Webinar Recording

Rethinking Identity and Access Governance in a World of Change and Complexity



KuppingerCole Webinar recording

Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Rethinking Identity and Access Governance in a World of Change and Complexity. This webinar is supported by NetIQ. The speakers today are me, Martin, founder and Principal Analyst of KuppingerCole, and the Chief Security Strategist of NetIQ. Before we start, some general information and some housekeeping. KuppingerCole is an analyst company; we provide enterprise research, advisory, decision support and networking for IT professionals through our research services, advisory services and events. One of our main events, which we are currently preparing, is the European Identity and Cloud Conference, which will next be held May 14th to 17th in Munich. It's an event you definitely shouldn't miss. It's all around leadership and best practice, digital ID, cloud and GRC, for sure also covering all the topics we are discussing today, plus a lot of other topics.
So don't miss it; have a look at the conference website. Regarding the webinar: you are muted centrally, so you don't have to mute or unmute yourself; we are controlling these features. We will record the webinar, and the podcast recording will be available tomorrow. The slide deck, by the way, will also be available by tomorrow, so we will provide both the slide deck as a PDF and the recording as a download. Questions and answers will be at the end, but you can ask questions using the Q&A tool at any time; we will pick them up at the end or, in some cases, if appropriate, during the webinar. You also have the opportunity to earn one CPE point, a Continuing Professional Education credit. The learning objectives today are that you understand the challenges for IAM, identity and access management, and IAG, identity and access governance, in a changing IT landscape; that you know the different elements of identity and access governance; and that you know approaches to enable users for IAM and IAG.
So really bring the business in, and approaches to tackle the challenges for IAM and IAG towards a future IAM. This event, like I've said, qualifies for one group internet-based CPE. If you want this, if you're collecting these points, you will need to take and pass the test following the webinar; when your attendance has been confirmed, you will be sent an email containing a link to the test. So let's start directly. We have, as usual, an agenda which is split into three parts. The first part is the presentation, which will be done by me: I will talk about the future of IAM, what to think about, and how this relates to access governance and identity management. The second part will be done by our speaker from NetIQ. He'll talk about the NetIQ strategy for rethinking identity and access governance, based on best practices and implementation experience.
In the third part, you will have the opportunity to ask questions, and we will then try to pick the questions and answer them. Given that we have a very large audience today, if there are too many questions, we will collect them and answer them in my blog. You can enter questions at any time using the tool on the right side of your screen, the GoToWebinar tool; there is a "Questions" area in there where you can enter questions so that we can see them immediately. Okay, let's start. When we look at what is really happening in IT, there are three fundamental changes. One is cloud computing, which really means far more deployment models. The second is social computing, which goes beyond social networks; in fact it's something which changes the way we are interacting with persons, so persons with persons, but also businesses with persons and persons with businesses.
It's a lot more than Facebook or things like that; it's a far bigger thing. But it also means we have to support social logins, and we have to convert customers which we first touched as Facebook customers when they become real customers. So we have a lot of things to do around this. We have mobile computing as a large trend, and mobile computing is really one of the big challenges because it's about more devices. So the scope of information security is changing. Traditionally, we've looked at our private cloud, notebooks and desktops, et cetera. Right now we have more deployment models, more device types, more user populations, and we have to control and manage access in this far more complex landscape today. So it's in fact very much an identity and access problem: who should have access to our corporate information and to the systems, regardless of the deployment model, the device, et cetera, and how to manage this. It's a problem of identity, to know the people, and of access.
And one of the changes in this context is that we also have an increasing need to share. In the past, our centralized infrastructures were only used internally; then we had PCs and networking; then we had the internet, where we opened up some things with web access management, some gateways to the web; then we moved forward to the integration of business partners. And right now we are facing a far more advanced integration of customers than ever before. So we need to share more information, and we need to control access to that information. Again, that's totally related to the slide I had before; this is a big topic.
Okay, moving forward. The other thing we are facing is that we have to deal with far more complexity. We have millions of devices; it's sort of a Cambrian explosion of everything: more devices for which we have to manage access, APIs that are far more granular than before. If you look at open government and a lot of other initiatives, if you look at the Internet of Things, there are a lot more APIs and a lot more devices which can be accessed. We have the big data thing, which is bigger data, et cetera; machine-to-machine communication; the identity explosion, where we deal with millions of customers instead of some ten thousands of employees, for example. All of these things again mean we have new challenges for authentication and authorization. We have to change the way we deal with identities and access, and we have to keep these things under control.
