Hello, and welcome to this webinar from KuppingerCole. My name is Paul Fisher. I'm a lead analyst with KuppingerCole. And today's webinar is sponsored by One Identity. And I'm delighted to have Stuart Sharp, who is the VP of product strategy from One Identity, to talk about identity as a service, which we believe is becoming the cornerstone of modern security. So before we get into the webinar itself, just a few housekeeping tips for you guys watching wherever you are. You don't need to do anything. You are muted, so you don't need to mute or unmute yourself.
We're going to do a couple of polls, the first one in a minute, to get your feedback on this subject. And then there's time for questions after myself and Stuart have both presented. And for those of you who have colleagues or friends that couldn't make today's live webinar, don't worry, because the whole thing is recorded and will be available very soon after this event. So first it's I'm talking, and then Stuart, and then we'll have questions and wrap up. But let's just kick off, then, to get a feel of where you are with identity as a service.
And the question is, what is the biggest challenge you foresee or have already experienced in implementing identity as a service? So is it integration with existing systems, always a problem, usually with most things, user acceptance and training up, the actual cost of implementation and deployment, and ensuring compliance with data privacy laws? So those are the four options. We'll leave that running in the background, and I will make a start on my part of the webinar.
So one of the areas that I always like to talk about is the unstoppable forces in identity, which are now cascading in on business IT and business in general. We've never seen as many identities as we have now. And we haven't seen this many identities need such fast access. So we've got three things which are happening all at the same time. We've got the velocity of identity, so the speed that identities require access, which is much faster and demanding than previously. We also got the density of identity. So that literally is the millions of identities that are now coming on stream.
And a lot of that is generated by non-human identities, which already outnumber human-based identities. And dispersion. These identities are no longer in a centralized location. The idea that all identities and work was done within a kind of single organization is far gone.
I mean, I don't really need to tell you that, but this dispersion is actually getting wider. So industry, particularly since the COVID pandemic, more and more businesses are now scattered more widely. More people work in hybrid occupations. And more businesses are now opening themselves up to more third parties, more remote parts of their supply chains, and, of course, customers. So those are the three unstoppable forces in identity, which are only going to become more intense as time goes on. So how does this actually translate on the ground, as it were?
So I put together a diagram here of how I see identity flow and management in modern business. And we look from left to right. We can see that we still have our core business infrastructure, but the infrastructure can be more than just, obviously, one organization. It can be more than one type of infrastructure. So within that, we have infrastructure as a service, platform as a service, et cetera. But we also have the supply chain infrastructure, which is increasingly a part of modern organizations.
Supply chain was always something previously associated with big manufacturing industries, like car manufacturing or other heavy industry. But supply chain, and particularly with supply chain of software, is something that affects us all. But we also have identified seven identity types, which we think are significant. So we have administrators. Administrators are still important. We have developers. Developers need access to certain parts of organization.
We have end users, employees, whatever you want to call them, machines, third parties, identities that reside at the endpoint, and, of course, customers. And it's likely that we might see different types of identity emerging in the future, not least of which could be some form of AI-generated identity. So we'll have literally avatars that exist to do work, maybe some kind of identity that we don't yet realize, some kind of hybrid between a machine and a human. And then we have what I call the identity zoo.
We have, at the moment, three main technologies that attempt to control access management for identities to make sure that they go to the right cloud apps and services. So we have privileged access management, which traditionally has been there to assist with access for privileged accounts, as they are called, particularly for administrators, et cetera. And at the bottom, we have the wider identity and access management, which is what we're going to be talking about today as a service form.
And then recently, we've seen the emergence of cloud infrastructure entitlement management, which aims to manage all the access entitlements to multiplying clouds. And then all of that, then, as I've already mentioned, we now have everything that these identities are flowing through. So they'll be going through platform as a service, software as a service, infrastructure as a service, private clouds, public clouds, DevOps. And then in the end, all that any identity is doing is trying to find access to resources and stuff. And that could be those files, servers, workloads, et cetera.
