Webinar Recording

Reach the Next Maturity Level in your IAM Deployment - Beyond Classical Provisioning


Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, "Reach the Next Maturity Level in Your IAM Deployment: Beyond Classical Provisioning". This webinar is supported by Quest Software, which is now part of Dell. My name is Martin Kuppinger. I'm founder and principal analyst at KuppingerCole. And with me today is Paul Walker, who is principal solutions architect at Quest Software. Before we start, as you have probably noted from other webinars, I just want to give you a quick overview of KuppingerCole and some background information on housekeeping before we dive directly into the topic of today's webinar. KuppingerCole is an analyst company. We are providing enterprise IT research, advisory, decision support and networking for IT professionals through our research services, our advisory services and our events. Our main event is the European Identity and Cloud Conference, which will be held again next year, May 14th to 17th, in Munich. It's definitely the place to be, at least over here in Europe, and we have a lot of people also from the US participating. It's about thought leadership and best practice in digital ID, cloud, and GRC. So don't miss this conference.
There are several documents which are related to the webinar we're doing today, like our Leadership Compass on identity provisioning. There will also be a Leadership Compass on access governance, probably early next year, maybe late this year, and a technology report on access governance architectures. And then we have several advisory notes which are around migrating legacy provisioning, with migration options and guidelines for that. I think it's very interesting to have a look at these documents. You'll find them at our website, kuppingercole.com/reports. Regarding the webinar itself, pretty simple guidelines. You are muted centrally. You don't have to mute or unmute yourself. We are controlling these features. We will record the webinar. The podcast recording will be available tomorrow, and Q&A will be at the end. So you can ask questions anytime using the questions tool in the GoToWebinar control panel.
We'll usually pick the questions at the end, and in some cases, if appropriate, we might also pick them during the webinar. So that was the introduction. The agenda today is split into three parts. The first part is the presentation given by me. I will talk about changing requirements for identity and access management. I'll talk about maturity levels of IAM deployments, about new architectural approaches, and about the way to migrate. The second part will then be done by Paul Walker from Quest Software. He will talk about best practice examples of organizations which have successfully made that step. He will also have a look at sort of old provisioning, new provisioning. So really also looking a little bit at the things which are changing. And I think we've managed to have not that much overlap on the points we cover. So I think it will be two, hopefully very interesting, presentations for you.
The third part, by the way, will then be the Q&A session, where you are able to ask questions, and we will try to give answers to these questions. So when we look at what is happening today, I think the fundamental shift we are really facing in IT is what my colleague Craig Burton recently named the Computing Troika, which is really these three major trends, cloud computing, mobile computing and social computing, which are affecting the way we are doing IT, which are really fundamentally changing the way we are doing IT. It leads to things like consumerization, so far less control of central IT partners. It also leads to deperimeterization. So the perimeter of former days, where we said, okay, we have our internal IT, and there's only one point where data passes through, these days are past. Every one of us is using mobile devices.
There are either many or no perimeters anymore, and things are fundamentally changing. And for sure, that also affects the way we have to think about identity and access management. And there are some other things around this here, like a bigger number of user populations. So if you look at what the term social computing really means, it really means, besides that we have to find other ways to engage with customers, etcetera, that we have to open up our enterprise in a different way than before. So there are people whose first contact point might be that they're coming with a Facebook login, and we have to deal with it as an identity. We have to deal with it: there are far more identities, there are far more device types, there are far more deployment models. And in this scope, finally, we have to understand what has to change with all the things we have done in IT.
And especially if you look at provisioning in a traditional way: traditionally seen, provisioning really has been more sort of, I have my HR system and I derive my changes from the HR system, and I then push them out to some of the bigger IT systems I have in my enterprise. Right now, it's about how can I handle all these different accesses of all the different people using different deployment models of our applications and quotas, which might be running in the cloud. How can I keep this under control? So information security has to look at another scope, and that's sort of the bigger context which drives the things we're talking about. We will try not to fly 30,000 feet above the ground all the time today. But I think starting with this high-level view is important to understand many of the changes which are currently happening to things like provisioning, to things like access governance, etcetera.
