Legacy Enterprise IAM/IAG Transformation

We are still a bit early, but that doesn't keep me from a giving a quick introduction. We are continuing our dis discussion around legacy enterprise, IM I A G transformation. So this situation is that you have something in place, you want to do something, you try to identify doing the right thing, how to prioritize and how to do it correctly. So that is the idea that I see that is the topic of that. A quick warning to all of us, including me, we just have 20 minutes. So concise short answers will give you, give us more chance to cover more topics and that will be great. So I think we are done right now. So my first task would be to the usual introduction. I would like to kindly quickly introduce yourself, who you are, where you're from, and the first statement about transforming an existing I A J i I A g i G a I A M. Sorry for having talked a lot today and what is your stance about that and where you are standing. So just 30, 45 seconds, one round starting with Martin please.
My name is Martin Sand. I'm the product owner for, IM at inter Ikea and I've done a lot of these migrations over the last 20 years. I think the main things to lesson learned is don't, again, too much cope. Try to figure out something you can deliver with not too much effort that looks nice and solves a business problem so the business gets excited about your new project. And third thing is be very careful with all data. There's often a lot of trolls hunting on those bridges.
Hi, I'm Krishna. I'm working as a solution to design owner and Corona with 17 years of experience and have an experience of this kind of legacy transformation for enterprise application. And while I agree with most of the points and one more point which I want to add is that document what are must, must have and what are good to have from a business perspective and then try to see how this can be implemented while transforming.
Thank you.
Hello, my name is to Nebu. I'm from Vik, founding founder and manager and also still blue collar worker for my own company cuz I'd just like to do that. We did a lot of migrations in past 23, 23 years now and yeah, there are many ways to picture the, the, the ways to transform and I think we were, yeah, a few of them maybe including the elephant. Yeah,
So my name is Patrick Shirai. I'm head architect for cybersecurity and IAM in sweat bank. My main, of course, I said all of my lessons learn already revealed, but the main one is make it a business concert. So business might must have a concern regarding that and make sure, you know, why are you doing this transformation. And of course speed up. That's the last thing.
Okay, thank you very much. First of all, just one addition. If there are questions in the room, please raise them this time via the app they will arrive at at Phillips iPad and he can raise them to me or kick me or throw things at me. The same is true for the online audience. Please, if you have questions, please raise them and we will, we'll try to weave them into the discussion as well. So it's not only me having bright questions here, it's really about discussion right now. So, and maybe starting out with a statement that you just said, when when you try to identify the areas where, where you want to start working and you want to align it with something that is business related and have business on board, where would you start finding the right solutions where you can really provide value? Maybe starting with you toten
Partly, I think Martin already mentioned that you might have the so-called low-hanging fruits to, to start with. So where you really see quick and and easy success. Another way would be to, to check for bank wagon projects in the, in the company where just say, okay, I know this happens, I can use that opportunity to update parts of my my elements. And the next question then is what, what, what are the parts of that? And we have the story of the elephant and I'm sorry for the maybe I I I steal the picture right now from, from someone. The question is how do you eat, how do you eat an elephant? And that's just simply piece by piece, right? And the, what you should have is a kind of plan, a picture, a strategy on where you cut. So just like the different kinds of steaks for different area. Sorry for vegans and vegetarians, I have to use that picture now.
Other thoughts on that?
I can, I cannot. One thing, you know in your organization look for two things. Who has the most priority right now? You might have a very important initiative going on for, for example, having a new platform for development and it is highly prioritized. So go for that and prove them that you can be a very good business enabler for them. And also look for who has more money, you know, they can help you.
That's
True Martin.
Yeah, definitely. The, the money and the, the pain part. If you can solve a, if you somehow can, can start your, your enterprise change project by solving a problem for either for someone who has a lot of money or a problem that has a lot of pain distributor organization without having to change the core of your IM system, you can usually build a goodwill that will kind of pull you through the, the transformation later. If you try to start with a huge transformation technology driven, you will usually end up in, or unless you're very, very good and very, very lucky, you end up in a situation where your, your practice killed because there's no goodwill.
Right. Okay. You want to add something or? Yep, please.
