Webinar Recording

Managing Authentication and Access for Different Identities in Hybrid Environments


The Digital Transformation is driving enterprises in all geographies and throughout most verticals to become open and connected. These enterprises need to digitally engage with their customers, to technologically empower and mobilize their employees, to optimize their current business processes and to ultimately transform their products. At the same time, large-scale cyberattacks and wrongful exploitation of personal data has reached an all-time high and the associated risks are further increasing.

So welcome, ladies and gentlemen, to this KuppingerCole webinar, Managing Authentication and Access for Different Identities in Hybrid Environments. This webinar is supported by United Security Providers, and today there are two speakers. My name is Matthias, I'm Lead Advisor and Senior Analyst at KuppingerCole, and I will be joined later by Michael. He is CEO at United Security Providers. Before we start, some information about KuppingerCole, the obligatory housekeeping notes and a look at our agenda for today. About KuppingerCole, very quickly: KuppingerCole was founded in 2004. It is headquartered in Germany with a team of international analysts spread across the world, including the US, UK, APAC and Central Europe. We offer neutral advice and expertise in various areas to companies, corporates, integrators and software manufacturers, with IAM being our original starting point. We are now working in the areas of information security, GRC and governance.
Generally speaking, we cover all the important topics in the areas concerning the digital transformation. Our business areas, very quickly: in research, we provide a range of strategic documents and reports, including our Leadership Compass, which compares vendors and market segments. We do events, and we will have a look at that on my next slide. And the third area is advisory, where we provide vendor-independent market expertise. I will talk about that also in a separate slide, but very quickly, not much marketing here. Events: we are looking forward to our next events, quite closely related to our topic today. We will be embarking on the 2018 Consumer Identity World tour again, which will lead us to Seattle, Amsterdam and Singapore from September to October. And we are already preparing a high-profile event for security professionals and thought leaders in that area entitled Cybersecurity Leadership Summit, or actually the summit tour, which will take place in Washington and Berlin later this year and in early 2019. Being the Lead Advisor, as I said, here at KuppingerCole, I want to share just a few words about this important aspect of our work. When working with our customers, we support them in understanding and benchmarking their current status quo. We assist in identifying potential for optimization. We provide guidance in defining adequate strategies to fulfill all their requirements, including business and compliance, governance, security and efficiency requirements. We support transforming those strategies into architectures, technologies and processes. And we can help to ensure that implementation projects meet the desired goals.
The guidelines for this webinar: all the participants are muted centrally, so you don't have to mute or unmute yourself; we control these features. We will record this webinar and the podcast recording will be available tomorrow. And, this is very important, we will have the questions and answers session at the end. You can enter questions anytime using the questions feature in the GoToWebinar control panel, and we really ask you to do that so that we can start the Q&A session with a good set of initial questions and then refine them later on. That will be the third part of our agenda, which we can see here. I will start with a first introductory talk about the challenges around third-party identities in an agile and hybrid IT landscape between customer portals, mobile and web services.
Then Michael will jump in and he will talk about the actual working side of this topic. He will tell us about creating interoperable identity architectures with lightweight turnkey IAM services for federation, access management and web application security, two major topics that we will cover today. And as mentioned before, we have the third part, which will be the Q&A session, covering all of your questions. So please feel free to add them through the panel. That is the point where I can start now with my first part, talking about the challenges. And I will start with a slide which looks like a typical analyst slide. Maybe it is, but it is important to understand that, when it comes to identities and managing identities, we are looking at an area that is under constant change and under accelerating change.
So I won't read out all these bubbles that are here, but it is important to understand that this change is happening in various dimensions and in various areas that we look at. This begins, of course, with changing organizations, with more partners being involved, with other people being involved, and flexible and more agile organizations requiring adequate solutions. We have the disappearing perimeters; there are no longer hard firewalls which separate the inside from the outside. We have just made the transition to the GDPR world: we have changing legal requirements, changing regulatory requirements, but much more importantly, we have changing business models, changing markets and changing business requirements. And all this is reflected in the way we deal with identities. That is of importance when we look at the topic that we are covering today. So change is maybe one of the most important aspects when it comes to providing the right solutions when dealing with different types of identities, and different types of identities is actually what the next slide is about.