And you might also argue, you know, this is not really new. Yes, for sure. We're talking about it for quite a while. But I think the important point to consider is that a lot of things are sort of growing exponentially. You have far more outward-facing processes. And if I look at our advisory customers, most of them currently in IT are sort of on the defensive, because the business is coming to them and saying, hey, we need to onboard this partner. We need to work with this partner in a very fast way. They want to have a fast solution. The number of outward-facing processes, the integration of partners, of customers, is going forward very, very quickly. The other thing is we have an increasing number of users. I've recently called this the identity explosion, because it's not about our 20,000 or 200,000 employees anymore.
It's about our maybe millions of customers also. And we have the external IT services used. So we have another close area where we do a lot more in the cloud, and all these are related to the points I mentioned before. And today we are sort of at the break point from more or less flat growth towards this really exponential growth. And that just means we can't handle everything the way we did it before anymore. So our traditional siloed, inward-facing, tool-centric IT will not scale economically. We have to change a lot of things. And that means we also have to change a lot of things around identity and access management and access governance. Not only because of these points, but largely driven and, to some degree at least, determined by these things. So governance came into play. That's another point which is important.
We have to understand that governance is far more important than it ever has been. I think every one of you knows that from the pressure you have from auditors, or your business has from auditors. So it's not only about IT administrative efficiency anymore when we look at access management and governance. It is about information security. With other groups of users which come into play, we have another level of access controls we have to look at. So we have to understand what happens in real time. We have to review the status. We might need to integrate into applications for externalization and fine-grained authorization control. And this entire topic of identity and access management, who's allowed to do what, with which device and in which context, etcetera, is too important to be a point solution. It's a very central thing. It's a critical key capability of IT.
And so we have to look at it from that perspective and rethink the way we are doing a lot of things. And that's basically, I would say, what really makes up what we are talking about. So it's time to reach the next maturity level in your IAM deployment, beyond classical provisioning, which also includes that you will have to think about how to migrate your sort of traditional, let's call it legacy, provisioning to something new, to enable new capabilities, to get better in this. And these are the two major points I want to touch on within the next few minutes. The one will be really about talking about maturity levels. The second will be talking about architectures and how they could look, and the questions you might ask when you think about, I have a provisioning system here, what to do next. So let's first look at maturity levels. I have three slides here with maturity levels, following sort of the CMM approach in that area, focused on provisioning, focused on access governance, and focused on identity and access management and governance.
In total, at KuppingerCole, we also have several other maturity level definitions for other areas of the broader access management space, but I will focus on these three because they are really relevant to what we are talking about with this webinar. So in this CMM approach, there are five levels, which means an initial level, then repeatable things, so you have things which you can repeat, some things which are well defined, well managed. And then finally you just do optimization when you have reached a pretty high maturity level. For sure, it's not always necessary to reach the highest maturity level in every area, but usually it makes a lot of sense to have some degree of maturity which you have achieved. Looking at provisioning, I would define these levels as initial, as process-driven, as automated and centralized, as business-driven.
And as optimizing. I've put in the characteristics here, which I won't fully read, and you can access the slide decks afterwards. So they will be published at our website, where you find the information about it. So you can just download them, which is probably far easier than trying to write down all the characteristics. But just to give you an impression, I think when we look at provisioning, it starts with more or less manual approaches, moving towards some at least defined processes, where you have some standard processes, but mainly based on manual, time-consuming processes, a lack of automation. Then it's going forward towards automation, which is really the level you can reach with a standard identity provisioning tool, sort of a classical tool. Many of them have more capabilities right now, but a classical tool would have been around that.
And then it's about adding the business interface, either by adding an access governance tool or by having an identity provisioning tool which can do more than just pure classical identity provisioning. So it's about request interfaces for the business users, about basing all these things on business rules and business roles, about attestation or recertification, whatever you need there. And then it's about going forward, integrating, for example, IT service management for the manual fulfillment of requests where you don't have direct connectivity. It's about BPM integration to integrate this with other business processes, etcetera. And so that's basically the thing you have to do here. When I look at the reality out there, I would say most companies are somewhere between level two and four. In this definition, I rarely see some which have at least some part of level five achieved.
