Webinar Recording

Smart IAM Services for the Modern Digital Enterprise

Log in and watch the full video!

The identities of employees, appropriate authorizations in processes and systems, and a permanent control and monitoring of access to prove compliance are becoming increasingly important for organizations. However, the management of these things remains less than optimal.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Welcome to this KuppingerCole webinar smart IAM services for the modern digital enterprise. This webinar is supported by nexis the speakers for today. I will be joined by Dr. Ludwig Fuchs. He is CEO from nexis gmbh. My name is Matthias Reinwarth. I'm the director of the practice IAM here at KuppingerCole analysts. A few words, just a few words about our upcoming events, um, because there are, uh, virtual events going on right now until we are heading towards the, the era of hybrid events back again soon in September, but first of all, virtual events, one will be commencing actually tomorrow for two days, the Citus access summit, which will be in German language, um, June 9th, June 10th, which will be followed afterwards by managing digital workforce with service now on the 23rd of June and cloud strategy optimization, um, which is I think relevant for almost anybody anyway, um, working in the cloud for today.
So that's it for the actual current events that we are doing right now. I have to mention they are online and for free. Um, so please register and take part and to join our community for today. The housekeeping notes very quickly, audio control, all participants are muted centrally. We are controlling these features, so no need to use these controls on your GoToWebinar panel. On your screen, we are recording this webinar and the recording will be available as a podcast, and we will also provide the slide decks for download, um, very important. I have to stress this. There will be a Q and a session by the end of the webinar. So please submit your questions at any time using the questions section into, uh, of the, um, go to webinar panel. So, um, please let us know what you want to be answered by me.
And more importantly, by Dr. Fox later after his presentation and that's it for the housekeeping, um, the agenda for today, long titles, but they are important. I will start out with a quick overview over the right people for the right processes and tackling the challenges digital enterprises are facing. And that's mainly about shortcomings about what could be improved and who can be involved. Then Dr. Luke hooks will take over presenting a live demo of a services based approach for business stakeholders to manage identities and entitlements easily and intuitively. So that will be his part. And I'm really looking forward to that. And I'm looking forward to the questions and answers, and just as much as to the second part, and I really hope that you will, your questions to that Dr. Electric folks, and I can then discuss, and that's it for the agenda. And without further ado, I will start with a quick overview of how I am processes look like today and how they are implemented in, um, today's I am Cisco systems at least many, so there is a, a requirement for improvement.
So let's start off with this. Um, I G I am, we use these terms more or less simultaneously. Um, it all means the same. It's really the, the process of managing identities and the authorizations associated with them and the metadata around authorizations roles, groups, policies, whatever. So these processes around that we, um, as advisors that analysts think really demand for improvements and many organizations, and I'm quite sure that many of our audience can, can, yeah. Can say that's true. Um, are looking at one or more of the following challenges that might be complex and lengthy requests and approval. So you have to issue a request for an additional, um, um, authorization. It's difficult to find. It's difficult to identify the right people to author, to, to approve that. And maybe they just don't do it. So, um, authorizations, um, request and approval might be something that is really worth improving.
On the other hand, that puts burden on the employees because these administration processes that are around roles and authorizations, be it, the assignment to a single person request approval, or actually the metadata, the real role definitions, um, are really processes that often are very lengthy, complicated, cumbersome that really demand for, for improvements. And that leads to outdated role definitions if they are no fun to use and are not elegant to use. And don't have a nice user experience, uh, that leads to people just not using them. And that needs to outdate role definitions, um, conflict of interests and roles of being infringed. Uh, so sot violations and in the end audit findings. Um, and another really important part to look at is the onboarding of applications bringing in the application, the right version, the entitlements building, um, roles out of that. Um, and so adding that to the access rights management of an IGA often tends to be complex, highly manual.
And for improvement, if we take one step back, the processes to improve are around these four areas and many more, this, this list is far from being completed. So if we look at the targeted IAG services, which Dr. Fuchs will do, um, these are areas where these will make perfect sense it's it is authorization management. So the assignment, the definition, the maintenance of authorizations throughout their life cycle and target systems, and then the business processes, and this is important involving the business, but on the other hand, often forgotten authorization optimization. If you create rules once and don't improve, maintain, manage them over time, um, they won't be really irrelevant and they won't be adequate for the actual business processes that they should support. So automation, efficiency, compliance, and optimization. These are the processes that really need improvement, where, um, such, um, optimization can really be beneficial. I've mentioned access requests and approvals. So I do not dig deeper into that. And on the other hand, highly liked by business users at the end of the year access review and recertification campaigns. So services that are required to make sure that the right people still have the right access. Uh, nevertheless, this is often, um, very cumbersome, difficult to do, and there are better ways to do that. And we will have a look at that later.
That means we need to empower the right people for the right tasks or the relevant stakeholders, identifying them and involving them as subject matter expert experts to in the end, uh, leverage domain knowledge within an organization. And I won't read out all of them. Um, while I'm talking, please have a look at the list of those that are many, um, in the organizations who know better than an it team. When it comes to managing IAM authorization, spirit roles, be it policies, be it Ady groups, whatever. Um, and they, uh, should be involved with targeted services that can help them in, um, in creating the right access management and achieving least privileged assignment. So having all users have that access that they require not more, but everything they need to do their business and this ranges across the whole organization. And it really covers from auditor's to HR, from sea level to the it team from application owners to, um, organizational, um, positions like the heads of departments, um, and many more.
