KuppingerCole Webinar Recording
Well, good morning, good afternoon, good evening, depending on your time zone, and welcome to our little monthly get-together, the KuppingerCole webinar, with me, Dave Kearns. Today, our subject is best-practice-driven identity and access management, and I'm very happy to have a distinguished panel of guests with me to talk about this: Nelson Cicchitto from Avatier, Dave Fowler from Courion, Mike Neuenschwander from Oracle and Rudolph Gruber from Atos. They'll all be chipping in with their ideas on what constitutes best-practice-driven IAM at this point in time.
For those of you who aren't particularly familiar with KuppingerCole because you happen to live in the Western hemisphere or in the Asia Pacific region, KuppingerCole is Europe's foremost analytical firm for identity security in the cloud. We do enterprise IT research, advisory, decision support and networking for professionals through subscription services, advisory services and events, including our biggest event,
and one of Europe's biggest identity events, the European Identity and Cloud Conference, which will be coming up in April this year, a little earlier than normal, in Munich, or just outside Munich. You can go online right now and register, and you should. This will be my sixth, I believe, EIC, only my second as a partner of KuppingerCole, but I've always found it to be enjoyable. And you can look back through some of the things I've written about it in past years to find out just how enjoyable it can be. Okay. For today's events, we have some guidelines.
I almost said ground rules. All the audience is muted centrally; you don't have to mute or unmute yourself. We control that from our end. The webinar will be recorded and the podcast recording will be available as of tomorrow at the same place you went to register for it. In the little control panel that you have at the bottom, there's a section for questions and answers, or questions mostly. And just whenever the question occurs to you, type it in there and send it. We will take some questions during the discussion
if it's apropos to what we're talking about at the time; otherwise we'll, we'll leave them to the end and hopefully we'll be able to get to all of them sooner or later. Our agenda for today is very simple. I'm going to have each of our panelists introduce themselves and their companies, and then we'll jump right into our discussion of best practice IAM. And then finally, we'll finish up with some Q&A. So with no further ado, we'll get right into it. And I'd like to ask our first panelist, alphabetically at least, to, to step up to the microphone and, and tell us about himself.
That's Nelson Cicchitto of Avatier. Nelson? Thank you, Dave. Nelson Cicchitto of Avatier, the CEO and founder of the company. We founded the company in 1995. We're a leading identity management provider in the industry, focused on user, application and asset provisioning and deprovisioning, along with GRC and enterprise password management. Avatier has customers from all sectors, including MillerCoors, Starbucks, Marriott, ESPN, Texas Capital Bank, and over a million user identities at the US Air Force. Analysts and customers alike have documented
that Avatier has the quickest time to value and best overall operational efficiencies in the industry because of our graphical configuration-based approach versus the custom development approaches of other vendors. Leading the industry with innovative methods and technology like the world's first identity store and shopping cart experience, Avatier is the identity management solution that puts accountability in the hands of the business users rather than IT. So with that, I'm looking forward to being part of this panel.
Thank you, Nelson. Next up, Dave Fowler, excuse me, Dave, chief operating officer for Courion. Dave? Thank you, Dave. So as Dave mentioned, I'm the chief operating officer for Courion Corporation. We've been in business since 1996, doing identity and access management with our emphasis on password management, identity and access governance and provisioning solutions, and more recently in the area of access intelligence, which is the ability to process all of that information to be able to give an organization a view of their actual risks
from a security perspective. We've got over 500 customers deployed successfully and over 14 million identities that we're managing across those organizations. The company has focused and has been identified as a leader in both the identity and access governance area, as well as in the provisioning area. And our focus has been on helping organizations pull together all of the individual pieces of their identity and access management into an overall system, and in many cases, using systems integrators as partners to do that. Our primary focus has been to do that as a premise-based solution.
But more recently, we were also deploying this as a SaaS-based solution as well. Thanks, Dave. I apologize to everybody now for the little frog I have in my throat. I may occasionally have to cough like that and do it before I can reach the mute button. So I'll apologize in advance. Mike Neuenschwander is senior director at Oracle Corporation.
Mike, why don't you tell us, in case there's somebody out in the audience there who doesn't know what Oracle is? Tell us a little bit about what the, what you do.
Thanks, Dave. Yeah, so Oracle likely needs no introduction.
It's very, it's a company that I think everyone's familiar with. I've been at Oracle now for about two months, and at Oracle I'm in the product management group and responsible for the overall strategy of the suite and where we're headed into the cloud. The Oracle products have been, I think, also very familiar to the audience. Oracle, of course, acquired Sun a while back, and for that reason also received all of Sun's identity management products, but in addition has made some strategic acquisitions in the space and currently enjoys a very broad product offering in the identity space.
