Webinar Recording

Mitigate Risks, Cut Cost, and Achieve Compliance With AI-Driven IGA



Effective Identity Governance and Administration (IGA) is becoming increasingly important as digital transformation, cloud computing, and remote working increase the scope and complexity of Identity and Access Management (IAM) to new levels. But legacy role-based access control (RBAC) solutions alone are unable to meet the changing and dynamic IGA requirements of modern enterprises.

Welcome to this KuppingerCole webinar, Mitigate Risks, Cut Cost, and Achieve Compliance With AI-Driven IGA. This webinar is sponsored by ForgeRock. The speakers today: my name is Matthias ARD, I'm lead advisor and senior analyst with KuppingerCole Analysts, and I'm happy to welcome Tim Badar, he's senior director of product marketing at ForgeRock. Hi Tim. Good to see you.
Good to see you too. Thanks for having me here today.
Great to have you. Really looking forward to your presentation, but let's start our webinar with a few words about KuppingerCole, just a few seconds about what's going on in the KuppingerCole world. We are planning events, and that is the focus that I want to look at here right now. We will have been, we will be having virtual events in February and March on privileged access, on zero trust. And we are really looking forward to having the European Identity and Cloud Conference as a hybrid event, so in person and digitally, just as we did in September with the 2021 edition, and we would like to invite you to join us there. And that's it already for the, for the news about KuppingerCole and what's going on in KuppingerCole land. So now up to the, to the housekeeping, a few words about this webinar and how it works. The audio control: the participants are muted centrally.
We are controlling this, so no need to mute or unmute yourself. There will be polls. One will be just after that slide. So we are really looking forward to your feedback, the feedback of the participants. So please take the time and answer the poll. If you have any questions about what we are, are talking about, what Tim will be talking about, or I am talking about, please feel free to add your questions immediately into the questions panel as part of the GoToWebinar panel on the screen. And please make sure that you have the questions provided to us that you want us to answer in the Q&A section at the end of this webinar. Recording and slides, very important: this webinar will be recorded and the recording will be made available as a podcast alongside the slide deck for download. So if you could not join, you can re you can watch it afterwards.
If you've joined and you want to rewatch parts of it, please feel free to go back to the site where you've registered and there will be the recording presumably tomorrow alongside with the, with the slides and that's it for the housekeeping. So let's start with the first poll as we are talking about AI supported IGA today as a part of the overall discussion. I want to raise the questions. If you, as an organization are already deploying AI supported technologies for cybersecurity and or even IGA, this is a single answer question. So pick one of the three when the poll starts and there it is.
So please, we have a few seconds, some 20 seconds or so, please make sure that you provide your answers. We will use these answers in the, in the Q&A section so that we see where our audience is right now and where, yeah, where we can pick up on when it comes to the, to the questions as well. So to look where you are, so no, not yet, evaluation, proof of concept, or already productive. So that's it for the poll. Thank you very much for your replies. That worked. That's a good thing. So let's have a look at the agenda for today. Very simple one. I will start with a short introduction about towards modern and intelligent approaches to access management. Then I will hand over to Tim and he will give us a real life insight into mitigating risk, cutting costs and achieving compliance with AI-driven IGA.
And the second, the third part will be the Q&A, as I mentioned before. So don't forget to add your questions when you have, and please feel free to do so, really looking forward. So we will have a 20 minute, 20 minute, 20 minutes division of the overall agenda. So it's time for me to hurry up with some 15 minutes left for me. So what we want to look at first of all, is market trends. Quick rush through what's new, what's hot at IAM. And this is really just a quick overview to have a look at that. So the, the trends that are impacting the future of IAM are the ones giving given on the slide, and more. So IGA and IAM are changing rapidly. It's no longer this, this 1990s, 2000s IAM. It has changed. We are looking at moving towards identity as a service.
So this is something that really is getting, is getting more, more important, less on-prem, more in the cloud. We are moving to a single identity concept. So we are not looking at employees, at externals. We are also looking beyond humans, beyond carbon-based platforms. We're looking at software, robots, devices and things, and we put this all into a single concept, into a single paradigm. And that is what we mean with single identity. And this of course only makes sense if you have single IAM. We at KuppingerCole tend that to, tend to call that identity fabrics, or a single holistic view at a, a, an integrated delivery of identity and access management beyond tools. So integrating every functionality, every building block, IGA, access management, and much more into this single IAM. More and more important is decentralized identity. So supporting all types of, of identities and making sure that we also use identities that are already out there, provided, for example, by states, by banks, by insurance companies, maybe by, by your employer or associated with your driving license. We're moving away,
and I think Tim will mention that as well, from static entitlement, standing entitlements. We are moving closer to just in time. So just the access when you really need it. And a sixth very important trend that we see is identity APIs, as the glue between the single IAM building blocks to the left. We have APIs that make sure that these modern digital services get access to this really powerful functionalities into the single IAM, to get access to the single identity. But there's more. We are looking at policies and automation, and that is really of importance. We really want to make sure that policies are well understood and are the basis for assigning access or for making access decisions. I cannot walk through the full slide that we have here, but policies are in general are a very simple thing that everybody can use to describe access and allowed access and wanted access.