So we are talking about people, but we are not only talking about people. We are talking about people in different contexts. We are talking about people within organizations, and about organizations acting on behalf of people, and the other way around, people acting on behalf of organizations. We have lots of devices that are in use and which represent the identities of the people that use them. So I'm represented by my smartphone, my tablet; maybe it is a second factor or a third factor when it comes to identifying and authenticating me, and we don't know: is it my own device? Is it a corporate device? Whom does it communicate with? We have other devices, any types of IoT devices, smart, connected, autonomous vehicles. We have the smart home, wearables. We have the smart meter, which is related to more than one person. And again, the ownership can be various and different.
So we have the main thing: we have communication, and we have different types of scenarios where identities in communication with each other are actually represented and they need access to the right resources. And this is what we are talking about: getting the right access at the right time with the right device, and only the least-privilege access that we need. First, a short distinction between the traditional enterprise IAM and consumer IAM; that is something that we often see, and maybe Michael will talk about that later. Anyway, we often have the combination of enterprise IAM and consumer IAM, or we use a traditional IAM also for different other types of identities, and that might not prove to be the adequate solution. So just the key aspects of those two different technologies: enterprise IAM, or just IAM, is employee facing.
So it's really dealing with the employee, which might also be an external employee, or it might be a partner, but mainly it is about access control. It's about strong authentication within the enterprise. It uses attributes for authorization: I'm a member of a group, I'm a member of an organizational unit, and that allows me to get access to a different type of resource. And it's typically based on structured data, which is located in an LDAP server or a SQL server. And sometimes SAML as a standard is used for single sign-on. So it's a typical enterprise-scale solution. And the lifecycle that is below that is what we IAM people call JML, joiner, mover, leaver. So it's a clear-cut lifecycle process with people entering the organization, undergoing various changes, and sometimes at the end leaving the organization or retiring. Very different, but closely related, is what we call consumer or customer IAM.
This is clearly customer facing, consumer facing, facing the outside world. We are talking about username/password or social logins like Facebook or Twitter or Google login, and especially a growing amount of mobile logins. We're talking about privacy in that context. So it's really about protecting the personalized data of the data subjects that are behind that, so only laying open what is required unless they give consent. It is based on data that is stored in various sources; again, Michael will talk about that. We're talking about structured and unstructured data and various identity provider systems that are LDAP, SQL, but also NoSQL systems like MongoDB, big data like Hadoop, or often OAuth and OpenID Connect as the standards behind that, which are used by everybody, whether they know it or not, when they do a Facebook login. And the lifecycle process behind that is not a joiner, mover, leaver, but much more an ongoing customer journey, starting from registration to an enrichment of the data over time with more consumer interaction with the system.
One aspect that we really love to and really need to point out is the aspect of thinking inside-out versus thinking outside-in. Many organizations which have been used to using enterprise IAM systems look at customers like they used to look at their employees. And this is something that has not proven to be very successful, because enterprise employees have no choice when it comes to authentication user experience or authorization user experience, but consumers unfortunately have that choice. So once that is being done wrong, they leave and go to another service provider or another vendor of goods and services. So the thought to just transfer everything that works best for the enterprise, when it comes to personalized data, to authentication, to any types of processes, and to apply that to the consumer side by saying "do what we want you to do" might not prove very successful.
We think it is much more important and adequate to just do it the other way around, so that the enterprise actually understands what the consumers want, what they need when it comes to user interaction and user experiences. So to understand what works best for them, and maybe in the best case even apply that also to processes that employees have to do when it comes to working inside the enterprise itself. So improvement of user experience and user interaction might be something that can result from that. And of course, more consumer and customer satisfaction by providing services that they prefer: simple, efficient, elegant processes. When it comes to dealing with such third parties like consumers, like customers, like partners, then we have, sorry, a slide of six key features that I would like to point out very quickly. The first three are user experience features and the second three are security features, but they are all important when it comes to modern IAM systems that also look at the internal and the external identities.
So all different types of identities, which is our topic today. Registration is a key aspect, which was not that important when we talked about enterprise IAM, because there was a clear-cut joiner process. But now we have people who want to join the IAM system, who need access, who want to have identities, and who want to do that differently: through self-service portals, maybe using their social network and their OpenID communication with their Facebook ID or any other social ID, or just about provisioning. We need the adequate level of authentication. This might vary dramatically between internal and external identities. We have mobile apps, we have biometrics that need to be involved when it comes to understanding the identity that is actually trying to access our systems. And of course, customer experience is key when it comes to dealing with external identities.