So with that, back to you, Dave. You know, I actually have to unmute my microphone to speak. Next is Rudolph, who's director of product management for IAM. Rudolph? Well, hello, thank you, Dave. I'm heading the product management of identity and access management at the Atos group. So Atos is an international IT services company with annual revenues of about 8.6 billion and 74,000 employees in 42 countries. We serve a global client base. We deliver high-tech transactional services.
For example, in the banking industry, we do consulting and technology services, systems integrations, and managed services. We are focused on business technologies, and it's interesting to know, Atos is the worldwide information technology partner for the Olympic and Paralympic Games. How did Atos come to the identity and access management products, to the DirX product family?
It acquired the DirX product from Siemens in July 2011 and is now a leading vendor of identity and access management products and solutions. The DirX identity and access management suite ranges from automated user and rights management through access management and identity federation, and goes to identity governance and identity auditing. In addition to the IAM core solutions and products, we also provide consultancy services for security and risk management.
We have biometric solutions, smart cards, card management, and public key infrastructure as part of our product range for IT security. Very recently, Atos, EMC and VMware announced the strategic alliance for open cloud computing, and Atos plans to create a new company, Canopy, to provide a wide range of cloud solutions and services.
And a couple of months back, in November 2011, Atos and UFIDA, the Chinese leader in management software solutions in Asia Pacific, jointly announced that they formed a joint venture, Yunano, in order to address the growing cloud market in Europe and China. Maybe many people of you also don't know that maybe we are the, the longest, we have the longest history in identity and access management, which goes back to the end of the eighties last century, when we started with directory services, and in the middle of the nineties, we then took in the product range the directory synchronization product.
So we really have a history in identity and access management for more than 20 years. Thank you.
Thank you, Rudolph. It was a pleasure, and it's interesting that, that you made the point that you've been involved, your company's been involved in, in identity and access management services since the late eighties.
Really, when you were doing directory synchronizations. Nelson, I believe you started out in the mid-nineties, and Courion started out in the mid-nineties. Of course, Oracle Corporation's been around much longer, but didn't get into the identity space until the mid-nineties, when the directory product was, was first started as sort of an adjunct, a place to store identity information for the applications. And this leads right up to the first point I wanna bring up. Back then, in the, let's say in the nineties, access management really meant, if it meant anything at all, it meant physical access.
We were talking about keys and doors and locks and things like that. Identity services tended to be about the directory. All other things were getting layered on top of that, but we didn't have, at that time, the suites of IAM products that, that vendors are offering, that all of you are offering from your companies.
So at that time, it was very important that people found the, the best of breed, the best solutions for each particular niche in IAM. Really, that's no longer necessary, but can any of you say that you offer a complete suite, that really the typical customer doesn't have to add anything else from outside? Anybody want to try that one?
Well, this is Rudolph. I, I would try to, to step into that. Of course we do not offer a complete suite of identity and access management products. So there's so much innovation and dynamics in the IAM business these days that we really do concentrate on the core products for management, access management and governance.
But if you look at all those strong authentication providers, privileged access management products, I think the best-of-breed strategy is still viable to the customers, to the enterprises and the organizations, because otherwise they would not profit from the innovation that's in the industry still these days. Okay. Anybody else? We're all in agreement then? This is Mike.
Well, so can you hear me? This is Mike. Yeah. From Oracle.
So at, at Oracle, actually we have several suites. Yes, you do. There's an access suite, for example, and a directory suite. And of course we have our, our identity management suite. It includes a lot of the classic provisioning and that sort of thing. So when we, when we think of the word suite, you know, we think of these packages of products that, that work together to solve certain kinds of business problems in a certain place in your data center, and that sort of thing. To Rudy's point,
I think that, of course, there's still innovation going on, but at Oracle we've kind of shifted our thinking towards this idea of a platform. And when we, when we think about a platform, we, we try to think about some of the important reusable services that underlie all of these technologies and, and, and, and these suites. And as an example, some of the things that we've done is created a, an API that's very flexible, sort of Java-based or really any, there's SOAP-based APIs. Any, any feature in any of the suites essentially is available through these APIs.
And we see that as sort of a platform play. In, in addition, we find that integrations through things like a virtual directory, or even externalizing privileges through our enterprise, excuse me, the Entitlement Server, these sorts of things allow for more of a platform play. We think that even though there may be innovation happening above that platform area, that we, it makes sense to try to, to think of some of these problems more systemically and, and take a platform approach to it. And this is Dave Fowler. So I would echo both what Rudy and, and Mike were saying.
I think it is important that we, as an industry, don't get caught up in, in saying it has to be all one suite and it has to be all from one vendor in order to be able to get a solution that, that works well together. Identity and access management by its very nature is a system. It's not a hodgepodge of individual pieces of technology. And I know a number of organizations we have dealt with have tried that approach and have retrenched from it.