So we are under pressure here; we have to move forward. And that's what really puts the focus on identity and access management and governance. One thing I've just mentioned is the identity explosion. I think the fact is, we frequently have some good experience dealing with our employees and with some of our business partners, but there are far bigger groups of people out there: our prospects, leads, customers. They want access, and they want access with different means of authentication, et cetera. We have to manage this identity explosion in an adequate way, together with the fact that all these things happen in a situation where we have more externals. That's in fact one of the elements of the identity explosion: we have more internals and externals, and on the other side we have external services and internal services, and it's sort of a mix and match of externals accessing our external services hosted somewhere in the cloud, or accessing internal services.
Internals going out, and authentication and authorization being done in different ways: it's a very complex scenario we are facing here, and we have to understand that this is really changing the game. It's a game-changing situation we are in; things are getting more complex, and we have to manage access in a more complex world. And there are things coming, which are a little bit beyond the scope of this webinar, like versatile authentication: how can we deal with a lot of different authentication mechanisms? And on the other hand, risk- and context-based authentication and authorization: how can we take the risk and the context into account (context is something I will talk about later) and base our authentication and authorization decisions on that? So if someone accesses some corporate information from his desk in the organization, there might be less risk than when he uses a mobile device that is, for us, unknown until that point, from somewhere else in the world.
So that's really the point we have to keep in mind: things are getting more complex, and all these things are around identity and access. And we are dealing with a situation where we don't have this perimeter anymore. On the left side, we had a time where we in fact had more or less only our mainframe. Then we connected the mainframe, maybe to some others, for some EDI communication, data exchange or whatever. We added some PCs. Then the internet became popular; we added some more communication with business partners, and things opened up. And right now it's such that we don't even have control over all parts anymore. We have a lot of access to cloud services where we don't have any touchpoint with our corporate network anymore. And we have to solve this to really address the new challenges. One of the things we have in there is context.
Context, as I've said before, is one of the new paradigms which are highly important when you look at access and how to manage and govern it. Context is about which information is used; that's one side. But how is it used? How is the user authenticated? Did he come in with a login from a social network? Did he come in with a strong two-factor authenticator or biometrics? Which device is he using, and where is this device currently? All these things. Are there any signs of fraud? So, was the last IP address one hour ago in Germany, and right now the next one appears to be from China? Then obviously there is something going wrong. We have to understand that these things are also changing. So we are in a changing landscape, which is just a reality.
Within this changing landscape, identity and access are becoming far more important than they ever have been, because it's about how we can protect our corporate information and corporate resources, not to mention all these new types of attacks that influence this picture as well. And when we address this, we have to do it in a strategic way. We have to do it in a way which enables us to build a solution with a strategic red line, which is sort of stable, which moves us away from working from one audit to the next audit, where we spend a lot of money, where we switch into panic mode and try to fix the problem, and then we have it done, we get a little bit more relaxed and calm again, and then things happen again, and the story starts again.
We have to build a strong, reliable, mature backend infrastructure to deal with IAM and GRC, strategic, not tactical. And on the other hand, we have to bring the business into play. What I have here is the Future IT paradigm we have defined at KuppingerCole as one part of our analyst work. It's our guideline for the future of IT. This framework in fact says we have to concentrate on delivering what the business really needs. So we have to deliver the services, execute the services the business wants. To do this, we have to manage information and manage services, and services can come from any deployment model. This model also says that the cloud is in fact a trusted deployment model. And then we have to have IT and security management in place, which is information security on the one hand, and governance, which is information governance and service governance, on the other. And those are the areas, information management, information security, information governance, where our access governance comes into play.
And identity and access management is the underlying thing. We have a lot of documents which go into far more detail than I can in the time I have here, but I think that's a very important thing to understand: we are working towards the business, and we have to get better in this area. That means we need a new, structured approach which really focuses on managing information, managing services, and having security and governance in place for this environment. We are also currently working on a bigger picture. This one is pretty big, and I'll go through it pretty quickly; it's a draft as of now, but this picture in fact shows what we see as the major infrastructure building blocks, which are GRC, identity management, access management and some others. I want to have a look at two or three of these blocks. One of these blocks is really where we say we have GRC as the higher level.
GRC stands for governance, risk and compliance, and it's about understanding which risks we have, implementing controls, implementing governance. In this part we have the IT GRC area, and in IT GRC we have the fundamental and very important thing of access governance and access. This is a key in the entire GRC discussion, because a lot of the risks we are facing, operational risks, reputation risks, are based on access risks. We need identity management in place; we need things which are happening more and more in development; and we also will need, something I will talk about, a lot of things in that area. But access governance is the key element here. It's one part of GRC, and we have to understand that it's an important part of GRC. So in this big GRC picture there are different satellites, and one of these satellites, which is strategic, is that every enterprise does access governance.