And then as a foundation to this identity flow, we have at the bottom zero trust design coming in, integrated risk management, identity lifecycle management, data governance, privacy, and compliance, and then the emergence of detection and remediation technologies. And we're even seeing that in identity now. We're seeing the emergence of ITDR, which is not on this slide, but identity threat detection response, which is yet another tool that will enable us to find or at least manage identities better.
Oh, it is on this slide. Excellent. So let's go back to what we want to talk about. Within identity and access management, there is now identity as a service. And the definition of that is basically what it says here. It's a cloud-based service that provides the traditional identity and access management capabilities that previously would have fallen to the organization itself, possibly would have run on-premises, possibly would have been devised and developed by the organization itself, perhaps with some bits integrated.
But what identity as a service aims to do is look after all of these capabilities. So obviously, it's there for authentication and authorization. It's there to manage users. And they could be privileged users. It's there to control access, which is the key. It's there to help maintain directory services. It provides a much broader and flexible range of options.
In theory, an identity as a service should be able to scale much more easily than a traditional on-premise model, simply because it runs in the cloud, simply because the identity as a service provider has the resources to do that. It should be fast enough to be able to switch to new demands from the customer.
In theory, it should reduce complexity and cost. In theory, OK. So that very much depends on service level agreements. It depends on configuration. It depends also a lot on what users actually ask for in the first place. And it should provide superior integration capabilities. Everything these days in computing is about integration. Integration is everywhere. Integration between different types of SaaS, different types of networks, different types of cloud, and, of course, different types of identity.
So that in itself, going back to what I was talking about earlier, the three forces in identity and the identity zoo, is something that is increasingly hard to manage for organizations. And as I already alluded to, the number of identities is increasing exponentially. And this isn't going to stop, simply because of the nature of computing. And now with AI coming on stream, we're likely to see even more types of identities emerging. Identities that, up to now, we haven't really thought about. We've only thought about human identities, which have behavioral issues.
We have static machine identities, which, in theory, are more reliable because they only can do one thing without thinking. But, of course, if they get hijacked, they're dangerous. But what if we get some kind of identity, which, as I said earlier, is some kind of hybrid now between a machine and a human, which is given an AI-generated task to do? That is another level of risk, and it's something else that we need to think about.
And if you look on the right there, this survey, which is taken from the most recent World Economic Forum Future of Jobs report, the World Economic Forum are the people that run the Davos event every year. The first of those, every single one, digital platforms, these are technologies likely to be adopted in the next five years, and they're usually pretty accurate, these adoptions.
And all of those, digital platforms and apps, education, workforce, internet of things, big data analytics, cloud computing, et cetera, et cetera, artificial intelligence right there, all of those are going to impact on identities and the number of identities and how you manage them. So that's all coming in the next few years. It's 23 to 27. And technologies are changing all the time. User experience is another thing that you have to think about. Quite often, this is forgotten in major deployments, in when people think about identity as a service or identity management.
And it's good to see that vendors are now addressing this. But for a long time, the user experience, the actual user experience of getting on board, getting online, getting access, was not really thought about. There was too much about the control and less about ease of use. But the velocity and the density has made that people have to rethink this, particularly in areas like development and DevOps, where people are used to working fast. They're used to working in a fairly free environment. And they don't really like having control.
So the secret is to control them without them realizing it, if you know what I mean. And integration, as I said, is everywhere. And these are just an example of some of the types of integration.
I mean, this is like, I just took these at random. So we have Workday, SAP, Azure. But I mean, you could have 1,000 things here on this screen to talk about, to demonstrate the level of integration that is required. And the level of integration increases every day. And another thing that's very important, and it affects privileged access management, and it affects identity and access management, but of course, is the trend towards departments or heads of department or line of businesses or even individuals, those individuals, say, in DevOps.
Those guys are quite used to spinning up an AWS server or some other kind of tool in the day-to-day course of their work. And they integrate with stuff that central IT doesn't know about. And this is happening. This is happening all the time, and you need to realize it. And they're doing it because it makes their work easier. But you haven't got full oversight of where that's happening.
