Webinar Recording

How to Make Your IAM Program a Success



The best way to ensure the success of your company’s IAM program is to follow in the footsteps of organizations whose programs have proven successful, learn from their leading IAM experts and avoid common mistakes.
KuppingerCole has compiled a list of recommendations and best practices based on a series of interviews with enterprise security architects, IAM leads, CISOs and other executives from a number of large enterprise organizations in different industries across the globe.

Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, How to Make Your IAM Program a Success: Recommendations from the Field. This webinar is supported by One Identity. The speakers today are who is a system engineer at Munich Re; Paul Walker, who is technical director, One Identity; and me, Martin Kuppinger. I'm founder and principal analyst. Unfortunately, Tom goon can't attend on short notice. He intended to speak as well. He's the associate director of IST security at Texas A&M University. So let's quickly move forward. Some information about us and One Identity first, and then we'll directly dive into the topic of today, which is about what are the challenges you're facing in IAM programs and how to deal with them, and what are our recommendations to make your program a success. So KuppingerCole itself is an analyst company. We have been founded back in 2004, offering neutral advice, expertise, thought leadership and information from the field on information security and general identity and access management, governance, risk management, and all areas concerning the digital transformation. As I've said, this webinar is supported by One Identity, and Paul, maybe you wanna say a few words about One Identity.
Thank you, Martin. Hello everybody. Well, here at One Identity, a Quest Software business, we help organizations get identity and access management right, using a combination of offerings from identity governance, access management, and privilege management. We've over seven and a half thousand customers worldwide that depend on our solutions to manage more than, you know, 130 million identities. You can find us online at oneidentity.com, as well as on social media and our YouTube channel, which is One Identity. Thanks, Martin, to you.
Thank you, Paul. One sort of background to this webinar: we have compiled a point of view paper for One Identity. So it's a One Identity paper. We have supported One Identity, Journey to IAM Success. You can access this document via the One Identity website or via our website for free. It compiles the insights of a couple of practitioners, including world square, including several others, which we put together to really bring a good condensed view of the experience from the field on how to make your IAM program a success. So don't miss to download this document. I think it's a very helpful add-on beyond what we are discussing today. So some guidelines for the webinar: you are muted centrally, so you don't have to mute or unmute yourself. You're controlling these features. We are recording the webinar and we'll make the podcast recording available, I assume, by tomorrow. And there will be a Q&A session at the end. So you can enter your questions at any time and we will try our best to provide you with good answers on these. I strongly recommend that you enter questions really once they come to your mind, so that we have a comprehensive, a good long list of questions available by the end of the webinar and a lively Q&A session.
So the agenda for today: I will very quickly look at the challenges companies are facing when planning their IAM program, and then Wolfgang and Paul and me will discuss Dean add into the organizational and technical details of successful IAM programs and deliver our recommendations to you. In the third part, we will then do the Q&A session. So this is the plan for today's webinar. Let's directly start. So let's look at five common reasons why IAM programs might struggle. And so really looking at what we, and also we at KuppingerCole, but also the various practitioners I've been interviewing over the last month, have been observing at organizations when they looked at why, where IAM programs are struggling. And sometimes that happens. So one of the big things obviously is lack of stakeholder buy-in. So trying to run a complex cross-divisional program without support by stakeholders, it's a risk, it's a big chance to get in trouble, to kick off a program to succeed. That's the point we definitely will touch more in detail over the next couple of minutes during this webinar, but this is obviously one of the other very important reasons. So if the program is too big, if you promise too much in a too short period of time, the risk of failing is high. And that's what we frequently see.
The maybe most important element is too much emphasis on technology, too little on processes and people. Identity management involves technology, but it's not a pure and not even a primarily technology program. It's very much about guidelines, policies, having the right people on board, getting your business organization to understand what you're doing, why you're doing it, why they need to support you. All these things, defining the processes, only then you will be successful. If you don't demonstrate quick wins, you're in trouble as well. So you must demonstrate quick wins, and one of the things I like always to emphasize is think in KPIs. So in key performance indicators, define what you want to measure, what you can measure, where you can then demonstrate your achievements, your advancements in your program. So look and think about KPIs. For instance, how did you change the number of orphaned accounts or reduce the number of orphaned accounts? Did you succeed in making certain process of onboarding new employees faster? These are all things you can measure, where you can define it in performance indicator, where you can demonstrate success. I believe Paul, you have also some strong views and opinions on that.
Absolutely, Martin. You know, the KPIs prove the project is on track, and it's all about demonstrating that alignment to the business. They provide a guideline on, you know, how far down the journey we actually are. You know, each KPI needs an owner. It needs to be measured, needs to have a reporting, escalation and control process. Many of the products out there have dashboards and reports. It's about finding which ones prove to the business that the project is actually on track. Back to you, Martin.
