Welcome to our KuppingerCole Analysts webinar, Speeding Up Zero Trust Delivery Using Managed Services. I'm Martin Kuppinger, I'm a Principal Analyst at KuppingerCole Analysts. I'm your host today and I'm here together with of iC Consult Group is Senior Vice President Managed Service Strategy, and thank you to iC Consult for supporting this webinar. As usual, I'll start with some housekeeping. I'll do my presentation and then I hand over to Heiko. He will do his part of the presentation, and after that we'll have the Q&A, but I'll show you the agenda in a minute. So let's get started here. So from a sort of function perspective, you are muted centrally, so from a housekeeping perspective, nothing to do. We will run two polls during the webinar. I appreciate your participation in these polls. We'll do a Q&A session at the end of the webinar, but you can enter questions at any time.
So on the right-hand side, usually there's the GoToWebinar control panel with the questions area, and there you can enter your questions. We are recording the webinar, so you don't need to write down everything. Slide decks will be made available. The recording will be made available rather shortly after the webinar. That also brings me directly to the first poll. And, as I've said, I really love to get your feedback on that. And the question is, when we talk about zero trust, where do you stand? So do you say, oh, we have a really good zero trust readiness across our IT and cybersecurity, or is it more that you deployed some parts of it, or really more in a conceptual phase? Or do you say, okay, come on, zero trust, buzzword, we don't believe in it. So what's your opinion? We let it run for a bit of time, so the more of you participate, the better it is. So don't be shy, come on.
We leave it open for another, let's say, 15 seconds and then we will close the poll. So as I've said, please vote. The more votes we have, the better it is. Okay, good. Thank you. This brings us back to the content of the webinar and I'd like to start first here with the agenda. As I've said, I'll talk a bit about managed services and zero trust. Then Heiko will talk about how to make managed zero trust really work and managed services work. And then we have a Q&A phase. But where I want to start is when we look at some numbers we've collected previously: what is the relevance, also in identity and security, for zero trust? And we've been asking people about which of these identity management or identity security topics are most important to you today. And at the bottom, making zero trust reality was the, so to speak, number one topic. That is aligned with, or overlaps to a certain extent with, implementing MFA and passwordless authentication and getting better here as a policy-based concept.
But zero trust is a very relevant topic and I consciously ask for making zero trust a reality because I think this is the step we need to go nowadays, that we move from an idea, from a concept, towards how do we concretely implement zero trust and where does it play a role in many areas. This is what I believe is very important. We will see that there are other topics that will emerge over time, like decentralized identity, but zero trust definitely is a top topic. And I think this aligns with what I just said. We also raised another question that was about where does your organization stand on the zero trust journey? And the big light blue part is concept phase. So two out of three, more or less, that we are still in a conceptual phase. I can say the current poll was a bit better, but it wasn't that far away from that. So I think moving towards implementation of a solution, really getting zero trust implemented, is the challenge to solve in these days. And this is where we want to spend a bit of time, on how could this be done and why and how could managed services help on the journey.
I, anyway, I thought about it. Anyway, I want to start quickly with the zero trust picture. And I think some aspects here are very important, because zero trust as a concept is big, it's broad across the entire IT. It's about identities. So can I verify the identity? Is it Martin? This is a device Martin usually uses. Looking at the network, system access: okay, it's still Martin. Can I authorize this? So this verification is a repeated check of: is that identity, not necessarily human, allowed to do that, go with the network to a system, to an application or a SaaS service, working with data and software. So it's really a bigger concept. And we have a lot of technologies, and this is by no means anything which is about completeness, but we have identity management, we have identity threat detection and response, ITDR topics around, and there are technologies that are essential to make zero trust reality.
When it comes to identity, we have UEM and EDR and EPDR. So unified endpoint management, endpoint detection and response or protection, detection and response. We have zero trust network access, SASE, secure access service, network detection and response technology here. And by the way, very important, when you look at zero trust network access, then the emphasis should be on zero trust network access. So it's primarily something which looks at the network element within zero trust, but it's not the one and only solution for zero trust. Again, topics we already had: data security, DevOps security. So we have in several areas technologies that help us to verify, to not just rely blindly, so to speak, on trust. We have technologies that help us integrating all the signals, providing signals back to have better context information to be more secure.