So we build a GRC framework for our organization with policies, organization, controls. Then we have the business GRC part and the IT GRC part, and they have to be tightly aligned. And again, access governance is one of the key elements we need to build this ecosystem. We need to understand that access governance is not something some IT techies are doing for some other IT techies; it's something which is strategic to mitigate the access risks for an organization. On the other side, by the way, just quickly, we also will have to put far more emphasis on the entire access management area and move forward, and this is risk- and context-based access management as one of the major disciplines as well. That's something we will talk about a lot at our upcoming conference, so this will be one of the important topics. It also leads to what our core building blocks for a future identity and access management are overall.
So identity management, access management, information rights management, which will become more important, and access governance: these are the key things, with access management again distributed into a lot of different things. That's just where things are moving. And again, access governance and identity and access management are the key things to do. When we then look more specifically at access governance, I just see that I've copied this from another slide and obviously the colors changed a little, so it's a little hard to read the things down there. But what is happening in access governance overall is that things are moving forward to understanding access governance as an integrating layer on top of existing provisioning, providing some integrated provisioning capabilities, integrating service request management, et cetera, which allows us to really have one layer where we understand what is happening, where the risks are, and all these things which are happening in our organization across different systems.
And this access governance layer is then the one which enables the business user, which gives the business user the ability to request access in the way he needs and when he needs it, to define the access policies according to the business, to do analytics to understand the access risk, and which integrates with business GRC, something our speaker from NetIQ definitely will talk about more. What is access governance? I've used this term quite a few times right now; I'll go through it quickly. Which questions does it answer? The questions are: who has access to what? Who has granted the access? And maybe also: what is the risk behind this? This is done by combining different technologies: access warehouses, where I have all the access rights, all the entitlement information, collected, so I know the current status; recertification; analysis and intelligence, so more advanced analytic capabilities; risk management, understanding which risk is where; request management for the business user; and a key element behind this,
I typically also need enterprise role management. And the role of the business here is very clear, because who knows about the access policies and the access risks, who understands the business risks, who requires access and should request it, and so on? It's the business. So the business has to play a central role within this. The business involvement has a lot of different elements, and technology is one, but we should keep in mind it's not only about technology. It's about guidelines, the book of rules for security, for IAM; it's about detailed SoD, or segregation of duties, rules, recertification, et cetera. It's about the models we have for roles, constraints, competencies. It's about the processes we have there for different areas, and it's about technology. We have to bring these things together, and besides technology, access guidelines are one of the key things to address. On the other hand, then, one of the questions which arises when we say, okay, we want to have the business in, is how to involve the business.
This is also about how to balance work and reward. One thing is important: keep it lean. The business has to do its business first, so everything we do has to be done in a way which enables the business to do this task as lean as possible, which is not necessarily no effort, but we should try to keep it as lean as possible. We need to inform the business, explain the reasons why we do this and the approach, show them, talk about the risks, really show why these things are happening, and show the benefits, like quicker recertification. If you look at today's situation, a lot of people, also in the business, have to go through big lists on paper or big Excel sheets and identify things; recertification currently is frequently very complex. We have to make it simpler, and we have to simplify access requests.
I've seen so many organizations where the end user just was not able to request access; that doesn't make sense. We have to make it simpler, and we have to prepare it well with guidelines, policies and work procedures, something, by the way, where I've learned that businesses, if it is done right and explained well, are willing to participate. And we have to work focused: not going out to hundreds of people in the organization and blocking them for months, but really focused workshops on the rules for segregation of duties, roles, et cetera, which we have to follow. I will go through this very quickly. There's a recording of a webinar we've called "Enterprise Role Management Done Right", which you could use as a replay if you want to dive deeper into the enterprise role model part. Given that I have limited time, I'll just have a quick look at this.
So we have a role model which we commonly use, with our identities, our business roles, which have the entitlements, and our functional roles, which are derived from the functions and business processes. All these things are tied to the organization. What you will need: roles are not everything; context brings in a lot of things, but roles still are very important. What you will need, when you move towards access governance, is a concept for a little bit bigger picture which takes into account the business rules, the context, et cetera. But the good thing with all these things is, I've gone through a lot of organizations, and if you do it right, you will always end up with a pretty similar concept. And if you do it right, and that's the thing I will have on my next slide, I think the maybe most important thing is that you will be able to derive most of these things from the business.