And I'm quite convinced that it is also key when you are dealing with your own employees and your partners and your external workforce. The other three, as I've mentioned, are looking at security features. So we are looking at fraud detection: a well-done IAM system is also able to be the basis for identifying unwanted patterns, for profiling user behavior in an anonymized or pseudonymized way, and to really understand what is going on in your systems, to identify what is not wanted. A very important feature is privacy management: dealing with consent, dealing with the editing and the deletion of profile data which is no longer needed, and, I've talked about GDPR briefly, also exporting profile data, which is a right that the data subject, the user, that is you and me, now has. And of course, security in any dimension that is possible.
It needs to be implemented in an adequate way, and that is administrative security for the privileged accounts, but also understanding what is actually happening in the context of an enterprise infrastructure, through a SIEM system, or just understanding that the right people are accessing the system when it comes to strong authentication and authorization. So what we need is actually one approach, one IAM system that supports all these needs, no matter whether it's internal or external identities. And that's the reason why we have these five boxes of consumers, customers, partners, contractors and employees, because all of them are represented by the devices that they use for actually approaching the system, for accessing services and resources. And they come through different channels. I just divided it into external and internal network, no matter whether the network is trusted or not. So the IAM system needs to deal with both types of network access.
And they are then processed in all these building blocks of an IAM system: from directories, through federation, which incorporates different identity providers, to providing web access, which is something that Michael will talk about, but also adaptive authentication: this access actually looks fishy, let's challenge another factor to prove that this is really the actual user, although he is coming from an internet cafe in, I don't know, in Greece, which is unusual. Privilege management, access governance, identity provisioning, all of this needs to be something that is available for all these involved people, their devices and their network access. And based on that, they need to gain access to all the resources that we provide, which might be in the cloud, which might be business partner apps, web or traditional legacy apps. And this leads me to my final slide, which actually gives a very high-level blueprint view on how such an architecture could look in a building-block manner.
So no process data flows here, but just the building blocks. Again, we have the users, we have the different IdPs, we have the platform and we have the different target systems, which need to be connected by the IAM platform to enable all the access that is required, ranging from traditional legacy apps, which might need some agents, some plugins that make sure that interaction with an authentication and authorization system is made possible, up to modern federated apps, public cloud, private cloud, or business partner applications, which might also be cloud apps like software as a service with federation. And all of this needs to be tied together into one single, efficient and maybe even effective and cost-effective application infrastructure when it comes to IAM. And this is the point where I would like to hand over to Michael, and he will talk more about the practical aspects when it comes to really implementing such an infrastructure. Before I hand over, my reminder: please enter your questions within the questions panel, when it comes to questions about my part, about Michael's part or the combination of both, and we will take care of your questions in the Q&A session. And with that, I would like to hand over to Michael. Michael, are you there?
Yes, I am. Thank you, Matthias. So hello everyone. I hope you can see my slides. Can you, Matthias?
Yes, I can.
Okay. Very good. So hello everyone to the second part of this webinar. My name is Michael Libi, as Matthias already said. I'm talking on behalf of United Security Providers, which is a Switzerland-headquartered security provider. I'm actually the guy on the right-hand side. I have been working in the security industry for some 25-plus years, so basically all my life, as you can see. Our company provides a unique access management technology which encompasses versatile risk-based authentication, federation and customer IAM technology, and which is part of a larger 24/7 cybersecurity services portfolio of security controls that we're typically providing to medium to large enterprise customers. To give you a quick impression of who our customers are, which is of course shaping my perception of the problem and the priorities that one has to set, you can see here a graph showing that the largest portion of our customers, some 35% of the revenues, is coming from medium to large manufacturing and services companies.
Typically multinational companies. The next larger customer group is financial organizations, being banks from large to middle tier to private banks to insurances. And then the next biggest group is actually IT-oriented companies themselves, like data centers, internet-born companies providing some sort of online services, managed service providers and so on. So this shapes my picture of the problems in the identity and access management space. You can see a couple of logos here, which you probably don't know; doesn't matter at all. So let's come to the central part of the challenge first. Well, you've probably heard the story again and again from various digital transformation consultants; they preach it like a mantra to every company which wants to hear it or which doesn't want to hear it. And the story is always the same. They say, well, every company now has to engage with their customers, whatever their customers are, and engaging with the customers of course means building communities, somehow interacting with them on the digital channel. At the same time, they need to empower their employees so they can work mobile at any time on any device and have efficient processes to do what their job is.