And I think you can think of others who are knowledgeable within your organization that really can support in achieving that. So what we need is targeted IAM services should not be a problem because we have licensed this large IAM suit, um, which with lots of mechanisms, including workflows, but these built in IAG features might not be enough. Um, this is no criticism for the tools. This is just a way of, we see how it is used in practice. And I go quickly through this list of, of issues of challenges. Um, sometimes these traditional delegated administration features, um, might be limited. They might be inadequate or just expensive to use. And let's have a quick look at that. Um, basically most of these tools, not to say all of these, most of these tools are aiming at it oriented staff. Uh, if we use this and hand that over as functionality for business users that might ending end up with having too much burden on them with too much complexity and often too much functionality they can do too much are not in a position to be, to be limited to the core of the actual process.
So exposing this IMO tool functionality might be not adequate for business users, and that is closely connected to the second point because they come with it language, no business user wants to use one wants to know or does know what an attribute value might be. Um, so, um, they often use it language and require configuration to hide that. So this translation between it language to business language is really of importance. Um, the, the next thing is that these tools often think in it processes that might be an, a request and approval of a technical role rather than supporting a business process, um, and modeling that in an IAM process. And that is something that is really of importance. We don't want to, um, pick up the, the business user and, and throw it processes at them. They want to think in the business language and in the processes that they want, that they use on a daily basis.
And if you want to achieve that, you might want to specify a large set of workflows that are tailored, dedicated for your individual workforce members and having that implemented. And we have seen that in some, several, many projects can lead to high initial costs and high also ongoing maintenance costs for defining and implementing such processes on top of an existing workflow engine, um, leading to works of work, um, covering more than one month of work and maybe even much more. So this is far from being agile far from being efficient. Once you have these solutions and the people who have implemented that have gone, um, there's a lack of maintainability it's code it's code related to a single version of an IAM system of an IAG system. So, um, this is really, uh, an issue when it comes to, um, release updates, but also just to changes in the processes and the final item on that slide.
It really is the software update challenges. Once you have done these customer customizations in the workflow engine for Worshan X, um, it's, the chances are high that they break with version X plus one. So that might be really an issue. And we are quickly approaching already my final slide. So, um, we are talking about, um, an, uh, we are talking about smart IAM services for the modern digital enterprise. So we just define what smart and service means. And I think we will catch up with that later when, uh, Dr. Fox shows his presentation, what does mean smart in that context? Smart means it's fully integrated in to your existing tool landscape, and that's not only IAG, it's also IAG, but it might be service management might be your collaboration platform might be mail, um, might be your Excel, whatever you're using. Um, so it's fully integrated into the way people are, are used to work.
These smart means processes are targeted to stakeholders. Um, they understand what to do, click the right button and are done, and that's achieved by using stakeholder language. And these tasks should be fit for the services should be fit for the individual tasks. So, um, I like to think of one trick ponies. Um, it's really a task as a service that does one thing perfectly, um, really configured to the individual users and their level of experience, and maybe their level of maturity, that training level. Um, and so these services are fit for the individual tasks. Um, they follow modern user interface definitions so that you have great user experience because we are all internet users and we are used to, um, modern user interfaces and proper user experience. So we don't want to sacrifice that when we are working in business, we want to have smart dashboards and tasks, um, to quickly understand what we need to do this all should look and feel across all the tasks and services in a similar way.
So all processes should look alike providing the proper, um, functionality. And for those who need to do that work, they should be easy, efficient, quick to adapt. On the other hand, we say smart IAM services. We think of services being the, the mirror of real life business processes. So they, they, if I need to approve an access request, I need to understand who is it, what is the access right to, I understand the access, right? And then I just can approve that deficit should be built on best practices, because we are really not reinventing the wheel in the year 2021 with I am being around for quite a while. So there are best practices, so we should use them. Um, we are not necessarily replacing, ripping and replacing the existing workflow engine from the IAG solution, because maybe it's good at many aspects and might need some augmentation where there is some gaps where there are some gaps or where we should have, um, just a better user interface.
So that is really important. It's not one against the other. It's really getting to a, to a common solution to a holistic solution. These surfaces should be fully configurable so quickly adaptable because they will change over time and they will need to change very quickly. Um, they cover the aspects of access management and authorization, and they use an exposed API APIs for full integration, because just because they are nice to look at an easy to use, they should be powerful in the background. They should be capable of using existing API APIs and should be made automated, um, by usage from, from other platforms as well. So just using these interfaces, um, as a provider and a consumer of APIs, I like to think of Lego. Like what you see is what you get. And we will have a look at that. Um, really important. It's, it's, it's one of these buzz words from say, four years ago, configuration over code.