And again, this is where something where a service, like identity as a service, or even privileged access management as a service, can benefit you. And so this is, just to sort of get towards the end of my presentation, my bit, we asked end users, we asked, as a company, KuppingerCole, what their priorities were in identity and access management security. And Zero Trust was, not surprisingly, top of their minds.
I mean, part of this could be because Zero Trust has, for some reason, after a little period of not really being talked about, has become talked about a lot more. And that could be because of all the trends that I've just been speaking about, that people realize that, yeah, Zero Trust was a good idea, that we need to think about this. We need to basically say, we can't trust any identity until we know what it is, what it's doing, what it's trying to do. And MFA was second there. And multi-factor access is, as I'm sure Stuart will enlarge a bit more on, crucially important.
We no longer find simply allowing users to use a username and password to get onto something as acceptable. There has to be another layer. There has to be more factors involved. How you do that, of course, is crucial.
Again, identity services or identity management services will have different ways, different types of MFA. But again, you want to make it so that you're not hindering people in their work. You're actually making it easier. And below that, we have secure agile, having a grip on all endpoints. That's an interesting one. It's only got 5.9%. But it's almost, I would say, impossible to have a grip on all endpoints. If you think what an endpoint actually is now, it's not just a PC or a server or some compute device which is logged and registered. It's everywhere. And it changes.
It changes depending on what the identity is doing. So having a grip on all endpoints, I don't know. Is that possible? So let's just summarize some major trends in identity. IDaaS absolutely is there. IDaaS is going to be part of trends. When you think about all the challenges that I've just been talking about, we might see the emergence of a single identity. I don't know about that. But people talk about that a lot. So the idea is that everything, let's call it that, would have an identity which moves with them across whatever they're doing right into their private life.
So it would also work with a bank account or some other form of interaction. Personally, I don't know if that's really feasible. But if it worked, it would be brilliant. We will look towards one identity and access management service. That could mean individually in an organization. IDs are definitely becoming decentralized.
Again, as I said, IDs are no longer sitting in one place. They're sitting in different places at different times of the day, at different times of the month, on different devices. That's where a single identity might work, if they could crack it, so that you know that is the same identity. I don't know. But the fact is that identities, as I said, are being dispersed everywhere. We need to shift away, particularly in privileged access management, from static entitlements or standing privilege to just-in-time, and developments within privileged access certainly shifting to that.
And also, we might be able to see the emergence of identity being delivered via APIs. But again, all of those things, out of those, IDaaS, just-in-time, and one IAM are the ones that are more likely to happen right now in the foreseeable future. Single identity, as I said, is something that may not happen. So with that, I'll just ask a quick poll question before handing over to Stuart. Which feature is most important to you when selecting an identity-as-a-service IDaaS provider? So a user-friendly interface, robust security features, customizability and integration, scalability, cost effectiveness.
That will remain on your screens while you vote. And I will now hand over to Stuart, who I can see is waiting patiently in the other studio, to speak.
Welcome, Stuart.
Hi, thank you, Paul. And thank you very much for that interesting overview, really, of the identity space that we're all living in today.
You know, a couple of points that came up that I'd just like to comment on in your presentation. I think it's interesting, it's very significant and relevant that those top two priorities were, first of all, zero trust, and then closely followed by MFA. Because I think, really, when people talk about MFA, what they really mean is we need a better form of authentication than passwords. We need strong authentication. And in some cases, that doesn't mean two-step. It doesn't mean using two factors. But they just know they're aware of the weaknesses and the drawbacks of passwords.
And so MFA is that placeholder for strong authentication. And of course, if you don't have strong authentication, you don't have zero trust. So I would say you can't have zero trust without MFA slash strong authentication. But I thought that was, in some way, yeah.
Yeah, I agree. But I think zero trust needs to be considered carefully. And I think people are obviously very excited by it. And they think, yeah, that could be the answer. But it's a lot more than people think. It's not something that, I know this is a bit of a cliche, but you can't just bolt on zero trust. You have to architect it. You have to design it in. You have to think about everything. But you can't do it without MFA.