Yeah, while you understand this pain points, it's also good to note that what kind of issues you're going to solve in going to this new system. Like for example, I have these many members in the operations teams who are doing some manual provisioning activity and will my new system do these kind of auto connections are do auto operating things. So it's better to understand these things and then start these kind of transformation.
Okay. Lots of good questions here, but I can continue with one because that leads nicely over here. You said you need, sorry, I don't need to point a thing in. Sorry. You said you need to have a plan. You said money is a good thing to have. You said technology transformation. What helps you in creating that plan? What, what is what how as an architect, we as analysts we are talk as advisors, we're talking to companies and they say we want to modernize our Im, but where to start? What, what, what defines such a plan? Maybe Krishna you start. Yes.
So it depends on the business problem which you're trying to resolve. So the legacy system is having lot of issues in terms of performance and in terms of SLA deviations. And if I select a system which is going to resolve these kind of issues, how do I, where do I start with this? Is it the analysis part which I need to do on whether this new system is going to have the same performance or is it going to improve based on the number of users I have and the number of roles or number of applications I have? So I'll start with the analysis of those things and then proceed.
Great. Other thoughts? Martin,
I think for my, if you'll take on your architecture hat, actually starting with the cupping, a coal reference architecture is a great idea. And see, okay, I have all of these areas where can I, what need do I need to change when and plan, you know, two, three, perhaps even four years out. Obviously your plans are with 99% chance they're not gonna be correct, but at least if there's some kind of plan that makes the decision and discussions much more clearer. And you know, sometimes it's all about, you know, putting a plan in place and then everyone goes like, okay, we have a plan, let's follow that one.
Right. So really just making facts, creating facts. Other thoughts?
I can tell something. You know, when I was working as security architect, a colleague asking everything's fine and I said, you know, whenever you see me it means something is not fine. At least there is another role in organizations that has the same effect and that's risk officers. So legacy brings risks. Make sure that you are identifying those risks that are really impactful for your organization and then leave it to some risk people. They will help you
At least in, in, in defining a milestone plan. Sure. And that is exactly 1, 1, 1 of the questions that I just received from the, from the audience, I don't know where it comes from and we even have up votes for this question, which is I've never seen that before. The question is how the hec do you succeed in making Im in this transformation, a business concern? I think risk is a good point. How else get your business on board so that you really have the visibility, the support, but also the liability to business. What, what would be good steps to involve them to to wake them up? Anybody? Volunteering, trusting
Security. Security and security. I think that's the main part. Just the cost of of, of, of failing, of, of breach, of other stuff. This is in my opinion the main driver for that. And you need a good team to transport that. And this is something I would like to just add to the former question. What you really need to have and what you need to make sure is value your team. This is especially important if you have a bigger approach on your journey on the transformation I was facing, I was working, I had to work in a project where really failed two times just because of poorly selected teams, which were not able to identify the business use cases. They were just technician, technician, they knew the product, okay, but they don't understand what the business needed and that was a big issue,
Right? Martin.
So I think for this, it's all about understanding your business. So take a concrete example. I used to work for a, a pharma, a biotech. And the biggest business problem that they had was that they needed to get contractors in so they could take care of the bios to make more medicine because we had a, a medicine that was unique globally and the more medicine we could make, the more money we could make. But we had to make sure that these contractors were properly trained and everything was all the paperwork for the, for the FDA was in place. So the business case for the entire IM department was to bring down the number of hours between when we put the usage into the badging system, which was the source for contractors and when they were in the training system so they could actually take the training so they could get anywhere within 50 meters from the bay directors. And if you can identify these kind of, you know, this is my problem, it was very measurable and we could finance the entire department on getting down that number because they were hiring hundreds upon hundreds of people accosted, you know, thousands of euros per day. In in, in just cost for the person.
Yeah, I think what we've just done, we've moved away from technology, we've moved away from architecture, we've moved to problem solving and and you've mentioned that that transf transformation, IM transformation always needs to be related and involved and entangled with business transformation. I think this is exactly what we are talking about right now.
Yes. And I can add a point, you know, it is not surprising that many times you see architects are living in the wrong world. You know, decoupled a bit from companies strategy. So you know, listen to your CTO carefully and whatever he says or she says, just asking him or her, okay, do you know that how IAM is important in this direction because CTOs knows your technology roadmap quite well, technology strategy quite well. Then try to see how you can help them, you know, don't live in your own world.
