Hi, I'm Martin Kuppinger. I'm Principal Analyst at Cooper called Analysts, and I'm here today with Trex Shore, who is Chief Strategy Officer at Kiki. And we will have a talk about the role of identity management and in particular, I g a, so the use lifecycle provisioning access governance piece within Zero Trust. Welcome Jackson.
Thank you, Martin. It's great to be here as always.
Yeah. So, so maybe we start a bit with Zero Trust. So I think everyone has a bit of an idea what Zero Trust means, but maybe we, we, we give a bit of context how we understand your trust and then look at the role identity plays in Zero Trust. Do you wanna start?
Yeah, sure. I mean, I can, I can give you my perspective, certainly from, you know, the very early days when I started working the typical access method to get into, you know, a network or, or computer system of some nature was a modem, you know, which basically turned into using a VPN to, to getting into one of these systems. And it was kind of like, to me it was like, you know, the old medieval fortresses, right? You passed through the gate and you were inside and you had access to everything, whether you needed to go over to the food stall or you didn't need to go to the food stall, it was there, you could go over to it if you wanted to, or the dungeon or, or what have you. And I think we've operated in that mode. I mean, from, I mean, I started using modems back in, you know, the early nineties. And I think we've been using v oh, I mean, people still use VPNs, but we've been using VPNs as that gateway into the fortress for what, you know, many, many years now, 20 plus years. And I think what the realization that folks have come up with and, and it's, it's really the right thing is, you know, if somebody needs to come into, in quotes the fortress, let 'em have access to the only thing that they need to have access to at that particular time.
So that is partly zero trust. In other words, you can only get to what you actually need to get to at that particular point in time.
Well, we don't trust you. Trust because you
Passed. That's right. Your gate, just because you got past the gate, doesn't mean you get to go to the food stall. Yes. You have to have money in your pocket too. Yeah, and I think the second thing that, that, that brings with me is, you know, the fact that there really isn't a fortress anymore, right? With cloud computing, there's all these, let's call a mini forts or tents or what have you, everywhere. So again, back to the whole concept of, you know, once you get in, you've got access to all these different things. Companies and, and certainly cyber hackers have realized that there's a lot of targets of opportunity. So to me, zero Trust is very much around reducing that attack surface, reducing those targets of opportunity, and where you have these targets of opportunity. I, I think the, the thing on top of that is hardening them. How do you make it harder to get to those things through things like multifactor authentication or, or other methods? Yeah,
So, so when I look at Zero Trusts, I always say, okay, you know, the point is, so we started with Zero Trusts networks, but we quickly learned it's not just a network. There's more than the network. And, and so again, this, where I believe identity and access are so important for Zero Trusts is it starts with identity. Martin is using a device, go over a network to an application to a service and access it. So it starts with the identity Martin, is it Martin and exactly. To the Access. And I think, so over the past years, and that's what I found very interesting to see, is that the, the, the perspective of the focus of what we talked about in Zero Trust really shifted from a network-centric perspective to an identity and access centric perspective. Where I still see, and I think this is maybe part of our conversation today, that the focus is more on the identity and authentication side, but to me, the access the authorization side plays a equally important role because this is about which entitlements do I have and will I be authorized to do? So it's a bit about someone in the Fortress saying, okay, I know you are authorized to do so or not, I let you pass or not.
Yeah, I, I mean very, very much so. I mean, you know, the whole, I I think one of the main concepts around Zero Trust is this almost this concept of continual trust, right? And continual authentication and continual authorization. I mean, the, the, the, the idea of a person having, you know, being checked to see if they have access to something at a particular point in time. If, if they're authenticated to a particular entitlement or to a resource, are they authorized? Do they have the authorization to talk to this or, or use this particular entitlement or resource? And literally those things can change in some ways. I mean, I, I wouldn't want to be on a network where those things are changing minute by minute for every user, but it is something where we have seen the industry want to move towards much more of a, I'll call it, near realtime authentication and authorization for access to these various entitlements.
And, and isn't it that, that, anyway, the, the access part, so the authorization part of it is where, which is always, which always has been more continual because you access something and it's authorized to access whatever the next file and it's authorized, so you do it. So, so you come in once, but you, you have many authorization. So in that sense, I, I dare to say that we are closer to a continual access control in the broader sense, when we look at the author authorization part. I think this is also where, to my, my man perspective, the the need for, for being really good in the IGA part. So not only having an account, but having the entitlements and the access governance done right, yeah. Occurs
Right. Well, you know, I've always been a big proponent of, you know, look, you know, if I step back, so in 1999 when I joined Microsoft, you know, we launched Active Directory about six months after I joined. And you know, you're basically presented with this, what I call an empty pool. And you started filling it up with things, resources, identities, groups, distribution lists, security lists, ccls. You just started filling this pool up with all kinds of things. And like any pool leaves fall, the wind blows, you know, various different things into it. And you have to maintain that pool, you've gotta change the filters, you've gotta clear the stuff that's, that's, that's in the pool. That shouldn't be in the pool anymore. The problem is that, you know, whether it's active directory or whether in, in, in today's world, it's something like Amazon or it's something like Salesforce or ServiceNow or any of these other systems who've been around for multiple years, there's a lot of leaves that blown into the pool.