So getting a platform down or a system down that handles the core set of functionality that you need for identity and access management, and then layering on top of that other applications, either through APIs or through pre-integration, helps an organization say, I can pick the core platform I need to in order to assure that I can collect and analyze the data, but at the same time, I can add functionality onto that, that leverages that core platform. Nelson, a question for you, then. A customer,
I think we can agree, will choose a platform, as we'll call it, or a suite of products, but suppose they don't happen to like one of the modules. How easy is it for them to bring in something else and, and layer it on top or integrate it?
Well, I, I think I, I kind of echo what everyone else was saying, Dave and Mike and, and Rudolph prior. I think it's easy for any of the vendors here to be able to take any part of their suite and augment any of the other people's suites of identity and access management products, because a lot of this is, is modular today. And I think as we move into the future, we're gonna see, because of the advent of web services, that you could have an Oracle backend with an Avatier front end or a Courion password management solution, all coexisting.
The question is, until we start to see some standardization in terms of reporting and business intelligence, as Dave mentioned earlier in his introduction there, it's gonna be very difficult to take meaningful information from the stitched-together identity and access management solutions that are out there. Okay. You talk about standardization, and it's something that we always love to talk about.
And we always desire to have. We had, for example, the Service Provisioning Markup Language, SPML, which was promulgated, oh, 10 years ago, I guess, and has proven to be a real dud because it's hardly implemented at all. It's been succeeded more or less by SCIM, Simple Cloud Identity Management, as a, as a protocol for pushing identity data to the cloud. One question about it is that it does not cover all of the identity data that an enterprise needs. It's very simple. It's very basic.
So is SCIM something that we should wrap our hands around, something we should be using, something that we'll see in all of your products as we go along? Dave, what do you think about that? Absolutely.
In fact, we're intimately involved with the SCIM activities right now, and we see it as a way of bringing together some of the incompatibility that we find in the marketplace and how to get a, a user up and running and determine what access rights they're gonna have. One of the challenges for the industry as a whole over time has been, how do I get the information that I need automatically out of each of the individual applications? And then how do I use that information in order to be able to provision users or deprovision users?
And SCIM is one lighter technology that could be used to do this, particularly in a cloud environment. And while it's not a panacea, it's not gonna solve all of the, the problems that we struggle with as either vendors or as end user organizations.
It, it compartmentalizes one segment of the problems and could create a way to quickly get cloud-based applications up and running within an enterprise environment, and then would need to be linked into the enterprise solution. Mike, Oracle was rather resistant to SCIM initially and, and tried to promote a different standard, which fell with a loud thud. So is Oracle going to rally round to SCIM?
Yeah, I think, I think that as, as I mentioned before, given our platform approach, we have the ability to support a lot of different protocols and, and data formats and that sort of thing. And so you're finding that even with, with standards such as OAuth and, and OpenID and these sorts of things, we've, we've begun now a series of rollouts, let's say, to, to get those things up to date as well. And we're essentially extending our services on, onto whatever is, is the pervasive standard of the time.
Of course, we're not going to miss a standard. Interestingly, the, when we think of provisioning cloud solutions, you mentioned SPML before. We do more of that right now, at least for the initial load of, of say a, a hosted service or a cloud service, using SPML, which is I think reasonably well supported. There's not a whole, I don't think the vision of SPML ever was realized, which is that everybody would just be talking SPML over the open internet, stuff would be just happening automatic.
I don't, apparently somebody thought that might happen. That's, that's certainly not the case, but SPML is in fact being used a lot of times for these early data loads and, and we see that happening quite a bit, and we do support that. And so I think that in the case of SCIM, it's early still. We're, we're feeling it out. We're looking for it. Certainly if it becomes more interesting in the market, we'll absolutely support it.
Rudy, is there any movement in Europe towards SCIM? It seems to be pretty much North American driven at the moment.
Well, I don't know about Europe so much, but my point of view on the, on SCIM is that it's really a good move and the right direction. So I really was well surprised and, and then, or not surprised, but, but happy that SCIM brings a new level to, to, to provisioning cloud applications, for example. But of course I, my, my point of view is that SCIM today is mostly driven by identity and access management vendors, not so much by the cloud vendors or by the cloud service providers.
So it's really like with SPML, it's, it's quite needed that both sides, the service side and the client side, really work together and see the potential of SCIM for making management, for making provisioning and, and also federation much easier than, than before, and to, to reduce the systems integration effort that's still needed in setting up IAM deployments and, and such programs. So it's really up as well to the, to the, to the workshops, to the, to the conferences that all parties see the potential of, of SCIM and, and buy into that.