Even if I look at it from the perspective of really well-defined policies and guidelines, etcetera, even level four is probably hard to achieve in completeness, but it's important to move forward. And I think something which Paul will also talk about is that, despite the fact that provisioning is seen a little bit more as an ancient or archaic technology, in fact, provisioning isn't. Provisioning is still very important. It's the fulfillment layer, and we need such technologies to automate a lot of things. The question is more about what else do we need and how do we integrate it? So let's move forward to the access governance maturity levels. The five ones I have defined here are initial, reactive, controlling, analyzing, and optimizing. So initial would be that we don't really have a tool to answer all the questions the auditors are asking.
So sometimes there are some administrative tools as points or users, which allow you to extract some audits, etcetera, but it's mainly a paper-based manual process supported by point solutions at best. The next level, reactive, means that you start recertification, which is a common starting point, and which was sort of also the historic starting point of most access governance products. So where you say, okay, I do it reactively. I know what's going wrong. I have maybe some initial SoD support, in the sense that I know, okay, these segregation of duty rules aren't met, but it's not about automated remediation. So you know what's going wrong, but you can't fix it. And that's where you need fulfillment layers, either provided as part of access governance or by provisioning or by SRM, or more likely by a mix of different things, which then allows you really to implement a closed-loop approach, which then, if you detect the problem, allows you also to fix the problem, which is very logical, backed by well-defined guidelines and policies.
And what I've also seen in this area is that most organizations don't invest enough into guidelines and policies. It's very important to do it. It helps you in implementing your products. It helps you in bridging the gap between IT and business. It helps you to understand which organizational responsibilities you need, and all these things. So invest in guidelines and policies. It's a very important thing to do. Then the first level, which I call analyzing, is what we currently see popping up: advanced analytical capabilities around access risk, which allow you deep insight into the status, which also means that you, on the other hand, should have some support for integration into business GRC environments. So where your access risk is then understood as one part of your overall IT risk, and IT risk as part of the overall risks you have in your organization.
So access governance with the fulfillment layer and advanced capabilities would be the sort of technology mix you have here. And then at the optimizing layer, it's about integrating other technologies, like privilege management. Simply said, privilege management has to become an integrated part of access governance, because access governance is looking at who has access to what, and privileged access is just one sort of that access. It doesn't really make sense over time to have a privilege management infrastructure which is more or less fully separated from your access governance infrastructure. You have to integrate these things. And then finally, as I've said, we have more of these maturity levels. Things out there are available at KuppingerCole.
If you look at identity and access management and governance overall, then I tend to define five levels, which are initial, administrative, business and audit focused, integrated, and optimizing, which start with no real IAM at all. Then you move forward to the basic things like some directory service, provisioning, a little bit of enterprise and on by access management. Then it's about bringing in business and audit, supporting these features by access governance, by identity federation to support your externalization requirements, the extended enterprise, the agility your business needs. It's about supporting maybe also privilege management at that level. And then moving forward, integrating into applications through dynamic authorization management, integrating technologies with each other, and then moving forward to optimize your policies and guidelines in the organization. I would say for most organizations today, if you have most of level three, you're pretty good compared to best-of-class organizations.
So there's, for most organizations, still a way to go, but simply said, identity and access management, that's not a project, it's a journey. It's a process. It's something which you will have to work on virtually forever in your organization. So in the light of these things I've said, I also think that it is time to rethink our architectures. And if I look at our advisory customers, most of the advisory customers read a single layered architectures today, where you say, I have an access governance layer. I have provisioning below. I might have integrated provisioning. This access governance layer might be part of one tool, or it might be a separate tool, depending on the architecture, but access governance typically at least can integrate other legacy provisioning tools, has its own provisioning in many cases, can work with service request management, and supports all the flexibility you might need.
And if you're a larger organization, you will typically have more than one provisioning product, because there are mergers and acquisitions. There might be some regional IT departments which do their own thing, etcetera. And if you can integrate it hubs and it needs to provide an interface to the business user, it needs to integrate with business GRC. However, many of you might have sort of more of an existing provisioning, and might think about what you do now. So shall I migrate? And if I think about migrating, how to migrate? So there are some questions you should ask. And that's the last thing I would go through pretty quickly. There are some five main questions you have to ask: why to migrate, resu, what, when and where. Again, the slide deck will be available for download. So I won't go through every detail on the next slides, but give you a quick overview, which is important. So the first question is why to migrate. I think there are a lot of reasons you might have in mind to migrate, which starts with: you have more than one provisioning system due to M&A, or you have an end of life of a provisioning solution. You feel that you have new features like identity explosion. You had trouble with your bros, with you integrated with your end or whatever.