Okay, thank you. And to bring up one fifth reason that is frequent, and this is to some extent related to the too much emphasis on technology. It's not only that, that's what you frequently see, there's too much emphasis on technology. So I buy a tool and it will work. But it's also that I buy a tool for a certain problem without looking at what is the bigger problem here. And that one tool might be really good for solving a piece of the challenge you're facing, but it might turn out that if you look at the broader challenge, the next steps you have to do, that it led you into a dead-end road. And so think about what is your view on identity. Where does it need to be in a couple of years from now? What is your strategy?
What's your blueprint? This is not an analyst work. That must not take you a year. That must not take you even six months. It must be done pretty fast. It can be done pretty fast. It's a high-level thing, but it gives you the picture of what are the things you need to do and in which order, which are the elements and all that stuff. And then you ideally have to underpin it by architecture, by understanding your use cases, capabilities that building blocks, but work on that. Having a big picture first before you start doing small steps. And so from that, right now, let's move into the discussion we want to have during the webinar with Wolfgang and Paul, about our recommendations for the IAM program, for setting up the organization, and also about the upcoming trends in IAM. And so we put together eight recommendations for running a successful IAM program.
And I, again, I want to highlight the white paper, which has been delivered or prepared based on this, delivered by One Identity. And by the way, we also want to highlight, I touched on some of the things we do with One Identity, One Identity will also be one of the Latin responses that our upcoming European Identity Conference in May. But let's look at these recommendations here. So what are our recommendations here? And the first one we put together is know your stakeholders and get their buy-in. Maybe Wolfgang, you wanna bring in a little bit of your perspective on that? Oops, and truly my mistake. Wolfgang, right now it should work.
Okay. So now I'm unmuted. Yes. This is very important because you have really to satisfy your stakeholders in the end. And also, as in every project, there are maybe, you are facing some issues, some problems which you have to solve, especially with the right stakeholders. And especially in our implementation project, we had really strong buy-in, at least from one major stakeholder. And this really makes the decisions quite faster in this project, because we have really one fixed session once in a week. And in this session we discussed all open issues and get some real feedback, and this was very good for the entire project because all of the further steps really could be discussed and finalized in the end quickly.
Okay. Thank you. Thank you both. And I think this is really one of the important things: you need the support, you need the backing, and you need the contact to these people, particularly when things are sometimes, you know, when some things don't run as expected. That always happens in the program. Then it's very important to have this backing by the stakeholder and by the entire project team. So the second recommendation we want to give, and they, we compiled from the view of the practitioners and it's one that everyone raised, it's slice the elephant. So don't try to run a too big program. If the program is too big, it's very likely that you will fail. And I think this is really very important to keep in mind. Don't try to and to do everything at the right time. And it's related, and I think then we can maybe talk a little bit with Paul about that, to set the expectations right here. So sometimes the expectation is, oh, you do this IAM program, a big thing, and everything is available very soon because you weren't very clear in that. Maybe Paul, what is your view on how to really communicate that? How to slice the broker set expectations.
Yeah. Thanks, Martin. We've seen a lot of customers, with the GDPR date coming up pretty soon now, we've seen a lot of customers almost panic and issue tenders which cover many aspects of identity, and talking to them, they almost want to start everything all at the same time. And you need to look at how mature your organization is, how it can adapt to change, and what the historical success to change has been within the company. Setting the right expectations is key. You know, start with the key wins, but also run your project like a product itself. You know, you need to socialize the success almost like in an agile manner, regularly with the stakeholders and the business. It's about education. Not everybody gets what, you know, security is all about. So you need to bring the business in, bring the LOB and the end users in and regularly socialize the success, you know, provide demonstrations, education, education, education, as to why identity, you know, reduces your risk footprint in an organization. Thanks a lot.
Yeah. And be realistic. I remember a couple of years ago I received, sometime, it was late August, I received a call from a company which said, okay, we want to have identity management running by the end of the year. Where it was very clear that will not work that way. So it wasn't clear, not even the type of the animal was clear. So is it an elephant or is it something else, totally different? The expectations were totally unrealistic and this is something which can't work. And I think what Paul already raised is win quickly and show it. So an IAM program, particularly if you're talking not only about a single project in the program, but the IAM program, then it's a multiyear exercise. And if you say, okay, I need four years and a couple of millions until I'm done, and you don't demonstrate your progress over the time, then at some point you will be in trouble. The management will raise questions. Obviously it's very important to win quickly and show it. And as Paul just said, educate. What were the sort of quick wins, the most important ones you demonstrated in your projects?
