What to Consider When Selecting your Managed Identity Fabric

The panel is about what to consider when selecting your managed identity fabric. So it's really about the managed service element here. I'd like to ask the four panelists to come to the stage and have a seat here. So I put this a bit over, so four places for panelists And shift this over a bit here. So then I have more space.

So the, the panelists are from, from my perspective left to right, Michael Roberto, who is co CEO and co-founder of Cyber. Im. Then we have Loral, CMO and chief sales side IC consult. We have Becom emea, impact Center leader, digital identities, and then the rest can't be displayed, but he's from pwc, so he has a too long, too long title for the app. You should fix that.

So, so use use an app com, a compatible title in the future. And finally we have Andre Kavala, who is head of cybersecurity C of water phone business. So a lot of people with experience and managed service delivery.

And so, yeah, what to consider when selecting your managed identity. This is the, the subject of today. We have enough microphones for, for each of you. What I want to do is that you make a very short introduction of yourself. So ideally within 30 seconds, including a quick sort of initial statement, we then can use it for the flow of the conversation.

So Andrea, do you wanna start? Of course. Thank you. . So I spent many years as global CTO and, and head of security research at Hewlett Packard then came to run security at, at Vodafone. And we have 300 million users around the world, over a hundred thousand employees and think about and support about 6 million businesses, right? So it gives us a really unique perspective on identity in all of the different ways that Phillip described a little while ago.

And I think what we've, what I've learned or internalized on that is as an industry and as identity providers and vendors, we are failing the vast majority of those hundreds of millions of people. We are not giving them simple tools that are easy and effective to use. We overcomplicate every single thing we do when we talk about identity. And if who we are is the simplest thing we have, we put barriers and process and complexity in front of the vast majority of the people in the world. And I think that is something that as an industry we need to face into.

But also that that's, that is exactly the role of a managed identity provider. So indeed, I tend to stretch the attribute components with my title, so that's already good.

So Evo, the, the team at PBC for digital identity across ea and on this particular topic I'm agreeing with, with what you said, and I think that one of the core aspects is that we are still looking at this specifically when we are looking for many service providers towards it KPIs and the way that we are structuring ourselves needs to really change. And I think that we are actually at a very interesting time at, at this point in time, or a very interesting time because things are changing. So we see new EU regulations coming in that will help us to navigate the digital identity world better.

I think that identity fabrics can actually help with that because it can help you to understand how you can plug and collect and plug in these type of services into your enterprise organization. And at the same time, I see that the business change is going so fast that we are not able to keep up with that. And the key reason for that is that a lot of many service providers are being chosen and being KPIs. That's Why I always say 30 seconds, because at least gives us a bit of a chance to stay within 60 seconds. Yeah. Yeah.

My, my old trick for the panels. Yeah. So HaCo you with your initial statement, there's a microphone for you. I I do you have one of these? Okay. You have a headset? Fine.

I, I'm, I'm heico working in the identity space since 2006. And I think looking back in time, it's an incredible journey where identity has developed to developed from an an IT core function to a business enabler, getting visibility at the C level and being a very crucial part for futures companies development, identity fabrics as a pattern and manage services from my point of view is a great chance for companies to focus on their core business, what they really do, producing and selling cars, producing medicine, delivering parcels, things like that.

While it's at the same time, benefit from the experience of a strong provider who has gained best practices, but also pitfalls in a various amount of engagements with various customers. So basically not inventing the, reinventing the wheel all the time, but basically utilizing best practices.

So, So Michael, Hi Michael aba. So I've been sort of in this industry for a long time doing vendor banking world and now services. I think what's, what's we are seeing in the managed services space is when we speak to the different organizations and vendors, no one really knows what it, what managed services needs to look like in identity because it's an enterprise piece of software and we, we are really looking at ways of using a combination of software and and scale to do that. Yeah.

And so already with these initial statements, I think we had a couple of very interesting points i I like to touch with which were riss, which also relate to SLAs, which we talked, you touched the sort of standards, sted approaches, best practices, repeatable scenarios. However, the, the one thing I I'd like to start with is Managed service is a broad term.