Okay, mostly SCIM is talked about, and I don't wanna, wanna really get us bogged down in SCIM, but one more point before we get off that. SCIM is seen as a way for the enterprise data center to communicate identity information with the cloud. Of course, SPML was seen as a way for, excuse me, enterprise IAM to communicate with the applications and services in the data center.
So my question is, if anybody wants to address this, do you see any movement towards using SCIM in that way, for IAM stacks to be able to send information, provisioning information, for example, to database suites or applications or other things that are running in the data center? Anybody have anything on that? Well, my, this is Rudy speaking. So my point of view on the application side is pretty pessimistic.
I would say I have worked in the past, in the last five or six years, with a couple of vendors that create applications like product lifecycle management, like applications in the healthcare sector. And they are quite reluctant in designing identity and access management interfaces into their software. They always see it as kind of a, a layer on top of them. So this layer must interfere or must integrate with the existing APIs, with the existing communication protocols and so much.
I think we need to more evangelize those application vendors really to design up front, from the very first step, these interfaces into their solutions, and also to encourage them to, to add additional interfaces to existing applications that are long in the market as part of their evolution cycle. Okay. Anybody else wanna chip in? This is Dave.
Yeah, I would echo what Rudolph is saying. There's a reticence by existing application vendors to go back and re-architect to create new interfaces for identity and access management, and so existing enterprise applications, it's difficult to get them to change. At the same time, there are in many of these organizations a large number of homegrown applications as well, and they're not going back and retrofitting those applications. So while there's a place for SCIM in the cloud in particular, there could be a place for SCIM within the organization as well.
But I just think it's a much longer time period before it gets adopted, if at all. Okay. That sounds good. Let's go off on a different tack.
Now, back, back in the day, one of the things that most IAM vendors didn't offer that was homegrown was simplified sign-on or single sign-on, SSO. That was usually provided by a third party, frequently Passlogix, who partnered with everyone with their SSO solution. Now we've all grown up, and everybody, I think, includes SSO or ESSO as, as part of their offering.
It's, it's just something that's accepted and has to be there, but the thing that's optional, but that everyone talks about, is privileged user management or privileged access management, as we call it, which usually now is provided again by a third party, somebody like, say, Cyber-Ark. Will we see that coming in as part of the suite, will it, or will the trend be to continue using a third party who has certainly expertise in the area? Which way do you think we'll go? Nelson, you've been quiet, say something. Thank you, Dave.
I, I see the whole industry incorporating any new technologies into their suite. So I see a lot of vendors looking at other markets that are out there that are tangential to the, I, you know, to the core markets that people are, are currently providing. In the case of Oracle, obviously they'll probably buy someone, no offense there, Mike, through this decade and, and beyond. Anybody else? Since Nelson kind of gave me a shout-out, this is Mike. Maybe I'll take that one up.
I, yeah. At, at Oracle, of course, we're interested in, in, as I mentioned before, we, we're focused on this idea of a platform and we're not done yet. Right.
We, we see areas of, of improvement and also moving into the cloud and that sort of thing. So we're very aggressively and very interested in making sure that our offering is, has full coverage, right,
of, of important spaces. And ESSO, as you mentioned, it is kind of funny, right. And people have been in and out of this space for a very long time.
And, and it's, I, I think when I look back on it, I think a lot of folks were hoping that everybody would simply move to web architectures and all these legacy applications would drop away, and there wouldn't be client-server, you know, come 2012. Right?
Well, here we are. And, and we, there's as much client-server out there as I remember, you know, back, back in the day.
So, so it, it is interesting. We, we, I was talking to a, a client recently who had a very difficult situation in which their customer support people needed to log onto something like 20 applications, but the biggest problem they were having, because they didn't have a provisioning system early on, was that they, they had no consistent way of mapping, or a predictable good way of mapping, those accounts for any one particular person, because they had no identity in those systems that would link automatically through normal matching rules, right, all of their 20 to 25 accounts.
So one thing that the ESSO product was able to do was to take that burden off of administrators and very quickly allow each person essentially to map their own accounts. And because we have a platform approach, we were able then to capture that in the provisioning system, capture that mapping that essentially the users created for themselves through logging into all of their individual systems. So we were able to get immediate return on the ESSO side. And then in addition, you know, you know, going forward, improve the provisioning of that and, and control of that particular space.
So the, these are the reasons that we're very interested in this, in this platform approach, because it allows us to then blur the lines between, you know, what's, what is the access suite doing? And what is the provisioning suite doing, and how do they communicate? Anyone else want to add something? I would like to step in here, Rudy speaking. So I think the, if you look at privileged user management, this is one example of the high dynamics in the market. It was as well with enterprise single sign-on, or maybe it was strong authentication vendors.