There are reasons, but you should ask the question, should you really migrate? Even if you're not fully convinced by your current solution, there might be a good reason to stay with it. So which of these reasons are really compelling, and what are the benefits of migrating? So what do you earn: new features, new capabilities. You can handle more users. You're getting more agile. All of these are good reasons to migrate. And in many cases it makes sense to migrate, because the tools of today have far more capabilities. They allow you to more quickly reach the next maturity level in your deployment. On the other hand, there are consequences: cost, acceptance, functionality. So there might be some specific functionality you like, which you don't have anymore.
Cost factors like license and maintenance cost, hardware costs, rebuilding a lot of things. And overall, the migration risk. So will the new thing really help you? I think that's something we just have to look at very realistically. Make it a rational decision. That's, I think, the most important advice I can give you: really make it rational. Don't just say, okay, I need to migrate, but step back and say, okay, what are the consequences? What does it mean? What are the benefits? In many cases, it will pay off, but you should do it right. And if you do it right, it's also about thinking, should you migrate all, something or nothing? And there are also some points to consider. So running things in parallel is expensive. On the other hand, in some cases you might have integrations with very complex environments like mainframes, where you say, if I touch them, then I have a risk of affecting my core business applications. So you might leave that in place, at least for some time.
So there are reasons for all these things. But if you think back to this layered architecture picture I had before, such a layered architecture allows you to run the old system in parallel to your new system, at least for quite a while, by just building a new layer on top, which really integrates these things, which integrates the policies, which really helps you to do a better job on this. When to migrate: again, really calculate the things, think about flexibility. What about folding options? And all these other things. Think about the resources. Ensure that you can migrate. That will never be an easy task. And if you look at the reports we have out there, there are several reports, that becomes very clear. And again, layered architectures help you to migrate at your own pace. By the way, there's also a very interesting document out right now which we've written and which focuses on how to migrate in the context of Quest Software and Quest One Identity Manager, which also might be a very interesting piece to look at change your existing provisioning.
So how to migrate. An example migration path might be: really review your migration needs. So step back, define your target architecture, really think about what is the future. Think about maturity levels, think about layered architectures, gather the advice you really need, define your migration roadmap, then select the products you need, implement the top layer. And then you can reimplement the refined processes on the top layer. In most cases you really will have to rethink your processes before you really move forward, because many of the processes you have from the, say, administrative-driven past don't suit your needs of a business-driven future. Implement connectivity between the top layer and your existing provisioning product, add a new provisioning solution, and then migrate connectors one by one. That's probably the best way to do it. And anyway, I think it's really time to step back. Think about provisioning and its role today. What else do you need, and where do you want to move? So what is your future in IAM? Look at our maturity levels, look at the migration things, and listen to what Paul will be talking about mouse. So I will hand over to Paul, make him the presenter, and he will then provide you some more information on that topic.
Thank you, Martin. My name is Paul Walker. I work in the European identity and access management team as principal consultant over in Europe. I'm going to be talking today about going beyond classical provisioning and our approach at Quest Software, now part of Dell. So before we move on to look at the future, I really wanted to take a step back and look at where provisioning came from. I mean, to understand provisioning, let's look at a bit of history. Provisioning products emerged out of synchronization and meta-directory type products, and there was very little consolidation, and multiple synchronization targets existed. For example, classic synchronization between corporate and external-facing directories and databases. It was very IT driven. And at this time connectors were king. The larger the number and type of connectors, the more this was seen as increasing the value add, and vendors competed on the strength of connectivity. Sync and reconciliation logic was often built into the connector endpoint.