So, which in some way goes close to identity as a service but not fully. And it starts probably somewhere just behind system integration. So how would the four of you, and maybe we go that way, define sort of you powered in this managed services place. So where do you, and I I, I'd like to put this into two parts. Where do you see the biggest need in the customer base and which types of managed services would you really distinguish and maybe where, see where do you see your focus? So you wanna start Michael?

Yeah, Sure. So I think what we are seeing is, is when when cloud came along, the customer said it just works, right? We plug it in. And that may be for some basic SaaS applications, but identity is still a people problem. So it needs a service. So a lot of the organizations don't have teams to, to run these services.

So we are, you know, the managed services comes in into the ability to first do the bau, run the environment, keep it going. Yeah. What we are trying to do is now is, is compilate the project delivery over three years on a Greenfield customer throughout that period and give them delivery as well. Yeah.

And so, so you're touching I think a points as well, which is a skills gap Yep. In the industry and goes back what to I think what, what user evo as well doing things in a more standardized manner, maybe as one element in helping here?

Yeah, so basically I consider more or less four pillars, but probably a 15 edition. So supporting operations, very known, very easy completely to, to, to manage common. Meanwhile also kind of the application integration, application onboarding and implementation. So longer term engagements so that clients can really rely on the core, core competence of the provider. But what we see more and more that clients are asking for need is the advisory piece.

Cause basically it's not just about building software, it's about building software the right way and building software to support the business and not for just the sake of, of building business. And what's probably steadily coming, so very early in time and early adapters are thinking about, or already starting, is kind of business process outsourcing for Im, so customers spend a lot of money and thought and thoughts and time in choosing the right product, whether it's tool A or B or C. At the end of the day, they want us to have China move a lever in a compliant way, in an affordable way.

And basically often customers don't care at the end of the day, whether it's tool A or B, but it's very IT driven. I'll, I'll bring up later again.

Yeah, okay. But as it's, it driven of the mindset is very, very product centered. Yeah. Building on top of that, I'm fully with you on, on this part. And I think that if you look at many service providers, what they have been asked to do is keep the lights on, not help specifically with the transformation. And also if you look at what you actually need is you need to have many service providers that can help you to understand your business processes, how you need to manage those business processes and what that and actually means for your identity infrastructure.

So part of it is indeed what you say it's about sort of, you know, adding on top of the technical capabilities, bringing in the advisory pieces, but also getting a partner in place that is actually able to help you to navigate the difficult challenge of the internal politicals of your own organization. Because the business will not stop with asking you questions.

And you need to be able to have an organization that is behind you that is not just absorbing your change request and just doing it, but is also able to, on all management levels, being able to push back and saying, Hey, you're asking us something. But that is not a leading practice. A leading practice is actually to do it like this and this will help you to become better organized at the, in the long run.

So that's, that's my what you said, And I think, you know, your articulators, we've come from a place where managed service providers ran chunks of technology for customs, right? And that, that that's never gonna give an outcome to your users, your identities, right? You need to move that onto a very different basis. And you talked about, you know, for me the, the role of a, you know, we have a partner, right? Not a service provider, but a, a partner is to help you overcome the barrier to entry that exists when you don't understand these technologies or how they integrate, right? Yeah.

So I expect your provider to, you know, to curate the right set of tools to integrate them on your, on, on my behalf or on your behalf, and then translate that to my users, not through, you know, service tickets, but through operational level agreements or even, you know, experience xla for my users, which articulate, you know, availability, uptime, ease of use. Cuz then you're talking about a business outcome and yes, it's really, really complex.

So yeah, So you're all managed service providers. You, you are biased on this subject.

So let, let me play a bit of role of the avocado here and, and I think we also need to differentiate maybe a bit between being more a greenfield scenario where there's not much identity management and sort of a brown field scenario where where there already is is a lot in place. The question is, can I as a end user organization lift a decision about a tool to a service provider? And what happens if I want to switch service provider? I think the, the second part is probably the, the tough challenge.

So what, what is your, your answer on saying yes for sure you can do that. So who wants to start?

Okay, Ivo. So I think that the answer is yes, you should be able to let your service provider provide that as long as you are making clear agreements of what business outcomes you want. And the reason for that is that we, you want your service providers to actually help you with plug and play SA solutions. So that points into the next point or the next question that you asked, can you change?