And I really remember a couple of years ago when Mike did a presentation, when he was with the Burton Group at that time, where he illustrated the acquisition in the market. So where the big fishes eat the small fishes when they are well ripe or whatever. And I think this is like the same situation we have right now, or we have, we had all over the last five to 10 years here.
So, and then for example, there's one big fish here on the panel, which Mike is representing. And I expect that they will acquire some, some privileged user management company pretty soon. Atos isn't all that small either, Rudy. But yes, thank you.
And we, and to your, to your point, Oracle did acquire Passlogix, maybe not everybody remembers. And for that, that reason we have an ESSO product as part of our suite currently.
So that, so that's, that's interesting. You're right. So everybody probably knows about the acquisition history of Oracle. And I am actually, it's, it's an interesting thing to look at because it, it, it's, it's amazing the number of, of companies and the number of competing companies that Oracle has acquired over the years, but it was, yeah, it was Oracle's acquisition of Passlogix that prompted me to talk about privileged user management.
Because as I say, now, that's the, that's the big, low hanging fruit for acquisition that's out there because really nobody has one of their own, You know, it, well, in question, I should point out, you know, Oracle actually also includes for its da its own databases and applications. It includes some ability right now, right. To if you have a database based identity management system or whatever, it may be specifically for those things. If you're using a database, there is the, there's the enhanced security option, right.
With the, with the database and that sort of thing, that, that helps you manage those privileged users. But of course, and, and, and it also has like encryptions some other things and firewalling there's some, we, we have that too.
So I, I wanna point out that there are some basic solutions there for databases, but of course we're interested in, in, in going further than that, Dave, this is Nelson speaking. I'd like to remind the audience at this point that you can send in your questions through the control panel that you should have on your screen under the little box towards the bottom.
that says question. You can send those in and we will, we will get to them as we go through here, if we want to, I'm sorry, not if we want to, but if they're germane to whatever we're discussing at the moment, and I think I'd like to bring up the next question now. Again, back in the day, I believe we all recommended that whoever was the champion for IAM practices in the organization should choose the low-hanging fruit, develop some quick applications or implement some quick applications to show the possibilities, and then move on to the, to the stronger things.
And this led to sort of a cycle of find something that the organization needed. Do the testing, do the implementation, the rollout, tweak it, make sure it works, present it to whoever has to approve of the next project and then go on to there. And this could be a very, very long cycle that we're talking about, even if we're using things that are quick to implement. So my question to all of you is, is this still a good way to do things or is there a better way to get the IAM structure or platform that a company needs today?
Nelson, you wanna start? Yes, Dave, thank you.
At, at Avatier, we definitely believe still that short wins, quick wins are going to give you the, the best opportunity for success within the organizations as they're deploying identity and access management. I think key to that is for organizations to start with an end in mind, you know, determine what their goals are, whether it be password management or user provisioning, or making sure that all access is removed upon termination, or single sign-on or privileged user management, what, whatever the core goal is. Look at that.
I think the other key thing is that organizations benchmark and measure their existing processes, you know, document the, the existing processes measure the number of occurrences measure the time it takes because you, you can't lose weight if you don't know what you weigh. And I think it's very important for organizations that are going on this identity management diet to know where they're at today, and that requires measuring where they're at today.
And yeah, go ahead. Okay.
Dave, you want to add anything?
Yeah, I would love to. I think one of the challenges this industry has struggled with is that they took the idea of a quick win literally when some of the implementations were started years ago, and the organizations ended up with a house that Jack built. They implemented one technology or one solution at a time trying to get quick wins, did 80% of the functionality that they needed not to get a quick win and then moved on to the next one. And unfortunately in those situations, identity and access management is a system.
Each technology plays off the other technologies, and to Mike's earlier point about getting the platform right: if you're gonna lay down the system and you really want to build it as a system over time, then you need to get the core infrastructure right that you're gonna lay down, so that each new application or function or value that you're bringing to the organization layers on top of and leverages what is already in place.
And I think from that perspective, we've learned a lot over the years, and instead of the models of quick wins that are disjointed, it's, to Nelson's point, a system approach to getting quick wins, and then using two other things that I think the industry has gotten much better at. The first is not going in and asking the customer, "How would you like it to run?", but rather bringing to the customer the best practices of the industry, so that they not only can get up and running faster, but that they can leverage the experience of other organizations to get more value out of the system.
And then the second thing I think that, that the industry is starting to move towards is less focused just on the operational efficiencies and more on the value proposition that the organization can get from the information that's being gathered on identity and access management.
And just a quick aside on that, we're working with a number of organizations right now who say that their greatest value is gonna be in identifying where the key risks are within their organization and doubling down the security in that area, rather than trying to boil the ocean and apply that security level across the entire organization. You can't do that without laying down a system first.
Okay. Mike, agree or disagree?