Yeah, you have to think about where are you not going to achieve zero trust, like you say. It's a big topic. And people have to don't take it lightly. Great objective and a standard to adhere to, but you want to recognize where you're not achieving it as well. Yeah. I would say to people, look at NIST, though. I think they have some very good guidelines.
Yeah, so just one other thing, too, is you were talking about the single identity idea. And I agree with you.
I think, do we even want that? Is it achievable? Do we want it? I do think, though, one thing that from an end user, what the end user, I think, really wants is a single method of authentication. And it doesn't mean everybody has to authenticate exactly the same way. But it's a simplification of the user experience to say, well, I have my method of authentication. It's secure. It's not the same as everyone else's. But it's what I can use everywhere.
Yeah, I'm skeptical. But I mean, I don't think I would want one identity that somehow travels with me everywhere. And I don't think it's workable. But you're right on that as well. Yeah.
So yeah, before I jump in, from my perspective, having worked in the industry on the vendor side for a number of years now in the identity space, I just wanted to ask you, because while we talk about the same subjects from a technical perspective, you have different conversations with customers, with buyers than I do. And I'm just wondering, I'm sure you get a wide range of expected or unexpected questions that they come to you asking for advice about.
But is there anything that stands out to you, the important questions that buyers more often than not are not asking you that you think they should be?
Yeah, well, they always talk about, obviously, cost and deployment. And I think they don't think a little bit beyond that. I think they need to think about even more granular things like how easy it is to provision or deprovision. They need to really think. They tend to think of, quite often, the organization as it is now, rather than what it might be.
So they need to think a lot more about connectors and integrations, which is what I was talking about just now. Connectors are probably, however you want to call them, it could be API, just call them connectors. Some form of connecting everything that you do with everything else is something they don't really think about. They tend not to worry too much about monitoring or reporting or session management, which is a bit short-sighted, I think, because it's not just finance, it's not just health, it's not just public sector that need to worry about governance.
And the one thing that's going to get you into trouble is through identities that have been hijacked or are not what they seem to be. So I think they do think MFA is kind of, yeah, that'll fix everything. But there's a lot more to identity, and particularly in identity as a service. If you're going to hand over this important role to a third party, you need to be thinking about these things a lot more.
Yeah, no, very interesting, very interesting insights. Okay, well, thank you, Paul. So I'm going to go through really an overview of identity focused on as it is delivered via IDaaS. So identity as a service has been around since 2010. The OneLogin IDaaS product, which is now part of the One Identity, Identity and Access Management portfolio, was started right at the very beginning back in 2010. And back in those days, it was very much focused on access management.
But as you'll see, the remit now is really expanding beyond just the access management part of identity and access management, and is increasingly covering more and more of the IAM space. So let's just think about what the key benefits are available to you from IDaaS and what you should expect to achieve.
Okay, and I think there's no reason why with some proper forethought and planning and strategizing that any organization should be able to achieve benefits in all five of these areas. So one of the key things that I'm going to be focusing on for you is where IDaaS can play a role in centralizing identity management.
Now, it can actually increase your security and compliance, and it can do that in two ways. It's not just about extending your current security and compliance to SaaS applications, which has an absolutely vital role in.
But, you know, I think I'll talk to you about some use cases and areas where actually it can help you extend it in hybrid scenarios as well, so not just in the SaaS world. Now, as you would expect of anything delivered as a SaaS platform, you can achieve better user experience. Absolutely, you should expect it. You should demand it. Don't settle for less. And it's one of the things that really attracted me to start working for OneLogin. I've worked in the security space for a number of decades.
And, you know, 10 years ago, what I started to see is that IDaaS was in that unique position where it was allowing you to offer stronger security and better experience at the same time. Can't take that for granted.
And, you know, it's now come to be expected and in the past, historically, that was hard to deliver. Scalability, flexibility, not having to worry about the scalability of your IDaaS instance, not having to worry about spikes in demand or provisioning additional users, et cetera. All of that can be handled because it's as a service.
And again, because you're part of a larger service, you should actually expect for the same level of security and scalability and interconnectedness, you should have actually achieved better cost efficiency, right? Just straightforward economies of scale.
