In an Age of Digital Transformation Managing Vendor and Partner Identity Is Critical

Hello, good afternoon. And welcome to this latest webinar from KuppingerCole supported today by SecZetta.

Today, we're going to be talking about managing vendor and partner identities, which is becoming critical in the age of digital transformation, as I'm sure many of you may know, and to do that, I'm very happy to be joined by David Pignolet, who is the CEO of SecZetta. Before we get going, I just run through a couple of events that KC is doing very soon.

We have one of our next KClive event on October 1st, all about IGA solutions for service now, infrastructures, something that affects many businesses today, then October 20th, we have our customer technology world online, which is a replacement for what would have been a live a real event. If you know what I mean, this will also be real, but it's online. And then finally we have the cybersecurity leadership summit in November. So some dates for your diary there in terms of today's webinar, no need for you to do anything you're muted centrally.

And we are controlling that there will be a recording and slides made available very soon after the webinar's finished. And there is an opportunity for Q&A at the end of both our presentations. And you can put, you can into questions at any time using the gotowebinar control panel, which you should see on your right. So as for the agenda this afternoon, I will be looking at some of the business conditions that are driving the increase in the number of third party identities and vendor identities and how the identity fabric can help manage this.

And then David will be talking a lot more about how to create a source for third party data that organizations can use to improve their operational efficiency and accuracy in provisioning, access, streamline compliance, and much more. And he'll be going into more depth about that in the second part of the webinar. And as I said, we'll have a Q and a session at the end. So to get started, let's just have a quick look at what I call the new business and security landscape that many organizations now find themselves operating in.

And within that we have business technology, business processes, security integrations, and security processes, and how all four work together. And of course, business technology is changing all the time, but we are seeing obviously trends. Some trends are more dominant than others. Cloud is obviously one of them. Virtualization is another, but in recent years, we've also seen the adoption of more hybrid architectures where people are mixing up cloud multi-cloud and legacy it systems.

There also, we're seeing a much greater emphasis now on dev ops and containerization as organizations realize that the way to become more competitive and to keep customers is to increase the efficiency and rapidity and indeed the output of development and DevOps. When they brought together the, the, the two parts of dev ops development and operations to share a culture has certainly revolutionized the way that applications and software developed both for, within an organization, but also to sell actual softwares and then product to companies.

And within that, we have seen an increase in identity because people need access to dev ops tools and to get that they need and identity. And we're finding that those identities are not just human. They can be machines, they can be applications, and they may welcome personal to today's discussion. They may come from outside.

What we used to call the perimeter or the traditional organization, automation and artificial intelligence machine learning are also impacting now on a business technology, particularly in some areas such as manufacturing, where automation is taking much greater hold than it did before, but we're also seeing automation of software. We're seeing bots being used both internally and externally, and finally the internet of things where all of this is getting joined up, where all sorts of things have become connected to the internet. Yeah.

And again, internet of things will evolve new identities. And these identities will not necessarily, as I said, be human. They will almost well they'd be machines. And those machines need to access our systems and infrastructure to do the job that they've been designed to do. And for business to get the benefits from them in the last six months, we all know what's happened. We've seen a massive shift towards mobile working and although many economies are now seeing a gradual return to offices and traditional workplaces.

I think the dial has been set now that after the COVID shock, we realized that we could work from home quite well with the tools that we already have, but it meant that we kind of rather suddenly had to access the, the infrastructure and the it from home and perhaps security wasn't first and foremost, or top of mind when we did that, we were trying to keep the lights on. We're trying to keep businesses running.

And I think a lot of us did that very successfully, but again, people are using identities to access the systems and the data and the applications that once they opera access from the office. And so we need to manage those identities as well.

And we need to think about whether our partners and whether our vendors and those along the supply chain, also working from home and replicating what they used to do through more traditional methods, but now doing it from home and possibly on an insecure VPN, or even not a VPN and maybe using a laptop or other device, which is shared amongst the family, which isn't secured and can easily be corrupted. So we're also seeing the greater to a commitment to compliance or other.

We're seeing many more pieces of legislation coming out across the world that make it paramount, that organizations can vouch for their data. They can vouch for the security of that data. And they've got something to say or to explain when that data gets lost.