Okay. Maybe somebody's now laughing. But I think the first quick win was in the project that we really delivered and provisioned an SAP user account in a specific SAP system. And this was done after four months of the project. And I think this really showed everybody this IAM project is really delivering. That is some kind of a real use case. And even the business guys were quite impressed that now they have really, or are able to request just an account, and then of course entitlements, just quickly in a self-service portal, and just after seconds, after the last approval, it gets provisioned and they have received an email in the mailbox with the password in the end. And I think with this success, we really could go on further, even to add more target systems to our solution step by step. And this was very important because just before, I think most of the business guys were a little bit, how can I say, maybe a little bit not really convinced that this will ever really happen, that this kind of IAM solution will reduce a provisioning, automatic provisioning drop the, this thoughts. Very good for us for the project.
Okay. Paul, do you have also some of the, of experiences on which, and I think it's, it's a good one because it's really demonstrated and direct value to the business, people, Paul, any, any, any from your experience you say, which are good, good areas to show quick win.
I mean, when you look at identity management, and some people say, you know, we don't have an identity problem, but you look at yourself and, you know, your day-to-day life, we all have identity management problems, right? And typically the most frustrating use case anybody has, whether they're in a corporate world or else on the internet, is passwords. And I know for the practitioners out there and the people with years of experience who may be listening, it might be pretty dull and not very interesting, but for the normal end user, you know, providing effective single sign-on using federation or form fill or whatever technology meets the business need, that's a really big thing for users, right? Makes the life a lot easier day to day. And then they feel more comfortable. You've improved security, and you can move on to more interesting use cases. But to the business, that's a really visible use case.
Make the of your friend absolutely thing he has to do day by day is signing on, and help him changing his password. So the typical frustrating situation a lot of organizations have is people coming back from their vacation, or people being required to sign in once a month into their SAP working time control system and not remembering the password. Make it easy to get back to work and don't make it a frustrating experience. And then you have a positive image. Absolutely. Right. Okay. Understand the problem areas. I think this is another important thing. So what are the real problems for the business? So what are the use cases? This is from my perspective also very, very important. And that goes to some extent back to what I've talked before: don't just look at it from a technical perspective, look at what are the challenges the people have in their daily business. Another recommendation is ensure you have the right resources in hand. Paul, you already talked about people, more from educating the people, but I think there's another area of education which helps you having the right resources in hand.
Well, absolutely. I mean, you will have different people come into the project at different times, but there's always one or maybe more than one person, but typically in my experience it's one person that becomes your, you know, in quotes, your hero, right, for the company. And this person could be internal, they could be external, but they're really at the forefront of the project. They understand the business needs. They can talk to the stakeholders, they may own the budget, but they can also manage the vendor or vendors and they bring the whole project together. And if that person's not identified, then in my experience there's a challenge, cuz these things don't succeed by committee. There needs to be a core IAM team in the organization that fulfills all the needs of the project, but can manage many elements at the same time.
What does the team in your organization look like?
So we have at least two teams. So one team is responsible for the service. So the, really the delivering of, well, it's responsible for the operation of the productive side. So really handling incidents and corrections from the people. And the second team is really the development team, which is continuously adding new functionalities into the tool. And then we have two internals who are really driving the product and the service forward.
Okay. Thank you. Another important recommendation we collected, that fits one of the things I always observe, is define processes. Define the processes within identity management, so that for instance your integrator knows what he really needs to do. What is the flow of information? It helps you understanding, do you have too many approvers? Are these things right? It puts you into these discussions, but it also is about defining the processes, for instance, to HR. And maybe you also have some of the experience around how important is it for your IAM program to be in touch with particularly these people who deliver information to you?
Oh, so this is absolutely key. And I would really say, define your processes first and try to unique, similar to, to make it really that you have just one process for maybe requesting an account, requesting entitlements. And especially for the HR department it's very, very important, because this is a key source for user information, at least here in Munich Re. So every user has to have first his HR record, and also some kind of very important information has to be entered on the HR side. So we have a lot of trainings so that really the HR department knows, if they are changing some attributes on the HR side, that this will have a direct effect on their account side. So our Active Directory, or even in SAP systems. So if they are changing maybe one attribute, an employee will lose his mailbox, for example. And several it's very, very, very important that they know what they are doing or what are the effects on the infrastructure.