Wow. Dave, thank you. That took the words right outta my mouth. I think that's exactly the case. I know that in the four years I spent in the consulting world in the past four years, that's certainly been the approach, and oftentimes we'd need to get, of course we want to get to a place where every new identity project isn't some kind of exploration of deep space, right?
That we feel very familiar with what's going on, but to get to that point, you have to put some kind of platform in place. Some kind of those basic primitives, let's say, in place, so that you can then extend and reuse a platform that you've established.
I think, I live in Salt Lake City and just recently, well, about a couple years ago, they finished a renovation of the capitol building here. Apparently it was discovered that even a minor earthquake would bring the entire building down, right? That's this historical massive rotunda kind of granite building.
And they, they spent four years then putting a, a platform underneath this thing. Right? So that in the case of a fairly severe earthquake, which happens here in, in the mountains quite a bit that the building would in fact be isolated from the, from the earthquake.
Now, I think that's a very interesting metaphor for what we've got here. We have networks at organizations that are heavily used, that can't simply be torn down and replaced, that need some kind of something slid underneath it, let's say, right, that allows controls and management and insight and oversight and governance to occur.
So the thing that we've been trying to do is convince people that they need to, first of all, swallow that replatforming exercise. And once they do that, then they can start thinking about these quick wins based on that platform.
Okay. And Rudy, anything you'd like to add to that?
Yeah. I would like to add that, in my view, I think enterprises and organizations should do tactical measures in the identity and access management space, but they also need to explore the strategic options.
They need to set up an identity and access management program just to govern all the activities that they have, maybe in various parts of the organization, and simply to keep control on what's going on there. Of course, low hanging fruits might be part of the tactical measures because they're maybe not so expensive. They can be deployed quite easily and quite fast. But we think that identity and access management has now also entered the management level, the board level.
So it's no longer innovation and an attempt of the techies to make the operations more efficient, to make it faster, maybe with less administration costs, but it's more in the area of: identity and access management is part of the risk management strategy, is part of security as a whole, not only IT security. And this has changed over the last three to four years. And we see that this is taken up by the industry and will have this consultancy requirements, and therefore identity and access management is on a much higher level and it needs to be driven on that higher level.
Okay. Nelson, did you want to add something to that?
Yeah.
I just wanna be careful and caution the audience with the platforms. You know, it's very difficult to easily adapt changes to those platforms as changes come around to the organization. I believe that it's very important to have a strong infrastructure in place that's clean, but I also promote a very dynamic approach to identity and access management by using a business service catalog in the form of an identity store, which, as Mike said earlier, one of the keys to this is to give accountability and governance back to the organization.
And I think by making the users accountable for what it is that they're looking for and what they're selecting, it gives you the greatest amount of accountability. And I think, Dave, at some point, we're gonna be talking about RBAC or roles, and they have their place within the organization. But organizations, as we've been moving out to very large organizations like MillerCoors and others, we find that the organization's very dynamic and that the users need to select what they need when they need it.
And I think the platforms that we're putting in place are more along the lines of the business service repository.
Yeah. You bring up an interesting point there.
And one, unfortunately, I don't think we'll have time to get into deeply today, and that's X-based access controls, whether that's roles-based, rules-based, context-based, attribute-based, or lots of different ways to do that. I think we can do a whole webinar on that itself, and we will in a couple of days. But I did have a question here from the audience for Dave Fowler. The questioner asked, they thought you said that you should focus more on best practices than on customer requirements in order to build the core infrastructure or platform. Okay.
So their question is, are we seeing IAM now as more of a commodity service?
So first let me be clear. I'm not suggesting that you focus on best practices in lieu of customer requirements, but rather that the customer requirements can be implemented through best practices. And what has traditionally happened in the past is there's been a lot of customization of the implementations that generated no incremental value for the organization, other than taking a paper system that wasn't working already manually and automating that paper system.
And then when it was done, the organization said doesn't really work efficiently for our organization.
So we've learned a lot through that process, but I would say that that once, if you look at as an analogy, the, the difference between what we used to do for the CRM marketplace, which was back in the 2000 timeframe, we would go into an organization with an SAP solution and spend years and millions of dollars getting the implementation customized for that customer environment versus the Salesforce model, where they come in and solve 80% of the functionality out of the box without the significant investment upfront.
And then gradually over time, add more functionality on that creates more value for the end users. The latter model is the one that I believe that identity and access management is moving towards. There is an administrative aspect of this, which is how do I collect the data and process the data. And then as Mike and Nelson mentioned, move the, the use of that data to the end user organizations to manage themselves.
And then there is the ability as to translate that into risk value to the organization, because at the executive level, what they really care about is not managing individual identities, but managing the risk to the business overall. And you can do both of those things by first, getting a system in place that allows you to manage the data or the identities across the entire sets of applications that you wanna run, and then layering on top of it, the application functionality that may be specific to the user. Okay.