We also can manage this in vicious by the way, also manage element in that. So zero trust is a rather big beast to tame. Identity plays a very central role. But we also see, when we take this, this is one of the various pictures, in that case from the DoD, Department of Defense in the US, around elements of zero trust. And then we see there are many elements. Many of these are identity related, but there are also many that are not identity related. And so there's not the one silver or single bullet you can use. It is really a combination of things you need to bring together, and that means that to make this work, my belief is that guidance is a very important aspect, that you need the guidance to make this work: where to start, what to focus on depending on your environment, your use cases, what you have, what you specifically need, and to bring these things together.
So, and I would say, simply said, when things are complex then it usually is a good idea. So two things are important. The one is trying to reduce complexity by looking at different parts. So not trying to solve everything but to focus. And the other is work with experienced partners. So sort of use help here. So you are not alone here. And I think this is the point for that. You are not alone when it comes to zero trust. There are technology providers, but there are also service providers that can help you in making zero trust the reality, and I think this is, for me, the really essential aspect here, that it is important to understand such a journey, a complex journey. It's easier to do when you work with partners that have experience, that have blueprints, that can help you in deciding what you need and making this essential, so to speak, implement these essentials, but also operate these essentials.
So we had a detection and response part. There are other parts, like in the identity space, where a lot of knowledge in how do I do that right is needed. And this also needs an understanding of this entire cybersecurity element, including the zero trust part, that is something which is more complex. So this is more another zero trust specific perspective. But you also would see that a lot of the tools mentioned here factually are tools that also have been on the previous slide. So to be good in cybersecurity, and zero trust is an approach that helps you in getting better in cybersecurity, we need to cover the entire cybersecurity cycle, whichever of the cybersecurity s you use. But it's not just a tool thing, we need the processes. So how do we do that?
And I think this is one of the areas where managed services are definitely very interesting, because managed service providers only are successful when they work with standardized approaches, when they have good and efficient processes that can be run with a reasonable effort. And you need people for that, which are your own people, but which are also the externals. Sorry, wrong direction. So what you need to do is you need to take a structured approach on cybersecurity as well as on the zero trust pathways in cybersecurity. And while some said, okay, this plan, build, run, improve, it's not really current anymore, I believe it's still a very helpful thing, because if you then structure it from strategy to architecture to implementation to operations, then it's always about planning and building and running and improving, just that at the bottom, the operations, it's a continuous approach.
Implementation, you go to agile, but your architectural principles need to be stable and your strategy as well. It's a long-term strategy you need to have here. So this is, I believe, what you, what's cell, when we look at it from a zero trust managed service perspective, then several of these areas. So I sort of put some more in a light transparent mode. The ones which remain with the bold mobile headlines are the ones where, to my understanding, my perspective, zero trust managed services can help. A managed service provider can help you with proven principles and building a blueprint based on experience, on standards.
It's about implementation, develop, test, run, patch, update, doing this and show the operations, doing all the operations in a very efficient manner. And so managed services can help you doing things better because they support you in many of the areas. We can discuss about some of the things I sort of greyed out a bit, saying, okay, even that is something where they can help, like helping you in the requirements analysis, et cetera. So their experience and their methods and their approaches help you doing things better. And the same then holds true when you say, okay, what are the main things you need to do to get better, to enable your business, to get more secure and to build, so to speak, your fabric of services that underpins your trust, your security fabric, your identity fabric.
And again, there are a number of areas where managed services can help you. So even at the top, when it comes to continuous risk adaptation, I see some, this is something. But when it comes to all the things below, running the service, continuous improvement, having a well-defined target operating model: every managed service provider will emphasize the target operating model because this is about defining what is the responsibility of which party. And this must be well defined because otherwise you have a sort of a predefined breakpoint where things go wrong. So it is essential to do that, and managed service providers can help you not only by being an extended workbench, but by helping you with their experience, the knowledge. And I think when we go back to this picture I brought up a bit earlier, the survey where 65% said we're still in the concept phase, then this is a point which must not be underestimated: a service provider that has standards, helped customers a couple of times, can help in succeeding in that concept phase by having a standardized method set, by learning from the others instead of trying to invent everything yourself.
And so I personally believe that, given also the fact from the numbers that zero trust too frequently is not really yet becoming a reality, if we want to make it a reality, we need a right set of partners and managed service partners to help you across everything or at least across essential parts of it. You touch identity, identity is one of these very essential parts. These are, I think, one of the key success factors in making zero trust a reality. And if I'm right with my slide, we have one more poll. Yes, correct. Then I'm done with my part. So the second poll is asking about how do you use managed security services, in the broader sense, currently. So is you, do most of your IT obviously internal workforce, use managed services primarily for operations? Do you want to grow your use of managed services, or is it anyway that you see most is anyway outsourced to the managed service provider? So where do you stand? Curious about your results, and please respond to that poll.