So again, if we don't control the identities, if we don't control how, and when identities access data, then we're in danger of, in breach becoming in breach of those new rules. Okay. Customer access and vendor access is what we're all we were talking about today. Agile development, again, linked in with dev ops and containerization and collaborative working again in the last six months, we've seen collaborative working come to the fore. We're seeing wider adoption of what we call digital workplace delivery, where end-users, they may be at home.

They may be in the traditional workplace, but then are getting access to applications and data and the things they need to do their job from a single pane of glass. And again, for that to be secure, your identities need to be managed. So we're seeing more security integrations while this is all going, no, we need to see, well, we will see more integrate with security incident event management. They're much more use of analytics. So we know what's going on.

And we're seeing wider adoption of access tools, authentication tools, such as multi-factor authentication and single sign-on, which are enabling us, or should enable us to better manage access management and identity management. And part of that, of course, is customer identity, access management, privilege, access management.

Again, it has become more important in the last three to five years as more and more privileged accounts start to exist and more and more users and machines and applications want or need access to those privileged accounts. And those privileged accounts are starting to come under things like dev ops, where certain pieces of code access to that is considered to be a privileged account and so on. So we're seeing more security processes is coming along as well. So we need better incident response.

We do need security, security management, or allocation that you could say we've needed for many years. Why do you use it forensics for when things go wrong, much better auditing and reporting. And of course, risk management, which is really the thing that should really bind all of these together, that we shouldn't really be doing any deployment. We shouldn't really be thinking of even thinking of a new security deployment until we understand the risk management. If you understand the risk posture of the organization, we're trying to protect.

So risk management remains hugely important and the new business and security landscape, probably more so than ever, just some core challenges then we'll, I won't dwell on these too much because they're fairly self explanatory, but of course, cybersecurity challenges haven't really changed that much. You know, we have to keep data breaches under control.

Ransomware is by far or has become by far the most pernicious form of attack in the last few years, particularly affecting small to medium-sized businesses, which often pay the ransom because it's cheaper, but we've also seen ransomware attacking hospitals, financial institutions, and other organizations, which are critical to the functioning of our economy. Social engineering is, is, is the way of course, that many of these attacks happen.

And it's, it's crucial that we educate people as much as possible that we can, you know, to alert them to the dangers of phishing attacks and not to click on what I look like, suspicious links, et cetera. However, I personally think that you can only do so much security awareness and we need to really have technology solutions in place that can take away the sort of security responsibility that we put on our end users and allow them to get on their job and protect them. And that's why we need to think more about how we authenticate, how we manage identities.

And we need to be thinking about moving away from passwords and usernames and passwords, which are a weak link, particularly in things like privilege access management. And we need to be thinking about better ways of protecting identities, but, and putting identity at the center of, of the business and protecting that identity or the genuine identity so that it can access the systems that it needs. And finally, we have to think about the IOT, which is becoming another attack, vector factor for attackers, looking for back doors, et cetera, to try and access our organizations.

So what's happening then while this is going on, vendor and partner identities are multiplying. We have a figure here from the respected parliament Institute. And they say that 59% of global companies have experienced a data breach caused by one of their vendors or third parties. And that doesn't necessarily mean the blame is with the vendor or the third party, but the attack has got into the business via the vendor or third party. And in United States, the percentage is even higher, 61%.

And this is why, because we have a globalized world, we have globalized industries, but even within that, I mean, we, we're now finding the ones once. If you cut that in half, once we had on the left there, the identities that are mostly accessing the it infrastructure services, data applications came from within your organization. But now we have people from the supply chain. We have people from logistics. We'll also have managed services providers who are providing a service.

It may be a security service, or it may just be a normal software service, but they too, at some point may need access to the infrastructure. They may need access to the cloud and they need access to the infrastructure even to set up the service in the first place. A lot of businesses wouldn't be able to run without it contractors, who I am variably variously on site for a short amount of time and the same with consultants or auditors.

And finally, we, you know, there are also with the rise of fast fashion and omni-channel retailing, which is also increasing the number of identities and access points that are going into the, in central it infrastructure. So you could probably add many more types of people. And of course, within that, I haven't even included the IOT of the things that are, for example, things that monitor warehouses or factories, or also may need access to core it infrastructures. So this is a kind of a call to action here.