It's making changes quite complicated with integrated other recombining connectors, or making customization changes increased the complexity of deployments, as well as the cost and effort. Therefore many provisioning projects ran into difficulty or failed completely, giving IDM a bad press, to be honest. To put it simply, it was often oversold. Vendors and integrators were keen to satisfy all the customers' perhaps a little bit poorly understood requirements, and developed provisioning systems that creaked under pressure and were poorly adopted. These are the days prior to compliance regulations such as SOX, obviously, really starting to have an effect on the IT controls that we now see as commonplace. Provisioning projects were driven by IT efficiency, and the scope was often limited to solving IT challenges, such as reducing the amount of time spent performing account administration. As they evolved over time, they started to include aspects such as basic self-service, password management, and role-based access control.
And as Martin said, in recent times we've seen a push towards access and risk governance. With that said, provisioning still has a part to play. We see access recertification projects often falling short of customers' expectations by not including the need to perform automated remediation and automated provisioning. So this is really how provisioning has matured to being an integral part of identity and access governance. There has been development as well by vendors such as Quest Software to provide solutions that are integrated, that don't need complex customization, that minimize the number of moving parts, not a piecemeal approach anymore. You know, we can have the separate provisioning engine, of course, but if you have an integrated solution that performs provisioning and access and risk governance, it obviously is better for the customer and the projects overall. So just a quick recap on the old and the new. Before, we were replicating data from point to point, the old classic synchronization use case.
And now we want to replicate data only when it's absolutely needed. Previously in provisioning projects, like the version one provisioning products, there were many, many connectors, and they were often customized. This increased the complexity and the time and effort. Nowadays, we want to focus on the key systems. We want to consolidate around key authentication stores. So only customize if you absolutely need to. Consolidate as much as possible. A really good use case these days is leveraging federation and claims-based authorization to actually remove the need to provision entirely. A classic example we support here at Quest is the SharePoint claims-based authorization use case. So we can leverage an existing authentication repository, and we no longer have to provision systems like SharePoint, by using claims-based and federation technology. Moving on: previously, we focused on accounts. It was an IT project.
Now we focus on people. What do people need to get their job done? What permissions do they need? What authorizations, and critically nowadays, what data access do they actually need? And as Martin said, again, we're now delivering services to the business. Business is key. It's no longer an IT project stored within the realms of the IT department. Moving on to the top reasons for failure. This is by no means an exhaustive list. It's just some things I wanted to share with you today. From a vendor perspective, we strive here at Quest to provide as much out-of-the-box functionality as we possibly can. And of course we provide the ability to make customizations and configurations, but in a controlled manner, okay. For the customers that are looking to migrate, as Martin said previously, they need to be very careful about ensuring a proper selection procedure.
They need to double-check references and look at the technology. It's no good just looking at some marketing slides or a recorded demonstration. They just need to bring the technology, the vendor and the partner in-house and double-check their credentials. Also check what the business is trying to do. Why are they trying to migrate? Okay. Just knowing the project methodology and having technological know-how is not really going to solve the migration challenge. You need to find a consulting partner and a vendor who has a relevant track record in delivery. And they need to know both the source system, the one you're migrating from, as well as the target system, so double-check the track record in this space. Okay. Moving on: tips for success. Less is more. Really reduce the complexity and the effort. Focus on the key target systems. By this we may mean LDAPs or key databases or Active Directory, for example.
For those target systems that are relatively low value or not mission critical, we want to treat them as really disconnected systems. Where previously, in version one provisioning projects, vendors often tried to connect to everything, that often doesn't provide the benefit that we're really looking for these days. We can leverage the help desk that they use today to provision these disconnected target systems. We want to consolidate and simplify. For example, two tangible examples. If you've got multiple authentication repositories, such as Active Directory or LDAPs, you can consider virtual directory service provider bridge. Therefore you are removing the need to provision everything by using a central virtual directory. Just a classic example that we've seen customers adopt here at Quest. Another one is the world of Unix. Previously, when I was working for Sun Microsystems, we saw customers who had deployed provisioning technology to target hundreds of Unix machines.
That's very complex, with an individual connector for each individual Unix target. Nowadays, with technology like Quest Authentication Services, we can provide Active Directory bridging to actually incorporate the world of Unix into the world of Active Directory. With Group Policy, we are removing the need to provision those tens or hundreds of individual targets. Again, this is something that one of our existing Sun migration customers leveraged to great success. So to summarize: the fewer and simpler the connectors, the better. Avoid complex screen-scraping technologies like from mainframes. Adopt common protocols, such as LDAP, where possible. Customize with care, if at all. We've seen a big focus around core identity management, where previously, in version one technologies, we had customers trying to connect to everything and customizing products, taking them to edge cases where they were never designed to go. This often led to performance problems.