I would say another 10 seconds, and please vote, would be highly appreciated. The more votes we have, the better it is. Okay, thank you. Which, by the way, I quickly can talk about, as it brought interesting results. So roundabout 60% say we do most ourselves, but 27% also that we are intending to use now more managed services. And some also say we already have a sort of a large portion of managed services in place. So not a surprising tendency that we see growth in managed service. With that I hand over to Heiko. Heiko, it's your turn, talking about how to make managed zero trust work.
Thanks for the hint and thank you, Martin. Overall, actually I was not aware that you were highlighting that much that we have a problem, because that was the first question I asked myself when I read this title. When we were preparing this webinar, somebody put this as the title for the next section we're looking at. And I was really asking myself, is that even true? Do we have a problem? Because that's what the section implies, right? If you need a how-to, how to make it work, then something should not work. And so I won't go anymore into that much detail of one aspect of the problem, which is we're not anywhere. Zero trust is an old concept in IT terms, right? It was brought into existence in 2010. Aspects of it are even older than that. But we know this term of zero trust since 2010, and that's in cybersecurity terms.
It's centuries ago that this was brought into existence. I mean, the good note is that we as a community have understood it's important and we want to do something about it, but we still are not clear about what exactly we want to do, what we want to achieve, what is our scope and all around that. So that's the one aspect. The other aspect, let's get into that in more detail now. When I try to get an understanding of what is the problem, the first thing is I try to fight the Dunning-Kruger effect. So I need to ask myself, what do I really know, or what do we as the community know? What don't we know? And then I really like these kind of meta literature studies that go into a field and look at all the publications coming in the public sector, coming in the research area, coming from practice publications, et cetera, and categorize all of these.
And if you look at zero trust, you can really find these broader categories. So any kind of publication you will find basically falls into one of these categories, more or less, and directly over on the next slide here. And when you look at that, you can see that actually, you know, performance improvements, and these categories are very broad. So performance improvements mean two things in this case. One is what kind of performance improvements do we need to make zero trust work? How quickly do we need to make access decisions to really make use of our IM in this context, for example. But it also means the other way around: what kind of performance improvements does our organization get when we do this? And so that, and architecture, is really, really well researched. So mainly academia is looking at that and we find many publications around that.
In that space. The more practice-oriented publications, so like the white paper we'll release on this topic, and many of us in the field, mainly focus on what are the organizational advantages you have when adopting zero trust, and also migration strategies. Not really surprising. And last but not least, to be honest, I was surprised to see we don't have a lot of user studies around zero trust, because in IM we have, I don't know whether there is anything in the world researched as much as login windows in the UX community, but it seems not to be the case for many of the zero trust use cases we look at these days. And also economic analysis, well, that we have in common in the IM community and the zero trust approach, right? There are not a lot of really good studies around that there.
So for the next part, this is something to have in mind. What do we know? What don't we really know well? But importantly, architecture, performance improvements, migration strategies, all of this is here. Organizational advantages, all of that is here, we have a very good understanding. So it can't be the problem that we did not achieve a high adoption rate of zero trust in the last 13 years because we don't know anything. We know quite a lot. And that's, you may remember the first picture I showed, the passion that has here. There are so many people in the cybersecurity area really passionate about zero trust. But well, as Martin said, we need to come really to reality in that aspect. And with this slide highlighting a couple of things that I took from another study, by the way, you get all of these later, so you can really look at the full paper in detail if you want.
This was a paper really going over the practical aspect of what NIST has publicized on zero trust, the SP 800-207, I think it's the paper, and was going through what are the different aspects. And with this I want to start telling you two stories, two stories of customers we have in the managed services space, where one of them was really successful and brought himself in a very, very good position overall, and the other really had some troubles, and I think we can learn from both aspects a lot. I'll not give you the names, so we'll only talk about customer A and customer B in this case, but still very interesting, and also that is the reason why identity management is here highlighted as one of the four key things to be considered when starting a zero trust initiative. And so customer A, customer A was in the situation of a very fulfilling migration to the new IM system.