We have three create Clarion calls that I think essential, we need to rethink the management of third-party identities. We we've we've, we've sort of got used to a world where traditional employees and their identities who have been sort of as, is more important than third parties. Third parties were kind of, well there's third parties, but we must look at these now in terms of value and risk to the whole organization. And instead of saying, oh, they don't have the same mix they certainly do. So we need to shift people and roles away from those traditional risk identifiers.

We must subject all identities that we know of that may have access to the core infrastructure. They must be subject to the same risk assessment and the authentication must be based on the principles of zero trust and lose privilege. And we need secure access points. We don't need things like VPN. We need zero trust and multi-factor access all those tools that will make the identity or authentication far more secure and identities.

All identities should be treated as an equal risk, unless until they're authorized, whether they belong to third parties to machines, or indeed all regular employees, it's only once they'll rise that they can deliver the value to all parties and the stakeholders that we need and to grow our businesses. So let me introduce in the time that I've got left, but for, for my section, the concept of the identity fabric, which is something that we talk or developing here at KuppingerCole, it's a unified approach to identity and access management.

And what's important is that it doesn't differentiate between third party vendors and normal employees, et cetera. And it goes across all areas of identity and access management. So we see it as a blueprint for business. So it's not a technological product, it's not a technological solution. It's a concept. We see it as delivering that unified identity approach that I've just been talking about. And it will work for vendors partners, third parties, plus more, most importantly, should be able to work with legacy it infrastructures.

There's no point rebuilding the all cause it where we all have to work with legacy infrastructures, unless we're a very new organization, et cetera, as well as working well with cloud and multi-cloud. So it also needs to be future-proof. So the concept can grow as the organization change and related to that, of course it needs to be scalable. It needs to be able to work with the new framework of APIs and microservices and festival. It should make access management or other access for users and others easy.

So the security is done in the background, but the access is upfront and easy so that people, as I said, can get on with their jobs. So these really sum up the identity fabric cross is all areas of identity and access management. And it reflects what we see is the worrying reality of identities that need access to a multi-user servers. And those identities are covering across from, as we say, third party vendors and other people not traditionally associated with identity access. It's not a tool, even though vendors are starting to support the concept of the identity fabric.

We're not selling any particular tool or technology. So it's a paradigm for a comprehensive future-proof identity and access management that can be implemented based on existing or new technology. It provides a clear segregation between the various levels that your business and use perceptive with requirements, the capabilities and their aggregation into service. It all starts with requirements and use cases. That's very important that the identity fabric needs to work with the organization with requirements and use cases.

Then you do the architecture and then you finally, you build the technology around that the identity fabric can be comprehensive, comprehensive, or it can be attitudes gradually delivering more and more services required that deliver the required capabilities. The crusade, the concept and architecture are comprehensive from the very beginning.

So it's, it's fully scalable. The theory should be able to encompass third party vendors, identities, et cetera, right from the start. And it must be built on a modern architecture if possible by through microservices and beyond that, it should be able to provide API access API access on Pickathon to identity services. So just to finish on my part of the webinar, this is basically a schematic of what I've just been describing. So we have on the left on new types of identities.

So we have our consumers vendors and of course our traditional employees and the various ways that they might be trying to access applications, software and services, consumers might bring their own identity. And then they also have an external ID vendors, may use identity, API APIs, various platforms. And of course, employees may, we're using traditional directory services as found in the organization and all that goes into the identity fabric. So you've got access management, administration, governance and privacy we'll built in the sets of services, the, the concept that sits within there.

And then we allow people into the cloud. We allow them into federated services and so on into legacy it through various types of access management and authorization tools. So that's a really an overview of identity fabric and a very simple way. There's a lots more about identity fabric and how it works with various new types of identity on our website. But with that, I shall now handle for a lot more about all of this from our guest today, David Pignolet who is the CEO of SecZetta. So welcome David. Thank you. Appreciate that. Good morning.

Good afternoon for the, the attendees, depending on where you're at, I'm on the east coast of the US so for me, it is still morning. So I wanted to start the conversation today and just talk a little bit about who I am and who we are here at SecZetta. So I founded the organization back in 2006 as really a consultancy in cybersecurity or information security.