I think the answer is yes because more and more we are not looking at, you know, entrenched on-premise IM solutions anymore, but will we start with cloud solutions where technology is not a problem anymore? It is the integrations that are already and the data and it is the process that you are having around it And it's the data. And I think the data maybe is the point where you say, okay, I, so the process I believe could become a bit of a problem because your users are used to that type of onboarding and say maybe even they say that, I like that way, this works well for me.

So if you change, it may be perceived as being a bit disruptive, but the other part of it is the data. So if you switch even from one size tool to another, data is needs to be moved and that could be the part which I would say is a bit more challenging.

So Yeah, I Michael yeah, I'll go further. So I, I agree. I think moving from one app to another is possible, but it's a migration and you can't avoid that. So the right time to change technology is during transformation when you, you're moving away from your heavy on-prem tools to your cloud tools.

And I, and I've seen that's been the best time to execute on a, on a, on a tool change. The answer to the other question about whether a, a partner should be able to decide on your technology, it's an interesting one. I've seen it where there's two partners involved and the one's deciding on the technology and the other one's delivering. So there's no bias. So as long as you've got an experienced partner that has done, used all the tools and not just some of them, you can probably get an objective view, but other than that, it's the customer has their input. Yeah.

Andrea, first, well, I think the two questions you pose, which is, you know, what about vendor lock in and then how do you, you know, how, how do you change and who chooses? The tools are actually large, complex, and well-funded organizational problems, right? And most of the offerings that we have are large, complex, and expensive, right? If you're a small organization, even a couple of thousand employees, there's no way for you to understand implications of vendor lockin or migration paths for large SAS services, right? You cannot do it yourself.

You don't have the tools or the skills to understand and trade off, you know, one identity vendor from another. It's very difficult for you to stitch together the pieces of fabric rather than the whole fabric. Yeah. Right? So you can only do it with a consulting partner or a, or a manage services partner. I think genuinely, you know what the question you ask is, well, if you use a a manage services partner for that stuff, then at least you've got somebody you can help. If you don't, right?

I think you're in the, you're in the, you're in the desert stranded on your own without any water and you're just gonna look around and not know which direction to walk in first and Yes, so, so basically I'm with you and, and, and I think you can for sure do it, it's important to line out really what you need, what the business outcome is, what the SLAs is.

You can also define contractual wise, the transition if you wanna split apart with the existing MSP provider and looking to reality when you do an RFP as a client with an middle size or smaller size, IM team, those RFPs are often very high level. So basically do not exactly need what you, Well they are also frequently not good when you go to a very large organization, I have To say ab, ab, ab, absolutely.

So basically, I don't think that the decision is better in figuring out and what we see, and unfortunately we see it too often, so not, not to say very often, but, but too often is that plants have decided for a tool in the past and then figuring out, oh my gosh, I bought an SSO tool and I need iga or the vice versa. So, so that's, that's reality.

I had, You know, I have to say I even have seen tools choice where these different categories have been pitched against in each other ladies at that point. I think some guidance is helpful.

Yeah, Absolutely. And so basically I think when having an experienced MSP provider, the likelihood that the decision is better and basically contractually agreed that it's clear what you get, that it'll, I I think, I think what you're saying at the end is also a bit from, from your perspective, depending on how you'd like to phrase it, it's either eat your own champagne or on dog food, whatever.

You, you as an msp, if if you bring it in, you need to deliver. Yeah. So I think the point is you can't sort of push liability back to someone else, which is different.

I, I've seen these scenarios in large organizations where whatever one of the big four was on the, the strategic program and deciding about tools and one of the others, big four or five or whatever should have was the one who, who was sort of outsourcing most of the operations. And then you end up with these discussions because, yeah, there are a lot of reasons why this tends to fail.

I like, this is even a large organization. On the other hand, surely the, the shifting something in large organizations is a way bigger thing to do. So you also can say, I make the decision on myself and then I go for a managed service provider.

I think it depends a bit again, on the greenfield versus Brownfield thing where you start, but I think there were some, some compelling arguments also for saying we deliver you really something for, for what, what what is hard to solve when you're not a, that big organization when you are not obliged to spend billions on regulatory and keeping up with regulations. And even there, you know, when you look at all the, the, the, the organizations that nowadays or in the next couple of, of weeks and months and years will fall under N two, which is more or less everyone.