Nobody wants to write code, especially when it's difficult to maintain and breaks with the next version. Um, so this is really important to have a more or less drag and drop click, um, configuration type of paradigm for adapting these solutions. Nevertheless, we need versioning to understand what was the last version of the service and what changed since the last version and in the end service means we need to be scalable and to deployment model agnostic. Scalable means we can provide these services at the level of performance and fail over that is required. And deployment model agnostic means that we want to have the opportunity to start on prem, go hybrid and move to the cloud and move back and scale it up for different regions, et cetera. So smart services for the modern digital enterprise is really the way to move forward. And that is what we want to look at. That's actually already my final slide. I will now hand over to, um, Dr. Ludovic folks who will do his presentation, but not before I reminded you of providing your questions in the questions panel of this go-to webinar tool that is right on your desk. So please provide this information there. And with that, I now hand over to Dr. Latricia folks. Uh, are you there?
I'm there. Yes.
So great to have you add, I can hear you. Great. I can see you and I switch up my camera and I'm really looking forward to your presentation. Um, Dr. Luke folks,
Thank you very much, Mathias. Um, thanks for having me. Um, today, I like to show you how, uh, an existing IBM solution could be extended with a smart services as introduced by materials. Um, I'm not gonna give you a PowerPoint slide presentation. I'm gonna jump right into a product, our product, which is called nexis four, which has just been released in its new major version. And we're gonna show you, or I try to show you how services for end users could like look like I picked some examples of, um, role ownership, people who are responsible for entitlements, for roles, but it could be owners, um, of employees, departmental heads, um, access coordinators, um, in your business units, whatever you might think of as a stakeholder for you. Your I am system, just to give you a quick overview. Next is for the solution is not just about, um, dashboards and end user services.
Um, it's a platform which basically comes, um, if you wanted to, with some analytics role modeling, role optimization services, have many more things like sod and policy controls for today. We're just going to focus on how can we build tailor made services for any stakeholder that you might think of without writing any line of code, and how can we enhance the user experience of those stakeholders when it comes to user experience, it becomes clear that you have to talk to the, to the users, or you at least have to, to set up a user story. So what does a role owner expect, as Matea said from such a solution, what kind of expectations in terms of stability, usability, and flexibility, does this stakeholder group expect? What I'm trying to do is I hope everyone can see my screen on the left side. There's Jeanette, Jeanette is an IAG administrator.
So she's got all the options within the product to create new services and to come up with new dashboards and provide them to use the groups. And on the right side, you're to see Dorian Dorian is a role owner. So he's someone sitting in a business unit, not thinking about it. He knows that he's responsible for some roles, and there's going to be yearly recertifications. There's going to be some roles expiring. There might be some sod violations. There might be some requests of role composition changes. So new applications have been onboarded and some access rights could be included in his roles. And he is the person from the business unit. Who's responsible of answering the questions that are, um, brought to him by it or by other other business users. So at first, um, you see that the IgE team itself also has dashboards, but they are likely to have different services and dashboards dashboard for us is the canvas where we put our services on where actually the place where people from business or its, or any stakeholders would interact with the solution.
The platform itself is constructed in a modular way. So every table that you see, every background, color, text, color of cards that you see here is configurable without writing a line of code, and it can be integrated in your existing IAM solution. It could even be integrated in a service now portal where you would like to offer advanced services for end users when it comes to role ownership in, in my example for today. Um, so you could have, uh, could have a link where you jump to nexis for, without even recognizing that there is nexis for. So you would just see the pure dashboard with the pure services, without any branding of any solution. Basically, if you look on the right side, you see the landing page of a standard role owner and his, or her standard services that we provide him with our solution.
Basically, this is, um, a situation where I didn't change anything. What I did present him, I show him a list of his or her business roles. So this person Dorian is responsible for five business roles and you see those kinds of cards laying on those dashboards. They basically can be read only cards, for instance, showing someone some information, some KPI, or they could be interactive, which is, um, which is shown by the buttons on the lower end, in the footer of the card. They represent service buttons that could invoke any services, forms, processes, um, whatever you like in a modular manner. So Dorian for instance, got the list of his or her roles. And I configured the table to show those three, um, columns. And if Dorian, for instance says, um, I don't need that role. I provided him a deactivation service, which is kind of modular service.
If he clicks that service, um, he gets the option to deactivate the role. And after he did deactivate, the role you see that it's responsive, some new card would pop up because that's a conditional card. If there is a deactivated role where Dorian was a responsible role owner, it's shown here. And I basically did the vice versa thing here. I gave him the option to reactivate the role in practice. I'll be honest. Typically reactivation is very likely to be combined with an approval workflow. I didn't do that. I just said, there's a self service, self approval option. If he clicks reactivate and he reactivates the role, then basically it's active again. So, um, everything you see on the dashboard can be configured also in a conditional way. You see one thing here, congratulations, none of your business roles are expiring soon. What I prepared, I prepared a situation that Jeanette here, she is going to limit the validity of one of Dorian's roles.
Now, the sales specialist role, I just prepared that role. I created that role within our software and for now Jeanette does one thing. She sends a valid until date until tomorrow. For example, this typically would be handed over by the IAM system or the role owner would even get his own service to influence the validity. But if Jeanette saves that as an administrator, as any other stakeholder, and I clicked on the right side and refresh the dashboard, you would see that now, um, I have an expiring business role. I don't have the small card saying, congratulations. There is no role expiring. I have a conditional service telling me there's one role that is expiring and you see down there, I offered this person a service again, to request the extension, to interact with, with that thing that happened just here, that one of his roles are expiring within the next 14 days.