That's again an argument why the business should come in, because the business processes in fact provide you with a lot of information and drive a lot of things when you model your business. Two more slides, which I will also go through pretty quickly. What you should keep in mind is that things are moving forward quickly, and that the requirements for maturity in provisioning and in access governance are changing. What we really need is to move from technical approaches toward business-driven approaches, which we then optimize by integrating them with more. For provisioning, it would mean we really need to have request interfaces, et cetera, which are business-oriented, which can be used by the business, which means we need to have identity provisioning in some way integrated with access governance; and in the next step, we will need to integrate it with other tools as well.
The same is true for access governance, where we have to move forward and get better in that area, moving forward step by step. It's really going from a reactive approach, where we know what is going wrong, towards a proactive approach which allows you to identify things, to react, to do reconciliation if something goes wrong, et cetera. As I've said before, you will have access to the slide deck, so you can look at these slides; all the slides will be available by tomorrow as a PDF, so that you can have a more detailed look at this. I've combined this for identity and access management and identity and access governance, where it's really about integrating a lot of things, having a holistic view, building your big picture. And I think that's very important: you have to understand what is changing today and what the bigger picture is that you have to understand to solve your future challenges. One of the important things there is how to manage access and how to keep access under control. That's about identity and access management and access governance. With this, I will hand over right now to our speaker from NetIQ, who will go into more detail on these things. Okay, it's your turn.
All right. Thank you, Martin. I hope you can hear me well.
Perfect.
All right, thank you. You should see my slides coming up now as well. Hey everybody, thank you for joining. My name is John, as I was introduced before; I will not go into more detail on this, and I will talk about rethinking identity and access governance from the NetIQ perspective. One slide I liked particularly in Martin's initial talk was very similar to this one, which I would like to start with as well, in order to get you into the right mood for following through the rest of my slides today. If you look at this one here, there are really three different areas where organizations change a lot these days. The one going up here is the application hosting and sourcing side. If you think back a few years, everybody really started with every application being on site, installed in the local data centers and maintained directly by the organization's staff. Nowadays, with the cloud coming up and applications being run in the cloud, at partners, in public clouds and as software as a service, you have to think a lot about how identity and access management changes in this area.
The second one here is the user population side. Again, a few years ago we had employees working in our own offices and our own buildings; then over time you had contractors and partners coming in; and now, today, you have to think about even more people, extending your identity and access management efforts to even more people like members and even customers. Think of a cloud storage provider like Dropbox or SugarSync or whatever; I don't want to endorse any of these, but still, if you think of these, where people store their data on a cloud service, these companies have to think really carefully about what kind of identity and access management approach they need in order to protect their customers' data, so that nobody can access what they are not supposed to access. And last but not least, the third channel here is the application access channel.
Again, in the past everything was installed locally. You knew exactly where the computers were, what kind of configuration they had and how they were secured, because you had much tighter control over what you were running for your employees and for your business. But nowadays you have people working from everywhere, and they all want to get the same experience when they work with their applications. They also want to work with their own devices; the BYOD, bring your own device, story is a big topic today. Therefore you really have to think, first of all, about how I can make my applications available in the same kind of way on the different devices with all the different canvases, so to speak, the different screen sizes and whatever, because people want to have the same experience when working with the apps.
But on the other side, you have to think about how to make sure that you secure the identities and the applications in that environment. So what kind of problem is this creating? First of all, the software-as-a-service delivery model does not really follow any IT processes. Just think about some person who wants to have an application, and he goes out and asks IT for it. What happens if IT says: yes, you can get that, but it will cost you, and first of all we have to analyze how secure that application will be and how we integrate it in our business? That person might simply turn around, take a credit card, take $79 out of it and buy a software-as-a-service application in the cloud, and simply use that without anybody knowing that this is the case. This really is a big challenge, and IT really needs to stay in the game and make sure that, first of all, this can be analyzed and detected, but also to be more flexible and offer these kinds of applications, integrating them into the corporate IT landscape.
This is typically an example which happens a lot with people on the business side, who only have their business focus in mind. The same with the seamless experience, which I already mentioned a few minutes ago; that is really important. One topic which also describes this is the consumerization of IT: IT becomes more of a consuming experience for the user, and, as I said before, no matter on which kind of device you're doing that and consuming the IT systems, you want the same experience, and that access could come literally from anywhere. It could be that somebody is sitting in an internet cafe in China, or in a hotel room somewhere in New York City, or in a home office in Paris, or wherever; people want to work from everywhere in the same kind of way.