The last system was running for more than 10 years and the IM leader was extremely proud of achieving that. And it was at that time, so shortly after the go-live, where the first zero trust initiative started at that company. And so for several different aspects, this person A really thought of, well, you know, at our company we are so huge and it's so complicated, I'm dead sure zero trust will fail, right? It's so complicated. I don't agree. I think zero trust is not that complicated. It's complex but not complicated. But he said it's so complicated and, in general, these projects, you know, the first approach and the second approach failed. Then maybe the third approach I really get into that. Of course he was not neglecting any features and was supporting the whole project, but he was not getting himself as IM leader involved into the zero trust program or project that was happening.
Customer B, I want to talk about, is a totally different story. Customer B really was running around asking, hey, do we want to do anything around zero trust? Really, who is leading that? Where can I participate? And nothing was really happening. So he started by himself saying, okay, what can we do, right? Engaged us, and I'll tell about this a bit more at a later stage. But even though nobody really had an interest in zero trust, right, he started to really look at all the different aspects of zero trust, even outside of the IM domain, to understand the requirements that will be coming towards him. And this was a couple of years ago, right? I'll not go into really more detail about the other aspects you see here on the slides. I think you can read them yourself.
I highlighted what I put here, what I also see quite a lot, which was not mentioned in the study. So that's the blue line down below, and that's what I mean by, you know, zero trust is complex. And I mean, it's not a secret by now, I think you can get it. That approach of customer A and of IM leader A was really failing overall. And the main reason is a simple rule. It's the big fish and the small fish. In that company A, when they started implementing zero trust, it was mainly led back in the days by the networking guys, and they were really looking only at the small piece of networking and they were really, really in the nitty-gritty details of it all. So therefore, as I said, IM was not a huge topic for them.
And also the IM leader kept out of it because he said, well, they're talking about such low-level details, I don't really care at this stage. But this effect I see time and time again: zero trust is humongous if you really start looking at the different aspects. That's why I would really love to talk in the Q&A session a little bit more about what you mentioned, Martin, of saying keep your scope in control. If you only want to look at network, only look at network. I see many companies who are not able to do that, maybe because they don't focus enough, but also maybe for other reasons. So the zero trust program really got bigger and bigger and bigger and bigger, and very, very soon it was a lot bigger in effort and people involved, you know, in departments contributing to the whole program, that IM was the small fish suddenly, even though this IM program, as I said, was extremely successful. It was a huge project, migrated a high three-digit, four-digit number of applications in time from the legacy system to the new one, et cetera.
And was really looked at from many different angles. Also on the top management level it was very satisfactory, but suddenly it was a small fish.
Okay, let's talk about the managed services aspect both of these customers were using. And in both cases, because we're talking about something that is running for a couple of years, we're talking about an aspect that is maybe, I would call, a version 1.0 of a service that we now offer, which has a lot more options, a lot more attributes. So with iC Consult, we're a vendor-independent IM company offering a huge variety of different services. I today only want to talk about what we call the smart managed services. And that is the result of a huge effort we took last year. It started last year. It's a continuous effort, like many of these things are, where we really have analysis on what is happening in the SaaS market, so software as a service market, in context of zero trust, which is our topic of today, and many other aspects, and we see a higher and higher adoption rate of managed services.
So I mean, we do managed services for very long, for many, many years, but we really thought, let's give it a thought what we can do to help our customers in a better way, actually. And we came up with these three attributes that in our opinion really matter for our customers, and that is the flexibility, the end-to-end scope and excellence. And these are of course first just buzzwords. So let's give these buzzwords a bit of meaning. What do I mean by that? And I will, yeah, we'll keep it brief and only talk about it in the context of zero trust. So when I talk about end-to-end scope, I mean different dimensions of how you can look at it. When we set this up with a customer, what we want to do is look at the various different types of services. So many people, when they talk about managed services, they only speak about support, maybe operations, right?
These are the two aspects that are very, very common in the managed service area. When we talk about our managed services framework, we go a step beyond and really we package all the types of services we as iC Consult offer around identity and access management into a bigger framework. So you can get advisory, you can get consulting, implementation, support, operations. And we even started to allow business process outsourcing. What do I mean by that? That is, for example, you get an SLA on how many applications per month you get onboarded, or do you have your re-certification campaign being outsourced, stuff like that. So a whole business process being outsourced around identity and access management. We do nothing else. So when we talk about how to make managed zero trust work, please have that in context, right? I'm only talking always about the identity and access management piece of the puzzle, which is a huge one.