And he has to take care of whether he wants to keep that role. And, um, as Matea said, we also integrate that. And what you see is what you get foreign designers. So I created a form that just says extend business role validity. It shows the current validity and this it offers story and the option to just enter a new validity. You can define whether you want to see column headers. What kind of naming is stated here? What kind of headlines, what kind of colors do you would have? And I said that if he extends the validity of the role, basically there's no approval necessary in practice. Again, if this role is a critical role, for instance, you would want to have an approval just for demonstration purposes. I like to show you how a user would interact with tailor-made services, not confronting this person with, um, numerous technical identifiers or columns, um, wrong sorting, non understandable forms.
I also provided this person the option to basically come up with a totally new business role. And I said, if this person wants a new business role, he can click on request. And a different form would show up, um, asking which master data could be added, um, which entitlements could be in the role. And it goes down to that level that every drop down menu point, like, do I want to add an ADT security group, a foul share group, an SAP role, whatever that is a configurable component component that you would integrate in that form, like an help information, because I wanted to show him some personal health information in your own corporate design, how to work with this form. And I need to stress that basically this is pure configuration in less than 10 minutes to come up with such a form. We do have forum versioning so that you can jump to older versions.
You can see the differences. Um, and then in terms of audit trails, it's stored, which kind of version of which form was involved for a certain service. What I want to do now for the second part, I like to come up with a new dashboard for Dorian. So Dorian up to now has worked with this dashboard, and let's just imagine that we want to create a new one. Um, we call that page design. So basically I want to create a new dashboard. I want to call it more services for role Ernest. And that's also going to be the name of the site, or, um, pardon me, I'm not going to do the internal internationalization here. So I'm not going to enter English, German and other values. I'm just going to do it with one language in English. So I create a new dashboard page. And then in the configuration, I would say the headline, which is what is stated up here should be more services for a role owners.
And those are some more services for today's modern role owner. I would pick a background image, for instance, prepared some background image I would influence because the image is a dark one, the header color, and that would store the page. And that's what I need to do. I do have a preview button, so I can always have previous of what I do. The last thing I do, I assign this to the role owner role. That means every business role owner should be allowed to see this new page in his navigate navigation chapter. Self-service so down there, you're going to have navigation chapters, which you fully can configure the way you want. And if Dorian logs in again, then he should see, um, the option to have another dashboard, which is an empty dashboard. It's just more services for role owners. It's a responsive dashboard with no contact content yet it's an empty canvas and what I want to do now, I want to add some cards to this dashboard.
I want to say Dorian should see a new KPI card, which shows me one number like, like a, this number, like the business roles with sod violations. I could say, I want to come up as an administrator with a new card, um, which is called external employees assigned to my roles. It should be a headline there stating external employees assigned to my roles. There's a number with a certain size, should be some, uh, caption like employees. And then what kind of numbers should this car display? You would configure that with a simple filter, it should display a number of employees, which employees you could filter and say, all employees that are external. But in this context, we need contextual information. Namely, I only want to see employees which are assigned to one of my roles, not to any role. I prepared a template in our visual query editor saying, take the currently logged in user, take the business roles that this person owns and give me the employees that are assigned to those business roles, but don't give me all the employees give me only the external employees currently assigned to at least one of my business roles.
And if I would save that confirmed the filter, I would assign it to my new, um, more services, dashboard and storage. And now I click on the right side and click refresh. And now I do have a cart stating that 439 employees are at least assigned to one of my roles. Now let's imagine Dorian can do that much with that number. He wants some interaction options. He wants to have a button down there showing him those employees. So I would go back as administrator, click on edit and say, I want to add some action buttons. I want to open a list of employees. I want to name that button. Show those externals.
I could say whether it should be a highlighted button or not which position, because there's probably more than one button, which tool tip. And again, which employees should this button load basically the same 439 that this number tells me. So basically I now edit a button named show those externals, which exactly pops up a list of employees with those externals. And I could say the height of this should be 900 pixels. The width should be 1400. And basically what kind of table configuration do I want to show? I'm just going to store that click refresh and there's a button show those externals. And now there's a list of external employees. And Dorian would tell me, in terms of user experience, I can't do anything with the identifier. I need other attributes presented to me. Then the administrator would go back and say, okay, we do understand that for this action button, the standard table view is not really what we need.
So I would want to edit it. I could say, um, I want to remove everything that potentially shown here. I could say, um, let me extend that size a bit. Sorry. I could say that for instance, um, the department should be visible or the status or the simply, or the function of this employee. You could do like a drag and drop reorganization. You can say there's my own table column naming. So if you have any, um, I mean the, the role owners or the business users might not understand your technical attributes, um, information like probably functions something they would understand, but you can have your own, my own, um, header, um, where you could use a tool tip and the header to improve, um, understandability. And you have a preview to immediately show you how that would look like. And now I see the identify as probably not necessary.