And in the longer term, every company has to optimize its business in order to stay relevant and ultimately maybe even transform the product and turn from a car company into a mobility company or whatever. I mean, it's the same basic plot that is told to every organization. And what it actually means is ubiquitous use of new technology. So sooner or later, it all hits the IT departments. There's almost no new initiative, project or program which doesn't involve the IT department. And for them, this all translates to actually more portals, more apps; again and again, every quarter, every month, new digital interfaces are created against the company. And when we come down to the infrastructure layer, this means everyone has to think about managing authentication not app by app, but actually as a part of a general strategy or solution.
And the next thing that they have to think about is: how do we manage access for everyone who is coming to use these services? And at the end, the foundation of everything is actually: where do my identities live and how can I use them to grant access to all these apps, portals and devices? So it sounds pretty simple, and it boils down to a more or less shared ambition that we see at most enterprises with regards to access management, which is to somehow achieve a service-oriented and interoperable solution to store, manage and use all these identities, workforce and third parties combined, to actually support access to existing and newly evolving digital interfaces. And it starts pretty simple and manageable. So maybe the first inventory is: we need to enable controlled and secure access to current on-premises apps, plus some limited number of cloud-based applications for these employees and third parties.
It might be Office 365 in the cloud, a new customer portal, only one to begin with, the traditional corporate extranet for the employees and some legacy. But actually, when we look closer, we see that for the longer term we do have quite unsharp and changing assumptions that we need to bring into the picture. We don't know what we need to plan for. Is it just that cloud initiative that we're currently talking about, or will it be a hybrid multi-cloud environment, potentially a multi-provider environment? We're somehow sitting between the convenience expectations of the users that Matthias has been talking about, so it's not the employees that we can just advise to use whatever we're giving them, but we actually do have some very high convenience expectations of users coming from the broader internet. And at the same time, we need to meet the agility expectations of the business, which is in the middle of its digitalization program and coming up with a lot of ideas.
And at the same time, we need to cope with security resource shortages. So we already have too few resources currently to do what we need to. And as if this wasn't bad enough, on top we have to cope with budget limitations. So when we look closer, that shared ambition, which looked simple in the first place, is actually a moving target. And we need to find an appropriate strategy to actually cope with it. And if we look close, that rabbit is actually a pretty bad-looking bastard that tends to not be fun and to lead to headaches in the long run. And I want to take that budget limitation, resource shortage as the first thing that we need to address, because without resources and budget, we cannot handle anything. So one of the problems for us security experts is that the non-experts' perception of cyber risk is still lagging far behind where it should be.
And I have illustrated that using the World Economic Forum Global Risks Report 2018 that you can see here on the right-hand side. We're actually only looking at the top right of that traditional, classic risk allocation matrix. So the axes are the probability of the risk coming true and its potential damage and impact. And what we see is that the World Economic Forum has identified three big risks: critical information infrastructure breakdown, cyberattacks, and data fraud or theft, which is actually as bad as terrorist attacks, which we're pretty used to, we see it every day in the newspaper, or natural disasters happening everywhere, fires in South Africa and everything. So it's as bad in impact and damage as these, but this is not the perception of the non-experts. And we can see that clearly from the movement that these risks have made from 2017 to 2018.
Although we're all investing a lot into security and making things better, the situation is getting worse. Damages are getting bigger and the probability is getting higher. The reason for that is something that we need to talk about a bit later. So from my experience, this is how it often begins in many enterprises with digitalization. Well, the enterprise top management is talked into the need to become digital, or at least the product has to be augmented with online services, and well, to begin with, they somehow have to engage with the customer. So a customer portal must be provided to get in contact with all these customers. So business starts to collect and generate ideas and to derive requirements from that. So, okay: the primary audience is the existing customer base; of course all that stuff, when we are investing money, must contribute to the growth plans.
They look at competitive solutions, which look complicated, so they want something easier and simpler. They clearly want their corporate brand to be represented well as a key differentiator. And it translates into things like: our identity and access management solution must somehow link to the CRM system. And we must implement an attract-engage-convert model: allow visitors to come and interact with our company with a low barrier, then engage them more and convert them into customers. Finally, we need more intuitive and more user-friendly solutions than the competition, because this is what customers tend to see first. And of course they need full control over corporate identity and corporate design aspects in all these solutions that they implement. And well, this is basically the state where it hits IT and the chief information security officer, who are then translating and adding numerous additional requirements. Well, they find out some of that data that is being published is actually classified data.