And every time you customize, you have a cost of ownership associated with that. And we've had customers come to us saying, can we perform administration and configuration once the project has been delivered, or do we need to talk to the partner and spend lots of money maintaining these customizations? So just be careful about customization. Check all the out-of-the-box features, see if they meet your needs. Don't forget to get the business buy-in. It's just no longer an IT-driven project. IT must play a part in the project, of course, but the business is critical. They will be the final end users of the system. The overall success will be governed by how the business uses the system. Talking about migration: where we've seen success with customers who have migrated with Quest is in developing a model. When the integrator comes in and they look at the system and the target system, having a concise, accurate, validated model of what we want to do
And what we have today is key. Such a model may be as simple as having an Excel spreadsheet. Nobody's gonna read hundreds of pages of documentation throughout the project. It will just sit on the shelf. So what would be in a model? Well, we would need to consider the actors, the users who are going to use the final system, as well as the resources. These will be IT, they may be non-IT assets. When you provision accounts, new people, they may need things like a laptop, a mobile phone, credit cards, non-IT assets, and how do they get this? How do they request these resources? Then moving on to entitlements: the permissions to actually allow people to perform a job function. Attributes are key in the system. We will need to identify the data values and how they flow throughout the systems and which systems are authoritative for which attributes. Having a simple list of the attributes and the target systems, who is authoritative for what, really helps when you're migrating.
And finally, we come on to the tasks to perform, the basic provisioning tasks and the process orchestration. How does the process within the company exist today? And how can we use the tools to model that process? Do we have to code, do we have to know a particular programming language, or can we use wizards and graphical tools to help with this process orchestration? I want to talk about two customers that migrated from provisioning products to Quest One Identity Manager. The first of which is a North American energy company. They're an existing Sun Identity Manager customer, and they approached Quest for migration. They had a very large Unix estate and we simplified the provisioning by leveraging the Active Directory bridging technology I've mentioned earlier. We integrated all of their Unix estate into a single Active Directory. So we had one single provisioning target, using Group Policy to manage the authorizations in Unix, which really helped speed up this project. The timeline was 14 weeks in total to replace SIM, and the actual product work was eight weeks to install, load all the data in from the systems, configure the synchronization and provisioning targets and take it into production. The customer really benefited, the business benefited, from the web shop. This is the self-service business portal, easy to use for the business for access request, governance reporting and attestation or recertification. So this particular customer is performing recertification on 700 applications with 10,000 objects available for request and lifecycle management within the Quest One web shop.
Our second customer today is a European customer that previously migrated to two former provisioning products, and they actually found it cheaper long term to migrate to Quest One. The functionality that they were looking for was driven by compliance regulations. It was Sarbanes-Oxley in this case. They had to perform access governance, but they did not want to go for just a simple tool that would report on what people had today and what was incorrectly assigned. They wanted an integrated tool to help reprovision that access and, critically, they had a focus on data governance. And this is something that I kind of wanted to talk about in later slides. So they wanted to provide the business owners with the ability to manage the requests for actual key parts of data that the company runs on today. So they benefited from lower maintenance costs and better business functionality out of the box. And again, the time to migrate was a very reasonable 40 days. This particular customer took full advantage of the model, the migration model that I spoke about earlier.
Okay, we're talking about the key trends in the market. And Martin touched on this earlier. We see mobile devices and users wanting to access information, you know, any time, anywhere on their own device. And this creates complexity around access rights and endpoint management, as well as increasing the security risk. Moving on to data explosion, we're seeing a lot of big data, huge volumes of data, a tremendous need for new approaches to protect the data and protect the access to that key data. And then there's the cloud. There's many traditional on-premise apps and infrastructure components. And moving into the cloud, you know, IT is to transform, has to manage the performance, security and the access request to those systems. It's a new world. And it's a new approach. And that's something that we're looking at very closely here at Dell.