Yeah. And I think the point you raise here is it's important that everyone understands the impacts, his own responsibilities. And the split, my experience is that the conversations with HR, when you run them, commonly are smoother than expected. So sometimes there's a fear of, oh, that'll be a very difficult conversation. My experience is that it frequently turns out to be not that difficult because both ends understand, okay, what does it mean and how to split these things. And it needs the flexibility on both ends, but this can be done. And this, from my perspective, is then the thing which is directly related with the final aspect that I want to raise here as a recommendation from the field, which is keep an eye on identity information quality or trust. Think always about garbage in, garbage out. So if the things you bring in are not right, then you will struggle stress them. Paul, I think you also have a strong opinion on that.
Absolutely, Martin. I mean, just like Wolfgang said, changes in HR or changes in an authority system can have a direct impact on people's work experience. Any project that's starting around identity, cleaning up your, and the tools can help here. You don't have to do this in Excel. Although that's one strategy, you can actually use the technology that's out there on the market from the vendors to clean up the data, using policies and rules. If you've got something we call ABAC, which is, you know, attribute-based access control, like Wolfgang was referring to, you know, changing one attribute can have a direct effect. So you need to make sure your data is clean. Just like you said, Martin, garbage in, garbage out.
Okay. So these were our eight main recommendations. As I've said, all of them put together in this white paper you can download for free, our eight recommendations for running a successful IAM program. So most important points here. And if I put this together in sort of an analyst point of view into three or four main items, the one thing is really stakeholder buy-in and well thought-out program planning, is projects of reasonable size demonstrated you quickly, is resource planning and all these things. They are essential for successful programs. The second thing I always emphasize on is processes. Processes must be defined as part of the planning as well. As said, it must be done ahead, so they don't follow the implementation as a documentation, they lead the implementation. So you should put process flow on paper. You should define the process owners, responsibilities and accountabilities, the information quality and things like that.
I'm a strong believer in setting up a blueprint, showing the building blocks of the future IAM structure, the relationships, which helps you then prioritizing, roadmap planning, et cetera. And yes, it's some time you spend there, but it's a well invested time. It's the same as with processes you define upfront. If you define your processes on paper upfront, you will save the time and money easily by having a leaner phase of implementation of the project, because everyone knows what to do. And I think we touched the KPI part already. KPIs are important because they help you demonstrating tangible success. And that's a very important thing to do. You should be able to really verify that you're moving forward, that you're successful, and KPIs helped C with KPIs. You need to start measuring KPIs before you start implementing the program, because otherwise you have, don't have to the well you to compare your success or your current state with, okay.
So we talked about sort of the general recommendations for running the program. And the other area we discussed intensively, outlined intensively in the white paper, is the IAM organization, also the interplay with external parties. And again, we put together some recommendations here. So right now we will discuss and talk about four recommendations for the setup of the IAM organization. And the first one I wanna bring up here, the first one we have in the white paper, is define the responsibilities in business and in IT. Having said this, a lot of discussion I also had with the various experts from the field was about how can you involve your business? How can you really make this a program that works with the business? Because at the end, the business knows who needs access to what. The business is the one who needs to do the reation. The business is the one who really uses the identity management program. And maybe Wolfgang, you wanna add some of your thoughts on that?
Yeah. So this was also a very important part on our implementation project, and we have defined one, yeah, Excel spreadsheet just to get this kind of interface to the business guys who are responsible for the applications, because they have to add and to define in this kind of Excel spreadsheet which kind of roles are used in the application, and of course who has to approve each role if it gets requested from somebody. And this is for us very important, because this is completely done by the business guys. And we have an automatic process in place which imports these kind of information, and this will steer the complete workflow in IAM. So we are not responsible for finding the right approvers or which kind of roles are used in the application. So this is really the responsibility of the business. And this makes it a lot easier for the team to do its task.
Paul, anything you'd like to add? I totally agree with Wolfgang as always. Okay. I think you said all of it. Yes. Well-thought IAM organization. I think it's another very important point. And what you already touched, the fact that you said, in fact, you have two teams here, and I think that's one important thing. And I come back to this in a second. The other important thing is what I always feel is sometimes underestimated: you should have a plan from the very beginning of moving from a project to a line organization. But maybe Wolfgang, you wanna spend a little time again on this organizational aspects and how you did it, maybe also from project to the line organization, before we continue.
Okay. So I can just talk about our experience, and I think we did everything wrong because we kept too long in this kind of project phase. So, and we just recognized that we want to deliver more functionalities during the project, but didn't get it developed because the developers just have tried to fix some issues in the productive environment. And I think this was then the time to really split up the responsibilities and have really a clear cut and build up some kind of a team which is responsible really for the day-to-day operations, or we call it IAM service, and then the development team. And we really try to have this separation because it makes it easier for the development team to do really their tasks. So really develop new functionalities and bring it to production. And even for the service, it makes it a lot easier because if maybe there are some questions or if something is not working quite right, then they have also a direct contact person, which maybe solves some issue in the end.