We, we did some security roadmaps for HIPAA compliance here in the US it's healthcare regulatory compliance demand. And there was a, our rush to put in security programs within that vertical to meet those regulatory demands. So lots of projects associated with those programs.

One, one of those projects in, in multiple programs that I helped build where identity and access management projects made a realization that there was good opportunity to focus in that area as an organization. And we, we quickly did that and built partnerships with some of the leading identity and access management and identity governance products.

What we saw was sort of a repeated theme around having good data in context for employees, and an ability to effectively govern access for employees, but a real lack of diligence data context, and certainly in certainly risk evaluation around third-party identities and what it led to was a really increased risk to the enterprise for those folks that you grant similar access as employees to.

So to decided the problem is large enough to build a purpose built system, to address it for organizations today, worldwide, we've gotten a lot of attention and good traction, certainly in the last say 36 months. So we're excited to continue to grow in this space and, and lead the market in what I often call third party identity risk.

So I really want, I wanted to talk about what we have to, obviously we're here to talk about what we have to offer, but I like to ask for a little patience so we can really understand the problem many organizations face before we talk about a solution effectively, let's try to answer the why addressing third-party identity risk and life cycle is important in the first party. User populations have exploded and because of new business needs needs caused by the pandemic, the work being done by this group has exploded as well.

So as organizations to move toward more elastic operational structures and restructure workforces third-party relationships can create an increased, serious operational and cyber risk to an organization. The solution to support this new reality has been slowing coming, but the tools that support that type of flexibility are more critical now than they ever were. And really that's why SecZetta is here. Let me see. Sorry. I can get to the next slide here. Here we go.

So risks include a lot of business critical functions and or systems data exposed and potentially held for ransom and really the name of your organization and the headlines. So all of these losses have massive costs, lost IP potentially, and really an uphill battle for the PR department of fight to win back customer trust.

Well, that's the worst case scenario. It's not really the only problem that security organizations face, right? Audit findings, confirming unacceptable risks that you should have managed and control is, is also a bad day in the office. Hello.

Well, that sounds like a nightmare. And it's certainly lurking in the back of everybody's mind, the frustrations that are faced in a day-to-day by the business in managing identity lifecycle for contractors messengers. And I think as, as Paul mentioned, you know, bots and other things can be just as nightmarish.

So we've, we've partaken in some customer led research and found some customers spend as many as 40 man hours to manage a single contractor over their life cycle. And what that equates to is potentially days or weeks before successfully getting a third party necessary access. And that manual process really flies in the face of organizational goals around operational efficiency. When the third party is waiting to be onboarded without access to key systems, it delays value being realized from their skillset, which is the whole point.

It creates a lack of credibility within the law with the lines of business and creates an impression that security is the bad guy on top of that, the arduous and manual nature of the processes, error prone, which leads to increased risks, unfortunately the way most companies manage identity, life cycles and system access for employees versus non-employees is night and day, right? So employees have well-defined processes, a system to track them a centralized team to manage that population and really attention paid at every milestone of process right down to the day-to-day leave.

For any reason, you can be assured that employee terminations or for the most part, you can be assured that employee terminations are timely for third parties. Undefined processes may lead to request based provisioning or even a worse work arounds by the business, you know, or cloning access from other users, do it all due to a lack of information.

And it's great that organizations are really, you know, started to, and, and, you know, at varying levels of maturity organizations are assessing the risk of vendors, but they're not assessing the risk of the individuals, but even if you assess the risk, what then, right, there's a real problem with an inability to operationalize risk controls. You know, that is especially true for third parties. It results in access that's poorly controlled over-provisioned and just not appropriately managed for third parties.

The reality is that organizations party spent a lot of time and money through highly manual processes to provide access to third parties yet, given the lack of rigor, there's still gaping holes, whether it's over provisioning, orphaned accounts or a spotty paper trail, that erodes confidence in what you really know about third parties. Okay.

And what we end up with is a gap that falls right in between the line of business, it vendor management and HR, and it can create operational discord and increased risk what's needed is a solution that brings transparency, operational risk controls, and identity and life cycle management to third parties, really an automated solution that ensures as much or more rigor for third parties as organizations apply to employees. Again, kind of going back to that, you're granting access to that similar for these non-employees.

