organization: what is important, what needs to be done, where are you good, where are you not good.
This is highly individual. I mean we can obviously not solve that for all of you here on the screen. But the idea is really to say, I have a couple of topics here like identity lifecycle management, access governance. I have just taken some of the capabilities, and you can say, okay, is that a small gap for me or not? That depends a little bit on your priority and your maturity, and you can add them together. And by doing so, you want to define the gap to close it. Obviously the size of the gap is very important when it comes to that.
And to get from that gap to a roadmap, you need a couple of items. And this is what I've displayed here on the bottom half of the slide. So with that gap, you want to define measurable goals.
So how am I able to close that gap? Yeah, the easiest example would be within entitlement management, when I say I don't have any roles. So, very easy example, an objective would be: I want to add roles for 100 applications. So this is a measurable goal, 100 applications, and I want application roles. The problem is, I have not defined when I want to do that and how much it would cost me. And this is what I have on the right side. So I need a reliable timeline; that would add obviously the timeline aspect.
So I could say I want to add roles for a hundred applications within the next two years. So that would be your timeline. You also want to define specific actions, because that measurable goal is good.
And every manager would say, okay, that's a good goal, let's go for that. But as an IAM engineer, you definitely know that adding roles to an application is more than just defining the goal, right? So you need to make sure that you have the right people on board, that you have involved all the stakeholders, that you have the templates, you have the tooling that you need for that. So the next step would be to define specific actions within that timeframe that you have defined to get to that objective. So I mean we know that as milestone definition, more or less.
And when you have that, you have a goal, you have your milestones, your specific actions, you have all the people that you need to achieve that goal, and you have a timeline, a reliable timeline. In the best case you can start thinking about money. And this is the last thing you might need to get to a roadmap. Sometimes it's the other way around: you define the first three, get your roadmap, and afterwards we talk about money. But this is the general idea. When you have that, you can pretty much put it all on the list.
You can define the timeline, you can think about the activities, the tasks. I have done that at a very high level here, so that you can say, okay, for entitlement management, which is the third row here, I can assemble the roles for the 100 applications within 2024 Q1, Q2. And afterwards we talk about money, and this is pretty much how you get to your roadmap. Depending on how many activities and tasks you have, that picture gets much bigger. There are many more stakeholders involved, because at some point you need to also talk about stakeholders.
But not yet on the IAM roadmap. That is when you start setting up the projects behind that. And depending on how you scope such a project or program, you have multiple phases which rely on each other. Anything to add? Oh sure. But we don't have any time. I mean, the question is more or less... Thank you very much, Phillip. If one of you has some question, we have a few minutes left. Something that you want to know, something that is unclear. Otherwise, as Martin mentioned multiple times, just talk to us. We are here the full week.
We have our own booth, we have LinkedIn and all the options you want to use to get in touch, with our email addresses. Oh, right, email. Cool.
Yeah, how legacy, okay, perfect. If there are no further questions, most of the questions are answered by Martin in the chat, even regarding the slides and the detailed slides; we will upload these at the end of the day, this is what I can promise you. And if there are no further questions, the main conference will start at 1:30 in the, how is it called?
And I would say, I wanted to say have a good day, but obviously there's... So we have one question.

Speaker 25 03:26:57 Just a small one, because that's what I heard earlier. It's super great to have the analyst part of it to understand the kind of high level; the challenge is choosing the tool.

Yeah.

Speaker 25 03:27:10 Finding the actual solution.

That's...

Speaker 25 03:27:13 A pretty good question, and didn't pay.

That's where...

Speaker 25 03:27:15 We're struggling.

That's a pretty good question. And we didn't pay him for them. So KuppingerCole has an analyst part. They are creating, like Paul for instance, Leadership Compasses; they create detailed rating comparisons of different tools for all of these areas and help you, if you want, in finding the right tool, designing the right architecture, prioritizing. This is part of what we do.
The advisory part of KuppingerCole, and we are happy to support here as well. Yeah, and we have multiple sessions also here at the EIC that give insight into those market segments. So if you're interested in a certain capability and in a certain market, keep your eyes open. There might be a session on that.
If not, we might have some research on our homepage. And if that is also not the case, ask us. Maybe we have some insights, and if that is not helping you, we might create some, I don't know. Martin will answer that.
Okay, and with that, thank you very much for participating. Have a good day.