I mentioned data-centric identity access management. So we're seeing a trend towards data governance, and this is really leveraging what we've learned from the world of provisioning and access governance towards a data-driven approach. And what we mean by this is not only the relationship between users, their accounts and entitlements, but also the authorizations that these entitlements provide to the actual data that the company runs on. We've seen customers with existing access certification projects state that those projects only provide certain pieces to the puzzle. And what's really key is understanding the relationship between the entitlements and the authorization to the critical data that the business actually runs on day to day. So we involve business owners to identify and analyze the unstructured data, whether it be in SharePoint or a NAS device or an NTFS, and those business data through the workshop can take control of their data, provide automation, access request, and monitor who has access to the data and who has accessed their data historically. And that's performed by personalized dashboards and reports all coming under the data governance realm. Provisioning also plays a part here. Without provisioning, the automated remediation of inappropriate access rights cannot be automated, but in some circumstances, it still may be best to do this manually by help desk when existing provisioning system, it's all a bit down to the actual customer themselves.
So this is my last slide, really talking about the future of what we see today, just to summarize where we've come from. We started off with the world of sync and this was, you know, a relatively IT-centric solution. It didn't really provide all the business value. And provisioning took advantage of synchronization, took it to a next level and provided basic self-service, password management, basic request functionality, but it was never really adopted by the business. So it never really fulfilled its claims. And moving on to identity and access governance: this is where we are today. So identity and access governance, taking full advantage of the provisioning capabilities to remediate people who may have inappropriate access controls. Talking about data-centric identity access management: this is where we are going. This is the content where IEG the Quest. We just released the Data Governance Edition of Quest One Identity Manager that provides the business owners with all the needs around critical data, providing the access request and the controls that are mandated by compliance regulations like ley. And then looking at the future, we're looking at more context-aware authorization, and we have the pieces, but there's still a lot of work to be done around this.
So that's my slide deck today. So Quest One identity solutions, you can find out more information on the Quest website, quest.com/identity. And I'll be happy to answer any questions you may have, Martin or the audience.
Okay. Thank you, Paul. And right now it's the latest time for the audience to enter the questions so that we can move forward to the Q and A part of our webinar. So if you have any questions, just enter them in the questions tool in the GoToWebinar control panel, which you will find at the right side of your screen, so that we can pick up these questions. In the meantime, I have some other questions here I wanna start asking. And so, when looking at the current state of identity access management deployments, we observed that there's a lack of well-defined processes and policies in the organization. IAM done still as a fairly technical project frequently doesn't deliver on its potential promise. What is your experience on that?
That's a very good question, Martin. Exactly. It is. It's still kind of struggling for the most part in the IT department, but with certain challenges like the cost of replacement or products being end of life, I think we're looking towards, you know, what can we achieve going forward? It's not just replacing what we have today. It's not just looking at what's there today. Of course we have to replace what's there today, but what can we move towards? What's the stretch goal? So that's where we're seeing a lot of customers saying, how can we involve the business? It's absolutely critical that the business plays a part in these projects as they move forward. And that's where we've seen customers leverage the advantage of the Quest One solution to provide the business with controls and the view, the transparency on the data and the permissions that actually make the companies run daily. So no, it's a very good question.
Okay. I think another important point is that many companies learn in their IAM projects that it is not only about entities and access to provision, but about many other assets. Think about requests for a mobile phone or whatever you can imagine. So does it make sense to evolve the, sort of, identity access management shop, and you have had this shopping cart paradigm for a while in your product, does it make sense to evolve to an IT shop, and how can Quest support customers here?
Absolutely. Great question, Martin. Now, what we're seeing is the IT shop is absolutely key. It's either called an IT shop or a web shop, but it's essentially an interface for the business to interact with the system. And it's more than just a shopping cart icon on the screen. It's really the mechanism for people to request, for themselves or for other people, entitlements and products that they require to do their job. So it could be, for example, a mobile phone, it could be business cards. I mean, of course we're not going to physically provision a mobile phone, but there will be existing processes today with help desk systems and procurement that we can integrate with. So as recently, a customer in Scandinavia, where, as part of the provisioning, they not only had to create Domino accounts and the usual Active Directory and LDAP and database accounts, but they also wanted to request a work desk.