So Anna, as a subject, can access (action) the folder Sales at work hours. So object and constraint: folder Sales, at work hours. And we can use this to, for example, assign roles in groups, to objects, to people, to identities with similar entitlements. So we really make sure that this is assigned to the right people at the right time. So we have well described policies. We know what the access should look like. And we assign the entitlements, the permission as described here. And policies are not only used for access. They are all, they are everywhere. They are ubiquitous. We have them for authentication policies, firewall policies. And the perfect thing is when they go hand in hand, where we have the chance to have policies that are valid in more than one context. Oops, that was too fast. Sorry for that. So we can describe these generic policies and we can derive then lower level policies, for example, access policies, and get to the proper access management.
And if you have policies, and that is of importance then also again for Tim later, we can use them for automation. So it's a, it's, it's a recipe to use for achieving automation. Zero trust is something that I just mentioned here as a trust, as a trend. We have even individual full day events on that topic, but it's really an important context to look at, really getting away from the traditional firewall-based network security, getting to a security concept that is capable of dealing with our multi-hybrid multi-cloud environment, of getting away from the traditional enterprise environment with a, with a data center and secured networks. So users use their devices through networks, to access system and apps, and to use the data, to access the data that is in there. And to understand all these five pillars is a key component for, for understanding IAM and IGA and cybersecurity for the upcoming years.
And maybe beyond. Now we have looked at the trends. Now let's, let's look at the business challenges, because business is getting more and more important when we look at IGA. So there is a changed role of IGA, and that means we are no longer an IT department. When we look at IGA, we are providing services to the business. And that is a really a, a key change in focus that we see here. So we are moving closer to the business, and that means that business says what is important to them. And important could be a fast onboarding process for users. It could be the trustworthy identification of the identities, be it people, be it non-people. We need, and this is a business need, strong authentication, because for example, banks do need that, PSD2. We need to have the proper rights at the right time for every user, for every identity.
And we need to make sure that this is achieved by getting efficient and efficient, as efficient as possible through automation, through intelligence. And if this is not possible, then moving to self-service. But an administration process that needs not to be done manually is a good administration process. Of course, the, the business demands us to fulfill, to support all the relevant business systems while achieving transparency and insight into our users and what they have access to and what they're doing with that access. So compliance documentation, evidence is required. And of course, this is the last item here because usually it's on the top of the list notes. And at the, at the top, at the bottom of the list, of course, we also need it for security across all systems, but the trend is moving towards the business while security still remains important. Have a look at use cases. When we have these trends, when we have these business challenges, how does that show when we come to real life scenarios where IGA plays an important role?
So we are looking at the agile IGA providing services for the agile business, and that means really enabling businesses in what they achieve for their daily business. It could be something like preparedness for efficient mergers and acquisition, and everybody who has gone through this process, merging an existing organization into an exist, existing group of organizations, they will know what the challenges are when doing that on an IGA level. So preparedness for efficient mergers and acquisitions is really of importance. We need to make sure that we can quickly and efficiently empower our partners and employees while our business models are changing. We are all talking about this digital transformation thing, but it's of importance to understand that we really make sure that this also is reflected in the way we do identity and access management. We want to make sure that we achieve and demonstrate compliance, because this is a bus, a business enabler.
If we are not compliant, we are out of business quite easily. So this needs to, needs to be done as well. And we need to support the changing technology paradigms. We've mentioned zero trust already. So this is a, a starting point to look at. So really make sure that we are ad, as agile as possible and can create the solutions that are required. And finally, I've mentioned that on the slide before already, we need to support the multi-hybrid multi-cloud reality. And that adds a lot of identities and their entitlements to the pool of identities that we need to manage. So what identity all identities? What do we need to do? I won't read that out, just to, to show that quickly. We have the full set of processes, of, of tasks and challenges that we need to fulfill when it comes to managing identities and access for all it.
And if we look at this, this is really a wide range of, of, of tasks to achieve between managing the identities and ensuring governance, ensuring transparency. So the, the item number eight is really of importance: automate. So the definition of enforcement of policies to ensure normal and prevent outliers. So now that we understand where the trends are, what the challenges are and what the actual use cases are, let's look at how we traditionally do access management, and many existing access solutions have some, some drawbacks. So this picture really shows the, yeah, how some of the users of IGA might look like. And the reasons for that are given to the right. It's really that many processes are still very complex and lengthy. Many organizations put burdens on their employees. For example, it's the end of the year, we are getting close to the end of the year.
So this is the time for access reviews. And everybody who had, who is tasked with that understands that this can be really a, a cumbersome process. And that might be, the reasons might be some outdated role definitions, and that can lead to many issues, including segregation of duties violations, and just not understanding what roles actually mean. So complex onboarding of applications is another point that we need to look at. So getting the application into the access rights management of an IG, IGA solution might be difficult if it's not, not done properly, if it's not done in an, in a self-service, automated fashion.