So I could collapse the identifier because I don't need that. And the function column is too narrow. So I could say, I want to increase the width and I'm going to store that again. And if Dorian now refreshes and clicks on this button, I would see a different table with different styling here. Now let's move on. Let's say Dorian, not just wants to see a list of external employees assigned to his role. He also wants to see which critical entitlements are included in my business roles without clicking through all of the roles and checking which ones are critical. So I could copy this just created card. And I can say, I want to have another card, which is called critical entitlements in my roles. Just going to copy that. And I could say, okay, obviously this card wouldn't, you want to show employees, it should show system entitlements. This is the nexis terminology for any entitlement coming from a local application system like SAP, 80 groups mainframe any cloud application. And you could say again, I prepared a template saying, um, take the nexis user that is just logged in Dorian. My example, take his business roles. And again, show me the system entitlements that are critical or very critical. So it's a very simple filter. I'm going to store that.
I'm going to have this number being stated in red. There could be even conditional highlighting. So if there is no policy violation, it's green, and if it's more than five policy violations, then it's, um, and it's red or things like that. And just come and assign that also to the more services for all on a dashboard, which I just created. I can influence the position. So which card is shown right next to each other. And if I do a refresh here, basically there's a new card. It tells me there's three entitlements, and now you see, okay, that button doesn't fit. It's still because I didn't change. It shows me the externals from above. So I'm just going to edit that card saying, I don't want to have this button anymore. I want to have a different button with the employee, with the entitlement list. So show those entitlements.
And then again, I would say, which data should be shown the same data of this number, all entitlements, which are critical and at least included in my business role. So if I do that and save that, just going to do a refresh, um, like that now I see the three entitlements are included. And again, this brings me to a limitation and this is basically it's all about the user experience. What does the user expect? Does this user expect a simple read, only list of entitlements, or do you even want to provide this person services that they could influence it? Like for instance, remove those critical entitlements or contact the critical entitlement owner or being informed. If some of those critical entitlements would expire soon because probably for his roles, it is mandatory that those entitlements are built in the role. And he wants to be notified by email, by a dashboard and have the necessary services at hand to influence or do something about an expiring, um, critical system entitlement, because it will be removed automatically from his role.
So that actually brings you to, uh, a situation where those KPI cards with popups showing you some information are not enough anymore. So let's move on as the last use case, I want to show him a list of those entitlements list of all critical entitlements in my roles. So I want to show him that list, um, in a larger sized card, which same thing it should display the same. So basically again, in which, which critical entitlements are bundled in my role. So it's going to be the three entitlements again, you would, because it's a list again, like the list here, you would be able to influence the tables and the table layout. I'm just going to use the standard table. You do have a preview, so you can see the standard table tells me there's a display name, criticality and sod class. I now could decide this play name is something that this person probably doesn't understand. So I could say it shouldn't be named discipline name. It's the critical entitlement in my use case. So now if I clicked on preview again, it's changed. And again, now if I store that, I'm just going to assign that to this dashboard, that right out of position, click refresh, then Dorian, actually I did not put it in the right position. So just give me a second.
Let's do that anyway. It doesn't matter if that is not possible now. Um, anyway, um, you have the list in addition to those, um, to those KPIs, I'm just gonna, um, remove the KPI card because he doesn't need things twice. So he's now just going to have the list. Again, only read only list. The only difference he doesn't have to click on a button and a pop-up shows up in terms of user experience. Now let's as a last move, extend the list with an action button saying, for instance, I want to call them workflow. I could say remove from all my roles for some reason, with an outline button. And I prepared a workflow, remove a critical entitlement from role, which is basically nothing else that prepared one workflow saying, remove particular entitlement from role. And this basically just needs to be approved by some person.
I didn't even configure that, but going back, I'm going to store that. Obviously you could define whether he could select more roles at once or in my example, more entitlements at once, or if you need to select one or it doesn't matter. So basically at least one says, if you don't click on one, then the button is not going to work. It's just going to show you an error message. So basically in a store that refreshing there's and remove button showing up. If I click on that without selecting anything you would have to happen, uh, enable to, to, to edit this message. If I clicked on Atlas, Wiki as an ID group, it should be removed. I could re invoke a workflow that triggers a approval for revoking this entitlement from all my business roles. I could also say, okay, probably someone doesn't understand that button.
So I could say this person needs a link to a certain manual chapter, or it should open the form, which is called help. And I created a help form if I save that, okay, I would have offered him some help form, which you could influence by showing some manual instructions by showing pictures, by showing some tabbing with information. So you're going to have a free, what you see is what you get form editor. I'm just going to jump to that and then I'm going to be done the help forum, for instance, um, you're going to have a form editor allowing you to say, I want to remove a certain part. I want to remove this, um, this, um, image. For instance, I want to change things so that if I store the form, then it would be shown differently for Dorian. And again, it's done without coding.
So basically what I wanted to show you today is there is technology for integrated ways of coming up with slim or, or very focused services for end users. However you need to know which end user stakeholder groups you are talking to. In which language in our projects, we have many customers saying the application owners should have access. They should see more technical information. They need services to manage their applications. Then we have role management teams. They are looking for KPI dashboards saying, um, just give me the most important numbers that I might need. You can go down for smaller companies to, I want to manage my own entitlements. So I want to see the business roles assigned to me. I want to have some self services to, to edit as an end user. It doesn't matter, but you have to know which they call the group expects, which kind of language, which kind of naming and for nexis for those are all components or services.