So the second dimension we were looking at is the coverage of services. When looking at zero trust, there come a ton of new requirements to IM teams, and mainly, you may remember the short teaser we did where we put some thoughts up, where I said, are you already best friends with the CISO? I really mean this. We as IM community have actually a tendency to not see ourselves as part of the security community. And I think this must stop right now. We are part of the security community by now job and we need to work very, very closely with them. And I'm coming back to my customer A, right? So it didn't really have any contact, or sorry, I want to talk about customer B. So customer B did not ever have any contact with the security department before really looking at zero trust and what he can do there. And I mean, apart from, okay, I need to have my own application and stuff like that. He did of course that with the internal services, but apart from that, no real contact. And basically then that's what he did, right? He reached out, well, not to the CISO directly, but levels under him, getting a grip of, okay, what do we plan and when do we plan something, right? Okay, it's not on the radar for this year, but maybe next year. Is there anybody working on that? To be really at the forefront of it.
And at the same time he started really working towards all of the requirements he was seeing that potentially come, that typically also benefit you in other areas, right? If you have a good concept around how to provide cloud access and how to manage that in your IM, then once zero trust is coming, which typically addresses these problems in an early stage, because a couple of the best practical literatures you can find are the zero trust concepts provided by the big cloud providers. For example, if you want to adopt something in their area, then they have good literature on that. So that is something that I see very often, that for customers that is a starting point for zero trust. So if you are a heavy Azure user, you start your zero trust initiative in Azure; AWS, same thing. And then you roll it out from there to the whole organization.
So we started really, okay, we need to get to the cloud and we need to have a very efficient way of managing access, how do subjects access resources and all of that in the cloud, and started that. And what we see is then, when you start getting into more contact, that you quickly learn that there are a ton of security signals coming out of the IM where IM teams typically are not ready to cover that 24/7. You know, if you have an alert triggered by logs in your IM system, for example, it's sometimes very, very hard for central SOC teams at our customers to analyze what does it really mean and what is the impact? Do we need to shut something down or can we mitigate it by only shutting down the single user? What does this log entry really mean?
And then in many cases the IM teams, they have not 24/7 coverage, needless to say somebody available with the knowledge to analyze the impact of such an event. So we also made our services bigger, introducing an IM SOC, right? We don't want to be your general SOC for everything, but we think it really makes sense to have IM experts on hold all the time, so in such a case, you have an incident, you can really reach out and use that. And then last but not least, of systems, also, to be honest, something that we didn't think of but this very customer B thought of, right? He had this legacy system and he wanted to do the move to the cloud. So what he did is actually giving us the responsibility of both, saying, okay, you manage our on-premises system and the cloud system.
And when you do that, right, if you take longer, if you're not efficient enough, then it's your problem, right? You take responsibility and risk from my end. And that's the key message here. So managed services is a lot about risk handling. What kind of risk from such a complex project do you want to handle yourself? What kind of risk do you want to have somebody handle outside, right? Who has many other resources, other experiences, et cetera, and can maybe handle this risk better. It's a very basic insurance question, and many of the security questions are such questions. So this is what we mean by really many different dimensions where we look at. Then another aspect which is really important is experience. As I said, right, it's a very old concept, 2010, centuries ago, basically, since we know zero trust.
So it has evolved a ton since then and it is evolving very, very quickly also now, right? Every single week, if you look at the security market, you see not one, not 10, you see hundreds of new vendors reaching the markets globally that tell you that they have something to do with zero trust, right? So having the knowledge of all of these is absolutely impossible. Also for us. I mean, I'll not tell you anything different than that, but at least there is a very good chance, right, that we have touched the products you'll be using, you want to start integrating with your IM system, with your SOC team, et cetera, that we have done that also before. But the key message is, it's absolutely important when you look at a managed service provider, doesn't matter whether it's us or somebody else, absolutely key to understand what are they doing to really train the people constantly.
Not one time, but constantly. And this is also an aspect where we think it really makes sense, if you do something around identity and access management, to partner with a company focusing on that, because we do nothing else, right? All our people, we will not have anyone sitting in our support team who has done network security before, and that was the only part, and he was a sysadmin for networking somewhere, right? Whoever works for us is really focused on identity and access management. And that really helped us a lot in getting a lot of managed services customers happy in that aspect. And last but not least, before I come back to the stories and also some more challenges that I typically see, is the part of flexibility. And this part of flexibility is a two-edged sword. On the one hand side, the time I'm dealing with managed services, which is a couple of years now, I have not signed the same contract with the same type of services a second time. It just did not happen.