So processes to improve are some of those. So authorization management is of importance. So really making sure that the right role, roles are there, the right policies are well defined, and it's not only the management. It's also the optimization. Once there are roles, once there are policies, they might need to be improved over time. Access request and approval are of course important processes that can be cumbersome and very complicated and long running, or it could be done in a much more intelligent manner. And finally, I've mentioned that with the end, the end of the year, access review, recertification. These are detective controls, but nevertheless, they, they need to be executed, but they can be done in a much more efficient way than many organizations do them right now. So how do modern approaches look like to access management? And, and Tim will focus on that later on, but there are two key concepts that we need to look at when it comes to making modern approaches, taking to modern approaches to access management.
And these are the two headlines that are of importance here, starting with automation to the right and getting to AR or AI or, better, machine learning. So intelligent support for those who are managing the access. So what can AI and what can automation achieve? It can lead to recommendations. Identifying similarities and anomalies is key when it comes to using proper supporting mechanisms when you're doing IGA. So similarities, anomalies help you to cluster things and to make sure that you get to better recommendations. As I've mentioned, policies, roles, role request processes, approval process, re-certification will change over time. So we need to make sure that we analyze existing entitlements, their usage, and understand external challenges and the risks that can be then utilized to adjust entitlements, ideally dynamically, ideally in a semi-automated manner, maybe in an automated manner. More important even when it comes to risk identification and mitigation: identifying the risks that can occur, that are, that are actually manifesting just right now, will be detected much easier when you apply automation, when you maybe apply machine learning in certain narrow use cases, so that you get to actionable support from Xbox recommendations or even to real-time automated response, which of course is the dream for cybersecurity staff as well, to make sure that these decisions are well founded, well executed and automated, and just in time. And finally the model management.
So the refinement of authorization models over time, and that can be automated and intelligently supported. And I think Tim will mention that as well. So my final slide is what does modernizing access management actually mean when it comes to getting better at IGA? First of all, modernize traditional role-based access controls, those definition and the assignment of roles, whenever role-based access control is still required. We want to include business expertise. So we want to ask those who know within the organization. So the business people who know better than the IT guys. We want to move towards dynamic policy-based access beyond, and instead of, static entitlements. So maybe even getting away from role-based access control, if it's no longer needed, and we can get to just-in-time, real-time decision making processes. We want to understand what is beyond the person and the authentication and the access rights.
So really understanding the context and the risk into the, as part of the access decision making process. So is it the right time? Is it the right network that, that somebody is using? And all this information is of importance when it comes to making proper decisions when it comes to access. Automate what's possible. Everything that can be automated is, is good, so that we can get to the SME, the subject matter expert, so that they can focus on what they are really good at and making the right decisions in details and improving the system over time. And if machine learning can help here to do the heavy living, lifting, even better. That is my final slide, but I want to move to a second poll. And this is a longer one to read out. So give me a second to read it out. Once I've presented what we have here: how would you as the audience expect intelligent IGA solutions to impact your identity and access management workload and processes? And this is a pick as many answers as you, as you think are adequate questions, questions. So it could be not at all. It can support you in the daily routine work through automation, it can improve and streamline your role management or even reduce roles in general. It can support you in your ongoing zero trust strategy, or maybe it can help you in improving your compliance. What are your expectations? What do you think? Pick as many as you want and think are adequate for describing your answer here.
So the poll is still running, final chance to add your answers here. Really looking forward to the results to see later in the, in the Q&A section. So the poll is closed. So thank you very much. I will now hand over to Tim, but not before I have asked you again to think of adding your questions for this webinar into the questions panel so that Tim and I can talk about your questions afterwards, after Tim has presented, and we come, come to the Q&A section. So that's it from my side. I want to hand over to Tim now.
My name is Tim ARD. I am the senior director of product marketing here at ForgeRock. I'm responsible for the company's identity management, identity governance and Autonomous Identity solutions. Looks like I dropped out of presentation mode again. So I'll go back here and go back there. And so with that being said, let's go ahead. And, and what I'm gonna talk about over the next 20 minutes or so is I'm gonna take you on an exciting little journey with regards to, you know, talking about zero trust principles, how to modernize role-based access controls and how to achieve a least privileged access model in a zero trust world. So with that, let's go ahead and get started with regards to my part of the presentation. So the first part is zero trust principles. So, you know, when we talk about this, there's a lot of buzz in the market about this, and in a zero trust world, there's really three basic principles.
There's one that's trust nothing and verify everything. Number two, there's least privileged access and controls, and then there's secure all transactions. So the trust nothing and verify everything principle is really the runtime authentication and authorization of identities itself, where identities are continuously analyzed and challenged based upon their level of risk. Now, on the flip side, the least privileged access principle is the non-runtime aspect of zero trust. And this is where ForgeRock Autonomous Identity comes into play. And I'll talk more about Autonomous Identity in a few slides, but first, what I'd like to do is before we dive into, you know, that, let's, let's talk about the least privileged, least privileged access challenges themselves that you're facing as a global organization today. So, you know, when we talk about this, and there's a lot of information to cover here, but in general, I'll, I'll summarize it really quickly.