And, of course, all of this can lead to a stronger identity and access management program. So let's think about what you're trying to achieve. There are organizations who have the advantage of being able to go for a comprehensive IDaaS environment for certainly their access management, if not their entire IAM program.
And, you know, the big pros around that compared to managing your own infrastructure, obviously, are scalability. Like I said, the lower cost because running your own infrastructure and having it available to work at scale or to automatically scale can be very costly. It's also the time to value.
So with, it was some years ago, it was some five or six years ago, and I was managing our professional services team who were doing our deployments for our customers. And I said, we want to make sure that every single OneLogin customer is successful. Let's set a target. Let's say from the start of every deployment project, we want to make sure that they have at least one use case live in production in less than 28 days.
Now, think about, compare that to any other kind of software rollout, application rollout, any other type of IT program. We were able to achieve that over 90% of the time, less than 28 days from start of a project to first use case live, including deployments of hundreds of thousands and involving hundreds of thousands of users. So now when you're dealing with IDaaS, it is a cloud service, and it has started and focused on supporting cloud use cases.
So there are organizations that have very complex legacy infrastructure, and you can't realistically say you're going to support 100% of those use cases with a cloud-based IDaaS solution. So I'm not the kind of person to say, oh, IDaaS can solve 100% of use cases for 100% of organizations.
No, you have to be realistic, but I would just say it may cover more than you think. The other thing very careful to think about is a single point of failure, and this applies to anything, right? So when you're relying on a service and the business process is in a highly connected world, is there a single point of failure? Do you have some kind of redundancy? What are your plans? Should something go wrong? Should even employees lose internet access, et cetera?
Now, IDaaS plays very well in a hybrid world. So it's not the only access management solution in the organization. It's working alongside some of your existing legacy systems.
Now, IDaaS is very easy to deploy for even single use cases. Because the deployment is so quick and easy and user experience is so good, it can allow you to cost-effectively deploy it for what is even a single use case within a legacy environment. So it easily integrates with those existing identity provider systems, and you can leverage it to be an extension for new use cases or for applications that you're migrating to SaaS applications or to the cloud in other formats.
Of course, IDaaS in a hybrid world has additional complexity, and you do have to be careful in terms of making the design, understanding your design, understanding where the attack surfaces are from monitoring, alerting, securing. So it's simply because you have multiple systems, there's going to be a larger attack surface.
Now, a full IDaaS deployment is particularly good for cloud-centric organizations. And those can be businesses who have made the decisions, we are going to prioritize migration to SaaS applications. So IDaaS is a very important part in supporting that migration journey.
Also, rapidly scaling businesses, because there is no friction for adding additional users, onboarding additional users. Now that IDaaS includes lifecycle management, particularly for SaaS-based applications, users are given instant access to all the applications they need. So there's no longer somebody signs up, and it's their first day of starting at work and they have to wait a week before they get access to the apps they need. It's instantly available, and importantly, it's instantly revoked if they change jobs or change roles within the company, or if they leave the company altogether.
And of course, if you're starting with new businesses, and a great example of this is fintech companies. Now, they're often companies that have 300 or 400 employees, they have very rapid development, lifecycle development processes, they're scaling and growing quickly, and they can be 100% cloud-only organizations. So why would they have an on-premise IDP in those scenarios? So where you realistically want to understand that you need a hybrid deployment, obviously, it's where you've got significant on-premise systems and dependencies.
Even where the goal is to migrate to SaaS applications, if that timeline is in multiple years, more than two years out, then you want to think about more long-term integration between your on-prem and your IDaaS systems. But like I said, the integration between those is very easy to achieve. There will probably always be systems where you've got highly regulated industries, where you need dedicated tenants, or they have on-prem or self-hosted requirements, et cetera.
And like I said, if that phased cloud migration is going to take time, don't expect to just have a standalone IDaaS, but it integrates so easily with on-prem systems, why not do that right away? It really facilitates and accelerates that cloud migration scenario. So let me just run through some of the best practices for a successful IDaaS implementation.
Obviously, you have to start with planning. That's really clear. You make your objectives and requirements very clear from the beginning.