The plan of letting third parties access company services involves enabling access from the internet to trusted zones. They clearly see that the number of potential third parties that can access these systems is pretty high, so the support definitely cannot handle password reset requests of all these third parties, and well, they have in many cases no plan yet of where to place these new digital interface systems. So this all translates to additional requirements, which now take us really close to identity and access management. So that classified data might ask for two-factor authentication; bridging the internet to trusted zones would imply not allowing direct access and putting some protection measures in to bridge that gap. And well, they would clearly need user management self-services in order to offload these user requests from the support, and so on. And what we see sooner or later is that someone will come up with a brilliant idea, and it will be formulated more or less like this:
All these new applications have to leverage the existing identity and access management systems. And this is actually where you should get your package of aspirin a bit closer, because there's a clear difference between workforce identity and access management and customer-facing identity and access management: completely different features are emphasized. So in the first place, it might seem to make sense to protect the investment that was made into workforce IAM, and it actually does. But then should you build everything on top of that and augment the system with additional functionality? Well, it's not too clear. So what you need in customer identity management is things like self-services, integration, some form of marketing and sales integration, and of course a completely different scalability. And the shared services in the middle are of course things like account fulfillment, secure single sign-on, also for customers as well as for employees, and directory services.
So if you take the wrong turn at this question, then this can turn into a bad headache, because what you will find out sooner or later is that licensing schemes, for example, of workforce IAM systems are completely unsuitable for customer identities. Numbers can get really pretty big with customer or consumer identities, and looking at these licensing schemes of existing workforce identity and access management systems can generate pretty high numbers and actually invalidate the business case from the beginning. And often they do not have these user self-service capabilities. They have no functionality in the space of social IDs; why should they have, I mean, for employees this is the last thing that you would probably use. And they are lacking a lot of functionality. What I did is I just took an analyst report and collected some of the cautions from the various technologies that we will see.
And it characterizes pretty well where many companies that actually go the way of augmenting workforce-oriented identity and access systems will find themselves. So they will find that infrastructure requirements are just too heavy to do that large-scale consumer IAM, or that they cannot support reverse-proxy-style architectures, that they have no functionality for OpenID Connect, which will have a high relevance when it comes to social IDs, and so on. So sooner or later, of course, there's no silver bullet and there's no just perfect technology, but heavy patchwork comes with a high price. So what we see is that, well, everything can be solved of course, but the resulting work of art is then really susceptible to misconfiguration, very shaky in operations and expensive to maintain and operate, and companies then find themselves in a situation where they are becoming, well, just a number in the statistics.
So obviously when we look at current statistics, many enterprises are not getting it right. They're kind of somehow trying to get the job done, like the poor guy sitting behind this truck, but actually many of them create vulnerable applications and they cannot keep up with patching the applications. And finally, they become part of that very high number of companies that have been breached. So clearly this approach that has been practiced in the past, protecting old investments, leads to a huge problem. So what is a different approach that we should take? And this is actually what we do and what we specialize in. We think that in order to solve all these challenges and to catch that moving target, what you need is an application delivery platform that delivers turnkey protection against the classic attacks on all these published applications as the first component, and then an adaptive and versatile authentication service, which can handle all these single sign-on capabilities that you need and which integrates with existing identity management systems.
Of course, if you want to leverage that investment, or if you need to leverage that investment, you definitely will need federation capabilities: the ability to either use a third-party-provided application and use your own identities against it, or the other way around, use cloud-based or third-party-provided identities and connect them with applications that you control. And the third part that you need is a client-facing identity management system with which you can augment the existing identity technology for the workforce, which provides you with a lightweight user directory and all these self-services and admin delegation that you need to engage with outside third parties. And actually all these boxes do have a name. We call them, well, the first platform is a web application firewall, which does all that stuff like web security, reverse proxy, session management.
And so on. The second we call the access component, which must handle user authentication and all these trust elevation requirements. So somebody is coming in with a social ID, and eventually you need a stronger proof of identity and authentication to access some more critical applications. It must handle self-services and token services to connect all these applications. You need the federation function, which we just call the federate function, which must actually supply you with a couple of functionalities, like service provider functionality in SAML terms, being the relying party in OAuth or OpenID Connect terms. You need the identity provider functionality, IdP in the SAML world again, or the OpenID Connect provider in the OpenID Connect case. And you need some kind of broker functionality to make this all interoperate, so for example to use an IdP in front and an RP in the back, and all that stuff.