Every customer really needs a little bit of a different thing, but at the same time, as I said before, it is absolutely important to create these efficiencies in in your IM program if you want to handle the big complexity that you're going to face when adopting your trust. So this is, this is the fine line you have to walk on to really have on the one hand side flexibility on the other hand side, you need standardization in the single types of services that you deliver. And this is, this is true for yourself if you do it yourself, but it's also true if you engage with a services partner like us and don't take what, what we see here at this slide is only an example of how we look at this, of this whole piece, right? Where we bundle all of these different types of services of advisory, of support, of implementation, and you have really different options that you can choose.
What we like to do is really when we start engagement is going through all of them, even though you, you, you will not really consume anything else then let's say a one-time implementation of something that you like and everything else is not of interest right now, but what we see times and times again, things change and that's part of flexibility probably in, in, in a year or two your team setup looks totally different, right? Maybe people left the company, people have left to a different department, you have a different situation, et cetera. We see that all the time. And then suddenly you are in need of having a, having a partner supporting you or it's even the strategy, right? We see these waves of okay, we don't want to insource everything and then a couple of years later somebody at sea level sites want to outsource everything again.
So that is something that, that we see times and times again and for all of this, right? It's good to be, to be ready. So what we, what we like to do with our new framework here is really very briefly doesn't take a long time discuss all of these aspects, what is potentially interesting, what is not interesting at all, et cetera. And, and this helps us because then when we agree to let's work in this type of framework, then we can really make sure that we have these efficiencies. Even if you take one of these options later, even if you change your mind, you see for example here for the implementation, a managed capacity model, which is something that we offer where we really on a, on a monthly or quarterly basis, we change team sizes very quickly for very large scale projects for example.
So having this kind of flexibility absolutely important because zero trust, as I said, has a lot of complexity and wherever we see this adoption running out, right? Even though you do a lot of concept work, we see that in the stats, you get surprised of how complex it really is and then you have a big migration of something happening and suddenly you really lack, I dunno, can support people that can happen very, very easily. So the customers who are really using this, I really appreciate that we are able to scale in different aspects, scale as I said, by dedicated people scale by shared teams that we have introduced. Now that also helps smaller customers who don't really engage with the full support team right away or ever because that's just not needed for the number of identities that they may have. Okay? End of, end of end of that part.
Some more challenges that I see very, very often and I want to finish with my story and and, and just leave this here, but maybe that introduces some, some aspects for you to raise questions in a couple of minutes. So customer, customer A, right? Keep in mind you stayed, stayed away, stayed remote from the Zero Trust initiative and it became super, super, super huge. And basically when he understood this, IM leader of customer A, that it's becoming this big thing and even though it was failing in many aspects, but in others it was successful and you know, and you have the same cost and all of that, it was too late. He was not able to really get to the decision board anymore. He was not able to really steer how requirements should be shaped, et cetera. What really helps this IM system and basically what was happening is, okay, we were not talking to you all the time, so what we did is we looked at other services that we have from cloud providers, from other vendors, et cetera.
And actually in the end they ended up having another access management system. An access management system, which then they used for all the zero trust use cases. And guess what? Now the plans we need to migrate away from this first piece that they put in place and get to a new system which supports zero trust better because that is the strategy that they move forward. So I would say this is a, a a a huge failure overall and it could be avoided by really getting engaged early and understanding very, very early how big zero trust can become quickly and, and also that, that it cannot work without IM, right? So if if the Zero trust initiative is not talking to you as IM leader, then they're talking to somebody else doing IM, it, it can't happen. Then there isn't zero trust initiative where, where, where identity access management does not play a key role.
So this is, this is the kind of aspect that you should have in mind and needless to say, right, customer B I was, I was talking about, right? He's not a go guy, he's not leading zero trust because he, he never wanted to be, but he's really in the steering board, everybody's really appreciative of him often being around being very knowledgeable about the topic, right? So for him it's piece of, piece of cake to be honest in the IM area to tackle the challenges around, around zero trust doesn't mean it's easy for the whole organization, but it means it's a lot easier for the IM program that he's running at at at customer B. So apart from these key messages, last slide, promise apart from these key messages, take it with you, right? And I I really mean it's serious. Try to make the connection to the rest of the security community at your company, really get to those departments, really get into contact and understand this early and, and, and start doing.