Then you have a lot of organizations which, which will need identity and identity security and which don't have the teams to do everything themselves. And I think this is a, a huge market, medium sized, lower mid-market business, mid-market for us thousand, 1000 to 10,000 employees.

So in, in this space there's a lot of relatively green field. Maybe there's a few brown pieces in there, but it's, it's really a different thing there.

So maybe, maybe look at, at another topic, I recently had been supporting a customer in a very different field, so it wasn't, it was insecurity, but not on the identity side of it. And basically they, they ended up with, it was more around s so C and, and managed, so manage soc, security operation center. And basically they had, they had two offers at the end of the table. One was perfectly defined with the managed services and the SLAs and everything. And the other set on the question of how do the SLAs look, we define them jointly with the customer. So what's the right approach, Michael?

You're smiling. I mean, I have an opinion.

So yeah, I mean depending on what you answer version two, Version two sounds fantastic to define them and join you with the customer. We don't always get that luxury in the negotiation phase of, of a project. But you know, if, if you, if you're open, honest, and work well with your customers, generally you can negotiate the SLAs to be something that works well or set them at a loose level up front and then agree them, adapt them later.

But yeah, that, that is the perfect approach. Okay. Yeah. Negotiation, negotiation of SLAs.

So what, what we see or what I, what I regularly see that sometimes customers just over achieve it SLAs, so asking far more that they really need, you as a provider can do it, but you as a customer have to pay it. So it's very important to think what do you really need to make it affordable and to make it commercially attractive. And I think our, our part is to guide the customer, what do you really need to de-risk the business?

And, and of course what can you really commit to be absolutely sure to deliver? And there are differences between iga for sure and access management. In my talk before, when you have 27 million authentications at the customer site, there is mini outage of five or 10, 10 minutes a day affecting a huge amount of authentication requests, for example, evil. So assuming that when you are going to buy some new technology that it is a cloud product, I think it is very difficult as an organization to set your own SLAs as a client organization.

So I think that, I was in a discussion with one of one of the clients who said, yeah, the, the uptime needs to be higher and said that is nice, but that's also not possible because it's the maximum uptime that Azure gives us. So I cannot guarantee anything else. Yeah.

So, you know, those type of conversations are, are really interesting to have. And it boils back to your point, a lot of the IM teams and the IT operations teams don't understand how their applications are actually being used and what the SLA time is actually that, that you need to have.

Yeah, That, that's a critical point, isn't it? Right. SLAs in that kind of context is that are a mechanism for managing the efficiency and effectiveness of your provider, not the business outcome that you are trying to achieve. So it's great for service credits, it's great for, you know, negotiating the level of delivery, but it doesn't actually help you deliver an outcome for your business, which I think is the bit that's missing. And if you take a step beyond, you know, in the sock example, right?

Take, take a step step beyond what are the SLAs or the ELAs, what's really important is how you manage the process. Whether when it's, you know, a severe or a catastrophic instant occurs, how are the teams gonna work together? Because that's the only thing that will matter. Not whether you've hit a threshold of 75% below SLA performance or uptime in a given month, right? These are not business critical items.

It's, you know, has large scale systematic fraud been committed across your identities or your business. How are you responding with that partner in real time to solve issues? And I think we can, you know, we can go through a procurement process and we lose sight of the actual business impact, which is, you know, something, you know, we've all lived and we all live and you know, when all of our phones ring at the same time, you know, something's happening. And that's the moment. Not in the quarterly or monthly review when you get the document that says, no, no, we overachieved by 2%. Right.

Good, thanks. Yeah, A lot, a lot of, lot of important points. So one which is Ben, what you were saying is SLAs and TOMS target operating models are inseparable and you need a well-defined target operating model that specifically also looks at the crisis, at the incident.

Because that is where, that's the proof of the pudding where you will learn, okay, this works, that doesn't work and this needs to go by the way, Tom needs to go across all layers from the SaaS provider to the managed service provider or providers to other parties that may be into your internal IT teams or identity management teams to your business teams. I think so in in that, I think there's a very simple headline test, right? Does the introduction of this partner increase your comp operational complexity or reduce it? Yeah. Right?

And if by adding an extra person and a whole set of processes to manage and interfaces you didn't used to have and expanding the timeline, then you are increasing your operational complexity. That's never good.