Right. Any other thoughts on that? Otherwise I, I would challenge the security part. It's not only security, it it is of course, but usually this is a bank, ikea, I don't know, but regulations, audits, I, I think you have a bank somewhere hidden in IKEA as well. So I assume auditors findings could be also a good way of pushing. I am transformation, couldn't it?
Yeah, audit finding is always a, a good way to get people to wake up and you know, all, all kinds of privacy issues also are very useful to make people actually realize that this is important.
Yeah. Quote unquote useful. But yes. Any other thoughts when it comes to, yeah, failing visibly when it comes to conducting an IM program and to say, okay, yeah, I know we have issues, there are pain points, there are really, yeah, there's pain involved. That could be a good starting point and then taking a step back and, and getting to a more improved architecture. Do you see that in reality often? I think trust you do lots of these proj projects as well and and you've seen that from, from real life experience in your own, in your own companies. Is, is this an approach that can help in in establishing an, an overall transformation strategy?
If you have the seed level on a level where they really identify that security and auditing for me is auditing is part of security in my eyes or you can define it that way. It's if you have them on board, it's really more easily to do. And what I have seen in one of our, I think it's 15 years ago, we created a big slide and I think a zero poster of the landscape. We had a B in the identity and access management world and it was finally done and was very good and, and and the CTO came in and the office said, oh my god, now I understand what you're doing and that is an important part. You need to have that support,
Right, but visibility. One final question before we already have to have to wrap it up. Even with short answers, this doesn't help, it's just 20 minutes, but gaining visibility, you said low hanging fruits show that you're successful, show really that you deliver to the business, to the employees, to anybody who's willing to accept the update and the improvement. How do you measure, how, how, how do you consider KPIs as a measure of means to saying, okay, yeah we are improving, we can show it the big picture, the poster, some, some example KPIs saying yeah, we are getting better. Is this something that you've used and that you've seen proving successful? Maybe starting with you Patrick.
You know, I had my master thesis on dashboards and KPIs and you know, good one. One of the things that people complained a lot was that when I interviewed more than 10 people is that we don't understand any story behind these dashboards and gaze, you know, and read. I don't know, is it good or bad? 5,000, is it good or bad? You know, find the story behind it so the organization believes you otherwise just KPIs doesn't matter really.
Right? Other thoughts around KPIs? Ks,
For most of our, our CU customers, it's the same. KPIs are mainly used for example, for data quality audits or or visibility to see okay, we might have a problem with that flow over here and then take action from that.
The visibility, which I see is user experience, user cannot wait for one day to have a access after joining. You cannot wait for one or two days to get your email IDs. I've seen systems from there and how it is being done in within two hours. So improvement, improvements in user experience. Okay,
Thank you.
Plumber PKIs tends to be very easy to understand, you know, how many days, how many percentage of your users do you provision within two days or three hours depending on what kind of business you're in. So that this then it's very clear what you're measuring and how you're improving.
Is two days good or bad?
Depends on what business you're in.
Depends. When you say depends, it means you need to compare with something so it tells a story, you know. Hmm. That's my point.
Okay. We have to close down final round. We have talked lot about hanging fruits, business involvement. If you have one or two key take aways, 30 seconds that you would like to hand over to those who are starting their I am transformation tomorrow, what would be your recommendation? Maybe starting with Patrick?
Yes. Takeaway, prioritize CT O and C i, CT and CIO first, then go for technology and focus on changing the mindset.
Okay, great. Thank you. To
Start now to build your plan, to cut the elephant to know where your places are, where you can, can split pieces, plan for re island plan for breaking points where you can break up your thing if you would like to do that. And that allows you to, to simplify your, your architecture.
Have business team who understands the current process end to end and who can measure how it is being transformed afterwards to fine tune.
Do not forget about the data when you, when you do the transformation, if you only focus on your processes, you will discover lots of evil things are sitting in your systems.
Great. Thank you very much. Martin Krishna Toton. Patrick, thank you very much for this discussion. This was the first time that I moderated the panel that everybody held to the 30 seconds for the final statement. This is the reason why we are one Mint early. Nevertheless, have a great lunch. Thank you very much for your participation. Thank you.