That's, that's, that's the key message. We need to, we need to stop conceptualizing too much and really get the adoption rate up because 13 years is just, just way too long. Yeah. Apart from that, I would say these three key aspects also very important from my end. But if you look at a managed service partner focused on these three aspects, we all know this, you can, you can evaluate a thousand different things, but my recommendation is focus on these, the experience and expertise around exactly what you need. That's, that's key number one, right? And that's where I think looking at a specialist for IM, when you look at IM makes absolute sense. We have seen that also not in one of the customers I mentioned, but we, we have to very often that first you have the support operations for many years and a generalist doing basically everything for you in your IT organization, but you understand, oh, it's zero trust, it's now getting more complicated. Somebody needs to have more knowledge about our infrastructure, modern systems that we have. So now we need to rethink how, how we really do all of these aspects. And actually I was, I was basically in, in a customer presentation last week where exactly that was happening that the whole support organization was analyzed again and, and rethought around, okay, what what can we do to create more efficiencies with these?
Yeah, the rest I think are, are very, very common practice, terrible German translation and no-brainers. So we assess the integration capabilities and also understand the approach for continuous learning as that if you have good guys today, it doesn't mean you have good guys tomorrow. So it's inevitable and super important that your provider, whoever that is, or if you're doing it yourself, focus on this continuous learning aspect extremely and makes it plausible. How, how is it happening and why is it happening? You know, because typically you have a tendency if you as a customer are not paying for it, why should your provider do it? Right? And, and if it's not transparent, then you're paying for it, right? How, how is this translated? It's very important to really understand this, this, this aspect because times and times again, we've seen that simply then doesn't happen. If nobody puts priority on it, it simply doesn't happen and your knowledge gets, gets outdated very, very quickly in, in this aspect. So that was my, my last slide. Now I, I really look at some, some questions. Hope we'll have a good discussion.
Thank you. And I go back to my screen. So we should have the screen again and we go into the q and A session. And so, so first thing is if there are further questions, so we have some questions already here, feel, feel free and to enter these questions in the, into the tool so that we, as I said, the more questions we have at the end, the better it is, the more more we can discuss. But also feel free to share some of your, your experiences here. So, so for instance, when, when you were implementing that, what are the biggest challenges you faced or if maybe also how did you overcome, feel free to provide a of insight into what you did in your organizations or experiences with IM managed services. I think these are aspects which then can pick up also in the, the q and a and look a bit deeper into that. So here, here, here's the first one, which I have to admit contains one, one model I'm not very familiar with, but maybe Heiko you can answer that. That just came in from one of the participants. Do you think Istio could be a good start for implementing a zero trust framework for an on-premises in-house developed distributed service platform using Kubernetes that shall be extended by resources for public cloud? So that's question, but
Yeah. Yeah, I can answer that, but just, just as more com I cannot see the questions unfortunately. Maybe we can do something
Reading it. I can reread it if you want. Okay.
Okay then. No, no, I, I hope I got, I got everything. So, so it to, to get everybody on the same page, Istio is a tool especially designed in the Kubernetes world to create a service mesh in Kubernetes. I would put it in the area of microsegmentation. And, and that's why this question is extremely specific, Ron. Yeah, well this technology I would say, I would say yes. Am I okay, I I need to make it bigger, right? We, we were saying this quite a couple of times, right? Zero trust is, it's complex, it's, there are a ton of different aspects. So it's very subjective in the end, what is the best first step for you if you want to adopt zero trust? And so this is a network security aspect that you're looking at and it's even more specific, it's a network security aspect than Kubernetes.
So that really depends, right? If you are a huge organization and Kubernetes is the platform of choice in the future for the things that you really care about, then maybe that is the best first thing to do, right? And then, I mean, Istio is, I would say in the, in the Kubernetes community, a de facto default now, right? There are some good alternatives as well. And then it's, it's also very subjective and we would need probably an hour to really go into details whether that is the best tool of choice for you. But it's, it's definitely, I mean, one of the market leaders in that aspect. So that will not be a, a bad choice. At least that is something I can say.
Okay. The next point I, I'd like to discuss is, so, so when implementing zero trust architectures, what are, and as I said, if anyone has to share something around that, but also from your perspective, Heiko, what are the, the biggest challenges you, you see your customers facing and, and how did they deal with that? I can maybe add that a bit from my end. How do you go first? Yeah,
So I, I had it on the slide, you may remember we had this kind of blue line at the bottom where I put what I see very often at customers, and this was legacy systems. So you come up with a very cool concept and the, the day one you really want to bring this to reality, you find out you have these ton of legacy systems and what typically happens is then that you do not start implementing something and achieving the 80% that you can achieve, but you get back to the drawing board and that's the reason where you see customers times and times again staying in this constant phase. Next thing is complexity. I think we talked about that a lot. And then skills gap, that's, I would say number, number three priority, right? Customers that we talk about, they do not have the people ready that they would really need to work on that because typically, you know, zero trust is brought up by people who do something else at the company already, right? So they didn't have the capacity to really focus on this part in full, in full detail. Yeah.