So the question really is: how does IT maintain control in this? There are certain challenges which I want to briefly touch on here on this slide. First of all, breaches are increasing. Breaches are really going from a joke, somebody who simply puts out some virus with a virus toolkit, up to a dramatic scale where really big corporations are being affected, and where the impact which the breaches are leaving or causing is really dramatic. I will come back a little bit later to two specific use cases, because I think these describe very well the situation which we have seen over the last years. Everybody's going mobile. Cloud is definitely here; a few years ago, nobody really thought about the cloud in that kind of way.
But nowadays people have so many cloud services available, and, as I said before, even if IT doesn't provide a specific service, there is most probably some kind of service provider available who does. And on the other side, budgets are shrinking, and you have to do more with less and maintain control at the same time, which can be quite a challenge. When we think about all of this, it in the end comes back to access: how do I organize access, and what kind of access methodology would work well going forward? Let's start here with a pretty much foundational aspect of this; still, it might have a few things in here which not everybody has really thought about in the greatest detail. The first one here, the elements of the identity, is pretty basic: it describes who and what you are.
So the name, the location where you work from, what kind of roles and privileges you have: are you a manager, maybe? Are you a regular worker? Are you an executive? What kind of privileges come with that role? And what is the relationship to the business: are you an employee, a contractor, et cetera? But an identity itself, just having an identity somewhere, is not really getting you anywhere, because you need to use the identity and the elements of the identity in some way. I always describe it a little bit like having an email address and not giving it to anybody: that will make sure that you will not get any emails, for sure, but it will also do you no good. The same with an identity: if you just have it, that's fine, but you will only be able to really use it once your identity is put into a relationship with access to certain things, and that can be access to applications, to systems, to data, resources, physical facilities, you name it.
So there are different levels of access where relationships have to be defined between the identity and the access element on the other side. And then there is this third element. So far it has been pretty basic and pretty logical, but one thing which sometimes gets forgotten a little bit is the access utilization part. The first thing is that people want to know if the activity you are doing is really aligned with the roles and the policies you are given. For example, it might be that you have some kind of access which you should not have anymore because you have moved your job in the organization, and it needs to be made sure that your access rights are being maintained in some way. And that is very specifically important for privileged access rights.
And that will also, to a big degree, help you with distinguishing attackers from insider activity. So the access utilization, the monitoring component of all of the access relationships, monitoring who grants access, who revokes access, or maybe doesn't, and also the way you actually use your access rights, very specifically on privileged access levels: that is the third element here. In the end, when we put it into our context here, it is really about the right access. The right people should have access to the right resources at the right time, from anywhere. This is kind of the summary of what we have discussed previously, and if you take today's situation, the challenges and the three elements from the previous slide into account, then this is the conclusion from that.
So when I say here it is all about the right access, then the question is: what is right? What does right mean here? And the question of right really varies by organization. I like to use this simple graphic here, showing a pendulum going between the flexibility side and the control side. And this is very important, because depending on what kind of organization you are working for, it might be that you are organizationally leaning more towards the flexibility side or more towards the control side. Take a bank, or somebody in the finance sector in general: you are most probably leaning way more over to the control side than any startup company, which needs to be very agile, very flexible in the way how they do business. So on one side, you have to take care about moving up the speed of the business.
But on the other side, you also have to think about the business risk in great detail. So therefore there is no one-size-fits-all kind of approach, but basically you have to take this into account when building the strategy for the identity and access governance side. So the right access also requires the proper context. This what, where, why, when and who graph here shows this quite nicely. So who has access to what? And that includes what is being accessed, where was this access coming from, and when was this access granted? So this is the top part of this graph here. This is very important, and this is traditionally relatively easy to answer. But the bottom one, is the access appropriate, this is the why question: why was the access granted? Putting this into perspective with all of the other questions is more complex. And that requires a rethinking of the identity and access side to be able to answer all of these aspects at the same time.
So the right access is also what we describe as intelligent access. And this really consists of these two components here: the clear understanding of these five W's, and on the other side finding the balance from an organizational need perspective. Long gone are those days where IT simply does what it thinks was best. Today you really have to think about the business needs and the business policies and controls, and the way how the business needs the IT resources and needs the service out of the IT organization. So if you think about all of these components, I'm actually moving forward, and if you keep these in mind, we will come back to them a little bit later on. So why should you care about intelligent access? I'm going over to this slide here now, which shows you a few of those examples which I have promised you to talk about in the very beginning, which were some examples where really dramatic cases have happened, dramatic breaches have happened.