The last thing is just that third parties' identity store, which does provisioning against the existing directory and which gives you a means to simply handle the user administration of these third parties. And if you had all these components, and they were adaptable to your network zoning, so you could run them highly separated depending on your zoning concept, or fully combined if you're just a small company with a rather flat network, and you had the flexibility to adapt that to your individual cloud strategy or the cloud strategy of your enterprise, so deploying hardware, virtual appliance, cloud-based, or in a mixed setup, then actually the world would again turn pretty simple. And I'll take you through a couple of use cases now, so you can see how this actually can be built in the real world. So we'll start with a very simple use case. Don't fall asleep.
It will get more interesting pretty soon. So the use case is: employees are sitting in the LAN or enterprise WAN, applications are sitting on premises, and all we need is some transparent login and single sign-on to all these applications. Well, of course you do not really need an identity and access management system to do that. You can build this single sign-on functionality and this transparent login into every application, and no technology is needed. But it still makes sense to actually build it around a central service-oriented platform. And you'll understand why in just a second, because for the second use case, where these employees are sitting in the internet, you actually cannot live with transparent authentication anymore. What you now need is some functionality, the WAF functionality, to actually publish and protect all these applications that sit on premises against the internet, and to handle all the risks that result from vulnerabilities in the platform or in the software itself.
And now we want to have multifactor authentication, eventually depending on the risk appetite that we have, or on the criticality of the application, which we just dock to that service. So it's fully transparent. We leverage the same integration. So it's nothing different. It's still the same integration that we use for the transparent login. Now we're just accessing it from a different network segment, let's say from the internet, from an untrusted zone, if we still have that trust concept. So we handle the multifactor authentication, whatever authentication means we want to use in that space. It might be the same that you're using for remote access or even hard encryption, it doesn't really matter. The platform must be capable of handling all kinds of different multifactor authentication. Anyway, as we will see in just a few seconds, this takes us to the next use case. So the same employee, which is now in the internet, is actually not just using on-premise applications, but also some applications that are sitting in the cloud, like Office 365 or an enterprise portal built on top of Amazon Web Services, or whatever you name them.
One of these many cloud service providers, either local or global ones, that your company decided to use. And if we still want to have the single sign-on experience, and we do have the strong authentication, everything done already anyway, we need federation capability. And in that case, we want the cloud application to be the service provider, which in most cases they can do, for example Office 365. And we want our own identities to be exposed through the federation function, providing identity provider functionality. So still one strong authentication done by the employee, using the same integrations to the applications, and being identity provider against these cloud applications. And now we've talked enough about employees. Now we come to third parties, which might, for example, be employees from a trusted partner. So in that same situation, we do not control the identities anymore. So we still need to publish and protect the applications; that's a good plan.
Even if the partner is a trusted partner, we still want to stay in control. But actually what we now need to do is to be the federation service provider. So our applications, which are sitting in the back end on the right side, or in the cloud, wherever, need to be exposed through service provider functionality. Like this, we can use the identity provider function which is provided by the partner enterprise. And we see that setup being used more and more in many situations, for example where multiple states allow access from one state to the other state. Cantons in Switzerland, where I come from: one canton runs an application, two cantons can access the application because they have a partnership where they share investments. So that's quite a typical situation, even in larger enterprises where maybe a new company has been acquired, which is now part of the group, but not fully integrated IT-wise yet.
So they trust each other. They publish identities using identity provider functionality and share applications through the service provider functionality. Okay. Looking at the next thing: external third parties, which is prospects and clients. So we do not trust them, obviously. Still we need to publish our applications towards these clients. Eventually we might integrate them or allow them to use their social IDs to access the same applications or a subset of these applications. It doesn't matter too much what it is, because it's all connected once to the platform anyway. And we need and want to give them self-registration functionality, in the case of consumers, and in most cases self-administration, self password recovery, self ID recovery, all that stuff, so they can be more or less fully self-sufficient. And for that, now we need that identity functionality, so that identity store where all these identities can live and all these attributes can be handled.
And we need provisioning functionality to connect this additional identity store to backend directories like the Active Directories, so the applications are supplied with everything they need, and we're handling tokens through the SSO function as we did before. So in the consumer case, things still look pretty simple. Eventually, if we are successful in actually attracting them and converting them to customers, which might imply a higher level of trust than a social identity, we must do trust elevation, which now could come through multifactor authentication, actually this time using a different authentication method as a second factor. So the final use case that we're looking at: B2B clients. Well, self-registration is probably not the thing that we want to do with B2B clients. So what we actually need in that case is some kind of API, so we can link to the customer relationship management system, and we need an administration delegation functionality.