You know, over the past decade, global organizations have leveraged traditional identity governance and role-based access control, control solutions, also known as RBAC, to simplify the process of managing user identities and workforce access permissions themselves. Now, while these solutions have helped reduce administrative work and improve the efficiency around regulatory compliance, their effectiveness erodes over time due to their manual, labor-intensive approach. And this approach fails to keep up with identities at scale within today's, you know, very fluid business environments that we're used to. And these fluid environments include, you know, employees frequently changing jobs, changing roles, even changing organizations. So the takeaway here is that in order to avoid this, you know, continued over-provisioned access and orphan accounts, and even in tore, a new innovative approach to modernizing identity governance must be taken. And this is where artificial intelligence and machine learning are the ideal foundational pillars for automating and enforcing a least privileged access model in the zero trust world.
So you're probably asking yourself, you know, how does ForgeRock help to achieve a least privileged access model? Well, it does this in, in three very simple steps. The first one is step one. And, you know, you want to quickly clean up, you know, over-provisioned access. Step two, you want to use AI-driven recommendations to help maintain least privileged access. And then point number three is you want to have automation and you wanna operationalize your identity governance solution and supporting processes. The point here is that understanding the challenges of traditional identity governance and RBAC solutions and the best practices to address them is critical for maximizing your identity solution investments. The static IGA-based solutions that are, that have very limited context and visibility must become more flexible. They have to become more scalable. They have to become more dynamic. You know, you have traditional RBAC solutions, they must be modernized by augmenting, you know, their manual role definitions and role management with automation and intelligence.
So with that in mind, what I'd like to do is, is review how to modernize, you know, least privileged access, you know, in a model itself. So let me go into a little bit more details about how we do that with ForgeRock Autonomous Identity. So again, cleaning up over-provisioned access. This was step one on the previous slide, and this is where ForgeRock Autonomous Identity leverages AI, machine learning to discover user access landscape risks across the entire enterprise. And it does this by, and it also recommends, you know, remediation actions also. Now these specific user access recommendations can help ensure that users have the right level of access to the right resources at the right time. So the key point here is that Autonomous Identity allows business line managers the ability to contextually understand the level of risk associated with user access, permissions, roles and entitlements.
So, you know, to help, you know, make this point a little better, let me provide you a quick customer example. So we'll a multinational financial services company that's a, a current customer of ours, and they're able to reduce their access requests and revocations and certifications by over 80% with Autonomous Identity in less than a quarter, that's less than 90 days. So the enterprise-wide visibility provided by Autonomous Identity allowed the business line managers to quickly identify and clean up over-provisioned access and actually accelerated their security decision making in order to approve or revoke users' access. So with that being said, let's talk about how we better maintain least privilege. Now, you know, like I mentioned before, with Autonomous Identity, you know, organizations can effectively enforce least privileged access that restricts access to only the resources required for employee or a contractor to do their job.
So by implementing a modern RBAC model, it ensures that users have the appropriate access permissions and privileges themselves. Now this dynamic approach to RBAC further minimizes the attack surface for both insider and external threats. The key takeaway here is that maintaining least privileged access is just as important as achieving it. So in another Autonomous Identity customer example, to help make this point, you know, we have a leading US healthcare solution company that reduced 70% of their required roles for a financial, major financial ERP application in less than three months. Now, in this example, the healthcare company analyzed and recommended and promoted new dynamic roles and rules and role memberships in matter of days and weeks, not in months like, you know, traditional identity governance solutions do. Now by dynamically modernizing their RBAC, the organization were able to maintain the least privileged access model that works and scales with their dynamic business requirements.
Now, that sounds all good and everything about maintaining, but how do I, how do I take it to the next level? And you take it to the next level by automating and operationalizing things further. So, you know, like I talk about from a, a ForgeRock Autonomous Identity perspective, you know, the product can actually determine and recommend and, and take automated actions such as adding new roles, removing unnecessary roles, or even, you know, adding new dynamic rules directly to your existing identity governance solution. So for example, to help, to help illustrate this point further, I'm gonna go back to that multinational financial services company as an example, where they reduced their click rate for all their access certification review process by automating low risk user access by over 80% with Autonomous Identity. And the key point here is that the organization was able to automate and further operationalize their existing identity governance solution, and those supporting processes that come with it.
Now, the actual intelligence approach enabled their security risk teams and business line managers to be able to take immediate action. And because of that, they were able to accelerate their decision making, you know, which obviously helps improve their operational efficiencies across the entire organization, whereby they can actually go ahead and review, approve or revoke even before they actually have to click anything. So you're probably saying, okay, this sounds great, but what exactly is ForgeRock Autonomous Identity? So ForgeRock Autonomous Identity, you know, I describe it as an AI-driven identity analytics solution that allows your organization to achieve regulatory compliance. It helps you mitigate risks. It also helps you reduce costs, right? By leveraging machine learning techniques, Autonomous Identity collects and analyzes all your identity data, such as accounts and roles and assignments and permissions and assignments, to identify any type of security access and risk blind spots.