And a lot of those were really about access not being under total control. So I'm not covering the PlayStation Network one here to a big deal. I'm just mentioning one thing here, that the public opinion is also something which comes into play a great deal when this happened. I heard it on the radio news here for a duration of something like two to three weeks from the local radio channels and radio stations. So I was really surprised how much of a big discussion this was, even in the general public. And that is very damaging to those organizations. Now, the Société Générale one is kind of interesting. It was roundabout a 7 billion loss for Société Générale, and there was a guy named Jérôme Kerviel, who was a trader at Société Générale. And because of the access rights which he had gathered over time, he was able to do certain things with his access rights and to do certain trades, which really put the bank at great risk.
And that whole case went to trial. And the judge actually said during the trial that with the deliberate actions which this guy had done, he had actually put the whole existence of the bank in peril, which actually employs something like 140,000 people. And that is a pretty dramatic thing, let alone the loss itself. So he was sentenced to three years in prison, out of which one or two years were on probation. And he had to pay back the losses which he had caused, which obviously is only some kind of a result which will never be fulfilled, but anyway. And he appealed that. But at the end of last year, actually, and this is why I'm talking a little bit longer about this, at the end of last year the sentencing was actually confirmed by the appeal court.
So he still has to go to prison for doing that. The second one is the UBS one here, which is also a very high loss which happened here. And also the CEO of UBS resigned following the failure of the bank's management of risk, which resulted in a roundabout 2 billion loss. And there was also a trader from an African country called Adoboli. And he was able to combine the knowledge of previously being a bank office worker, and later on being a trader, and he circumvented the bank's internal controls. And when I look at these two examples specifically, I really do wonder whether these vulnerabilities are really commonly understood, and whether they really play a part in business management of risk. The process of transferring employees from one function in a business to another is really an important part.
And it looks to me that not everybody really has this under control, and this really comes back to periodic access rights reviews, and managing and maintaining the access rights in a proper way. And then obviously we have regulatory and oversight pressures, and some people have always asked, hey, why do we have all of these regulations and oversight things? But if you look at what has happened recently, I mean, not too long ago, then you can see that there is a certain need for having these, and for having regular audits from external auditors as well as internal auditing, and then the board of directors and oversight groups. So keeping that in mind, moving up the speed of the business, that really comes back to the fact that IT should be the catalyst for the solution. It should not happen that somebody goes outside and purchases a service from some outsider. IT needs to be the one who provides the solution and integrates that into the identity and access management story.
So bringing all of this together, IT on one side and the business on the other side, and keeping this pendulum between flexibility and control in mind, there are basically three key processes of intelligent access which we have identified here. The first one is access fulfillment. Access fulfillment, generally also described and traditionally seen as identity management, is really about granting the access and administrating the access in the organization. The second component, access authorization, is seen from the IT side, or taken care of by the access management side, which is really about the enforcement of access by users, by partners, customers, et cetera. And then the third component is the access monitoring side, traditionally seen as security management, where you have to think about tracking and observing what is being done with the access rights, and identifying improper activity.
And what we have done now is we have taken these three elements and have actually broadened them out and broken them down into more sub-components in each area. And these sub-components, which you can see here on this next slide, are actually being ordered, coming more from a business need side on one side of the story, and more from an IT resource and IT point of view on the other side. So if we take access fulfillment as one example, we broke it down here into access certification and access requests, which, as Martin has already described earlier, is really coming out of the business: the business really wants to have a way of requesting access and of managing the access rights, because who can manage access rights to business-critical applications and data better than the person responsible for the business components themselves?
And then we have access administration and delegated administration, moving more over to the technical side. Delegated administration, for example, very much deals with the way how I handle privileged access rights in the organization, how I handle the service desk, for example, and the tasks that somebody working in first, second or third level support is handling and taking care of when working on servers, on Active Directory or on other directories, and on user accounts and access rights, and so on. The second part here, access authorization, we can also break down into single sign-on, which from a business perspective is really something which people are keen on, because they don't have to remember so many passwords. And also from a security perspective it's a great thing. If you have a certain password policy and people have to remember, let's say, 10-character passwords.
If you have single sign-on, you can better enforce the password policy, because the chance that people write down their password and stick it underneath the keyboard is much slimmer than if people have to remember individual passwords for every single application and service. And therefore single sign-on also makes a lot of sense from a business perspective. User authentication and authorization enforcement are two more building blocks in this area. And then we move over to privileged access management, so the way how I grant access to privileged users and user accounts in my organization. And then, last but not least, the access monitoring side. And let's move backwards now for a change, starting with the log management and reporting side. This is clearly a demand being put towards the IT side of the house. Let's say, if you have to comply with certain regulations, you have to put a log management or even a security information and event management solution in place to have the proper reporting here.