Some of the things you mentioned there, and Rudy mentioned earlier, about security: back again, back in the day, the emphasis was all on collecting data, collecting information and distributing it to applications and services, making sure that the information was as easily distributed as possible. Today's watchwords, however, are privacy, security, data loss prevention, and so on.
So does the customer, the user, the end user, or the, at least the manager of the IAM products have to particularly worry about DLP and security and privacy, or are those now being baked into the product as we go along? Okay.
Rudy, you wanna try that one?
Well, absolutely.
They have to worry about it, because, I mean, the level of communication has increased very much. So you have many more constituents nowadays. So you include business partners, you include maybe development teams that are not owned by your company, especially if you look in maybe engineering applications like product lifecycle management. So you have to give away your construction data. So therefore data leak, yeah, DLP programs and, as well, privacy, if you look in healthcare or banking industries, is a very high concern.
And then of course, these, this needs to be addressed by the, the risk management programs. So, and from the risk management programs, you have to derive the right technologies to use. You have to derive the authentication. You have to look at how you can connect mobile devices to your services.
How, for example, when people bring their own devices, like bring your own device in. So how you wanna manage that. And then this is much more challenge and much more task as well, that includes identity and access management technologies, than it was before. So therefore this is absolutely a key to that. And then it really has to be taken on.
Okay, Dave, Courion is heavily into the healthcare industry.
So are the privacy considerations and the security considerations of healthcare baked into your product?
It is.
And it is a critical component of what the healthcare organizations care about these days, reputation being one of the biggest issues for them; not just the whole issue of meeting regulatory guidelines, but in fact being able to protect their reputation in a fairly competitive marketplace. And so being able to tie those regulations and governance issues they want to manage into their identity and access management activities is critical.
And to go to something that Rudy just said, which I think is critical: we are moving into a world, have been moving into a world, continue to move into a world where we're opening more and more of the data up to be accessed by more people, oftentimes people external to our organization. In the healthcare industry, it's the insurance companies, it's the doctors, it's the health clinics, et cetera.
And as we open up more of the data to be used by other organizations, and we increase the number of devices that can access that data, and in many cases they're accessing it from outside the enterprise organization's network, the risks go up dramatically. And so you got the pull from the business side to be more open so that you can be competitive. And you got the pull from the regulatory side to be more in control of that information, and sitting right in the center of that is identity and access management. And the problem is too big to do manually.
It's gotta be done in an automated fashion, and it's not something that can be done on a periodic basis. In a lot of organizations we deal with, they talk about doing identity and access governance reviews on a quarterly or annual basis. It's too late, when you find out a year from now that you've had a leak, to fix all of the damage that's been done. So getting to more of a real-time identity and access management solution is where we see the healthcare companies headed.
Okay.
Mike, do you anything on, Can you hear me? I think I muted. Oh yeah. Okay.
So, yeah, I think that's, of course it's important for people to think about DLP and privacy. And I think that what's happened in the identity industry, I remember way back in the day when I was in documentation, right, we would write the user manuals or, you know, admin manuals as we called them, in such a way that we would envision that there would be this one person, you know, departmentally more than likely, who was this admin who had rights to do all kinds of things.
And that person had all the important tasks, you know, including, of course, privacy wasn't even one of them at the time. What's happened though, is that identity management infrastructure has really grown up and it's become part of critical infrastructure for the enterprise. And as such, there isn't just this one admin person out there who has godlike powers across this entire ecosystem, right? What's happened is that we now have governance bodies that control these things. And that's a good thing, right?
I think that what I tell organizations is that they need to, if they haven't already, establish identity management and controls management as critical infrastructure for their organization, and that organizationally, they need to treat it as something that they will be doing long term. It's something that they'll have to become very adept at handling. And so things like privacy will be considered not just for identity management, but as a governance related effort across any kind of new infrastructure or application.
Okay.
Nelson, is governance built into your product?
Absolutely. But today I look at the solutions that are out there and I see governance as the risk scoring and everything as too much of a manual process, meaning that it needs to be configured on all the solutions, even vendors that are not on this forum today. And what Avatier is advocating and promoting is the ability to intelligently determine where your risks are based on the items that are in the store and how they're being used within the store, your identity store, and how they're being used within the organization.
And the key metrics that we're looking at are impact and likelihood. So what's the impact to the organization if somebody does get access to this particular privilege or right? Or what's the potential likelihood that this could hurt the business in any way?
So again, at Avatier, we're looking at more of a way to determine this based on the characteristics of the organization and the industry type, whether it be healthcare or banking, et cetera.
Thank you. We're just about running out of time, but I'd like to give each of our panelists a short time to perhaps add something that we haven't been able to discuss.