And by integrating with, you know, your existing identity governance solution, or as a standalone solution, Autonomous Identity provides organizations a wider and deeper insight into the risk as associated with, you know, high risk user access. It gives you that awareness. It gives you conceptual insights across the enterprise. It also provides you remediation recommendations. The key takeaway here is that Autonomous Identity provides you what you need to modernize, not just your existing identity governance solution, but also your, your traditional RBAC, by leveraging artificial intelligence and machine learning. There's no need to replace your identity governance infrastructure, keep what you have. With Autonomous Identity, it augments your existing IGA solution to improve your organization's user access visibility and agility and productivity. So you're probably saying to yourself, yeah, Tim, that sounds great, but you know, how does that really work? So, you know, at a very high level, at a macro level, you know, Autonomous Identity, what it does is that actually links individuals or users to the entitlements at the lowest attribute level.
So leverages that user profile data to determine the likelihood an individual will need an entitlement based on how entitlements are currently distributed across the organization. And it does this in three very simple steps. Step one, Autonomous Identity ingests user data from multiple different data sources, such as your identity management or HR or LDAP or IGA or database or Active Directory, whatever it may be, your cloud infrastructure, and that data is consumed and aggregated across all your data sources to provide a comprehensive user access landscape through your entire organization. Okay. In step two, what Autonomous Identity does, it, it, it applies the machine learning to the aggregated identity data to first predict entitlements for a user. And then it explains its predictions in three ways. Okay. What it does, it provides you a confidence score, and these scores, you know, the current entitlement assignments based on the degree of confidence in whether the employee should have access or should not have access.
And then what it also does is, the second way it does this, it also provides you a justification. So what it does is it provides you a fully traceable and explainable account of how the project, how the actual prediction was reached, you know, to that outcome itself. And then finally, what it does is it provides a recommended entitlement where it actually predicts access for new users or, or employees or contractors. Now in step three, what Autonomous Identity does is, with our very intuitive UI, security risk professionals can review those predictions and take approval or certification actions immediately. So the, the, the really the final takeaway here is that Autonomous Identity allows your organization to contextually understand the level of risk associated with each user access. So by better understanding what good and bad access looks like across the entire organization, you can actually further mitigate your risks and also reduce your operational costs while, you know, accelerating towards regulatory compliance.
So that sounds great, you know, on paper and technology, but what does it mean to an actual customer? So one of the things I wanted to show here was just a, a customer case study of what customer success looks like with Autonomous Identity. So this is a multinational financial services company that offers both banking and wealth management services. They have well over 32,000 employees worldwide, and they have over 3.3 trillion in assets under management. Now, even though they had a traditional Oracle IGA solution in place, they still had three primary business challenges. Had very high IGA-related costs associated with access requests and certifications. They also had a, a very large, you know, role explosion, as I call it, where they had too many roles across the organization. And then the third thing was really D roles. They, they had no idea how many duplicate roles they actually had.
They couldn't tell a difference between a regular role and duplicate role. So what they did is they took autonomous identity and in their phase one implementation, you know, what, they actually realized three customer benefits and outcomes from, you know, rolling this out in less than 90 days, they rolled this out to a very small business unit, 2,700 employees, seven internal applications. And what they were able to do with the actual product is they have to realize three business values. The first one was time savings. They had an 80% reduction in access request, revocations and certifications. Number two, they really vastly improved their security. Okay. When they started, before they implemented autonomous identity, they had a 1.8% outlier revocation rate. Now after 90 days, that went from 1.8% to 34%, that's a 20 X improvement in their security. And then number three, the biggest thing that they came across was, you know, just great user experience.
They're actually able to reduce, you know, 80% of their clicks during the access certification view process and able to give all that time and effort and focus from those business line managers back to the business itself here. So, you know, at the end of the day, the key customer success takeaway here is that autonomous identity can not only identify user access risks, and also identify overprovisioned access, but also can recommend, you know, new dynamic roles in a matter of days or weeks and not months. So by modernizing RBAC, this organization can manage and enforce a least privileged access model that works and scales with our dynamic business and requirements. So you're probably asking yourself, okay, but that sounds great, but what makes autonomous identity, you know, so different. So in my last slide here, you know, what I like to talk about is autonomous identity has a number of competitive differentiators, but the number one differentiator that you need to remember and what you need to walk away with in today's webinar is one word: speed.
Autonomous identity quickly identifies, like I said, the user access risk, overprovisioned access, and allows organizations to define, you know, dynamic roles in a few days or weeks. Okay. In other words, it provides business value almost immediately. Okay. So unlike traditional IGA solutions who rely on heavy manual professional services to identify user access risks, or define roles, or provide recommendations. They typically provide business value measured in months or years or never, right. They just, you just keep adding money and there's still nothing coming out of it. So autonomous identity provides this quick time to value a number of different ways. The first one that I like to talk about is global visibility. And again, this is where you're leveraging that machine learning and you're collecting and analyzing all that identity data so that you can provide an enterprise-wide visibility for all your identities and what they have access to.