This is seldom a demand coming directly from the business, but it's more a demand coming out of regulatory compliance, as well as from the security group in the company. Forensic analysis and reporting: being able to go into the data and into the historical data to find out what access rights people have had in the past, and how they have used them, in order to maybe build better access profiles and assign better access rights to people. If you find out that people have access rights which they have never used in the last half year, then the chances are relatively slim that they will need them in the next half year. The security and activity intelligence is also very important: being able to detect kind of the unknown, the abnormal behavior from an access perspective. If somebody always accesses certain databases on a database server and suddenly somebody accesses something else, then this can be pretty suspicious.
And therefore it should be alarmed on. And last but not least the dashboards, which talk about the risks and the trends. And this is actually a component which a lot of people have not really done well in the past. A lot of people have really created dashboards very specific to IT-related questions and to IT security-related questions, but not really created dashboards with the business needs in mind. And this is also one of the reasons why I specifically have it on the slide here towards the business side, because all of security, identity and access needs to be integrated into the business processes and provide value to the business. And therefore the dashboards which you create have to be meaningful towards the business, because in the end, the business is funding your resources and your projects going forward.
And if you can prove to the business, hey, this is what we are doing here in identity, access and security, and this is the benefit you have as a business out of this, then the chances are better that you will get better funding going forward. So you will find business stakeholders and business sponsors, and talk to them in a much better way, having proper dashboards in place. So where does all of this get us? These are a lot of building blocks. Does it mean somebody has to take all of that and implement it at once? No, most probably not. I mean, some customers or some companies might be able to do that in one run, but very often this is not what is the best practice here. The best practice here is that you have a vision and a strategy which you follow, and that you identify, when you look at all of these building blocks, where is the currently most critical aspect which we want to cover as an organization today, where is the biggest challenge which we are having, and you start from there, and then, having this vision in mind, build it out and expand your reach on the identity and access governance side.
So every organization definitely is different. As I said before, no one-size-fits-all solution exists, really, because everybody starts maybe at a different building block here. So therefore the question of where do you start and what is most important to you from a short-term perspective, as well as from the long-term goals perspective, is really key. And this is really why we put together the previous slide, where you have the individual building blocks, so that when we sit down and discuss where to start and where to get you, we can really talk about each of these building blocks in more detail and take it from there, because this webcast can obviously only be the first part of the conversation, and hearing from you and continuing the discussion is very important for us as well. So if you want more information about this, we can definitely talk about that. You can find more information on our website and in white papers, and through the local NetIQ contacts as well. And that brings me to a close with my part. And with that, I'm back over to Martin. Thank you.
Thank you. And so let's continue with the third part of the webinar, which is the questions and answer session. Once again, to remind you: if you have any questions, please enter them in the GoToWebinar control panel on the right side of your screen, so that we have a comprehensive set of questions around this, which I think is a very interesting topic. I have some first questions here, and I want to pick one which is addressed to me specifically. On slide 16, I've talked about the KC framework, so the framework or paradigm for future IT and how to build your IT. And the question is how you use this framework if large parts of IT are outsourced, even including authentication. So as a customer you don't have control over what happens in detail inside or at the outsourcer. I think that's an interesting question. If you look at this picture, and it's available in several KuppingerCole presentations, et cetera, available at our website, then there are three layers.
One is the business service layer, the second is the IT service and security management in the middle layer, and the lower layer is the service production layer. And in fact, the outsourcer itself acts on this lower layer. So the outsourcer is really the one who is providing services. In contrast to cloud, it's more sort of a coarse-grained way to provide services, but in fact he's there. And so I would say outsourcing is somewhere in the continuum between on-premise and the public cloud; outsourcing is sort of the very private cloud, very specifically targeted to you. So, given that you can manage and integrate cloud services there, you can also integrate outsourcing providers; it's just one type of deployment. And the part you have to have under control anyway, in your organization, that's really where it's about: which services do I use, who provides them, how do I integrate them, and what are my controls for all these things, what do they have to do, what do they have to bring back. And for sure, you don't have that much insight into what a cloud provider does, or anyone else, but you still can define service level agreements. You can define controls, et cetera, which you use for them. So simply said, it's feasible. And in the documents we've written around this, one of these documents describes the organization, which I think makes this pretty clear. And I think, yes, simply said, you can do it. Okay.
Then another question, which is probably a little bit off topic, but still an interesting one, and maybe Mr. Dirks also wants to provide his view: bring your own device, and specifically bring your own cloud, is the major concern of the person asking this question, and they ask for thoughts about this. I would say I have a lot of thoughts. And again, I think it's about understanding what you need. My main position is that you have to be flexible enough to enable a quick adoption of cloud services, but also to have very clear definitions of what is allowed and what not. And you also have to bring in new procurement, et cetera. This cloud service provider selection will be one of the topics at our European Identity Conference. By the way, we'll also have a workshop which is around cloud service provider selection and cloud governance, where we will dive very deep into this topic. So I think it's very worth looking at this. Mr. Dirks, do you want to comment on this point as well?