So part of the problem, and part of the reasons why I'm, I'm so interested in this from the, the IGA perspective, the governance perspective and, and trying to help clean these pools up is basically to give people visibility, to give companies, managers, employees, business leaders, visibility into all of that stuff that's in the pool. Now, some of it's garbage and some of it's not. The problem is that most companies don't know because it, you know, there's been so many changes of employees, of vendors, there's just been so much happening. Like if, again, if I go back to my ED days, you know, we're talking about 22, 23 years passed in February of, of 23, right? Will be the 23rd year of active directory. You can imagine you have 23 years of leaf buildup.
And, and the problem there is also, you know, in real world when, when in the region I live, pools are empties,
Right? Yeah. And then, and
Then filled up, they're filled again with water in spring. But you can't empty the pool. Not even for, for an hour or or a day, your director entitled Exactly. Let's start again. So we need, so this is, I think where IGA comes into play that help
Us hundred percent agree
Sort of reducing the garbage and keeping the tool ti pool tidy without the need of sort of, yeah.
Yeah. And, and, and to be honest, you know, when you think of this, I mean, and, and here's again, part of the situation we're in, right? I mean, I've, I, I even me as an employee in companies, not the one I'm at now, but in previous companies, as a manager, I would get these reports every quarter, Hey, Jackson, here's your 23 employees. Go through and look at the, their entitlements and certify them. This was a quarterly activity, it was a pain in the butt because it was, you know, you were under some kind of a deadline to get it done. So the typical thing was, I don't know what all this stuff does. I'm pretty sure my guys all need it, and let me click the approval and send it off. You know, just as we just talked about the sort of continuous aspect of authentication, the continuous aspect of authorization, we have to have this continuous aspect of reviewing our entitlements. Yes. At least,
At least as long as we live in a world where most applications work with static entitlements. Yes. So in, in, in,
Yeah, that's very true. Yes.
In, in, in a brighter world where, where the application has to ask a system authorized or not, and work against policies, right. Which we see as a huge uptake in the, in the development of digital services where we really see this coming back. Right. It would be simpler, but I think we have trust to cope with the reality. And that is right. Most are, most applications work with static entitlements,
Unfortunately. That's the legacy. Yes,
Yeah. So no, I, I, I, I agree. I agree a hundred percent. I mean, to, to move towards policy based access, you know, if there was a way for us to, well, not a way, there is a way, you know, the historical problem I found with, with some of these things is the requirement to basically re-engineer an application click. In the old days when before we used ldap, for example, we, we, we waited for the vendor to add LDAP support to their product. And that's a situation where in today's world where you have potentially tens, if not hundreds of SaaS applications, you're waiting on all of them to include policy-based authorization or policy-based access or policy-based entitlements. So it could be a little bit of a waiting game, but just even the aspect of being able to move from the periodic once a quarter, once a year, do you need access to Salesforce? Do you need access to this Office 365 entitlement? And making that a bit more continuous and a bit more real-time and friendly. Like perhaps sending a Slack message to somebody or teams message saying, Hey, Martin Jackson just needed access to this report. Is it okay? Yes. No, versus the, the, the every quarter, Hey, US Jackson still needed access to,
You're raising a very important point. And that is what, what I, I say one of the things is we, we should also think more about sometimes time restricted and going away from, from big spreadsheets to simply yes no decisions. Because everyone of us is quite good in making a simply yes no decision. It's like you get a mail was a simple question. You will answer that respond reply to that mail immediately, usually, right? If you get a mail where you say, okay, oh, this requires some sinking, this will take me an hour to respond to you, put it away and try not to do it. And that's what we do with reunification. We create something like these complex mails that are put away. If we make it simpler and more continual, we definitely will win. And we need to do it, as we said, for the foreseeable time, specifically for the legacy world. And a lot of SaaS already is in that sense legacy. Right? And maybe in a couple of years we will see more policy based Yeah. Access authorizations and that will simplify a lot of things. But for now, if we think about zero trust and going back to our, our theme in zero Trust, this access piece is so essential, this, how do we get a equip on the entitlements, ensure that these are the right ones, because only then we can do the right our authorization and sort of correct verification of access.
Yeah. I I, I completely agree. And you know, I would, I I know you're not meaning in the sense of email as email, but a notification methodology of some nature. Yes. Because, you know, in my, in my own organization right now, you know, there are a lot of people that, there are old people like me, if I want to use that phrase, that's that still don't mind using email. And then there are other, other folks in our organization who are younger who barely ever look at their email. They're all into Slack and teams and in all of these other social media concepts. So I think that's also as part of the problem, is in, in a way, you know, we have to be very market, market marketing driven on some of this stuff and appeal to a broader audience inside of an organization because it all organizations aren't running by just email anymore. This is part of the problem. They're running by multiple different things, right? To reach someone. Yes. You've gotta speak to them in the language that they're, that they're on. I mean, hopefully we're not setting them Instagram messages
Can say why I like, Hey, I sent you an email.
But that's also not the right way to do it, as we all know. But technically a pleasure to talk to you. And I think this work was some, some insightful talk about how sir trust and I g relate, and that we indeed can't succeed in our zero trust journey without a strong IGA poster. Jackson. Absolutely. Thank you very much for taking the time
And thank you Martin. I appreciate it too. It's great to talk to you.