Okay. Paul, I don't even need to ask question. You have some yeah. View on that. I think we have, have a lot of experience from the field about exactly that point. And so I ask you to share it with the audience.
Yeah. Well, we've covered a couple of these things already, Martin, but thank you. You know, we need a range of different skills on your project. You need to understand the communicative responsibilities, clearly get everybody's buy-in. We spoke about getting stakeholders' commitment earlier, but if you leave a stakeholder out of the project, if you don't think they're involved and you don't ask them, you know, your project can suspend halfway through. I've seen it with customers where they've left out HR or they've left out particular B from the IAM organization. And then the executives come in and they want to review it for themselves. And everything is suspended and everybody gets frustrated. So you need to get that right from the beginning. And it needs to be an ongoing commitment as well from the business. We've seen projects that haven't had the right priority because maybe it's seen as an IT project. And it's not an IT project. These things are key for digital transformation or digital acceleration. You know, the security and the perimeter of I is changing of applications, firewalls no longer relevant. This is a business project implemented by IT. Need to get everybody involved and communicate that. They shouldn't go dark, you know, IAM projects should not go dark for six months and then reappear, otherwise they're likely gonna fail. Back to you, Martin.
Okay. Thank you. And I think all you said is tightly related to the next point: communicate. If you go dark for six months, you're in trouble. From the very beginning, you need to communicate. I've even seen programs which had a communication expert. So not an IT person in fact, but a communication expert to communicate to the business and to IT. And I think it's very important. And that's also part of selling your success, setting the expectations right. All this is about communication. And so communication is something which is in, I believe, a very large number of the various topics you already touched. Don't forget to be strong in communication. I think Paul, you named it more market program, right? And maybe also some of your views on that.
Yeah. I, you, I've seen customers actually conduct their program like a new product, like a new offering to their own customers. So, you know, I've been involved in customers at lunchtimes or after-work activities where the end users have been invited, like a show and tell, where the project team have actually tried to, you know, successfully showed the end users how their day-to-day business is gonna be easier by the implementation of IAM. So these are all things to consider. It's not just the cost of, you know, external consultants or hardware or licenses for software. There's also an ongoing cost around education and communication. So I totally agree with what you said, Martin, about a communication expert. I think it's a very good idea.
And then the other point which came up in the various interviews we had, the other point was about work. So you need integrators, you need to work for system integrators, but there are some challenges in that. And I also remember seeing a lot of projects where then at some point it appeared that the organization wants to, whatever, move left and an integrator moved more right. And maybe there was a third party which moved again in another direction. A lot of the things, I think, we touched before and we discussed today are helping in working with the system integrators: defining the project, shaping it right, having the broker processes defined, et cetera. But probably there are more of these experiences you have. So welcome any comments from you on that.
Yeah. So I think very important is that, so tell of responsibility is very clear, so that if you have chosen one integrator, maybe for your implementation project or for further enhancements, it may be very clear who is really responsible for the delivery. And even think about fixed price contracts. So touch the partner saw a lot of projects. Those customers were really working on time and material base, which has also some kind of benefits, but I think it's always worth to really try to get a fixed price contract, because then especially the integrator has to be really sure that he is able to do his job, to really deliver what the customer wants. And this makes it really maybe a little bit easier for the customer side to really find the right integrator, because if the integrator is not able to deliver a fixed price, maybe he has not the right knowledge
Or the project isn't set up specified the right way. So you can only offer a fixed price if, if it's defined what is the target. And I think that fixed price really helps because it, it means both parties must work on what are the deliverables, what are the expected outcomes? And I think the other thing to add on this is you shouldn't expect that the cheapest offer results are the best results. So in the area where I'm from, so Swia, and in Germany, there's a saying which, which doesn't cost anything isn't worth anything. And I think that's something to keep in mind, there's a cost associated. And I think it, the fixed pricing clearly helps in defining that and then getting a little bit rid of the daily rate discussion towards what is really the output, which is at the end, which Collins.
Yeah, but sorry, but this will be always a very funny discussion with you maybe central procurement department. Oh yes, of course. It's right.
I know it from the other end. So wrapping up a little, this part of Paul, you wanna add
Something mostly? Sorry to interrupt. I was gonna say the, the partnership, you know, I, I work for a vendor and you know, we've got very close relationships with a number of customers like, like Wolfgang, Munich Re, and it really is a partnership. It's not just marketing buzzword bingo. It is a partnership. But if, if your vendor is remote, if they don't have, you know, local delivery expertise for the partner network, they have no community. You know, there's no way there's no customer advocacy. You never see them. They're literally on the other side of the planet and is just a paper or a license relationship. You're not getting the full value. There it is. It is a partnership. And that, that's what I wanted to say, Martin. Thanks.