So you have table configurations, you have all the cards, you have the forms, you have some navigation structure so that you can have different structuring of navigation with D with different naming for certain user groups, because from our project experience, that makes a difference. If there is, um, a standardized solution in place. On the one hand, you have more to invest in terms of configuration, you have the update and upgrade issues. And on the other hand, it's still not that flexible that you easily could say, I want a name or sort this column differently. I want to show this person more information with just within just one or two or three clicks that will bring me to an end, uh, Mathias. I hope you're still there. I think I done it in time. I hope you enjoyed the presentation. I hope you you've seen how modern and smart services could look like, um, and how that could be done in the future. Thank you very much.
Thank you. Which that was a great presentation. Um, and really, uh, I like presentation developed slides, although I do presentation with slides and there was quite some feedback, um, in, in the, in the questions and, uh, in the questions panel. Um, nevertheless, I want to remind the audience also to have a, to use the final chance to add their questions. Um, I think we covered can cover them in the remaining 14 minutes or so. And I just start out with the, um, with the first question they are chronological. So, um, you've mentioned very early Ludovic that, um, that you also deal with with policy management and mentioned that term in that context. And the question is a rather technical one. Um, if you, if you are aiming at policies for PDP pap in sense of zero trust, and so the source for the policy enforcement point, um, or what do you mean by policy? And then in that context, I think there are more than one them.
Yeah. Um, so policies for us is a, is a bundled term for different types of policies. So you might have in mind, um, sod or conflict, segregation of duty conflict policies in the classical policy sense, then we do have data quality policies. You could say, um, a role can only be owned by an internal employee and the description cannot be shorter than 20 characters, and it shouldn't be a pure copy of a different attribute. And you would have all the processes of mitigating risks of defining those policies. So we have the workforce for, in an audit auditable manner, defining those policies themselves. And we can act as preventive or real-time information point for policy results. That means we have customers, which for instance, model SAP roles in SAP with certain transactions and during the modeling process, they would send an API call to nexis. Please tell me whether this would result in an sod conflict on a transaction level, on a level, which I am solutions most of the time don't include. Um, so I wouldn't say that's policies in terms of zero trust its policies in terms of what we need for the entitlement and management. You can have your own policies. Um, if there's more interest we should talk about what kind of policies you have in mind. Okay, great.
Thank you. Um, very interesting question, which comes more back to the basics of, of, of nexis is, and what data sources for this identity data for organizational data are supported. So what w when you, when you want to have these great services, of course, you need to feed in all the data that you have in your organization.
So basically we are, um, working with any, I am solution or IAG solution out there. Um, so whether it's one identity, SailPoint servient, um, Oracle, whatever you might have in place. Um, so you would have a standard connectivity to your IAM system to load the data within some minutes. Basically, if you are a very large customer, it might take one or two hours, but, um, basically those are in practice. Mostly the sources for us, it doesn't have to be one IBM system or one source. It can be additional systems just today. I had a presentation and I was asked, could we import from one identity and from micro-focus I am and IOT solutions. Yes. And you even can have additional imports, like from any other system in terms of technology buys their standard connectivity to Ady, to SAP, to the IBM solutions, to Eldep, to databases and the file-based input. So that's what you can do all the time for now. We didn't have, we didn't have the situation had, had, had the situation where we couldn't have been able to import a certain application system so far over the last 12 years. Um, at least if the customer was able to provide a list of accounts entitlements and their assignments, so you would have your different sources available, right?
And so this was perfect because you almost answered the follow-up question as well. So the follow up question was how do the authorization of the most diverse existing systems? And I think from mainframe to cloud, from, from self-developed to, to Ady supported how do these information, these authorization, and get into the nexis for application, but this is almost answered.
However, if I can add something again, it depends on your use case. If you want to work with those dashboards for end users, you might necessarily need a regular import of data. There is not just a one time load. And then for the next year, it's going to be the same data. So you want to have a daily or in some hour difference import of the data. We do have customers which import SAP on terms of collective and single roles, but we do have customers which important, lower levels of entitlement structures also from mainframe environments, from cloud-based, from SharePoint, whatever you might have in place. Um, again, it depends on your use cases to which, um, detail level you're going to import information. We have customers which operate 17 layers of Ady group hierarchies. You have to think about which kind of layers do you need. And coming from our main background, namely analysis analysis, and modeling, basically you would import all the details and then you would try to standardize and automate things and simplify things. Um, but it depends on your use case. Okay,
Great. Thank you. Um, another question, this, obviously, somebody who is already convinced of this UI first, that's a praise, great UI, fresh and modern. Um, so that was the first statement. And of course, then there's the question. Is there a possibility to integrate other system information or action SAP, SAP UI five services, time management within your front end? Because obviously they like it. Is it possible to integrate that as well?
I would have to ask back what kind of information like time management information would, would be in, in general, just a quick answer for myself, the components and modules are generic. It doesn't have to be employees, entitlements and roles. Um, we, within our organization themselves do the employee management in terms of contracts and, um, talks to their manager and review talks yearly. They are done here as well because we can store them as objects. Um, basically it's generic. You could come up, I want to rent a rental car here. I want to have no entitlement shown, but some renting cars we haven't done for training certificates. So some customer says we have some sort of training certificates and we want to have the list here and people should apply for trainings or things like that. But I have to ask back, what kind of time management information would it be that you need to display here?