Now, what you ideally want to do is implement comprehensive user lifecycle management processes. But that all depends on the complexity of your requirements and what you can achieve. For greenfield sites, for cloud-only organizations, actually, it's easily achievable. You don't want to neglect the importance of increasing security and meeting compliance. And like I said, from an end-user experience, oftentimes you're actually providing the users with a better user experience with stronger security. They can go hand-in-hand. So you don't have to compromise on that.
And the first thing to do is really look at rolling out single sign-on. And those user-friendly authentication methods, that does not mean that they're weak, but you can massively improve the user experience, giving them a single sign-on portal to go to easy access to all their applications. And like Paul emphasized, integration side with both cloud-based and existing on-premise systems, that's absolutely key.
The automation that IDaaS delivers is a big part of the benefits, the cost savings, and the security, because you've got instant provision and deprovisioning, instant granting and revoking of access. And also think about the longer-term data migration and changes in hybrid environments. And of course, invest in that user training and change management.
Now, I just want to call out about some really quick wins. So like I said, my team had been given the remit, you need to get 90% plus of all our deployments live. You have to get production use cases live in less than 28 days. So obviously that starts with planning. Look at implementing out-of-the-box SaaS provisioning.
Okay, so one of the things that you can really help improve the efficiency and security of your organization is encourage them to insist on buying applications that support provisioning standards, and that standard is SCIM, okay? So if that application supports SCIM provisioning, then any IDaaS can provision to it very easily, low cost, out-of-the-box, and that makes your life so much easier. It reduces the complexity and all the risk associated with complexity. The other quick win is with single sign-on, you're enforcing MFA centrally via your IDaaS.
And when you've got hybrid environments, you can actually have enforced MFA from your IDaaS for access to the on-prem IDP. You can also, OneLogin certainly supports application-level policies, so you can support MFA when certain sensitive users are accessing, say, finance apps or HR apps, et cetera. Why not when it's so simple for you to do and roll out? And with that SSO, lead the users towards strong authentication. So all these things are initial quick wins that take literally minutes to configure and set up, and so you're only talking days and weeks to roll out, not months.
And obviously, prioritize the SaaS apps. They're more likely, in particular, your Office 365, your Google Workspaces of the world, all the employees use them. They integrate very easily, both provisioning and from a security authentication point of view. So very quick wins with a very broad coverage. And then just really look at supporting the application teams that are doing that cloud migration and make their life easy. They don't have to worry about authentication. They don't have to worry about user provisioning.
Just give them your requirements and say, if you do this, we'll be plugged in and supporting you, and we'll actually accelerate that onboarding of those new applications. And finally, obviously, end-user training is really important.
So yeah, I'm just going to give you one quick example before we turn over to the Q&A. So I mentioned about accelerating cloud adoption. In the on-premise world, before IDaaS came along, you could have very complex environments. Here I show multiple active directories, even if they're not in the same forest, and you could throw in LDAP services, et cetera. And you'd often have the concept of an IDP broker that would centralize that authentication between those systems.
Well, so even if you're starting in from this 100% on-prem environment and complex architecture, your organizations were faced with, well, now I'm getting a growing suite of SaaS applications that literally, when I started in this world, companies were just adding users manually, directly to them, and people were logging in with username and password. Far from ideal, right?
So the role that IDaaS plays there is that it becomes this, it's like a broker for all cloud SaaS access, and that handles both authentication and lifecycle management for those SaaS apps, and just plugs right into either the central identity IDP broker, or it plugs into the individual direct on-prem directories. So this is a picture of a hybrid, complex hybrid environment where IDaaS is handling everything cloud, but directly plugging in to the existing on-prem infrastructure in a very efficient and scalable way. So I'll just stop there.
Paul, and we have some time to look at some questions. Actually, sure. I just wanted to go back to your, the easy, quick wins, because when you mentioned out-of-the-box, it made me think, is that possible? Do customers think that there, you know, so many applications now say, you simply download and you're ready to go, sort of thing, that surely we're a long way from some kind of identity as a service that would automatically be available or a service that would automate the whole process and within an hour, you're set up. How far would that be?