And, and I think the other point with CSLA is at the end the truth is somewhere a bit in the middle. So I, I personally, I I I prefer managed service partners who come and say this is our standards that this is proven, that's where we start, but which give a bit of room for negotiation where it makes sense and where it can be delivered. Because at the end of the day, everything which changes from the standard also means it goes potentially on the margin of the managed service provider. Is it because there's more work involved or more risk involved and some things are just not meaningful?

You know, I, there's availability things, so, you know, is as a p HR something where you need to care about high availability? No. Where you need to care, it must be avail within a couple of hours again, but it's nothing about high availability, sorry, high availability. When you, your operational, your production environment, if your, your, your production line stops, then it costs you immediately money.

If your, if your hire Bay rack software fails, you are in total trouble. So if you do business impact Analyst by the way that you are manufacturing, look at the high bay rack storage first. Because if that doesn't work, nothing works anymore. You not even know where you find the parts if the software is out. So this is really the things you need to understand and I think this is where, where you as managed service providers need to, to give the guidance to the customer. Ivo. Yeah. Yeah.

I actually want to add something to this topic because I've been doing this managed services thing for about 25 years outside and inside of identity. One of the things that I've learned when I started inside identity to do provide these services is that I think in the 10 years that I've been working on this, we had one time an incident that was caused by the IM system and all the other incidents were always caused by a source system or a target system, changing something without telling the IM team that they're going to change in attribute. So we can discuss all thes that we want.

But the problem is in figuring Out, it's not only Im, but again, that is something which comes from experience. And I think this is a very important as a managed service provider to bring in experience, to bring in best practice. And I think there's also, when you look at it from the other perspective when you're a customer, what to look for in your managed service provider. I think the importance, the important point that you made was that it's about the outcome.

What, what are the outcomes and, and what happens when there's an incident? Not are we meeting with 500 SLAs? Is there the outcome in the team that's ready to go when there's an incident? Yeah.

So, so, so by the way, if there are any questions, either use to app or raise your hand and for once we are listening in online, you always can enter questions via the app and we'll try to, to ask, ask them. Then Michael, I'd like to bring in another aspect of, of s ls. So currently we've been talking about incidents, problems and operations, but of course you can have SLAs also from a more business perspective when, for example, comes to application onboarding or such things.

So as an, when you're taking over on engagement as an MSP provider and the customer has kind of compliance issues. So, so we had one who had to integrate one and a half thousand applications within a year in an access management solution or so, and this was not fun for him cause compliance finding have been in the books and the cfo and so the CIO had to get rid of it and therefore SLAs become a completely different flavor. Cause you give the commitment as a partner, we'll get it done and will get it done, not in an endless journey. We'll get it done in 12 months or whatever was agreed upon.

And so then it gets the flavor of not being just a, a measure for a monthly discussion or for getting a couple of service credits back, but then it's a measure of generating business and supporting the business and getting rid of compliance finding and risks. I, I had a conversation that was quite similar maybe to this application on onboarding thing and you know, e customer needs to think about how can I make application onboarding more efficient?

So which patterns do I use, which from a entitlement model perspective, from a technical onboarding perspective, et cetera, you need to do that exercise once and then you can optimize. And I think this makes, it makes a huge difference.

Yes, when you're a large organization you have thousands of applications, it's a bit of different play, but for the smaller you are, the better managed service partner definitely can help. And definitely the progress is faster because if you're doing 20 apps, five apps is 25% there.

Yeah, if you're doing 5,000 apps, that's a different ballgame. And to be honest, you know, I'm, I'm a bit more the observer of the market and you know, we are coming in frequently in projects which are in a bit more troubled state. So usually analysts are asked when the things are really in trouble. Sometimes they're asked early, which is which I prefer. But anyway, so we see, see some of these things and you know, just take onboarding your first SAP system. That usually is a really long journey because you learn so much about that.

And truly as a managed service provider, you also learn it once, but then you can benefit from these learnings while in a large organization or in another organization, you won't do it the second time maybe. And I think this is really an important point, Andrea, you first and Ivo, it looked like you wanted comment on that or add something.