And this approach provides, you know, the security and risk professionals, you know, with contextual insights into low, medium, high risk user access at scale. And because autonomous identity is data agnostic, you know, it works with your existing identity investments for all your different identity types to develop that complete view of the user access landscape. And because of that, it can predict and recommend user access rights and highlight potential risks. And then the last one I like to talk about here is really what I call my transparent AI or what I call explainable AI. Now, the nice thing about autonomous identity is it allows your organization to fully understand the how and why risk confidence scores are determined. So with that explainable UI that I keep mentioning, it allows you to visibly present the low, medium and high confidence risk scores together, right?
It provides you green, yellow, red, so that your security and risk teams can contextually understand what key risk indicators were met and more importantly, why they were met, right? This AI-driven approach recommends risk-based identity and governance remediation updates based upon, you know, enterprise-wide confidence scores, not just what someone put in and what they thought it was. Okay. In summation, the point here is unlike other black box identity analytics solutions that are based upon static rules and roles and peer group analysis, autonomous identity relies strictly on organizational data to develop, you know, an analysis that's free from any type of bias that might come from human derived, you know, rules or roles that exist in an existing identity governance solution. So with that being said, what I like to do is hand it back to my partner in crime. And let's go ahead, with the time that we have remaining, let's go ahead and start answering a few audience questions.
Thank you very much, Tim. Thank you for that presentation was a really interesting one and I'm really looking forward to the questions, but first of all, again, final chance. No, not the final chance, but really the reminder for the, the audience to add additional questions. We have already a few there, which is great, and we will work on them. But first of all, before we come to the, to the Q and a, I would like to see the, the, the, the results of the polls. I think that would be a good starting point. And maybe we can show the first poll and the results as this possible. Great. Thank you very much. And Tim, maybe this is also something for you to comment on half of the audience have not yet, or do not now deploy AI supported technologies, but this is only one half others are evaluating are already productive. Is this what you see in, in when, when you get in touch with your other organizations as well?
Yeah. So what I'm seeing today is the kind of, I wanna call it walk, crawl, run type of approach. And this is very indicative of the poll results you see here, right? Where you've got some, you know, more, I would say, aggressive or more progressive folks that are already using some form of AI associated with IGA, and they already have it in production, but you do have a good number of folks who are like, you know what, I'm running with it, it seems to be working, but I'm also still, there's some that are still kicking the tires. That's where you get that 30%. So this does align, you know, they're evaluating things. There's a proof of concept. How do I make my job easier or giving time and resources back to the organization. I think that's where the 29% is coming from. But then we are also seeing, you know, people who are still struggling with the basics of identity governance, right. And they're still working with just, what do I need, right. In order to be successful. And that's part of the reason why you see almost 50% are still not there yet. And that's indicative of a new technology coming into a mature space, like identity governance and administration.
Right. I, I would fully agree. I think that that really shows the market and also shows a bit of the maturity of IGA deployments in general. Yeah. So this is, this is now the question is what do the audience expect? What does the audience expect from the future? So if we have a look at what they expect, this, this, this technology to, to benefit them in, maybe we have a look at the, at the second poll as well. So that would be the outlook, where are the presumed benefits here? So we can have a look at the sec at the second. Oh, that's good. Not at all zero. That is great. So there must be some value in there. And for every other part that is quite quite positive. So it's a, it's a burden for you at providing such a solution. So because they are all expect that it helps in any potential area that I, that I presented here. Do you, do you agree?
Yeah, I completely a hundred percent on the same page as you with regards to there is value here. You know, the business value, the business outcomes that I talked about earlier, it is about, you know, I hate to say this, but you know, these business line managers, these, these entitlement owners, these application owners that have to go through all these access reviews and certifications are, are really fatigued and overwhelmed, right. And anything that we can do to further automate and cut through the noise, right? Whether that's doing the certifications, doing the access reviews, or even just, you know, the role maintenance, you know, that, that number 74, right in the middle there, that percent that really speaks to there's a problem there. And of course, like I mentioned earlier about the zero trust principles, this being, you know, non run time aspect of it, this is where it falls squarely in there where you can actually continue to move towards and execute towards your zero trust strategy with, with AI and machine learning in, in your IGA solutions. So this completely aligns with that. And of course it also improves your compliance, right? It helps you achieve regulatory compliance quicker because you can do things at a faster pace.
Right. And I think that that's really promising it. And it shows also that there is quite some confidence in such a new technology like, like AI and ML is or are. So when we now move to the Q and a, and thank you for present showing that, that, that poll results, if we now move to the Q and a, when, when you say with the customers that you're dealing with, how, how comfortable, how confident are they with these new technologies like AI and machine learning in their IGA solution? Because we are talking about access, we're talking about trust, we're talking about compliance requirements. Do they believe the results? Do they check? How, how do they deal with that? What are your experiences right now?
Yeah, my experience has been, customers are typically a little suspicious when you introduce a new technology that comes around and promises to make their lives and jobs a lot easier. And that's, you know, the same is true with artificial intelligence and machine learning when it applies to identity governance, hate to say that, but it's just the reality. The great thing about, and I'll turn this back to autonomous identity, is that it actually delivers on that promise and, by leveraging that machine learning and those techniques, you know, it does help accelerate, you know, the identification of what good and bad access user looks like, and those high risk access, because it does have an impact on people's access. And, you know, it not only helps identify that risky access, but also helps those security and risk teams to further, you know, automate and operationalize their user access, which in turn helps mitigate the risks and reduce their costs across the organization.