Why aren't we doing the diligence around these people like we do for employees? So our offer is a solution squarely aimed at that gap. Our solution generally sits right between vendor management and identity and access management. And frankly often tied into an HR system as well.

Organizations use our products to enable commercial initiatives, support regulatory compliance, and reduce third-party risk in a centralized automated, easy to use solution by tying vendor risk management to identity risk management, holistic risk evaluations are assured further operationalizing controls around that risk measurement through automated, actionable controls, ensure that insurer, that access privileges are appropriate and be, and can continuously be updated throughout the non-employee lifecycle with et cetera.

You get a more granular level of detail around risk exposure and an ability to automate controls to mitigate that risk. So the bottom line is that maintaining and using good third-party data to make informed decisions lead to the good access management and access the governance. And it's not just about people. It's also a box in IOT devices that need to have their identities managed.

You know, we see this done really well for employees because we have that data. We have that context, we're able to use that to make great decisions about what access those people get and deserve. We need to be doing that for non-employees the same way or in a different way, but as effective way as we do it for employees. So some of the challenges that go along with not having a great solution for this, you know, are timely, deep provisioning of access. It's been a long known problem and risk for most organizations, actively managing non-employee relationships.

Collaboratively is the, is the only effective way to do that. And it's only effective with a system that automates that process through continued identity, relationship validation. So always checking, is this person still valid, right? Do they still have a relationship with the organization? So if you start with a zero trust mindset and engage those third parties and ensuring that they stay active in that relationship, you can solve for the problem seamlessly in efforts and effortless effortlessly.

So, you know, gone are the days of relying on contractor access. It's something I've seen for my entire career and identity and access management. And it is really whisky prone because you can extend access for a contractor today. They could be gone tomorrow and you could have 90 or 180 days where they maintain access to your environment.

I have seen that in 100% of customers that we have engaged with, and there is a variety of ways that organizations try to solve for it using orphaned account reports, using inactivity reports, but really all of those are good, efficient in their ability to mitigate that risk. So our solution is more than just onboarding and offboarding it streamlines those prophecies, it streamlined audits and reduces some other risks associated with non-employees like Ms. Cap classification or co-employment, which are serious risk factors for non-employee data, which is kept in an HR system.

So its job is to safeguard data and in doing those safe guard, the organization, which if not done efficiently, can really slow things down for the business, which is why sometimes security gets a bad rap. So how do we become the good guys security professionals in the eyes of the business? We have to have security solutions that are business enablers, right? The ideal solution helps it helps the third party and the line of business get on the same page to speed those processes with confidence.

All well, accomplishing security is goal of mitigating risk with that in place when new third-party access is requested, you can assess risk and provide the right access immediately. So SecZetta has promise. We talk about this a lot internally, you know, we're, we're trying to provide tools that effectively meet the needs of managing third-party identities so that access can be appropriately governed in many organizations, security and operational efficiency, efficiency work against each other. And proper vetting takes time.

You have businesses want their non-employees onboarded and contributing as soon as possible in this scenario, letting letting security concerns when really hurts the business, but letting business concerns when may compromise your security. So our belief is really that it's possible to deliver peace of mind and non-employee risks in a streamlined or risk mitigation in a streamlined low cost way that serves all stake holders without compromise. And that is my last slide. So appreciate everybody's attendance and participation. And I think we'll go back for Q and a Thank you so much, David.

And thanks. So summary great points. One in particular, when you said about we, we, we do focus on vendor risk and there is lots of tools for vendor risk management these days, but the individual risks is, is what we should be focusing on as much as possible. So that's a great point. And also something I didn't really mention was of course, HR, HR has become much more integral now to, to managing identities and offboarding and onboarding of people. So that both great points. We do have a, a, a couple of questions and it's one there, but I can't read it for the second.

So I'll just the first question. Would you, this system that you described, would it allow me to risk rate every third party user based on their unique attributes? That's a quite a big question. Yeah. So that's a great question.

It, it absolutely would. So, you know, one of the things that our tool really is, is very expensive, different organizations, not only manage third parties in different way, but even within that organization, they manage third parties differently depending on population type. So risk factors associated with, you know, they, a third party affiliated healthcare provider are very different than if you are an insurance organization and you are validating, you know, agent credentials as part of the process, right?