Okay. Let's wrap up this part. I think one important aspect really is if the name indicates an IAM program is a program with temporary structure. It needs the structure with program management is all the stuff, but it also needs to be transferred into a long lasting line organization. Communication is particularly important towards business and in large and geographically dispersed organizations. So don't underestimate that part. And as I've said, transition into the line organization as well is of high importance. So before we come to the Q and A session, let's also have a quick look at six IAM trends you should take into account. So when we, we run the series of interviews to see practitioners, we also ask them about what are the things you expect to be your next challenge. So to speak in the IAM program, which are the trends you see will, will be hitting you in some way or another. And I think it's not a big surprise that the first one is identity in the cloud. So both in the sense of how do I manage identity and access for my cloud services. And in the sense of, can I move my identity management to the cloud at some point. Wolfgang, what do you think about that?
So at least at Munich Re, it's very important to also to manage our cloud identities, especially for the Office 365 environment, which is right now quite a challenge. And we have also some kind of ideas to, to bring our on-prem infrastructure into some cloud environment. But I think right now we, we keep them on-prem, but in a cloud-like environment, which is maybe a first step and then maybe moving it directly into the cloud. But as many we, our first priority is really to, to really cover all cloud services or cloud application, including the Azure cloud and Office 365, for example, in our current on-prem environment, in our current on-prem IAM environment.
And the one point I had in various discussions over time is there's no value in saying I have one identity management for all my cloud service and one identity management for all my on premises world, because right, the targets will remain hybrid for most organizations for a long time. And so you need one identity management regardless of where this runs, but one identity management, which helps you serving both sides. So it's the second trend. I think this was also one of these trends, which were mentioned by all the interviews is there's a lot of change around authentication towards multifactor authentication, towards adaptive authentication, adaptive, both in the sense of having sort of risk-based authentication. So a higher level of proof you need for a certain critical access. And on the other hand, being adaptive in the sense of you can use a lot of different authenticators, the more you move towards the consumer, the more you need to have that. Paul, how do you see that?
Absolutely. Martin Martin. I mean, we've all seen recommendations, you know, from people like NIST about the use of passwords and in our day to day lives with services like Google, you know, Facebook, Dropbox, they're all using multifactor authentication now with your, with your cell phone and SMS, but the next stage is context-aware authentication. So we don't wanna be hassled by Microsoft Azure to, to have 2FA every time you, you, you go there or Facebook, it needs to be context aware. So things like, you know, time of day, you know, pattern recognition, identity analytics is a, is a big area for, for us, for our own investment as well, as well as customers around privilege around access management and governance. So, yeah, absolutely. So we, we definitely recommend it.
Okay. And then there's one, one term which also pops up very frequently. So identity's seen as the new perimeter in a world where we don't have that internal network with a firewall well protected anymore, but we have mobile users. We access cloud service. We have a totally different world today where identity is sort of the stable thing. So there's still the user who wants to access something with using a certain device. And he's the one where we can say, okay, we control his access regardless of where he is, regardless of where he resides. Again, I think Paul, that's a topic you're very engaged in
Absolutely. Traditionally, we used to protect systems using firewalls and that's, that's all gone now, you know, identity is everywhere and modeling your identity is key. You know, 10, 15 years ago, it was all about accounts, right? Synchronizing accounts, account management. But, but now it really is identity management and it's, it's people have multiple digital personas in the real world. And when you look at things like the right access at the right time, segregation of duties, you need to take into consideration all of these different personas that, you know, I, and you have Martin because it's your, your, your access as a person, not your access as an account. So that's yeah. Something to think about.
Okay. Oh yeah. We also have to think about the B bird blockchain, the customer to consumer. And I think this is also things which are, are changing. So we see currently a lot of discussion about customer consumer identity management, which is really one of the big, the very fundamental things here. So Wolfgang, Paul, any thoughts from your,
I think it's, it is, it is an interest. I think, you know, we, we don't see tangible solutions yet. I think the use cases are just being defined around blockchain. I mean, we, we've all seen the cryptocurrency use cases. And I think around, you know, secure tamper-proof logging is, is, is, is a use case that, you know, the vendors are looking at is something the customers have been asking for for some time now, you know, how can we prove our, our audit logs have not been tampered with, and this kind of secure, distributed linked list provides some interesting scenarios that I'm sure as the investment is going in right now, we'll see, you know, in six or 12 months time, we'll see the vendor solutions that have got implementations of blockchain.