So let's try and keep it at like a minute apiece, as either a wrap-up, a summation or something that you really think should be mentioned and hasn't been mentioned yet. And I think we'll start with Mike.
Thanks, Dave. Yeah, I think that, in terms of what we haven't been, sorry, the mute button's giving me a little bit, in terms of what hasn't been mentioned yet, I think what we're finding is that it's all of these sort of use cases that need to be fulfilled that are kind of in between the traditional suite boundaries and product boundaries that are turning out to be very important. And so we're looking very closely at those at Oracle. You mentioned, or a couple of people mentioned, I guess, on the call, this idea of RBAC and roles.
And what we're finding is that, of course, it's important to figure out what roles you need, apply those roles to a particular account or person. But then when it comes time to use those roles, you know, the context is very important as well. And a lot of role management products aren't capable really of handling that contextual role assignment or role usage. And maybe, it's very ethereal at this point, let me just give you a quick example.
If you're a financial institution and somebody's trying to spend a lot of money or send money, you might have a rule that says, look, the requester, right, can't be the approver. So I can't approve my own financial dealings, right? So there's always gotta be somebody else to be complicit.
Well, it's highly likely that I have both the approver role and the requester role because I'm doing both things. What the difference there is, the context, is that in the case that I am actually the requester for a particular transaction, in that case, in that context, I cannot also be my own approver. And we're finding that then we not only need a role product to handle that sort of thing, but also something that's in the access path, something that can externalize entitlements and understand contextually when which role applies and that sort of thing.
So we're looking at the broader sort of platform idea for these sorts of things. And yeah, so that's what I had to say.
Thank you, Mike. Rudy?
Well, Dave, so I just want to reiterate one of my previous comments: what companies should look at when they think of identity and access management technology or solutions, they really should start top-down strategic approaches for designing or for creating an identity and access management program, which really looks at all facets of identity and access management technologies as well.
But the main point here for an identity and access management program is that one of the cornerstones is to support the processes, the life cycle management processes, maybe for handling the users, for handling all the privileges, all the roles, and for doing all the enforcement in authentication and authorizations. So it's really key that technologies are selected that support the process, managing the processes of identity and access management and users and privilege and all these things. And I don't think that a suite or a platform can handle this all.
Of course it can handle the core functionality and it grows over time, but there are still so many specialized technologies out there in the world, like privileged user management or token-based authentication, for example, so that the suites need to be complemented by these special purpose technologies. And that's the advice to the industry, to the enterprises and organizations: really base the IAM program on a core suite or a core platform, but then complement with specific technology, really to adapt the technology to your risk management needs.
Okay.
And Nelson, any final thoughts?
Yes.
Dave, thank you. The mute button also was giving me a little trouble.
I believe, at Avatier we believe, identity and access management is becoming a commodity. I believe that any of the vendors here on this panel, or even vendors that were not asked to participate on this panel or made available, could get, and your could solve the solutions of from the majority or of the majority of the people that are on the webinar. I think the bottom line is how much money and how much time do you want to spend to get there. And then after you're there, what's it gonna cost to keep the system operational and up and running?
So at Avatier, we believe that the best identity and access management solution is the one that's operational. And we would ask and challenge that everyone take the money that they're spending on RFPs and vendor selection committees, and put that money into strong proof of concepts, because this is becoming a commodity. Get Oracle, get Courion, get Avatier, get Atos installed in your environment and see; then when you can feel it, touch it, smell it, then you can make a decision and see how it looks.
Very good. Okay.
And Dave, you get the last word.
So I'm gonna sit right between Rudy and Nelson on this one.
I do think it's becoming a commodity in the industry, but from an operational perspective, I don't think this is where organizations wanna spend their strategic dollars. They need it. They need it for the reasons that Rudy mentioned, to be able to assess risks in the organization, but they want to do it for the least amount of operational dollars that they can afford to do it with. And I think that goes back to something I've heard from, I believe, all of the speakers today, which is take a systems approach to this; whether you buy a suite or not, take a systems approach to this.
But I would add to that, look at the ability to actually move operational functionality that you're doing from inside your organization into a SaaS environment, because a lot of the cost associated with running these operations today is in maintaining the existing systems to run those identity and access management. And that is a cost to the outsourced.
Very good. Thank you very much. I wanna thank Nelson and Dave and Mike and Rudy for being with us today. Obviously we only scratched the surface on what's available in best practices for IAM.
And it's a conversation that will be continued in April at the EIC, the European Identity and Cloud Conference. It forms one of the major tracks. So if you want to continue this discussion, we hope to see you there in April.
Meanwhile, we'll be back here next month for, and you'll see information about this soon, a webinar on some new things in cloud practices. And with that again, I'd like to thank the panelists, thank our attendees and say goodbye.