Well, And the thing which I found remarkable is that as an industry, again, we we're okay with very long complex onboarding journeys and we believe that, you know, you talked about the chaos of organizations and trying to impose an I am fabric on chaotic organizations full of humans. And now increasingly, you know, rogue, you know, gen gen ai, you know, identities as well.

You know, we have to, as a provider, as a partner, be able to help people go through that onboarding journey and tame some of that chaos. But I think, you know, as you say, that is the, that's the key piece. It's the learning and then the outside world context, you know, to be able to say, right, these are the applications, these are the identities, but these are the indicators of fraud. For example, you know, we, we, we have a view of over 300 million SIM cards and the behavior of those sim cards and the data.

And if you think about it, what's the one thing that you use is, you know, it's the data, it's where you are, it's your location, it's the apps you use, it's the traffic, it's the time, it's you as an individual, it's your age, it's your, you know, I can correlate all of that information around a single user's access and place that against the identity and the data. Yeah, right? We use that with most of the major banks to spot fraud. It's a very small logical hop from spot spotting financial fraud to managing identity, right?

All that financial fraud does is kick up a higher level of authentication in the banking system or pause or penned a financial transaction, right? That's a business outcome. Based on that sort of integration, I think you need your, your partners to think in that broader data landscape and what those are, you know, those indicators are, is, you know, that that's the critical bit and accelerate you through your onboarding process. So We have five minutes left, five minutes left.

And given that I know that you always will take a little longer than 30 seconds, I think we, we start with your sort of closing statements here and going back to the initial question, what to consider when selecting your managed identity fabric or your pro provider for your managed identity fabric. So your service providers here, what, what is the, the, what are the, I would say maximums three things you would list to consider for that, right?

You start, Okay, so I think the three things we seeing organizations are asking for is speed, price reduction and understanding the, the business requirements and take them through the cycle. If you can get those three things right and it's not possible with people alone, software alone, tools alone, or methodologies alone.

It's gotta be a combination of all of those to, to bring down the cost it increase the performance and the automation and then then be, be able to articulate from business business requirements all the way through to technic delivery Yeah, so first of all it's kind of similar covering the whole life cycle. So from advisory through integration implementation and support and operations that you have one reliable partner.

Second, scalability and know-how management so that you really can help when you have the peak times by integrating dozens or thousands of applications. But also feeling good when going out, when the work is done and supporting another client and a proper know-how management to avoid reinventing the wheel and sharing be best practices. And the third one, especially when it comes to the larger and enter international enterprises, a global organization for providing follow the sun support if if needed for providing onsite help in Asia, in Europe, and in Americas.

So last year I presented here on the BXT philosophy that we use. So I want to reiterate that you need to put the business lens and experience lens and the technology lens on it. So the two things that we haven't touched upon in this panel discussion yet is the, the experience part, which is basically how does your managed service provider is helping you to make the life of your coworkers or your customers better. And I think that's an SLA that you really need to start looking at because otherwise you'll just sort of keep fixing stuff.

The other aspect that we haven't touched upon, I think, and I think it's critical technology change in the business is going really fast and we need to keep up with that. And I think the component of how do you bring innovation into the relationship with your managed service provider, for example, looking at how do you deal with cloud workloads, are you doing that in the same way as what you're doing on your on-premise workloads?

Of course we know the answer, it's no, but giving room and creating room to experience together on what potential solutions can actually help your organization to the do the BXT thing, again, better for the organization. I think that that we missed that and I think it's important.

Yeah, You need the, your provider to be the expert and you need them to reduce your complexity. Really, really simple things. If you can, if they can be those two things, then you're winning, right? Yeah.

And, and in that I expect them to curate that technical landscape for you so you don't have to make those choices yourself to do the integration and help integrate into your business. And then critically, as I think you know, you talked about is to translate that to your users, your business needs and your outcomes, right? So if you can that for you, if they can translate that to your users and perform the integration that you won't be able to do, right, then you've got an extra expert partner that's gonna reduce your complexity. Sort of simple at that level, right?

Those, that's the headline test I would use for a partner who is a true partner who understands another experience and does those things. Okay. Great answers. Thank you very much for all these insights provided and I hope that helps everyone who has been listening in to potentially make a better choice of the managed service providers for the identity space. A fast moving space with a lot of changes all the time. Hard to keep up with the these changes. So thank you very much. Applause. Raise your hands.