They wanted to request software applications, credit cards, mobile phones, company cards, and all other assets that are in the IT shop. So with the Quest One web shop, we can publish IT assets and non-IT assets, and they look and feel exactly the same way. People don't need training on this type of new development for these products. It looks and feels just like an eCommerce site that they see on the web, that they feel very comfortable with, and that people actually use the web shop. If they don't choose these products, if they don't choose the self-service interfaces, then the quality of the data within the system, you know, is questionable. People will go around the system, they will talk to the administrators or they'll go and call the help desk or just do it themselves. And that really just doesn't add value to the actual cost of deploying such systems. So a web shop being user friendly, being intuitive and giving that transparency of what people have requested, looking at the workflow history, being able to run reports on historical assignments and having a complete change log of all the requests and all the approvals, that's absolutely key. That's absolutely key today. And that's often driving people's adoption of these technologies. The first question they ask is not, can you provision to this target? It's, you know, can you show me how people can interact with the system? So, great question, Martin.
Okay. Another question I have here is as well about cloud. What is the strategy of Quest for supporting identity access management for the cloud and in the cloud?
Yeah, it's a very wide topic, as we all know. I mean, for provisioning, we've got the provisioning endpoint targets for systems like Salesforce and Google, as you can expect, and Office 365, and that's there today. Okay. What customers are also asking us for is hosted systems, managed systems. Service providers are talking to us about the ability to provide access governance in the cloud. You know, this is a very wide topic. There's also authentication and authorization. I spoke earlier about claims-based authorization for systems like SharePoint. And this is something where we're seeing, you know, a rapid adoption here. I mean, classic use case: I went to a customer in the Middle East recently, and their help desk was outsourced to India and they were in the Middle East, and they wanted to provide access for the help desk people to the SharePoint, which is being used as a knowledge base, but they have a problem today of having to provision a large number of accounts and entitlements in the actual local Active Directory system. So using cloud-based federation technologies, like claims-based, really allowed them to simplify their projects and their deployment. So, no, it's great. A lot of aspects within the cloud, you know, we are looking carefully to see where customers are going and what they're asking. I mean, I think there's maybe a misunderstanding about provisioning in the cloud. We don't wanna put the provisioning engine in the cloud itself, that doesn't really make any sense, but adopting cloud targets, leveraging cloud standards, that's absolutely key.
Okay. Another question I have here right now is: in many organizations, there are legacy provisioning systems that are hard to replace. I think I've talked about, for example, mainframe environments. And in many organizations, there are too many local provisioning tools, etcetera, to fully standardize on one system. How do you deal with these issues?
Yeah. So that's another good question. I was at a customer recently in Paris and they've adopted Quest One on top of an existing provisioning engine because there's just simply too much business risk to turn off that existing system today. So what we did was we had a mixed approach to integration. Where it made sense, we adopted a help desk approach. So we can create the tickets, we can interact with that help desk to close off our own internal approvals when the actual ticket is created. Other approaches we've adopted are web service interfaces. Many of the provisioning products that are installed today have web service interfaces, and you can integrate via a web service bridge. So the customers need to look carefully at the cost and the risk of replacing what they have today, but also look to the future and look to what their business is asking.
Maybe a hybrid approach is best. If they're prepared to adopt a full solution, then the Quest One Identity Manager provides not only the provisioning and, if we need, the sync, but also, like we've spoken about, the web shop and the data governance to allow the business owners to really take control of what they need to do today. So, yeah. Great question. The provisioning tools, it might not always make sense to turn them off immediately. And a hybrid approach is often best in this case, just to reduce the risk and provide benefit to the business quicker.
Yeah.
So, and I think the other point was really what I call my at your own pace. Yeah. So having this layered approach really gives customers the opportunity to move forward at their own pace, not taking the risk of sort of a big bang approach. And so I think there are very good reasons. Okay. It looks like there are no other questions at that point of time. So if there are any questions, just enter them now. Otherwise, if you look at the slide, you will find the email addresses of Paul and me on the slide. So you can also approach us by email. So if there are no further questions, it's time for me to thank you all for participating in this KuppingerCole webinar. Thank you to Quest for supporting this webinar. Thank you, Paul, for your presentation.
You're welcome.
Okay. So thank you to all attendees and hope to see you soon again in one of the upcoming KuppingerCole webinars. Thank you. Bye.