So these clients can administer themselves, or all the users of this company can be administered by the client itself. So a simple form of federation, if you want, where actually federation wouldn't make sense, but self-administration makes a lot of sense. Okay. So we've been walking through this picture, but this is actually not theory. This is actually what we build for modern companies, which are moving fast into this digitalization space. And we should now put it into a somewhat bigger context. So the nice thing about this approach is that if you have a solution which is interoperable by design, that means all these dotted lines that we see here are actually something you do not have to take care of. All these components talk to each other when they need to talk to each other in the respective use case.
That's the beauty of such an approach of an interoperable solution. And now we can quickly move into putting it into a bigger picture, which will be: all these services actually must be part of a larger cybersecurity services set of the company, integrated with the secure SD-WAN functionality, integrated with the cloud access functionality. So we can place all that stuff into the picture: the internet access, the corporate WAN, all the on-premise backends and the cloud-based backends, the hybrid multi-cloud that we're talking about. And we need to be able to put it on top of either physical, virtual, private, or public cloud functionality. Going forward, we're actually thinking very hard and working very hard on delivering all that functionality containerized, which would be a separate webinar by itself. But we think that going forward this is a very good plan, to have these components containerized and orchestratable on an OpenShift architecture. That, as I said, is a different talk.
So if we have that full picture, what we now need to do is to assure 24/7 security operations, collect all the logs and make sure nothing bad happens, which can also be, if it's now an integrated solution, a managed service sourced from anyone, eventually from the technology provider, which is moving from technology to services anyway. And if we had all that, then on top, simplification comes back through a digital cloud interface. So just one service that lives in the cloud, which allows you to see all your services in operation, in a security dashboard, being monitored, and self-service and API enabled. And through that, you can now look at the global distribution of your company as being a very simple thing. You just follow your customers and your applications, which are living on multiple continents. You deploy these services in the respective locations, be it on premise or cloud-based, whatever suits you best.
And now look at it through the dashboard. So you need to make use of all that threat detection technology and artificial intelligence to find out if something bad happens when you open your systems to the world. So it's a good plan to not look just at IAM functionality, but also at supportive functionality like embedded threat detection, all that stuff: drill down into what happens on these components, interact with your service provider by resolving any issues, changes or tickets, eventually add additional users yourselves, or be published through a web application to your end customers. So that's basically the story. That's what we think. That's the plan, how we catch the moving target. We actually do it every day. So a quick wrap-up. Think back: the digital transformation leads to that explosion of portal services and applications, and ultimately the need to manage IDs, authentication and access. You will get more money if you work on the perception of cyber risks as well. And then we have to achieve this service-oriented, interoperable solution. Think back that client-facing IAM emphasizes other features than workforce IAM, and that patchwork can lead to headache. And well, the big picture that we present here, I hope you like it, is that an interoperable-by-design solution consisting of WAF, authentication, federation and client IAM, eventually available managed 24/7, will save you a lot of aspirin. Thank you very much for joining.
Thank you, Michael. That was overwhelming. I'm really impressed. Thank you for your presentation again. First of all, I want to remind all participants to enter additional questions now, as we are approaching the Q&A session. So we're actually coming to the Q&A session. If you have any other questions, please ask them right now. I would start with one question. In the overview slide, on slide 11, you mentioned the concept of an IdP broker, which I assume is some consolidation, some joining-things-together component, but you did not show the use case for that. Is there something more that you could tell us about that functionality?
Okay. Yes. Let me think. Okay. Yes, of course. Identity provider broker, or IdP federation. Yes. Okay. The use case actually comes from, let's say, a shortage of the SAML protocol. IdP and SP are concepts from the SAML protocol. And typically the concept is that one IdP would access multiple SPs, service providers, but the other way around is kind of not foreseen. So one service provider typically talks to just one IdP. So in the case that you have multiple IdPs which should all use the same application, published through an SP, you need some kind of broker functionality, and that's actually the IdP broker thing. So against the SP it just presents itself as one IdP and handles the complexity in the back of having multiple IdPs that should talk to this SP. So, for example, you could control which IdP to use by some kind of attribute, well, the origin of the user ID.