Yeah. And there, there are a lot of new technologies. So all these fall out five letter acronyms, a lot of promises for, for marketing. So, so I, I think when I look at trust, the number of tools that come a bit with the promise, if you use that tool then you have zero trust done. Honestly, there's not a single tool that, that you that does every single of zero trust. So what what I see as, as, as challenges is really as it is understanding what is in and and sort of prioritizing where to start and, and what really delivers then a benefit. So this educational part also has to do with skills. I think the other part is also when we look at zero trust, then we have this, for instance, this policy concept. And when we go to a new zero trust architecture, there's a wonderful policy control plane and this policy control plane must then work with a wide variety of systems.
And, and when we look at this, then it means we, we end up in sometimes the situation or they're, the systems are not really ready to, to be controlled by policy. So when you look at I tools, then there's some way to go for certain areas of policies, but we also end up in a, in a, in a situation that we, we talk about integration and integration I think between the different components of zero trust from central control planes to to enforcement and different areas, that also is definitely one, one of the bigger challenges. It requires also, I believe to, to overcome that a good, good amount of pragmaticism is extremely helpful. So if you are pragmatic yep, it makes a lot of sense. Oh, sorry, a lot of things much easier here in the zero trust world. So it, it really makes things, you need to sometimes say, okay, I can't do yet, but I at least know how I will lose policy over time. But I, I do that part first maybe in a, in a way which is not as, as perfect as I'd like to do, but at least I I made a step forward and also sometimes be, be happy with making steps forward.
Absolutely. And I really want to highlight this of the story of, of customer A, right? It's also, and, and by that I want to stress what you said about prioritization. Prioritization does not only mean what do I want to implement first. It sometimes also means one of my processes that I do have today is really keeping me from achieving something. So at, at another customer, what we recently did, we're extremely proud of is we had this, and I told, I told the story of there was another general service provider managing the operations part of, of, of the system with about 20 people. And then we looked at the system, took it over, and actually nowadays we have less than a 10th of the tickets that were there before. And also we do it with less than five people. So that's a quarter of the people that were dealing with the same stuff before. So that frees up a ton of capacity, either it saves your cost or it frees up a ton of capacity of really achieving something. So it's not only looking at all the new things that you want to do, but sometimes it's also about looking at the old things to really make something work and, and free up the capacity to deal with it.
Yeah. Okay. And I think we can pick one more question, and I think this is an interesting one because it's about balancing the, the need for higher security. That's what we want to achieve with better with user convenience to me may maybe I start here. To me this is always the wrong way of thinking, balancing security and convenience also means security goes up, convenience goes down, convenience goes up, security goes down. We would serve our, our, our sort of users much better if you could bring up both. And I, I believe that that zero trust when we look at the identity piece and the authentication piece can, can hold the promise or or finally deliver to that. When you, when you look at modern authentication, adaptive risk, context based, et cetera, then the way we authenticate today with using secure elements on the device that that work in the background with biometrics et cetera, is way simpler than most of the authentication specifically cause the strong authentication in past it's also way, way simpler than username, password. So I, I think there are, there are areas I I think there's a growing understanding that balancing security and convenience includes the mistake because it's combining those
If you can. I mean it's not always possible, but especially in Im right now, we have a ton of very good trends in that area where, where that's really the case, right? And that's a win-win. And I think we as a community need to get a lot better at, you know, explaining these benefits. We are driven by, you know, many times customers come, well, we have this audit, we have these findings, we need to get rid of them, right? And that, and that's the driver for the next implementation of the next feature, et cetera. So in many places you're not used to articulating the benefits that you're bringing to the organization. And, and that's, that's changing. If, if you do what, what what you just said Martin, right? If you bring better security and better convenience to the organization, then you really have an asset that you bring. And, and that's something that I guess we as an, as an I community need to get better at communicating that to the broader organization.
Okay. Heiko, thank you very much. Thank you to iC Consult for supporting this webinar. Thank you for everyone attending to this, this webinar or listening to the recording later on. So I think this has been insightful and hopefully helpful to support you and making zero trust reality and understanding what can help you here. So thank you very much and hope to have you soon back at one of our KuppingerCole webinars or events. Thank you.