Right. Okay. Basically you can integrate with other platforms as well and use this information as you are also exposing an API for providing this. Yes,
Yes. We can talk about that in detail, but in general, there is no limitation of what kind of information is fed into the software, right?
Apart from the, from the use cases that you presented to them. Of course, the question then can also serve other IAM process within nexis, or is there a limit? So for example, um, administration of identity, data, password, change, password reset, any other processes that you can think of? We
Wouldn't, I would say we are not the place for a password reset. The password reset services are covered by IBM solutions, uh, for years. Um, we, I mean, there is no limitation on asset. You could set up a service, I want to rent a car, you could set up a service. I want to have holidays next week or vacation next week. Um, you could set up services, like I want to apply for a training seminar or things like that. Um, we have, I mean, for, for our customer base, mainly it's the use cases, but we have customers which cover their licensing for software because they store which kind of licenses who is assigned to and things like that. Um, it's about objects and their relations in the IOT space. It's mainly about role entitlement employee and account services. So things like I've shown in the main dashboard where I didn't show that card, but you could say, I want to have a card showing me which employees have moved departments in the last 90 days, or I want to use that information.
So identity information that has been handed over to us, we do have an event trigger system, which can react to all changes that might appear in terms of our data models. So in my example, employees that have a changed department and you can react to things. So you could say 14 days, I'm going to go back to my role example, same for employees. If a role expires in 14 days, the role owner should get an email. They should be presented a service just in that case when there's something expiring to extend that or to inform someone or to do something. Um, so in terms of lifecycle management and services, the service can call any workflow that you design. And if you import training certificates, those workforce are going to get to work with the training certificate use cases. And in my example, it's been business roles. Great.
Thank you. And I think that really shows the versatility versatility of the solution as well. Um, another question is around how you position yourself, be the nexis for a solution on the, on the market. And there are, so the question is, um, is your solution considered a modern UI layer for an existing IGA or the platform, or is the platform a full fledged IGA solution? And I think neither one of,
Yeah, Mathias, I mean, we've talked about that quite awhile Nick's is for, does not come with the provisioning engine. We are a, uh, specialist company and, um, provisioning has been done for years and there are many solutions in place. We can cover the full access governance layer on top of the provisioning solution. So we can act as a modern UI for your IOT solution. If you want that, if you want to have a Ciero code layer for you, I and services, we can expose all the services that you might need. We're not writing, um, back into the local applications, because that is something that, that is the wheel that already has been invented. And as a specialist company, we're not going to aim at that. However, saying that nexis for at all time knows what the current situation since the last import is and what the should be sinful situation looks like. So we always know the differences. So we would know provisioning failures or things that have been changed in the local applications. Um, even though you said it should look differently, right.
Um, fully understood, um, as we are getting closer to the hour, one final question, but I think there is lots of, um, things to consider here as well. So the question is, or maybe it's actually, it's, it's, it's a statement, but it hides a question in there. The internal customers do not want multiple portals or website to handle data around their identity. One for roles and permissions and one for password. And one for third accounts would be usually not that much acceptable. So how about integrating? How about having an umbrella across the system
Depends on your infrastructure. You can include those dashboards without showing a menu and without showing a personal toolbox where you could log in and browse. So you could just show or integrate the pure dashboard with the services, cart, or cards that you might expose. If you have a Lincoln service, now, you would just jump off to that. Um, and you would, I mean, there's more than 150 corporate identity settings. So you would make nexis for look like whatever your single stop shop looks like, whether it's your IAG solution, whether it's a homemade portal where this is just one menu point. Um, but we do fully agree that this is an issue. Um, but I also would say that looking at our customers, some of them, they operate service now. And obviously you can do everything with service now, but we have customers that try to integrate sod controls.
Low-level things like that. And service now is just the optimized to do that. So they had huge issues and they jumped back and said, we have to use a specialist. I am solution for that. It always again, on the one hand, there's the driver single stop shop for the end users on the other side there's costs maintainability. So you would have to decide whether it's enough for you to just have this kind of dashboards integrated in this shop or portal, or whether this already confuses your end users and is not enough because then you might have to build it natively in there, um, which could be expensive and cumbersome. Right.
Okay. I said, this was the last question I have a quick one. And then we closed down. Um, simple question. Can your solution be deployed in containers?
Yes. So you can have it in the cloud or on premise, whatever. You'd like great
Managed through all the questions that our audience provided. If there are further ones, we will hand them over to Dr. Folks as well. So he can get back to you if there are more questions. Thank you very much, Dr. Fox for sharing your presentation was impressive to me to see such a quick and efficient way of managing these, these IAM services. Um, so that's it for today. We are looking forward to having you as the audience in one of our upcoming webinars soon. And don't forget there is a two days Germany event commencing tomorrow, um, with the CAS, um, please register and join us tomorrow. So that's it for today. Thank you very much. Um, thank you again, doctor.
Thanks a lot. Mathias haven't as date to everyone and see you soon. Stay healthy. Bye-bye.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Erfolgreiche IAM-Projekte: Von Best Practices Lernen