Okay. User behavior, Paul, you already touched it. When you said there, you see a lot of things happening, also investment One Identity into access intelligence into moving forward here. So this is also one of the topics which has been raised by a lot of our interviews, that it becomes more and more important to really get adaptive, context-aware, understanding the user behavior and then reacting on that by for instance, requesting additional loss indicators. But on the other hand also make any easy with this sort of the user behavior is very common to, to make his life easy, as easy as it can. So again, one of the areas, one of the fields where we see a lot of evolution and then the sixth one trend, which has been named, and I would say maybe it's not even a trend anymore. In the sense of this is out there for a while, we call it privilege management, some call it privileged access management or privileged account or privilege and identity management, whatever it's about these high risk accounts, the highly privileged users and what they're doing and how you can control it and mitigate the risks.
And for me, it's, it's more, still interesting to observe that many organizations haven't rolled out a strong privilege management for all of their various types of systems from network devices, to interest Linux servers for all the various use cases. And I think it's obviously a topic which is highly interesting from a One Identity perspective, particularly these days and weeks with One Identity just having acquired Balabit as one of one player in that field. So, Paul, what is your view on privilege management?
Absolutely. Martin. Well, we could probably speak about privilege management and One Identity for the rest of the day, but let's try to keep it concise. I mean, one thing, I mean, I totally agree with everything you said. One thing customers often forget about is, is social media and privileged management. You know, we all know, you know, the root users, the domain admins and the, these type of, you know, traditional privileged accounts, but many companies, in fact, most companies these days have got some sort of online social media presence. They should be considered privileged accounts too, because the damage to your reputation in your brand is huge. If somebody was to get ahold of the password for your KuppingerCole Twitter account, for example, what, what's the potential damage to your brand and you as an individual by the release of that password. So, yeah, absolutely. Let let's look at all the key systems and let's look at the, you know, the digital, the new digital systems like social media at the same time, but identity analytics and the, the hybrid approach of SaaS-based analytics with, with cloud based or on-prem cloud technologies for, for hosting these systems. It's absolutely an area that you'll see innovation coming from One Identity later this year.
Yeah. Okay. What's anything you'd like to add around these IAM trends?
Maybe just on the privilege management. So for me, it's absolutely key element and I, the just am and am solution and the P account management solution is acting like twin. So you have really to, to adapt both of them and implement both of them to get really benefit from, to really secure your, your environment.
Yeah. You can't do only the one you need to do both and you need to integrate it as well. So you need to have a manager for every shared account and responsible person and owner. And if that owner has a job change and you do the job change process in your identity management implementation, it needs to ensure that there's a new owner. If the former owner moved into a department where he's not responsible anymore, all these things need to be done, and yes, we need to do it because this is all about mitigating access risks at the end and access risks today have to be considered as a business risk. So wrapping it up again, the stuff that's evolving continuously, I personally see adaptive authentication as a really, really important element here. So we need to be, get more flexible to balance user experience and convenience with security.
We can do that. There's a lot of potential. We need to do it. Another big trend is IAM expanding beyond the employee and maybe the business partner focus. So customers, consumers think all this needs to be considered and everything which comes from cognitive security. So user behavior analytics, access intelligence, all this stuff is highly important. So wrapping it up before we move to the Q&A and building that white paper. So get your stakeholder buy-in and then measure and communicate your wins in the proof once define projects of reasonable size within the program and understand the problem areas. Knowing the business requirements will help you to set the right expectations or to set the expectations, right? Define the flow of data between IAM and the wider business from HR to the target systems and agree on the responsibilities with the owner of all other systems around IAM define the organization for both the broker and the full adoption, as well as for when a broker transitions into full adoption, and finally understand the future IAM trends and take them into account planning your program and update your program planning on a regular basis with that.
We are through that part of discussion right now we have a couple of questions already here. I'd like to pick, I just wanna quickly highlight again. So while we do the Q and A, there will be some slides displayed in the background. One hints at the upcoming KuppingerCole events, including our European Identity and Cloud Conference, where we will have One Identity as one of the VLA sponsors that don't miss to attend the conference and don't miss to visit the One Identity booth. And then there's also, again, the hint on the point of view paper you can download for free. So, which then compile what we've said here and bring in some more details. So don't miss to download that document. And then there was a question about where will the slide deck be available? It'll be available using the same link as you used for registration. So right now, having only a few minutes left, let's move to the, to the questions we have here. So there was one question which I think is very, very interesting. The identity is one of the keys to success. Workforces are not only employees, it's also consultants and temporary workers. And very often HR only takes responsibilities for the employees. And all of a sudden, you end up with several for the identity. Do you have any good experiences how to manage that? So I'd like to throw that question to, or Paul, whoever wants to start responding.