For example, if in one part of the enterprise the mail address is Kuppinger, and in the other part of the enterprise it is Cole, and you have two identity stores, then you just direct it automatically through that. Or you could even provide the functionality of selecting the appropriate IdP to access the function. So it's very helpful if you have multiple IdPs, which you will probably have in the end, if you control identities in separate ID stores. And also we can bridge technology from the OpenID Connect world to the SAML world, which is sometimes very helpful. So on one end being a SAML IdP and on the back end being an OpenID relying party, which is pretty helpful in many cases.
Okay. Thank you very much. I just have to read that question, just a second. Okay. I'll just read it out: Have you considered using the final IdPs as an authentication module of the IdP broker?
Okay. Again? Okay, I didn't get that.
Have you considered using the final IdPs as an authentication module of the IdP broker?
The final IdP...
I'm just trying to understand that as well. Maybe the person who asked that question can refine it and we get to that later. Yes. Or...
Or hand it in by email, because I just don't fully get it currently.
Right, right. Maybe, yeah, please just refine it and send it either by mail or ask it in the panel again. Another question, just from your experience, a very basic question. How many organizations that you are dealing with are actually using social login for their consumers? From a percentage point of view, is this really something that actually has the traction that all the analysts say?
Yes, it does. Well, when you work with consumers, obviously not in the B2B context, so we can exclude all the B2B companies, but in the consumer context, well, it's just very convenient, and actually user experience counts a lot. And yeah, we see a really growing number of companies using these social IDs, and actually even using multiple social IDs. Of course, if you don't have a very clear target group where, well, you know that 99% of your clients or consumers will be using Facebook anyway, then you will have to offer multiple social IDs. And yes, we see that as a growing number because of that very good user experience: actually not creating an account, but just connecting your social login.
Okay. Thank you. And another question: machine-to-machine communication. Is that something that you typically also integrate here, and does that change the use cases? So really service accounts, system accounts, something like that?
Well, yeah, okay. We see it often in the case of, let's say, API gateway functionality, where some other machine communicates with APIs, which can be a mobile application, or actually another company using that stuff. And authentication is just done in a different form and fully transparent. Of course, you still maybe want to use tokens like in the OAuth concept, and other things. Yes, that can and should be integrated. The more intelligence we actually get, even if it's real users, their devices are also one element of the access. So companies which really take it seriously will obviously always take a combination of machine attributes and user attributes and involve that in the policy decisions. Yes.
Okay. Okay. Thank you. Maybe a bigger question, but as we're getting close to the end, just a short answer, please. If some organization chose to actually deploy your full four-component stack, how much effort do they need to spend? What is your experience when it comes to implementation times? How long does it take them? And maybe, if you want to talk about that, how much should they spend on that?
Okay. Yeah. Big question with many parameters, right? So let me recall an example that we had recently. So a mid-size multinational industrial group, which had the requirement to have three staging environments, like test, integration and production. And everything I'm saying is excluding infrastructure, because it was all built on top of IaaS anyway. Having 10 applications, more or less 1,000 concurrent users, if I remember right, from all employees, and 5,000 external third-party users. So in that context they had the need to use all components, actually, because of the combination of their applications. They spent some 35 to 40 days of professional services to actually build and integrate all authentication factors and all backend systems, 10 applications, as I said. So 35 person-days. They spent something like four months from start to going live with the complete system in total, and spending was somewhere in the space of 6,500 euros monthly subscription, because this is all subscription-based if it's living in the cloud anyway.
Okay. Okay. But that's rather quick, four months, and of course you need to spend the time and the effort and the professional services, because these systems are custom built in the end, but that sounds quite straightforward. Okay. As we are getting close to the hour, thank you all for your questions and your participation in this webinar. I want to thank Michael Libi from United Security Providers for a great presentation, for the webinar and for sharing his expertise and insight in the presentation and the Q&A. Do you want to share some famous last words before we close down the webinar?
Nah, may the best team win.
Okay. Talking...
About football, obviously.
Obviously, but we will see. So then I would like to close down the call. We would be happy to welcome all of you in another webinar soon. And of course we are very much looking forward to meeting some of you in real life at one of our upcoming events. So that's it for today. Thanks for your time and participation. If you have any other questions, please get in touch with KuppingerCole or United Security Providers by mail. The webinar recording will be available tomorrow if you want to re-watch it. Have a great rest of the day and goodbye.