Yeah, so basically there are two comments, maybe. One: if you think about bring your own cloud in the way of getting a cloud service from somebody outside, this is what I already talked about in my presentation. This is definitely a challenge, and you have to manage it properly. The second part: if you really bring in your own hardware to build your own kind of internal cloud in the organization, without anybody knowing, which I see as an extended way of the bring your own device discussion. And I think this whole bring your own cloud discussion is actually the next step after bring your own device. And the situation which I'm seeing a lot at companies today is that they don't even have the bring your own device story under control. I've been to a number of conferences recently where this has been really a long discussion, about people who really talk about how do we control this? How do we control running confidential applications inside a user-provided operating system, and protecting that, and talking about sandboxes and things like that. So I think the whole story will get more complex, and the bring your own cloud and bring your own device story is definitely not at an end yet.
Yeah, I think it's a story of increasing complexity. And so we have two other questions here. One is: so far, I have seen authentication as a user authenticating through the network or to applications. How about users that need to log into devices like switches or VPNs? These systems are not built with extensive login security functions like user name, password, et cetera. I want to go even a step further and say, you know, I've talked about this explosion of virtually everything. We see a lot more access based on APIs, where APIs are used by devices, by things, by other persons, where machine-to-machine communication occurs. We see a lot more different types of devices with which we are communicating, et cetera. What we have to understand is really, again, this versatility and context piece, which also then brings in the second question the person has asked: wouldn't a much broader usage of federation authentication services simplify things, or something like that.
We can go into detail here, but overall, really understanding that we have to redesign the way we do authentication and authorization fundamentally, that this is really fundamentally changing, is a very important thing. I think one of the recent documents we've published is called the future of authentication. So we are currently doing a lot of research. Again, it'll also be one of the hot topics at our conference, and it's really currently fundamentally changing from "I authenticate once to my corporate network and then I can be authorized to a lot of applications" towards some more complex scenarios, far more types of identities, devices, et cetera. Any points from your side on that?
Yeah, so basically those are also elements which we focus a lot on. So talking about federation, and talking about integrating cloud services as well into your own identity side, so being able to provision into cloud services, for example. Additionally, there is one observation which I really want to quickly mention as well. In the past, when you think about identity management on one side and what you see as access governance on the other side, those are traditionally seen as two separate areas in a way. So identity management coming more out of the IT side, and being able to provision and so on, and access governance being able to roll it out to the business to say, hey, here you can request access and grant access and do access rights reviews.
But nowadays, what is really the big story is bringing all of that together, so that there is a link in between those two systems, because when a business user requests something and this is being granted, then the automatic provisioning on the IT side definitely needs to take place in order to get that done. And that is then again where the federation part comes in. This is where the cloud services come in, with provisioning out. So identity on one side and access governance on the other side cannot be seen as two separate elements anymore. They need to be brought together, and they need to be working together.
Okay. So I think we are reaching the top of the hour. We're close to the end of the time. I think there are a lot of other things; we had some other questions. The last one I want to pick, and you could ask more questions, I will pick them up in my blog, or we will follow up on this directly. We all talk and think about access protection, which is a good thing. What about watching what is granted for potential information leaks or wrong access approval patterns, et cetera? I think it's, again, one of the things where it's about integrating access governance, user activity monitoring, however you want to call it, SIEM, so security information and event management, towards bigger things. And I'm very convinced that, for example, one of the major areas where we use big data technology will be security. Mr. Dirks?
Yeah. I can only second that, and there is actually something which I mentioned in my part earlier, which is the security dashboard, or the dashboard in general. And I give you one example: the FBI has put out an alert around September last year about a wire fraud, a wire transfer fraud in the financial sector taking place, which actually had a lot of different elements to it, and people really providing a kind of slow attack to that with different elements of intelligence. And only if you model this business process, which is this wire transfer, if you model that into a dashboard and then provide all of the data feeds into that dashboard, you can actually see where the different elements come together. And if you're in the financial sector and this is of specific interest, I mean, we're happy to talk about that in more detail.
Okay. So thank you, Mr. Dirks. Thank you to all attendees for participating in this KuppingerCole webinar, which has been supported by NetIQ. Thank you and have a nice day, and I hope to have you again as participants in one of our next KuppingerCole webinars, and to see you in person at the EIC. Thank you. Bye.