Maybe I could just respond on this question. So we have the same situation, or we have the lucky situation that HR is also right now managing the external accounts for us, but we want to move from HR for the externals into IAM directly. So I think my suggestion would be just building some functionality directly in your IAM solution as a central basis for your external accounts. And just for one department, we already did this and this was quite successful and it really speeds up the complete process of onboarding externals for consultants.
Mm Paul, anything to that?
Absolutely. I totally agree. When, when we spoke about digital personas earlier, you you're talking about everybody and you know, we, we've done a lot of work with, with universities and, you know, whilst many people may think they're, they're not as big or as complex as banks, you look at different personas. You know, whether they're, they're, they're doctors, they're students, they're suppliers, they're all at the same time and the same way you need to bring in employees, contractors, vendors, you need to make sure that anybody that's coming into, you know, your physical building or your online presence or your IT infrastructure, that they all have the right access. And you can prove that the access is timely and it's been removed and granted in an efficient way. So yeah, wrap everything up and, and create a, create a, an identity warehouse that has all of the different identities, no matter where they're from or what they're doing.
Okay. And I think one of the really important things here is identity HR is by its standard role, another one who is responsible for the non-employees. And so we need to understand, yeah, go ahead.
May I add something? So I think if you plan really to use as central store or maybe exon or account, so I think one key functionality is really to, or how to make sure that you, if you happen some kind of a self-service in the end that you are not generating too much duplications in, in person. So in digital identities. So here you have really to think what is secretarias that you can maybe just reflect to the, to the end user. That's not doing too much duplicate entries in terms the system. So it's very, very important.
Yeah. And I think it needs to be well thought out. How do you handle that? It's not an easy thing, but it's feasible and you need to support various use cases like managed registration, self-registration, all that stuff. But it's part of the IAM program. Then there was a comment I maybe I'll quickly take that a comment to slide where we talked about the KPIs. So obviously it's a challenge to collect sort of the base value for KPIs before your IAM program really is running. I think that's something, yes. We need to be aware that that's something which is a challenge. So which applications, identities, et cetera, you have, it might be estimates, but my experience is that couple of things really can be collected before the program. So identifying orphaned accounts, I've frequently in organizations doing it upfront. So at least trying to figure out which might be orphaned accounts or accounts, which never have been used for for over long period of time and other stuff or measuring the time it takes on average for someone to, to onboard, et cetera.
So some of these things really can be done before, whatever you can do before do it before just a recommendation on that. And I think it's very important to keep that in mind. And then maybe let's move to the next question. So one of the questions I have here is what, what are the right tools for, for the data clean up that can be used for an IAM project? Or how can you sort of ensure the data quality? And I think that's a little bit of a bigger question so to speak, but maybe Paul, you wanna talk a little about how do you get the right level of data quality?
Absolutely. Well, one, one of the, one of the strategies that we, we consider to be, to be viable is to run an attestation, you know, attestation campaign to make sure the relationships are valid. This could be something from a manager-employee relationship, or it could be an employee to a particular account in a, in a target system, or it could be on the authorization model within a target system. If you're going to use, you know, efficiency and, and, and rule based control, then you actually need to identify those attributes that Wolfgang mentioned earlier that actually have a change. So you need to map the, the key attributes out and you, you could look in your, is it SuccessFactors or is it Oracle HR or whatever HR system you are using attributes like job code, you know, cost center, location department, the manager relationship. These are all key fields that we would say, take a look at those first and make sure they're accurate.
Okay. So the final question we have here we come also pick in the time we have is which department should be the owner of identity management or which division or who should it be? Is it infrastructure at infrastructure? Is it security or who should it be?
So I think for the last eight years, our IAM solution was located in the application development area. And now it's moved to the security area, which I think it's not a bad place right now. So.
Okay. Paul, what do you observe most frequently?
A bit of everything, to be honest, Martin, the, you know, there, there are lots of trends in identity, lots of trends for projects, but I think if you follow the advice that we've spoken about on this, on this webinar, I think you'll be in a good place.
Okay. I personally would tend to say security is better than IT infrastructure, in tendency. Yeah.
Many people may. I was just gonna say many people don't see identity as security. You know, they, they may either may see it as something else or may see identity as not business related. And that that's the wrong approach. It is absolutely about security and it's all about education.
Okay, great. So I think we had a great discussion. We had a lot of input here. Thank you to all the attendees. Don't miss to download the point of view paper. Thank you. Welcome. Thank you, Paul, for spending the time with this webinar. Hope to have you soon again at one of our webinars, I'll meet you at one of our events. Thank you.