Häufig beginnt die Suche nach einer Identity-Lösung mit einem ganz konkreten Schmerzpunkt im Unternehmen. Ein nicht bestandener Compliance-Audit wegen überhöhter Zugriffsberechtigungen, technische Probleme, wegen komplexer Systeme frustrierte User und eine…

Event Recording

The Role of Managed Security Service Providers (MSSPs) In Your Future IAM Application Landscape

Trying to “do identity” as a conventional IAM or Security workload with in-house resources and vendor platform deployments may not satisfy identity and access today’s requirements for IaaS, PaaS, databases and other cloud infrastructures. There are now a growing number of…

Event Recording

The IAM Fabric and How It Integrates With Your Cybersecurity Program

Architecture, operating model and governance are key viewpoints for every business as a whole and its subdomains as well. Depending of size of the organization, information security may be managed as single domain or divided into multiple subdomains. Viewpoints and domains are still static…

Event Recording

Identity Management and its key role in the Zero Trust strategy

Since any resource access is subjected to a “Zero Trust enabled” step-by-step process, where  policy engines define and enforce the appropriated access level, apart from device, network, identity systems and resources, we need also a “ZT enabled” identity…

Event Recording

Expert Chat: Interview with Neeme Vool

KuppingerCole CISO Christopher Schuetze engages in a fun discussion with Swedbank's Neeme Vool on what the future holds for Identity and Access Management.

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00