Well, I'll give you a great example. So we have, we train our partners to, you know, we have them go through training where they, we say, okay, here's an Active Directory, here's a Salesforce instance, and here's a OneLogin tenant. We want you to send, you know, set up your Active Directory integration, provision users into OneLogin, provision those users into Salesforce and have a user sign in with MFA, okay? We would give them two hours to do that in a, you know, in a new environment, nothing configured. Our good partners could do that in 25 minutes. I'll give you another good example.
With Office 365 and Google Workspace, we have a connector, it's a one-click connector that will federate your Office 365 environment with your OneLogin tenant. It takes two minutes and it's a single click.
So- Okay, so that's pretty impressive. Yeah, we are, but that's choosing the right applications that are following the modern standards. Yeah.
Right, and that's, it's really key. When you are talking about integration, if you choose the wrong SaaS, even SaaS applications, you're creating a headache for yourself that don't support those standards. And the other thing that you, real good to emphasize, which I didn't really, which is single sign-on, you know, imagine most people's working day, if they had to sign on to every application that they need in that working day, it'd be a nightmare. So the importance of single sign-on cannot be overestimated, I don't think.
Yeah, and when you think about zero trust, that's why it's important to have, to have the flexibility of policies that enforce the right level of security at the right moment. So rather than having everybody with one-hour sessions and they're having to log in every hour, which drives people crazy, what you do is you say, okay, you have an eight or even 12-hour SSO session, but when you access specific applications, you will be challenged for MFA, like a step-up MFA, even though you have an active SSO session.
So you've got that nice balance between, okay, the user has a long-lived session, but no privilege or, you know, important applications can be accessed without that MFA challenge. I want to have a look at the poll results. They pretty much kind of, you know, endorse what we've been talking about. 45% want integration is by far the biggest challenge. And I think we've kind of made that point pretty clear, but, you know, and it's getting more of a challenge. So any kind of identity service that can improve on that is going to be important.
But then having, my cynicism was that they don't, that people are less caring about compliance, doesn't really, 22% there, they do care with comparing compliance and data privacy, and of course, cost. Interesting that user acceptance and training, maybe you've got a comment on that, Stuart, that's less important or seemingly less important.
Well, I would say, I would hope it's because modern forms of authentication, MFA now are so prevalent that you expect your end users to be comfortable with them. I understand it's more of a challenge when you're dealing with CIAM, the customer identity space, because you have, you can't really train your customers and you have to support such a wide range of systems. But when it comes to employees, when workforce or even partners to that sense, you can expect that they are familiar or comfortable with or even demand modern authentication methods, so. Okay.
Let's look at the second poll, which again, 50% customizability. These are the features which are important. And then security, user-friendly interface though, 4%.
Now, I don't know who's saying that. I don't know. I don't think it's a business unit, see. No. So the guys watching this, obviously I imagine they might be engineers or they might be from the admin side of thing, but I think you need to think a little bit more about user-friendly interface than 4%. Yeah.
Yeah, well, especially if you're wanting your user base to adopt new standards or new methods, right? That adoption is key. How do you, and from experience, I know they'll complain about a change in color of a button. So you've got to manage their expectations very carefully, right? You need to, yeah, you do need to take that. But I guess here they were only asked to pick one, were they? Yeah. In the poll, so, yeah. Anyway. I guess one thing I would say, Paul, as well as I think we've been around long enough that we are not, I certainly am not a big proponent of rip and replace.
Get rid of your legacy identity infrastructure and just plug in IDaaS, right? There are so many advantages of just starting to use IDaaS for single use cases and gradually roll it out. Because you can see benefits and even, from a financial point of view, it's worthwhile just using for a few core use cases and tackle the more difficult ones as you go along. And in some cases, an on-prem system is winding down, maybe it's three or four years. You keep your legacy identity provider that is integrated with that.
Along with it, it's just, you're using it for less, for fewer and fewer integrations, and it's a gradual phase out. Okay. One thing might be useful. You know your customers very well. Can you give some case studies or examples of how IDaaS has transformed a business or made it more secure?