So we have to be able to risk rate those individuals based on who they are, things like where they are, as well as what they are doing with your organization from a relationship perspective. So, so absolutely we can risk rate those, those folks differently. And this is a great question, actually, it says, can third-party uses inherit the risk of their employer. That's very interesting.

I'm sorry, can you repeat the question? Could third party users inherit the risk of their employer? So That's actually a great question.

Yeah, yeah. So absolutely. This is something we talk about and we, we execute on all the time, right? So it's the story of, you don't want to have a low risk, third party identity working for a high-risk vendor organization, right. If you've gone through the effort of risk rating, a vendor organization, you want that to be reflective in the individual, right? So that you can make those good contextual decisions about the access you're willing to grant that person.

So there is a thread that kind of travels through, you know, the entity all the way through the identity, right, and effectively then to the access. So we want to have that kind of, you know, connective tissue between those three things so that any one of them can affectively either shine the light on, on the risk posture of the organization. So if I have a lot of high risks people, but I'm a low risk organization, why is that? Or vice versa, right? If I am a low risk person working for a high risk organization, why is that?

So having visibility is one thing, being able to action through those relationships is another. And that's really kind of where, you know, the meat and potatoes of our product comes in is operationalizing those risk controls, right? You have a vendor that doesn't have appropriate cyber risk training in a timely fashion. We'll all be individuals should probably be affected based on that factor at the enterprise, at the entity level. Okay. We do have a question which may be, I dunno, it might take longer to answer live, but we could always offer it as a follow-up off to the session.

But the question is as to how does differ from SAP field glass. And I dunno how long the answer to that might be.

No, that's a great question to them. So we actually break with SAP field glass quite a bit. So Fieldglass is a great tool for procuring staff, augmentation resources. Obviously it is a module for vendor, a vendor management tool. It doesn't allow you to operationalize any of the lifecycle processes or risks controls around those third parties. And almost always, we see it capturing only a fraction of the people, right? So those folks that are associated with staff org or Southwark only in reality enterprises have much broader populations of people. Then those two categories.

And again, the real, the real impact and value comes in the integration with an SAP field glass to effectively drive operationalized risk controls around those people. Okay. Thanks. Thanks very much. So finally, we mentioned HR, why would use your HR system to, to manage third party users? That's a, that's another great question. We get that one all the time. Yeah. A variety of reasons. Why it is not a good idea to manage not employee since your HR system.

First and foremost is the cost the cost associated with putting you third parties in an HR system, both from a licensure perspective, an implementation perspective to customize it as well. And, and even more so the cost of having that centralized team be on the hook for managing that population. There is a resource cost to an enterprise to do that.

Managing third parties is a distributed process, meaning that there are stakeholders involved in that process if done appropriately, that you cannot involve in an HR system, like the third party themselves, as well as the, what we call it, delegated administrators. So like a project manager or some other representative from that vendor organization that were involved in managing those relationships. So the cost is number one followed by really an E a lack of feature functionality required to effectively manage these people.

And then on top of that is all a lack of really being able to risk rate the people, right? So third to be evaluated for risk different from other folks and, and HR systems don't really, you know, have that concept within them. And then the last point I'll make is that there are some real regulatory compliance problems with that, which I mentioned earlier here in the U S we have real issues around co-employment and misclassification of employment.

As a matter of fact, we have a customer very recently had a class action lawsuit to dismiss because in one of their leading arguments was they had a third party identity systems separate from their human resources system. So they were not, they were not treating non-employees as they do employees. And that was one of the pieces of evidence in Europe. There are actually even some very prescriptive approaches to that. So I know that in Germany, it's prescriptive in German, Germany, it's prescriptive. They are absolutely not allowed to put third parties into their HR system.

So, yeah. Yeah. Okay.

Well, fantastic. We haven't got any more questions for you. I've just put up there, there, if you want to know more about SecZetta's identity risk solution. We do have an executive view online on our website. COVID nicole.co. You can register for 30 days free access to all our research, and there's some other advisory notes and reports that you might find useful. So what about, just leave me to say thank you very, very much indeed today for, for your excellent presentation. And I hope that it, you listening at home enjoyed it. I certainly did.

And I look forward to the next webinar and thanks again to SecZetta for their support today. Goodbye for now.

Thank you, Paul. Thank you to all the attendees. Have a great day. Thanks.