So there is a little suspicion, but once they get comfortable with the technology and they, and they actually see that this new technology and AI, and I know that's an overused buzzword in the market and machine learning as a type of AI yet at the end of the day, it's really, once they understand that it's actually making a positive impact and a quick impact and, and providing quicker time to value and making their lives easier, we get comfortable with it pretty quickly. And that's the reason why I think getting poll number two, you started to see a lot of value being shown in a lot of different areas, whether it's automation, role maintenance, or even, you know, becoming more compliant quicker.
Okay. Yeah. That, that's what you mentioned also when it comes to, to where you think your solution excels in comparison also with the, with the market competitors, competitors, it's really about speed. It's about being based on, on the full picture of data being available. And, and then really speeding things up. One question that I, that I've just received very quick answer. Will the slides be available? Answer yes. Tomorrow the same site that you registered with, there will be the recording and the slides for that. Let's have a look at the other questions and when, when it comes to, and I think that's, you've mentioned that role explosion part, you've mentioned that many organizations struggle with the, the mere size and the number of roles that are available on the, on the, on the, on the static definition part and the assignment to the users. So many organizations having more roles than they have employees, because it's a, it's a, it's a Lego principle compiling all these roles on each other when it comes to, to applying your solution to customers that have such a, such, such an issue, such a challenge, what are the biggest challenges to, to, to deal with that, to, to move to a more modern, more adequate approach towards role-based access control?
So I would say the biggest challenge is, and this is gonna sound silly, but not trying to boil the ocean when it comes to modernizing your, your, your organization's role-based access control. You know, a lot of people have, you know, grand things like, oh, I can do this, this and this, but you know what I would say, you know, let me provide a few, a few points to kind of, kind of emphasize that larger point of not boiling the ocean. My advice is start small. Okay. Focus on a small group or small business unit. Number two, what I would do is I would define, you know, new dynamic business roles based on your, your, your identity data across the enterprise, so that you get that visibility and that whole visibility of landscape don't define roles just to define roles. Don't define 'em based upon peer group or manual analysis.
The reason why is because that that's not looking at the macro data, it's only looking at a small subset of data saying just because you're in sales, you should have access to this. Well, maybe you don't, maybe you should, but if you don't have all the data and that's where you, that's where the AI machine learning comes in, can help you better calculate what the level of confidence score is when it comes to whether or not you should or shouldn't provide access. And then the number three thing I probably would say is, you know, as a, as a point of guidance, is that, you know, once you actually, you know, focus on that small group or business unit, you know, show success with that small group and business unit and use that and turn that into momentum to tackle, you know, into the next implementation phase, right?
That's when you go, okay, we did really well here, but then let's go ahead and roll this out and start to implement it into a bigger group or business unit. And that's when you start to really start to get, you know, better traction when it comes to starting to modernize your organization's, you know, RBAC. It's not boiling the ocean. It takes a while. Your organization's a very large and dynamic, you know, animal in organization. And it's gonna take a while to get there, but start small and then, you know, define what you need to do based upon all your data across the enterprise, and then use that momentum that you have from the success of the small group or business unit. Roll that into the next phase. That would be my advice in doing that, and don't boil the ocean.
Right? And then a question more targeted at me, but I think you can contribute from what you just said to that as well. It's, I've mentioned a stronger business focus for, for IGA service. So involving the business involving the subject matter experts that are doing the daily work, not the it guys, but what needs to be done to implement this from, from my perspective, of course, this needs to change the process to really get the business into the loop. That of course is required to get, get out to the people who know, get them into the process, get them the right tools to do, to execute on that, to get to a, to a common language between it and, and the business so that they understand what an entitlement action actually needs. So that, that might be an issue as well. And I think there needs to be Scouts that really, really support in that in helping in this translation between IAM team, IGA team and, and, and the business. Are there any other recommendations you've mentioned involving the business as well, just in your last answer, how, how would you recommend?
Yeah, so, you know, at the end of the day, it's, depending upon the size and maturity of an organization, you're gonna have different levels of actors, right. That are either champions or sponsors or influencers. Right. So, you know, what we see is we are actually, you know, you're probably most likely talking to a CSO, right? And they own the overall security aspect of it, but you may have an organization that has a head of, you know, or a VP of IAM that also has responsibility for the IGA within that organization. And that's where you're bringing, you know, they're an influencer, but they're also the owner of identity, but their actual economic owner of the business side is the CSO. Right. You gotta have those two on the same page themselves, but there's also, you know, I've seen an enterprise architect come in and they're a major influencer on the VP of IAM and getting that, making sure the technology work, but then he's gotta make sure that they properly influence and get approval to the CSO who oversees the overall security.