Yeah, sure. So the last diagram I showed you was actually from a large manufacturing customer of ours in France. They have hundreds of thousands of users, of employees. And their focus was very much, we've got our legacy infrastructure. It's been there for decades and decades. We need something to support our cloud migration journey. Right? The interesting thing is their prime objective was, it's taking us two months to onboard a new cloud application. We want to get that down to two weeks. So within the first year of deploying OneLogin, they had achieved that.
When an application team came to them and said, we're going to roll out a new SaaS application, they could have all the user lifecycle management, onboarding, et cetera. Everything from the identity side was well within the two weeks. A few years later, they said, we've got it down to two days. We now want to get it down to two hours. So I need to go back to them and ask if they've actually got it down to a new SaaS application onboarding actually takes the identity team just two hours to achieve. Wow. So we have a question here from one of our attendees, Rene Martinez.
It's quite a big question, but in the short sentence, what is the best strategy in hybrid implementation for legacy apps? Yes. So I think you do have to, first of all, think about security and access. So because the legacy apps, is it cloud hosted now? Because a legacy app, some are migrated to the cloud and just running in the cloud. Are they on-prem? What are the network access restrictions like? And what are the authentication protocols available? So I'd ask providers like OneLogin, we offer a cloud-based RADIUS, for example.
So if a legacy app supports RADIUS and it works from a security point of view for you, you can plug it in via that. Even we have a cloud-based LDAP interface. But also you need to be open to, like I said, keeping some legacy authentication systems running, but they can be integrated into OneLogin. So for example, if an on-premise app can authenticate via AD, well, we can give you that single sign-on experience. So if you log into an AD machine, you're automatically logged into OneLogin as well. You're getting a single sign-on experience across both on-prem and cloud environments.
So the end user experience is good. And so you just have to be open to, do I need to keep some of my legacy authentication identity infrastructure in place? Yeah.
Okay, related to that is a question, what factors should organizations weigh when deciding between, you mentioned a hybrid and a dedicated IDaaS solution. So quickly, what are the top line things there?
Yeah, so I would always encourage for you to look, can you get a single source of truth to feed your identity systems? It removes all sorts of complications. Is that an HR system? Some companies, it is still on-prem Active Directory or an LDAP directory, but from a hybrid perspective, you don't want to have the same user existing and being created from two different sources. So try to achieve that single source of truth.
And yeah, I think that's one of the main things that I would get people to try and focus on. Okay, we're running out of time, but I've got a really, I think a very important question here, which really hits the, comes to the nub of when we talk about passwordless and MFA.
And Randy, again, what is your opinion between MFA or passwordless strategies or options? And I think passwordless is one of the most misunderstood terms in identity right now. So it'd be great to finish on some explanation of that. Absolutely, well, I think it's partly because the term MFA has come to mean non-password authentication factor. So people don't actually necessarily mean multiple factors to authenticate. Now we haven't touched much on AI and machine learning, and obviously it's playing an increasingly important role in authentication and risk detection and remediation.
And I'm mentioning that because where you have robust machine learning and AI risk detection, you may consolidate on single factor authentication, but that authentication factor is a strong factor. And that's what we call advanced authentication. You've combined the risk insights and machine learning with a strong authentication factor. So passwordless, yes, go passwordless because we know of all the problems with password. Passwordless can mean single factor or it can mean two factor or more, but I would recommend that you always combine it with that AI machine learning insights.
We call it smart factor. People call it adaptive authentication. So you have that dynamic response that based on the risk, the authentication journey or process that the user is faced with will adapt and change to mitigate changes in risk level. Fantastic.
Okay, well, we're bang on time. So I really appreciate Stuart for all your presentation, answering these questions. You can follow up directly with One Identity after this. After this, the slides will be available for download. And I appreciate so many of you joining us today. I think we had a record registration for this. So it just goes to show the interest in identity as a service and identity as a whole. Thanks once again to Stuart and One Identity and thanks for joining us. Bye now.
Thank you, Paul. Bye.