But the other thing I've also seen is even though you may have those three all lined up, the ultimate business person that's gonna be held accountable on the senior executive level, hate to say it, is the CIO. And if the CIO is gonna sign off on something and then he just may be a signature, but at the end of the day, the board is gonna hold him accountable for the business. Right. If something goes south, they're coming to him because he signed off on it. Right. And that's where you need that full alignment of not just the technical side of the enterprise architect or the VP of IAM or IGA. Right. You also need to make sure you've got synergy and full alignment with the business, which in this case, this would be the CSO and his boss, the CIO, if that's the way it's constructed. So completely agree with you. You need to have that full synergy across both the business and the technical, because at the end of the day, the technical is gonna be successful. If the business isn't gonna get anything out of it. Right.
Correct. Okay, great. Thank you very much for that. There are some questions around the functionality and of what can be achieved also in comparison with the market. But I think a good indicator of what can be achieved is what are the results that you've seen, or what are the most large, the hugest results, the most surprising results that you achieve within applying this autonomous identity towards actual business use cases? What, what can be used as a, as a proof that things work.
Yeah. So I, so I'll go back to that example that I mentioned earlier, with regards to that, that multinational financial services company, I would say the thing, you know, being able to, you know, address, you know, duplicate roles and role explosion, and a high cost associated with those IGA related costs. I mean, they're spend, they were spending over 12 million and for requests alone. I mean, that just blows my mind. So you've got a big number that if, if you're gonna take a dent out of that, you're obviously gonna show value back to the business very quickly. But the thing that really stuck out to me with that specific situation or, or implementation that started in, in late December a year ago, 2020, and by the end of, I hate to, I hate to, yeah, at the end of Jan, at the end of January, early February, they're already starting to see those time savings, security improvements and the user experience improvements.
And so the biggest thing, even though I talk about the 80% and the 20 X improvement and all that, that's really good, but what really sticks out and something that's not really a stat. And that's the reason why when I talked about it and our differentiators, I brought it down to one word: speed, okay. Quicker time to value, you know, showing almost immediate value back to the business. And I think that's the biggest surprise that I've seen, not just at this company, but at other companies, you know, that healthcare provider one, you know, we probably saved them over 12 million prior to a major, major acquisition that they made here in the United States over a year ago. And it wasn't so much the dollars and cents that the CISO was talking about. Say, you know, because what he did is use autonomous identity to clean up his environment before he brought everyone over, right.
For the, you know, as the inquiry to the acquire and all those employees and contractors, his comment was, I can't believe how quickly we were able to do this. And the reason why he said that was because he was working with a very large consultant firm had said, this is gonna take 12 to 18 months with so many head count. It's gonna cost this many millions of dollars. And we still may not be finished. It may be a multi-year thing. And he said in less than a quarter to six months, you were able to show me full business value in that short amount of time. And again, that goes back to time to value or that speed, right? You can't put a number on speed. Maybe you can measure in days, weeks. That's, that's probably the biggest surprise out of all. This actually does what it says.
Okay, great. We are getting close to the hour. So maybe a quick question and maybe something beyond technology, we've talked about auto about autonomous identity. Is there something that you've learned that can be applied even without using that solution? Are there some learnings that you've taken away from these optimization exercises that you already did? Maybe when I start, I usually recommend one very simple thing. Just if there are access requests and approvals, make sure that you assign the access rights only for a very limited amount of time so that they get lost over time. And if they are not re requested, you don't need to re-certify them. So that's a simple, very simple trick, but it, it does the trick in many cases, are there final words that you could say that, that you learned from that what you could apply here as well?
Yeah, one of the things, well, one of the other trends that we're seeing is just people, because there's so much for them that's being thrown at them is, you know, one of the things I, you know, the human nature is, is to click and move on. Right. And, and that's the, that's the immediateness of our, of our nature now in this, in this very digital world. So there's a lot of, I hate to say this rubber stamping going on, right. Approval select, all hit submit. And, and you, you know, certify someone's access or your business units access in, in, in two minutes, right. Just before you go and do that, you know, I would my advice to any type of business line managers, learning application owners, stop before you do that and think about what potential risks you are introducing to not just your group, but the whole organization itself.
Because I hate to say this, but overprovisioning access, that does lead to higher risk over time. And people move within companies. They come and go and hate to say this, but you, if you forget about, and this is the reason why we talk about overprovisioned access, we talk about orphan accounts. People leave, they don't get things turned off. They don't automate that process. You get entitlement creep. People have been with an organization over multiple years, they get access to more and more things, and that's not in the purview of their role. So before you give 'em access, think about the potential risk you are opening up to your organization itself. And if you're not sure, then don't approve it. That would be my advice.
Okay, great. Thank you, Richard. Richard, it's, it's, it's kind of over warning as well. So this is really of importance when it comes to, to making sure that we are doing access governance actually for a purpose. And that is protecting the organization from, from too much risk. And that is of importance. If there are any more questions, please reach out to Tim and or me. We can be reached by the mail addresses that are on the website, just reach out to us. And if there are any more questions, please let us know. And thank you very much, Tim, for being with me today and for presenting that interesting topic. And, and as we have seen people really want this solution help you and to, to safety 4% for some of these, these access areas, that's really interesting. And I'm really looking forward to how this evolves and how that really moves into our day to day usage of IGA. So thanks again, Tim. Thank
You. Appreciate joining us today.
